BILL ANALYSIS

                             SENATE JUDICIARY COMMITTEE
                             Senator Noreen Evans, Chair
                              2013-2014 Regular Session


          SB 46 (Corbett)
          As Amended April 15, 2013
          Hearing Date: April 23, 2013
          Fiscal: Yes
          Urgency: No

                                        SUBJECT
                                             
                            Personal Information: Privacy

                                      DESCRIPTION  

          Existing law requires any state agency, and any person or  
          business conducting business in California, that owns or  
          licenses computerized data that includes personal information as  
          defined, to disclose any security breach concerning that data to  
          any California resident whose unencrypted personal information  
          was, or is believed to have been, acquired by an unauthorized  
          person.  Personal information covered by existing disclosure  
          requirements includes an individual's first name and last name,  
          or first initial and last name, when acquired in combination  
          with, among other things, a social security number, driver's  
          license or California Identification Card number, financial  
          account number, or medical information.

          This bill would expand the scope of personal information subject  
          to existing security breach disclosure requirements to include a  
          user name or email address, in combination with a password or  
          security question and answer that would permit access to an  
          online account.

                                      BACKGROUND  

          In 2003, California's first-in-the-nation security breach  
          notification law went into effect.  (See Civ. Code Secs.  
          1798.29(a), 1798.82(a).)  Since that time, all but four states  
          have enacted similar security breach notification laws, and  
          governments around the world are considering enacting such laws.  
          California's security breach notification statute requires  
          state agencies and businesses to notify residents when the  
          security of their personal information, as defined, is breached.  
          That notification ensures that residents are aware of the  
          breach and allows them to take appropriate actions to mitigate  
          or prevent potential financial losses due to fraudulent  
          activity, as well as to limit the potential dissemination of  
          personal information.

          A July 12, 2012, New York Times article entitled "Breach Extends  
          Beyond Yahoo to Gmail, Hotmail, AOL Users," chronicled an  
          example of a recent security breach that likely involved the  
          personal information of California consumers.  That article  
          reported:

            Another month, another major security breach.  Yahoo  
            confirmed Thursday that about 400,000 user names and  
            passwords to Yahoo and other companies were stolen on  
            Wednesday.

            A group of hackers, known as the D33D Company, posted online  
            the user names and passwords for what appeared to be 453,492  
            accounts belonging to Yahoo, and also Gmail, AOL, Hotmail,  
            Comcast, MSN, SBC Global, Verizon, BellSouth and Live.com  
            users.

            The hackers wrote a brief footnote to the data dump, which  
            has since been taken offline: "We hope that the parties  
            responsible for managing the security of this subdomain will  
            take this as a wake-up call, and not as a threat."

            The breach comes just one month after millions of user  
            passwords for LinkedIn, the online social network for  
            professionals, were exposed by hackers who breached its  
            systems. The breaches highlight the ease with which hackers  
            are able to infiltrate systems, even at some of the most  
            widely used and sophisticated technology companies.

          The California Attorney General notes that "[w]ith 12.6 million  
          victims in 2012, including over 1 million Californians, identity  
          theft continues to be a significant crime."  The Attorney  
          General's specialized eCrime Unit finds, along with other law  
          enforcement agencies, that increasingly "criminals are targeting  
          websites with inadequate security, including some social media  
          websites, to harvest email addresses, user names, and  
          passwords," and "[b]ecause most people do not use unique  
          passwords for each of their accounts, acquiring the information  
                                                                      



          on one account can give a thief access to [many different]  
          accounts."

          Responding to the increasing frequency of this type of security  
          breach, this bill would expand the coverage of California's  
          security breach notification law by specifically including user  
          names and email addresses, when compromised in conjunction with  
          passwords and security questions and answers. 

                                CHANGES TO EXISTING LAW
           
          Existing law requires any agency, person, or business that owns  
          or licenses computerized data that includes personal information  
          to disclose a breach of the security of the system to any  
          California resident whose unencrypted personal information was,  
          or is reasonably believed to have been, acquired by an  
          unauthorized person.  The disclosure must be made in the most  
          expedient time possible and without unreasonable delay,  
          consistent with the legitimate needs of law enforcement, as  
          specified.  (Civ. Code Secs. 1798.29(a) and (c) and 1798.82(a)  
          and (c).)

          Existing law requires any agency, person, or business that  
          maintains computerized data that includes personal information  
          that the agency, person, or business does not own to notify the  
          owner or licensee of the information of any security breach  
          immediately following discovery if the personal information was,  
          or is reasonably believed to have been, acquired by an  
          unauthorized person.  (Civ. Code Secs. 1798.29(b) and  
          1798.82(b).)

          Existing law defines "personal information," for purposes of the  
          breach notification statute, to include the individual's first  
          name or first initial and last name in combination with one or  
          more of the following data elements, when either the name or the  
          data elements are not encrypted: social security number;  
          driver's license number or California Identification Card  
          number; account number, credit or debit card number, in  
          combination with any required security code, access code, or  
          password that would permit access to an individual's financial  
          account; medical information; or health insurance information.   
          "Personal information" does not include publicly available  
          information that is lawfully made available to the general  
          public from federal, state, or local government records.  (Civ.  
          Code Secs. 1798.29(g) and (h) and 1798.82(h) and (i).)
          
                                                                      



          This bill would expand the scope of "personal information," for  
          purposes of the breach notification statute, to include a user  
          name or email address, acquired in combination with a password  
          or security question and answer that would permit access to an  
          online account.

                                        COMMENT
           
          1.   Stated need for the bill  

          According to the author:

            Senate Bill 46 strengthens computer account protections for  
            the public by requiring the state and any person or  
            companies operating in California who maintain computerized  
            data about their clients or customers to notify them when  
            his or her password, username, or answers to security  
            questions have been [breached] for an online account.

            SB 46 provides real-time notification that someone may have  
            obtained your password, username, or answers to your  
            security questions so the client or customer can immediately  
            change their access information and prevent or limit  
            financial losses and theft of personal data.

            Real-time notification would give California consumers equal  
            protection under the law.

          2.   Expansion to include password, username or security question  
          information  

          Under existing law, an agency, person, or business must disclose  
          a data breach to any California resident whose unencrypted  
          personal information was, or is reasonably believed to have  
          been, acquired by an unauthorized person.  Personal information  
          is specifically defined as an individual's first name or first  
          initial and last name in combination with one or more of five  
          specified data elements - those elements include, among other  
          things, one's social security number and driver's license  
          number.  This bill would expand the scope of personal  
          information subject to the existing security breach law's  
          notification requirement to include an individual's user name or  
          email address, in combination with a password or security  
          question and answer that would permit access to an online  
          account.

                                                                      



          The California Attorney General, writing in support of this  
          bill, has found that criminals increasingly use stolen user  
          names, passwords, or security questions and answers to take  
          control of online accounts.  The Attorney General notes, "[i]n a  
          recent data breach targeting California law enforcement, [a]  
          website operator did not notify users that their user names and  
          passwords had been compromised" because notification "was not  
          required under existing law."  The hacker behind the breach  
          "published the stolen information online and encouraged attacks  
          against other accounts," and because "[m]any of the victims used  
          the same or similar passwords on other secure state or financial  
          websites," the victims were unknowingly exposed to significant  
          potential financial losses.  Privacy Rights Clearinghouse, also  
          writing in support, states:

               Some of the most prominent breaches reported by the media  
               in recent years have included data elements such as  
               usernames and passwords, not covered by California's data  
               breach law. Access to such personal information could lead  
               to spear-phishing as well as other ploys to obtain  
               additional data from the affected individuals, resulting in  
               identity theft.  SB 46 would expand the data elements  
               included in the definition of "personal information" to  
               include "a username or email address, in combination with a  
               password or security question that would permit access to  
               an online account."

          Staff notes that requiring disclosure of security breaches  
          involving user names, passwords, or security questions and  
          answers would allow those whose information has been  
          disseminated to take actions to minimize the impact of that  
          disclosure.  As Privacy Rights Clearinghouse notes, "[m]any  
          individuals compound their exposure to financial loss and theft  
          of personal data [because] they use the same password or  
          username or answer to a security question for some or all of  
          their online accounts."  Consequently, "a breach of one online  
          account can have a cascading effect upon the user's other  
          accounts."  If existing disclosure requirements were expanded to  
          include disclosures of security breaches involving user names,  
          passwords, and security questions and answers, California  
          residents would be better equipped to proactively change their  
          passwords and other login credentials on other online accounts  
          before those accounts are compromised.

          3.   Effect if individual's name is the same as the username  

          According to the author, the California Chamber of Commerce  
                                                                      



          expressed initial concern that if existing law were expanded to  
          require notification for security breaches involving user names,  
          some confusion regarding notification requirements could arise  
          when a compromised user name contained elements of an  
          individual's first name or first initial plus last name.  As  
          noted above, "personal information" under the existing security  
          breach notification law is defined as an individual's first name  
          or first initial plus last name in combination with certain  
          enumerated data elements.  The introduced version of this bill  
          expanded the list of enumerated data elements to include, among  
          other things, a person's username.  That expansion created a  
          potential overlap between an individual's first name or first  
          initial plus last name and their username which could, under  
          certain circumstances, render the security breach notification  
          law's notification requirements somewhat confusing.  To  
          illustrate, if a user named Bob Smith had a user name of  
          "bsmith," and a security breach results in a disclosure of only  
          the term "bsmith," confusion could arise as to whether this bill  
          would require notification to Bob Smith.  In that case, the term  
          "bsmith" could meet both the criteria for an individual's name  
          and the data element of username, thus, arguably requiring  
          disclosure to the consumer.

          Staff notes that the bill, as amended on April 15, 2013, has  
          eliminated this potential point of confusion.  The revised  
          provision requiring notification of a security breach concerning  
          an individual's user name is no longer linked with the breach of  
          an individual's first name or first initial plus last name.   
          Rather, "personal information" subject to disclosure  
          requirements under this bill as amended would include either (1)  
          an individual's first name or first initial plus last name in  
          combination with the currently enumerated data elements, or (2)  
          a user name or email address, in combination with a password or  
          security question and answer that would permit access to an  
          online account.  The author notes that the California Chamber of  
          Commerce does not object to the amended version of the bill.

          4.   Privacy as a fundamental right in California

          It should also be noted that the right to privacy is a  
          fundamental right protected by section 1, article I of the  
          California Constitution.  The Legislature has expressly codified  
          that: 

               (1) The right to privacy is being threatened by the  
               indiscriminate collection, maintenance, and dissemination  
                                                                      



               of personal information and the lack of effective laws and  
               legal remedies.

               (2) The increasing use of computers and other  
               sophisticated information technology has greatly magnified  
               the potential risk to individual privacy that can occur  
               from the maintenance of personal information.

               (3) In order to protect the privacy of individuals, it is  
               necessary that the maintenance and dissemination of  
               personal information be subject to strict limits. (Civ.  
               Code Sec. 1798.1 (emphasis added).)  

          As a result, expanding the scope of personal information subject  
          to existing security breach notification procedures would  
          further the Legislature's longstanding policy of providing  
          effective laws to protect an individual's privacy.


           Support  :  Privacy Rights Clearinghouse; California Attorney  
          General

           Opposition  :  None Known

                                        HISTORY
           
           Source  :  Author

           Related Pending Legislation  :  AB 1149 (Campos, 2013), would  
          expand existing disclosure requirements concerning breaches of  
          computerized data owned or licensed by state agencies to "local  
          agencies" as defined by Government Code Section 6252(a).  This  
          bill would also make certain technical corrections to the  
          security breach notification law, and would provide that, if the  
          Commission on State Mandates determines that the bill contains  
          costs mandated by the state, reimbursement for those costs would  
          be made pursuant to Government Code Section 17500 et seq.  The  
          amendments and renumbering of Civil Code Sections 1798.29 and  
          1798.82 called for in AB 1149 may conflict with overlapping  
          renumbering called for in this bill (SB 46).

           Prior Legislation  :  None Known

                                   **************
                                          

                                                                      


