BILL ANALYSIS
Senate Appropriations Committee Fiscal Summary
Senator Kevin de León, Chair
SB 46 (Corbett) - Personal information: privacy.
Amended: April 15, 2013
Policy Vote: Judiciary 6-0
Urgency: No
Mandate: No
Hearing Date: May 6, 2013
Consultant: Jolie Onodera
This bill does not meet the criteria for referral to the
Suspense File.
Bill Summary: SB 46 would expand the scope of personal
information subject to existing security breach notification
requirements to include a user name or email address, in
combination with a password or security question and answer that
would permit access to an online account.
Fiscal Impact:
Minor ongoing state costs, as the California Technology
Agency has indicated that state entities are already
required to identify all data elements involved in a data
breach, including the data elements added under the
provisions of this bill.
Minor, absorbable costs to the Department of Justice
(DOJ) to electronically receive copies of security breach
notifications affecting more than 500 residents.
Background: Existing law requires any state agency, and any
person or business conducting business in this state that owns
or licenses computerized data that includes personal information
to disclose any security breach concerning that data to any
California resident whose unencrypted personal information was,
or is believed to have been, acquired by an unauthorized person.
This notification ensures that residents are aware of the breach
and allows for appropriate action to mitigate or prevent
potential financial losses and limit the potential dissemination
of personal information due to fraudulent activity.
Current law specifies the information to be included in the
notification and the timelines within which to notify affected
residents. In addition, current law requires agencies to
electronically submit to the Attorney General a sample copy of a
security breach notification in which the single breach of the
system affects more than 500 residents.
This bill seeks to expand the coverage of California's security
breach notification laws by specifically including user names
and email addresses, when compromised in conjunction with
passwords and security questions/answers.
Proposed Law: This bill would expand the scope of personal
information subject to existing security breach notification
requirements to include a user name or email address, in
combination with a password or security question and answer that
would permit access to an online account.
Related Legislation: AB 1149 (Campos) 2013 would expand existing
disclosure requirements concerning breaches of computerized data
owned or licensed by state agencies to "local agencies," as
defined. AB 1149 is currently pending a hearing in the
Assembly Committee on Judiciary.
Staff Comments: By expanding the scope of personal information
subject to existing security breach notification requirements, this
bill could result in increased administrative costs to state
agencies for increased security breach notifications to all
affected persons.
The California Technology Agency (CTA) has indicated that
although there would be costs associated with the breach
notification process for any incidents involving the additional
notice-triggering data elements, costs to state agencies are
projected to be minor due to the fact that state entities are
currently required to identify all data elements involved in a
data breach, including the data elements added by this bill. In
addition, very few reports of data breaches involving these
particular data elements have been encountered.
The State Administrative Manual (SAM) Section 5350.2 outlines
the current reporting criteria for state entities, which include
any incident involving information classified as confidential,
personal, or sensitive (user account credentials are considered
confidential information). Per CTA standard operating
procedures, when following up with state government entities,
CTA identifies all data elements associated with any compromise
involving information classified as confidential, personal, or
sensitive. CTA also indicated that state entities subject to
these policies are required to report these types of incidents,
and appropriate corrective action would include notifying the
user to change their password.
While costs to the state are estimated to be minor, costs to
private industry may be greater due to the types of publicized
incidents involving numerous free electronic mail account
providers.