BILL ANALYSIS                                                                                                                                                                                                    



                                                                  SB 20
                                                                  Page  1

          Date of Hearing:   August 19, 2009

                        ASSEMBLY COMMITTEE ON APPROPRIATIONS
                                Kevin De Leon, Chair

                    SB 20 (Simitian) - As Amended:  July 23, 2009 

          Policy Committee:  Judiciary          Vote:  7-3

          Urgency:  No          State Mandated Local Program:  No          Reimbursable:

           SUMMARY  

          This bill establishes additional notification requirements  
          following a security breach of a computerized data system.  
          Specifically, this bill:

          1) Requires the notification required by state agencies and  
            private entities following a security breach to contain  
            specified information, including the types of personal  
            information believed to have been breached, a general  
            description of the breach and the number of persons affected,  
            and toll-free phone numbers and addresses of major credit  
            reporting agencies if the breach exposed a bank account or  
            credit card number, a social security number, or a driver's  
            license or California identification card number.

          2) Requires the notification to also include, if possible to  
            determine at the time the notice is provided, any of the  
            following:  (a) the date of the breach; (b) the estimated date  
            of the breach; or (c) the date range within which the breach  
            occurred.

          3) Provides state agencies and private entities discretion to  
            include in the breach notification:

             a)   Information on steps taken to protect individuals whose  
               personal information has been breached.

             b)   Advice on what such individuals can do to protect  
               themselves.

          4) Requires a state agency or private entity that is required to  
            notify more than 500 California residents of a breach to  
            electronically submit a copy of the notification, excluding  
            any personally identifiable information, to the Attorney  
            General.

          5) Requires the breach notification to be submitted, in the case  
            of a state agency, to the Office of Information Security  
            within the office of the State Chief Information Officer, and  
            in the case of a private entity, to the Office of Privacy  
            Protection within the State and Consumer Services Agency.

           FISCAL EFFECT  

          Minor absorbable costs for state agencies to comply with the  
          specified notification requirements.


          COMMENTS  

          1) Purpose.  Under existing law, a person, business, or state  
            agency that keeps, maintains, or leases computerized data that  
            contains personal information must notify anyone whose  
            personal information is compromised as a result of a data  
            breach.  The law permits the person, business, or state agency  
            to use "substitute notice" if the number of persons affected  
            would make personal notice prohibitively expensive or  
            impractical, or if the affected person's contact information  
            is not available. Beyond these provisions, existing law does  
            not create any requirements as to the form and content of the  
            required notices. This bill seeks to correct that deficiency.

          2) Prior Legislation.  SB 364 (Simitian) of 2008, which contained  
            similar, but somewhat more expansive notification  
            requirements, was vetoed.  The governor argued that the bill  
            "could lead consumers to believe that all data breaches result  
            in identity theft" and expressed concern that the bill would  
            "place an additional unnecessary cost on businesses without a  
            corresponding consumer benefit."

            AB 1656 (Jones) of 2008, which also required specified  
            information in the breach notification and, in addition,  
            required that specified items be disclosed to affected  
            California residents if the owner or licensee of the  
            information was the issuer of the credit or debit card, was  
            also vetoed.  In 2007, a similar bill, AB 779 (Jones) was also  
            vetoed.

          3) Opposition.  Several companies and associations representing  
            insurers, bankers, and other business interests are opposed to  
            the notifications containing information involving the date of  
            the breach and the number of persons affected.  These entities  
            believe such provisions "are unnecessary, not helpful to  
            customers, and may actually be harmful to customers and  
            companies attempting to protect their information systems from  
            hackers."  The author's most recent amendments, described  
            above in #2 of the analysis summary, attempt to address  
            opposition concerns regarding providing the breach date in the  
            notification.

          Analysis Prepared by:  Chuck Nicol / APPR. / (916) 319-2081