BILL ANALYSIS
SB 1386
Page 1
SENATE THIRD READING
SB 1386 (Peace)
As Amended August 23, 2002
Majority vote
SENATE VOTE :32-0
JUDICIARY 9-3
Ayes: Corbett, Dutra, Jackson, Longville, Shelley, Steinberg, Vargas, Wayne, Aroner
Nays: Harman, Bates, Robert Pacheco

BUSINESS AND PROFESSIONS 7-1
Ayes: Correa, Cardenas, Cedillo, Corbett, Kelley, Koretz, Nation
Nays: Wyman

APPROPRIATIONS 16-7
Ayes: Steinberg, Alquist, Aroner, Cohn, Corbett, Correa, Diaz, Firebaugh, Goldberg, Negrete McLeod, Papan, Pavley, Simitian, Keeley, Wiggins, Wright
Nays: Bates, Ashburn, Daucher, Maldonado, Robert Pacheco, Runner, Zettel
SUMMARY: Seeks to help consumers protect their financial
security. Specifically, this bill:
1) Requires an agency, person, or business that conducts business
in California and owns or licenses computerized data
containing personal information to disclose any security
breach to any resident of California whose unencrypted
personal information was, or is reasonably believed to have
been, acquired by an unauthorized person.
2) Requires disclosure to be made in the most expedient time
frame possible consistent with the legitimate needs of law
enforcement.
3) Defines "personal information" as an individual's first name
or first initial and last name in combination with any one or
more of the following data elements, when either the name or
the data elements are not encrypted: social security number;
driver's license number or California Identification Card; or
an account, credit or debit card number in combination with
any required security code or password that would permit
access to the account. The definition specifically excludes
public information lawfully made available from government
records.
4) Defines "notice" as being provided by one of three methods:
written notice; electronic notice consistent with federal law;
or substitute notice.
5) Allows a substitute notice only upon demonstration that the
cost of providing notice would exceed $250,000, or that more than
500,000 people would be notified. The substitute notice must
consist of the following three actions: email notice, posting
notice on the notifier's Web site, and notification of the
major statewide media.
6) Permits an agency, person or business to comply with these
provisions by utilizing their own notification procedures as
part of an information security policy, as long as such
procedures are otherwise consistent with the timing
requirements of this bill.
EXISTING LAW:
1) Regulates the maintenance and dissemination of personal
information by state agencies under the Information Practices
Act. Provides that an agency may not disclose any personal
information in a manner that would link the information
disclosed to the individual to whom it pertains unless the
disclosure falls into one of a number of specified exceptions,
and requires an agency to maintain an accurate accounting of
the date, nature and purpose of each disclosure of a record
made pursuant to specified exceptions.
2) Requires a business to take all reasonable steps to destroy or
arrange for the destruction of a customer's records containing
personal information which is no longer to be retained by the
business, as specified.
3) Provides that the crime of identity theft occurs when any
person willfully obtains personal identifying information of
another person and uses that information for an unlawful
purpose. Existing law defines "personal identifying
information" as the name, address, telephone number, driver's
license number, social security number, place of employment,
employee identification number, mother's maiden name, demand
deposit account number, savings account number, or credit card
number of an individual person.
FISCAL EFFECT: According to the Assembly Appropriations
analysis, potential minor absorbable General Fund or special
fund costs for departments to provide the required notifications in
the event of a security breach.
COMMENTS: This bill is intended to help consumers protect their
financial security by requiring state agencies and
businesses that keep consumers' personal information in a
computerized data system to quickly disclose to consumers any
breach of the security of the system, if the information
disclosed could be used to commit identity theft. A consumer
injured by a violation of the provisions of this bill would have
the right to bring a civil suit and recover damages.
According to the author, the provisions of this bill were
partially inspired by the recent incident at the state's Stephen
P. Teale Data Center in which computer hackers were able to
illegally access sensitive financial and personal information
regarding approximately 265,000 state workers. On June 6, 2002,
the Senate Committee on Privacy, chaired by this bill's author,
held an informational hearing on the incident to explore why the
breach, which reportedly occurred on April 5, 2002, was not
discovered until May 7, 2002, and employees were not notified
until May 21, 2002. Private sector businesses have also
encountered similar security problems.
Analysis Prepared by: Saskia Kim / JUD. / (916) 319-2334
FN: 0006915