BILL ANALYSIS



                                                                AB 1710
                                                                Page  1


        ASSEMBLY THIRD READING
        AB 1710 (Dickinson and Wieckowski)
        As Amended May 8, 2014
        Majority vote 

         JUDICIARY           6-3         BANKING & FINANCE   8-3         
         
         ----------------------------------------------------------------- 
        |Ayes:|Wieckowski, Alejo, Chau,  |Ayes:|Dickinson, Bonta, Chau,   |
        |     |Dickinson, Garcia, Stone  |     |Gatto, Perea, Rodriguez,  |
        |     |                          |     |Weber, Williams           |
        |-----+--------------------------+-----+--------------------------|
        |Nays:|Wagner, Gorell,           |Nays:|Allen, Achadjian, Linder  |
        |     |Maienschein               |     |                          |
        |     |                          |     |                          |
         ----------------------------------------------------------------- 
        SUMMARY:  Enhances privacy protections for sensitive personal  
        information.  Specifically, this bill:  

        1)Provides that existing personal information data security  
          obligations apply to businesses that maintain personal  
          information, in addition to those who own or license the  
          information. 

        2)Provides that the existing exemption from data breach notification  
          requirements for encrypted data would require the data to be  
          encrypted in conformance with National Institute of Standards and  
          Technology Federal Information Processing Standards Publication 197  
          (the Advanced Encryption Standard), as amended from time to time. 

        3)Provides that, in the event of a breach, in addition to notifying  
          the owner or licensee of the data, the person or business that  
          maintains the data shall notify persons affected by the breach, at  
          the same time that notice is given to the owner or licensee, by  
          United States mail if the person or business has a mailing address  
          for the subject persons or email notice if the person or business  
          has an email address for the subject persons.  If the subject  
          persons cannot be notified by mail or email, the person or  
          business shall provide notice by the following methods:  a)  
          conspicuous posting of the notice on the Internet Web site page of  
          the person or business, if the person or business maintains an  
          Internet Web site page, for at least 30 days; and, b) notification  
          to major statewide media.

        4)Provides that if the person or business providing the notification  
          was the source of the breach, an offer to provide appropriate  
          identity theft prevention and mitigation services, if any, shall  
          be provided at no cost to the affected person for not less than 24  
          months, along with all information necessary to take advantage of  
          the offer to any person whose information was or may have been  
          breached if the breach exposed or may have exposed two kinds of  
          personal information:  social security numbers (SSNs) and driver's  
          license numbers.

        5)Provides that a person or entity may not sell, advertise for sale,  
          or offer to sell an individual's social security number except as  
          permitted.

        FISCAL EFFECT:  None

        COMMENTS:  The authors explain that this bill is the result of a  
        joint oversight hearing of the Assembly Judiciary and Banking and  
        Finance Committees regarding the massive recent consumer information  
        data breaches by Target, Neiman Marcus and other retailers.  To  
        provide better protections and incentives for data security, the  
        bill has five elements:

        1)Reasonable security procedures and practices for businesses that  
          maintain personal information in light of the nature of the  
          information. 

        2)Appropriate encryption standards in order to warrant an exemption  
          from existing data breach notification law.

        3)Direct notification to consumers when a business that maintains  
          personal information is the source of a data breach.

        4)An offer to provide appropriate identity theft prevention and  
          mitigation services, if any, by the person or business that was  
          the source of a breach of social security numbers and driver's  
          license numbers.

        5)Prohibition against the sale of SSNs.

        Retail data breaches of sensitive personal information continue to  
        be a widespread and persistent problem, as shown by the recent large  
        incidents at Target and Neiman Marcus stores involving the loss of  
        over 110 million credit and debit card numbers and other consumer  
        records.  According to a Javelin Strategy and Research report,  
        credit card fraud has increased as much as 87% since 2010,  
        culminating in aggregate losses of $6 billion nationwide.

        According to many analysts, future data breaches may be inevitable.   
        Sometimes these breaches are caused or exacerbated by carelessness.   
        According to the 2014 Verizon Data Breach Investigations Report, two  
        out of three breaches last year were accomplished simply by logging  
        in using lost or stolen credentials.  In other cases, companies are  
        the victims of sophisticated and elaborate attacks.  In either case,  
        however, these breaches impose significant costs and risks for  
        consumer and financial services companies, among others.

        Existing law requires a business that owns or licenses personal  
        information about a California resident to implement and maintain  
        reasonable security procedures and practices appropriate to the  
        nature of the information and to protect the personal information  
        from unauthorized access, destruction, use, modification, or  
        disclosure.  Inexplicably, the statute does not apply these same  
        reasonable security standards to businesses that maintain but do not  
        own or license personal information.  This bill would close this  
        loophole by extending these provisions to businesses that maintain  
        personal information about a California resident.

        Under existing law, businesses that own, license, or maintain  
        computerized data that includes personal information shall disclose  
        a breach of the security of the system following discovery or  
        notification of the breach to a resident of California whose  
        unencrypted personal information was, or is reasonably believed to  
        have been, acquired by an unauthorized person.  

        The exemption for "encrypted" information appears to be absolute.   
        As long as the data is encrypted in any fashion, however negligible,  
        no notice is required despite the potential vulnerability of the  
        information to decryption.  When the data breach law was enacted  
        years ago, this broad "safe harbor" may have served to encourage  
        businesses that store consumer personal information to adopt any form  
        of encryption.  Now, however, encryption standards have improved, and  
        this bill would instead require that the data be encrypted to a  
        reasonable standard specified by the National Institute of Standards  
        and Technology.  This is the standard recommended by the Attorney  
        General.  (See California Department of Justice 2012 Data Breach  
        Report, available at:  
        http://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/2012data_breach_rpt.pdf.)
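        The safe harbor turns on what counts as "encrypted."  The Go program  
        below is an added illustration, not part of this analysis or of the  
        bill text, contrasting the two ends of that spectrum: a single-byte  
        XOR scheme, which a literal reading of "encrypted in any fashion"  
        would cover, and AES-256 in GCM mode, where AES is the algorithm FIPS  
        197 specifies.  The sample record, the key byte, and the field label  
        used for the known-plaintext attack are constructed for the example.  
        One caveat the analysis does not draw out, added here by the editor:  
        FIPS 197 defines only the AES block cipher; the mode of operation and  
        authentication tag (GCM here, from NIST SP 800-38D), nonce handling  
        and key management are outside it, so "conformance with FIPS 197" on  
        its own does not guarantee ciphertext that is safe to leave unnotified.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed sample record; the values are placeholders, not real data.
const sampleRecord = "name=Jane Q. Public;ssn=000-00-0000;dl=X0000000"

// xorObfuscate stands in for "encrypted in any fashion, however negligible":
// every byte is XORed with one fixed key byte.
func xorObfuscate(data []byte, key byte) []byte {
	out := make([]byte, len(data))
	for i, b := range data {
		out[i] = b ^ key
	}
	return out
}

// recoverXOR is a known-plaintext attack: records carry the field label
// "ssn=", so at some offset the key is ct[i]^'s'; the guess is confirmed when
// it also decodes the following bytes to "sn=". No key material is required.
func recoverXOR(ct []byte) ([]byte, byte, bool) {
	const label = "ssn="
	for i := 0; i+len(label) <= len(ct); i++ {
		k := ct[i] ^ label[0]
		if string(xorObfuscate(ct[i:i+len(label)], k)) == label {
			return xorObfuscate(ct, k), k, true
		}
	}
	return nil, 0, false
}

// newKey returns 32 random bytes, i.e. an AES-256 key.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// gcm wraps AES (the cipher FIPS 197 specifies) in GCM, which supplies the
// mode of operation and the authentication tag that FIPS 197 itself does not.
func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealRecord prepends a fresh random nonce to the AES-256-GCM output; the
// nonce is not secret but must never repeat under the same key.
func sealRecord(key, plaintext []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// openRecord reverses sealRecord and fails on any change to nonce, data or tag.
func openRecord(key, sealed []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

func main() {
	got, k, _ := recoverXOR(xorObfuscate([]byte(sampleRecord), 0x5A))
	fmt.Printf("XOR scheme: key 0x%02x recovered from the data alone: %q\n", k, got)
	key, err := newKey()
	if err != nil {
		panic(err)
	}
	sealed, err := sealRecord(key, []byte(sampleRecord))
	if err != nil {
		panic(err)
	}
	_, _, ok := recoverXOR(sealed)
	fmt.Println("AES-GCM: known-plaintext key recovery succeeded?", ok)
	sealed[len(sealed)-1] ^= 1
	_, err = openRecord(key, sealed)
	fmt.Println("AES-GCM: tampered record rejected:", err)
}
```

        The XOR scheme is undone by anyone holding the data, because the  
        record format itself leaks the key; the AES-GCM output resists the  
        same attack and also rejects any altered byte, which is the property a  
        breach-notification exemption implicitly relies on.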

        In addition, the bill seeks to speed and improve consumer  
        notification when a breach occurs by specifying that the person or  
        business that maintains the data shall notify persons affected by  
        the breach at the same time that notice is given to the owner or  
        licensee.  This notice would be either by United States mail if the  
        person or business has a mailing address for the subject persons or  
        email notice if the person or business has an email address for the  
        subject persons.  If the subject persons cannot be notified by mail  
        or email, the person or business shall provide notice by the  
        following methods:  a) conspicuous posting of the notice on the  
        Internet Web site page of the person or business, if the person or  
        business maintains an Internet Web site page, for at least 30 days;  
        and b) notification to major statewide media.

        Lastly, the bill seeks to protect consumers from the harms of  
        identity theft that typically flow from a breach of the most  
        sensitive personal information - SSNs and driver's license numbers.   
        Under existing law, a business that loses control of this  
        information is required to do no more than notify the affected  
        consumers, placing all costs and responsibility on the innocent  
        consumers to protect themselves.  In the interest of consumer  
        relations, many companies voluntarily do more, such as offering  
        credit monitoring and other services.  Nevertheless, no preventive  
        or mitigating steps are currently required.  Under this measure, the  
        person that was the source of the breach would be required to offer  
        appropriate identity theft prevention and mitigation services, if  
        any are available, at no cost to the affected person for not less  
        than 24 months, along with all information necessary to take  
        advantage of the offer to any person whose information was or may  
        have been breached if the breach exposed or may have exposed two  
        kinds of personal information:  SSNs and driver's license numbers.

        Existing law regulates the publication and dissemination of SSNs in  
        myriad ways.  Perhaps surprisingly, however, the outright sale of  
        SSNs is not prohibited.  

        In response to growing concerns about identity theft, the Individual  
        Reference Services Group (IRSG) was established in the 1990's as a  
        self-regulatory mechanism for the industry.  Composed of companies  
        specializing in identification and location services, the IRSG in  
        conjunction with the Federal Trade Commission developed a  
        comprehensive set of self-regulatory principles backed by audits and  
        government enforcement.  These principles, however, allowed the sale  
        of SSNs without the knowledge and permission of the data subject, in  
        a tiered system of standards contingent on how the numbers were  
        acquired.  The IRSG dissolved shortly after passage of the federal  
        Gramm-Leach-Bliley Act in 1999, but many data brokers continue to  
        conform to the group's principles.

        In October 2013, according to a report from KrebsOnSecurity, the  
        credit reporting bureau Experian reportedly sold SSNs through its  
        subsidiary, Court Ventures, to Hieu Minh Ngo, who allegedly operated  
        an identity theft service called SuperGet.info.  Though many credit  
        reporting bureaus such as Experian hold sensitive information, they  
        often sell that information to third parties that offer services  
        such as fraud prevention.  According to Krebs, Ngo posed as a United  
        States-based private investigator to gain access to individuals' SSN  
        data. 

        This bill would close this apparent loophole by expressly  
        prohibiting a person or entity from selling, advertising for sale,  
        or offering to sell an individual's SSN except where the SSN is  
        incidental to the transaction.
         
        Analysis Prepared by:  Kevin G. Baker / JUD. / (916) 319-2334   FN: 0003403