Companies concerned about potential liability issues raised by California's identity theft law may have much more to worry about if a recently proposed piece of similar legislation is passed.
The proposed bill seeks to toughen and broaden the scope of legislation already in place.
Under that law, put into place last year, any company that maintains computerised databases containing certain personal information about California residents is obliged to inform those individuals of any security breach in which unencrypted personal data may have been compromised.
The bill seeks to widen the definition of breachable data to include all data, rather than only computerised data.
The bill would also require companies that suffer a security breach involving personal information to provide two years of credit-monitoring services, without charge, to each affected individual.
"It would have some real serious operational implications for affected companies," one user said.
The potential costs of paying for credit-monitoring services for individuals whose personal information may have been compromised is huge. Broadening the definition of breachable data also makes the task of protecting it "monumentally" difficult, he said.
The user added that there already is a quiet lobbying effort to stop the bill from being passed.
Jaikumar Vijayan writes for Computerworld