I was reading today on the Trusted ID Blog that the State Senate in California passed by a large margin measures that require more extensive notification to consumers of data breaches, establish a central reporting center for breaches, and permit local prosecution of identity theft criminals. The bills were both authored by State Senator Joe Simitian who sponsored SB1386, California’s original breach notification law in 2002. SB1386 paved the way for many other state laws regarding data breaches.
SB364 (privacy) mandates that consumers receive a clear, informative notification letter when their personal data has been stolen from a business or public agency. It also requires the state to create a central reporting site to catalog security breaches. SB612 (ID theft prosecution) allows identity theft perpetrators to be prosecuted in the county in which the victim lives. One issue with identity theft prosecution is that most states prosecute in the county where the perpetrator lives. This is usually highly inconvenient for the victim who typically drops the charges due to the inconvenience. Both laws must now be acted on by California’s state assembly.
The major lesson is that it is infinitely cheaper to prevent a data breach than it is to rectify one. I’ve heard all kinds of estimates regarding the cost of notifying customers ranging up to over $10,000 per customer. And that’s not including the damage done to your business from the loss of faith that customers might have as a result of the data breach. While security is a difficult thing to budget for (I wish I had a dollar for every small business owner who said to me, “Why should I spend $1000 on a firewall when we don’t even have a security problem?”), it is certainly a-stitch-in-time-saves-nine kind of situation.