BILL ANALYSIS
SB 46
Page 1
SENATE THIRD READING
SB 46 (Corbett)
As Amended April 15, 2013
Majority vote
SENATE VOTE: 37-0

JUDICIARY 9-0
Ayes: Wieckowski, Wagner, Alejo, Chau, Dickinson, Garcia, Maienschein, Muratsuchi, Stone

APPROPRIATIONS 17-0
Ayes: Gatto, Harkey, Bigelow, Bocanegra, Bradford, Ian Calderon, Campos, Donnelly, Eggman, Gomez, Hall, Holden, Linder, Pan, Quirk, Wagner, Weber
SUMMARY: Expands the personal information subject to existing
security breach requirements to include a user name or email
address in combination with a password or security question and
answer that otherwise might permit improper and dangerous access
to an online account. Specifically, this bill defines personal
information in the security breach law to include a user name or
email address, in combination with a password or security question
and answer, which could permit improper access to an online account.
FISCAL EFFECT: According to the Assembly Appropriations
Committee, minor ongoing costs. The California Technology
Agency indicates state agencies are already required to identify
all data elements involved in a data breach, including the data
elements added by this bill.
COMMENTS: In 2003 California first enacted laws to ensure
residents are informed of data breaches aimed at the types of
personal information identity thieves sought most often at the
time: financial information such as bank account numbers,
driver's license numbers and social security numbers. Current
law also defines personal information to include medical history
and health insurance information. Since then all but four
states have enacted similar laws.
Despite the rise in online banking, shopping and other financial
transactions, public agencies and private businesses are not
required to give notification of a data breach when a user name,
security question or password is compromised. To keep up with
recent identity theft threats, this bill would update California's
data breach laws by broadening the definition of personal
information to include a user name or email address, in
combination with a password or security question and answer, that
would permit access to an online account.
A July 12, 2012, New York Times article entitled "Breach Extends
Beyond Yahoo to Gmail, Hotmail, AOL Users," chronicled an
example of a recent security breach that likely involved the
personal information of California consumers. That article
reported:
Another month, another major security breach. Yahoo
confirmed Thursday that about 400,000 user names and
passwords to Yahoo and other companies were stolen on
Wednesday.
A group of hackers, known as the D33D Company, posted
online the user names and passwords for what appeared
to be 453,492 accounts belonging to Yahoo, and also
Gmail, AOL, Hotmail, Comcast, MSN, SBC Global,
Verizon, BellSouth and Live.com users.
The hackers wrote a brief footnote to the data dump,
which has since been taken offline: "We hope that the
parties responsible for managing the security of this
subdomain will take this as a wake-up call, and not as
a threat."
The breach comes just one month after millions of user
passwords for LinkedIn, the online social network for
professionals, were exposed by hackers who breached
its systems. The breaches highlight the ease with
which hackers are able to infiltrate systems, even at
some of the most widely used and sophisticated
technology companies.
The California Attorney General notes that "[w]ith 12.6 million
victims in 2012, including over 1 million Californians, identity
theft continues to be a significant crime." The Attorney
General's specialized eCrime Unit finds, along with other law
enforcement agencies, that increasingly "criminals are targeting
websites with inadequate security, including some social media
websites, to harvest email addresses, user names, and
passwords," and "[b]ecause most people do not use unique
passwords for each of their accounts, acquiring the information
on one account can give a thief access to [many different]
accounts."
Analysis Prepared by: Drew Liebert / JUD. / (916) 319-2334
FN: 0001586