California's data breach law may get an update

07.03.2009
California's landmark data-breach notification law will get another update, if State Senator Joe Simitian gets his way.

Simitian, co-author of California's original 2003 legislation, has proposed a new bill that would spell out what companies must tell customers in their data breach letters and require that breaches affecting more than 500 people be reported to the state's attorney general.

Speaking Friday at the University of California, Berkeley, Simitian said that the new law would give "greater clarity and specificity as to the content of security breach notices, which I think is long past due."

While some breach notification letters do a good job of telling users what happened to their data, a "substantial number" do not, "leaving consumers more confused than informed," Simitian said.

California's breach law was the nation's first. It requires that consumers be notified when unencrypted, computerized financial data is lost or stolen, and is credited with shining a light on the issue of data privacy and inspiring similar legislation in 43 other states. The law was just expanded in January to cover medical and insurance data.

Simitian said one of his goals in writing the 2003 bill was to help people outside of California. "This goal has been more fully realized than we could have ever anticipated at the time," he said.