BILL ANALYSIS
SB 24
Page 1
Date of Hearing: June 14, 2011
ASSEMBLY COMMITTEE ON JUDICIARY
Mike Feuer, Chair
SB 24 (Simitian) - As Amended: March 29, 2011
As Proposed to be Amended
SENATE VOTE : 31-6
SUBJECT : Personal Information: Privacy
KEY ISSUE : Should California's Security Breach Notification law
be amended to require that notices be written in plain language
and contain standard information that is useful to persons
affected by the breach?
FISCAL EFFECT : As currently in print this bill is keyed fiscal.
SYNOPSIS
This bill would strengthen California's existing breach
notification law by requiring notices to contain specified
information. Existing law requires any agency, person, or
business that keeps or maintains the personal information of
California residents to notify affected residents in the event
the data is compromised by a security breach. This bill would
require the notice to be written in plain language and include
useful information about the nature of the breach and contact
information that allows the affected person to take corrective
action. In addition, sample copies of the notification would be
sent to the Attorney General in cases that affect more than 500
persons. Furthermore, if substitute notice is used, which
existing law permits in certain cases, notice must also be
provided to major statewide media and the appropriate state
office. Finally, this bill would specify that entities covered
by the Health Insurance Portability and Accountability Act
(HIPAA) are deemed to have met the notice requirements of this
bill if they meet the substantially similar federal notice
requirements under HIPAA. This is the author's third effort to
strengthen breach notification requirements. This bill is
identical to the enrolled version of last year's SB 1166 by the
same author. Despite the fact that the author took several
amendments to remove all opposition to last year's bill, the
measure was nevertheless vetoed by the prior Governor on the
grounds that it was "unnecessary," because the prior Governor
believed at the time that there was no evidence of any problem
with the notices provided under existing law. However, this
bill passed off the Senate Floor on a bipartisan 31-6 vote. It
is supported by several privacy and consumer groups. There is
no known opposition.
SUMMARY : Requires that a notice required under California's
data security breach law must contain specified information and
a copy of the notice must be sent to appropriate state agencies,
as specified. Specifically, this bill :
1) Provides that when an agency, person, or business is required
to issue a data security breach notification pursuant to
existing law, that notification must be written in plain
language and shall include at a minimum the following
information:
a) The name and contact information of the reporting
agency, person, or business.
b) A list of the types of personal information that were or
are reasonably believed to have been the subject of a
breach.
c) The date, estimated date, or date range within which the
breach occurred, if that information is possible to
determine at the time the notice is provided.
d) Whether the notification was delayed as a result of a
law enforcement investigation, if that information is
possible to determine at the time the notice is provided.
e) A general description of the breach incident, if that
information is possible to determine at the time the notice
is provided.
f) The toll-free telephone numbers and addresses of the
major credit reporting agencies if the breach exposed a
social security number or driver's license or state
identification card number.
2) Provides that, at the discretion of the reporting agency,
person, or business, the notification may include other
information, including information about what the agency has
done to protect the individuals affected by the breach and
what steps those individuals may take to protect themselves.
3) Provides that an agency, person, or business that is required
to issue a data security breach notification to more than 500
California residents must also submit a notification to the
Attorney General, as specified.
4) Provides that if substitute notice is used, as permitted by
existing law, then the reporting person, business, or agency
must also provide notification to major statewide media and
the Office of Information Security within the office of the
State Chief Information Officer.
5) Specifies that entities covered by the Health Insurance
Portability and Accountability Act (HIPAA) will be deemed to
have complied with the notice provisions of this bill if they
have complied with substantially similar notices that are
already required under federal law.
EXISTING LAW :
1) Requires any state agency that owns or licenses computerized
data that includes personal information to disclose any breach
of the data to any resident of California whose unencrypted
personal information was, or is reasonably believed to have
been, acquired by an unauthorized person. Requires any state
agency that maintains, but does not own, personal information
to notify the owner or licensor of the data of any breach.
Provides further that disclosure shall be made in the most
expedient time possible and without unreasonable delay.
(Civil Code Section 1798.29.)
2) Requires any person or business that conducts business in
California, and that owns or licenses computerized data that
includes personal information to disclose any breach of the
data to any resident of California whose unencrypted personal
information was, or is reasonably believed to have been,
acquired by an unauthorized person. Requires any person or
business that maintains, but does not own, personal
information to notify the owner or licensor of the data of any
breach. Provides further that disclosure shall be made in the
most expedient time possible and without unreasonable delay.
(Civil Code Section 1798.82.)
3) Provides that notice required under the above provisions may
be made by written notice or electronic notice, if the latter
is consistent with federal electronic signature standards.
Provides, however, that substitute notice, as specified, may
be used if the person, business, or agency determines that the
cost of providing notice would exceed $250,000 or that the
affected class of subject persons exceeds 500,000, or the
person, business, or agency does not have sufficient contact
information. (Civil Code Sections 1798.29 (g) and 1798.82
(g).)
4) Notwithstanding the above notice requirements, a person,
business, or agency that maintains its own notification
procedures as part of an information security policy that is
consistent with the requirements of the security breach law
shall be deemed to be in compliance with the notification
requirements of state law if the agency, person, or business
notifies subject persons in accordance with its own policies.
(Civil Code Sections 1798.29 (h) and 1798.82 (h).)
5) Requires, under federal law, that any entity covered by the
Health Insurance Portability and Accountability Act (HIPAA),
to notify any person whose personal information is compromised
by a data security breach and specifies the required content
of the notice. (Section 13402(f) of the 2009 Health
Information Technology for Economic and Clinical Health
(HITECH) Act.)
COMMENTS : Under existing law, a person, business, or state
agency that keeps, maintains, or leases computerized data that
contains personal information must provide appropriate notices
if that personal information is compromised as a result of a
data breach. The law permits the person, business, or state
agency to use "substitute notice" if the number of persons
affected would make personal notice prohibitively expensive or
impractical, or if the affected person's contact information is
not available. However, beyond these provisions, existing law
does not create any requirements as to the form and content of
the required notices. This bill seeks to correct that
deficiency by requiring notices to contain specified information
that will be useful to the affected resident and ensure that
there is greater uniformity in the content of security breach
notices. In addition, this bill would require that notification
be sent to the state Attorney General's office for any breaches
that affect more than 500 California residents. This bill would
also provide that if "substitute notice" is used, as permitted
by existing law, then a copy of the notice should also be sent
to the appropriate state office. Finally, this bill would
specify that entities covered by the Health Insurance
Portability and Accountability Act (HIPAA) are deemed to have
met the notice requirements of this bill if they meet the
substantially similar federal notice requirements under HIPAA.
The last provision was added in response to concerns of the
California Hospital Association, which contended that slight,
non-substantial differences in the federal and state requirements
would require hospitals and other HIPAA-covered entities to
needlessly send two notices (one to meet the specific
requirements of federal law and another to meet the specific
requirements of state law), which could be a substantial expense
in breaches that affected a large number of persons.
Governor's Vetoes of Prior Legislation. This bill is nearly
identical to the enrolled version of last year's SB 1166, and
except for the exemption for HIPAA-covered entities, nearly
identical to SB 20 of 2009, both by the same author. When SB 20
was heard by this Committee in 2009, it was opposed by several
groups representing various businesses, including financial
institutions and the hi-tech electronics industry. In order to
address opposition concerns, the author took several amendments,
including amendments that eliminated the requirement that the
breach notice contain the number of persons affected (which
opponents claimed was always subject to change and could require
several notices). In addition, the author added qualifying
amendments to make it clear that information about the scope and
nature of the breach was required only to the extent that such
information was available at the time the notice was provided.
While these amendments apparently removed all of the registered
opposition to the bill by the time SB 20 was passed by the
Legislature, the bill was nevertheless vetoed by the former
Governor as "unnecessary." When SB 1166 was heard by the
Committee last year, the bill was only opposed by the California
Hospital Association, which argued that, for HIPAA-covered
entities, the requirements would be duplicative of notice
requirements under federal law and would potentially require
hospitals and other HIPAA-covered entities to send two notices,
one to meet the requirements of federal law and a second to meet
the requirements of state law. To address this concern, the
author took an amendment to last year's SB 1166 addressing this
issue so that all opposition had been removed by the time the
bill was enrolled. Nonetheless, the prior Governor vetoed the
prior version of this measure.
AUTHOR'S PROPOSED TECHNICAL AMENDMENT : The office of the State
Chief Information Officer was recently renamed the California
Technology Agency. Therefore, the author will take the
following technical amendment in this Committee:
- On page 5, lines 6-7, delete "State Chief Information
Officer" and insert:
California Technology Agency
ARGUMENTS IN SUPPORT : According to the author, California's
first-in-the-nation breach notification statute, which requires
data holders to notify individuals in the event of a breach of
their personal data, was based on the premise that individuals
have a right to know when a data breach has occurred and
affected them. If consumers are unaware of the fact that their
personal information has been compromised, they are unable to
take steps that might protect them from various kinds of fraud
or identity theft. However, according to the author, there
remains a troubling gap in our breach notification law: while
current law requires data holders to notify individuals when
there has been a data breach of personal information, it does
not specify what kinds of information the notice must contain.
This bill, the author contends, will establish "standard, core
content for security breach notifications in California." The
author believes that requiring a standard form will ensure that
all consumers affected by a data breach will have adequate
information describing the nature of the breach, the types of
data that have been compromised, and contact information that
will help the affected individual take necessary steps of
self-protection.
The American Civil Liberties Union (ACLU) believes that SB 24
will make security breach notices more "user-friendly" by
requiring that they be written in plain language and contain
specific information, including necessary contact information.
The Consumer Federation of California (CFC) supports this bill
for similar reasons, and also alleges that existing breach
notifications "often lack important information - such as the
time of the breach or type of information that was breached - or
are confusing to consumers." This confusion, CFC maintains,
leaves consumers uncertain as to how to go about protecting
themselves from identity theft. Finally, Privacy Rights
Clearinghouse (PRC) adds that, because California currently
"lacks any centralizing reporting process for security
breaches," it is "therefore difficult for state policy makers to
assess or improve upon our state security breach laws." PRC
believes that requiring that a copy of the notice be sent to the
Attorney General will help the state monitor the problem and
develop appropriate responses. The other organizations listed
below support this bill for substantially the same reasons as
those noted above.
REGISTERED SUPPORT / OPPOSITION :
Support
American Civil Liberties Union
Association of California Health Care Districts
California Association of Health Underwriters
California School Employees Association
California State Sheriffs' Association
CALPIRG
Consumer Federation of California
Privacy Activism
Privacy Rights Clearinghouse
Opposition
None on file
Analysis Prepared by : Thomas Clark / JUD. / (916) 319-2334