BILL ANALYSIS

SENATE RULES COMMITTEE
Office of Senate Floor Analyses
1020 N Street, Suite 524
(916) 445-6614 Fax: (916) 327-4478

UNFINISHED BUSINESS

Bill No: SB 24
Author: Simitian (D), et al.
Amended: 6/20/11
Vote: 21

SENATE JUDICIARY COMMITTEE: 4-0, 3/22/11
AYES: Evans, Harman, Corbett, Leno
NO VOTE RECORDED: Blakeslee

SENATE APPROPRIATIONS COMMITTEE: Senate Rule 28.8

SENATE FLOOR: 31-6, 4/14/11
AYES: Alquist, Anderson, Blakeslee, Calderon, Cannella, Corbett, De León, DeSaulnier, Emmerson, Evans, Fuller, Hancock, Harman, Hernandez, Kehoe, Leno, Lieu, Liu, Lowenthal, Negrete McLeod, Padilla, Pavley, Price, Rubio, Simitian, Steinberg, Strickland, Vargas, Wright, Wyland, Yee
NOES: Berryhill, Dutton, Huff, La Malfa, Runner, Walters
NO VOTE RECORDED: Correa, Gaines, Wolk

ASSEMBLY FLOOR: 60-16, 8/15/11 - See last page for vote

SUBJECT: Privacy: security breach notifications

SOURCE: Author

DIGEST: This bill amends California's security breach notification law to provide that any agency, person, or business required to issue a notification under existing law must meet additional requirements regarding that notification. This bill requires that security breach notifications be written in plain language and contain certain specified information, including, among other things, contact information regarding the breach, the types of information breached, and, if possible to determine, the date, estimated date, or date range of the breach. This bill provides that a security breach notification may also include other specified information, at the discretion of the entity issuing the notification.
This bill requires any agency, person, or business that must provide a security breach notification under existing law to more than 500 California residents as a result of a single breach to submit the notification electronically to the Attorney General.

Assembly Amendments (1) add a co-author, and (2) provide that notification of a breach of security be sent to the California Technology Agency rather than the State Chief Information Officer.

ANALYSIS: Existing law requires any agency, person, or business that owns or licenses computerized data that includes personal information to disclose a breach of the security of the system to any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as specified. (Civil Code [CIV] Sections 1798.29(a) and (c) and 1798.82(a) and (c))

Existing law requires any agency, person, or business that maintains computerized data that includes personal information that the agency, person, or business does not own to notify the owner or licensee of the information of any security breach immediately following discovery if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
(CIV Sections 1798.29(b) and 1798.82(b))

Existing law defines "personal information," for purposes of the breach notification statute, to include the individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: social security number; driver's license number or California Identification Card number; account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account; medical information; or health insurance information. "Personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records. (CIV Sections 1798.29(e) and (f) and 1798.82(e) and (f))

Existing law requires health care facilities to notify a patient if his or her medical information is accessed, used, or disclosed unlawfully or without authorization. Existing law, which requires the notification to be provided to the patient within five business days after the breach is detected unless notification would impede law enforcement's investigation of the incident, does not specify the information that must be contained in the notification. (Health and Safety Code Section 1280.15)

Existing federal law, the Health Information Technology for Economic and Clinical Health Act (HITECH Act), requires covered entities such as health care providers to notify a patient whose "unsecured protected health information" has been, or is reasonably believed to have been, accessed, acquired, or disclosed as a result of the breach. The HITECH Act requires that notice of the breach include, to the extent possible, certain items of information, including the type of unsecured protected health information breached and the date of the breach.
(42 United States Code 17932(f))

This bill provides that any agency, person, or business required to issue a security breach notification under existing law must also meet certain requirements regarding the notification, including that it be written in plain language. This bill also requires that the notification include, at a minimum, the following information:

1. The name and contact information of the reporting agency, person, or business;
2. A list of the types of personal information that were, or are reasonably believed to have been, breached;
3. Any of the following, if the information is possible to determine at the time the notice is provided: the date or estimated date of the breach, or the date range within which the breach occurred;
4. The date of the notice;
5. Whether the notification was delayed because of an investigation by law enforcement, if the information is possible to determine at the time the notice is provided;
6. A general description of the breach incident, if the information is possible to determine at the time the notice is provided; and
7. The toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed a social security number, or a driver's license or California Identification Card number.

This bill provides that an agency, person, or business may also include the following information in a security breach notification, at its discretion:

1. Information regarding what the entity has done to protect individuals whose information has been breached; and
2. Advice on steps that the individual may take to protect himself or herself.

This bill requires any agency, person, or business that must provide a security breach notification pursuant to existing law to more than 500 California residents as a result of a single breach of the security system to submit a single sample copy of the notification electronically to the Attorney General.
That copy shall not be considered to be a record of complaint or investigation under the California Public Records Act.

This bill provides that a "covered entity" under the federal Health Insurance Portability and Accountability Act is deemed to have complied with the bill's notification requirements regarding standardized content if the entity has complied completely with the notification requirements contained in the federal HITECH Act.

Existing law requires an agency, person, or business to provide breach notification using either written notice, electronic notice, or substitute notice. An entity may use substitute notice when it demonstrates that the cost of providing notice would exceed $250,000, or that the affected class of persons to be notified exceeds 500,000, or if the entity does not have sufficient contact information. Substitute notice must consist of: (a) e-mail notice when the entity has an e-mail address for the affected individuals; (b) conspicuous posting of the notice on the entity's Web site; and (c) notification to major statewide media. (CIV Sections 1798.29(g) and 1798.82(g))

This bill requires notification to the Office of Information Security within the California Technology Agency when an agency uses substitute notice, and notification to the Office of Privacy Protection within the State and Consumer Services Agency when a person or business uses substitute notice.

Prior Legislation

SB 1166 (Simitian, 2010), which was vetoed, would have required that breach notifications be written in plain language and contain specified information. (See veto message below)

SB 20 (Simitian, 2009), which was vetoed, was identical to SB 1166. (See veto message below)

SB 364 (Simitian, 2008), which was vetoed, also would have required that breach notifications be written in plain language and contain specified information.
AB 1656 (Jones, 2008), which was vetoed, would have, among other things, required a person, business, or agency that maintains personal information to include specified items in a breach notification to the owner or licensee of the information.

AB 779 (Jones, 2007), which was vetoed, among other things, would have provided that the Office of Privacy Protection be notified if substitute notice was used and would have required an agency, person, or business that owns, licenses, or maintains personal information related to various payment devices to notify the owner, licensee, or California resident of a security data breach. The bill would also have required that the notification contain certain items of information, including, among other things, when the breach occurred and the categories of personal information breached.

AB 2505 (Nunez, 2006), which died on the Senate Floor, would have provided that the Office of Privacy Protection be notified if substitute notice was used.

SB 852 (Bowen, 2006), which died in the Assembly Business and Professions Committee, would have required that a security breach notification be issued regardless of whether or not the data breached was computerized. The bill would also have required notice to the Office of Privacy Protection.

Governor Schwarzenegger stated the following in vetoing both SB 1166 and SB 20: "California's landmark law on data breach notification has had many beneficial results. Informing individuals whose personal information was compromised in a breach of what their risks are and what they can do to protect themselves is an important consumer protection benefit. This bill is unnecessary, however, because there is no evidence that there is a problem with the information provided to consumers.
Moreover, there is no additional consumer benefit gained by requiring the Attorney General to become a repository of breach notices when this measure does not require the Attorney General to do anything with the notices. Since this measure would place additional unnecessary mandates on businesses without a corresponding consumer benefit, I am unable to sign this bill."

FISCAL EFFECT: Appropriation: No    Fiscal Com.: Yes    Local: No

SUPPORT: (Verified 8/16/11)
American Civil Liberties Union
Association of California Healthcare Districts
California Association of Health Underwriters
California Attorney General
California School Employees Association
California State Sheriffs' Association
Consumer Action
Consumer Federation of California
Privacy Activism
Privacy Rights Clearinghouse

ARGUMENTS IN SUPPORT: According to the author: "In 2002, California adopted a first-in-the-nation security breach notification statute (AB 700, Simitian, Chapter 1054, Statutes of 2002), that requires data holders to notify individuals when there has been a data breach of personal information. Since that time, 45 other states, as well as the District of Columbia, Puerto Rico, and the U.S. Virgin Islands, have also enacted security breach notification laws that are modeled upon the California statute. This leaves Alabama, Kentucky, New Mexico and South Dakota as the only remaining states without a legal requirement to notify affected individuals in the event of a breach.

"In addition, at least fourteen states [Hawaii, Iowa, Maryland, Massachusetts, Minnesota, New Hampshire, New York, North Carolina, Oregon, Vermont, Virginia, West Virginia, Wisconsin, and Wyoming] and Puerto Rico have built upon California's model and added more detailed requirements for SBNs [security breach notifications] to include certain types of information.
"And most of these states [Alaska, Hawaii, Louisiana, Maine, Maryland, Massachusetts, New Hampshire, New Jersey, New York, North Carolina, South Carolina, Vermont, and Virginia] require an entity that suffers a security breach to notify a state regulator, such as the Attorney General, as well as the affected individuals.

"Even the federal government has weighed in; as of February 19, 2009, for breaches of personal medical information, individuals have to be notified and those notifications must contain certain specified content.

"California's law is built on the premise that individuals have a right to know when a data breach has affected them. Quite simply, in order for consumers to protect themselves from the unauthorized acquisition and use of confidential information, the consumer has to know that an unauthorized acquisition has occurred. Without that knowledge, consumers aren't even aware of the need to protect themselves.

"In the ensuing years, however, a gap has been identified in our state statute. While current law requires data holders to notify individuals when there has been a data breach of personal information, that same law is silent on what information should be contained in the notification. As a result, [security breach notification] letters vary greatly in the information provided, leaving consumers confused and businesses exposed.

"Individuals are left to question what information was breached, when did the breach occur, and what should they do to protect themselves. Moreover data holders are left exposed and uncertain of what is expected of them in the event of a breach. SB 24 fills in this gap by establishing standard, core content for the notification letters, thereby ensuring the notifications actually work.

"These relatively modest but helpful changes will enhance consumer knowledge about, and understanding of, security breaches and the steps they can take to protect themselves."
Privacy Rights Clearinghouse echoes the author, writing that when breach notifications lack critical information such as the type of personal information breached and the date of the breach, consumers are left "uncertain about how to respond to the breach, or confused about how to protect themselves from identity theft. SB 24 addresses this confusion by standardizing the core content contained in security breach notices."

In addition, there also appears to be evidence that the information provided to consumers in breach notification letters is insufficient. A 2007 study entitled "Security Breach Notification Laws: Views from Chief Security Officers" by the Samuelson Law, Technology, and Public Policy Clinic at UC Berkeley School of Law found that 28 percent of consumers who received a breach notification letter did not "understand the data involved or the potential consequences of the breach after reading the letter."

ASSEMBLY FLOOR: 60-16, 8/15/11
AYES: Achadjian, Alejo, Allen, Ammiano, Atkins, Beall, Block, Bradford, Brownley, Buchanan, Butler, Charles Calderon, Campos, Carter, Cedillo, Chesbro, Davis, Dickinson, Eng, Feuer, Fletcher, Fong, Fuentes, Furutani, Beth Gaines, Galgiani, Gatto, Gordon, Hagman, Hall, Hayashi, Roger Hernández, Hill, Huber, Hueso, Huffman, Jeffries, Jones, Lara, Bonnie Lowenthal, Ma, Mendoza, Miller, Mitchell, Monning, Nestande, Olsen, Pan, Perea, V. Manuel Pérez, Portantino, Skinner, Solorio, Swanson, Torres, Wagner, Wieckowski, Williams, Yamada, John A. Pérez
NOES: Bill Berryhill, Conway, Donnelly, Garrick, Grove, Halderman, Harkey, Knight, Logue, Mansoor, Morrell, Nielsen, Norby, Silva, Smyth, Valadao
NO VOTE RECORDED: Blumenfield, Bonilla, Cook, Gorell

RJG:kc 8/16/11 Senate Floor Analyses

SUPPORT/OPPOSITION: SEE ABOVE