BILL ANALYSIS



                                                                  SB 24
                                                                  Page  1

          Date of Hearing:   June 14, 2011

                           ASSEMBLY COMMITTEE ON JUDICIARY
                                  Mike Feuer, Chair
                    SB 24 (Simitian) - As Amended:  March 29, 2011

                              As Proposed to be Amended

           SENATE VOTE:  31-6

           SUBJECT:  Personal Information: Privacy

           KEY ISSUE:  Should California's Security Breach Notification law 
          be amended to require that notices be written in plain language 
          and contain standard information that is useful to persons 
          affected by the breach?  

           FISCAL EFFECT:  As currently in print this bill is keyed fiscal. 


                                      SYNOPSIS
          
          This bill would strengthen California's existing breach 
          notification law by requiring notices to contain specified 
          information.  Existing law requires any agency, person, or 
          business that keeps or maintains the personal information of 
          California residents to notify affected residents in the event 
          the data is compromised by a security breach.  This bill would 
          require the notice to be written in plain language and include 
          useful information about the nature of the breach and contact 
          information that allows the affected person to take corrective 
          action.  In addition, sample copies of the notification would be 
          sent to the Attorney General in cases that affect more than 500 
          persons.  Furthermore, if substitute notice is used, which 
          existing law permits in certain cases, notice must also be 
          provided to major statewide media and the appropriate state 
          office.  Finally, this bill would specify that entities covered 
          by the Health Insurance Portability and Accountability Act 
          (HIPAA) are deemed to have met the notice requirements of this 
          bill if they meet the substantially similar federal notice 
          requirements under HIPAA.  This is the author's third effort to 
          strengthen breach notification requirements.  This bill is 
          identical to the enrolled version of last year's SB 1166 by the 
          same author.  Despite the fact that the author took several 
          amendments to remove all opposition to last year's bill, the 
          measure was nevertheless vetoed by the prior Governor on the 
          grounds that it was "unnecessary," because the prior Governor 
          believed at the time that there was no evidence of any problem 
          with the notices provided under existing law.  However, this 
          bill passed off the Senate Floor on a bipartisan 31-6 vote.  It 
          is supported by several privacy and consumer groups.  There is 
          no known opposition. 

           SUMMARY:  Requires that a notice required under California's 
          data security breach law must contain specified information and 
          a copy of the notice must be sent to appropriate state agencies, 
          as specified.  Specifically, this bill:   

          1)Provides that when an agency, person, or business is required 
            to issue a data security breach notification pursuant to 
            existing law, that notification must be written in plain 
            language and shall include at a minimum the following 
            information:

             a)   The name and contact information of the reporting 
               agency, person, or business.
             b)   A list of the types of personal information that were or 
               are reasonably believed to have been the subject of a 
               breach.  
             c)   The date, estimated date, or date range within which the 
               breach occurred, if that information is possible to 
               determine at the time the notice is provided.
             d)   Whether the notification was delayed as a result of a 
               law enforcement investigation, if that information is 
               possible to determine at the time the notice is provided.
             e)   A general description of the breach incident, if that 
               information is possible to determine at the time the notice 
               is provided. 
             f)   The toll-free telephone numbers and addresses of the 
               major credit reporting agencies if the breach exposed a 
               social security number or driver's license or state 
               identification card number. 

          2)Provides that, at the discretion of the reporting agency, 
            person, or business, the notification may include other 
            information, including information about what the agency has 
            done to protect the individuals affected by the breach and 
            what steps those individuals may take to protect themselves. 

          3)Provides that an agency, person, or business that is required 
            to issue a data security breach notification to more than 500 
            California residents must also submit a notification to the 
            Attorney General, as specified. 

          4)Provides that if substitute notice is used, as permitted by 
            existing law, then the reporting person, business, or agency 
            must also provide notification to major statewide media and 
            the Office of Information Security within the office of the 
            State Chief Information Officer. 

          5)Specifies that entities covered by the Health Insurance 
            Portability and Accountability Act (HIPAA) will be deemed to 
            have complied with the notice provisions of this bill if they 
            have complied with substantially similar notices that are 
            already required under federal law. 

           EXISTING LAW: 

          1)Requires any state agency that owns or licenses computerized 
            data that includes personal information to disclose any breach 
            of the data to any resident of California whose unencrypted 
            personal information was, or is reasonably believed to have 
            been, acquired by an unauthorized person.  Requires any state 
            agency that maintains, but does not own, personal information 
            to notify the owner or licensor of the data of any breach.  
            Provides further that disclosure shall be made in the most 
            expedient time possible and without unreasonable delay.  
            (Civil Code Section 1798.29.)

          2)Requires any person or business that conducts business in 
            California, and that owns or licenses computerized data that 
            includes personal information to disclose any breach of the 
            data to any resident of California whose unencrypted personal 
            information was, or is reasonably believed to have been, 
            acquired by an unauthorized person.  Requires any person or 
            business that maintains, but does not own, personal 
            information to notify the owner or licensor of the data of any 
            breach.  Provides further that disclosure shall be made in the 
            most expedient time possible and without unreasonable delay.  
            (Civil Code Section 1798.82.) 

          3)Provides that notice required under the above provisions may 
            be made by written notice or electronic notice, if the latter 
            is consistent with federal electronic signature standards. 
            Provides, however, that substitute notice, as specified, may 
            be used if the person, business, or agency determines that the 
            cost of providing notice would exceed $250,000 or that the 
            affected class of subject persons exceeds 500,000, or the 
            person, business, or agency does not have sufficient contact 
            information.  (Civil Code Sections 1798.29 (g) and 1798.82 
            (g).)

          4)Notwithstanding the above notice requirements, a person, 
            business, or agency that maintains its own notification 
            procedures as part of an information security policy that is 
            consistent with the requirements of the security breach law 
            shall be deemed to be in compliance with the notification 
            requirements of state law if the agency, person, or business 
            notifies subject persons in accordance with its own policies.  
            (Civil Code Sections 1798.29 (h) and 1798.82 (h).) 

          5)Requires, under federal law, any entity covered by the 
            Health Insurance Portability and Accountability Act (HIPAA) 
            to notify any person whose personal information is compromised 
            by a data security breach, and specifies the required content 
            of the notice.  (Section 13402(f) of the 2009 Health 
            Information Technology for Economic and Clinical Health 
            (HITECH) Act.) 

           COMMENTS:  Under existing law, a person, business, or state 
          agency that keeps, maintains, or leases computerized data that 
          contains personal information must provide appropriate notices 
          if that personal information is compromised as a result of a 
          data breach.  The law permits the person, business, or state 
          agency to use "substitute notice" if the number of persons 
          affected would make personal notice prohibitively expensive or 
          impractical, or if the affected person's contact information is 
          not available.  However, beyond these provisions, existing law 
          does not create any requirements as to the form and content of 
          the required notices.  This bill seeks to correct that 
          deficiency by requiring notices to contain specified information 
          that will be useful to the affected resident and ensure that 
          there is greater uniformity in the content of security breach 
          notices.  In addition, this bill would require that notification 
          be sent to the state Attorney General's office for any breaches 
          that affect more than 500 California residents.  This bill would 
          also provide that if "substitute notice" is used, as permitted 
          by existing law, then a copy of the notice should also be sent 
          to the appropriate state office.  Finally, this bill would 
          specify that entities covered by the Health Insurance 
          Portability and Accountability Act (HIPAA) are deemed to have 
          met the notice requirements of this bill if they meet the 
          substantially similar federal notice requirements under HIPAA.  
          The last provision was added in response to concerns of the 
          California Hospital Association, which contended that slight, 
          non-substantial differences in the federal and state requirements 
          would require hospitals and other HIPAA-covered entities to 
          needlessly send two notices (one to meet the specific 
          requirements of federal law and another to meet the specific 
          requirements of state law), which could be a substantial expense 
          in breaches that affected a large number of persons. 

           Governor's Vetoes of Prior Legislation.  This bill is nearly 
          identical to the enrolled version of last year's SB 1166, and 
          except for the exemption for HIPAA-covered entities, nearly 
          identical to SB 20 of 2009, both by the same author.  When SB 20 
          was heard by this Committee in 2009, it was opposed by several 
          groups representing various businesses, including financial 
          institutions and the hi-tech electronics industry.  In order to 
          address opposition concerns, the author took several amendments, 
          including amendments that eliminated the requirement that the 
          breach notice contain the number of persons affected (which 
          opponents claimed was always subject to change and could require 
          several notices).  In addition, the author added qualifying 
          amendments to make it clear that information about the scope and 
          nature of the breach was required only to the extent that such 
          information was available at the time the notice was provided.  
          While these amendments apparently removed all of the registered 
          opposition to the bill by the time SB 20 was passed by the 
          Legislature, the bill was nevertheless vetoed by the former 
          Governor as "unnecessary."  When SB 1166 was heard by the 
          Committee last year, the bill was opposed only by the California 
          Hospital Association, which argued that, for HIPAA-covered 
          entities, the requirements would be duplicative of notice 
          requirements under federal law and would potentially require 
          hospitals and other HIPAA-covered entities to send two notices, 
          one to meet the requirements of federal law and a second to meet 
          the requirements of state law.  To address this concern, the 
          author took an amendment to last year's SB 1166 addressing this 
          issue so that all opposition had been removed by the time the 
          bill was enrolled.  Nonetheless, the prior Governor vetoed the 
          prior version of this measure. 

           AUTHOR'S PROPOSED TECHNICAL AMENDMENT:  The office of the State 
          Chief Information Officer was recently renamed the California 
          Technology Agency.  Therefore, the author will take the 
          following technical amendment in this Committee:

               -      On page 5, lines 6-7, delete "State Chief Information 
                 Officer" and insert:

          California Technology Agency

           
           ARGUMENTS IN SUPPORT:  According to the author, California's 
          first-in-the-nation breach notification statute, which requires 
          data holders to notify individuals in the event of a breach of 
          their personal data, was based on the premise that individuals 
          have a right to know when a data breach has occurred and 
          affected them.  If consumers are unaware of the fact that their 
          personal information has been compromised, they are unable to 
          take steps that might protect them from various kinds of fraud 
          or identity theft.  However, according to the author, there 
          remains a troubling gap in our breach notification law: while 
          current law requires data holders to notify individuals when 
          there has been a data breach of personal information, it does 
          not specify what kinds of information the notice must contain.  
          This bill, the author contends, will establish "standard, core 
          content for security breach notifications in California."  The 
          author believes that requiring a standard form will ensure that 
          all consumers affected by a data breach will have adequate 
          information describing the nature of the breach, the types of 
          data that have been compromised, and contact information that 
          will help the affected individual take necessary steps of 
          self-protection. 

          The American Civil Liberties Union (ACLU) believes that SB 24 
          will make security breach notices more "user-friendly" by 
          requiring that they be written in plain language and contain 
          specific information, including necessary contact information.  
          The Consumer Federation of California (CFC) supports this bill 
          for similar reasons, and also alleges that existing breach 
          notifications "often lack important information - such as the 
          time of the breach or type of information that was breached - or 
          are confusing to consumers."  This confusion, CFC maintains, 
          leaves consumers uncertain as to how to go about protecting 
          themselves from identity theft.  Finally, Privacy Rights 
          Clearinghouse (PRC) adds that, because California currently 
          "lacks any centralizing reporting process for security 
          breaches," it is "therefore difficult for state policy makers to 
          assess or improve upon our state security breach laws."  PRC 
          believes that requiring that a copy of the notice be sent to the 
          Attorney General will help the state monitor the problem and 
          develop appropriate responses.  The other organizations listed 
          below support this bill for substantially the same reasons as 
          those noted above. 

           REGISTERED SUPPORT / OPPOSITION:

           Support 
           
          American Civil Liberties Union
          Association of California Health Care Districts 
          California Association of Health Underwriters 
          California School Employees Association 
          California State Sheriffs' Association 
          CALPIRG
          Consumer Federation of California
          Privacy Activism
          Privacy Rights Clearinghouse

           Opposition 
           
          None on file


           Analysis Prepared by:  Thomas Clark / JUD. / (916) 319-2334