BILL ANALYSIS

                                                                  SB 550
                                                                  Page  1

          Date of Hearing:   July 6, 2005

                      ASSEMBLY COMMITTEE ON BANKING AND FINANCE
                                 Ron Calderon, Chair
              SB 550 (Speier) - As Proposed to be Amended:  July 6, 2005
           
          SUBJECT:   Data brokers

          SUMMARY:   Establishes the California Data Brokers Access and  
          Accuracy Act of 2005 (the Act) which requires data brokers to  
          authenticate their customers before providing them with consumer  
          data files.  The Act also allows a consumer who is the subject  
          of a consumer data file to receive, upon request, information  
          contained about him or her in the file.  Specifically, this  
          bill:  

          1)Establishes the following definitions:

             a)   Provides that "consumer data file" means personally  
               identifiable information about an individual, in whatever  
               form or by whatever means it is compiled, maintained or  
               furnished, that is retrievable by, indexed by, or includes  
               four or more digits of an individual's Social Security  
               number (SSN), driver's license number, nondriver  
               identification number, or biometric identifier.  "Consumer  
               data file" does not include:

               i)     Compilations of personally identifiable information  
                 derived solely from widely distributed media or published  
                 court opinions.

               ii)    Compilations of personally identifiable information  
                 held or used solely for the purpose of servicing or  
                 processing a financial product or service requested or  
                 authorized by the consumer.

               iii)   Compilations of personally identifiable information  
                 held and used solely for one or both of the following:  
                 fraud prevention; or to comply with the USA PATRIOT ACT.   


               iv)    Compilations of personally identifiable information  
                 that is not reasonably expected to include or does not  
                 typically include any of the following: four or more  
                 digits of an individual's SSN, driver's license number,  
                 nondriver identification number, or biometric identifier.  


             b)   "Data broker" means any person other than a governmental  
               entity that regularly engages in compiling or maintaining  
               consumer data files used or expected to be used or  
               collected in whole or in part for the purpose of providing  
               consumer data files, or access to those files, to  
               nonaffiliated third parties for monetary fees, dues, or on  
               a cooperative nonprofit basis. "Data broker" does not  
               include:

               i)     Any financial institution subject to the provisions  
                 of Division 1.2 of the Financial Code, except that a  
                 consumer reporting agency shall be excluded from the  
                 definition of "data broker" only to the extent it is  
                 engaged in an activity regulated by the Fair Credit  
                 Reporting Act (FCRA).
                 
               ii)    Any person when furnishing information to a consumer  
                 reporting agency pursuant to and in compliance with the  
                 FCRA.

               iii)   Any "covered entity," as defined in the Health  
                 Insurance Portability and Accountability Act of 1996  
                 (HIPAA) regulations.

               iv)    Any person that does not furnish personally  
                 identifiable information except public record information  
                 solely relating to property characteristics, as defined,  
                 or the right, title, or interest in real property.

               v)     An internet service provider (ISP), as defined,  
                 unless the ISP is in the business of collecting  
                 personally identifiable information for the primary  
                 purpose of compiling consumer data files for the purpose  
                 of providing consumer data files, or access to those  
                 files, to nonaffiliated third parties for monetary fees,  
                 dues, or on a cooperative nonprofit basis.
           
             c)   "Fraud prevention" means:

               i)     Investigation by a business of a customer of that  
                 business who is suspected of committing fraud.

               ii)    An evaluation of the authenticity or veracity of a  
                 customer's identity based on the customer's personally  
                 identifiable information that is provided as part of a  
                 customer-initiated transaction.

             d)   "Personally identifiable information" means information  
               that identifies, relates to, or describes a particular  
               individual.

             e)   "Widely distributed media" means media available to the  
               general public and includes a telephone book, a television  
               or radio program, a newspaper, or a Web site that is  
               available to the general public on an unrestricted basis.

          2)Requires a data broker, upon request, to disclose to an  
            individual:

             a)   All consumer data files about the individual compiled or  
               maintained by the broker.
             
             b)   The specific sources of the consumer data files about  
               the individual.

          3)Specifies that the disclosure described above shall be  
            provided once during any 12-month period without charge to the  
            individual, and for additional disclosures during the 12-month  
            period, the data broker may charge the individual a reasonable  
            fee, not to exceed $20.

          4)Specifies that a data broker must require an individual who  
            has requested information in a data file to furnish proper  
            identification. A data broker shall collect only as much  
            personally identifiable information from an individual as is  
            reasonably necessary to properly identify the individual. A  
            data broker shall use the personally identifiable information  
            provided by an individual solely for the purpose of processing  
            the transaction requested by the individual.

          5)Requires a data broker to post, in a specified manner, a  
            notice on its Web site that clearly and conspicuously states  
            all of the following:

             a)   An individual's right to access consumer data files.

             b)   Whether four or more digits of a SSN, driver's license  
               number, nondriver identification number, or biometric  
               identifier may be communicated to a third party.

             c)   Examples of third parties to which consumer data files  
               are communicated.

             d)   Examples of the purposes for which the third parties may  
               use consumer data files.

          6)Requires a data broker to notify an individual of his or her  
            right to access personally identifiable information and the  
            right to request and receive prompt correction of errors in  
            that information in a live or automated message through its  
            customer service telephone number.

          7)Requires a data broker to have:

             a)   A secure and dependable authentication process for each  
               third party to whom the data broker furnishes or permits to  
               have access to consumer data files. A data broker shall  
               maintain reasonable procedures to avoid unauthorized access  
               to consumer data files, including requiring prospective  
               recipients to identify themselves, certify the purposes for  
               which the information is sought, and certify that the  
               information will be used for no other purpose. A data  
               broker shall make a reasonable effort to verify the  
               identity of a new prospective recipient and the uses  
               certified by the prospective recipient prior to furnishing  
               a consumer data file. No data broker may furnish a consumer  
               data file to any person if it has reasonable grounds for  
               believing the consumer data file will be used for any  
               purpose in violation of any applicable federal or state law  
               or regulation.

             b)   A process to determine which subscribed access code  
               accessed consumer data files or identity verification  
               services, which consumer data files have been accessed and  
               by whom, and for what purpose the files or services were  
               accessed.  

          8)Establishes that any waiver of a provision of the Act is  
            contrary to public policy and is void and unenforceable.

          9)Establishes the following penalties for a violation of the  
            Act:

             a)   Any individual injured by a violation may institute a  
               civil action to recover damages.

             b)   In addition to damages, for a willful, intentional, or  
               reckless violation, an individual may recover a civil  
               penalty not to exceed $3,000 per violation.  Otherwise, the  
               individual may recover a civil penalty of up to $500 per  
               violation for a violation of this title.

             c)   Any data broker that violates, proposes to violate, or  
               has violated this Act may be enjoined.

             d)   The rights and remedies available are cumulative with  
               each other and with any other rights and remedies available  
               under law.


          EXISTING STATE LAW:

          1)Requires a business, except those covered by specified privacy  
            laws, that owns or licenses personal information about a  
            California resident to implement and maintain reasonable  
            security procedures and practices appropriate to the nature of  
            the information, to protect the personal information from  
            unauthorized access, destruction, use, modification or  
            disclosure. (Civil Code, Section 1798.81.5(b))

          2)Requires a business, except those covered by specified privacy  
            laws, that discloses personal information about a California  
            resident pursuant to a contract with a non-affiliated third  
            party to require by contract that the third party implement  
            and maintain reasonable security procedures and practices  
            appropriate to the nature of the information to protect the  
            personal information from unauthorized access, destruction,  
            use, modification or disclosure. (Civil Code, Section  
            1798.81.5(c))

          3)Requires a business that owns or licenses personal information  
            to implement and maintain reasonable security procedures and  
            practices and requires a business which owns or licenses  
            computerized personal information to provide notice of any  
            breach in the security of the data, as specified. (Civil Code,  
            Section 1798.82)

          4)Requires that a business must either disclose to customers,  
            upon request, what categories of personal information the  
            business shares with third parties for marketing purposes, or  
            provide customers with the ability to opt-out of having their  
            information shared for marketing purposes.  (Civil Code,  
            Section 1798.83.)

          5)Provides that any customer who is injured by a violation of  
            any of the above provisions may bring a civil action to  
            recover damages. (Civil Code, Section 1798.84)

          6)Establishes the California Financial Information Privacy Act,  
            which would prohibit financial institutions from sharing or  
            selling personally identifiable nonpublic information without  
            obtaining a consumer's consent, as provided.  (Financial Code,  
            Section 4050 et seq.)

          EXISTING FEDERAL LAW:

          1)Establishes the FCRA as amended by the Fair and Accurate  
            Credit Transactions Act of 2003 (FACT Act) (Public Law  
            108-159), which provides consumers, upon request, with one  
            free credit report from each consumer reporting agency (CRA)  
            in every 12-month period.  A consumer is entitled to all  
            information in his or her file at the time of the request,  
            except as specified, and the agencies are responsible for  
            correcting inaccuracies.  The FCRA covers CRAs and other  
            issuers of consumer reports such as tenant and employment  
            screening services.  Consumer credit reports may only be used  
            for "permissible purposes" including employment, credit,  
            insurance, rental housing, child support enforcement and  
            collection purposes. (15 U.S.C. 1681 et seq.)

          2)Establishes HIPAA (Public Law 104-191) which, among other  
            things, provides for the privacy of health information created  
            or maintained by health care entities.  The federal  
            regulations implementing HIPAA's privacy provisions govern a  
            "covered entity" which means a:

             a)   Health plan

             b)   Health care clearinghouse

             c)   Health care provider who transmits any health  
               information in electronic form in connection with a  
               transaction as defined. (45 CFR 160.103)
                   
          FISCAL EFFECT:   None

          COMMENTS:  SB 550 provides for the regulation of data brokers  
          and gives consumers the ability to access information retained  
          about them in a data broker's consumer data files.  This bill  
          came about as the result of numerous data breaches that have  
          been reported over the last six months, particularly the  
          ChoicePoint and LexisNexis breaches.  

          The data breaches were the subject of a recent Senate Banking,  
          Finance and Insurance Committee hearing.  This bill is a result  
          of that hearing and subsequent negotiations.    

          According to the author, this bill is necessary because "more  
          rigorous customer authentication would help ensure that  
          businesses use consumer information for legitimate purposes; . .  
          . better authentication would have prevented the 2004  
          ChoicePoint data breach in which individuals posing as  
          legitimate companies were able to compromise the records of  
          145,000 consumers."  

          Also, "regarding the section of the bill that would allow  
          consumers to view all of the information about them held by data  
          brokers . . .  consumers have a fundamental right to this  
          access, particularly because data brokers typically collect and  
          sell consumer information without consumers' knowledge or  
          consent." 

          Proposed amendments.   The proposed amendments address many of  
          the issues the opponents of the measure have raised; however,  
          some groups remain in opposition because they have not had time  
          to analyze the impact of the new language.  The opponents also  
          argue that, even with these amendments, the definitions of data  
          broker and consumer data file are too broad and may  
          inadvertently include entities that should not be regulated.  


           Definition of data broker.   In general, a data broker is an  
          entity that assimilates information in a database and sells it  
          to unaffiliated third parties.  The databases may be used for a  
          wide array of purposes including identity verification, research  
          or marketing.  The information included as part of a database  
          may be as simple as name, address and phone number, but it could  
          also contain a wide array of personal information such as a  
          consumer's SSN and credit history, the magazines she subscribes  
          to, her dress size, type of car she drives and the number and  
          ages of children she has. 

          Under SB 550, any entity, other than the government, is a data  
          broker if it regularly engages in compiling or maintaining  
          personally identifiable information about consumers and provides  
          that information to nonaffiliated third parties for compensation  
          of some sort.  CRAs, covered entities governed by the HIPAA  
          Privacy Rule, title companies and ISPs are not included in the  
          definition of data brokers.  

          Most financial institutions are also excluded from the  
          definition of data broker except those financial institutions  
          that are part of a consumer reporting agency but are not subject  
          to FCRA.  These entities are financial institutions under the  
          federal Gramm-Leach-Bliley Act (GLBA) (Public Law 106-102) and  
          SB 1 (Speier) (Chapter 241, Statutes of 2003) because they  
          receive information from a financial institution such as  
          transaction or credit header data. (Credit header data  
          accompanies a consumer's credit report and consists of name,  
          address, and Social Security number, among other information.)   
          Under GLBA and SB 1, these financial institutions are limited as  
          to how the data can be used.  Examples of permissible uses  
          include fraud prevention and detection, institutional risk  
          management and to complete a transaction.  

           Definition of consumer data file.   SB 550 defines a consumer  
          data file as personally identifiable information about an  
          individual that includes four or more digits of an individual's  
          SSN, driver's license number, nondriver identification number,  
          or biometric identifier.  A consumer data file does not include  
          data derived solely from widely distributed media or published  
          court opinions.  It also excludes information used solely for  
          fraud prevention and/or complying with the Patriot Act.  

          Any entity that has personally identifiable information about a  
          consumer and provides it to a third party for compensation  
          becomes a data broker under SB 550.  The bill currently does not  
          distinguish between information voluntarily provided by the  
          consumer and information collected without a consumer's  
          knowledge.  Other recently enacted statutes such as the "Do Not  
          Call" law distinguish between customers and those that have no  
          relationship with the entity making the calls.   

          Based on FCRA.   The structure of SB 550 is loosely modeled on  
          the federal FCRA which requires CRAs to handle information in a  
          consumer report in a specified manner, share the reports only  
          with specified users and provide consumers a copy of their  
          report upon request.  The FCRA also includes a mechanism to  
          allow consumers to dispute information contained on their report  
          and specifies a process that CRAs must follow in order to verify  
          the accuracy of the disputed information.  

          As proposed to be amended, the bill no longer includes a  
          controversial provision which would have given consumers the  
          ability to correct information in files held by data brokers.   
          The bill now allows consumers to access their files but does not  
          allow for correction of errors.  

           Customer authentication.   In the case of the ChoicePoint data  
          breach, the company sold information about consumers, including  
          SSNs, to individuals who posed as representatives from  
          legitimate businesses.  The individuals did not steal the data  
          from ChoicePoint, but instead were paying customers who used the  
          data to steal identities.  

          Existing law, AB 1950 (Wiggins), (Chapter 877, Statutes of 2004)  
          requires any entity that has specified personal information  
          about a California consumer to have reasonable security  
          procedures to protect that information from unauthorized access.  
           AB 1950 was not in effect when the ChoicePoint breach occurred  
          last year.  Had it been, a strong case could be made that  
          ChoicePoint was in violation of the law because it did not have  
          "reasonable security procedures" in place. 

          SB 550 would require data brokers to maintain reasonable  
          procedures to avoid unauthorized access to consumer data files,  
          including requiring prospective recipients to identify  
          themselves, certify the purposes for which the information is  
          sought, and certify that the information will be used for no  
          other purpose.

          The opponents of the measure argue "the bill would impose a  
          process that requires each customer to certify their intended  
          use when accessing publicly available data, even though there is  
          no such requirement when anyone obtains the same information by  
          requesting a public record from a government entity."  

          However, SB 550 requires that data brokers must know their  
          customers in all instances, not just those where the customer is  
          receiving information provided in public records.  In light of  
          the volume and sensitivity of information held by data brokers,  
          a requirement to know who is receiving the information does not  
          seem unreasonable. 

          Finding data brokers.   Today, consumers know the names  
          ChoicePoint, LexisNexis and Acxiom largely because they recently  
          suffered data breaches.  However, there is an unknown quantity  
          of other data brokers that consumers may never find.  SB 550  
          is silent on how consumers will be able to identify data brokers  
          in order to obtain a copy of their records.  

           Federal legislation.   Congress is currently considering over a  
          dozen legislative proposals dealing with data brokers.   One  
          example is the Personal Data Security and Privacy Act authored  
          by Senators Arlen Specter and Patrick Leahy.  This measure would  
          regulate the activities of data brokers, allow consumers access  
          to information in their files, enhance penalties for the misuse  
          of personal information and require notice of data breaches in  
          specified circumstances.  At this point, the measure does not  
          preempt state laws that go further except to the extent the laws  
          are in conflict.  A House of Representatives version contains  
          similar provisions regulating data brokers, but it would preempt  
          state laws.   

          REGISTERED SUPPORT / OPPOSITION:

          Support

          CalPIRG
          Consumer Action
          Consumer Federation of California
          Consumers Union
          Privacy Rights Clearinghouse
          World Privacy Forum

          Opposition

          Acxiom
          American Electronics Association
          Association of California Insurance Companies
          California Association of Collectors
          California Association of Licensed Investigators
          California Bankers Association
          California Chamber of Commerce
          California Financial Services Association 
          California Mortgage Bankers Association
          California Retailers Association
          ChoicePoint
          Experian
          First American Corporation
          LexisNexis
          NetChoice
          TransUnion

          Analysis Prepared by:   Margaret Gladstein / B. & F. / (916)  
          319-3081