Strict Data Breach Law Moves Forward in California
The California Senate has approved a strict bill that would allow any California resident affected by a data breach to sue a company for up to $1,000 per breach.
SB-1121 provides a number of regulations for how businesses handle consumer data. The bill requires companies to implement security procedures and notify consumers when their unencrypted and non-redacted personal information has been breached.
If a company fails to take reasonable security measures to prevent a breach and/or fails to notify individuals of the breach in a timely manner, a consumer can recover damages between $200 and $1,000, and can still join a class action lawsuit against the company.
The bill deals with data breaches, but also outlines how companies must handle sharing information with third parties, particularly for marketing purposes. Individuals now have the right to contact companies to ask with whom their information has been shared and what information was included. Companies must respond to requests within 30 days.
The bill will now go to the state assembly. If it passes there, Governor Jerry Brown would have 30 days to sign or veto the bill.
Colorado has also enacted a stricter data breach notification law. Starting September 1, companies will have only 30 days to notify consumers of a data breach, which is the shortest time of any notification law in the United States.
At the federal level, Democratic Senators Elizabeth Warren and Mark Warner introduced a bill in January that would give the FTC more power to investigate credit reporting industries and levy fines. This came in the wake of the Equifax breach, which exposed the personal information of over 140 million Americans.