BILL ANALYSIS

SENATE JUDICIARY COMMITTEE
Senator Noreen Evans, Chair
2013-2014 Regular Session

SB 46 (Corbett)
As Amended April 15, 2013
Hearing Date: April 23, 2013
Fiscal: Yes
Urgency: No

SUBJECT

Personal Information: Privacy

DESCRIPTION

Existing law requires any state agency, and any person or business conducting business in California, that owns or licenses computerized data that includes personal information as defined, to disclose any security breach concerning that data to any California resident whose unencrypted personal information was, or is believed to have been, acquired by an unauthorized person. Personal information covered by existing disclosure requirements includes an individual's first name and last name, or first initial and last name, when acquired in combination with, among other things, a social security number, driver's license or California Identification Card number, financial account number, or medical information.

This bill would expand the scope of personal information subject to existing security breach disclosure requirements to include a user name or email address, in combination with a password or security question and answer that would permit access to an online account.

BACKGROUND

In 2003, California's first-in-the-nation security breach notification law went into effect. (See Civ. Code Secs. 1798.29(a), 1798.82(a).) Since that time, all but four states have enacted similar security breach notification laws, and governments around the world are considering enacting such laws. California's security breach notification statute requires state agencies and businesses to notify residents when the security of their personal information, as defined, is breached.
That notification ensures that residents are aware of the breach and allows them to take appropriate actions to mitigate or prevent potential financial losses due to fraudulent activity, as well as to limit the potential dissemination of personal information.

A July 12, 2012, New York Times article entitled "Breach Extends Beyond Yahoo to Gmail, Hotmail, AOL Users," chronicled an example of a recent security breach that likely involved the personal information of California consumers. That article reported:

    Another month, another major security breach. Yahoo confirmed Thursday that about 400,000 user names and passwords to Yahoo and other companies were stolen on Wednesday. A group of hackers, known as the D33D Company, posted online the user names and passwords for what appeared to be 453,492 accounts belonging to Yahoo, and also Gmail, AOL, Hotmail, Comcast, MSN, SBC Global, Verizon, BellSouth and Live.com users.

    The hackers wrote a brief footnote to the data dump, which has since been taken offline: "We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat."

    The breach comes just one month after millions of user passwords for LinkedIn, the online social network for professionals, were exposed by hackers who breached its systems. The breaches highlight the ease with which hackers are able to infiltrate systems, even at some of the most widely used and sophisticated technology companies.

The California Attorney General notes that "[w]ith 12.6 million victims in 2012, including over 1 million Californians, identity theft continues to be a significant crime."
The Attorney General's specialized eCrime Unit finds, along with other law enforcement agencies, that increasingly "criminals are targeting websites with inadequate security, including some social media websites, to harvest email addresses, user names, and passwords," and "[b]ecause most people do not use unique passwords for each of their accounts, acquiring the information on one account can give a thief access to [many different] accounts."

Responding to the increasing frequency of this type of security breach, this bill would expand the coverage of California's security breach notification law by specifically including user names and email addresses, when compromised in conjunction with passwords and security questions and answers.

CHANGES TO EXISTING LAW

Existing law requires any agency, person, or business that owns or licenses computerized data that includes personal information to disclose a breach of the security of the system to any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as specified. (Civ. Code Secs. 1798.29(a) and (c) and 1798.82(a) and (c).)

Existing law requires any agency, person, or business that maintains computerized data that includes personal information that the agency, person, or business does not own to notify the owner or licensee of the information of any security breach immediately following discovery if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person. (Civ. Code Secs. 1798.29(b) and 1798.82(b).)
Existing law defines "personal information," for purposes of the breach notification statute, to include the individual's first name or first initial and last name in combination with one or more of the following data elements, when either the name or the data elements are not encrypted: social security number; driver's license number or California Identification Card number; account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account; medical information; or health insurance information. "Personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records. (Civ. Code Secs. 1798.29(g) and (h) and 1798.82(h) and (i).)

This bill would expand the scope of "personal information," for purposes of the breach notification statute, to include a user name or email address, acquired in combination with a password or security question and answer that would permit access to an online account.

COMMENT

1. Stated need for the bill

According to the author:

    Senate Bill 46 strengthens computer account protections for the public by requiring the state and any person or companies operating in California who maintain computerized data about their clients or customers to notify them when his or her password, username, or answers to security questions have been [breached] for an online account. SB 46 provides real-time notification that someone may have obtained your password, username, or answers to your security questions so the client or customer can immediately change their access information and prevent or limit financial losses and theft of personal data. Real-time notification would give California consumers equal protection under the law.

2. Expansion to include password, username or security question information

Under existing law, an agency, person, or business must disclose a data breach to any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Personal information is specifically defined as an individual's first name or first initial and last name in combination with one or more of five specified data elements; those elements include, among other things, one's social security number and driver's license number. This bill would expand the scope of personal information subject to the existing security breach law's notification requirement to include an individual's user name or email address, in combination with a password or security question and answer that would permit access to an online account.

The California Attorney General, writing in support of this bill, has found that criminals increasingly use stolen user names, passwords, or security questions and answers to take control of online accounts. The Attorney General notes, "[i]n a recent data breach targeting California law enforcement, [a] website operator did not notify users that their user names and passwords had been compromised" because notification "was not required under existing law." The hacker behind the breach "published the stolen information online and encouraged attacks against other accounts," and because "[m]any of the victims used the same or similar passwords on other secure state or financial websites," the victims were unknowingly exposed to significant potential financial losses.

Privacy Rights Clearinghouse, also writing in support, states:

    Some of the most prominent breaches reported by the media in recent years have included data elements such as usernames and passwords, not covered by California's data breach law.
    Access to such personal information could lead to spear-phishing as well as other ploys to obtain additional data from the affected individuals, resulting in identity theft. SB 46 would expand the data elements included in the definition of "personal information" to include "a username or email address, in combination with a password or security question that would permit access to an online account."

Staff notes that requiring disclosure of security breaches involving user names, passwords, or security questions and answers would allow those whose information has been disseminated to take actions to minimize the impact of that disclosure. As Privacy Rights Clearinghouse notes, "[m]any individuals compound their exposure to financial loss and theft of personal data [because] they use the same password or username or answer to a security question for some or all of their online accounts." Consequently, "a breach of one online account can have a cascading effect upon the user's other accounts." If existing disclosure requirements were expanded to include disclosures of security breaches involving user names, passwords, and security questions and answers, California residents would be better equipped to proactively change their passwords and other login credentials on other online accounts before those accounts are compromised.

3. Effect if individual's name is the same as the username

According to the author, the California Chamber of Commerce expressed initial concern that if existing law were expanded to require notification for security breaches involving user names, some confusion regarding notification requirements could arise when a compromised user name contained elements of an individual's first name or first initial plus last name.
As noted above, "personal information" under the existing security breach notification law is defined as an individual's first name or first initial plus last name in combination with certain enumerated data elements. The introduced version of this bill expanded the list of enumerated data elements to include, among other things, a person's username. That expansion created a potential overlap between an individual's first name or first initial plus last name and their username which could, under certain circumstances, render the security breach notification law's notification requirements somewhat confusing. To illustrate, if a user named Bob Smith had a user name of "bsmith," and a security breach results in a disclosure of only the term "bsmith," confusion could arise as to whether this bill would require notification to Bob Smith. In that case, the term "bsmith" could meet both the criteria for an individual's name and the data element of username, thus, arguably requiring disclosure to the consumer.

Staff notes that the bill, as amended on April 15, 2013, has eliminated this potential point of confusion. The revised provision requiring notification of a security breach concerning an individual's user name is no longer linked with the breach of an individual's first name or first initial plus last name. Rather, "personal information" subject to disclosure requirements under this bill as amended would include either (1) an individual's first name or first initial plus last name in combination with the currently enumerated data elements, or (2) a user name or email address, in combination with a password or security question and answer that would permit access to an online account. The author notes that the California Chamber of Commerce does not object to the amended version of the bill.

4. Privacy as a fundamental right in California

It should also be noted that the right to privacy is a fundamental right protected by section 1, article I of the California Constitution. The Legislature has expressly codified that:

    (1) The right to privacy is being threatened by the indiscriminate collection, maintenance, and dissemination of personal information and the lack of effective laws and legal remedies.

    (2) The increasing use of computers and other sophisticated information technology has greatly magnified the potential risk to individual privacy that can occur from the maintenance of personal information.

    (3) In order to protect the privacy of individuals, it is necessary that the maintenance and dissemination of personal information be subject to strict limits.

(Civ. Code Sec. 1798.1 (emphasis added).)

As a result, expanding the scope of personal information subject to existing security breach notification procedures would further the Legislature's longstanding policy of providing effective laws to protect an individual's privacy.

Support: Privacy Rights Clearinghouse; California Attorney General

Opposition: None Known

HISTORY

Source: Author

Related Pending Legislation: AB 1149 (Campos, 2013), would expand existing disclosure requirements concerning breaches of computerized data owned or licensed by state agencies to "local agencies" as defined by Government Code Section 6252(a). This bill would also make certain technical corrections to the security breach notification law, and would provide that, if the Commission on State Mandates determines that the bill contains costs mandated by the state, reimbursement for those costs would be made pursuant to Government Code Section 17500 et seq. The amendments and renumbering of Civil Code Sections 1798.29 and 1798.82 called for in AB 1149 may conflict with overlapping renumbering called for in this bill (SB 46).
Prior Legislation: None Known

**************