This week the Governor of California vetoed what would have been a landmark law on data breach notification. The bill sought to strengthen the notification required when databases of personal information are compromised. California’s existing data breach law, which will continue unamended, requires companies and state government agencies to notify individuals when their personal information has been compromised.
 

In his veto message, Governor Schwarzenegger made the point that the bill was well-intended but imposed additional burdens on businesses without a corresponding consumer benefit, specifically stating:

To the Members of the California State Senate:

I am returning Senate Bill 1166 without my signature.

This bill would require any agency, person, or business that must issue an information security breach notification pursuant to existing law to also fulfill certain additional requirements pertaining to the security breach notification.

California’s landmark law on data breach notification has had many beneficial results. Informing individuals whose personal information was compromised in a breach of what their risks are and what they can do to protect themselves is an important consumer protection benefit. This bill is unnecessary, however, because there is no evidence that there is a problem with the information provided to consumers. Moreover, there is no additional consumer benefit gained by requiring the Attorney General to become a repository of breach notices when this measure does not require the Attorney General to do anything with the notices.

Since this measure would place additional unnecessary mandates on businesses without a corresponding consumer benefit, I am unable to sign this bill.

Sincerely, Arnold Schwarzenegger