BILL ANALYSIS                                                                                                                                                                                                    

                                                                  SB 46
                                                                  Page  1

          Date of Hearing:   July 3, 2013

                                  Mike Gatto, Chair

                    SB 46 (Corbett) - As Amended:  April 15, 2013 

          Policy Committee:                             JudiciaryVote:9-0  

          Urgency:     No                   State Mandated Local Program:  
          No     Reimbursable:               


          This bill expands the types of personal information subject to  
          security breach notification requirements to include a user name  
          or email address in combination with a password or security  
          question and answer that would permit improper access to an  
          online account.

           FISCAL EFFECT  

          Minor ongoing costs. The California Technology Agency indicates  
          state agencies are already required to identify all data  
          elements involved in a data breach, including the data elements  
          added by this bill. 


           Background and Purpose  . California's first-in-the nation  
          security breach notification law, enacted in 2003, requires  
          state agencies and businesses to notify residents of a security  
          breach of their personal information, as defined. (All but four  
          states have since enacted similar laws.) Current law specifies  
          the information to be included in the notification and the  
          timelines within which to notify affected residents. In  
          addition, state agencies must submit to the Attorney General a  
          sample copy of the security breach notification when a breach  
          affects more than 500 residents.

          The initial legislation was intended to ensure residents were  
          informed of data breaches involving the types of personal  
          information identity thieves most often sought at that time:  
          financial information, such as bank account numbers, driver's  


                                                                  SB 46
                                                                  Page  2

          license numbers and social security numbers. Currently, the law  
          also defines personal information to include medical history and  
          health insurance information.  

          Despite the rise in online banking, shopping and other financial  
          transactions, public agencies and private businesses are not  
          required to give notification of a data breach when a user name,  
          security question or password are compromised. To keep up with  
          recent identity theft threats, SB 46 broadens the law's  
          definition of personal information to include a user name or  
          address, in combination with a password or security question and  
          answer that would permit access to an online account.

           Analysis Prepared by  :    Chuck Nicol / APPR. / (916) 319-2081