BILL ANALYSIS
SB 46
Page 1
Date of Hearing: June 18, 2013
ASSEMBLY COMMITTEE ON JUDICIARY
Bob Wieckowski, Chair
SB 46 (Corbett) - As Amended: April 15, 2013
PROPOSED CONSENT
SENATE VOTE : 37-0
SUBJECT : PERSONAL INFORMATION: SECURITY BREACH REQUIREMENTS
KEY ISSUE : Should the personal information subject to existing
security breach requirements include a user name or email
address in combination with a password or security question and
answer that otherwise might permit improper AND DANGEROUS access
to an online account?
FISCAL EFFECT : As currently in print this bill is keyed fiscal.
SYNOPSIS
In 2003, California's first-in-the-nation security breach
notification law went into effect. Since that time, all but
four states have enacted similar security breach notification
laws, and governments around the world are considering enacting
such laws. California's security breach notification statute
requires state agencies and businesses to notify residents when
the security of their personal information, as defined, is
breached. That notification ensures that residents are aware of
the breach and allows them to take appropriate actions to
mitigate or prevent potential financial losses due to fraudulent
activity, as well as to limit the potential dissemination of
personal information. This non-controversial bill appropriately
seeks to expand the personal information subject to existing
security breach requirements to include a user name or email
address in combination with a password or security question and
answer that otherwise might permit improper and dangerous access
to an online account. The bill is supported by the Consumer
Federation of California, Privacy Rights Clearinghouse, and the
Department of Justice. It has no known opposition.
SUMMARY : Expands the personal information subject to existing
security breach requirements to include a user name or email
address in combination with a password or security question and
answer that otherwise might permit improper and dangerous access
to an online account. Specifically, this bill defines personal
information in the security breach law to include a user name or
address, in combination with a password or security question and
answer, which could permit improper access to an online account.
EXISTING LAW :
1) Provides that any agency, person or business that owns or
licenses computerized data that includes personal information
must disclose any security breach that leads or would
reasonably be believed to lead to unauthorized persons
obtaining unencrypted personal information. (Civil Code
Sections 1798.29(a) and 1798.82(a).)
2) Defines personal information as an individual's first name or
first initial and last name, in combination with any one or
more of the following data elements, when either the name or
the data elements are not encrypted: 1) social security
number; 2) driver's license number or California
identification number; 3) account number, credit or debit card
number, in combination with any required security code, or
password that would permit access to an individual's financial
account; 4) medical information; and 5) health insurance
information. (Civil Code Section 1798.29(e).)
COMMENTS : In 2003 California first enacted laws to ensure
residents are informed of data breaches aimed at the types of
personal information identity thieves sought most often at the
time: financial information such as bank account numbers,
driver's license numbers and social security numbers. Current
law also defines personal information to include medical history
and health insurance information. Since then, all but four
states have enacted similar laws.
Despite the rise in online banking, shopping and other financial
transactions, public agencies and private businesses are not
required to give notification of a data breach when a user name,
security question or password is compromised. To keep up with
recent identity theft threats, this bill would update
California's data breach laws by broadening the definition of
personal information to include a user name or address, in
combination with a password or security question and answer that
would permit access to an online account.
According to the author:
[This bill] strengthens computer account protections
for the public by requiring the state and any person or
companies operating in California who maintain
computerized data about their clients or customers to
notify them when his or her password, username, or
answers to security questions have been [breached] for
an online account.
SB 46 provides real-time notification that someone may
have obtained your password, username, or answers to
your security questions so the client or customer can
immediately change their access information and prevent
or limit financial losses and theft of personal data.
Real-time notification would give California consumers
equal protection under the law.
A July 12, 2012, New York Times article entitled "Breach Extends
Beyond Yahoo to Gmail, Hotmail, AOL Users," chronicled an
example of a recent security breach that likely involved the
personal information of California consumers. That article
reported:
Another month, another major security breach. Yahoo
confirmed Thursday that about 400,000 user names and
passwords to Yahoo and other companies were stolen on
Wednesday.
A group of hackers, known as the D33D Company, posted
online the user names and passwords for what appeared
to be 453,492 accounts belonging to Yahoo, and also
Gmail, AOL, Hotmail, Comcast, MSN, SBC Global,
Verizon, BellSouth and Live.com users.
The hackers wrote a brief footnote to the data dump,
which has since been taken offline: "We hope that the
parties responsible for managing the security of this
subdomain will take this as a wake-up call, and not as
a threat."
The breach comes just one month after millions of user
passwords for LinkedIn, the online social network for
professionals, were exposed by hackers who breached
its systems. The breaches highlight the ease with
which hackers are able to infiltrate systems, even at
some of the most widely used and sophisticated
technology companies.
The California Attorney General notes that "[w]ith 12.6 million
victims in 2012, including over 1 million Californians, identity
theft continues to be a significant crime." The Attorney
General's specialized eCrime Unit finds, along with other law
enforcement agencies, that increasingly "criminals are targeting
websites with inadequate security, including some social media
websites, to harvest email addresses, user names, and
passwords," and "[b]ecause most people do not use unique
passwords for each of their accounts, acquiring the information
on one account can give a thief access to [many different]
accounts."
Responding to the increasing frequency of this type of security
breach, this bill would expand the coverage of California's
security breach notification law by specifically including user
names and email addresses, when compromised in conjunction with
passwords and security questions and answers.
Arguments in Support : The Consumer Federation of California,
the Privacy Rights Clearinghouse and the California Department
of Justice (DOJ) all support this bill, citing the need to
update California's 10-year-old personal information protection
laws. Specifically, the DOJ finds that criminals are more often
targeting websites, especially social networking sites, to find
personal information like email addresses that are used as user
names for other online accounts. Additionally, the DOJ points
to a recent case where a male hacker targeted and compromised
women's email accounts by finding answers to their security
questions on their social networking sites. The hacker was then
able to use the women's email accounts to blackmail them into
sending him nude or semi-nude photos of themselves. Police were
able to track down 46 victims. According to the DOJ, over 1
million Californians had their identities stolen in 2012.
The Privacy Rights Clearinghouse notes in support that "many
individuals compound their exposure to financial loss and theft
of personal data when they use the same password or username or
answer to a security question for some or all of their online
accounts. Thus a breach of one online account can have a
cascading effect upon the user's other accounts."
Right to Privacy in California : It should also be noted that
the right to privacy is a fundamental right protected by section
1, article I of the California Constitution. The Legislature
has expressly codified that:
(1) The right to privacy is being threatened by the
indiscriminate collection, maintenance, and
dissemination of personal information and the lack of
effective laws and legal remedies.
(2) The increasing use of computers and other
sophisticated information technology has greatly
magnified the potential risk to individual privacy
that can occur from the maintenance of personal
information.
(3) In order to protect the privacy of individuals, it
is necessary that the maintenance and dissemination of
personal information be subject to strict limits.
(Civ. Code Sec. 1798.1 (emphasis added).)
As a result, expanding the scope of personal information subject
to existing security breach notification procedures would
manifestly further the Legislature's longstanding policy of
providing effective laws to protect an individual's privacy.
REGISTERED SUPPORT / OPPOSITION :
Support
Consumer Federation of California
Privacy Rights Clearinghouse
California Department of Justice
Opposition
None on file
Analysis Prepared by : Drew Liebert and Kelly Bradfield / JUD.
/ (916) 319-2334