BILL ANALYSIS SB 1386 Page 1

Date of Hearing: June 18, 2002

ASSEMBLY COMMITTEE ON JUDICIARY
Ellen M. Corbett, Chair
SB 1386 (Peace) - As Amended: June 6, 2002
As Proposed to Be Amended

SENATE VOTE: NOT RELEVANT

SUBJECT: PERSONAL INFORMATION: DISCLOSURE; BREACH OF SECURITY

KEY ISSUE: SHOULD STATE AGENCIES AND BUSINESSES THAT MAINTAIN COMPUTERIZED DATA SYSTEMS CONTAINING PERSONAL INFORMATION BE REQUIRED TO DISCLOSE A BREACH OF SECURITY TO ANY PERSON WHOSE PERSONAL INFORMATION WAS, OR MAY HAVE BEEN, ACCESSED BY AN UNAUTHORIZED PERSON IF THE INFORMATION DISCLOSED COULD BE USED TO COMMIT IDENTITY THEFT?

SYNOPSIS

This bill is intended to help consumers protect their financial security by requiring any agency or business that maintains a computerized data system that contains personal information to disclose any breach of the security of the system immediately after discovery of the breach to any person whose personal information was or may have been accessed by an unauthorized person, if the information disclosed could be used to commit identity theft. The bill provides that immediate disclosure is not required if it would impede an ongoing law enforcement investigation, but disclosure is required once the investigation is no longer compromised.

Supporters argue that the measure is necessary because the sooner an individual is informed that their personal information was accessed by an unauthorized person, the more likely it is that the steps they take to prevent identity theft will be effective.

The author's office has indicated that they are working with interested parties, including Amazon, American Electronics Association, California Cable Association, Experian, and Lexis-Nexis. At the time of the writing of this analysis, these groups had not contacted the Committee.

SUMMARY: Seeks to help consumers protect their financial security.
Specifically, this bill:

1) Requires any agency, person or business that maintains a computerized data system that contains personal information to disclose any breach of the security of the system immediately after discovery of the breach in the security of the data to any person whose personal information was, or may have been, accessed by an unauthorized person.

2) Provides that immediate notification under the bill is not required if a law enforcement agency determines that disclosure will impede an ongoing investigation, and provides that notification shall be made when it no longer compromises the investigation.

3) Defines "breach of the security of the system" to mean unauthorized access to personal information contained in a database that could be used to commit identity theft.

EXISTING LAW:

1) Regulates the maintenance and dissemination of personal information by state agencies under the Information Practices Act. (Civil Code section 1798 et seq. All further statutory references are to this Code unless otherwise noted.)

2) Provides that an agency may not disclose any personal information in a manner that would link the information disclosed to the individual to whom it pertains unless the disclosure falls into one of a number of specified exceptions, and requires an agency to maintain an accurate accounting of the date, nature and purpose of each disclosure of a record made pursuant to specified exceptions. (Sections 1798.24 and 1798.25.)

3) Requires a business to take all reasonable steps to destroy or arrange for the destruction of a customer's records containing personal information which is no longer to be retained by the business, as specified. (Section 1798.81.)

4) Provides that the crime of identity theft occurs when any person willfully obtains personal identifying information of another person and uses that information for an unlawful purpose.
Existing law defines "personal identifying information" as the name, address, telephone number, driver's license number, social security number, place of employment, employee identification number, mother's maiden name, demand deposit account number, savings account number, or credit card number of an individual person. (Penal Code section 530.5.)

FISCAL EFFECT: The bill as currently in print is keyed fiscal.

COMMENTS:

As proposed to be amended, this bill requires an agency or business that maintains a computerized data system that contains personal information to disclose any breach of the security of the system immediately after discovery of the breach to any person whose personal information was or may have been accessed, if the information that was disclosed could be used to commit identity theft.

In support of the measure, the author states:

SB 1386 will help consumers protect their financial security, by requiring those entities which maintain personal information to provide notice when the entity discovers that unauthorized persons accessed sensitive information, defined in the bill as information which can be used to commit identity theft. The recent incident at the Stephen P. Teale Data Center which saw the personal financial information of hundreds of thousands of state workers fall into the hands of computer hackers is a dramatic demonstration of an all too common event - a breach in database security which exposes victims to the further harm of identity theft. In the Teale incident, authorities knew of the breach in security almost a month before state workers were told. ... We can at least be thankful that victims were given the opportunity to take protective measures based upon notice of the event - albeit late notice. All too often events of this sort go completely unreported. How can this be?
The embarrassment of disclosure that a company or agency was "hacked," or the fear of lost business based upon shoddy information security practices being disclosed, overrides the need to inform the affected persons. In other instances, credit card issuers, telephone companies and internet service providers, along with state and local officials, "handle" the access of consumers' personal and financial information by unauthorized persons internally, often absorbing the losses caused by fraud as a matter of "customer service" without ever informing the customer of the unauthorized use of his/her account. ... Customers need to know when unauthorized activity occurs on their accounts, or when unauthorized persons have access to sensitive information, in order to take appropriate steps to protect their financial health.

Recent Computer Hacking Of State Employee Records Motivating Need For The Bill.

The provisions of this bill have been introduced in response to the recent incident at the state's Stephen P. Teale Data Center, in which computer hackers were able to illegally access sensitive financial and personal information regarding approximately 265,000 state workers, including Social Security numbers. According to the Controller's Office, the information on these computers also contained employees' names and deduction information, but did not include bank account numbers, home addresses, or phone numbers. On June 6, 2002, the Senate Committee on Privacy, chaired by the author, held an informational hearing on the incident to explore why the breach, which reportedly occurred on April 5, 2002, was not discovered until May 7, 2002, and why employees were not notified until May 21, 2002. Testimony at the hearing reportedly revealed that during this period of time unauthorized persons in Germany attempted to access one state worker's bank account, and another worker had an unauthorized change-of-address attempt made on her credit card account.
Background materials prepared for the hearing indicate that every state employee who had a voluntary deduction was affected, including civil service employees, Legislators, Constitutional Officers, Judicial Council employees and California State University employees. Employees who do not have a voluntary deduction, legislative staff, and retired state employees (PERS or STRS) were not affected.

Private Sector Security Breaches.

Recently, it was also disclosed that an unauthorized individual using an access code normally employed by Ford Motor Credit had accessed 13,000 full credit histories of consumers from Experian, including names, addresses, Social Security numbers, mortgage information and credit-card account details. In that case, both Ford Motor Credit and Experian notified the affected consumers, a practice this bill seeks to encourage.

Unfortunately, not all companies are as forthcoming. Background materials prepared for the Senate Privacy Committee hearing include a recent article reporting an incident involving Bank One. In that case, a former employee sold hundreds of financial records to an identity theft ring, but the company never told its customers. The article stated:

The incident also highlights what privacy experts say is the biggest problem surrounding identity theft incidents - corporate secrecy. Bank One never told its customers about the problem. Disclosure only came eight months after the theft - when a victim received a call from the Secret Service, discovered someone had purchased a Jaguar in his name and contacted [the local news channel]. ... In fact, it's common that consumer victims aren't told about a break-in, as companies try to avoid the potential embarrassment and cross their fingers that no crimes will actually be committed with the stolen data.

Bill Being Heard Today As Proposed To Be Amended.

This bill is being heard as proposed to be amended.
The proposed amendments offered by the author address a concern that the bill's current language, providing that an agency or business may notify affected individuals "as soon as is practicable," may be too broad and could permit an agency or business to simply say that waiting, for example, an entire year to notify affected employees and individuals was "as soon as practicable." Because the language was included to account for the situation where disclosure of a breach in security of the system might impede an ongoing law enforcement investigation, it was suggested that the bill be amended to specifically reference this situation. The proposed amendments reflect this suggestion.

ARGUMENTS IN SUPPORT:

Both the Privacy Rights Clearinghouse and the Identity Theft Resource Center support the measure, stating:

The bill describes "breach of security" as pertaining to personal information that could be used to commit the crime of identity theft as codified in California Penal Code 530.5. Typically, such personal information includes but is not limited to Social Security numbers and financial account numbers. The bill requires those individuals whose personal information has been compromised due to a computer security breach to be notified "immediately, or as soon as is practicable." This provision is important because the sooner an individual takes identity theft prevention steps, the more likely it is that he or she will not become a victim of fraud. Typically, individuals who are at risk for identity theft place a fraud alert or a security freeze on their three credit reports.

Pending Related Legislation.
AB 2297 (Simitian), which requires a person or entity conducting business on an Internet Web site that collects personal and identifying information to notify each individual who may have been affected in the case of a breach of security that results in the disclosure of personal and identifying information, has been referred to the Senate Committees on Business and Professions and Judiciary.

REGISTERED SUPPORT / OPPOSITION:

Support
Privacy Rights Clearinghouse
Identity Theft Resource Center

Opposition
None on file

Analysis Prepared by: Saskia Kim / JUD. / (916) 319-2334