BILL ANALYSIS
Senate Appropriations Committee Fiscal Summary
Senator Kevin de León, Chair

SB 46 (Corbett) - Personal information: privacy.
Amended: April 15, 2013
Policy Vote: Judiciary 6-0
Urgency: No
Mandate: No
Hearing Date: May 6, 2013
Consultant: Jolie Onodera

This bill does not meet the criteria for referral to the Suspense File.

Bill Summary: SB 46 would expand the scope of personal information subject to existing security breach notification requirements to include a user name or email address, in combination with a password or security question and answer that would permit access to an online account.

Fiscal Impact: Minor ongoing state costs, as the California Technology Agency has indicated that state entities are already required to identify all data elements involved in a data breach, including the data elements added under the provisions of this bill. Minor, absorbable costs to the Department of Justice (DOJ) to electronically receive copies of security breach notifications affecting more than 500 residents.

Background: Existing law requires any state agency, and any person or business conducting business in this state that owns or licenses computerized data that includes personal information, to disclose any security breach concerning that data to any California resident whose unencrypted personal information was, or is believed to have been, acquired by an unauthorized person. This notification ensures that residents are aware of the breach and allows for appropriate action to mitigate or prevent potential financial losses and to limit the potential dissemination of personal information through fraudulent activity. Current law specifies the information to be included in the notification and the timelines within which affected residents must be notified.

In addition, current law requires agencies to electronically submit to the Attorney General a sample copy of a security breach notification whenever a single breach of the system affects more than 500 residents. This bill seeks to expand the coverage of California's security breach notification laws by specifically including user names and email addresses when they are compromised in conjunction with passwords or security questions and answers.

Proposed Law: This bill would expand the scope of personal information subject to existing security breach notification requirements to include a user name or email address, in combination with a password or security question and answer that would permit access to an online account.

Related Legislation: AB 1149 (Campos) 2013 would expand existing disclosure requirements concerning breaches of computerized data owned or licensed by state agencies to "local agencies," as defined. This bill is currently pending a hearing in the Assembly Committee on Judiciary.

Staff Comments: By expanding the scope of personal information subject to existing security breach notification requirements, this bill could result in increased administrative costs to state agencies for additional security breach notifications to all affected persons. The California Technology Agency (CTA) has indicated that, although there would be costs associated with the breach notification process for any incidents involving the additional notice-triggering data elements, costs to state agencies are projected to be minor because state entities are already required to identify all data elements involved in a data breach, including the data elements added by this bill. In addition, very few reports of data breaches involving these particular data elements have been encountered.

The State Administrative Manual (SAM) Section 5350.2 outlines the current reporting criteria for state entities, which include any incident involving information classified as confidential, personal or sensitive (user account credentials are considered confidential information). Per CTA standard operating procedures, when following up with state government entities, all data elements associated with any compromise involving information classified as confidential, personal, or sensitive are identified. CTA also indicated that state entities subject to these policies are required to report these types of incidents, and that appropriate corrective action would include notifying the user to change their password. While costs to the state are estimated to be minor, costs to private industry may be greater, given the types of publicized incidents involving numerous free electronic mail account providers.