BILL ANALYSIS



                                                                  SB 24
                                                                  Page  1

          Date of Hearing:  July 6, 2011

                        ASSEMBLY COMMITTEE ON APPROPRIATIONS
                                Felipe Fuentes, Chair

                    SB 24 (Simitian) - As Amended:  June 20, 2011 

          Policy Committee:   Judiciary                  Vote:  10-0

          Urgency:     No                   State Mandated Local Program:  No
          Reimbursable:

           SUMMARY  

          This bill establishes additional notification requirements 
          following a security breach of a computerized data system. 
          Specifically, this bill:

          1)Requires the notification required by state agencies and 
            private entities following a security breach to contain 
            specified information, including the types of personal 
            information believed to have been breached, a general 
            description of the breach, whether notification was delayed 
            due to a law enforcement investigation, and toll-free phone 
            numbers and addresses of major credit reporting agencies if 
            the breach exposed a social security number or a driver's 
            license or California identification card number.

          2)Requires the notification to also include, if possible to 
            determine at the time the notice is provided, any of the 
            following:  (a) the date of the breach; (b) the estimated date 
            of the breach; or (c) the date range within which the breach 
            occurred.

          3)Provides state agencies and private entities discretion to 
            include in the breach notification:

             a)   Information on steps taken to protect individuals whose 
               personal information has been breached.

             b)   Advice on what such individuals can do to protect 
               themselves.

          4)Exempts a private entity from the above notification 
            requirements if the entity complies with data breach 
            notification requirements in the federal Health Information 
            Technology for Economic and Clinical Health Act.

          5)Requires a state agency or private entity that is required to 
            notify more than 500 California residents of a breach to 
            electronically submit a copy of the notification, excluding 
            any personally identifiable information, to the Attorney 
            General.

          6)Requires the breach notification to be submitted, in the case 
            of a state agency, to the Office of Information Security 
            within the California Technology Agency, and in the case of a 
            private entity, to the Office of Privacy Protection within the 
            State and Consumer Services Agency.

           

          FISCAL EFFECT  

          Minor absorbable costs for state agencies to comply with the 
          specified notification requirements.

           COMMENTS  

          1)Purpose.  Under existing law, a person, business, or state 
            agency that keeps, maintains, or leases computerized data that 
            contains personal information must notify anyone whose 
            personal information is compromised as a result of a data 
            breach.  The law permits the person, business, or state agency 
            to use "substitute notice" if the number of persons affected 
            would make personal notice prohibitively expensive or 
            impractical, or if the affected person's contact information 
            is not available. Beyond these provisions, existing law does 
            not create any requirements as to the form and content of the 
            required notices. This bill seeks to correct that deficiency.

          2)Prior Legislation.  Both SB 1166 (Simitian) of 2010 and SB 20 
            (Simitian) of 2009, almost identical bills with no registered 
            opposition, were vetoed by Governor Schwarzenegger, who 
            argued, in part, that "there is no evidence that there is a 
            problem with the information provided to consumers" in the 
            event of a data breach. 

            Three other similar, but more expansive bills - SB 364 
            (Simitian) of 2008, AB 1656 (Jones) of 2008, and AB 779 
            (Jones) of 2007 - were also vetoed.

          Analysis Prepared by:  Chuck Nicol / APPR. / (916) 319-2081