BILL ANALYSIS

SENATE RULES COMMITTEE                                        SB 20
Office of Senate Floor Analyses
1020 N Street, Suite 524
(916) 651-1520   Fax: (916) 327-4478

VETO

Bill No:  SB 20
Author:   Simitian (D)
Amended:  8/25/09
Vote:     21

SENATE JUDICIARY COMMITTEE: 3-2, 2/24/09
AYES: Corbett, Florez, Leno
NOES: Harman, Walters

SENATE APPROPRIATIONS COMMITTEE: Senate Rule 28.8

SENATE FLOOR: 26-9, 4/27/09
AYES: Aanestad, Alquist, Ashburn, Cedillo, Corbett, Cox, DeSaulnier, Ducheny, Florez, Hancock, Kehoe, Leno, Liu, Lowenthal, Maldonado, Negrete McLeod, Oropeza, Padilla, Pavley, Romero, Simitian, Steinberg, Wiggins, Wolk, Wright, Yee
NOES: Benoit, Correa, Harman, Hollingsworth, Huff, Runner, Strickland, Walters, Wyland
NO VOTE RECORDED: Calderon, Cogdill, Denham, Dutton, Vacancy

SENATE FLOOR: 31-7, 9/4/09
AYES: Aanestad, Alquist, Ashburn, Calderon, Cedillo, Corbett, Correa, Cox, DeSaulnier, Ducheny, Florez, Hancock, Harman, Kehoe, Leno, Liu, Lowenthal, Maldonado, Negrete McLeod, Padilla, Pavley, Price, Romero, Runner, Simitian, Steinberg, Strickland, Wolk, Wright, Wyland, Yee
NOES: Benoit, Cogdill, Denham, Dutton, Hollingsworth, Huff, Walters
NO VOTE RECORDED: Oropeza, Wiggins

ASSEMBLY FLOOR: 56-13, 9/1/09 - See last page for vote

SUBJECT: Personal information: privacy

SOURCE: Author

DIGEST: This bill amends California's security breach notification law to provide that any agency, person, or business required to issue a notification under existing law must meet additional requirements regarding that notification. This bill requires that security breach notifications be written in plain language and contain certain specified information, including contact information regarding the breach, the types of information breached, and the date, estimated date, or date range of the breach.
This bill provides that a security breach notification may also include other specified information, at the discretion of the entity issuing the notification.

This bill provides that any agency, person, or business that must provide a security breach notification under existing law to more than 500 California residents as a result of a single breach would be required to submit the notification electronically to the Attorney General.

This bill amends the substitute notice provisions of California's security breach notification law to require that an entity providing substitute notice also provide notice to the Office of Privacy Protection within the State and Consumer Services Agency.

Assembly Amendments (1) require the notice be sent to only the Office of Privacy Protection within the State and Consumer Services Agency, and (2) add technical/clarifying language as to information to be included in the required notice.

ANALYSIS: Existing law requires any agency, person, or business that owns or licenses computerized data that includes personal information to disclose a breach of the security of the system to any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as specified. [Sections 1798.29(a) and (c) and 1798.82(a) and (c) of the Civil Code]

Existing law requires any agency, person, or business that maintains computerized data that includes personal information that the agency, person, or business does not own to notify the owner or licensee of the information of any breach of the security of the data immediately following discovery if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
[Sections 1798.29(b) and 1798.82(b) of the Civil Code]

Existing law defines "personal information," for purposes of the breach notification statute, to include the individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: social security number, driver's license number or California identification card number, or account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account, medical information, or health insurance information. "Personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records. [Sections 1798.29(e) and (f) and 1798.82(e) and (f) of the Civil Code]

This bill provides that any agency, person, or business required to issue a security breach notification under existing law must also meet certain requirements regarding the notification, including that it be written in plain language. This bill also requires that the notification include, at a minimum, the following information:

1. The name and contact information of the reporting agency.

2. A list of the types of personal information that were or are reasonably believed to have been the subject of the breach.

3. If the information is possible to determine at the time the notice is provided, then any of the following: (a) the date of the breach, (b) the estimated date of the breach, or (c) the date range within which the breach occurred. The notification shall also include the date of the notice.

4. The date of the notice.

5. Whether the notification was delayed because of an investigation by law enforcement, if that information is possible to determine at the time the notice is provided.

6. A general description of the breach incident, if that information is possible at the time the notice is provided.

7. The toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed a social security number, or a driver's license or California identification card number.

This bill provides that an agency, person, or business may also include the following information in a security breach notification, at its discretion:

1. Information regarding what the entity has done to protect individuals whose information has been breached.

2. Advice on steps that the individual may take to protect himself/herself.

This bill requires any agency, person, or business that is required to provide a security breach notification, pursuant to existing law, to more than 500 California residents as a result of a single breach of the security system to submit the notification electronically, excluding any personally identifiable information, to the Attorney General.

Existing law requires an agency, person, or business to provide breach notification using either written notice, electronic notice, or substitute notice. An entity may use substitute notice when it demonstrates that the cost of providing notice would exceed $250,000, or that the affected class of persons to be notified exceeds 500,000, or if the entity does not have sufficient contact information. Substitute notice must consist of (1) electronic mail notice when the entity has an email address for the affected individuals, (2) conspicuous posting of the notice on the entity's Web site, and (3) notification to major statewide media. [Sections 1798.29(g) and 1798.82(g) of the Civil Code]

This bill additionally requires notification to the Office of Privacy Protection within the State and Consumer Services Agency when an agency, person, or business uses substitute notice.
Prior Legislation

SB 364 (Simitian, 2008) would have required that breach notifications be written in plain language and contain specified information, such as the name of the entity that maintained the computerized data at the time of the breach and a description of the categories of personal information that was breached. The bill passed the Senate by a vote of 38-2 on August 30, 2008, and was vetoed by the Governor. In his veto message, the Governor stated:

"California's landmark law on data breach notification has had many beneficial results. Informing individuals whose personal information was compromised in a breach of what their risks are and what they can do to protect themselves is an important consumer protection benefit. The law has also provided a window on information privacy and security practices that has led organizations to make many improvements.

"Unfortunately, this bill could lead consumers to believe that all data breaches result in identity theft. Further, this would place an additional unnecessary cost on businesses without a corresponding consumer benefit."

AB 1656 (Jones, 2008) would have, among other things, required a person, business, or agency who maintains personal information to include specified items in a breach notification to the owner or licensee of the information. The bill would also have required that the specified items be disclosed to affected California residents if the owner or licensee of the information is also the issuer of the credit or debit card. The bill passed the Senate by a vote of 34-3 on August 27, 2008, and was vetoed by the Governor.

AB 779 (Jones, 2007) would have, among other things, provided that the Office of Privacy Protection be notified if substitute notice was used. The bill would also have required any agency, person, or business that owns, licenses, or maintains personal information related to various payment devices to notify the owner, licensee, or California resident of a security data breach. The notification would have been required to contain certain specified standard information, including, among other things, when the breach occurred and the categories of personal information breached. The bill passed the Senate by a vote of 30-6 on September 6, 2007, and was vetoed by the Governor.

FISCAL EFFECT: Appropriation: No   Fiscal Com.: Yes   Local: No

SUPPORT: (Verified 9/2/09)
American Civil Liberties Union
California Public Interest Research Group
California School Employees Association
Consumer Federation of California
Los Angeles County District Attorney
Privacy Rights Clearinghouse

ARGUMENTS IN SUPPORT: The author writes:

"Although California has a security breach notification law (A.B. 700, Simitian/S.B. 1386, Peace - 2002), we do not require public agencies, businesses, or persons subject to that law to provide any standard set of information about the breach to consumers. As a result, security breach notification letters often lack important information - such as the time of the breach or type of information that was breached - or are confusing to consumers. This leaves consumers uncertain about how to respond to the breach or protect themselves from identity theft, and leaves businesses and government entities that have experienced a breach unsure about what to put in the notices they send consumers.

"This bill would make relatively modest but helpful changes to the current security breach notification statutes to enhance consumer knowledge about, and understanding of, security breaches by requiring that the customer notification required by current law contain specified information."

GOVERNOR'S VETO MESSAGE: "I am returning Senate Bill 20 without my signature.
"This bill would require any agency, person, or business that must issue an information security breach notification pursuant to existing law to also fulfill certain additional requirements pertaining to the security breach notification.

"California's landmark law on data breach notification has had many beneficial results. Informing individuals whose personal information was compromised in a breach of what their risks are and what they can do to protect themselves is an important consumer protection benefit. This bill is unnecessary, however, because there is no evidence that there is a problem with the information provided to consumers. Moreover, there is no additional consumer benefit gained by requiring the Attorney General to become a repository of breach notices when this measure does not require the Attorney General to do anything with the notices. Since this measure would place additional unnecessary mandates on businesses without a corresponding consumer benefit, I am unable to sign this bill."

ASSEMBLY FLOOR:
AYES: Ammiano, Arambula, Beall, Block, Blumenfield, Brownley, Caballero, Carter, Chesbro, Cook, Coto, Davis, De La Torre, De Leon, Emmerson, Eng, Evans, Feuer, Fong, Fuentes, Furutani, Galgiani, Hall, Hayashi, Hernandez, Hill, Huber, Huffman, Jones, Krekorian, Lieu, Logue, Bonnie Lowenthal, Ma, Mendoza, Monning, Nava, Niello, Nielsen, John A. Perez, V. Manuel Perez, Portantino, Ruskin, Salas, Saldana, Skinner, Solorio, Audra Strickland, Swanson, Torlakson, Torres, Torrico, Tran, Villines, Yamada, Bass
NOES: Adams, Anderson, Tom Berryhill, DeVore, Fuller, Gaines, Garrick, Gilmore, Knight, Miller, Nestande, Silva, Smyth
NO VOTE RECORDED: Bill Berryhill, Blakeslee, Buchanan, Charles Calderon, Conway, Duvall, Fletcher, Hagman, Harkey, Jeffries, Vacancy

RJG:mw 1/6/10   Senate Floor Analyses

SUPPORT/OPPOSITION: SEE ABOVE

**** END ****