BILL ANALYSIS                                                                                                                                                                                                    



                                                                  SB 20
                                                                  Page  1

          Date of Hearing:   July 15, 2009

                        ASSEMBLY COMMITTEE ON APPROPRIATIONS
                                Kevin De Leon, Chair

                    SB 20 (Simitian) - As Amended:  July 7, 2009 

          Policy Committee:     Judiciary                  Vote:  7-3

          Urgency:     No                   State Mandated Local Program:  No
          Reimbursable:               

           SUMMARY  

          This bill establishes additional notification requirements  
          following a security breach of a computerized data system.  
          Specifically, this bill:

          1) Requires the notification required by state agencies and  
            private entities following a security breach to contain  
            specified information, including the date and time of the  
            breach, the types of personal information believed to have  
            been breached, a general description of the breach and the  
            number of persons affected, and toll-free phone numbers and  
            addresses of major credit reporting agencies if the breach  
            exposed a bank account or credit card number, a social  
            security number, or a driver's license or California  
            identification card number.

          2) Provides state agencies and private entities discretion to  
            include in the breach notification:

             a)   Information on steps taken to protect individuals whose  
               personal information has been breached.

             b)   Advice on what such individuals can do to protect  
               themselves.

          3) Requires a state agency or private entity that is required to  
            notify more than 500 California residents of a breach to  
            electronically submit a copy of the notification, excluding  
            any personally identifiable information, to the Attorney  
            General.

          4) Requires the breach notification to be submitted, in the case  
            of a state agency, to the Office of Information Security  
            within the office of the State Chief Information Officer, and  
            in the case of a private entity, to the Office of Privacy  
            Protection within the State and Consumer Services Agency.

           FISCAL EFFECT  

          Minor absorbable costs for state agencies to comply with the  
          specified notification requirements.

           COMMENTS  

           1) Purpose.  Under existing law, a person, business, or state  
            agency that keeps, maintains, or leases computerized data that  
            contains personal information must notify anyone whose  
            personal information is compromised as a result of a data  
            breach.  The law permits the person, business, or state agency  
            to use "substitute notice" if the number of persons affected  
            would make personal notice prohibitively expensive or  
            impractical, or if the affected person's contact information  
            is not available. Beyond these provisions, existing law does  
            not create any requirements as to the form and content of the  
            required notices. This bill seeks to correct that deficiency.

           2) Prior Legislation.  SB 364 (Simitian) of 2008, which contained  
            similar, but somewhat more expansive notification  
            requirements, was vetoed.  The governor argued that the bill  
            "could lead consumers to believe that all data breaches result  
            in identity theft" and expressed concern that the bill would  
            "place an additional unnecessary cost on businesses without a  
            corresponding consumer benefit."

            AB 1656 (Jones) of 2008, which also required specified  
            information in the breach notification and, in addition,  
            required that specified items be disclosed to affected  
            California residents if the owner or licensee of the  
            information was the issuer of the credit or debit card, was  
            also vetoed.  In 2007, a similar bill, AB 779 (Jones) was also  
            vetoed.

           3) Opposition.  Several companies and associations representing  
            insurers, bankers, and other business interests are opposed to  
            the notifications containing the date of the breach and the  
            number of persons affected.  These entities believe such  
            provisions "are unnecessary, not helpful to customers, and may  
            actually be harmful to customers and companies attempting to  
            protect their information systems from hackers."

           Analysis Prepared by:    Chuck Nicol / APPR. / (916) 319-2081