BILL ANALYSIS                                                                                                                                                                                                    



                                                                  SB 46
                                                                  Page  1

          Date of Hearing:  June 18, 2013

                           ASSEMBLY COMMITTEE ON JUDICIARY
                                Bob Wieckowski, Chair
                    SB 46 (Corbett) - As Amended:  April 15, 2013

                                  PROPOSED CONSENT

           SENATE VOTE  :  37-0
           
          SUBJECT  :  PERSONAL INFORMATION: SECURITY BREACH REQUIREMENTS

           KEY ISSUE  :  Should the personal information subject to existing  
          security breach requirements include a user name or email  
          address in combination with a password or security question and  
          answer that otherwise might permit improper and dangerous access  
          to an online account?

           FISCAL EFFECT  :  As currently in print this bill is keyed fiscal.

                                      SYNOPSIS
           
          In 2003, California's first-in-the-nation security breach  
          notification law went into effect.  Since that time, all but  
          four states have enacted similar security breach notification  
          laws, and governments around the world are considering enacting  
          such laws.  California's security breach notification statute  
          requires state agencies and businesses to notify residents when  
          the security of their personal information, as defined, is  
          breached.  That notification ensures that residents are aware of  
          the breach and allows them to take appropriate actions to  
          mitigate or prevent potential financial losses due to fraudulent  
          activity, as well as to limit the potential dissemination of  
          personal information.  This non-controversial bill appropriately  
          seeks to expand the personal information subject to existing  
          security breach requirements to include a user name or email  
          address in combination with a password or security question and  
          answer that otherwise might permit improper and dangerous access  
          to an online account.  The bill is supported by the Consumer  
          Federation of California, Privacy Rights Clearinghouse, and the  
          Department of Justice.  It has no known opposition.

           SUMMARY  :  Expands the personal information subject to existing  
          security breach requirements to include a user name or email  
          address in combination with a password or security question and  
          answer that otherwise might permit improper and dangerous access  
          to an online account.  Specifically, this bill defines personal  
          information in the security breach law to include a user name or  
          email address, in combination with a password or security  
          question and answer, which could permit improper access to an  
          online account.

           EXISTING LAW  :

          1) Provides that any agency, person or business that owns or  
             licenses computerized data that includes personal information  
             must disclose any security breach that leads or would  
             reasonably be believed to lead to unauthorized persons  
             obtaining unencrypted personal information.  (Civil Code  
             Sections 1798.29(a) and 1798.82(a).)  

          2) Defines personal information as an individual's first name or  
             first initial and last name, in combination with any one or  
             more of the following data elements, when either the name or  
             the data elements are not encrypted: (a) social security  
             number; (b) driver's license number or California  
             identification number; (c) account number, credit or debit  
             card number, in combination with any required security code  
             or password that would permit access to an individual's  
             financial account; (d) medical information; and (e) health  
             insurance information.  (Civil Code Section 1798.29(e).)

           COMMENTS  :  In 2003 California first enacted laws to ensure  
          residents are informed of data breaches aimed at the types of  
          personal information identity thieves sought most often at the  
          time:  financial information such as bank account numbers,  
          driver's license numbers and social security numbers.  Current  
          law also defines personal information to include medical history  
          and health insurance information.  Since then, all but four  
          states have enacted similar laws. 

          Despite the rise in online banking, shopping and other financial  
          transactions, public agencies and private businesses are not  
          required to give notification of a data breach when a user name,  
          security question or password is compromised.  This bill would  
          update California's data breach laws to keep up with recent  
          identity theft threats by broadening the definition of personal  
          information to include a user name or email address, in  
          combination with a password or security question and answer,  
          that would permit access to an online account. 

          According to the author:

              [This bill] strengthens computer account protections  
              for the public by requiring the state and any person or  
              companies operating in California who maintain  
              computerized data about their clients or customers to  
              notify them when his or her password, username, or  
              answers to security questions have been [breached] for  
              an online account.

              SB 46 provides real-time notification that someone may  
              have obtained your password, username, or answers to  
              your security questions so the client or customer can  
              immediately change their access information and prevent  
              or limit financial losses and theft of personal data.

              Real-time notification would give California consumers  
              equal protection under the law.
           
           A July 12, 2012, New York Times article entitled "Breach Extends  
          Beyond Yahoo to Gmail, Hotmail, AOL Users," chronicled an  
          example of a recent security breach that likely involved the  
          personal information of California consumers.  That article  
          reported:

               Another month, another major security breach.  Yahoo  
               confirmed Thursday that about 400,000 user names and  
               passwords to Yahoo and other companies were stolen on  
               Wednesday.

               A group of hackers, known as the D33D Company, posted  
               online the user names and passwords for what appeared  
               to be 453,492 accounts belonging to Yahoo, and also  
               Gmail, AOL, Hotmail, Comcast, MSN, SBC Global,  
               Verizon, BellSouth and Live.com users.

               The hackers wrote a brief footnote to the data dump,  
               which has since been taken offline: "We hope that the  
               parties responsible for managing the security of this  
               subdomain will take this as a wake-up call, and not as  
               a threat."

               The breach comes just one month after millions of user  
               passwords for LinkedIn, the online social network for  
               professionals, were exposed by hackers who breached  
               its systems.  The breaches highlight the ease with  
               which hackers are able to infiltrate systems, even at  
               some of the most widely used and sophisticated  
               technology companies.

          The California Attorney General notes that "[w]ith 12.6 million  
          victims in 2012, including over 1 million Californians, identity  
          theft continues to be a significant crime."  The Attorney  
          General's specialized eCrime Unit finds, along with other law  
          enforcement agencies, that increasingly "criminals are targeting  
          websites with inadequate security, including some social media  
          websites, to harvest email addresses, user names, and  
          passwords," and "[b]ecause most people do not use unique  
          passwords for each of their accounts, acquiring the information  
          on one account can give a thief access to [many different]  
          accounts."

          Responding to the increasing frequency of this type of security  
          breach, this bill would expand the coverage of California's  
          security breach notification law by specifically including user  
          names and email addresses, when compromised in conjunction with  
          passwords and security questions and answers. 
           
          Arguments in Support  :  The Consumer Federation of California,  
          the Privacy Rights Clearinghouse and the California Department  
          of Justice (DOJ) all support this bill, citing the need to  
          update California's 10-year-old personal information protection  
          laws.  Specifically, the DOJ finds that criminals are more often  
          targeting websites, especially social networking sites, to find  
          personal information like email addresses that are used as user  
          names for other online accounts.  Additionally, the DOJ points  
          to a recent case where a male hacker targeted and compromised  
          women's email accounts by finding the answers to their security  
          questions on their social networking sites.  The hacker was then  
          able to use the women's email accounts to blackmail them into  
          sending him nude or semi-nude photos of themselves.  Police were  
          able to track down 46 victims.  According to the DOJ, over 1  
          million Californians had their identities stolen in 2012.

          The Privacy Rights Clearinghouse notes in support that "many  
          individuals compound their exposure to financial loss and theft  
          of personal data when they use the same password or username or  
          answer to a security question for some or all of their online  
          accounts.  Thus a breach of one online account can have a  
          cascading effect upon the user's other accounts." 

           Right to Privacy in California  :  It should also be noted that  
          the right to privacy is a fundamental right protected by section  
          1, article I of the California Constitution.  The Legislature  
          has expressly codified that: 

               (1) The right to privacy is being threatened by the  
               indiscriminate collection, maintenance, and  
               dissemination of personal information and the lack of  
               effective laws and legal remedies.

               (2) The increasing use of computers and other  
               sophisticated information technology has greatly  
               magnified the potential risk to individual privacy  
               that can occur from the maintenance of personal  
               information.

               (3) In order to protect the privacy of individuals, it  
               is necessary that the maintenance and dissemination of  
               personal information be subject to strict limits.  
               (Civ. Code Sec. 1798.1 (emphasis added).)  

          As a result, expanding the scope of personal information subject  
          to existing security breach notification procedures would  
          manifestly further the Legislature's longstanding policy of  
          providing effective laws to protect an individual's privacy.

           REGISTERED SUPPORT / OPPOSITION  :

           Support 
           
          Consumer Federation of California
          Privacy Rights Clearinghouse
          California Department of Justice

           Opposition 
           
          None on file

           Analysis Prepared by  :   Drew Liebert and Kelly Bradfield / JUD.  
          / (916) 319-2334 