On September 29, 2010, Governor Schwarzenegger vetoed California Senate Bill 1166 (“SB 1166”), which would have expanded the state’s current security breach notification law.1 SB 1166 sought to regulate the content of security breach notices, and also would have required any person or business affected by a large-scale breach to notify the state Attorney General.

California’s security breach notification law, the first of its kind to be approved by a state legislature, went into effect on July 1, 2003.2 It requires any person or entity that conducts business in California, and that owns or licenses computerized data which includes “personal information,” to notify California residents whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person through a security breach.3 In its current form, the state law does not require covered businesses or persons to communicate any particular information about the breach to consumers.