BILL ANALYSIS
SB 24 Page 1
Date of Hearing: June 14, 2011

ASSEMBLY COMMITTEE ON JUDICIARY
Mike Feuer, Chair
SB 24 (Simitian) - As Amended: March 29, 2011
As Proposed to be Amended

SENATE VOTE: 31-6

SUBJECT: Personal Information: Privacy

KEY ISSUE: Should California's Security Breach Notification law be amended to require that notices be written in plain language and contain standard information that is useful to persons affected by the breach?

FISCAL EFFECT: As currently in print this bill is keyed fiscal.

SYNOPSIS

This bill would strengthen California's existing breach notification law by requiring notices to contain specified information. Existing law requires any agency, person, or business that keeps or maintains the personal information of California residents to notify affected residents in the event the data is compromised by a security breach. This bill would require the notice to be written in plain language and include useful information about the nature of the breach and contact information that allows the affected person to take corrective action. In addition, sample copies of the notification would be sent to the Attorney General in cases that affect more than 500 persons. Furthermore, if substitute notice is used, which existing law permits in certain cases, notice must also be provided to major statewide media and the appropriate state office. Finally, this bill would specify that entities covered by the Health Insurance Portability and Accountability Act (HIPAA) are deemed to have met the notice requirements of this bill if they meet the substantially similar federal notice requirements under HIPAA. This is the author's third effort to strengthen breach notification requirements. This bill is identical to the enrolled version of last year's SB 1166 by the same author.
Despite the fact that the author took several amendments to remove all opposition to last year's bill, the measure was nevertheless vetoed by the prior Governor on the grounds that it was "unnecessary," because the prior Governor believed at the time that there was no evidence of any problem with the notices that are provided under existing law. However, this bill passed off the Senate Floor on a bipartisan 31-6 vote. It is supported by several privacy and consumer groups. There is no known opposition.

SUMMARY: Requires that a notice required under California's data security breach law must contain specified information and that a copy of the notice must be sent to appropriate state agencies, as specified. Specifically, this bill:

1) Provides that when an agency, person, or business is required to issue a data security breach notification pursuant to existing law, that notification must be written in plain language and shall include at a minimum the following information:

   a) The name and contact information of the reporting agency, person, or business.

   b) A list of the types of personal information that were or are reasonably believed to have been the subject of a breach.

   c) The date, estimated date, or date range within which the breach occurred, if that information is possible to determine at the time the notice is provided.

   d) Whether the notification was delayed as a result of a law enforcement investigation, if that information is possible to determine at the time the notice is provided.

   e) A general description of the breach incident, if that information is possible to determine at the time the notice is provided.

   f) The toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed a social security number or driver's license or state identification card number.
2) Provides that, at the discretion of the reporting agency, person, or business, the notification may include other information, including information about what the agency has done to protect the individuals affected by the breach and what steps those individuals may take to protect themselves.

3) Provides that an agency, person, or business that is required to issue a data security breach notification to more than 500 California residents must also submit a notification to the Attorney General, as specified.

4) Provides that if substitute notice is used, as permitted by existing law, then the reporting person, business, or agency must also provide notification to major statewide media and the Office of Information Security within the office of the State Chief Information Officer.

5) Specifies that entities covered by the Health Insurance Portability and Accountability Act (HIPAA) will be deemed to have complied with the notice provisions of this bill if they have complied with the substantially similar notice requirements already imposed under federal law.

EXISTING LAW:

1) Requires any state agency that owns or licenses computerized data that includes personal information to disclose any breach of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Requires any state agency that maintains, but does not own, personal information to notify the owner or licensor of the data of any breach. Provides further that disclosure shall be made in the most expedient time possible and without unreasonable delay. (Civil Code Section 1798.29.)
2) Requires any person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, to disclose any breach of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Requires any person or business that maintains, but does not own, personal information to notify the owner or licensor of the data of any breach. Provides further that disclosure shall be made in the most expedient time possible and without unreasonable delay. (Civil Code Section 1798.82.)

3) Provides that notice required under the above provisions may be made by written notice or electronic notice, if the latter is consistent with federal electronic signature standards. Provides, however, that substitute notice, as specified, may be used if the person, business, or agency determines that the cost of providing notice would exceed $250,000 or that the affected class of subject persons exceeds 500,000, or the person, business, or agency does not have sufficient contact information. (Civil Code Sections 1798.29(g) and 1798.82(g).)

4) Notwithstanding the above notice requirements, a person, business, or agency that maintains its own notification procedures as part of an information security policy that is consistent with the requirements of the security breach law shall be deemed to be in compliance with the notification requirements of state law if the agency, person, or business notifies subject persons in accordance with its own policies. (Civil Code Sections 1798.29(h) and 1798.82(h).)

5) Requires, under federal law, that any entity covered by the Health Insurance Portability and Accountability Act (HIPAA) notify any person whose personal information is compromised by a data security breach, and specifies the required content of the notice.
(Section 13402(f) of the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act.)

COMMENTS: Under existing law, a person, business, or state agency that keeps, maintains, or leases computerized data that contains personal information must provide appropriate notices if that personal information is compromised as a result of a data breach. The law permits the person, business, or state agency to use "substitute notice" if the number of persons affected would make personal notice prohibitively expensive or impractical, or if the affected person's contact information is not available. However, beyond these provisions, existing law does not create any requirements as to the form and content of the required notices. This bill seeks to correct that deficiency by requiring notices to contain specified information that will be useful to the affected resident and ensure that there is greater uniformity in the content of security breach notices. In addition, this bill would require that notification be sent to the state Attorney General's office for any breach that affects more than 500 California residents. This bill would also provide that if "substitute notice" is used, as permitted by existing law, then a copy of the notice should also be sent to the appropriate state office. Finally, this bill would specify that entities covered by the Health Insurance Portability and Accountability Act (HIPAA) are deemed to have met the notice requirements of this bill if they meet the substantially similar federal notice requirements under HIPAA.
The last provision was added in response to concerns of the California Hospital Association, which contended that slight, non-substantial differences between the federal and state requirements would require hospitals and other HIPAA-covered entities to needlessly send two notices (one to meet the specific requirements of federal law and another to meet the specific requirements of state law), which could be a substantial expense in breaches that affected a large number of persons.

Governor's Vetoes of Prior Legislation. This bill is nearly identical to the enrolled version of last year's SB 1166 and, except for the exemption for HIPAA-covered entities, nearly identical to SB 20 of 2009, both by the same author. When SB 20 was heard by this Committee in 2009, it was opposed by several groups representing various businesses, including financial institutions and the high-tech electronics industry. In order to address opposition concerns, the author took several amendments, including amendments that eliminated the requirement that the breach notice contain the number of persons affected (which opponents claimed was always subject to change and could require several notices). In addition, the author added qualifying amendments to make it clear that information about the scope and nature of the breach was required only to the extent that such information was available at the time the notice was provided. While these amendments apparently removed all of the registered opposition to the bill by the time SB 20 was passed by the Legislature, the bill was nevertheless vetoed by the former Governor as "unnecessary."
When SB 1166 was heard by the Committee last year, the bill was opposed only by the California Hospital Association, which argued that, for HIPAA-covered entities, the requirements would be duplicative of notice requirements under federal law and would potentially require hospitals and other HIPAA-covered entities to send two notices, one to meet the requirements of federal law and a second to meet the requirements of state law. To address this concern, the author took an amendment to last year's SB 1166 addressing this issue, so that all opposition had been removed by the time the bill was enrolled. Nonetheless, the prior Governor vetoed the prior version of this measure.

AUTHOR'S PROPOSED TECHNICAL AMENDMENT: The office of the State Chief Information Officer was recently renamed the California Technology Agency. Therefore, the author will take the following technical amendment in this Committee:

- On page 5, lines 6-7, delete "State Chief Information Officer" and insert: California Technology Agency

ARGUMENTS IN SUPPORT: According to the author, California's first-in-the-nation breach notification statute, which requires data holders to notify individuals in the event of a breach of their personal data, was based on the premise that individuals have a right to know when a data breach has occurred and affected them. If consumers are unaware of the fact that their personal information has been compromised, they are unable to take steps that might protect them from various kinds of fraud or identity theft. However, according to the author, there remains a troubling gap in our breach notification law: while current law requires data holders to notify individuals when there has been a data breach of personal information, it does not specify what kinds of information the notice must contain. This bill, the author contends, will establish "standard, core content for security breach notifications in California."
The author believes that requiring a standard form will ensure that all consumers affected by a data breach will have adequate information describing the nature of the breach, the types of data that have been compromised, and contact information that will help the affected individual take necessary steps of self-protection.

The American Civil Liberties Union (ACLU) believes that SB 24 will make security breach notices more "user-friendly" by requiring that they be written in plain language and contain specific information, including necessary contact information. The Consumer Federation of California (CFC) supports this bill for similar reasons, and also alleges that existing breach notifications "often lack important information - such as the time of the breach or type of information that was breached - or are confusing to consumers." This confusion, CFC maintains, leaves consumers uncertain as to how to go about protecting themselves from identity theft. Finally, Privacy Rights Clearinghouse (PRC) adds that, because California currently "lacks any centralizing reporting process for security breaches," it is "therefore difficult for state policy makers to assess or improve upon our state security breach laws." PRC believes that requiring that a copy of the notice be sent to the Attorney General will help the state monitor the problem and develop appropriate responses. The other organizations listed below support this bill for substantially the same reasons as those noted above.

REGISTERED SUPPORT / OPPOSITION:

Support
American Civil Liberties Union
Association of California Health Care Districts
California Association of Health Underwriters
California School Employees Association
California State Sheriffs' Association
CALPIRG
Consumer Federation of California
Privacy Activism
Privacy Rights Clearinghouse

Opposition
None on file

Analysis Prepared by: Thomas Clark / JUD. / (916) 319-2334