BILL ANALYSIS
SB 550
Page 1

Date of Hearing: July 6, 2005
ASSEMBLY COMMITTEE ON BANKING AND FINANCE
Ron Calderon, Chair
SB 550 (Speier) - As Proposed to be Amended: July 6, 2005

SUBJECT: Data brokers

SUMMARY: Establishes the California Data Brokers Access and Accuracy Act of 2005 (the Act), which requires data brokers to authenticate their customers before providing them with consumer data files. The Act also allows a consumer who is the subject of a consumer data file to receive, upon request, the information contained about him or her in the file. Specifically, this bill:

1) Establishes the following definitions:

   a) Provides that "consumer data file" means personally identifiable information about an individual, in whatever form or by whatever means it is compiled, maintained or furnished, that is retrievable by, indexed by, or includes four or more digits of an individual's Social Security number (SSN), driver's license number, nondriver identification number, or biometric identifier. "Consumer data file" does not include:

      i) Compilations of personally identifiable information derived solely from widely distributed media or published court opinions.

      ii) Compilations of personally identifiable information held or used solely for the purpose of servicing or processing a financial product or service requested or authorized by the consumer.

      iii) Compilations of personally identifiable information held and used solely for one or both of the following: fraud prevention; or to comply with the USA PATRIOT Act.

      iv) Compilations of personally identifiable information that is not reasonably expected to include or does not typically include any of the following: four or more digits of an individual's SSN, driver's license number, nondriver identification number, or biometric identifier.
   b) "Data broker" means any person other than a governmental entity that regularly engages in compiling or maintaining consumer data files used or expected to be used or collected in whole or in part for the purpose of providing consumer data files, or access to those files, to nonaffiliated third parties for monetary fees, dues, or on a cooperative nonprofit basis. "Data broker" does not include:

      i) Any financial institution subject to the provisions of Division 1.2 of the Financial Code, except that a consumer reporting agency shall be excluded from the definition of "data broker" only to the extent it is engaged in an activity regulated by the Fair Credit Reporting Act (FCRA).

      ii) Any person when furnishing information to a consumer reporting agency pursuant to and in compliance with the FCRA.

      iii) Any "covered entity," as defined in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulations.

      iv) Any person that does not furnish personally identifiable information except public record information solely relating to property characteristics, as defined, or the right, title, or interest in real property.

      v) An internet service provider (ISP), as defined, unless the ISP is in the business of collecting personally identifiable information for the primary purpose of compiling consumer data files for the purpose of providing consumer data files, or access to those files, to nonaffiliated third parties for monetary fees, dues, or on a cooperative nonprofit basis.

   c) "Fraud prevention" means:

      i) Investigation by a business of a customer of that business who is suspected of committing fraud.

      ii) An evaluation of the authenticity or veracity of a customer's identity based on the customer's personally identifiable information that is provided as part of a customer-initiated transaction.

   d) "Personally identifiable information" means information that identifies, relates to, or describes a particular individual.
   e) "Widely distributed media" means media available to the general public and includes a telephone book, a television or radio program, a newspaper, or a Web site that is available to the general public on an unrestricted basis.

2) Requires a data broker, upon request, to disclose to an individual:

   a) All consumer data files about the individual compiled or maintained by the broker.

   b) The specific sources of the consumer data files about the individual.

3) Specifies that the disclosure described above shall be provided once during any 12-month period without charge to the individual, and that for additional disclosures during the 12-month period the data broker may charge the individual a reasonable fee, not to exceed $20.

4) Specifies that a data broker must require an individual who has requested information in a data file to furnish proper identification. A data broker shall collect only as much personally identifiable information from an individual as is reasonably necessary to properly identify the individual. A data broker shall use the personally identifiable information provided by an individual solely for the purpose of processing the transaction requested by the individual.

5) Requires a data broker to post, in a specified manner, a notice on its Web site that clearly and conspicuously states all of the following:

   a) An individual's right to access consumer data files.

   b) Whether four or more digits of a SSN, driver's license number, nondriver identification number, or biometric identifier may be communicated to a third party.

   c) Examples of third parties to which consumer data files are communicated.

   d) Examples of the purposes for which the third parties may use consumer data files.
6) Requires a data broker to notify an individual of his or her right to access personally identifiable information and the right to request and receive prompt correction of errors in that information in a live or automated message through its customer service telephone number.

7) Requires a data broker to have:

   a) A secure and dependable authentication process for each third party to whom the data broker furnishes or permits to have access to consumer data files. A data broker shall maintain reasonable procedures to avoid unauthorized access to consumer data files, including requiring prospective recipients to identify themselves, certify the purposes for which the information is sought, and certify that the information will be used for no other purpose. A data broker shall make a reasonable effort to verify the identity of a new prospective recipient and the uses certified by the prospective recipient prior to furnishing a consumer data file. No data broker may furnish a consumer data file to any person if it has reasonable grounds for believing the consumer data file will be used for any purpose in violation of any applicable federal or state law or regulation.

   b) A process to determine which subscriber access code accessed consumer data files or identity verification services, which consumer data files have been accessed and by whom, and for what purpose the files or services were accessed.

8) Establishes that any waiver of a provision of the Act is contrary to public policy and is void and unenforceable.

9) Establishes the following penalties for a violation of the Act:

   a) Any individual injured by a violation may institute a civil action to recover damages.

   b) In addition to damages, for a willful, intentional, or reckless violation, an individual may recover a civil penalty not to exceed $3,000 per violation. Otherwise, the individual may recover a civil penalty of up to $500 per violation for a violation of this title.
   c) Any data broker that violates, proposes to violate, or has violated this Act may be enjoined.

   d) The rights and remedies available are cumulative with each other and with any other rights and remedies available under law.

EXISTING STATE LAW:

1) Requires a business, except those covered by specified privacy laws, that owns or licenses personal information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification or disclosure. (Civil Code, Section 1798.81.5(b))

2) Requires a business, except those covered by specified privacy laws, that discloses personal information about a California resident pursuant to a contract with a non-affiliated third party to require by contract that the third party implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification or disclosure. (Civil Code, Section 1798.81.5(c))

3) Requires a business that owns or licenses personal information to implement and maintain reasonable security procedures and practices, and requires a business that owns or licenses computerized personal information to provide notice of any breach in the security of the data, as specified. (Civil Code, Section 1798.82)

4) Requires that a business either disclose to customers, upon request, what categories of personal information the business shares with third parties for marketing purposes, or provide customers with the ability to opt out of having their information shared for marketing purposes. (Civil Code, Section 1798.83)

5) Provides that any customer who is injured by a violation of any of the above provisions may bring a civil action to recover damages.
   (Civil Code, Section 1798.84)

6) Establishes the California Financial Information Privacy Act, which prohibits financial institutions from sharing or selling personally identifiable nonpublic information without obtaining a consumer's consent, as provided. (Financial Code, Section 4050 et seq.)

EXISTING FEDERAL LAW:

1) Establishes the FCRA as amended by the Fair and Accurate Credit Transactions Act of 2003 (FACT Act) (Public Law 108-159), which provides consumers, upon request, with one free credit report from each consumer reporting agency (CRA) in every 12-month period. A consumer is entitled to all information in his or her file at the time of the request, except as specified, and the agencies are responsible for correcting inaccuracies. The FCRA covers CRAs and other issuers of consumer reports such as tenant and employment screening services. Consumer credit reports may only be used for "permissible purposes" including employment, credit, insurance, rental housing, child support enforcement and collection purposes. (15 U.S.C. 1681 et seq.)

2) Establishes HIPAA (Public Law 104-191) which, among other things, provides for the privacy of health information created or maintained by health care entities. The federal regulations implementing HIPAA's privacy provisions govern a "covered entity," which means a:

   a) Health plan

   b) Health care clearinghouse

   c) Health care provider who transmits any health information in electronic form in connection with a transaction as defined. (45 CFR 160.103)

FISCAL EFFECT: None

COMMENTS:

SB 550 provides for the regulation of data brokers and gives consumers the ability to access information retained about them in a data broker's consumer data files. This bill came about as the result of numerous data breaches that have been reported over the last six months, particularly the ChoicePoint and LexisNexis breaches. The data breaches were the subject of a recent Senate Banking, Finance and Insurance Committee hearing.
This bill is a result of that hearing and subsequent negotiations. According to the author, this bill is necessary because "more rigorous customer authentication would help ensure that businesses use consumer information for legitimate purposes; . . . better authentication would have prevented the 2004 ChoicePoint data breach in which individuals posing as legitimate companies were able to compromise the records of 145,000 consumers." Also, "regarding the section of the bill that would allow consumers to view all of the information about them held by data brokers . . . consumers have a fundamental right to this access, particularly because data brokers typically collect and sell consumer information without consumers' knowledge or consent."

Proposed amendments. The proposed amendments address many of the issues the opponents of the measure have raised; however, some groups remain in opposition because they have not had time to analyze the impact of the new language. The opponents also argue that, even with these amendments, the definitions of data broker and consumer data file are too broad and may inadvertently include entities that should not be regulated.

Definition of data broker. In general, a data broker is an entity that assimilates information in a database and sells it to unaffiliated third parties. The databases may be used for a wide array of purposes including identity verification, research or marketing. The information included as part of a database may be as simple as name, address and phone number, but it could also contain a wide array of personal information such as a consumer's SSN and credit history, the magazines she subscribes to, her dress size, the type of car she drives and the number and ages of children she has.
Under SB 550, any entity other than the government is a data broker if it regularly engages in compiling or maintaining personally identifiable information about consumers and provides that information to nonaffiliated third parties for compensation of some sort. CRAs, covered entities governed by the HIPAA Privacy Rule, title companies and ISPs are not included in the definition of data brokers. Most financial institutions are also excluded from the definition of data broker, except those financial institutions that are part of a consumer reporting agency but are not subject to FCRA. These entities are financial institutions under the federal Gramm-Leach-Bliley Act (GLBA) (Public Law 106-102) and SB 1 (Speier) (Chapter 241, Statutes of 2003) because they receive information from a financial institution such as transaction or credit header data. (Credit header data accompanies a consumer's credit report and consists of name, address, and Social Security number, among other information.) Under GLBA and SB 1, these financial institutions are limited as to how the data can be used. Examples of permissible uses include fraud prevention and detection, institutional risk management and completing a transaction.

Definition of consumer data file. SB 550 defines a consumer data file as personally identifiable information about an individual that includes four or more digits of an individual's SSN, driver's license number, nondriver identification number, or biometric identifier. A consumer data file does not include data derived solely from widely distributed media or published court opinions. It also excludes information used solely for fraud prevention and/or complying with the Patriot Act. Any entity that has personally identifiable information about a consumer and provides it to a third party for compensation becomes a data broker under SB 550.
The bill currently does not distinguish between information voluntarily provided by the consumer and information collected without a consumer's knowledge. Other recently enacted statutes, such as the "Do Not Call" law, distinguish between customers and those that have no relationship with the entity making the calls.

Based on FCRA. The structure of SB 550 is loosely modeled on the federal FCRA, which requires CRAs to handle information in a consumer report in a specified manner, share the reports only with specified users and provide consumers a copy of their report upon request. The FCRA also includes a mechanism to allow consumers to dispute information contained on their report and specifies a process that CRAs must follow in order to verify the accuracy of the disputed information. As proposed to be amended, the bill no longer includes a controversial provision which would have given consumers the ability to correct information in files held by data brokers. The bill now allows consumers to access their files but does not allow for correction of errors.

Customer authentication. In the case of the ChoicePoint data breach, the company sold information about consumers, including SSNs, to individuals who posed as representatives from legitimate businesses. The individuals did not steal the data from ChoicePoint, but instead were paying customers who used the data to steal identities. Existing law, AB 1950 (Wiggins) (Chapter 877, Statutes of 2004), requires any entity that has specified personal information about a California consumer to have reasonable security procedures to protect that information from unauthorized access. AB 1950 was not in effect when the ChoicePoint breach occurred last year. Had it been, a strong case could be made that ChoicePoint was in violation of the law because it did not have "reasonable security procedures" in place.
SB 550 would require data brokers to maintain reasonable procedures to avoid unauthorized access to consumer data files, including requiring prospective recipients to identify themselves, certify the purposes for which the information is sought, and certify that the information will be used for no other purpose. The opponents of the measure argue "the bill would impose a process that requires each customer to certify their intended use when accessing publicly available data, even though there is no such requirement when anyone obtains the same information by requesting a public record from a government entity." However, SB 550 requires that data brokers must know their customers in all instances, not just those where the customer is receiving information provided in public records. In light of the volume and sensitivity of information held by data brokers, a requirement to know who is receiving the information does not seem unreasonable.

Finding data brokers. Today, consumers know the names ChoicePoint, LexisNexis and Acxiom largely because they recently suffered data breaches. However, there is an unknown quantity of other data brokers that consumers may never find. SB 550 is silent on how consumers will be able to identify data brokers in order to obtain a copy of their records.

Federal legislation. Congress is currently considering over a dozen legislative proposals dealing with data brokers. One example is the Personal Data Security and Privacy Act authored by Senators Arlen Specter and Patrick Leahy. This measure would regulate the activities of data brokers, allow consumers access to information in their files, enhance penalties for the misuse of personal information and require notice of data breaches in specified circumstances. At this point, the measure does not preempt state laws that go further, except to the extent the laws are in conflict.
A House of Representatives version contains similar provisions regulating data brokers, but it would preempt state laws.

REGISTERED SUPPORT / OPPOSITION:

Support

CalPIRG
Consumer Action
Consumer Federation of California
Consumers Union
Privacy Rights Clearinghouse
World Privacy Forum

Opposition

Acxiom
American Electronics Association
Association of California Insurance Companies
California Association of Collectors
California Association of Licensed Investigators
California Bankers Association
California Chamber of Commerce
California Financial Services Association
California Mortgage Bankers Association
California Retailers Association
ChoicePoint
Experian
First American Corporation
LexisNexis
NetChoice
TransUnion

Analysis Prepared by: Margaret Gladstein / B. & F. / (916) 319-3081