BILL ANALYSIS
SB 24
Page 1

SENATE THIRD READING
SB 24 (Simitian)
As Amended June 20, 2011
Majority vote

SENATE VOTE: 31-6

JUDICIARY 10-0
  Ayes: Feuer, Wagner, Atkins, Dickinson, Beth Gaines, Huber, Huffman, Jones, Monning, Wieckowski

APPROPRIATIONS 12-4
  Ayes: Fuentes, Blumenfield, Bradford, Charles Calderon, Campos, Gatto, Hall, Hill, Lara, Mitchell, Solorio, Wagner
  Nays: Harkey, Donnelly, Nielsen, Norby

SUMMARY: Requires that a notice required under California's data security breach law must contain specified information and that a copy of the notice be sent to appropriate state agencies, as specified. Specifically, this bill:

1) Provides that when an agency, person, or business is required to issue a data security breach notification pursuant to existing law, that notification must be written in plain language and shall include at a minimum the following information:

   a) The name and contact information of the reporting agency, person, or business;
   b) A list of the types of personal information that were or are reasonably believed to have been the subject of a breach;
   c) The date, estimated date, or date range within which the breach occurred, if that information is possible to determine at the time the notice is provided;
   d) Whether the notification was delayed as a result of a law enforcement investigation, if that information is possible to determine at the time the notice is provided;
   e) A general description of the breach incident, if that information is possible to determine at the time the notice is provided; and,
   f) The toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed a social security number or driver's license or state identification card number.

2) Provides that, at the discretion of the reporting agency, person, or business, the notification may include other information, including information about what the agency has done to protect the individuals affected by the breach and what steps those individuals may take to protect themselves.

3) Provides that an agency, person, or business that is required to issue a data security breach notification to more than 500 California residents must also submit a notification to the Attorney General, as specified.

4) Provides that if substitute notice is used, as permitted by existing law, then a reporting agency must notify major statewide media and the Office of Information Security within the California Technology Agency, and a reporting person or business must notify major statewide media and the Office of Privacy Protection within the State and Consumer Services Agency.

5) Specifies that entities covered by the Health Insurance Portability and Accountability Act (HIPAA) will be deemed to have complied with the notice provisions of this bill if they have complied with substantially similar notices that are already required under federal law.

EXISTING LAW:

1) Requires any state agency that owns or licenses computerized data that includes personal information to disclose any breach of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Requires any state agency that maintains, but does not own, personal information to notify the owner or licensor of the data of any breach. Provides further that disclosure shall be made in the most expedient time possible and without unreasonable delay.
2) Requires any person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, to disclose any breach of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Requires any person or business that maintains, but does not own, personal information to notify the owner or licensor of the data of any breach. Provides further that disclosure shall be made in the most expedient time possible and without unreasonable delay.

3) Provides that notice required under the above provisions may be made by written notice or electronic notice, if the latter is consistent with federal electronic signature standards. Provides, however, that substitute notice, as specified, may be used if the person, business, or agency determines that the cost of providing notice would exceed $250,000, that the affected class of subject persons exceeds 500,000, or that the person, business, or agency does not have sufficient contact information.

4) Provides that, notwithstanding the above notice requirements, a person, business, or agency that maintains its own notification procedures as part of an information security policy that is consistent with the requirements of the security breach law shall be deemed to be in compliance with the notification requirements of state law if the agency, person, or business notifies subject persons in accordance with its own policies.

5) Requires, under federal law, any entity covered by HIPAA to notify any person whose personal information is compromised by a data security breach, and specifies the required content of the notice.

FISCAL EFFECT: According to the Assembly Appropriations Committee, minor absorbable costs for state agencies to comply with the specified notification requirements.
COMMENTS: Under existing law, a person, business, or state agency that keeps, maintains, or leases computerized data that contains personal information must provide appropriate notices if that personal information is compromised as a result of a data breach. The law permits the person, business, or state agency to use "substitute notice" if the number of persons affected would make personal notice prohibitively expensive or impractical, or if the affected person's contact information is not available. However, beyond these provisions, existing law does not create any requirements as to the form and content of the required notices.

This bill seeks to correct that deficiency by requiring notices to contain specified information that will be useful to the affected resident and by ensuring greater uniformity in the content of security breach notices. In addition, this bill would require that notification be sent to the State Attorney General's office for any breach that affects more than 500 California residents. This bill would also provide that if "substitute notice" is used, as permitted by existing law, then a copy of the notice should also be sent to major statewide media and a designated state office. Finally, this bill would specify that entities covered by HIPAA are deemed to have met the notice requirements of this bill if they meet the substantially similar federal notice requirements under HIPAA.

According to the author, California's first-in-the-nation breach notification statute, which requires data holders to notify individuals in the event of a breach of their personal data, was based on the premise that individuals have a right to know when a data breach has occurred and affected them. If consumers are unaware that their personal information has been compromised, they are unable to take steps that might protect them from various kinds of fraud or identity theft.

However, according to the author, there remains a troubling gap in our breach notification law: while current law requires data holders to notify individuals when there has been a data breach of personal information, it does not specify what kinds of information the notice must contain. This bill, the author contends, will establish "standard, core content for security breach notifications in California." The author believes that requiring a standard form will ensure that all consumers affected by a data breach will have adequate information describing the nature of the breach, the types of data that have been compromised, and contact information that will help the affected individual take necessary steps of self-protection.

Analysis Prepared by: Thomas Clark / JUD. / (916) 319-2334

FN: 0001505