BILL ANALYSIS                                                                                                                                                                                                    



                                                                  SB 1386
                                                                  Page  1

          Date of Hearing:   June 18, 2002

                           ASSEMBLY COMMITTEE ON JUDICIARY
                               Ellen M. Corbett, Chair
                     SB 1386 (Peace) - As Amended:  June 6, 2002

                              As Proposed to Be Amended

          SENATE VOTE: NOT RELEVANT
           
          SUBJECT: PERSONAL INFORMATION: DISCLOSURE; BREACH OF SECURITY

          KEY ISSUE: SHOULD STATE AGENCIES AND BUSINESSES THAT MAINTAIN
          COMPUTERIZED DATA SYSTEMS CONTAINING PERSONAL INFORMATION BE  
          REQUIRED TO DISCLOSE A BREACH OF SECURITY TO ANY PERSON WHOSE  
          PERSONAL INFORMATION WAS, OR MAY HAVE BEEN, ACCESSED BY AN  
          UNAUTHORIZED PERSON IF THE INFORMATION DISCLOSED COULD BE USED  
          TO COMMIT IDENTITY THEFT?

                                      SYNOPSIS
          
          This bill is intended to help consumers protect their financial  
          security by requiring any agency or business that maintains a  
          computerized data system that contains personal information to  
          disclose any breach of the security of the system immediately  
          after discovery of the breach to any person whose personal  
          information was or may have been accessed by an unauthorized  
          person if the information disclosed could be used to commit  
          identity theft.  The bill provides that immediate disclosure is  
          not required if it would impede an ongoing law enforcement  
          investigation, but disclosure is required once the investigation  
          is no longer compromised.

          Supporters argue that the measure is necessary because the  
          sooner an individual is informed that their personal information  
          was accessed by an unauthorized person, the more likely it is  
          that the steps they take to prevent identity theft will be  
          effective.  The author's office has indicated that they are  
          working with interested concerned parties, including Amazon,  
          American Electronics Association, California Cable Association,  
          Experian, and Lexis-Nexis.  At the time of the writing of the  
          analysis, these groups had not contacted the Committee. 

          SUMMARY: Seeks to help consumers protect their financial
          security.  Specifically, this bill:

          1)Requires any agency, person or business that maintains a  
            computerized data system that contains personal information to  
            disclose any breach of the security of the system immediately  
            after discovery of the breach in the security of the data to  
            any person whose personal information was, or may have been,  
            accessed by an unauthorized person.

          2)Provides that immediate notification under the bill is not  
            required if a law enforcement agency determines that  
            disclosure will impede an ongoing investigation and provides  
            that notification shall be made when it no longer compromises  
            the investigation.

          3)Defines "breach of the security of the system" to mean  
            unauthorized access to personal information contained in a  
            database that could be used to commit identity theft.

          EXISTING LAW:

          1)Regulates the maintenance and dissemination of personal  
            information by state agencies under the Information Practices  
            Act.  (Civil Code section 1798 et seq.  All further statutory
            references are to this Code unless otherwise noted.)

          2)Provides that an agency may not disclose any personal  
            information in a manner that would link the information  
            disclosed to the individual to whom it pertains unless the  
            disclosure falls into one of a number of specified exceptions  
            and requires an agency to maintain an accurate accounting of  
            the date, nature and purpose of each disclosure of a record  
            made pursuant to specified exceptions.  (Sections 1798.24 and  
            1798.25.) 

          3)Requires a business to take all reasonable steps to destroy or  
            arrange for the destruction of a customer's records containing  
            personal information which is no longer to be retained by the  
            business, as specified.  (Section 1798.81.)

          4)Provides that the crime of identity theft occurs when any  
            person willfully obtains personal identifying information of  
            another person and uses that information for an unlawful  
            purpose.  Existing law defines "personal identifying  
            information" as the name, address, telephone number, driver's  
            license number, social security number, place of employment,  
            employee identification number, mother's maiden name, demand  
            deposit account number, savings account number, or credit card  
            number of an individual person.  (Penal Code section 530.5.)

          FISCAL EFFECT: The bill as currently in print is keyed
          fiscal. 

          COMMENTS: As proposed to be amended, this bill requires an
          agency or business that maintains a computerized data system  
          that contains personal information to disclose any breach of the  
          security of the system immediately after discovery of the breach  
          to any person whose personal information was or may have been  
          accessed if the information that was disclosed could be used to  
          commit identity theft.  In support of the measure, the author  
          states:

               SB 1386 will help consumers protect their financial  
               security, by requiring those entities which maintain  
               personal information to provide notice when the entity  
               discovers that unauthorized persons accessed sensitive  
               information, defined in the bill as information which  
               can be used to commit identity theft.  

               The recent incident at the Stephen P. Teale Data  
               Center which saw the personal financial information of  
               hundreds of thousands of state workers fall into the  
               hands of computer hackers is a dramatic demonstration  
               of an all too common event - a breach in data base  
               security which exposes victims to the further harm of  
               identity theft.  In the Teale incident, authorities  
               knew of the breach in security almost a month before  
               state workers were told. … We can at least be thankful
               that victims were given the opportunity to take  
               protective measures based upon notice of the event -  
               albeit late notice. 

               All too often events of this sort go completely  
               unreported.  How can this be?  The embarrassment of  
               disclosure that a company or agency was "hacked," or  
               the fear of lost business based upon shoddy  
               information security practices being disclosed  
               overrides the need to inform the affected persons.  In  
               other instances, credit card issuers, telephone  
               companies and internet service providers, along with  
               state and local officials "handle" the access of  
               consumer's personal and financial information by  
               unauthorized persons internally, often absorbing the  
               losses caused by fraud as a matter of "customer  
               service" without ever informing the customer of the  
               unauthorized use of his/her account. …

               Customers need to know when unauthorized activity  
               occurs on their accounts, or when unauthorized persons  
               have access to sensitive information, in order to take  
               appropriate steps to protect their financial health. 

          Recent Computer Hacking Of State Employee Records Motivating
          Need For The Bill.  The provisions of this bill have been
          introduced in response to the recent incident at the state's  
          Stephen P. Teale Data Center in which computer hackers were able  
          to illegally access sensitive financial and personal information  
          regarding approximately 265,000 state workers, including Social  
          Security numbers.  According to the Controller's Office, the  
          information on these computers also contained employees' names  
          and deduction information, but did not include bank account  
          numbers, home addresses, or phone numbers.

          On June 6, 2002, the Senate Committee on Privacy, chaired by the  
          author, held an informational hearing on the incident to explore  
          why the breach, which reportedly occurred on April 5, 2002, was  
          not discovered until May 7, 2002 and employees were not notified  
          until May 21, 2002.  Testimony at the hearing reportedly  
          revealed that during this period of time unauthorized persons in  
          Germany attempted to access one state worker's bank account
          another had an unauthorized change of address attempt made on  
          her credit card account.  

          Background materials prepared for the hearing indicate that  
          every state employee who had a voluntary deduction was affected,  
          including civil service employees, Legislators, Constitutional  
          Officers, Judicial Council employees and California State  
          University employees.  Employees who do not have a voluntary  
          deduction, legislative staff, and retired state employees (PERS  
          or STRS) were not affected.  

          Private Sector Security Breaches.  Recently, it was also
          disclosed that an unauthorized individual using an access code  
          normally employed by Ford Motor Credit had accessed 13,000 full  
          credit histories of consumers from Experian, including names,  
          addresses, Social Security numbers, mortgage information and  
          credit-card account details.  In that case, both Ford Motor  
          Credit and Experian notified the affected consumers, a practice  
          this bill seeks to encourage. 

          Unfortunately, not all companies are as forthcoming.  Background  
          materials prepared for the Senate Privacy Committee hearing  
          include a recent article reporting an incident involving Bank  
          One.  In that case, a former employee sold hundreds of financial  
          records to an identity theft ring, but the company never told  
          its customers.  The article stated:

               The incident also highlights what privacy experts say  
               is the biggest problem surrounding identity theft  
               incidents - corporate secrecy.  Bank One never told  
               its customers about the problem.  Disclosure only came  
               eight months after the theft - when a victim received  
               a call from the Secret Service, discovered someone had  
               purchased a Jaguar in his name and contacted [the  
               local news channel]. … In fact, it's common that
               consumer victims aren't told about a break-in, as  
               companies try to avoid the potential embarrassment and  
               cross their fingers that no crimes will actually be  
               committed with the stolen data. 

          Bill Being Heard Today As Proposed To Be Amended.  This bill is
          being heard as proposed to be amended.  The proposed amendments  
          offered by the author address a concern that the bill's current  
          language providing that an agency or business may notify  
          affected individuals "as soon as is practicable" may be too  
          broad and could permit an agency or business to simply say that  
          waiting, for example, an entire year to notify affected  
          employees and individuals was "as soon as practicable."  Because  
          the language was included to account for the situation where  
          disclosure of a breach in security of the system might impede an  
          ongoing law enforcement investigation, it was suggested that the  
          bill be amended to specifically reference this situation.  The  
          proposed amendments reflect this suggestion.  

          ARGUMENTS IN SUPPORT: Both the Privacy Rights Clearinghouse and
          the Identity Theft Resource Center support the measure, stating:

               The bill describes "breach of security" as pertaining  
               to personal information that could be used to commit  
               the crime of identity theft as codified in California  
               Penal Code 530.5.  Typically, such personal  
               information includes but is not limited to Social  
               Security numbers and financial account numbers.

               The bill requires those individuals whose personal  
               information has been compromised due to a computer  
               security breach to be notified "immediately, or as  
               soon as is practicable."  This provision is important  
               because the sooner an individual takes identity theft  
               prevention steps, the more likely it is that he or she  
               will not become a victim of fraud.  Typically,  
               individuals who are at risk for identity theft place a  
               fraud alert or a security freeze on their three credit  
               reports.

          Pending Related Legislation.  AB 2297 (Simitian), which requires
          a person or entity conducting business on an Internet Web site  
          that collects personal and identifying information to notify  
          each individual who may have been affected in the case of a  
          breach of security that results in the disclosure of personal  
          and identifying information, has been referred to the Senate  
          Committees on Business and Professions and Judiciary.

          REGISTERED SUPPORT / OPPOSITION:

          Support

          Privacy Rights Clearinghouse
          Identity Theft Resource Center

          Opposition

          None on file

          Analysis Prepared by: Saskia Kim / JUD. / (916) 319-2334