BILL ANALYSIS

-----------------------------------------------------------------
|SENATE RULES COMMITTEE                               |  AB 1710|
|Office of Senate Floor Analyses                      |         |
|1020 N Street, Suite 524                             |         |
|(916) 651-1520   Fax: (916) 327-4478                 |         |
-----------------------------------------------------------------

THIRD READING

Bill No:  AB 1710
Author:   Dickinson (D) and Wieckowski (D)
Amended:  7/1/14 in Senate
Vote:     21

SENATE JUDICIARY COMMITTEE : 5-2, 6/24/14
AYES: Jackson, Corbett, Lara, Leno, Monning
NOES: Anderson, Vidak

ASSEMBLY FLOOR : 43-25, 5/27/14 - See last page for vote

SUBJECT : Personal information: privacy

SOURCE : Author

DIGEST : This bill enacts various changes to the Data Breach Notification Law, including implementing a specific encryption standard for the law's safe harbor provisions, expanding the notification required by those who "maintain" but do not "own" personal information, and requiring the source of the breach to offer appropriate identity theft prevention and mitigation services at no cost. This bill also explicitly bans the sale, advertising for sale, or offering for sale of an individual's social security number.

ANALYSIS : Existing law requires a business that owns or licenses personal information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

CONTINUED AB 1710 Page 2

Existing law further provides that a business that discloses personal information about a California resident pursuant to a contract with a nonaffiliated third party shall require by contract that the third party implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
Existing law requires any agency, person, or business that owns or licenses computerized data that includes personal information to disclose a breach of the security of the system to any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as specified.

Existing law requires any agency, person, or business that maintains computerized data that includes personal information that the agency, person, or business does not own to notify the owner or licensee of the information of any security breach immediately following discovery if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

Existing law defines "personal information," for purposes of the breach notification statute, to include the individual's first name or first initial and last name in combination with one or more of the following data elements, when either the name or the data elements are not encrypted: social security number; driver's license number or California Identification Card number; account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account; medical information; or health insurance information. "Personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

This bill applies the above security practices and notification requirements to businesses that maintain personal information.
This bill requires a person or business that maintains computerized data that includes personal information, where the breach of the security affects 500 or more subject persons, to notify those subject persons of the breach when credit card or debit card data was, or is reasonably believed to have been, acquired by an unauthorized person. That notice must be given at the same time that notice is given to the owner or licensee, by United States mail if the person or business has a mailing address for the subject persons, or by email if the person or business has an email address for the subject persons. If the subject persons cannot be notified by mail or email, this bill requires the person or business to provide notice by the following methods:

  Conspicuous posting of the notice on the Internet Web site page of the person or business, if the person or business maintains an Internet Web site page, for at least 30 days; and

  Notification to major statewide media.

This bill authorizes the owner or licensee of computerized data that includes personal information and a person or business that maintains computerized data that includes personal information to agree, based on a written contractual agreement, which party will notify subject persons whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person of the breach of the security.

This bill requires, if the person or business providing the notification was the source of the breach, an offer to provide appropriate identity theft prevention and mitigation services, if any, at no cost to the affected person for not less than 12 months, along with all information necessary to take advantage of the offer, to any person whose information was or may have been breached if the breach exposed or may have exposed personal information.
Existing law prohibits businesses from requesting or requiring, as a condition to accepting a credit card as payment, any personal identification information related to the cardholder, but authorizes a business that accepts credit cards to require, as a condition of accepting the card, that the cardholder provide reasonable forms of identification, including, but not limited to, a driver's license or state identification card, provided that the identification is not written or recorded.

Existing law prohibits a person or entity from publicly posting or publicly displaying a person's social security number (SSN) and defines "publicly post" or "publicly display" to mean intentionally communicating or otherwise making available to the general public.

Existing law prohibits a person or entity from taking specified actions that might compromise an individual's SSN, including printing an SSN on any card required to access goods or services, requiring a person to transmit an SSN over the Internet without a secure connection or encryption, requiring a person to use his/her SSN to access an Internet Web site, except as specified, or printing an individual's SSN on any materials that are mailed to the individual, unless the SSN is required to be on the mailed document by state or federal law.

This bill prohibits a person or entity from selling, advertising for sale, or offering to sell an individual's SSN. This bill provides that "sell" does not include the release of an individual's SSN if the release of the SSN is incidental to a larger transaction and is necessary to identify the individual in order to accomplish a legitimate business purpose. This bill also provides that "sell" does not include the release of an individual's SSN for a purpose specifically authorized or specifically allowed by federal or state law. This bill clarifies that the release of an SSN for the purpose of marketing is not a legitimate business purpose.
Background

On December 19, 2013, Target Corporation announced that it had suffered a major data breach. During the height of the Christmas shopping season, hackers infiltrated the retailer's point-of-sale network and stole the debit and credit card information of an estimated 40 million Target shoppers. As forensic investigations into the breach progressed, Target announced that the personally identifying information of approximately 70 million Target customers had also been stolen from the retailer's computer network. According to press reports, it appeared that the hackers behind the breach successfully penetrated and lurked within Target's systems months before the breach occurred, remaining undetected while waiting for the start of the holiday shopping season before striking.

The Target data breach - the second largest in United States history - will have wide-ranging impacts on both consumers and industry for a long time to come. In the short term, an untold number of Californians whose card numbers or personal information was stolen will be at greater risk of identity theft and payment card fraud. Financial institutions have already expended over $170 million to reissue over 17 million credit and debit cards that were compromised by the breach, a number likely to grow over time. (See http://www.cbanet.org.) Multiple class-action lawsuits have also been filed in jurisdictions across the country, and the Attorneys General of several states have initiated investigations into the breach. Businesses that were not directly affected by the breach are re-examining their internal security, and many are likely to redouble efforts to protect their networks from similar sorts of intrusions. Both the upscale retailer Neiman Marcus and the craft store Michaels also reported data breaches during the 2013 holiday season.
Indeed, in a notification circulated to certain retailers in January, the Federal Bureau of Investigation revealed that the point-of-sale networks of no fewer than twenty retailers were attacked by hackers in 2013. Furthermore, the scope of computer networks targeted by hackers intent on stealing sensitive personal and financial information extends far beyond the retail sector. According to a database of breaches maintained by the Privacy Rights Clearinghouse, nearly 200 different organizations were subject to malicious hacking during the 13 months that began in January 2013. (See http://www.privacyrights.org/data-breach.) Besides retail, the affected organizations spanned the hospitality, education, health care, telecommunications, news media, social media, financial, and gaming sectors. Since 2005, over 660 million records have been compromised in more than 4,100 publicly acknowledged data breaches.

The scale of recent attacks against major retailers has drawn particular attention to the vulnerability of electronic payment systems and to fraud prevention and data security efforts within the retail environment. Fundamentally, electronic payment systems cannot function without the trust of those who use them. Customers want assurances that their personal information is safe when they swipe a credit or debit card at a point-of-sale terminal, or when they provide credit or debit card information to a merchant online. Retailers, card issuers, card networks, and payment processors want assurances that customers who use a card or card number in a transaction actually own or are authorized to use the card. The task of safeguarding consumers' personal and financial information has become a multi-billion dollar industry populated by thousands of participants, each with a slightly different role in a vast and extremely complex payment network.
The variation and complexity of the payment card space and the multitude of different entities that occupy it cannot and should not be underestimated, but must be understood if policymakers are to ensure the security of sensitive information within the retail environment. On February 25, 2014, the Senate Banking and Financial Institutions Committee and the Senate Judiciary Committee jointly convened an informational hearing titled, "Beyond the Breach: Protecting Consumers' Personal Information in the Retail Environment." That joint hearing reviewed retail electronic payment systems and gave members of the Committees and other interested parties an opportunity to ask experts from across the industry about efforts to combat fraud, prevent data breaches, and keep sensitive personal and financial information safe. The Assembly Banking and Finance Committee and the Assembly Judiciary Committee also held an oversight hearing to discuss the current process for data breaches and how California can improve this process, titled, "Is Our Personal Data Really Safe and Secure: A Review of the Recent Data Breaches."

Prior Legislation

SB 46 (Corbett, Chapter 396, Statutes of 2013) revised certain data elements included within the definition of personal information under California's Data Breach Notification Law, by adding certain information that would permit access to an online account, and imposed additional requirements on the disclosure of a breach of the security of the system or data in situations where the breach involves personal information that would permit access to an online or email account.
AB 555 (Salas, Chapter 103, Statutes of 2013) provided an exemption from the prohibition on posting or publicly releasing a person's SSN for an adult state correctional facility, an adult city jail, or an adult county jail that releases an inmate's SSN, with the inmate's consent and upon request by the county veterans service officer or the United States Department of Veterans Affairs, for the purposes of determining the inmate's status as a military veteran and his/her eligibility for federal, state, or local veterans' benefits or services.

SB 24 (Simitian, Chapter 197, Statutes of 2011) required any agency, person, or business that is required to issue a security breach notification pursuant to existing law to fulfill certain additional requirements pertaining to the security breach notification, and required any agency, person, or business that is required to issue a security breach notification to more than 500 California residents to electronically submit a single sample copy of that security breach notification to the Attorney General.

AB 1950 (Wiggins, Chapter 877, Statutes of 2004) required a business that owns or licenses personal information about a California resident to implement and maintain reasonable security procedures and practices to protect personal information from unauthorized access, destruction, use, modification, or disclosure. AB 1950 also required a business that discloses personal information to a nonaffiliated third party to require by contract that those entities maintain reasonable security procedures.

AB 763 (Liu, Chapter 532, Statutes of 2003) prohibited an SSN that is otherwise permitted to be mailed from being printed, in whole or in part, on a postcard or other mailer, or from being visible on the envelope or without the envelope having been opened.
SB 1936 (Peace, Chapter 915, Statutes of 2002) enacted California's Data Breach Notification Law and required a state agency, or a person or business that conducts business in California, that owns or licenses computerized data that includes personal information to disclose any breach of the security of the data to California residents whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. SB 1936 permitted notifications to be delayed if a law enforcement agency determines that it would impede a criminal investigation, and required an agency, person, or business that maintains computerized data that includes personal information owned by another to notify the owner or licensee of the information of any breach of security of the data.

SB 168 (Bowen, Chapter 720, Statutes of 2001) prohibited any person or entity, not including a state or local agency, from using an individual's SSN in certain ways, including posting it publicly or requiring it for access to products or services.

FISCAL EFFECT : Appropriation: No   Fiscal Com.: No   Local: No

SUPPORT : (Verified 7/1/14)

American Civil Liberties Union
Consumer Attorneys of California
Consumer Federation of California
Consumer Watchdog
Privacy Rights Clearinghouse

OPPOSITION : (Verified 7/1/14)

California Bankers Association
California Chamber of Commerce
California Grocers Association
California Hotel and Lodging Association
California Restaurant Association
California Retailers Association
Direct Marketing Association
Motion Picture Association of America

ARGUMENTS IN SUPPORT : The author writes:

AB 1710 stems from the recent mega data breaches affecting specified retailers.
Following these mega data breaches, the Assembly Banking and Finance Committee and the Assembly Judiciary Committee held an oversight hearing to discuss the current process for data breaches and how California can improve this process, titled, "Is Our Personal Data Really Safe and Secure: A Review of the Recent Data Breaches." AB 1710 addresses the issues raised at this hearing and reflects the areas of law that need clarification.

The recent examples of mega data breaches emphasized the importance of disclosure and accountability. All too often, data breaches happen and consumers receive a notice in the mail from a financial institution stating their personal information may have been breached. The consumer is not made aware where the personal information was compromised and might interpret the letter to believe the breach occurred at the financial institution. Under existing law, financial institutions are considered the owners of personal information and therefore must provide the notification, although the breach most often did not occur at a bank or credit union.

AB 1710 will provide clarity to consumers because it will require the maintainers of personal information, which could be a retailer, to disclose to a consumer that a breach occurred and their personal information may have been breached. This allows a consumer to: (1) be proactive by contacting their financial institution and/or credit reporting agency; and (2) have the option to not shop at a retail establishment that may not maintain personal information in a safe and secure manner.

ARGUMENTS IN OPPOSITION : Opponents assert that the new requirements and prohibitions on entities that maintain personal and payment card information establish new operational burdens and will result in unnecessary dual notification of data breaches to consumers. Further, opponents argue that the identity theft mitigation requirements are unnecessary because of existing industry services.
Further, opponents argue that government entities should not be exempt from the provisions of this bill since they are a large repository of personal information.

ASSEMBLY FLOOR : 43-25, 5/27/14

AYES: Alejo, Ammiano, Bloom, Bocanegra, Bonilla, Bonta, Bradford, Ian Calderon, Campos, Chau, Chesbro, Cooley, Dababneh, Dickinson, Fong, Garcia, Gatto, Gomez, Gonzalez, Gordon, Gray, Hall, Roger Hernández, Holden, Jones-Sawyer, Levine, Lowenthal, Mullin, Nazarian, Perea, John A. Pérez, Quirk, Rendon, Ridley-Thomas, Rodriguez, Skinner, Stone, Ting, Weber, Wieckowski, Williams, Yamada, Atkins

NOES: Achadjian, Allen, Bigelow, Chávez, Conway, Dahle, Donnelly, Fox, Beth Gaines, Gorell, Grove, Hagman, Harkey, Jones, Linder, Logue, Maienschein, Mansoor, Melendez, Muratsuchi, Nestande, Olsen, Wagner, Waldron, Wilk

NO VOTE RECORDED: Brown, Buchanan, Daly, Eggman, Frazier, Medina, Pan, Patterson, V. Manuel Pérez, Quirk-Silva, Salas, Vacancy

AL:e 7/2/14 Senate Floor Analyses

SUPPORT/OPPOSITION: SEE ABOVE

**** END ****