BILL ANALYSIS
SB 20
Page 1

SENATE THIRD READING
SB 20 (Simitian)
As Amended August 25, 2009
Majority vote

SENATE VOTE: 26-9

JUDICIARY 7-3
  Ayes: Feuer, Brownley, Evans, Jones, Krekorian, Lieu, Monning
  Nays: Tran, Knight, Silva

APPROPRIATIONS 12-1
  Ayes: De Leon, Ammiano, Charles Calderon, Coto, Davis, Fuentes, Hall, John A. Perez, Skinner, Solorio, Torlakson, Hill
  Nays: Audra Strickland

SUMMARY: Requires that a notice required under California's data security breach law must contain specified information and that a copy of the notice must be sent to appropriate state agencies, as specified. Specifically, this bill:

1) Provides that when an agency, person, or business is required to issue a data security breach notification pursuant to existing law, that notification must be written in plain language and shall include at a minimum all of the following information:

   a) The name and contact information of the reporting agency, person, or business;
   b) A list of the types of personal information, as defined, that were reasonably believed to have been the subject of the breach;
   c) The date, estimated date, or date range of when the breach occurred, if that information is possible to determine at the time the notice is provided;
   d) Whether the notification was delayed as a result of a law enforcement investigation, if that information is possible to determine at the time the notice is provided;
   e) A general description of the breach incident, if that information is possible to determine at the time the notice is provided; and,
   f) The toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed a social security number or driver's license or state identification card number.

2) Provides that, at the discretion of the reporting agency, person, or business, the notification may include other information, including information about what the agency has done to protect the individuals affected by the breach and what steps those individuals may take to protect themselves.

3) Provides that an agency, person, or business that is required to issue a data security breach notification to more than 500 California residents must also submit a notification to the Attorney General.

4) Provides that if substitute notice is used, as permitted by existing law, then the reporting person, business, or agency must also provide notification to the Office of Information Security within the office of the State Chief Information Officer.

EXISTING LAW:

1) Requires any state agency that owns or licenses computerized data that includes personal information to disclose any breach of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Requires any state agency that maintains, but does not own, personal information to notify the owner or licensor of the data of any breach. Provides further that disclosure shall be made in the most expedient time possible and without unreasonable delay.

2) Requires any person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, to disclose any breach of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Requires any person or business that maintains, but does not own, personal information to notify the owner or licensor of the data of any breach. Provides further that disclosure shall be made in the most expedient time possible and without unreasonable delay.
3) Provides that notice required under the above provisions may be made by written notice or electronic notice, if the latter is consistent with federal electronic signature standards. Provides, however, that substitute notice may be used if the person, business, or agency determines that the cost of providing notice would exceed $250,000 or that the affected class of subject persons exceeds 500,000, or if the person, business, or agency does not have sufficient contact information.

4) Provides that substitute notice, when used, shall consist of all of the following:

   a) E-mail notice when the e-mail address of subject persons is known;
   b) Conspicuous posting of the notice on the Web site of the person, business, or agency, if the person, business, or agency maintains one; and,
   c) Notification to major statewide media.

5) Notwithstanding the above notice requirements, a person, business, or agency that maintains its own notification procedures as part of an information security policy that is consistent with the requirements of the security breach law shall be deemed to be in compliance with the notification requirements of state law if the agency, person, or business notifies subject persons in accordance with its own policies.

FISCAL EFFECT: According to the Assembly Appropriations analysis, minor absorbable costs for state agencies to comply with the specified notification requirements.

COMMENTS: Under existing law, a person, business, or state agency that keeps, maintains, or leases computerized data that contains personal information must provide appropriate notices if that personal information is compromised as a result of a data breach. The law permits the person, business, or state agency to use "substitute notice" if the number of persons affected would make personal notice prohibitively expensive or impractical, or if the affected person's contact information is not available.
However, beyond these provisions, existing law does not create any requirements as to the form and content of the required notices. This bill seeks to correct that deficiency by requiring notices to contain specified information that will be useful to the affected resident and ensure that there is greater uniformity in the content of security breach notices. In addition, this bill would require that notification be sent to the state Attorney General's office for any breaches that affect more than 500 California residents. Finally, this bill would also provide that if "substitute notice" is used, as permitted by existing law, then a copy of the notice should also be sent to the Office of Information Security within the office of the State Chief Information Officer.

According to the author, although existing California law requires notices in the event of a data breach, it is more or less silent on the required content of those notices. As a result, the author contends, existing notices often fail to provide the affected individual with critical information about the nature and scope of the breach. According to the author, without such information, the consumer is often uncertain about how to respond to the breach. The author believes that this measure will "make relatively modest but helpful changes" that provide affected individuals with useful knowledge about the security breach.

Finally, the author rejects as unfounded the argument made by some opponents that revealing the exact time of the breach and the number of persons affected will somehow provide information that will help the computer hacker. The author responds that "the hacker already knows when they [sic] have been successful. The point here is to provide affected individuals with crucial information."
The author points out that the inclusion of the date of the breach - which some opponents strenuously object to - allows the affected consumer to examine their records and determine, with greater precision, if they have been victimized by identity theft.

Two recent amendments - one deleting the requirement that the notice include the number of persons affected, and a second clarifying that the notice may include an estimated date or date range in lieu of a specific date of a breach - have apparently removed all previously registered opposition to the bill.

Analysis Prepared by: Thomas Clark / JUD. / (916) 319-2334

FN: 0002366