BILL ANALYSIS
-----------------------------------------------------------------
SENATE RULES COMMITTEE                                      SB 46
Office of Senate Floor Analyses
1020 N Street, Suite 524
(916) 651-1520 Fax: (916) 327-4478
-----------------------------------------------------------------
THIRD READING
Bill No: SB 46
Author: Corbett (D)
Amended: 4/15/13
Vote: 21
SENATE JUDICIARY COMMITTEE : 6-0, 4/23/13
AYES: Evans, Anderson, Corbett, Jackson, Leno, Monning
NO VOTE RECORDED: Walters
SENATE APPROPRIATIONS COMMITTEE : 5-0, 5/13/13
AYES: De León, Hill, Lara, Padilla, Steinberg
NO VOTE RECORDED: Walters, Gaines
SUBJECT : Personal information: privacy
SOURCE : Author
DIGEST : This bill expands the scope of personal information
subject to existing security breach disclosure requirements to
include a user name or email address, in combination with a
password or security question and answer that permits access to
an online account.
ANALYSIS :
Existing law:
1. Requires any agency, person, or business that owns or licenses
computerized data that includes personal information to
disclose a breach of the security of the system to any
CONTINUED
SB 46
Page
2
California resident whose unencrypted personal information
was, or is reasonably believed to have been, acquired by an
unauthorized person. The disclosure must be made in the most
expedient time possible and without unreasonable delay,
consistent with the legitimate needs of law enforcement, as
specified.
2. Requires any agency, person, or business that maintains
computerized data that includes personal information that the
agency, person, or business does not own to notify the owner
or licensee of the information of any security breach
immediately following discovery if the personal information
was, or is reasonably believed to have been, acquired by an
unauthorized person.
3. Defines "personal information," for purposes of the breach
notification statute, to include the individual's first name
or first initial and last name in combination with one or more
of the following data elements, when either the name or the
data elements are not encrypted: social security number;
driver's license number or California Identification Card
number; account number, credit or debit card number, in
combination with any required security code, access code, or
password that would permit access to an individual's financial
account; medical information; or health insurance information.
This bill expands the scope of "personal information," for
purposes of the breach notification statute, to include a user
name or email address, acquired in combination with a password
or security question and answer that permits access to an online
account.
Background
In 2003, California's first-in-the-nation security breach
notification law went into effect. Since that time, all but
four states have enacted similar security breach notification
laws, and governments around the world are considering enacting
such laws. California's security breach notification statute
requires state agencies and businesses to notify residents when
the security of their personal information, as defined, is
breached. That notification ensures that residents are aware of
the breach and allows them to take appropriate actions to
mitigate or prevent potential financial losses due to fraudulent
activity, as well as to limit the potential dissemination of
personal information.
A July 12, 2012, New York Times article entitled "Breach Extends
Beyond Yahoo to Gmail, Hotmail, AOL Users," chronicled an
example of a recent security breach that likely involved the
personal information of California consumers. That article
reported:
Another month, another major security breach. Yahoo
confirmed Thursday that about 400,000 user names and
passwords to Yahoo and other companies were stolen on
Wednesday.
A group of hackers, known as the D33D Company, posted
online the user names and passwords for what appeared to be
453,492 accounts belonging to Yahoo, and also Gmail, AOL,
Hotmail, Comcast, MSN, SBC Global, Verizon, BellSouth and
Live.com users.
The hackers wrote a brief footnote to the data dump, which
has since been taken offline: "We hope that the parties
responsible for managing the security of this subdomain
will take this as a wake-up call, and not as a threat."
The breach comes just one month after millions of user
passwords for LinkedIn, the online social network for
professionals, were exposed by hackers who breached its
systems. The breaches highlight the ease with which
hackers are able to infiltrate systems, even at some of the
most widely used and sophisticated technology companies.
The California Attorney General notes that "[w]ith 12.6 million
victims in 2012, including over 1 million Californians, identity
theft continues to be a significant crime." The Attorney
General's specialized eCrime Unit finds, along with other law
enforcement agencies, that increasingly "criminals are targeting
Internet Web sites with inadequate security, including some
social media Internet Web sites, to harvest email addresses,
user names, and passwords," and "[b]ecause most people do not
use unique passwords for each of their accounts, acquiring the
information on one account can give a thief access to [many
different] accounts."
FISCAL EFFECT : Appropriation: No   Fiscal Com.: Yes   Local: No
According to the Senate Appropriations Committee:
Minor ongoing state costs, as the California Technology
Agency has indicated that state entities are already
required to identify all data elements involved in a data
breach, including the data elements added under the
provisions of this bill.
Minor, absorbable costs to the Department of Justice to
electronically receive copies of security breach
notifications affecting more than 500 residents.
SUPPORT : (Verified 5/15/13)
Consumer Federation of California
Office of the Attorney General
Privacy Rights Clearinghouse
ARGUMENTS IN SUPPORT : According to the author's office:
Senate Bill 46 strengthens computer account protections for
the public by requiring the state and any person or
companies operating in California who maintain computerized
data about their clients or customers to notify them when
his/her password, username, or answers to security questions
have been [breached] for an online account.
SB 46 provides real-time notification that someone may have
obtained your password, username, or answers to your
security questions so the client or customer can immediately
change their access information and prevent or limit
financial losses and theft of personal data.
(AL:nl):ej 5/15/13 Senate Floor Analyses
SUPPORT/OPPOSITION: SEE ABOVE
**** END ****