BILL ANALYSIS
SB 46
Page 1

SENATE THIRD READING
SB 46 (Corbett)
As Amended April 15, 2013
Majority vote

SENATE VOTE: 37-0

JUDICIARY 9-0
Ayes: Wieckowski, Wagner, Alejo, Chau, Dickinson, Garcia, Maienschein, Muratsuchi, Stone

APPROPRIATIONS 17-0
Ayes: Gatto, Harkey, Bigelow, Bocanegra, Bradford, Ian Calderon, Campos, Donnelly, Eggman, Gomez, Hall, Holden, Linder, Pan, Quirk, Wagner, Weber

SUMMARY: Expands the personal information subject to existing security breach notification requirements to include a user name or email address, in combination with a password or security question and answer, that would permit improper access to an online account. Specifically, this bill defines "personal information" in the security breach law to include a user name or email address, in combination with a password or security question and answer, that would permit access to an online account.

FISCAL EFFECT: According to the Assembly Appropriations Committee, minor ongoing costs. The California Technology Agency indicates that state agencies are already required to identify all data elements involved in a data breach, including the data elements added by this bill.

COMMENTS: In 2003 California first enacted laws to ensure that residents are informed of data breaches involving the types of personal information identity thieves sought most often at the time: bank account numbers, driver's license numbers and Social Security numbers. Current law also defines personal information to include medical history and health insurance information. Since then, all but four states have enacted similar laws.
Despite the rise in online banking, shopping and other financial transactions, public agencies and private businesses are not required to give notification of a data breach when a user name, security question or password is compromised. This bill would update California's data breach laws by broadening the definition of personal information to include a user name or email address, in combination with a password or security question and answer, that would permit access to an online account, keeping the law current with recent identity theft threats.

A July 12, 2012, New York Times article entitled "Breach Extends Beyond Yahoo to Gmail, Hotmail, AOL Users" chronicled an example of a recent security breach that likely involved the personal information of California consumers. That article reported:

Another month, another major security breach. Yahoo confirmed Thursday that about 400,000 user names and passwords to Yahoo and other companies were stolen on Wednesday. A group of hackers, known as the D33D Company, posted online the user names and passwords for what appeared to be 453,492 accounts belonging to Yahoo, and also Gmail, AOL, Hotmail, Comcast, MSN, SBC Global, Verizon, BellSouth and Live.com users. The hackers wrote a brief footnote to the data dump, which has since been taken offline: "We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat." The breach comes just one month after millions of user passwords for LinkedIn, the online social network for professionals, were exposed by hackers who breached its systems. The breaches highlight the ease with which hackers are able to infiltrate systems, even at some of the most widely used and sophisticated technology companies.

The California Attorney General notes that "[w]ith 12.6 million victims in 2012, including over 1 million Californians, identity theft continues to be a significant crime."
The Attorney General's specialized eCrime Unit finds, along with other law enforcement agencies, that increasingly "criminals are targeting websites with inadequate security, including some social media websites, to harvest email addresses, user names, and passwords," and "[b]ecause most people do not use unique passwords for each of their accounts, acquiring the information on one account can give a thief access to [many different] accounts."

Analysis Prepared by: Drew Liebert / JUD. / (916) 319-2334
FN: 0001586