August 31, 2011 - SACRAMENTO - Earlier today Gov. Jerry Brown signed into law a bill by State Sen. Joe Simitian (D-Palo Alto) to enhance consumer privacy protection when sensitive data is lost or stolen. Senate Bill 24 strengthens the state's existing data breach notification requirements by providing consumers with the information they need to protect themselves against identity theft.
As a result of legislation Simitian passed in 2002 (AB 700), California law requires data holders, such as businesses or state agencies, to notify individuals when there has been a breach of personal information. However, the law does not indicate what information should be contained in this notification.
"Senate Bill 24 is the logical next step to ensure consumers have the specific information they need to protect themselves after a data breach," Simitian said.
Specifically, SB 24 establishes standard, core content for data breach notifications including a general description of the incident, the type of information breached, the time of the breach, and toll-free telephone numbers and addresses of the major credit reporting agencies in California.
"No one likes to get the news that personal information about them has been stolen," said Simitian. "But when it happens, people deserve to get the information they need to decide what to do next."
In addition, SB 24 requires data holders to send an electronic copy of the notification to the Attorney General if a single breach affects more than 500 Californians. This requirement will "give law enforcement the ability to see the big picture and better understand the patterns and practices of identity theft statewide," Simitian explained.
A survey by the Samuelson Law, Technology & Public Policy Clinic at UC Berkeley found that 28 percent of data breach victims receiving a security breach notification letter "do not understand the potential consequences of the breach after reading the letter."
The California Office of Privacy Protection referred to today's bill signing as "a great day for California" and indicated that the Senator's bill "helps protect and empower Californians."
Privacy Rights Clearinghouse, a non-profit consumer education and advocacy group, reports that at least 500 million sensitive records have been compromised nationwide since 2005.
Since Simitian's original privacy legislation (AB 700) was signed into law in 2002, more than 45 states have adopted legislation modeled on California's statute. At least 14 other states, and Puerto Rico, also require security breach notifications to include specified information, just as SB 24 does.
Senate Bill 24 will become law on January 1, 2012. For more information on SB 24, visit http://www.senatorsimitian.com/legislation.