BILL ANALYSIS                                                                                                                                                                                                    Ó


          |SENATE RULES COMMITTEE            |                         SB 46|
          |Office of Senate Floor Analyses   |                              |
          |1020 N Street, Suite 524          |                              |
          |(916) 651-1520         Fax: (916) |                              |
          |327-4478                          |                              |
                                    THIRD READING

          Bill No:  SB 46
          Author:   Corbett (D)
          Amended:  4/15/13
          Vote:     21

           SENATE JUDICIARY COMMITTEE  :  6-0, 4/23/13
          AYES:  Evans, Anderson, Corbett, Jackson, Leno, Monning
          NO VOTE RECORDED:  Walters

           SENATE APPROPRIATIONS COMMITTEE  :  5-0, 5/13/13
          AYES:  De León, Hill, Lara, Padilla, Steinberg
          NO VOTE RECORDED:  Walters, Gaines

           SUBJECT  :    Personal information:  privacy

           SOURCE  :     Author

           DIGEST  :    This bill expands the scope of personal information  
          subject to existing security breach disclosure requirements to  
          include a user name or email address, in combination with a  
          password or security question and answer that permits access to  
          an online account.

           ANALYSIS  :    

          Existing law:

          1.Requires any agency, person, or business that owns or licenses  
            computerized data that includes personal information to  
            disclose a breach of the security of the system to any  


                                                                      SB 46

            California resident whose unencrypted personal information  
            was, or is reasonably believed to have been, acquired by an  
            unauthorized person.  The disclosure must be made in the most  
            expedient time possible and without unreasonable delay,  
            consistent with the legitimate needs of law enforcement, as  

          2.Requires any agency, person, or business that maintains  
            computerized data that includes personal information that the  
            agency, person, or business does not own to notify the owner  
            or licensee of the information of any security breach  
            immediately following discovery if the personal information  
            was, or is reasonably believed to have been, acquired by an  
            unauthorized person.

          3.Defines "personal information," for purposes of the breach  
            notification statute, to include the individual's first name  
            or first initial and last name in combination with one or more  
            of the following data elements, when either the name or the  
            data elements are not encrypted:  social security number;  
            driver's license number or California Identification Card  
            number; account number, credit or debit card number, in  
            combination with any required security code, access code, or  
            password that would permit access to an individual's financial  
            account; medical information; or health insurance information.

          This bill expands the scope of "personal information," for  
          purposes of the breach notification statute, to include a user  
          name or email address, acquired in combination with a password  
          or security question and answer that permits access to an online  

          In 2003, California's first-in-the nation security breach  
          notification law went into effect.  Since that time, all but  
          four states have enacted similar security breach notification  
          laws, and governments around the world are considering enacting  
          such laws.  California's security breach notification statute  
          requires state agencies and businesses to notify residents when  
          the security of their personal information, as defined, is  
          breached.  That notification ensures that residents are aware of  
          the breach and allows them to take appropriate actions to  
          mitigate or prevent potential financial losses due to fraudulent  



                                                                      SB 46

          activity, as well as to limit the potential dissemination of  
          personal information.

          A July 12, 2012, New York Times article entitled "Breach Extends  
          Beyond Yahoo to Gmail, Hotmail, AOL Users," chronicled an  
          example of a recent security breach that likely involved the  
          personal information of California consumers.  That article  

               Another month, another major security breach.  Yahoo  
               confirmed Thursday that about 400,000 user names and  
               passwords to Yahoo and other companies were stolen on  

               A group of hackers, known as the D33D Company, posted  
               online the user names and passwords for what appeared to be  
               453,492 accounts belonging to Yahoo, and also Gmail, AOL,  
               Hotmail, Comcast, MSN, SBC Global, Verizon, BellSouth and  

               The hackers wrote a brief footnote to the data dump, which  
               has since been taken offline:  "We hope that the parties  
               responsible for managing the security of this subdomain  
               will take this as a wake-up call, and not as a threat."

               The breach comes just one month after millions of user  
               passwords for LinkedIn, the online social network for  
               professionals, were exposed by hackers who breached its  
               systems.  The breaches highlight the ease with which  
               hackers are able to infiltrate systems, even at some of the  
               most widely used and sophisticated technology companies.

          The California Attorney General notes that "[w]ith 12.6 million  
          victims in 2012, including over 1 million Californians, identity  
          theft continues to be a significant crime."  The Attorney  
          General's specialized eCrime Unit finds, along with other law  
          enforcement agencies, that increasingly "criminals are targeting  
          Internet Web sites with inadequate security, including some  
          social media Internet Web sites, to harvest email addresses,  
          user names, and passwords," and "[b]ecause most people do not  
          use unique passwords for each of their accounts, acquiring the  
          information on one account can give a thief access to [many  
          different] accounts."



                                                                      SB 46

           FISCAL EFFECT  :    Appropriation:  No   Fiscal Com.:  Yes    
          Local:  No

          According to the Senate Appropriations Committee:

                 Minor ongoing state costs, as the California Technology  
               Agency has indicated that state entities are already  
               required to identify all data elements involved in a data  
               breach, including the data elements added under the  
               provisions of this bill.

                 Minor, absorbable costs to the Department of Justice to  
               electronically receive copies of security breach  
               notifications affecting more than 500 residents.

           SUPPORT  :   (Verified  5/15/13)

          Consumer Federation of California
          Office of the Attorney General
          Privacy Rights Clearinghouse

           ARGUMENTS IN SUPPORT  :    According to the author's office:

            Senate Bill 46 strengthens computer account protections for  
            the public by requiring the state and any person or  
            companies operating in California who maintain computerized  
            data about their clients or customers to notify them when  
            his/her password, username, or answers to security questions  
            have been [breached] for an online account.

            SB 46 provides real-time notification that someone may have  
            obtained your password, username, or answers to your  
            security questions so the client or customer can immediately  
            change their access information and prevent or limit  
            financial losses and theft of personal data.

          (AL:nl):ej  5/15/13   Senate Floor Analyses 

                           SUPPORT/OPPOSITION:  SEE ABOVE

                                   ****  END  ****



                                                                      SB 46