BILL ANALYSIS
SENATE JUDICIARY COMMITTEE
Senator Ellen M. Corbett, Chair
2009-2010 Regular Session
SB 20
Senator Simitian
As Introduced
Hearing Date: February 24, 2009
Civil Code
SIK:jd
SUBJECT
Privacy: Security Breach Notification
DESCRIPTION
This bill would amend California's security breach notification
law to provide that any agency, person, or business required to
issue a notification under existing law must meet additional
requirements regarding that notification. This bill would
require that security breach notifications be written in plain
language and contain certain specified information, including
contact information regarding the breach, the types of
information breached, and the date, estimated date, or date
range of the breach. This bill would provide that a security
breach notification may also include other specified
information, at the discretion of the entity issuing the
notification.
Under this bill, any agency, person, or business that must
provide a security breach notification under existing law to
more than 500 California residents as a result of a single
breach would be required to submit the notification
electronically to the Attorney General. This bill would amend
the substitute notice provisions of California's security breach
notification law to require that an entity providing substitute
notice also provide notice to the Office of Information Security
and Privacy Protection.
BACKGROUND
In 2003, California's first-in-the-nation security breach
notification law went into effect. Since that time, 44 other
states and the District of Columbia, Puerto Rico, and the Virgin
Islands have enacted breach notification laws, following
California's lead. California's statute requires state agencies
and businesses to notify residents when the security of their
personal information is breached. According to an ongoing
chronology by the Privacy Rights Clearinghouse, more than 252
million records containing sensitive personal information have
been involved in security breaches in the United States since
January 2005. For the seventh year in a row, identity theft
topped the Federal Trade Commission's (FTC) list of top 10
consumer complaints in 2006. Of the nearly 700,000 complaints
filed with the FTC that year, 36% related to identity theft.
And, among the 50 states, California ranked third in identity
theft victims, after Arizona and Nevada.
A December 2007 study from the Samuelson Law, Technology &
Public Policy Clinic of University of California, Berkeley,
Boalt Hall School of Law, found that security breach
notification laws provide strong incentives for public and
private organizations to engage in best practices with respect
to the security of personal information. The study also made a
number of recommendations to improve upon security breach
notification laws, including that notifications should include
basic information about the breach. This bill is intended to
augment California's security breach notification law by
implementing this recommendation.
CHANGES TO EXISTING LAW
1. Existing law requires any agency, person, or business that
owns or licenses computerized data that includes personal
information to disclose a breach of the security of the system
to any California resident whose unencrypted personal
information was, or is reasonably believed to have been,
acquired by an unauthorized person. The disclosure must be
made in the most expedient time possible and without
unreasonable delay, consistent with the legitimate needs of
law enforcement, as specified. (Civil Code Sections
1798.29(a) and (c) and 1798.82(a) and (c).)
Existing law requires any agency, person, or business that
maintains computerized data that includes personal information
that the agency, person, or business does not own to notify
the owner or licensee of the information of any breach of the
security of the data immediately following discovery if the
personal information was, or is reasonably believed to have
been, acquired by an unauthorized person. (Civil Code
Sections 1798.29(b) and 1798.82(b).)
Existing law defines "personal information," for purposes of
the breach notification statute, to include the individual's
first name or first initial and last name in combination with
any one or more of the following data elements, when either
the name or the data elements are not encrypted: social
security number; driver's license number or California
Identification Card number; or account number, credit or debit
card number, in combination with any required security code,
access code, or password that would permit access to an
individual's financial account; medical information; or health
insurance information. "Personal information" does not
include publicly available information that is lawfully made
available to the general public from federal, state, or local
government records. (Civil Code Sections 1798.29(e) and (f)
and 1798.82(e) and (f).)
This bill would provide that any agency, person, or business
required to issue a security breach notification under
existing law must also meet certain requirements regarding the
notification including that it be written in plain language.
This bill would also require that the notification include, at
a minimum, the following information:
- The name and contact information of the reporting agency;
- A list of the types of personal information that were or
  are reasonably believed to have been the subject of the
  breach;
- The date, estimated date, or date range within which the
  breach occurred, if that information is possible to
  determine at the time the notice is provided;
- The date of the notice;
- Whether the notification was delayed because of an
  investigation by law enforcement;
- A general description of the breach incident;
- The estimated number of persons affected by the breach; and
- The toll-free telephone numbers and addresses of the
  major credit reporting agencies if the breach exposed a
  bank account or credit card number, a social security
  number, or a driver's license or California identification
  card number.
This bill would provide that an agency, person, or business
may also include the following information in a security
breach notification, at its discretion:
- Information regarding what the entity has done to
  protect individuals whose information has been breached;
  and
- Advice on steps that the individual may take to protect
  himself or herself.
This bill would require any agency, person, or business that
must provide a security breach notification pursuant to
existing law to more than 500 California residents as a result
of a single breach of the security system to submit the
notification electronically to the Attorney General.
2. Existing law requires an agency, person, or business to
provide breach notification using either written notice,
electronic notice, or substitute notice. An entity may use
substitute notice when it demonstrates that the cost of
providing notice would exceed $250,000, or that the affected
class of persons to be notified exceeds 500,000, or if the
entity does not have sufficient contact information.
Substitute notice must consist of: (a) email notice when the
entity has an email address for the affected individuals; (b)
conspicuous posting of the notice on the entity's Web site;
and (c) notification to major statewide media. (Civil Code
Sections 1798.29(g) and 1798.82(g).)
This bill would additionally require notification to the
Office of Information Security and Privacy Protection when an
agency, person, or business uses substitute notice.
COMMENT
1. Stated need for the bill
The author writes:
Although California has a security breach notification law
(A.B. 700, Simitian/S.B. 1386, Peace - 2002), we do not
require public agencies, businesses, or persons subject to
that law to provide any standard set of information about
the breach to consumers. As a result, security breach
notification letters often lack important information -
such as the time of the breach or type of information that
was breached - or are confusing to consumers. This leaves
consumers uncertain about how to respond to the breach or
protect themselves from identity theft, and leaves
businesses and government entities that have experienced a
breach unsure about what to put in the notices they send
consumers.
This bill would make relatively modest but helpful changes
to the current security breach notification statutes to
enhance consumer knowledge about, and understanding of,
security breaches by requiring that the customer
notification required by current law contain specified
information.
2. Recent research on need for augmenting security breach
notification law
In December 2007, the Samuelson Law, Technology & Public
Policy Clinic, University of California-Berkeley School of Law
released a study entitled "Security Breach Notification Laws:
Views from Chief Security Officers" (study). The study
included a comprehensive review of the literature available on
the world of information security and in-depth interviews with
chief information security officers at a variety of business
organizations nationwide.
The study made a number of findings, including that breach
notification laws: 1) provide organizations (public, private,
and non-profit) strong incentives to invest in best practices
with respect to information security; 2) contribute to
awareness of the importance of information security throughout
all levels of an organization; 3) increase cooperation among
different departments within an organization with respect to
information security; 4) have increased requirements that
third party vendors, data collectors, and organizations comply
with information security measures; 5) provide "lessons
learned" across organizations, allowing organizations to learn
from each other's breaches, and justifying investment in
security; and 6) inform and educate consumers about the
importance of being concerned and diligent about the security
of their personal information. The study also identified a
number of areas for improvement in security breach
notification laws, including basic guidelines for the
information included in such notifications. The author
asserts that this bill would implement this recommendation and
thereby strengthen California's security breach law.
3. Standardized content of security breach notifications
intended to fill gap in current law
While existing law imposes requirements for notification of
security breaches, it does not contain requirements for the
content of those notifications. The author provided the
committee with several examples of breach notification letters
that lack certain basic information such as the type of
information breached, when the breach occurred, or how to
protect against identity theft. In some cases, the letters
contained confusing technical or legal jargon. The study
discussed in Comment 2 provides:
Notifications can only provide value to consumers if they
have useful information about the [breach] incident and
know what steps can be taken to mitigate the harm.
Notifications provide an opportunity for consumer education
that ... has been bypassed by notification letters that focus
more on obfuscated language and legal jargon than direct
communication. ... Breach notification letters are difficult
to read and understand; ... Notification laws ... should
incorporate some basic guidelines regarding clarity of
language, a description of the incident, and steps that
consumers can take to protect themselves ....
The author contends that this bill's requirements for
standardized content of breach notifications will help to fill
the information gap in current law. The author also notes
that ten other states, including Michigan, New Hampshire, New
York, and North Carolina, have breach notification laws which
contain similar requirements pertaining to standardized notice
content.
4. Notification to Attorney General where more than 500
California residents affected by a single breach
This bill would require an agency, person, or business to
submit a security breach notification electronically to the
Attorney General when more than 500 California residents are
affected by a single breach of the security system. The
author indicates that similar provisions are contained in
other state breach laws. For example, several state laws
require notification to the Attorney General, credit reporting
agencies, and, in the case of New York, the Office of Cyber
Security and Critical Infrastructure Coordination. By
requiring notification to the Attorney General in cases where
more than 500 California residents are affected by a single
breach, this bill would allow the Attorney General to look at
trends and investigate a major breach, if it deemed it to be
necessary. In addition, the author's office indicates that
the Attorney General currently receives some security breach
notifications so additional notices will be consistent with
current practice.
5. Stakeholder concerns
While not opposed to this bill, the California Credit Union
League (CCUL) raises concerns about the bill's requirement
that security breach notifications include specified items of
information. In particular, the CCUL points out that some
items of information may not be known to an entity at the time
the notification is provided. For example, if a breach
occurred at the retailer level, the affected credit union
might not know whether a law enforcement investigation delayed
notification or the estimated number of persons affected. As
a result, CCUL has requested that the author amend the bill to
provide that the specified items of information must be
included in the security breach notification "if available at
the time the notice is provided." Committee staff notes that
this language has the potential to undermine the purpose of
the bill: providing uniform breach notifications. The author
is considering this request and is currently in conversations
with the CCUL.
6. Opposition arguments
The California Business Properties Association, California
Chamber of Commerce, California Financial Services
Association, California Mortgage Bankers Association,
Experian, Personal Insurance Federation of California, and
State Privacy and Security Coalition oppose this measure,
raising concerns about the specified items of information.
They assert that the requirement that the breach notification
contain the toll-free telephone numbers of major credit
reporting agencies leads consumers to believe that a breach
will result in identity theft, which is not necessarily the
case according to the groups. The organizations also question
whether it is necessary that a consumer receive notification
about the estimated number of people affected by a breach.
Finally, they argue that this bill's requirement that the
Office of Information Security and Privacy Protection be
notified when substitute notice is used is unnecessary and, if
notice to a government agency is necessary, then it should go
to the Attorney General.
State Farm argues that disclosing the date, estimated date, or
date range of the breach will provide a hacker with important
information about the security of a computer system and will
confirm to the hacker that his or her approach used at that
time was successful. State Farm also asserts that reporting
the number of persons affected by a breach provides a hacker
with information about the size of the breached database
which, it argues, allows a hacker to focus his or her efforts
on larger databases.
7. Suggested technical amendments
On page 2, line 34, delete ", as defined in subdivision (g),"
On page 6, line 1, delete ", as defined in subdivision (g),"
Support: Consumer Federation of California
Opposition: Association of California Insurance Companies;
California Bankers Association; California Business
Properties Association; California Chamber of
Commerce; California Financial Services Association;
California Mortgage Bankers Association; Experian;
Personal Insurance Federation of California; State
Farm; State Privacy and Security Coalition; TechAmerica
HISTORY
Source: Author
Related Pending Legislation: None Known
Prior Legislation: SB 364 (Simitian of 2008) would have
required that breach notifications be written in
plain language and contain specified information,
such as the name of the entity that maintained the
computerized data at the time of the breach and a
description of the categories of personal
information that was breached. This bill was
vetoed.
AB 1656 (Jones of 2008) would have, among other
things, required a person, business, or agency who
maintains personal information to include
specified items in a breach notification to the
owner or licensee of the information. The bill
would also have required that the specified items
be disclosed to affected California residents if
the owner or licensee of the information is also
the issuer of the credit or debit card. This bill
was vetoed.
AB 779 (Jones of 2007) would have, among a number
of other things, provided that the Office of
Privacy Protection (OPP, now OISPP) be notified if
substitute notice was used. The bill would also
have required any agency, person, or business that
owns, licenses, or maintains personal information
related to various payment devices to notify the
owner, licensee, or California resident of a
security data breach. The notification would have
been required to contain certain specified
standard information, including, among other
things, when the breach occurred and the
categories of personal information breached. This
bill was vetoed.
AB 2505 (Nunez of 2006) would have provided that
the OPP be notified if substitute notice was used.
This bill died on the Senate Floor.
SB 852 (Bowen of 2006) would have required a
security breach notification whether or not the
data breached was computerized and would have
required notice to the OPP. This bill died in the
Assembly Business and Professions Committee.