BILL ANALYSIS



                                                                       SB 
                                                                 24
                                                                       Page 
                                                                  1


          SENATE THIRD READING
          SB 24 (Simitian)
          As Amended June 20, 2011
          Majority vote 

           SENATE VOTE  :31-6  
           
           JUDICIARY           10-0        APPROPRIATIONS      12-4        
           
           ----------------------------------------------------------------- 
          |Ayes:|Feuer, Wagner, Atkins,    |Ayes:|Fuentes, Blumenfield,     |
          |     |Dickinson, Beth Gaines,   |     |Bradford, Charles         |
          |     |Huber, Huffman, Jones,    |     |Calderon, Campos, Gatto,  |
          |     |Monning, Wieckowski       |     |Hall, Hill, Lara,         |
          |     |                          |     |Mitchell, Solorio, Wagner |
          |     |                          |     |                          |
          |-----+--------------------------+-----+--------------------------|
          |     |                          |Nays:|Harkey, Donnelly,         |
          |     |                          |     |Nielsen, Norby            |
           ----------------------------------------------------------------- 

           SUMMARY  :  Requires that a notice issued under California's 
          data security breach law contain specified information, and that 
          a copy of the notice be sent to appropriate state agencies, as 
          specified.  Specifically,  this bill  :   

          1)Provides that when an agency, person, or business is required 
            to issue a data security breach notification pursuant to 
            existing law, that notification must be written in plain 
            language and shall include at a minimum the following 
            information:

             a)   The name and contact information of the reporting 
               agency, person, or business;

             b)   A list of the types of personal information that were or 
               are reasonably believed to have been the subject of a 
               breach; 

             c)   The date, estimated date, or date range within which the 
               breach occurred, if that information is possible to 
               determine at the time the notice is provided;


             d)   Whether the notification was delayed as a result of a 
               law enforcement investigation, if that information is 
               possible to determine at the time the notice is provided;

             e)   A general description of the breach incident, if that 
               information is possible to determine at the time the notice 
               is provided; and, 

             f)   The toll-free telephone numbers and addresses of the 
               major credit reporting agencies if the breach exposed a 
               social security number or driver's license or state 
               identification card number. 

          2)Provides that, at the discretion of the reporting agency, 
            person, or business, the notification may include other 
            information, including information about what the agency has 
            done to protect the individuals affected by the breach and 
            what steps those individuals may take to protect themselves. 

          3)Provides that an agency, person, or business that is required 
            to issue a data security breach notification to more than 500 
            California residents must also submit a notification to the 
            Attorney General, as specified. 

          4)Provides that if substitute notice is used, as permitted by 
            existing law, then a reporting agency must notify major 
            statewide media and the Office of Information Security within 
            the California Technology Agency, and a reporting person or 
            business must notify major statewide media and the Office of 
            Privacy Protection within the State and Consumer Services 
            Agency. 

          5)Specifies that entities covered by the Health Insurance 
            Portability and Accountability Act (HIPAA) will be deemed to 
            have complied with the notice provisions of this bill if they 
            have complied with the substantially similar notice 
            requirements already imposed under federal law. 

           EXISTING LAW  : 

          1)Requires any state agency that owns or licenses computerized 
            data that includes personal information to disclose any breach 
            of the data to any resident of California whose unencrypted 
            personal information was, or is reasonably believed to have 
            been, acquired by an unauthorized person.  Requires any state 
            agency that maintains, but does not own, personal information 
            to notify the owner or licensor of the data of any breach.  
            Provides further that disclosure shall be made in the most 
            expedient time possible and without unreasonable delay.  

          2)Requires any person or business that conducts business in 
            California, and that owns or licenses computerized data that 
            includes personal information to disclose any breach of the 
            data to any resident of California whose unencrypted personal 
            information was, or is reasonably believed to have been, 
            acquired by an unauthorized person.  Requires any person or 
            business that maintains, but does not own, personal 
            information to notify the owner or licensor of the data of any 
            breach.  Provides further that disclosure shall be made in the 
            most expedient time possible and without unreasonable delay.  

          3)Provides that notice required under the above provisions may 
            be made by written notice or electronic notice, if the latter 
            is consistent with federal electronic signature standards. 
            Provides, however, that substitute notice, as specified, may 
            be used if the person, business, or agency determines that the 
            cost of providing notice would exceed $250,000 or that the 
            affected class of subject persons exceeds 500,000, or the 
            person, business, or agency does not have sufficient contact 
            information.  

          4)Provides that, notwithstanding the above notice requirements, 
            a person, business, or agency that maintains its own 
            notification procedures as part of an information security 
            policy that is consistent with the requirements of the 
            security breach law, shall be deemed to be in compliance with 
            the notification of state law if the agency, person, or 
            business notifies subject persons in accordance with its own 
            policies.  

          5)Requires, under federal law, any entity covered by HIPAA to 
            notify any person whose personal information is compromised 
            by a data security breach, and specifies the required content 
            of the notice.  

           FISCAL EFFECT  :  According to the Assembly Appropriations 
          Committee, minor absorbable costs for state agencies to comply 
          with the specified notification requirements.
           
          COMMENTS  :  Under existing law, a person, business, or state 
          agency that owns, licenses, or maintains computerized data that 
          contains personal information must provide appropriate notices 
          if that personal information is compromised as a result of a 
          data breach.  The law permits the person, business, or state 
          agency to use "substitute notice" if the number of persons 
          affected would make personal notice prohibitively expensive or 
          impractical, or if the affected person's contact information is 
          not available.  However, beyond these provisions, existing law 
          does not create any requirements as to the form and content of 
          the required notices.  This bill seeks to correct that 
          deficiency by requiring notices to contain specified information 
          that will be useful to the affected resident and ensure that 
          there is greater uniformity in the content of security breach 
          notices.  In addition, this bill would require that notification 
          be sent to the State Attorney General's office for any breaches 
          that affect more than 500 California residents.  This bill would 
          also provide that if "substitute notice" is used, as permitted 
          by existing law, then a copy of the notice should also be sent 
          to major statewide media and a designated state office.  
          Finally, this bill would specify that entities covered by HIPAA 
          are deemed to have met the notice requirements of this bill if 
          they meet the substantially similar federal notice requirements 
          under HIPAA.  

          According to the author, California's first-in-the-nation breach 
          notification statute, which requires data holders to notify 
          individuals in the event of a breach of their personal data, was 
          based on the premise that individuals have a right to know when 
          a data breach has occurred and affected them.  If consumers are 
          unaware of the fact that their personal information has been 
          compromised, they are unable to take steps that might protect 
          them from various kinds of fraud or identity theft.  However, 
          according to the author, there remains a troubling gap in our 
          breach notification law:  while current law requires data 
          holders to notify individuals when there has been a data breach 
          of personal information, it does not specify what kinds of 
          information the notice must contain.  This bill, the author 
          contends, will establish "standard, core content for security 
          breach notifications in California."  The author believes that 
          requiring a standard form will ensure that all consumers 
          affected by a data breach will have adequate information 
          describing the nature of the breach, the types of data that have 
          been compromised, and contact information that will help the 
          affected individual take necessary steps of self-protection. 


           Analysis Prepared by  :    Thomas Clark / JUD. / (916) 319-2334 


                                                                FN: 0001505