California Governor Vetoes Enhanced Security Breach Notification Bill

Client Alert

On October 11, 2009, Governor Schwarzenegger vetoed California Senate Bill 20 (“SB 20”), a bill that would have added new obligations under the state’s security breach notification law.[1]  SB 20 would have required security breach notices to include certain types of information and would also have required the California Attorney General to be notified of larger-scale breaches.

California’s landmark security breach notification law went into effect on July 1, 2003.[2]  It requires any person or entity that conducts business in California, and that owns or licenses computerized data that includes “personal information,” to notify California residents whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person through a security breach.[3]

Since 2003, 44 other states, as well as the District of Columbia, Puerto Rico, and the U.S. Virgin Islands, have also enacted security breach notification laws.  In general, these state security breach notification laws are understood to be modeled on the California law.  Many states, however, have built upon California’s model and added more detailed requirements.  For example, at least fourteen states and Puerto Rico require security breach notices to include certain types of information for consumers.[4]  In addition, at least thirteen states and Puerto Rico require an entity that suffers a security breach to notify a state regulator, such as the Attorney General, as well as the affected individuals.[5]  With SB 20, California would have added similar requirements to its own breach notification law.

Specifically, SB 20 would have amended the California law to require that security breach notices “be written in plain language” and include certain types of information, such as a list of the categories of “personal information” affected by the breach, the actual or estimated date of the breach (if known), the nature of the breach, and whether the notice was delayed as a result of law enforcement investigation.  Additionally, SB 20 would have required notifying the California Attorney General of any breach that resulted in breach notification to more than 500 California residents.

In vetoing SB 20, Governor Schwarzenegger lauded the beneficial consumer protections of the existing California law.[6]  Nonetheless, the Governor believed that SB 20 was “unnecessary,” indicating that “there is no evidence that there is a problem with the information provided to consumers” under the existing law.  The Governor also stated that “there is no additional consumer benefit gained by requiring the Attorney General to become a repository of breach notices when [SB 20] does not require the Attorney General to do anything with the notices.”  Concluding that SB 20 would have imposed additional and unnecessary duties on businesses “without a corresponding consumer benefit,” the Governor vetoed SB 20.

Despite the Governor’s veto of SB 20, California businesses should be mindful that consumers in other states may be covered by laws that require more detailed security breach notices, notification of state agencies, or both.  Additional information, including links to the state breach notification laws, is available through Morrison & Foerster’s free online privacy library at


[2] Cal. Civ. Code § 1798.82.  “Personal information” is defined as an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:  (1) Social Security number; (2) driver’s license number or California identification card number; (3) account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account; (4) medical information; or (5) health insurance information.  Cal. Civ. Code § 1798.82(e).  A similar breach notification law applies to California state agencies.  See Cal. Civ. Code § 1798.29.

[3] Cal. Civ. Code § 1798.82(a).  Any person or entity that maintains computerized data that includes “personal information” that the person or entity does not own must notify the owner or licensee of that information about any such incident.  Cal. Civ. Code § 1798.82(b).

[4] These states include Hawaii, Iowa, Maryland, Massachusetts, Minnesota, New Hampshire, New York, North Carolina, Oregon, Vermont, Virginia, West Virginia, Wisconsin, and Wyoming.

[5] These states include Alaska, Hawaii, Louisiana, Maine, Maryland, Massachusetts, New Hampshire, New Jersey, New York, North Carolina, South Carolina, Vermont, and Virginia.

©1996-2019 Morrison & Foerster LLP. All rights reserved.