BILL ANALYSIS
SB 20
Page 1
Date of Hearing: June 30, 2009
ASSEMBLY COMMITTEE ON JUDICIARY
Mike Feuer, Chair
SB 20 (Simitian) - As Amended: June 16, 2009
SENATE VOTE : 26-9
SUBJECT : Personal Information: Privacy
KEY ISSUES :
1)Should California's Security Breach Notification law be
amended to require that notices be written in plain language
and contain standard information that is useful to the
affected person?
2)Should samples of breach notifications be sent to the Attorney
General's Office when breaches affect at least 500 persons?
FISCAL EFFECT : As currently in print this bill is keyed fiscal.
SYNOPSIS
This bill seeks to strengthen California's existing breach
notification law by requiring that the notices contain specified
information and that a sample of the notice, under certain
circumstances, be sent to relevant state agencies so as to
improve state monitoring of large data breaches. Existing law
requires any agency, person, or business that keeps or maintains
the personal information of California residents to notify
affected residents in the event the data is compromised by a
security breach. This bill would require the notice to include
useful information to the affected person, such as the date and
scope of the breach, the type of information compromised, and
useful contact information that will allow the person to take
protective actions if necessary. In addition, sample copies of
the notification would be sent to the Attorney General in cases
that affect more than 500 persons. Furthermore, if substitute
notice is used, which is generally permitted in cases that
affect large numbers of persons, a copy would be provided to the
Office of Information Security. This bill is substantially
similar to the author's SB 364 of last year, which was vetoed by
the Governor. The bill is supported by consumer and privacy
groups and opposed primarily by representatives of the banking,
lending, and hi-tech businesses.
SUMMARY : Requires that a notice required under California's
data security breach law must contain specified information and
a copy of notice must be sent to appropriate state agencies, as
specified. Specifically, this bill :
1)Provides that when an agency, person, or business is required
to issue a data security breach notification pursuant to
existing law, that notification must be written in plain
language and shall include at a minimum all of the following
information:
a) The name and contact information of the reporting
agency, person, or business.
b) A list of the types of personal information, as defined,
that were reasonably believed to have been the subject of
the breach.
c) The date, estimated date, or date range of when the
breach occurred, if that information is possible to
determine at the time the notice is provided.
d) Whether the notification was delayed as a result of a
law enforcement investigation, if that information is
possible to determine at the time the notice is provided.
e) A general description of the breach incident.
f) The estimated number of persons affected by the breach,
if that information is possible to determine at the time
the notice is provided.
g) The toll-free telephone numbers and addresses of the
major credit reporting agencies if the breach exposed a
social security number or driver's license or state
identification card number.
2)Provides that, at the discretion of the reporting agency,
person, or business, the notification may include other
information, including information about what the agency has
done to protect the individuals affected by the breach and
what steps those individuals may take to protect themselves.
3)Provides that an agency, person, or business that is required
to issue a data security breach notification to more than 500
California residents must also submit a notification to the
Attorney General.
4)Provides that if substitute notice is used, as permitted by
existing law, then the reporting person, business, or agency
must also provide notification to the Office of Information
Security within the office of the State Chief Information
Officer.
EXISTING LAW :
1)Requires any state agency that owns or licenses computerized
data that includes personal information to disclose any breach
of the data to any resident of California whose unencrypted
personal information was, or is reasonably believed to have
been, acquired by an unauthorized person. Requires any state
agency that maintains, but does not own, personal information
to notify the owner or licensor of the data of any breach.
Provides further that disclosure shall be made in the most
expedient time possible and without unreasonable delay.
(Civil Code Section 1798.29.)
2)Requires any person or business that conducts business in
California, and that owns or licenses computerized data that
includes personal information to disclose any breach of the
data to any resident of California whose unencrypted personal
information was, or is reasonably believed to have been,
acquired by an unauthorized person. Requires any person or
business that maintains, but does not own, personal
information to notify the owner or licensor of the data of any
breach. Provides further that disclosure shall be made in the
most expedient time possible and without unreasonable delay.
(Civil Code Section 1798.82.)
3)Provides that notice required under the above provisions may
be made by written notice or electronic notice, if the latter
is consistent with federal electronic signature standards.
Provides, however, that substitute notice may be used if the
person, business, or agency determines that the cost of
providing notice would exceed $250,000 or that the affected
class of subject persons exceeds 500,000, or the person,
business, or agency does not have sufficient contact
information. (Civil Code Sections 1798.29 (g) and 1798.82
(g).)
4)Provides that substitute notice, when used, shall consist of
all of the following:
a) E-mail notice when the e-mail address of subject persons
is known.
b) Conspicuous posting of the notice on the Web site of the
person, business, or agency if the person, business, or
agency maintains one.
c) Notification to major statewide media. (Id.)
5)Notwithstanding the above notice requirements, a person,
business, or agency that maintains its own notification
procedures as part of an information security policy that is
consistent with the requirements of the security breach law,
shall be deemed to be in compliance with the notification of
state law if the agency, person, or business notifies subject
persons in accordance with its own policies. (Civil Code
Sections 1798.29 (h) and 1798.82 (h).)
COMMENTS : Under existing law, a person, business, or state
agency that keeps, maintains, or leases computerized data that
contains personal information must provide appropriate notices
if that personal information is compromised as a result of a
data breach. The law permits the person, business, or state
agency to use "substitute notice" if the number of persons
affected would make personal notice prohibitively expensive or
impractical, or if the affected person's contact information is
not available. However, beyond these provisions, existing law
does not create any requirements as to the form and content of
the required notices. This bill seeks to correct that
deficiency by requiring notices to contain specified information
that will be useful to the affected resident and ensure that
there is greater uniformity in the content of security breach
notices. In addition, this bill would require that notification
be sent to the state Attorney General's office for any breaches
that affect more than 500 California residents. Finally, this
bill would also provide that if "substitute notice" is used, as
permitted by existing law, then a copy of the notice should also
be sent to the Office of Information Security within the office
of the State Chief Information Officer.
Governor's Veto of SB 364 : This bill is substantially similar
to the author's SB 364 of last year, which the Governor vetoed.
The Governor vetoed last year's bill on the grounds that it
"could lead consumers to believe that all data breaches result
in identity theft" and because it "would place an additional
unnecessary cost on businesses without a corresponding consumer
benefit." None of the modest differences between this year's
bill and last year's SB 364 would appear to address this
concern.
However, it should be noted that the Governor's veto message
arguably speaks more to existing law than to the bill under
review. Existing law already requires a breach notice be sent
whenever the owner, licensor, or maintainer of data has reason
to believe that there has been unauthorized access to the data.
If a breach notice creates the erroneous assumption that an
identity theft has occurred - as the Governor claimed - then
this is already true of existing law. This bill merely requires
that the already required notice contain specified information
about the breach, including a general description of the breach.
This description, as well as the additional information to be
required in the notice, might, in fact, enable the consumer to
make a more informed and reasoned assessment of whether the
breach will likely result in identity theft. The Governor's
veto message, like many of the opposition arguments described
below, is really more relevant to the threshold that triggers a
breach notification, rather than the contents of the breach
notification. Yet this bill only amends the latter.
ARGUMENTS IN SUPPORT : According to the author, although
existing California law requires notices in the event of a data
breach, it is more or less silent on the required content of
those notices. As a result, the author contends, existing
notices often fail to provide the affected individual with
critical information about the nature and scope of the breach.
According to the author, without such information, the consumer
is often uncertain about how to respond to the breach. The
author believes that this measure will "make relatively modest
but helpful changes" that provide affected individuals with
useful knowledge about the security breach. Finally, the author
rejects as unfounded the argument made by some opponents that
revealing the exact time of the breach and the number of persons
affected will somehow provide information that will help the
computer hacker. The author responds that "the hacker already
knows when they [sic] have been successful. The point here is
to provide affected individuals with crucial information." The
author points out that the inclusion of the date of the breach -
which some opponents strenuously object to - allows the affected
consumer to examine their records and determine, with greater
precision, if they have been victimized by identity theft.
Similarly, the author also insists that knowing the number of
persons whose data has been breached is also important, since
"the size of the breach does have a bearing on the risk. If the
breach is small, an individual is more likely to be victimized."
The author also offers a rebuttal to the Governor's veto message
of last year's SB 364. The Governor's veto message, as noted
above, claimed that notices "could lead consumers to believe
that all data breaches result in identity theft." The author
concedes that while it may be true that not all breaches lead to
identity theft, our inconsistent and non-uniform reporting makes
it impossible to know the true breach-to-theft ratio. "Consumers
are certainly better off erring on the side of caution," the
author reasons, "and monitoring their credit reports more
closely."
The California Public Interest Research Group (CALPIRG) supports
this bill because it will provide persons affected by a security
breach "a standardized set of information regarding their
information security" and make it easier for those individuals
to take necessary steps to protect themselves from identity
theft. CALPIRG notes that the bill will also "establish a
reporting process for companies that will help to improve
security practices and breach reporting procedures."
Privacy Rights Clearinghouse and the Consumer Federation of
California support the bill for the reasons noted above, but
both add that, by requiring notices to be sent to state
agencies, this bill will allow the state to better investigate
criminal activity, monitor data breach trends, and centralize
information so that state policy makers can continue to improve
our breach notification laws.
ARGUMENTS IN OPPOSITION : This bill is opposed by various
business associations and groups representing the financial,
insurance, and high technology sector. Opponents contend, to
begin with, that "current breach notification requirements are
working" and that expanding the notice requirements will not
provide any more safeguards for the consumer. For example,
opponents claim that requiring notices to specify the number of
persons affected by the breach "is of no benefit to individual
consumers." (However, as noted above, the author responds that
knowing the number of persons affected gives the individual a
better idea of the probability that his or her information will
be used to commit identity theft. For example, if millions of
persons are affected, an individual might conclude that the
probability that his or her information will be used to commit
identity theft is not great enough to justify the hassle of
freezing credit reports or taking other steps; on the other
hand, if the individual is one of only a handful of persons
whose data is compromised, he or she may conclude that the risks
justify taking action.)
In addition to claiming that the bill is unnecessary because
existing law is working, opponents also allege that some of the
added requirements could unintentionally create greater harm.
For example, opponents argue that providing a consumer with
contact information for credit bureaus "inaccurately leads the
consumer to conclude that all data breaches result in fraud and
identity theft." Opponents contend that existing law already
creates a potential problem of "over-notification," noting that
businesses and agencies are required to issue notices whenever
they believe or "reasonably believe" that the data may have been
acquired by an unauthorized person. In short, individuals may
be prompted to freeze credit reports or take other steps that
create unnecessary inconveniences even though the chances of
identity theft are minimal or non-existent. In support of this
position, the opponents cite a study by the Government
Accounting Office which concluded, according to the opponents,
that while data breaches are frequent, they "rarely" result in
identity theft or fraud. (See GAO, Data Breaches are Frequent,
but Evidence of Identity Theft is Limited: However the Full
Extent is Unknown, June 2007.)
State Farm Insurance opposes this bill because it believes that
providing information specifying the date of a breach and the
number of persons affected will actually assist the data
hackers. According to State Farm, "hackers often attempt to
break into a business' data system on a daily basis. Therefore,
reporting the date when the breach occurred simply confirms for
the hackers that the approach used at the time was successful.
Accordingly, this bill would exacerbate the problem of breaches
rather than reduce them."
OPPOSE UNLESS AMENDED : The California Credit Union League
(CCUL) opposes this bill unless it is amended to clarify that
the entity that must notify residents of the breach should be
required to provide the specified information only to the
extent that it has knowledge of that information. CCUL supports
the concept of providing consumers with as much information as
is possible, but points out that breaches often occur at the
retail level. For example, if there is a breach involving
credit cards used at a particular retailer, existing law only
requires the retailer - as the "maintainer" of the data - to
notify the entity that "owns or licenses" the data, which is
typically the entity that issues the credit card. The owner or
licensor then has the responsibility, under existing law, of
notifying the individual resident whose personal information was
compromised. CCUL argues that a credit union, as the issuer of
the card, can only provide as much information about the breach
as is provided to it by the retailer where the breach occurred.
As such, CCUL opposes this bill unless it is amended to
stipulate that the specified information is only required "if
known." The most recent amendments to this bill partly address
this concern, by adding the knowledge qualification to some, but
not all, of the required pieces of information. CCUL has
expressed to the Committee that it greatly appreciates the
amendments taken by the author, but still seeks a more global
knowledge qualification before removing its opposition.
Possible Amendments: Although the author has already made
reasonable amendments to address many of the CCUL's concerns,
those concerns ultimately stem from another issue that the
author may wish to address by a simple amendment. That is, the
CCUL requests that the owner of the data only be required to
provide information to the extent that it has knowledge, in
part, because the credit union must often rely upon information
provided to it by the retailer.
Currently, however, it does not appear clear in the bill if the
notice elements required apply to both notices required by the
law: that is, the notice that the "maintainer" is required to
provide to the "owner," and the notice that the "owner or
licensor" is required to provide to the consumer. On the one
hand, the bill would appear to apply to both, since proposed
subdivision (d) applies to any notice required by "this
section." On the other hand, the required pieces of information
- and the rationale justifying the bill - appear appropriately
targeted at the consumer whose data has been affected. In
short, where the breaches originated with the retailer, the
"owner" (e.g. a credit union) can realistically only provide as
much information as is provided to it by the "maintainer" (i.e.
retailer).
The Committee therefore may wish to discuss with the author his
openness to amending the measure to adopt an approach similar to
that used in last year's AB 1656. That bill appropriately and
logically distinguished between the two different notices
required in subdivisions (a) and (b) of the current measure. In
AB 1656, the respective requirements for each notice were for
the most part the same, except, of course, that the
retailer/maintainer notice to the owner/licensor did not require
information regarding the protective steps that the resident
might choose to take.
Thus the author may wish to consider a brief clarification in
the bill that a retailer required to provide notice under
subdivision (b) of the relevant sections must provide the owner
or licensor with enough information to fulfill its obligations
under subdivision (a).
To achieve this potentially helpful clarification, the bill
could be amended at the end of subdivision (b) of Sections
1798.29 and 1798.82 to add the following statement:
The notice shall provide the owner or licensor with the
information described in subparagraphs (A) through (F) of
paragraph (2) of subdivision (d) of this section.
Proposed Technical Amendment to Existing Law : The author may
also wish to address an apparent error in existing law, though
not an error in this bill as such. Subdivision (a) of Sections
1798.29 and 1798.82 refer to the agency or business that "owns
or licenses" the data. Subdivision (b), however, referring to
these same entities, refers to the "owner or licensee."
However, the entity that "licenses" the personal data would be
the "licensor," not the "licensee." Therefore:
On page 2, line 16 change "licensee" to "licensor"
On page 5, line 12 change "licensee" to "licensor"
Recent Related Legislation : SB 364 (Simitian, 2008) was
substantially similar to the bill under review. The bill was
vetoed.
AB 1656 (Jones, 2008) included a provision substantially similar
to the enhanced notice provisions in the measure under review.
However, AB 1656 also limited the retailers' ability to retain
or store personal data; specified the retailer's duty to notify
the owner or licensor of the personal data; required a retailer
responsible for a breach to reimburse the owner/licensor under
certain circumstances. The bill was vetoed.
REGISTERED SUPPORT / OPPOSITION :
Support
California Public Interest Research Group (CALPIRG)
California School Employees Association
Consumer Federation of California
Privacy Rights Clearinghouse
Opposition
Association of California Insurance Companies
Association of California Life & Health Insurance Companies
California Bankers Association
California Business Properties Association
California Chamber of Commerce
California Credit Union League (unless amended)
California Financial Services Association
California Mortgage Bankers Association
Personal Insurance Federation of California
Securities Industry and Financial Markets Association
State Farm
State Privacy and Security Coalition
Tech America
Analysis Prepared by : Thomas Clark / JUD. / (916) 319-2334