California Strengthens Data Breach Notification Law

California is known for having some of the toughest privacy laws in the country. But that hasn’t stopped assembly members from upping the ante to protect consumers in the event of company data breaches.

Last month, Gov. Jerry Brown signed legislation to protect state residents affected by security breaches that compromise their personal data, leaving them susceptible to identity theft and cyber mischief. The law requires companies that suffer a breach to offer free identity theft prevention and mitigation services to consumers for at least a year if their Social Security or driver’s license number was compromised.

“Recent breaches emphasized the need for stronger consumer protections and awareness,” Assemblyman Roger Dickinson said in a statement. “The retailers affected by the recent mega data breaches are not the first nor will they be the last.”

The legislation, which amends current privacy laws, applies to individuals and companies that conduct business in the Golden State. California isn’t alone in its quest to protect residents’ personal information. A total of 47 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands “have enacted legislation requiring private or government entities to notify individuals of security breaches of information involving personally identifiable information” according to the National Conference of State Legislatures. Alabama, New Mexico and South Dakota are the exceptions.

High-profile breaches involving Home Depot, Target, P.F. Chang’s, JPMorgan and others continue to make consumer cybersecurity a pressing issue. This week's total, of 588 breaches, represents a 25.9 percent increase over the same time period last year (467 breaches), according to the Identity Theft Resource Center.

While California law requires companies to offer identity theft protection services, it appears the onus is on the consumer to accept those services. This comes at a time when consumers may be reaching “breach fatigue,” in the wake of ongoing news about company cyber hacks, The Washington Post reported.

“I think we get upset. I think we get angry. And then we go back to what’s easy, convenient and we’re used to,” Steven Weisman, a senior lecturer at Bentley University and author of “Identify Theft Alert,” told the Post.

California is taking privacy protection beyond company data breaches. Gov. Brown signed more than a dozen bills into law last month that address privacy and consumer protection.

Among them is one that prohibits state agencies from helping the federal government carry out searches of individuals’ electronically stored data, such as phone records, unless it has a warrant. Another law requires state agencies to post their privacy policies prominently on their websites.