California State Sen. Joe Simitian could be called the father of state data breach notification laws. He received
the award for Excellence in the Field of Public Policy at the RSA Conference 2007 in recognition of that -- though he's willing to share the credit.
Through some luck, cooperation and the intricacies of the California legislative process, the bills eventually became, in effect, one law, and "virtually identical," said Simitian, who spoke with SeachCompliance.com following a "Town Meeting" at the Cupertino Civic Center Sept. 16 for constituents of California's 11th Senate district, which makes up much of Silicon Valley, from Redwood City to San Jose.
California's law is notable for its emphasis on disclosure and for a lack of prescriptive requirements, a contrast to earlier versions of the Massachusetts 201 CMR 17.00 data protection regulation, which specified encryption to be used in the protection of personally identifiable information, Nevada's Senate Bill No. 227 mandates use of the Payment Card Industry Data Security Standard (PCI DSS) for all entities doing credit card business in the state.
Last month a Simitian-sponsored amendment of the California law, known as Senate Bill 20, passed through the legislature and is now awaiting the signature of Gov. Arnold Schwarzenegger. SB 20 strengthens the notification requirements for breaches but still does not take steps to mandate how to prevent data breaches. In the interview excerpts that follow, Simitian discusses SB 20, where it fits into the evolving fabric of breach laws, and whether a federal law -- or another state law -- might be a better way to go.
What makes California's data breach notification law work?
Simitian: I think the strength of the law is its simplicity. You don't mandate privacy protection. You simply say, if you have a failure, then there are consequences. There's cost and there's cost to your reputation. The hope and expectation was that people would say that the cost and the cost to reputation would be significant enough that we ought to take some steps to prevent this from happening. And that in fact has happened.
Other states have followed California's lead and developed their own standards and my assessment is that about half the states that followed suit have pretty much taken the California law and used it in total, and maybe the other half have done their own thing but along the same basis. We also hoped and expected that Washington would take a look. I think Washington has made us nervous because what we mostly hear from Washington is a watered-down version of the law with a pre-emption feature which would preclude states like California from having a more rigorous set of standards.
This is not my argument, but I have heard it from others and think it's a credible argument, that we'd actually be better off with a state law that imposes a meaningful de facto national standard than a federal law that waters down that standard and precludes states from doing something more robust. That being said, we really ought to have a national standard and not a state-by-state standard. The patchwork quilt of state statutes is just crazy.
What does SB 20 bring to the data breach discussion?
Simitian: It's about to what extent you want to be prescriptive, and to what extent do you want to provide flexibility. The RSA folks' view was that the security breach law is elegant in its simplicity because we don't tell you that you have to meet this standard. We say, "Look, here's the deal, if it doesn't go well, there are consequences, so you figure out how you want to avoid those consequences."
One of the critiques of the law is that it doesn't set a specific time period, or say all reasonable speed. [In SB 20] there is a healthy tension between specificity and flexibility. On the issue of notice we want to be able to describe what the notice should look like. In about 25 to 30 percent of the notices that go out, you'd be hard-pressed if the recipients knew what it is someone is trying to communicate or not communicate. A little bit of specificity on what the essential elements of an effective notice might include would in fact be helpful, and helpful not only for consumers -- who need to get a notice they can read and understand and use to make judgments about what to do -- but also helpful to businesses, who want to know if they've complied with the law. A little bit of specificity is not too prescriptive. It's actually helpful to both businesses and consumers, and I think we struck the right balance with SB 20.
It's in Gov. Schwarzenegger's hands now. Do you think he is going to sign it?
Simitian: I do. We put in an amendment late in the process to eliminate opposition so I am optimistic about a signature, and at this point there's no formal opposition that I'm aware of. We had opposition from the insurance and financial services industry. There was one last requirement that ultimately I decided to remove from the bill to eliminate the opposition. The bill, in its not-quite-but-almost-final form, required disclosure of the number of individuals whose data had been breached. We got strong pushback on that. I thought it was a reasonable requirement but ultimately I did not want to put the entire bill at risk for one condition.
But it does require a minimum. If there are a minimum number of people affected, then you would have to disclose?
Simitian: That's right. My argument was, you want to let the state know, so we can get some sense of the scope of the problem. And also so consumers have some sense. If I communicate to you that you are one of three files that were compromised, then you are probably a little more anxious and a little more likely to take some steps to protect yourself then if you were one of 500,000.
How successful do you think this has been? Are you preventing breaches?
Simitian: I think that's counterintuitive. I think it's been tremendously successful, which I think is hard for most people to conclude with the number of breaches we read about on a seemingly daily basis when you pick up the paper. What I tell people is we will never know how many we would have read about if it had not been for the passage of such a law. What we are seeing now I think is likely only the tip of the iceberg all those years ago, and you had no way of knowing. The joke is that [I am] the best friend security professionals ever had because all of a sudden people and companies who did not take security seriously a decade ago take it very seriously today because there are consequences, and that's the beauty of the law.
But states like Massachusetts have taken a huge leap from that by specifying encryption and certain technologies and not considering the size of the business.
Simitian: I think when you are legislating in this field there are some tough choices to be made. There are some tradeoffs to be considered. If you are too specific, you could be obsolete pretty quickly. If you reference a third-party standard, you have effectively abdicated your responsibility to legislate. We sought a good way to let the law be self-enforcing and to use a light touch and to build in a measure of flexibility. I'm a Silicon Valley legislator. I don't want to see a proliferation of frivolous lawsuits. I want to grow online commerce, and the case I've been making for the past decade is, the way you grow online commerce is by responding to the public's legitimate concerns about security and privacy. I can avoid litigation by taking this step, or I can submit myself and if I think I am in fact fully compliant, and let folks make their own judgment rather than hire the privacy police to be out there monitoring if you do or don't comply.
Simitian: So we're back to the issue of do you really want to use a private industry standard as your legislative default. That's not a comment or critique on the standard. This is the question that arises whenever there's a state statute. Would we better served by federal legislation? My answer to that is, you'd be better served by federal legislation if the federal legislation has teeth and doesn't pre-empt the state's law. If there was a meaningful standard at the national level I think many states would be happy to accept it. So, I ask myself, is this really a place where I should be urging federal action? I think there are certain areas where states are more nimble than the federal government about recognizing and addressing issues. Assuming the [Nevada] law itself has merit, that actually somebody else somewhere was able to do a little more, provide an initial increment of protection, doesn't bother me in the slightest.
If you were try to toughen the bill further, outside of getting the minimum number back in, would you want to do anything more with the law?
Simitian: Probably not. We did things from day one that proved to be wise decisions. We don't specify the level of encryption. I'm not sure if we should weigh in. The reason encryption is in the bill at all is because there's an exception in terms of notice if the data was encrypted. The next question is, encrypted to what level. I don't think we're going down that path. At some point you have to let go and not micromanage it. I think if people are going to encrypt data that they are going to do a good job.
Were you surprised or did you notice that though this is one of your big issues along with water and the environment, that more than 100 people in an hour-and-a-half town meeting, none of them asked about data privacy?
Simitian: No, I wasn't surprised, though I think the privacy issue is a sleeping giant. I continue to be troubled by the extent to which our privacy rights slip away almost without notice. As an example, we have this FastTrak [toll system], and that uses an RFID technology. So if you are driving over the Golden Gate Bridge into San Francisco from Sacramento, you see a sign that says it's 22 minutes to get to the San Francisco airport. But how do they know that? They know it because somebody's tag got read at the bridge, and thought they were just being read to pay the toll, and got read at the airport. I don't think people have given that a moment's thought. In fact, those records have been subpoenaed in civil cases, by the wife who wanted to know if her husband was really where he said he was when he was there.
Let us know what you think about the story; email: Scot Petersen, Executive Editor