BILL ANALYSIS
AB 779
Page 1
CONCURRENCE IN SENATE AMENDMENTS
AB 779 (Jones)
As Amended August 31, 2007
Majority vote
ASSEMBLY: 58-2 (June 5, 2007)    SENATE: 30-6 (September 6, 2007)
Original Committee Reference: JUD.
SUMMARY: Makes changes designed to improve California's data
security breach notification law. Specifically, this bill:
1) Prohibits, as of July 1, 2008, a person, business, or public
agency that sells goods or services to any resident in
California and accepts as payment a credit card, debit card, or
other payment device from doing any of the following:
a) Storing payment related data unless the person,
business, or agency has a data retention and disposal
policy which appropriately limits the amount and time that
payment related data are retained;
b) Storing sensitive authentication data, as defined,
subsequent to authorization, even if the data is encrypted;
c) Storing payment verification codes, payment verification
values, PIN verification values, or any payment related
data that is not needed for business purposes;
d) Retaining a primary account number unless retained in a
manner that is consistent with the other provisions of this
bill and in a form that is expected to be indecipherable to
unauthorized persons;
e) Sending payment related data over open, public networks
unless the data is encrypted using strong cryptography and
security protocols or otherwise rendered indecipherable;
and,
f) Failing to limit access to payment related data to only
those individuals whose job requires that access.
2) Exempts from the provision above any person or business
subject to sections 6801 to 6809 of Title 15 of the United
States Code (Gramm-Leach-Bliley Act) and state or federal
statutes or regulations implementing those sections, if the
person or business is subject to compliance oversight by a
state or federal regulatory agency with respect to those
sections.
3) Provides, when breach notification is required, that the
breach notice must be written in plain language and shall
include, at a minimum, all of the following:
a) The date of the notice;
b) The name of the agency, person, or business that
maintained the data at the time of the breach;
c) The date, or estimated date, on which the breach
occurred, if the date or estimated date is possible to
determine;
d) A description of the categories of personal information
that was, or is reasonably believed to have been, acquired
by an unauthorized person;
e) A toll-free number, if available, or an electronic mail
address that the individual may use to contact the person,
entity, or agency responsible for the breach; and,
f) The toll-free numbers and addresses of the major credit
reporting agencies.
4) Provides, when breach notification is required, that the owner
or licensee of the personal information shall be entitled to
reimbursement from the person, business, or agency that
maintained the data for all reasonable and actual costs of
providing notice to consumers.
5) Provides that if substitute notice is utilized, as provided by
existing law, the notice must also be provided to the Office
of Privacy Protection.
The Senate amendments:
1) Clarify that the effective date of this bill is July 1, 2008.
2) Make minor and clarifying changes relating to the required
contents of a breach notification.
3) Incorporate provisions of AB 1298 and provide appropriate
chaptering provisions relative to AB 1298.
FISCAL EFFECT: According to the Senate Appropriations
Committee, the Department of General Services has indicated that
if there were a breach of data security, however, notice and
liability costs to the state could be significant. Under the
bill state agencies would be responsible both for notifying
customers and liable for unspecified "reasonable and actual
costs" even if they were following industry standards at the
time the breach occurred. Compliance with PCI and the terms of
AB 779 would reduce the state's exposure to liability by
limiting if not eliminating the amount of consumer data stored
or retained in state databases, but to the extent the term
"reasonable and actual costs" is undefined and there is no
requirement in AB 779 for proof of risk to a consumer's data
prior to owners of the data recouping costs or damages, state
costs could be significant. These costs would vary based on the
size of the breach, but assuming replacing a credit card were
to cost $5 and a state agency were to suffer a data security
breach impacting 30,000 records, replacement costs alone would
be $150,000, not including notice requirements and potential
response to consumer questions.
Franchise Tax Board (FTB) indicates that since the majority of
its transactions with taxpayers are payments of tax obligations,
not goods or services, it has interpreted the bill's provisions
as having no application to FTB.
AS PASSED BY THE ASSEMBLY, this bill was substantially similar
to the version approved by the Senate.
COMMENTS: According to the author and sponsor, the California
Credit Union League, this bill makes needed improvements to
California's landmark data breach notification law in light of
three years of experience with the operation of the law. The
bill makes three important changes to existing law: 1) it
entitles the owner or licensee of personal information to
recover notification costs from the person, business, or agency
that actually maintained and compromised the data; 2) it
generally restricts how a person, business, or agency stores,
retains, sends, or otherwise uses personal payment data to a
manner which is necessary for business purposes; and, 3) it
specifies the form and content of breach notices so as to make
them more consumer-friendly.
Existing law generally requires a person or business that owns
or licenses computerized data that contains an individual's
personal information to notify that individual in the event of a
security breach. While the person or business that owns or
licenses that data is often the same person or business that
maintains the data, this is not always the case. This bill,
therefore, gives the owner or licensee of the data the right to
recover notification costs from the party that actually
compromised the data.
Existing law prescribes the methods by which notice shall be
given but says nothing about the required contents of the
notice. This bill will require the notice to include the date
of the breach, the name of the person, business or agency that
maintained the data at the time of the breach, and the kinds of
personal information that may have been compromised. In
addition, the notice has to include helpful information to the
consumer, including a toll-free number and address for
contacting the person, business, or agency that maintained the
data and toll-free numbers and addresses of the major credit
reporting agencies.
According to the author and supporters, the provisions of this
bill will achieve three important objectives. First, by giving
owners and licensees the right to seek reimbursement from the
party that compromised the data, it creates a financial
incentive for businesses to take better care of their customers'
personal information. Second, it will make the notices
themselves more consumer-friendly. Third, by imposing certain
limitations on the amount and time that data can be stored,
retained, and accessed, it will reduce identity theft by
reducing the amount of time that data is exposed to potential
unauthorized persons. The author contends that this bill, as
amended, merely codifies existing best industry practices and
standards.
Opponents of this bill include a number of retail and financial
associations. Opponents claim that government intervention is
unnecessary because the industry polices itself; for example,
merchants typically sign contracts to protect databases as a
condition of accepting credit card payments.
Finally, some opponents oppose the reimbursement provision of
this bill on the grounds that it amounts to unwarranted
government interference between consenting businesses that have
contractual agreements and obligations.
Analysis Prepared by: Thomas Clark / JUD. / (916) 319-2334
FN: 0003003