BILL ANALYSIS
SB 1386
Page 1

SENATE THIRD READING
SB 1386 (Peace)
As Amended August 23, 2002
Majority vote

SENATE VOTE: 32-0

JUDICIARY 9-3
Ayes: Corbett, Dutra, Jackson, Longville, Shelley, Steinberg, Vargas, Wayne, Aroner
Nays: Harman, Bates, Robert Pacheco

BUSINESS AND PROFESSIONS 7-1
Ayes: Correa, Cardenas, Cedillo, Corbett, Kelley, Koretz, Nation
Nays: Wyman

APPROPRIATIONS 16-7
Ayes: Steinberg, Alquist, Aroner, Cohn, Corbett, Correa, Diaz, Firebaugh, Goldberg, Negrete McLeod, Papan, Pavley, Simitian, Keeley, Wiggins, Wright
Nays: Bates, Ashburn, Daucher, Maldonado, Robert Pacheco, Runner, Zettel

SUMMARY: Seeks to help consumers protect their financial security. Specifically, this bill:

1) Requires an agency, person, or business that conducts business in California and owns or licenses computerized data containing personal information to disclose any security breach to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

2) Requires disclosure to be made in the most expedient time frame possible consistent with the legitimate needs of law enforcement.
3) Defines "personal information" as an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: social security number; driver's license number or California Identification Card number; or an account, credit or debit card number in combination with any required security code or password that would permit access to the account. The definition specifically excludes public information lawfully made available from government records.

4) Defines "notice" as being provided by one of three methods: written notice; electronic notice consistent with federal law; or substitute notice.

5) Allows a substitute notice only upon demonstration that the cost of providing notice would exceed $250,000, or that more than 500,000 people would be notified. The substitute notice must consist of the following three actions: email notice, posting notice on the notifier's Web site, and notification of the major statewide media.

6) Permits an agency, person or business to comply with these provisions by utilizing its own notification procedures as part of an information security policy, as long as such procedures are otherwise consistent with the timing requirements of this bill.

EXISTING LAW:

1) Regulates the maintenance and dissemination of personal information by state agencies under the Information Practices Act. Provides that an agency may not disclose any personal information in a manner that would link the information disclosed to the individual to whom it pertains unless the disclosure falls into one of a number of specified exceptions, and requires an agency to maintain an accurate accounting of the date, nature and purpose of each disclosure of a record made pursuant to specified exceptions.
2) Requires a business to take all reasonable steps to destroy, or arrange for the destruction of, a customer's records containing personal information which is no longer to be retained by the business, as specified.

3) Provides that the crime of identity theft occurs when any person willfully obtains personal identifying information of another person and uses that information for an unlawful purpose. Existing law defines "personal identifying information" as the name, address, telephone number, driver's license number, social security number, place of employment, employee identification number, mother's maiden name, demand deposit account number, savings account number, or credit card number of an individual person.

FISCAL EFFECT: According to the Assembly Appropriations analysis, potential minor absorbable General Fund or special fund costs for departments to provide the required notifications in the event of a security breach.

COMMENTS: This bill is intended to help consumers protect their financial security by requiring state agencies and businesses that keep consumers' personal information in a computerized data system to quickly disclose to consumers any breach of the security of the system, if the information disclosed could be used to commit identity theft. A consumer injured by a violation of the provisions of this bill would have the right to bring civil suit and recover damages.

According to the author, the provisions of this bill were partially inspired by the recent incident at the state's Stephen P. Teale Data Center, in which computer hackers were able to illegally access sensitive financial and personal information regarding approximately 265,000 state workers. On June 6, 2002, the Senate Committee on Privacy, chaired by this bill's author, held an informational hearing on the incident to explore why the breach, which reportedly occurred on April 5, 2002, was not discovered until May 7, 2002, and why employees were not notified until May 21, 2002.
Private sector businesses have also encountered similar security problems.

Analysis Prepared by: Saskia Kim / JUD. / (916) 319-2334

FN: 0006915
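As an added illustration that is not part of the bill analysis, the following Python encodes the summary's notification trigger (items 1 and 3) and the substitute-notice thresholds (items 4 and 5) as a breach-scoping check an incident responder might run over a description of the affected data store. It is a literal reading of the summary text; the record field names and the cost and headcount inputs are assumptions for the example.

```python
from dataclasses import dataclass, field

# Elements that, combined with a name, make a record "personal information" (item 3).
LISTED_ELEMENTS = {"ssn", "drivers_license", "ca_id_card"}
NAME_FIELDS = {"first_name", "first_initial", "last_name"}
# Item 5: all three actions are required for a substitute notice.
SUBSTITUTE_NOTICE_ACTIONS = ("email notice", "posting on the notifier's Web site",
                             "notification of the major statewide media")

@dataclass
class Record:
    """Constructed description of one field set held in a breached data store.
    Field names are assumptions for this example, not terms from the bill."""
    fields: set
    encrypted: set = field(default_factory=set)  # subset of `fields` stored encrypted

def qualifying_elements(rec: Record) -> set:
    """Listed elements present; an account/card number counts only together with
    a security code or password that would permit access to the account."""
    elems = LISTED_ELEMENTS & rec.fields
    if "account_number" in rec.fields and rec.fields & {"security_code", "password"}:
        elems.add("account_number")
    return elems

def is_personal_information(rec: Record) -> bool:
    """Literal reading of item 3: first name or initial plus last name, combined with
    at least one qualifying element, where the name or an element is unencrypted."""
    name = NAME_FIELDS & rec.fields
    if "last_name" not in name or not (name & {"first_name", "first_initial"}):
        return False
    elems = qualifying_elements(rec)
    if not elems:
        return False
    name_unencrypted = not name <= rec.encrypted
    element_unencrypted = not elems <= rec.encrypted
    return name_unencrypted or element_unencrypted

def substitute_notice_permitted(notice_cost_usd: float, people_to_notify: int) -> bool:
    """Item 5: only when cost would exceed $250,000 or more than 500,000 people."""
    return notice_cost_usd > 250_000 or people_to_notify > 500_000

def notification_path(records, notice_cost_usd: float, people_to_notify: int) -> str:
    """Which notice form items 1, 4 and 5 point to for a constructed breach scope."""
    if not any(is_personal_information(r) for r in records):
        return "no covered personal information in scope"
    if substitute_notice_permitted(notice_cost_usd, people_to_notify):
        return "substitute notice: " + "; ".join(SUBSTITUTE_NOTICE_ACTIONS)
    return "written or electronic notice to each affected California resident"

if __name__ == "__main__":
    payroll = Record({"first_name", "last_name", "ssn", "account_number"})  # constructed
    print(notification_path([payroll], notice_cost_usd=40_000, people_to_notify=265_000))
```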