BILL ANALYSIS                                                                                                                                                                                                    Ó




                   Senate Appropriations Committee Fiscal Summary
                            Senator Kevin de León, Chair


          SB 46 (Corbett) - Personal information: privacy.

          Amended: April 15, 2013         Policy Vote: Judiciary 6-0 
          Urgency: No                     Mandate: No
          Hearing Date: May 13, 2013      Consultant: Jolie Onodera
          
          This bill does not meet the criteria for referral to the  
          Suspense File.
          
          
          Bill Summary: SB 46 would expand the scope of personal  
          information subject to existing security breach security  
          requirements to include a user name or email address, in  
          combination with a password or security question and answer that  
          would permit access to an online account.

          Fiscal Impact: 
                 Minor ongoing state costs, as the California Technology  
               Agency has indicated that state entities are already  
               required to identify all data elements involved in a data  
               breach, including the data elements added under the  
               provisions of this bill. 
                 Minor, absorbable costs to the Department of Justice  
               (DOJ) to electronically receive copies of security breach  
               notifications affecting more than 500 residents.

          Background: Existing law requires any state agency, and any  
          person or business conducting business in this state that owns  
          or licenses computerized data that includes personal information  
          to disclose any security breach concerning that data to any  
          California resident whose unencrypted personal information was,  
          or is believed to have been, acquired by an unauthorized person.  
          This notification ensures that residents are aware of the breach  
          and allows for appropriate action to mitigate or prevent  
          potential financial losses and limit the potential dissemination  
          of personal information due to fraudulent activity. 

          Current law specifies the information to be included in the  
          notification and the timelines within which to notify affected  
          residents. In addition, current law requires agencies to  
          electronically submit to the Attorney General a sample copy of a  
          security breach notification in which the single breach of the  








          SB 46 (Corbett)
          Page 1


          system affects more than 500 residents.

          This bill seeks to expand the coverage of California's security  
          breach notification laws by specifically including user names  
          and email addresses, when compromised in conjunction with  
          passwords and security questions/answers.

          Proposed Law: This bill would expand the scope of personal  
          information subject to existing security breach security  
          requirements to include a user name or email address, in  
          combination with a password or security question and answer that  
          would permit access to an online account.

          Related Legislation: AB 1149 (Campos) 2013 would expand existing  
          disclosure requirements concerning breaches of computerized data  
          owned or licensed by state agencies to "local agencies," as  
          defined. This bill is currently pending a hearing in the  
          Assembly Committee on Judiciary.
          
          Staff Comments: By expanding the scope of personal information  
          subject to existing security breach security requirements, this  
          bill could result in increased administrative costs to state  
          agencies for increased security breach notifications to all  
          affected persons. 
          
          The California Technology Agency (CTA) has indicated that  
          although there would be costs associated with the breach  
          notification process for any incidents involving the additional  
          notice-triggering data elements, costs to state agencies are  
          projected to be minor due to the fact that state entities are  
          currently required to identify all data elements involved in a  
          data breach, including the data elements added by this bill. In  
          addition, very few reports of data breaches involving these  
          particular data elements have been encountered.

          The State Administrative Manual (SAM) Section 5350.2 outlines  
          the current reporting criteria for state entities which includes  
          any incident involving information classified as confidential,  
          personal or sensitive (user account credentials are considered  
          confidential information). Per CTA standard operating  
          procedures, when following up with state government entities,  
          all data elements associated with any compromise involving  
          information classified as confidential, personal, or sensitive,  
          are identified. CTA also indicated state entities subject to  








          SB 46 (Corbett)
          Page 2


          these policies are required to report these types of incidents,  
          and appropriate corrective action would include notifying the  
          user to change their password. 

          While costs to the state are estimated to be minor, costs to  
          private industry may be greater due to the types of publicized  
          incidents involving numerous free electronic mail account  
          providers.