BILL ANALYSIS

                             SENATE JUDICIARY COMMITTEE
                         Senator Hannah-Beth Jackson, Chair
                              2013-2014 Regular Session


          AB 1710 (Dickinson)
          As Amended  June 5, 2014
          Hearing Date: June 24, 2014
          Fiscal: No
          Urgency: No
          TMW


                                        SUBJECT
                                           
                           Personal Information:  Privacy

                                      DESCRIPTION  

          This bill would enact various changes to the Data Breach  
          Notification Law, including implementing a specific encryption  
          standard for the law's safe harbor provisions (breached  
          encrypted data is not subject to notification), expanding the  
          notification required by those who "maintain" but do not "own"  
          personal information, and requiring the source of the breach to  
          offer appropriate identity theft prevention and mitigation  
          services at no cost.  The bill would also explicitly ban the  
          sale, advertising for sale, or offering for sale of an  
          individual's social security number.  

          (This analysis reflects author's amendments to be offered in  
          Committee.) 

                                      BACKGROUND  

          On December 19, 2013, Target Corporation announced that it had  
          suffered a major data breach.  During the height of the  
          Christmas shopping season, hackers infiltrated the retailer's  
          point-of-sale network and stole the debit and credit card  
          information of an estimated 40 million Target shoppers.  As  
          forensic investigations into the breach progressed, Target  
          announced that the personally identifying information of  
          approximately 70 million Target customers had also been stolen  
          from the retailer's computer network.  According to press  
          reports, it appeared that the hackers behind the breach  
          successfully penetrated and lurked within Target's systems  
          months before the breach occurred, remaining undetected while  
          waiting for the start of the holiday shopping season before  
          striking.

          The Target data breach - the second largest in United States  
          history - will have wide-ranging impacts on both consumers and  
          industry for a long time to come.  In the short-term, an untold  
          number of Californians whose card numbers or personal  
          information was stolen will be at greater risk of identity theft  
          and payment card fraud.  Financial institutions have already  
          expended over $170 million to reissue over 17 million credit and  
          debit cards that were compromised by the breach, a number likely  
          to grow over time.  (See http://www.cbanet.org.)  Multiple  
          class-action lawsuits have also been filed in jurisdictions  
          across the country, and the Attorneys General of several states  
          have initiated investigations into the breach.  Businesses that  
          were not directly affected by the breach are re-examining their  
          internal security, and many are likely to redouble efforts to  
          protect their networks from similar sorts of intrusions.

          Both the upscale retailer Neiman Marcus and the craft store  
          Michaels also reported data breaches during the 2013 holiday  
          season.  Indeed, in a notification circulated to certain  
          retailers in January, the Federal Bureau of Investigation (FBI)  
          revealed that the point-of-sale networks of no fewer than twenty  
          retailers were attacked by hackers in 2013.  Furthermore, the  
          scope of computer networks targeted by hackers intent on  
          stealing sensitive personal and financial information extends  
          far beyond the retail sector.  According to a database of  
          breaches maintained by the Privacy Rights Clearinghouse, nearly  
          200 different organizations were subject to malicious hacking  
          during the thirteen months that began in January 2013.  (See  
          http://www.privacyrights.org/data-breach.)  Besides retail, the  
          affected organizations spanned across the hospitality,  
          education, health care, telecommunications, news media, social  
          media, financial, and gaming sectors.  Since 2005, over 660  
          million records have been compromised in more than 4,100  
          publicly acknowledged data breaches.  

          The scale of recent attacks against major retailers has drawn  
          particular attention to the vulnerability of electronic payment  
          systems and to fraud prevention and data security efforts within  
          the retail environment.  Fundamentally, electronic payment  
          systems cannot function without the trust of those who use them.  
          Customers want assurances that their personal information is  
          safe when they swipe a credit or debit card at a point-of-sale  
          terminal, or when they provide credit or debit card information  
          to a merchant online.  Retailers, card issuers, card networks,  
          and payment processors want assurances that customers who use a  
          card or card number in a transaction actually own or are  
          authorized to use the card.

          The task of safeguarding consumers' personal and financial  
          information has become a multi-billion dollar industry populated  
          by thousands of participants, each with a slightly different  
          role in a vast and extremely complex payment network.  The  
          variation and complexity of the payment card space and the  
          multitude of different entities that occupy it cannot and should  
          not be underestimated, but must be understood if policymakers  
          are to ensure the security of sensitive information within the  
          retail environment.

          On February 25, 2014, the Senate Banking and Financial  
          Institutions Committee and Senate Judiciary Committee jointly  
          convened an informational hearing titled, "Beyond the Breach:  
          Protecting Consumers' Personal Information in the Retail  
          Environment."  That joint hearing reviewed retail electronic  
          payment systems and gave members of the Committees and other  
          interested parties an opportunity to ask experts from across the  
          industry about efforts to combat fraud, prevent data breaches,  
          and keep sensitive personal and financial information safe.  The  
          Assembly Banking and Finance Committee and the Assembly  
          Judiciary Committee also held an oversight hearing to discuss  
          the current process for data breaches and how California can  
          improve this process, titled, "Is Our Personal Data Really Safe  
          and Secure: A Review of the Recent Data Breaches."  

          AB 1710 seeks to address data breaches by expanding the security  
          practices and notification required by those who "maintain" but  
          do not "own or license" personal information and requiring the  
          source of the breach to offer appropriate identity theft  
          prevention and mitigation services at no cost.  The bill would  
          also explicitly ban the sale, advertising for sale, or offering  
          for sale of an individual's social security number.  

                                CHANGES TO EXISTING LAW
           
          1.  Existing law  requires a business that owns or licenses  
            personal information about a California resident to implement  
            and maintain reasonable security procedures and practices  
            appropriate to the nature of the information, to protect the  
            personal information from unauthorized access, destruction,  
            use, modification, or disclosure.  (Civ. Code Sec.  
            1798.81.5(b).)

             Existing law  further provides that a business that discloses  
            personal information about a California resident pursuant to a  
            contract with a nonaffiliated third party shall require by  
            contract that the third party implement and maintain  
            reasonable security procedures and practices appropriate to  
            the nature of the information, to protect the personal  
            information from unauthorized access, destruction, use,  
            modification, or disclosure.  (Civ. Code Sec. 1798.81.5(c).)
             
            Existing law  requires any agency, person, or business that  
            owns or licenses computerized data that includes personal  
            information to disclose a breach of the security of the system  
            to any California resident whose unencrypted personal  
            information was, or is reasonably believed to have been,  
            acquired by an unauthorized person.  The disclosure must be  
            made in the most expedient time possible and without  
            unreasonable delay, consistent with the legitimate needs of  
            law enforcement, as specified.  (Civ. Code Secs. 1798.29(a),  
            (c), 1798.82(a), (c).)
             
            Existing law  requires any agency, person, or business that  
            maintains computerized data that includes personal information  
            that the agency, person, or business does not own to notify  
            the owner or licensee of the information of any security  
            breach immediately following discovery if the personal  
            information was, or is reasonably believed to have been,  
            acquired by an unauthorized person.  (Civ. Code Secs.  
            1798.29(b), 1798.82(b).)
             
            Existing law  defines "personal information," for purposes of  
            the breach notification statute, to include the individual's  
            first name or first initial and last name in combination with  
            one or more of the following data elements, when either the  
            name or the data elements are not encrypted: social security  
            number; driver's license number or California Identification  
            Card number; account number, credit or debit card number, in  
            combination with any required security code, access code, or  
            password that would permit access to an individual's financial  
            account; medical information; or health insurance information.  
            "Personal information" does not include publicly available  
            information that is lawfully made available to the general  
            public from federal, state, or local government records.   
            (Civ. Code Secs. 1798.29(g), (h), 1798.82(h), (i).)

             This bill  would apply the above security practices and  
            notification requirements to businesses that maintain personal  
            information.

            This bill  would require a person or business that maintains  
            computerized data that includes personal information to notify  
            the affected persons of the breach of the security of the data  
            when 500 or more persons are affected and credit card or debit  
            card data was, or is reasonably believed to have been, acquired  
            by an unauthorized person.  That notice would be given at the  
            same time that notice is given to the owner or licensee, by  
            United States mail if the person or business has a mailing  
            address for the subject persons, or by email if the person or  
            business has an email address for the subject persons.  If the  
            subject persons cannot be notified by mail or email, this bill  
            would require the person or business to provide notice by the  
            following methods:
                 conspicuous posting of the notice on the Internet Web  
               site page of the person or business, if the person or  
               business maintains an Internet Web site page, for at least  
               30 days; and
                 notification to major statewide media.

             This bill  would authorize the owner or licensee of  
            computerized data that includes personal information and a  
            person or business that maintains computerized data that  
            includes personal information to agree based on a written  
            contractual agreement which party will notify subject persons  
            of the breach of the security whose personal information was,  
            or is reasonably believed to have been acquired by an  
            unauthorized person.

             This bill  would require, if the person or business providing  
            the notification was the source of the breach, an offer to  
            provide appropriate identity theft prevention and mitigation  
            services, if any, to be provided at no cost to the affected  
            person for not less than 12 months, along with all information  
            necessary to take advantage of the offer to any person whose  
            information was or may have been breached if the breach  
            exposed or may have exposed personal information, as defined.

          2.  Existing law  prohibits businesses from requesting or  
            requiring as a condition to accepting a credit card as  
            payment, any personal identification information related to  
            the cardholder, but authorizes a business that accepts credit  
            cards to require, as a condition of accepting the card that  
            the cardholder provides reasonable forms of identification,  
            including, but not limited to, a driver's license or state  
            identification card, provided that the identification is not  
            written or recorded.  (Civ. Code Sec. 1747.08.)

             Existing law  prohibits a person or entity from publicly  
            posting or publicly displaying a person's social security  
            number (SSN) and defines "publicly post" or "publicly display"  
            to mean intentionally communicating or otherwise making  
            available to the general public.  (Civ. Code Sec.  
            1798.85(a)(1).)

             Existing law  prohibits a person or entity from taking  
            specified actions that might compromise an individual's SSN,  
            including printing an SSN on any card required to access goods  
            or services, requiring a person to transmit an SSN over the  
            Internet without a secure connection or encryption, requiring  
            a person to use his or her SSN to access an Internet Web site,  
            except as specified, or printing an individual's SSN on any  
            materials that are mailed to the individual, unless the SSN is  
            required to be on the mailed document by state or federal law.  
            (Civ. Code Sec. 1798.85(a)(2)-(5).)
             
            This bill  would also prohibit a person or entity from selling,  
            advertising for sale, or offering to sell an individual's SSN.  


             This bill  would provide that "sell" would not include the  
            release of an individual's SSN if the release of the SSN is  
            incidental to a larger transaction and is necessary to  
            identify the individual in order to accomplish a legitimate  
            business purpose.

             This bill  would also provide that "sell" would not include the  
            release of an individual's SSN for a purpose specifically  
            authorized or specifically allowed by federal or state law.

             This bill  would clarify that the release of an SSN for the  
            purpose of marketing is not a legitimate business purpose.

                                        COMMENT
           
          1.  Stated need for the bill  
          
          The author writes:

            AB 1710 stems from the recent mega data breaches affecting  
            specified retailers.  Following these mega data breaches, the  
            Assembly Banking and Finance Committee and the Assembly  
            Judiciary Committee held an oversight hearing to discuss the  
            current process for data breaches and how California can  
            improve this process, titled, "Is Our Personal Data Really  
            Safe and Secure: A Review of the Recent Data Breaches."  AB  
            1710 addresses the issues raised at this hearing and reflects  
            the areas of law that need clarification.  The recent examples  
            of mega data breaches emphasized the importance of disclosure  
            and accountability.  All too often, data breaches happen and  
            consumers receive a notice in the mail from a financial  
            institution stating their personal information may have been  
            breached.  The consumer is not made aware where the personal  
            information was compromised and might interpret the letter to  
            believe the breach occurred at the financial institution.   
            Under existing law, financial institutions are considered the  
            owners of personal information and therefore must provide the  
            notification, although the breach most often did not occur at  
            a bank or credit union.  AB 1710 will provide clarity to  
            consumers because it will require the maintainers of personal  
            information which could be a retailer to disclose to a  
            consumer that a breach occurred and their personal information  
            may have been breached.  This allows a consumer to:  1) be  
            proactive by contacting their financial institution and/or  
            credit reporting agency; and, 2) have the option to not shop  
            at a retail establishment that may not maintain personal  
            information in a safe and secure manner. 

          2. Increasing data breach notification requirements  

          Existing law requires businesses that own or license  
          computerized data that includes personal information of  
          customers to disclose a breach of the security of the system to  
          any California resident whose unencrypted personal information  
          was, or is reasonably believed to have been, acquired by an  
          unauthorized person.  That disclosure must be made in the most  
          expedient time possible and without unreasonable delay.
          
          Proponents, the American Civil Liberties Union, Consumer  
          Federation of California, and Consumer Watchdog, argue that this  
          bill is necessary because "[c]onsumer privacy should never take  
          a back seat to the profit motive.  News reports suggest that  
          Neiman Marcus delayed issuing notice of a December 2013 breach  
          involving over one million credit cards until after the end of  
          the Christmas shopping season.  Withholding notice deprived  
          consumers of information that might have led them to take  
          preventive measures such as the placement of a credit freeze on  
          their credit report before the damage is done. . . . Experience  
          shows that some businesses will only safeguard privacy when the  
          price for violating that privacy overcomes the appetite for data  
          marketing purposes."
           
          In addition to notifying the owner or licensee of the data, this  
          bill would require businesses that maintain data to notify  
          consumers if a breach of personal information affects 500 or  
          more consumers when credit card or debit card data was, or is  
          reasonably believed to have been, acquired by an unauthorized  
          person.  This notice would be required to be given by mail or  
          email, and, if the business does not have the consumer's mailing  
          or email address, the notice must be provided conspicuously on  
          the business's Internet Web site for at least 30 days and  
          through major statewide media.  With these various notification  
          methods, this bill seeks to ensure that consumers are informed  
          of security breaches so that consumers can take steps to protect  
          against unauthorized uses of their personal information.  This  
          bill would also require the person or business providing  
          notification that was the source of the breach to provide  
          affected consumers with identity theft prevention and mitigation  
          services, at no cost, for a minimum of 12 months.

          This bill seeks to strike a balance between increased consumer  
          protection and business control over notification responsibility  
          by authorizing the owner or licensee of the computerized data and  
          the party that maintains the data to agree, by written contract,  
          which party will notify subject persons of the breach of the  
          security of the data.

          3.  Prohibiting sale of Social Security Numbers (SSNs)  

          Existing law prohibits businesses from requesting, or requiring  
          as a condition to accepting a credit card as payment, any  
          personal identification information related to the cardholder,  
          but authorizes a business that accepts credit cards to require,  
          as a condition of accepting the card that the cardholder  
          provides reasonable forms of identification, including, but not  
          limited to, a driver's license or state identification card,  
          provided that the identification is not written or recorded.   
          This bill would prohibit a business from selling, advertising  
          for sale, or offering to sell a consumer's SSN.

          Notably, this bill would clarify that the prohibition on selling  
          an individual's SSN would not include the release of an  
          individual's SSN if the release of the SSN is incidental to a  
          larger transaction and is necessary to identify the individual  
          in order to accomplish a legitimate business purpose or for a  
          purpose specifically authorized or allowed by federal or state  
          law.  However, this bill would clarify that the release of an  
          SSN for marketing purposes is not a legitimate business purpose  
          and therefore is not excluded from the prohibition.

          4.  Oppositions' concerns  

          Opponents assert that the new requirements and prohibitions on  
          entities that maintain personal and payment card information  
          establish new operational burdens and will result in unnecessary  
          dual notification of data breaches to consumers.  Further,  
          opponents argue that the identity theft mitigation requirements  
          are unnecessary because of existing industry services.   
          Opponents also contend that the encryption requirement is  
          unnecessary since encrypted data is useless to hackers unless  
          they have the encryption keys.  Further, opponents argue that  
          government entities should not be exempt from the provisions of  
          this bill since they are a large repository of personal  
          information.

          5.  Author's amendments  

          In response to the oppositions' concerns raised above, the  
          author offers the following amendments to be taken in Committee.  


             Author's amendments:

             1.   On page 4, in line 30, after "whose" insert  
               "unencrypted"


             2.   On page 4, in line 32, strike "unless the data was  
               encrypted", strike lines 33-35, and in line 36, strike  
               "from time to time"


             3.   On page 5, strike lines 7-8, and in line 9, strike  
               "affected by the breach" and insert: "(2) A person or  
               business that maintains computerized data that includes  
               personal information shall notify subject persons affecting  
               500 or more of the breach of the security when credit card  
               or debit card data was, or is reasonably believed to have  
               been, acquired by an unauthorized person"


             4.   On page 5, between lines 18 and 19, insert "(3)  
               Notwithstanding (b) (1), the owner or licensee of  
               computerized data that include personal information and a  
               person or business that maintains computerized data that  
               includes personal information may agree based on a written  
               contractual agreement which party will notify subject  
               persons of the breach of the security whose personal  
               information was, or is reasonably believed to have been  
               acquired by an unauthorized person."


             5.   On page 6, in line 14, strike "24" and insert "12"


             6.   On page 7, in line 38, strike "in", strike lines 39-40,  
               and on page 8, strike lines 1-2.


          Support:  American Civil Liberties Union; Consumer Attorneys of  
          California; Consumer Federation of California (CFC); Consumer  
          Watchdog; Privacy Rights Clearinghouse (PRC); One Individual

          Opposition:  American Council of Life Insurers; American  
          Insurance Association; Association of California Life and Health  
          Insurance Companies; Association of California Insurance  
          Companies; California Association of Collectors; California  
          Association of Licensed Investigators; California Bankers  
          Association; California Chamber of Commerce; California Cable  
          and Telecommunications Association; California Grocers  
          Association; California Hospital Association; California Hotel  
          and Lodging Association; California Manufacturers & Technology  
          Association; California Medical Association; California  
          Restaurant Association; California Retailers Association;  
          California Travel Association; CTIA The Wireless Association;  
          Direct Marketing Association; Internet Coalition; Motion Picture  
          Association of America; Personal Insurance Federation of  
          California; State Privacy and Security Coalition, Inc.;  
          TechAmerica; TechNet; The Internet Association

                                        HISTORY
           
          Source:  Author

          Related Pending Legislation:  None Known

          Prior Legislation:

          SB 46 (Corbett, Ch. 396, Stats. 2013) revised certain data  
          elements included within the definition of personal information  
          under California's Data Breach Notification Law, by adding  
          certain information that would permit access to an online  
          account and imposed additional requirements on the disclosure of  
          a breach of the security of the system or data in situations  
          where the breach involves personal information that would permit  
          access to an online or email account.

          AB 555 (Salas, Ch. 103, Stats. 2013) provided an exemption from  
          the prohibition on posting or publicly releasing a person's  
          social security number (SSN) for an adult state correctional  
          facility, an adult city jail, or an adult county jail, that  
          releases an inmate's SSN, with the inmate's consent and upon  
          request by the county veterans service officer or the United  
          States Department of Veterans Affairs, for the purposes of  
          determining the inmate's status as a military veteran and his or  
          her eligibility for federal, state, or local veterans' benefits  
          or services.

          SB 24 (Simitian, Ch. 197, Stats. 2011) required any agency,  
          person, or business that is required to issue a security breach  
          notification pursuant to existing law to fulfill certain  
          additional requirements pertaining to the security breach  
          notification, and required any agency, person, or business that  
          is required to issue a security breach notification to more than  
          500 California residents to electronically submit a single  
          sample copy of that security breach notification to the Attorney  
          General.

          AB 1298 (Jones, Ch. 699, Stats. 2007), among other things, added  
          medical information and health insurance information to the data  
          elements that, when combined with the individual's name, would  
          constitute personal information requiring disclosure when  
          acquired, or believed to be acquired, by an unauthorized person  
          due to a security breach.

          AB 1950 (Wiggins, Ch. 877, Stats. 2004) required a business that  
          owns or licenses personal information about a California  
          resident to implement and maintain reasonable security  
          procedures and practices to protect personal information from  
          unauthorized access, destruction, use, modification, or  
          disclosure.  AB 1950 also required a business that discloses  
          personal information to a nonaffiliated third party, to require  
          by contract that those entities maintain reasonable security  
          procedures.

          AB 763 (Liu, Ch. 532, Stats. 2003) prohibited a SSN that is  
          otherwise permitted to be mailed from being printed, in whole or  
          in part, on a postcard or other mailer or visible on the  
          envelope or without the envelope having been opened.

          SB 1936 (Peace, Ch. 915, Stats. 2002) enacted California's Data  
          Breach Notification Law and required a state agency, or a person  
          or business that conducts business in California, that owns or  
          licenses computerized data that includes personal information to  
          disclose any breach of the security of the data to California's  
          residents whose unencrypted personal information was, or is  
          reasonably believed to have been, acquired by an unauthorized  
          person. SB 1936 permitted notifications to be delayed if a law  
          enforcement agency determines that it would impede a criminal  
          investigation, and required an agency, person, or business that  
          maintains computerized data that includes personal information  
          owned by another to notify the owner or licensee of the  
          information of any breach of security of the data.

          SB 168 (Bowen, Ch. 720, Stats. 2001) prohibited any person or  
          entity, not including a state or local agency, from using an  
          individual's SSN in certain ways, including posting it publicly  
          or requiring it for access to products or services.

          Prior Vote:

          Assembly Floor (Ayes 43, Noes 25)
          Assembly Committee on Banking and Finance (Ayes 8, Noes 3)
          Assembly Committee on Judiciary (Ayes 6, Noes 3)

                                   **************