BILL ANALYSIS

SENATE JUDICIARY COMMITTEE
Senator Hannah-Beth Jackson, Chair
2013-2014 Regular Session

AB 1710 (Dickinson)
As Amended June 5, 2014
Hearing Date: June 24, 2014
Fiscal: No
Urgency: No
TMW

SUBJECT

Personal Information: Privacy

DESCRIPTION

This bill would enact various changes to the Data Breach Notification Law, including implementing a specific encryption standard for the law's safe harbor provisions (breached encrypted data is not subject to notification), expanding the notification required by those who "maintain" but do not "own" personal information, and requiring the source of the breach to offer appropriate identity theft prevention and mitigation services at no cost. The bill would also explicitly ban the sale, advertising for sale, or offering for sale of an individual's social security number.

(This analysis reflects author's amendments to be offered in Committee.)

BACKGROUND

On December 19, 2013, Target Corporation announced that it had suffered a major data breach. During the height of the Christmas shopping season, hackers infiltrated the retailer's point-of-sale network and stole the debit and credit card information of an estimated 40 million Target shoppers. As forensic investigations into the breach progressed, Target announced that the personally identifying information of approximately 70 million Target customers had also been stolen from the retailer's computer network. According to press reports, it appeared that the hackers behind the breach successfully penetrated and lurked within Target's systems months before the breach occurred, remaining undetected while waiting for the start of the holiday shopping season before striking. The Target data breach - the second largest in United States history - will have wide-ranging impacts on both consumers and industry for a long time to come.

In the short term, an untold number of Californians whose card numbers or personal information was stolen will be at greater risk of identity theft and payment card fraud. Financial institutions have already expended over $170 million to reissue over 17 million credit and debit cards that were compromised by the breach, a number likely to grow over time. (See http://www.cbanet.org.) Multiple class-action lawsuits have also been filed in jurisdictions across the country, and the Attorneys General of several states have initiated investigations into the breach.

Businesses that were not directly affected by the breach are re-examining their internal security, and many are likely to redouble efforts to protect their networks from similar sorts of intrusions. Both the upscale retailer Neiman Marcus and the craft store Michaels also reported data breaches during the 2013 holiday season. Indeed, in a notification circulated to certain retailers in January, the Federal Bureau of Investigation (FBI) revealed that the point-of-sale networks of no fewer than twenty retailers were attacked by hackers in 2013.

Furthermore, the scope of computer networks targeted by hackers intent on stealing sensitive personal and financial information extends far beyond the retail sector. According to a database of breaches maintained by the Privacy Rights Clearinghouse, nearly 200 different organizations were subject to malicious hacking during the thirteen months that began in January 2013. (See http://www.privacyrights.org/data-breach.) Besides retail, the affected organizations spanned the hospitality, education, health care, telecommunications, news media, social media, financial, and gaming sectors. Since 2005, over 660 million records have been compromised in more than 4,100 publicly acknowledged data breaches.

The scale of recent attacks against major retailers has drawn particular attention to the vulnerability of electronic payment systems and to fraud prevention and data security efforts within the retail environment. Fundamentally, electronic payment systems cannot function without the trust of those who use them. Customers want assurances that their personal information is safe when they swipe a credit or debit card at a point-of-sale terminal, or when they provide credit or debit card information to a merchant online. Retailers, card issuers, card networks, and payment processors want assurances that customers who use a card or card number in a transaction actually own or are authorized to use the card. The task of safeguarding consumers' personal and financial information has become a multi-billion dollar industry populated by thousands of participants, each with a slightly different role in a vast and extremely complex payment network. The variation and complexity of the payment card space and the multitude of different entities that occupy it cannot and should not be underestimated, but must be understood if policymakers are to ensure the security of sensitive information within the retail environment.

On February 25, 2014, the Senate Banking and Financial Institutions Committee and Senate Judiciary Committee jointly convened an informational hearing titled, "Beyond the Breach: Protecting Consumers' Personal Information in the Retail Environment." That joint hearing reviewed retail electronic payment systems and gave members of the Committees and other interested parties an opportunity to ask experts from across the industry about efforts to combat fraud, prevent data breaches, and keep sensitive personal and financial information safe.
The Assembly Banking and Finance Committee and the Assembly Judiciary Committee also held an oversight hearing to discuss the current process for data breaches and how California can improve this process, titled, "Is Our Personal Data Really Safe and Secure: A Review of the Recent Data Breaches."

AB 1710 seeks to address data breaches by expanding the security practices and notification required by those who "maintain" but do not "own or license" personal information and requiring the source of the breach to offer appropriate identity theft prevention and mitigation services at no cost. The bill would also explicitly ban the sale, advertising for sale, or offering for sale of an individual's social security number.

CHANGES TO EXISTING LAW

1. Existing law requires a business that owns or licenses personal information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. (Civ. Code Sec. 1798.81.5(b).)

Existing law further provides that a business that discloses personal information about a California resident pursuant to a contract with a nonaffiliated third party shall require by contract that the third party implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. (Civ. Code Sec. 1798.81.5(c).)

Existing law requires any agency, person, or business that owns or licenses computerized data that includes personal information to disclose a breach of the security of the system to any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as specified. (Civ. Code Secs. 1798.29(a), (c), 1798.82(a), (c).)

Existing law requires any agency, person, or business that maintains computerized data that includes personal information that the agency, person, or business does not own to notify the owner or licensee of the information of any security breach immediately following discovery if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person. (Civ. Code Secs. 1798.29(b), 1798.82(b).)

Existing law defines "personal information," for purposes of the breach notification statute, to include the individual's first name or first initial and last name in combination with one or more of the following data elements, when either the name or the data elements are not encrypted: social security number; driver's license number or California Identification Card number; account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account; medical information; or health insurance information. "Personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records. (Civ. Code Secs. 1798.29(g), (h), 1798.82(h), (i).)

This bill would apply the above security practices and notification requirements to businesses that maintain personal information.

This bill would require a person or business that maintains computerized data that includes personal information to notify subject persons of the breach of the security, when the breach affects 500 or more subject persons and credit card or debit card data was, or is reasonably believed to have been, acquired by an unauthorized person, at the same time that notice is given to the owner or licensee. That notice would be given by United States mail if the person or business has a mailing address for the subject persons, or by email if the person or business has an email address for the subject persons. If the subject persons cannot be notified by mail or email, this bill would require the person or business to provide notice by the following methods: conspicuous posting of the notice on the Internet Web site page of the person or business, if the person or business maintains an Internet Web site page, for at least 30 days; and notification to major statewide media.

This bill would authorize the owner or licensee of computerized data that includes personal information and a person or business that maintains computerized data that includes personal information to agree, based on a written contractual agreement, which party will notify subject persons of the breach of the security whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

This bill would require, if the person or business providing the notification was the source of the breach, an offer to provide appropriate identity theft prevention and mitigation services, if any, at no cost to the affected person for not less than 12 months, along with all information necessary to take advantage of the offer, to any person whose information was or may have been breached if the breach exposed or may have exposed personal information, as defined.

2.
Existing law prohibits businesses from requesting or requiring, as a condition to accepting a credit card as payment, any personal identification information related to the cardholder, but authorizes a business that accepts credit cards to require, as a condition of accepting the card, that the cardholder provide reasonable forms of identification, including, but not limited to, a driver's license or state identification card, provided that the identification is not written or recorded. (Civ. Code Sec. 1747.08.)

Existing law prohibits a person or entity from publicly posting or publicly displaying a person's social security number (SSN) and defines "publicly post" or "publicly display" to mean intentionally communicating or otherwise making available to the general public. (Civ. Code Sec. 1798.85(a)(1).)

Existing law prohibits a person or entity from taking specified actions that might compromise an individual's SSN, including printing an SSN on any card required to access goods or services, requiring a person to transmit an SSN over the Internet without a secure connection or encryption, requiring a person to use his or her SSN to access an Internet Web site, except as specified, or printing an individual's SSN on any materials that are mailed to the individual, unless the SSN is required to be on the mailed document by state or federal law. (Civ. Code Sec. 1798.85(a)(2)-(5).)

This bill would also prohibit a person or entity from selling, advertising for sale, or offering to sell an individual's SSN. This bill would provide that "sell" would not include the release of an individual's SSN if the release of the SSN is incidental to a larger transaction and is necessary to identify the individual in order to accomplish a legitimate business purpose. This bill would also provide that "sell" would not include the release of an individual's SSN for a purpose specifically authorized or specifically allowed by federal or state law. This bill would clarify that the release of an SSN for the purpose of marketing is not a legitimate business purpose.

COMMENT

1. Stated need for the bill

The author writes:

AB 1710 stems from the recent mega data breaches affecting specified retailers. Following these mega data breaches, the Assembly Banking and Finance Committee and the Assembly Judiciary Committee held an oversight hearing to discuss the current process for data breaches and how California can improve this process, titled, "Is Our Personal Data Really Safe and Secure: A Review of the Recent Data Breaches." AB 1710 addresses the issues raised at this hearing and reflects the areas of law that need clarification.

The recent examples of mega data breaches emphasized the importance of disclosure and accountability. All too often, data breaches happen and consumers receive a notice in the mail from a financial institution stating their personal information may have been breached. The consumer is not made aware where the personal information was compromised and might interpret the letter to believe the breach occurred at the financial institution. Under existing law, financial institutions are considered the owners of personal information and therefore must provide the notification, although the breach most often did not occur at a bank or credit union.

AB 1710 will provide clarity to consumers because it will require the maintainers of personal information, which could be a retailer, to disclose to a consumer that a breach occurred and their personal information may have been breached. This allows a consumer to: 1) be proactive by contacting their financial institution and/or credit reporting agency; and, 2) have the option to not shop at a retail establishment that may not maintain personal information in a safe and secure manner.

2.
Increasing data breach notification requirements

Existing law requires businesses that own or license computerized data that includes personal information of customers to disclose a breach of the security of the system to any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. That disclosure must be made in the most expedient time possible and without unreasonable delay.

Proponents, the American Civil Liberties Union, Consumer Federation of California, and Consumer Watchdog, argue that this bill is necessary because "[c]onsumer privacy should never take a back seat to the profit motive. News reports suggest that Neiman Marcus delayed issuing notice of a December 2013 breach involving over one million credit cards until after the end of the Christmas shopping season. Withholding notice deprived consumers of information that might have led them to take preventive measures such as the placement of a credit freeze on their credit report before the damage is done. . . . Experience shows that some businesses will only safeguard privacy when the price for violating that privacy overcomes the appetite for data marketing purposes."

In addition to notifying the owner or licensee of the data, this bill would require businesses that maintain data to notify consumers if a breach of personal information affects 500 or more consumers when credit card or debit card data was, or is reasonably believed to have been, acquired by an unauthorized person. This notice would be required to be given by mail or email, and, if the business does not have the consumer's mailing or email address, the notice must be provided conspicuously on the business's Internet Web site for at least 30 days and through major statewide media. With these various notification methods, this bill seeks to ensure that consumers are informed of security breaches so that consumers can take steps to protect against unauthorized uses of their personal information.

This bill would also require the person or business providing notification that was the source of the breach to provide affected consumers with identity theft prevention and mitigation services for a minimum of 12 months.

This bill seeks to strike a balance between increased consumer protection and business control over notification responsibility by authorizing the owner or licensee of the computerized data to contract with the party that maintains the data to decide which party will notify subject persons of the breach of the security.

3. Prohibiting sale of Social Security Numbers (SSNs)

Existing law prohibits businesses from requesting, or requiring as a condition to accepting a credit card as payment, any personal identification information related to the cardholder, but authorizes a business that accepts credit cards to require, as a condition of accepting the card, that the cardholder provide reasonable forms of identification, including, but not limited to, a driver's license or state identification card, provided that the identification is not written or recorded.

This bill would prohibit a business from selling, advertising for sale, or offering to sell a consumer's SSN. Notably, this bill would clarify that the prohibition on selling an individual's SSN would not include the release of an individual's SSN if the release of the SSN is incidental to a larger transaction and is necessary to identify the individual in order to accomplish a legitimate business purpose, or for a purpose specifically authorized or allowed by federal or state law. However, this bill would make the release of an SSN for marketing purposes unlawful.

4.
Opposition's concerns

Opponents assert that the new requirements and prohibitions on entities that maintain personal and payment card information establish new operational burdens and will result in unnecessary dual notification of data breaches to consumers. Further, opponents argue that the identity theft mitigation requirements are unnecessary because of existing industry services. Opponents also contend that the encryption requirement is unnecessary since encrypted data is useless to hackers unless they have the encryption keys. Further, opponents argue that government entities should not be exempt from the provisions of this bill since they are a large repository of personal information.

5. Author's amendments

In response to the opposition's concerns raised above, the author offers the following amendments to be taken in Committee.

Author's amendments:

1. On page 4, in line 30, after "whose" insert "unencrypted"

2. On page 4, in line 32, strike "unless the data was encrypted", strike lines 33-35, and in line 36, strike "from time to time"

3. On page 5, strike lines 7-8, and in line 9, strike "affected by the breach" and insert: "(2) A person or business that maintains computerized data that includes personal information shall notify subject persons affecting 500 or more of the breach of the security when credit card or debit card data was, or is reasonably believed to have been, acquired by an unauthorized person"

4. On page 5, between lines 18 and 19, insert "(3) Notwithstanding (b) (1), the owner or licensee of computerized data that include personal information and a person or business that maintains computerized data that includes personal information may agree based on a written contractual agreement which party will notify subject persons of the breach of the security whose personal information was, or is reasonably believed to have been acquired by an unauthorized person."

5.
On page 6, in line 14, strike "24" and insert "12"

6. On page 7, in line 38, strike "in", strike lines 39-40, and on page 8, strike lines 1-2.

Support: American Civil Liberties Union; Consumer Attorneys of California; Consumer Federation of California (CFC); Consumer Watchdog; Privacy Rights Clearinghouse (PRC); One Individual

Opposition: American Council of Life Insurers; American Insurance Association; Association of California Life and Health Insurance Companies; Association of California Insurance Companies; California Association of Collectors; California Association of Licensed Investigators; California Bankers Association; California Chamber of Commerce; California Cable and Telecommunications Association; California Grocers Association; California Hospital Association; California Hotel and Lodging Association; California Manufacturers & Technology Association; California Medical Association; California Restaurant Association; California Retailers Association; California Travel Association; CTIA The Wireless Association; Direct Marketing Association; Internet Coalition; Motion Picture Association of America; Personal Insurance Federation of California; State Privacy and Security Coalition, Inc.; TechAmerica; TechNet; The Internet Association

HISTORY

Source: Author

Related Pending Legislation: None Known

Prior Legislation:

SB 46 (Corbett, Ch. 396, Stats. 2013) revised certain data elements included within the definition of personal information under California's Data Breach Notification Law, by adding certain information that would permit access to an online account, and imposed additional requirements on the disclosure of a breach of the security of the system or data in situations where the breach involves personal information that would permit access to an online or email account.

AB 555 (Salas, Ch. 103, Stats. 2013) provided an exemption from the prohibition on posting or publicly releasing a person's social security number (SSN) for an adult state correctional facility, an adult city jail, or an adult county jail, that releases an inmate's SSN, with the inmate's consent and upon request by the county veterans service officer or the United States Department of Veterans Affairs, for the purposes of determining the inmate's status as a military veteran and his or her eligibility for federal, state, or local veterans' benefits or services.

SB 24 (Simitian, Ch. 197, Stats. 2011) required any agency, person, or business that is required to issue a security breach notification pursuant to existing law to fulfill certain additional requirements pertaining to the security breach notification, and required any agency, person, or business that is required to issue a security breach notification to more than 500 California residents to electronically submit a single sample copy of that security breach notification to the Attorney General.

AB 1298 (Jones, Ch. 699, Stats. 2007), among other things, added medical information and health insurance information to the data elements that, when combined with the individual's name, would constitute personal information requiring disclosure when acquired, or believed to be acquired, by an unauthorized person due to a security breach.

AB 1950 (Wiggins, Ch. 877, Stats. 2004) required a business that owns or licenses personal information about a California resident to implement and maintain reasonable security procedures and practices to protect personal information from unauthorized access, destruction, use, modification, or disclosure. AB 1950 also required a business that discloses personal information to a nonaffiliated third party to require by contract that those entities maintain reasonable security procedures.

AB 763 (Liu, Ch. 532, Stats. 2003) prohibited a SSN that is otherwise permitted to be mailed from being printed, in whole or in part, on a postcard or other mailer or visible on the envelope or without the envelope having been opened.

SB 1936 (Peace, Ch. 915, Stats. 2002) enacted California's Data Breach Notification Law and required a state agency, or a person or business that conducts business in California, that owns or licenses computerized data that includes personal information to disclose any breach of the security of the data to California's residents whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. SB 1936 permitted notifications to be delayed if a law enforcement agency determines that it would impede a criminal investigation, and required an agency, person, or business that maintains computerized data that includes personal information owned by another to notify the owner or licensee of the information of any breach of security of the data.

SB 168 (Bowen, Ch. 720, Stats. 2001) prohibited any person or entity, not including a state or local agency, from using an individual's SSN in certain ways, including posting it publicly or requiring it for access to products or services.

Prior Vote:
Assembly Floor (Ayes 43, Noes 25)
Assembly Committee on Banking and Finance (Ayes 8, Noes 3)
Assembly Committee on Judiciary (Ayes 6, Noes 3)

**************