BILL ANALYSIS
SENATE JUDICIARY COMMITTEE
Senator Noreen Evans, Chair
2013-2014 Regular Session
SB 46 (Corbett)
As Amended April 15, 2013
Hearing Date: April 23, 2013
Fiscal: Yes
Urgency: No
SUBJECT
Personal Information: Privacy
DESCRIPTION
Existing law requires any state agency, and any person or
business conducting business in California, that owns or
licenses computerized data that includes personal information as
defined, to disclose any security breach concerning that data to
any California resident whose unencrypted personal information
was, or is believed to have been, acquired by an unauthorized
person. Personal information covered by existing disclosure
requirements includes an individual's first name and last name,
or first initial and last name, when acquired in combination
with, among other things, a social security number, driver's
license or California Identification Card number, financial
account number, or medical information.
This bill would expand the scope of personal information subject
to existing security breach disclosure requirements to include a
user name or email address, in combination with a password or
security question and answer that would permit access to an
online account.
BACKGROUND
In 2003, California's first-in-the-nation security breach
notification law went into effect. (See Civ. Code Secs.
1798.29(a), 1798.82(a).) Since that time, all but four states
have enacted similar security breach notification laws, and
governments around the world are considering enacting such laws.
California's security breach notification statute requires
state agencies and businesses to notify residents when the
security of their personal information, as defined, is breached.
That notification ensures that residents are aware of the
breach and allows them to take appropriate actions to mitigate
or prevent potential financial losses due to fraudulent
activity, as well as to limit the potential dissemination of
personal information.
A July 12, 2012, New York Times article entitled "Breach Extends
Beyond Yahoo to Gmail, Hotmail, AOL Users," chronicled an
example of a recent security breach that likely involved the
personal information of California consumers. That article
reported:
Another month, another major security breach. Yahoo
confirmed Thursday that about 400,000 user names and
passwords to Yahoo and other companies were stolen on
Wednesday.
A group of hackers, known as the D33D Company, posted online
the user names and passwords for what appeared to be 453,492
accounts belonging to Yahoo, and also Gmail, AOL, Hotmail,
Comcast, MSN, SBC Global, Verizon, BellSouth and Live.com
users.
The hackers wrote a brief footnote to the data dump, which
has since been taken offline: "We hope that the parties
responsible for managing the security of this subdomain will
take this as a wake-up call, and not as a threat."
The breach comes just one month after millions of user
passwords for LinkedIn, the online social network for
professionals, were exposed by hackers who breached its
systems. The breaches highlight the ease with which hackers
are able to infiltrate systems, even at some of the most
widely used and sophisticated technology companies.
The California Attorney General notes that "[w]ith 12.6 million
victims in 2012, including over 1 million Californians, identity
theft continues to be a significant crime." The Attorney
General's specialized eCrime Unit finds, along with other law
enforcement agencies, that increasingly "criminals are targeting
websites with inadequate security, including some social media
websites, to harvest email addresses, user names, and
passwords," and "[b]ecause most people do not use unique
passwords for each of their accounts, acquiring the information
on one account can give a thief access to [many different]
accounts."
Responding to the increasing frequency of this type of security
breach, this bill would expand the coverage of California's
security breach notification law by specifically including user
names and email addresses, when compromised in conjunction with
passwords and security questions and answers.
CHANGES TO EXISTING LAW
Existing law requires any agency, person, or business that owns
or licenses computerized data that includes personal information
to disclose a breach of the security of the system to any
California resident whose unencrypted personal information was,
or is reasonably believed to have been, acquired by an
unauthorized person. The disclosure must be made in the most
expedient time possible and without unreasonable delay,
consistent with the legitimate needs of law enforcement, as
specified. (Civ. Code Secs. 1798.29(a) and (c) and 1798.82(a)
and (c).)
Existing law requires any agency, person, or business that
maintains computerized data that includes personal information
that the agency, person, or business does not own to notify the
owner or licensee of the information of any security breach
immediately following discovery if the personal information was,
or is reasonably believed to have been, acquired by an
unauthorized person. (Civ. Code Secs. 1798.29(b) and
1798.82(b).)
Existing law defines "personal information," for purposes of the
breach notification statute, to include the individual's first
name or first initial and last name in combination with one or
more of the following data elements, when either the name or the
data elements are not encrypted: social security number;
driver's license number or California Identification Card
number; account number, credit or debit card number, in
combination with any required security code, access code, or
password that would permit access to an individual's financial
account; medical information; or health insurance information.
"Personal information" does not include publicly available
information that is lawfully made available to the general
public from federal, state, or local government records. (Civ.
Code Secs. 1798.29(g) and (h) and 1798.82(h) and (i).)
This bill would expand the scope of "personal information," for
purposes of the breach notification statute, to include a user
name or email address, acquired in combination with a password
or security question and answer that would permit access to an
online account.
COMMENT
1. Stated need for the bill
According to the author:
Senate Bill 46 strengthens computer account protections for
the public by requiring the state and any person or
companies operating in California who maintain computerized
data about their clients or customers to notify them when
his or her password, username, or answers to security
questions have been [breached] for an online account.
SB 46 provides real-time notification that someone may have
obtained your password, username, or answers to your
security questions so the client or customer can immediately
change their access information and prevent or limit
financial losses and theft of personal data.
Real-time notification would give California consumers equal
protection under the law.
2. Expansion to include password, username or security question
information
Under existing law, an agency, person, or business must disclose
a data breach to any California resident whose unencrypted
personal information was, or is reasonably believed to have
been, acquired by an unauthorized person. Personal information
is specifically defined as an individual's first name or first
initial and last name in combination with one or more of five
specified data elements - those elements include, among other
things, one's social security number and driver's license
number. This bill would expand the scope of personal
information subject to the existing security breach law's
notification requirement to include an individual's user name or
email address, in combination with a password or security
question and answer that would permit access to an online
account.
The California Attorney General, writing in support of this
bill, has found that criminals increasingly use stolen user
names, passwords, or security questions and answers to take
control of online accounts. The Attorney General notes, "[i]n a
recent data breach targeting California law enforcement, [a]
website operator did not notify users that their user names and
passwords had been compromised" because notification "was not
required under existing law." The hacker behind the breach
"published the stolen information online and encouraged attacks
against other accounts," and because "[m]any of the victims used
the same or similar passwords on other secure state or financial
websites," the victims were unknowingly exposed to significant
potential financial losses. Privacy Rights Clearinghouse, also
writing in support, states:
Some of the most prominent breaches reported by the media
in recent years have included data elements such as
usernames and passwords, not covered by California's data
breach law. Access to such personal information could lead
to spear-phishing as well as other ploys to obtain
additional data from the affected individuals, resulting in
identity theft. SB 46 would expand the data elements
included in the definition of "personal information" to
include "a username or email address, in combination with a
password or security question that would permit access to
an online account."
Staff notes that requiring disclosure of security breaches
involving user names, passwords, or security questions and
answers would allow those whose information has been
disseminated to take actions to minimize the impact of that
disclosure. As Privacy Rights Clearinghouse notes, "[m]any
individuals compound their exposure to financial loss and theft
of personal data [because] they use the same password or
username or answer to a security question for some or all of
their online accounts." Consequently, "a breach of one online
account can have a cascading effect upon the user's other
accounts." If existing disclosure requirements were expanded to
include disclosures of security breaches involving user names,
passwords, and security questions and answers, California
residents would be better equipped to proactively change their
passwords and other login credentials on other online accounts
before those accounts are compromised.
3. Effect if individual's name is the same as the username
According to the author, the California Chamber of Commerce
expressed initial concern that if existing law were expanded to
require notification for security breaches involving user names,
some confusion regarding notification requirements could arise
when a compromised user name contained elements of an
individual's first name or first initial plus last name. As
noted above, "personal information" under the existing security
breach notification law is defined as an individual's first name
or first initial plus last name in combination with certain
enumerated data elements. The introduced version of this bill
expanded the list of enumerated data elements to include, among
other things, a person's username. That expansion created a
potential overlap between an individual's first name or first
initial plus last name and their username which could, under
certain circumstances, render the security breach notification
law's notification requirements somewhat confusing. To
illustrate, if a user named Bob Smith had a user name of
"bsmith," and a security breach results in a disclosure of only
the term "bsmith," confusion could arise as to whether this bill
would require notification to Bob Smith. In that case, the term
"bsmith" could meet both the criteria for an individual's name
and the data element of username, thus, arguably requiring
disclosure to the consumer.
Staff notes that the bill, as amended on April 15, 2013, has
eliminated this potential point of confusion. The revised
provision requiring notification of a security breach concerning
an individual's user name is no longer linked with the breach of
an individual's first name or first initial plus last name.
Rather, "personal information" subject to disclosure
requirements under this bill as amended would include either (1)
an individual's first name or first initial plus last name in
combination with the currently enumerated data elements, or (2)
a user name or email address, in combination with a password or
security question and answer that would permit access to an
online account. The author notes that the California Chamber of
Commerce does not object to the amended version of the bill.
4. Privacy as a fundamental right in California
It should also be noted that the right to privacy is a
fundamental right protected by section 1, article I of the
California Constitution. The Legislature has expressly codified
that:
(1) The right to privacy is being threatened by the
indiscriminate collection, maintenance, and dissemination
of personal information and the lack of effective laws and
legal remedies.
(2) The increasing use of computers and other
sophisticated information technology has greatly magnified
the potential risk to individual privacy that can occur
from the maintenance of personal information.
(3) In order to protect the privacy of individuals, it is
necessary that the maintenance and dissemination of
personal information be subject to strict limits. (Civ.
Code Sec. 1798.1 (emphasis added).)
As a result, expanding the scope of personal information subject
to existing security breach notification procedures would
further the Legislature's longstanding policy of providing
effective laws to protect an individual's privacy.
Support : Privacy Rights Clearinghouse; California Attorney
General
Opposition : None Known
HISTORY
Source : Author
Related Pending Legislation : AB 1149 (Campos, 2013), would
expand existing disclosure requirements concerning breaches of
computerized data owned or licensed by state agencies to "local
agencies" as defined by Government Code Section 6252(a). This
bill would also make certain technical corrections to the
security breach notification law, and would provide that, if the
Commission on State Mandates determines that the bill contains
costs mandated by the state, reimbursement for those costs would
be made pursuant to Government Code Section 17500 et seq. The
amendments and renumbering of Civil Code Sections 1798.29 and
1798.82 called for in AB 1149 may conflict with overlapping
renumbering called for in this bill (SB 46).
Prior Legislation : None Known
**************