BILL ANALYSIS

-----------------------------------------------------------------
SENATE RULES COMMITTEE                                      SB 46
Office of Senate Floor Analyses
1020 N Street, Suite 524
(916) 651-1520   Fax: (916) 327-4478
-----------------------------------------------------------------

THIRD READING

Bill No:  SB 46
Author:   Corbett (D)
Amended:  4/15/13
Vote:     21

SENATE JUDICIARY COMMITTEE: 6-0, 4/23/13
AYES: Evans, Anderson, Corbett, Jackson, Leno, Monning
NO VOTE RECORDED: Walters

SENATE APPROPRIATIONS COMMITTEE: 5-0, 5/13/13
AYES: De León, Hill, Lara, Padilla, Steinberg
NO VOTE RECORDED: Walters, Gaines

SUBJECT: Personal information: privacy

SOURCE: Author

DIGEST: This bill expands the scope of personal information subject to existing security breach disclosure requirements to include a user name or email address, in combination with a password or security question and answer that permits access to an online account.

ANALYSIS:

Existing law:

1. Requires any agency, person, or business that owns or licenses computerized data that includes personal information to disclose a breach of the security of the system to any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as specified.

2. Requires any agency, person, or business that maintains computerized data that includes personal information that the agency, person, or business does not own to notify the owner or licensee of the information of any security breach immediately following discovery if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
3. Defines "personal information," for purposes of the breach notification statute, to include the individual's first name or first initial and last name in combination with one or more of the following data elements, when either the name or the data elements are not encrypted: social security number; driver's license number or California Identification Card number; account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account; medical information; or health insurance information.

This bill expands the scope of "personal information," for purposes of the breach notification statute, to include a user name or email address, acquired in combination with a password or security question and answer that permits access to an online account.

Background

In 2003, California's first-in-the-nation security breach notification law went into effect. Since that time, all but four states have enacted similar security breach notification laws, and governments around the world are considering enacting such laws. California's security breach notification statute requires state agencies and businesses to notify residents when the security of their personal information, as defined, is breached. That notification ensures that residents are aware of the breach and allows them to take appropriate actions to mitigate or prevent potential financial losses due to fraudulent activity, as well as to limit the potential dissemination of personal information.

A July 12, 2012, New York Times article entitled "Breach Extends Beyond Yahoo to Gmail, Hotmail, AOL Users" chronicled an example of a recent security breach that likely involved the personal information of California consumers. That article reported:

    Another month, another major security breach.
    Yahoo confirmed Thursday that about 400,000 user names and passwords to Yahoo and other companies were stolen on Wednesday. A group of hackers, known as the D33D Company, posted online the user names and passwords for what appeared to be 453,492 accounts belonging to Yahoo, and also Gmail, AOL, Hotmail, Comcast, MSN, SBC Global, Verizon, BellSouth and Live.com users.

    The hackers wrote a brief footnote to the data dump, which has since been taken offline: "We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat."

    The breach comes just one month after millions of user passwords for LinkedIn, the online social network for professionals, were exposed by hackers who breached its systems. The breaches highlight the ease with which hackers are able to infiltrate systems, even at some of the most widely used and sophisticated technology companies.

The California Attorney General notes that "[w]ith 12.6 million victims in 2012, including over 1 million Californians, identity theft continues to be a significant crime." The Attorney General's specialized eCrime Unit finds, along with other law enforcement agencies, that increasingly "criminals are targeting Internet Web sites with inadequate security, including some social media Internet Web sites, to harvest email addresses, user names, and passwords," and "[b]ecause most people do not use unique passwords for each of their accounts, acquiring the information on one account can give a thief access to [many different] accounts."

FISCAL EFFECT: Appropriation: No   Fiscal Com.: Yes   Local: No

According to the Senate Appropriations Committee:

Minor ongoing state costs, as the California Technology Agency has indicated that state entities are already required to identify all data elements involved in a data breach, including the data elements added under the provisions of this bill.
Minor, absorbable costs to the Department of Justice to electronically receive copies of security breach notifications affecting more than 500 residents.

SUPPORT: (Verified 5/15/13)

Consumer Federation of California
Office of the Attorney General
Privacy Rights Clearinghouse

ARGUMENTS IN SUPPORT: According to the author's office:

    Senate Bill 46 strengthens computer account protections for the public by requiring the state and any person or companies operating in California who maintain computerized data about their clients or customers to notify them when his/her password, username, or answers to security questions have been [breached] for an online account. SB 46 provides real-time notification that someone may have obtained your password, username, or answers to your security questions so the client or customer can immediately change their access information and prevent or limit financial losses and theft of personal data.

(AL:nl):ej 5/15/13 Senate Floor Analyses

SUPPORT/OPPOSITION: SEE ABOVE

**** END ****