BILL ANALYSIS



                                                                      



           ------------------------------------------------------------ 
          |SENATE RULES COMMITTEE            |                    SB 24|
          |Office of Senate Floor Analyses   |                         |
          |1020 N Street, Suite 524          |                         |
          |(916) 445-6614         Fax: (916) |                         |
          |327-4478                          |                         |
           ------------------------------------------------------------ 
           
                                         
                              UNFINISHED BUSINESS


          Bill No:  SB 24
          Author:   Simitian (D), et al.
          Amended:  6/20/11
          Vote:     21

           
           SENATE JUDICIARY COMMITTEE  :  4-0, 3/22/11
          AYES:  Evans, Harman, Corbett, Leno
          NO VOTE RECORDED:  Blakeslee
           
          SENATE APPROPRIATIONS COMMITTEE  :  Senate Rule 28.8
           
          SENATE FLOOR  :  31-6, 4/14/11
          AYES:  Alquist, Anderson, Blakeslee, Calderon, Cannella, 
            Corbett, 
          De León, DeSaulnier, Emmerson, Evans, Fuller, Hancock, 
            Harman, Hernandez, Kehoe, Leno, Lieu, Liu, Lowenthal, 
            Negrete McLeod, Padilla, Pavley, Price, Rubio, Simitian, 
            Steinberg, Strickland, Vargas, Wright, Wyland, Yee
          NOES:  Berryhill, Dutton, Huff, La Malfa, Runner, Walters
          NO VOTE RECORDED:  Correa, Gaines, Wolk

           ASSEMBLY FLOOR :  60-16, 8/15/11 - See last page for vote


           SUBJECT  :    Privacy:  security breach notifications

           SOURCE  :     Author


           DIGEST  :    This bill amends California's security breach 
          notification law to provide that any agency, person, or 
          business required to issue a notification under existing 

          law must meet additional requirements regarding that 
          notification.  This bill requires that security breach 
          notifications be written in plain language and contain 
          certain specified information, including, among other 
          things, contact information regarding the breach, the types 
          of information breached, and, if possible to determine, the 
          date, estimated date, or date range of the breach.  This 
          bill provides that a security breach notification may also 
          include other specified information, at the discretion of 
          the entity issuing the notification.  This bill requires 
          any agency, person, or business that must provide a 
          security breach notification under existing law to more 
          than 500 California residents as a result of a single 
          breach to submit the notification electronically to the 
          Attorney General.  

           Assembly Amendments  (1) add co-author, and (2) provide that 
          notification of a breach of security be sent to the 
          California Technology Agency rather than the State Chief 
          Information Officer.

           ANALYSIS  :      Existing law requires any agency, person, or 
          business that owns or licenses computerized data that 
          includes personal information to disclose a breach of the 
          security of the system to any California resident whose 
          unencrypted personal information was, or is reasonably 
          believed to have been, acquired by an unauthorized person.  
          The disclosure must be made in the most expedient time 
          possible and without unreasonable delay, consistent with 
          the legitimate needs of law enforcement, as specified.  
          (Civil Code [CIV] Sections 1798.29(a) and (c) and 
          1798.82(a) and (c))

          Existing law requires any agency, person, or business that 
          maintains computerized data that includes personal 
          information that the agency, person, or business does not 
          own to notify the owner or licensee of the information of 
          any security breach immediately following discovery if the 
          personal information was, or is reasonably believed to have 
          been, acquired by an unauthorized person.  (CIV Sections 
          1798.29(b) and 1798.82(b))

          Existing law defines "personal information," for purposes 
          of the breach notification statute, to include the 

          individual's first name or first initial and last name in 
          combination with any one or more of the following data 
          elements, when either the name or the data elements are not 
          encrypted: social security number; driver's license number 
          or California Identification Card number; account number, 
          credit or debit card number, in combination with any 
          required security code, access code, or password that would 
          permit access to an individual's financial account; medical 
          information; or health insurance information.  "Personal 
          information" does not include publicly available 
          information that is lawfully made available to the general 
          public from federal, state, or local government records.  
          (CIV Sections 1798.29(e) and (f) and 1798.82(e) and (f))

          Existing law requires health care facilities to notify a 
          patient if his or her medical information is accessed, 
          used, or disclosed unlawfully or without authorization.  
          Existing law, which requires the notification to be 
          provided to the patient within five business days after the 
          breach is detected unless notification would impede law 
          enforcement's investigation of the incident, does not 
          specify the information that must be contained in the 
          notification.   (Health and Safety Code Section 1280.15)

          Existing federal law, the Health Information Technology for 
          Economic and Clinical Health Act (HITECH Act), requires 
          covered entities such as health care providers to notify a 
          patient whose "unsecured protected health information" has 
          been, or is reasonably believed to have been, accessed, 
          acquired, or disclosed as a result of the breach.  The 
          HITECH Act requires that notice of the breach include, to 
          the extent possible, certain items of information, 
          including the type of unsecured protected health 
          information breached and the date of the breach.  (42 
          United States Code 17932(f))

          This bill provides that any agency, person, or business 
          required to issue a security breach notification under 
          existing law must also meet certain requirements regarding 
          the notification including that it be written in plain 
          language.  

          This bill also requires that the notification include, at a 
          minimum, the following information: 

          1. The name and contact information of the reporting 
             agency, person, or business; 

          2. A list of the types of personal information that were or 
             are reasonably believed to have been the subject of the 
             breach;

          3. Any of the following, if the information is possible to 
             determine at the time the notice is provided:  the date 
             or estimated date of the breach, or date range within 
             which the breach occurred; 

          4. The date of the notice; 

          5. Whether the notification was delayed because of an 
             investigation by law enforcement, if the information is 
             possible to determine at the time the notice is 
             provided;

          6. A general description of the breach incident, if the 
             information is possible to determine at the time the 
             notice is provided; and 

          7. The toll-free telephone numbers and addresses of the 
             major credit reporting agencies if the breach exposed a 
             social security number, or a driver's license or 
             California Identification Card number. 

          This bill provides that an agency, person, or business may 
          also include the following information in a security breach 
          notification, at its discretion: 

          1. Information regarding what the entity has done to 
             protect individuals whose information has been breached; 
             and 

          2. Advice on steps that the individual may take to protect 
             himself or herself. 

          This bill requires any agency, person, or business that 
          must provide a security breach notification pursuant to 
          existing law to more than 500 California residents as a 
          result of a single breach of the security system to submit 
          a single sample copy of the notification electronically to 

          the Attorney General.  That copy shall not be considered to 
          be a record of complaint or investigation under the 
          California Public Records Act. 

          This bill provides that a "covered entity" under the 
          federal Health Insurance Portability and Accountability Act 
          is deemed to have complied with the bill's notification 
          requirements regarding standardized content if the entity 
          has complied completely with the notification requirements 
          contained in the federal HITECH Act.  

          Existing law requires an agency, person, or business to 
          provide breach notification using either written notice, 
          electronic notice, or substitute notice.  An entity may use 
          substitute notice when it demonstrates that the cost of 
          providing notice would exceed $250,000, or that the 
          affected class of persons to be notified exceeds 500,000, 
          or if the entity does not have sufficient contact 
          information.  Substitute notice must consist of:  (a) 
          e-mail notice when the entity has an e-mail address for the 
          affected individuals; (b) conspicuous posting of the notice 
          on the entity's Web site; and (c) notification to major 
          statewide media.  (CIV Sections 1798.29(g) and 1798.82(g))

          This bill requires notification to the Office of 
          Information Security within the California Technology 
          Agency when an agency uses substitute notice and 
          notification to the Office of Privacy Protection within the 
          State and Consumer Services Agency when a person or 
          business uses substitute notice.

           Prior Legislation
           
          SB 1166 (Simitian, 2010), which was vetoed, would have 
          required that breach notifications be written in plain 
          language and contain specified information.  (See veto 
          message below)

          SB 20 (Simitian, 2009), which was vetoed, was identical to 
          SB 1166.  (See veto message below)

          SB 364 (Simitian, 2008), which was vetoed, also would have 
          required that breach notifications be written in plain 
          language and contain specified information.  



          AB 1656 (Jones, 2008), which was vetoed, would have, among 
          other things, required a person, business, or agency that 
          maintains personal information to include specified items 
          in a breach notification to the owner or licensee of the 
          information.  
                                                                      
                 
          AB 779 (Jones, 2007), which was vetoed, among other things, 
          would have provided that the Office of Privacy Protection 
          be notified if substitute notice was used and would have 
          required an agency, person, or business that owns, 
          licenses, or maintains personal information related to 
          various payment devices to notify the owner, licensee, or 
          California resident of a security data breach.  The bill 
          would also have required that the notification contain 
          certain items of information, including, among other 
          things, when the breach occurred and the categories of 
          personal information breached.  

          AB 2505 (Nunez, 2006), which died on the Senate Floor, 
          would have provided that the Office of Privacy Protection 
          be notified if substitute notice was used.  

          SB 852 (Bowen, 2006), which died in the Assembly Business 
          and Professions Committee, would have required that a 
          security breach notification be issued regardless of 
          whether or not the data breached was computerized.  The 
          bill would also have required notice to the Office of 
          Privacy Protection.  

          Governor Schwarzenegger stated the following in vetoing 
          both SB 1166 and SB 20:

            "California's landmark law on data breach notification 
            has had many beneficial results.  Informing individuals 
            whose personal information was compromised in a breach of 
            what their risks are and what they can do to protect 
            themselves is an important consumer protection benefit.  
            This bill is unnecessary, however, because there is no 
            evidence that there is a problem with the information 
            provided to consumers.  Moreover, there is no additional 
            consumer benefit gained by requiring the Attorney General 
            to become a repository of breach notices when this 

            measure does not require the Attorney General to do 
            anything with the notices.  Since this measure would 
            place additional unnecessary mandates on businesses 
            without a corresponding consumer benefit, I am unable to 
            sign this bill."

           FISCAL EFFECT :    Appropriation:  No   Fiscal Com.:  Yes   
          Local:  No

           SUPPORT  :   (Verified  8/16/11)

          American Civil Liberties Union
          Association of California Healthcare Districts
          California Association of Health Underwriters
          California Attorney General
          California School Employees Association
          California State Sheriffs' Association
          Consumer Action
          Consumer Federation of California
          Privacy Activism
          Privacy Rights Clearinghouse

           ARGUMENTS IN SUPPORT  :    According to the author: 

            "In 2002, California adopted a first-in-the-nation 
            security breach notification statute (AB 700, Simitian, 
            Chapter 1054, Statutes of 2002), that requires data 
            holders to notify individuals when there has been a data 
            breach of personal information.  Since that time, 45 
            other states, as well as the District of Columbia, Puerto 
            Rico, and the U.S. Virgin Islands, have also enacted 
            security breach notification laws that are modeled upon 
            the California statute.  This leaves Alabama, Kentucky, 
            New Mexico and South Dakota as the only remaining states 
            without a legal requirement to notify affected 
            individuals in the event of a breach.

            "In addition, at least fourteen states [Hawaii, Iowa, 
            Maryland, Massachusetts, Minnesota, New Hampshire, New 
            York, North Carolina, Oregon, Vermont, Virginia, West 
            Virginia, Wisconsin, and Wyoming] and Puerto Rico have 
            built upon California's model and added more detailed 
            requirements for SBNs [security breach notifications] to 
            include certain types of information. 

            "And most of these states [Alaska, Hawaii, Louisiana, 
            Maine, Maryland, Massachusetts, New Hampshire, New 
            Jersey, New York, North Carolina, South Carolina, 
            Vermont, and Virginia] require an entity that suffers a 
            security breach to notify a state regulator, such as the 
            Attorney General, as well as the affected individuals.

            "Even the federal government has weighed in; as of 
            February 19, 2009, for breaches of personal medical 
            information, individuals have to be notified and those 
            notifications must contain certain specified content.

            "California's law is built on the premise that 
            individuals have a right to know when a data breach has 
            affected them.  Quite simply, in order for consumers to 
            protect themselves from the unauthorized acquisition and 
            use of confidential information, the consumer has to know 
            that an unauthorized acquisition has occurred.  Without 
            that knowledge, consumers aren't even aware of the need 
            to protect themselves.

            "In the ensuing years, however, a gap has been identified 
            in our state statute.  While current law requires data 
            holders to notify individuals when there has been a data 
            breach of personal information, that same law is silent 
            on what information should be contained in the 
            notification.  As a result, Ŭsecurity breach 
            notification] letters vary greatly in the information 
            provided, leaving consumers confused and businesses 
            exposed. 

            "Individuals are left to question what information was 
            breached, when did the breach occur, and what should they 
            do to protect themselves.  Moreover data holders are left 
            exposed and uncertain of what is expected of them in the 
            event of a breach.  SB 24 fills in this gap by 
            establishing standard, core content for the notification 
            letters, thereby ensuring the notifications actually 
            work.

            "These relatively modest but helpful changes will enhance 
            consumer knowledge about, and understanding of, security 
            breaches and the steps they can take to protect 

            themselves."

          Privacy Rights Clearinghouse echoes the author, writing 
          that when breach notifications lack critical information 
          such as the type of personal information breached and the 
          date of the breach, consumers are left "uncertain about how 
          to respond to the breach, or confused about how to protect 
          themselves from identity theft.  SB 24 addresses this 
          confusion by standardizing the core content contained in 
          security breach notices."

          In addition, there appears to be evidence that the 
          information provided to consumers in breach notification 
          letters is insufficient.  A 2007 study entitled "Security 
          Breach Notification Laws: Views from Chief Security 
          Officers" by the Samuelson Law, Technology, and Public 
          Policy Clinic, at UC Berkeley School of Law found that 28 
          percent of consumers who received a breach notification 
          letter did not "understand the data involved or the 
          potential consequences of the breach after reading the 
          letter."


           ASSEMBLY FLOOR  :  60-16, 8/15/11
          AYES:  Achadjian, Alejo, Allen, Ammiano, Atkins, Beall, 
            Block, Bradford, Brownley, Buchanan, Butler, Charles 
            Calderon, Campos, Carter, Cedillo, Chesbro, Davis, 
            Dickinson, Eng, Feuer, Fletcher, Fong, Fuentes, Furutani, 
            Beth Gaines, Galgiani, Gatto, Gordon, Hagman, Hall, 
            Hayashi, Roger Hernández, Hill, Huber, Hueso, Huffman, 
            Jeffries, Jones, Lara, Bonnie Lowenthal, Ma, Mendoza, 
            Miller, Mitchell, Monning, Nestande, Olsen, Pan, Perea, 
            V. Manuel Pérez, Portantino, Skinner, Solorio, Swanson, 
            Torres, Wagner, Wieckowski, Williams, Yamada, John A. 
            Pérez
          NOES:  Bill Berryhill, Conway, Donnelly, Garrick, Grove, 
            Halderman, Harkey, Knight, Logue, Mansoor, Morrell, 
            Nielsen, Norby, Silva, Smyth, Valadao
          NO VOTE RECORDED:  Blumenfield, Bonilla, Cook, Gorell

          RJG:kc  8/16/11   Senate Floor Analyses 

                         SUPPORT/OPPOSITION:  SEE ABOVE

                                ****  END  ****