8-Amendments to California Data Security Breach Notices

#8. California’s Required Notifications for Data Security Breaches

What’s so AWFUL? New notice requirements could actually help would-be attackers with their targeting and tactics.

SB 1166

California law requires notification whenever a business reasonably believes a breach may have occurred, even where there is no risk to the consumer. Most online companies have California customers, and most are subject to hundreds of hacker intrusion attempts every day. Even when an attack is thwarted, there may be reason to believe that some information was obtained. To avoid lawsuits authorized by the California law, including statutory damages of $3,000 per violation, companies will be motivated to report hack attempts even where the data was not usable in a threatening way. This results in over-notification, which only de-sensitizes consumers to breaches that justify taking action.

Sen. Simitian’s amendments add notice requirements that could actually help would-be attackers target certain companies, refine their tactics for breaching the security of systems, and use any data obtained:

  • In listing the types of information subject to the breach, victimized companies will reveal data elements held by the company and attract further hack attempts.
  • The company must reveal whether a delay was requested by law enforcement. If no delay was requested, hackers may suspect that the target company does not work closely with law enforcement.
  • Victimized companies must publish a description of the breach incident, which may reveal clever tactics that other attackers would want to emulate. This could also reveal other potential vulnerabilities in the company’s systems.
