BILL ANALYSIS                                                                                                                                                                                                    



                                                                  SB 1386
                                                                  Page  1

          Date of Hearing:   August 14, 2002

                        ASSEMBLY COMMITTEE ON APPROPRIATIONS
                              Darrell Steinberg, Chair

                    SB 1386 (Peace) - As Amended:  August 5, 2002 

          Policy Committee:   Judiciary                    Vote:  9-3
                              Business and Professions           7-1

          Urgency:     Yes          State Mandated Local Program:  No
          Reimbursable:

           SUMMARY  

          This bill requires state agencies and businesses to disclose a  
          security breach of a computer system containing personalized  
          data and to notify those individuals whose personal information  
          has, or may have been, accessed.  Specifically, this bill: 

          1)Requires an agency, person, or business owning or licensing  
            computerized data containing personal information to disclose  
            any security breach to any person whose unencrypted personal  
            information was, or is reasonably believed to have been,  
            accessed by an unauthorized person. 

          2)Requires disclosure to be made in the most expedient time  
            frame possible consistent with the legitimate needs of law  
            enforcement. 

          3)Defines "personal information" as an individual's first and  
            last name in combination with any one or more of the  
            following: social security number; driver's license number or  
            California Identification Card; or an account, credit or debit  
            card number in combination with any required security code or  
            password that would permit access to the account.  The  
            definition specifically excludes public information lawfully  
            made available from government records. 

          4)Defines "notice" as being provided by one of three methods:
            written notice; electronic notice consistent with federal law;
            or substitute notice.

          5)Allows a substitute notice only upon demonstration that the  
            cost of providing notice would exceed $250,000, or more than  
            500,000 people would be notified.  The substitute notice must  
            consist of the following three actions:  email notice, posting  
            notice on the notifier's website, and notification of the  
            major statewide media. 

          6)Permits an agency, person or business to comply with these
            provisions by utilizing their own notification procedures as
            part of an information security policy, as long as such
            procedures are otherwise consistent with the timing
            requirements of this bill.

           FISCAL EFFECT  

          Potential minor absorbable General Fund or special costs for  
          departments to provide the required notifications in the event  
          of a security breach.


           COMMENTS  

          1)Purpose.  This bill is intended to help consumers protect
            their financial security by requiring that state agencies and  
            businesses that keep consumers' personal information in a  
            computerized data system to quickly disclose to consumers any  
            breach of the security of the system, if the information  
            disclosed could be used to commit identity theft.  A consumer  
            injured by a violation of the provisions of this bill would  
            have the right to bring civil suit and recover damages.  

            According to the author, the provisions of this bill were  
            partially inspired by the recent incident at the state's  
            Stephen P. Teale Data Center in which computer hackers were  
            able to illegally access sensitive financial and personal  
            information regarding approximately 265,000 state workers.  On  
            June 6, 2002, the Senate Committee on Privacy, chaired by this  
            bill's author, held an informational hearing on the incident  
            to explore why the breach, which reportedly occurred on April  
            5, 2002, was not discovered until May 7, 2002 and employees  
            were not notified until May 21, 2002.  Private sector  
            businesses have also encountered similar security problems.

          2)Opposition.  The Information Technology Association of America
            (ITAA) is concerned about piecemeal state-by-state regulation  
            of this issue and believes it is best left to the purview of  
            federal government.  ITAA is also concerned that the bill  
            lacks any caps on liability.  

          3)Related Legislation.  AB 2297 (Simitian), pending in the
            Senate Judiciary Committee, requires a person or entity  
            conducting business on an Internet website that collects  
            personal and identifying information to notify each individual  
            who may have been affected in the case of a breach of security  
            that results in the disclosure of personal and identifying  
            information.

          Analysis Prepared by:    Chuck Nicol / APPR. / (916) 319-2081