BILL ANALYSIS �
------------------------------------------------------------
|SENATE RULES COMMITTEE | SB 20|
|Office of Senate Floor Analyses | |
|1020 N Street, Suite 524 | |
|(916) 651-1520 Fax: (916) | |
|327-4478 | |
------------------------------------------------------------
THIRD READING
Bill No: SB 20
Author: Simitian (D)
Amended: 3/4/09
Vote: 21
SENATE JUDICIARY COMMITTEE : 3-2, 2/24/09
AYES: Corbett, Florez, Leno
NOES: Harman, Walters
SENATE APPROPRIATIONS COMMITTEE : Senate Rule 28.8
SUBJECT : Personal information: privacy
SOURCE : Author
DIGEST : This bill amends Californias security breach
notification law to provide that any agency, person, or
business required to issue a notification under existing
law must meet additional requirements regarding that
notification. This bill requires that security breach
notifications be written in plain language and contain
certain specified information, including contact
information regarding the breach, the types of information
breached, and the date, estimated date, or date range of
the breach. This bill provides that a security breach
notification may also include other specified information,
at the discretion of the entity issuing the notification.
This bill provides that any agency, person, or business
that must provide a security breach notification under
existing law to more than 500 California residents as a
CONTINUED
�
SB 20
Page
2
result of a single breach would be required to submit the
notification electronically to the Attorney General. This
bill amends the substitute notice provisions of
California's security breach notification law to require
that an entity providing substitute notice also provide
notice to the Office of Information Security and Privacy
Protection.
ANALYSIS : Existing law requires any agency, person, or
business that owns or licenses computerized data that
includes personal information to disclose a breach of the
security of the system to any California resident whose
unencrypted personal information was, or is reasonably
believed to have been, acquired by an unauthorized person.
The disclosure must be made in the most expedient time
possible and without unreasonable delay, consistent with
the legitimate needs of law enforcement, as specified.
[Sections 1798.29(a) and (c) and 1798.82(a) and (c) of the
Civil Code]
Existing law requires any agency, person, or business that
maintains computerized data that includes personal
information that the agency, person, or business does not
own to notify the owner or licensee of the information of
any breach of the security of the data immediately
following discovery if the personal information was, or is
reasonably believed to have been, acquired by an
unauthorized person. [Sections 1798.29(b) and 1798.82(b)
of the Civil Code]
Existing law defines "personal information," for purposes
of the breach notification statute, to include the
individual's first name or first initial and last name in
combination with any one or more of the following data
elements, when either the name or the data elements are not
encrypted: social security number, driver's license number
or California identification card number, or account
number, credit or debit card number, in combination with
any required security code, access code, or password that
would permit access to an individual's financial account,
medical information, or health insurance information.
"Personal information" does not include publicly available
information that is lawfully made available to the general
public from federal, state, or local government records.
�
SB 20
Page
3
[Sections 1798.29(e) and (f) and 1798.82(e) and (f) of the
Civil Code]
This bill provides that any agency, person, or business
required to issue a security breach notification under
existing law must also meet certain requirements regarding
the notification including that it be written in plain
language. This bill also requires that the notification
include, at a minimum, the following information:
1. The name and contact information of the reporting
agency.
2. A list of the types of personal information that were or
are reasonably believed to have been the subject of the
breach.
3. The date, estimated date, or date range within which the
breach occurred, if that information is possible to
determine at the time the notice is provided.
4. The date of the notice.
5. Whether the notification was delayed because of an
investigation by law enforcement.
6. A general description of the breach incident.
7. The estimated number of persons affected by the breach.
8. The toll-free telephone numbers and addresses of the
major credit reporting agencies if the breach exposed a
bank account or credit card number, a social security
number, or a driver's license or California
identification card number.
This bill provides that an agency, person, or business may
also include the following information in a security breach
notification, at its discretion:
1. Information regarding what the entity has done to
protect individuals whose information has been breached.
2. Advice on steps that the individual may take to protect
�
SB 20
Page
4
himself/herself.
This bill requires any agency, person, or business that
must provide a security breach notification pursuant to
existing law to more than 500 California residents as a
result of a single breach of the security system to submit
the notification electronically to the Attorney General.
Existing law requires an agency, person, or business to
provide breach notification using either written notice,
electronic notice, or substitute notice. An entity may use
substitute notice when it demonstrates that the cost of
providing notice would exceed $250,000, or that the
affected class of persons to be notified exceeds 500,000,
or if the entity does not have sufficient contact
information. Substitute notice must consist of (1)
electronic mail notice when the entity has an email address
for the affected individuals, (2) conspicuous posting of
the notice on the entity's Web site, and (3) notification
to major statewide media. [Sections 1798.29(g) and
1798.82(g) of the Civil Code]
This bill additionally requires notification to the Office
of Information Security and Privacy Protection when an
agency, person, or business uses substitute notice.
Prior Legislation
SB 364 (Simitian, 2008) would have required that breach
notifications be written in plain language and contain
specified information, such as the name of the entity that
maintained the computerized data at the time of the breach
and a description of the categories of personal information
that was breached. The bill passed the Senate by a vote of
38-2 on August 30, 2008, and was vetoed by the Governor.
In his veto message, the Governor stated:
"California's landmark law on data breach notification
has had many
beneficial results. Informing individuals whose personal
information
was compromised in a breach of what their risks are and
what they can
do to protect themselves is an important consumer
�
SB 20
Page
5
protection
benefit. The law has also provided a window on
information privacy
and security practices that has led organizations to make
many
improvements.
"Unfortunately, this bill could lead consumers to believe
that all
data breaches result in identity theft. Further, this
would place an
additional unnecessary cost on businesses without a
corresponding
consumer benefit."
AB 1656 (Jones, 2008) would have, among other things,
required a person, business, or agency who maintains
personal information to include specified items in a breach
notification to the owner or licensee of the information.
The bill would also have required that the specified items
be disclosed to affected California residents if the owner
or licensee of the information is also the issuer of the
credit or debit card. The bill passed the Senate by a vote
of 34-3 on August 27, 2008, and was vetoed by the Governor.
AB 779 (Jones, 2007) would have, among other things,
provided that the Office of Privacy Protection be notified
if substitute notice was used. The bill would also have
required any agency, person, or business that owns,
licenses, or maintains personal information related to
various payment devices to notify the owner, licensee, or
California resident of a security data breach. The
notification would have been required to contain certain
specified standard information, including, among other
things, when the breach occurred and the categories of
personal information breached. The bill passed the Senate
by a vote of 30-6 on September 6, 2007, and was vetoed by
the Governor.
FISCAL EFFECT : Appropriation: No Fiscal Com.: Yes
Local: No
SUPPORT : (Verified 5/20/09)
�
SB 20
Page
6
California Public Interest Research Group
California School Employees Association
Consumer Federation of California
Privacy Rights Clearinghouse
OPPOSITION : (Verified 5/20/09)
Association of California Insurance Companies
California Bankers Association
California Business Properties Association
California Chamber of Commerce
California Financial Services Association
California Mortgage Bankers Association
Experian
Personal Insurance Federation of California
State Privacy and Security Coalition
State Farm Insurance
Tech America
ARGUMENTS IN SUPPORT : The author writes:
"Although California has a security breach notification
law (A.B. 700, Simitian/S.B. 1386, Peace - 2002), we do
not require public agencies, businesses, or persons
subject to that law to provide any standard set of
information about the breach to consumers. As a result,
security breach notification letters often lack important
information - such as the time of the breach or type of
information that was breached - or are confusing to
consumers. This leaves consumers uncertain about how to
respond to the breach or protect themselves from identity
theft, and leaves businesses and government entities that
have experienced a breach unsure about what to put in the
notices they send consumers.
"This bill would make relatively modest but helpful
changes to the current security breach notification
statutes to enhance consumer knowledge about, and
understanding of, security breaches by requiring that the
customer notification required by current law contain
specified information."
ARGUMENTS IN OPPOSITION : The California Business
�
SB 20
Page
7
Properties Association, California Chamber of Commerce,
California Financial Services Association, California
Mortgage Bankers Association, Experian, Personal Insurance
Federation of California, and State Privacy and Security
Coalition oppose this bill, raising concerns about the
specified items of information. They assert that the
requirement that the breach notification contain the
toll-free telephone numbers of major credit reporting
agencies leads consumers to believe that a breach will
result in identity theft, which is not necessarily the case
according to the groups. The organizations also question
whether it is necessary that a consumer receive
notification about the estimated number of people affected
by a breach. Finally, they argue that this bill's
requirement that the Office of Information Security and
Privacy Protection be notified when substitute notice is
used is unnecessary and, if notice to a government agency
is necessary, then it should go to the Attorney General.
State Farm argues that disclosing the date, estimated date,
or date range of the breach will provide a hacker with
important information about the security of a computer
system and will confirm to the hacker that his/her approach
used at that time was successful. State Farm also asserts
that reporting the number of persons affected by a breach
provides a hacker with information about the size of the
breached database which, it argues, allows a hacker to
focus his/her efforts on larger databases.
RJG:mw 5/20/09 Senate Floor Analyses
SUPPORT/OPPOSITION: SEE ABOVE
**** END ****