BILL ANALYSIS                                                                                                                                                                                                    



                                                                  SB 1386
                                                                  Page  1


          SENATE THIRD READING
          SB 1386 (Peace)
          As Amended August 23, 2002
          Majority vote

           SENATE VOTE  :  32-0  
           
           JUDICIARY           9-3         BUSINESS AND PROFESSIONS   7-1
           
           ----------------------------------------------------------------- 
          |Ayes:|Corbett, Dutra, Jackson,  |Ayes:|Correa, Cardenas,         |
          |     |Longville, Shelley,       |     |Cedillo, Corbett, Kelley, |
          |     |Steinberg, Vargas, Wayne, |     |Koretz, Nation            |
          |     |Aroner                    |     |                          |
          |     |                          |     |                          |
          |-----+--------------------------+-----+--------------------------|
          |Nays:|Harman, Bates, Robert     |Nays:|Wyman                     |
          |     |Pacheco                   |     |                          |
          |     |                          |     |                          |
           ----------------------------------------------------------------- 
           APPROPRIATIONS      16-7                                        
           
           ----------------------------------------------------------------- 
          |Ayes:|Steinberg, Alquist,       |     |                          |
          |     |Aroner, Cohn, Corbett,    |     |                          |
          |     |Correa, Diaz, Firebaugh,  |     |                          |
          |     |Goldberg, Negrete McLeod, |     |                          |
          |     |Papan, Pavley, Simitian,  |     |                          |
          |     |Keeley, Wiggins, Wright   |     |                          |
          |     |                          |     |                          |
          |-----+--------------------------+-----+--------------------------|
          |Nays:|Bates, Ashburn, Daucher,  |     |                          |
          |     |Maldonado, Robert         |     |                          |
          |     |Pacheco, Runner, Zettel   |     |                          |
           ----------------------------------------------------------------- 

          SUMMARY  :  Seeks to help consumers protect their financial  
          security.  Specifically,  this bill  :   

          1)Requires an agency, person, or business that conducts business  
            in California and owns or licenses computerized data  
            containing personal information to disclose any security  
            breach to any resident of California whose unencrypted  
            personal information was, or is reasonably believed to have  
            been, acquired by an unauthorized person.

          2)Requires disclosure to be made in the most expedient time  
            frame possible consistent with the legitimate needs of law  
            enforcement.

          3)Defines "personal information" as an individual's first name  
            or first initial and last name in combination with any one or  
            more of the following data elements, when either the name or  
            the data elements are not encrypted:  social security number;  
            driver's license number or California Identification Card; or  
            an account, credit or debit card number in combination with  
            any required security code or password that would permit  
            access to the account.  The definition specifically excludes  
            public information lawfully made available from government  
            records.

          4)Defines "notice" as being provided by one of three methods:   
            written notice; electronic notice consistent with federal law;  
            or substitute notice.

          5)Allows a substitute notice only upon demonstration that the  
            cost of providing notice would exceed $250,000, or more than  
            500,000 people would be notified.  The substitute notice must  
            consist of the following three actions:  email notice, posting  
            notice on the notifier's Web site, and notification of the  
            major statewide media.

          6)Permits an agency, person or business to comply with these  
            provisions by utilizing their own notification procedures as  
            part of an information security policy, as long as such  
            procedures are otherwise consistent with the timing  
            requirements of this bill.

          EXISTING LAW  : 

          1)Regulates the maintenance and dissemination of personal  
            information by state agencies under the Information Practices  
            Act.  Provides that an agency may not disclose any personal  
            information in a manner that would link the information  
            disclosed to the individual to whom it pertains unless the  
            disclosure falls into one of a number of specified exceptions  
            and requires an agency to maintain an accurate accounting of  
            the date, nature and purpose of each disclosure of a record  
            made pursuant to specified exceptions. 

          2)Requires a business to take all reasonable steps to destroy or  
            arrange for the destruction of a customer's records containing  
            personal information which is no longer to be retained by the  
            business, as specified. 

          3)Provides that the crime of identity theft occurs when any  
            person willfully obtains personal identifying information of  
            another person and uses that information for an unlawful  
            purpose.  Existing law defines "personal identifying  
            information" as the name, address, telephone number, driver's  
            license number, social security number, place of employment,  
            employee identification number, mother's maiden name, demand  
            deposit account number, savings account number, or credit card  
            number of an individual person.  

           FISCAL EFFECT  :  According to the Assembly Appropriations  
          analysis, potential minor absorbable General Fund or special  
          costs for departments to provide the required notifications in  
          the event of a security breach.

           COMMENTS :  This bill is intended to help consumers protect their  
          financial security by requiring state agencies and  
          businesses that keep consumers' personal information in a  
          computerized data system to quickly disclose to consumers any  
          breach of the security of the system, if the information  
          disclosed could be used to commit identity theft.  A consumer  
          injured by a violation of the provisions of this bill would have  
          the right to bring civil suit and recover damages.
           
          According to the author, the provisions of this bill were  
          partially inspired by the recent incident at the state's Stephen  
          P. Teale Data Center in which computer hackers were able to  
          illegally access sensitive financial and personal information  
          regarding approximately 265,000 state workers.  On June 6, 2002,  
          the Senate Committee on Privacy, chaired by this bill's author,  
          held an informational hearing on the incident to explore why the  
          breach, which reportedly occurred on April 5, 2002, was not  
          discovered until May 7, 2002 and employees were not notified  
          until May 21, 2002.  Private sector businesses have also  
          encountered similar security problems.

           Analysis Prepared by  :    Saskia Kim / JUD. / (916) 319-2334       
                            FN: 0006915