BILL ANALYSIS                                                                                                                                                                                                    

                                                                  SB 46
                                                                  Page  1

          SB 46 (Corbett)
          As Amended April 15, 2013
          Majority vote 

           SENATE VOTE  :37-0  
           JUDICIARY           9-0         APPROPRIATIONS      17-0        
          |Ayes:|Wieckowski, Wagner,       |Ayes:|Gatto, Harkey, Bigelow,   |
          |     |Alejo, Chau, Dickinson,   |     |Bocanegra, Bradford, Ian  |
          |     |Garcia, Maienschein,      |     |Calderon, Campos,         |
          |     |Muratsuchi, Stone         |     |Donnelly, Eggman, Gomez,  |
          |     |                          |     |Hall, Holden, Linder,     |
          |     |                          |     |Pan, Quirk, Wagner, Weber |
          |     |                          |     |                          |
           SUMMARY  :  Expands the personal information subject to existing  
          security breach requirements to include a user name or email  
          address in combination with a password or security question and  
          answer that otherwise might permit improper and dangerous access  
          to an online account.  Specifically,  this bill  defines personal  
          information in the security breach law to include a user name or  
          address, in combination with a password or security question and  
          answer, which could permit improper access to an online account.

           FISCAL EFFECT  :  According to the Assembly Appropriations  
          Committee, minor ongoing costs.  The California Technology  
          Agency indicates state agencies are already required to identify  
          all data elements involved in a data breach, including the data  
          elements added by this bill. 
          COMMENTS :  In 2003 California first enacted laws to ensure  
          residents are informed of data breaches aimed at the types of  
          personal information identity thieves sought most often at the  
          time:  financial information such as bank account numbers,  
          driver's license numbers and social security numbers.  Current  
          law also defines personal information to include medical history  
          and health insurance information.  Since then all but four  
          states have enacted similar laws. 

          Despite the rise in online banking, shopping and other financial  


                                                                  SB 46
                                                                  Page  2

          transactions, public agencies and private businesses are not  
          required to give notification of a data breach when a user name,  
          security question or password are compromised.  This bill would  
          update California's data breach laws by broadening the  
          definition of personal information to include a user name or  
          address, in combination with a password or security question and  
          answer that would permit access to an online account to keep up  
          with recent identity theft threats. 

          A July 12, 2012, New York Times article entitled "Breach Extends  
          Beyond Yahoo to Gmail, Hotmail, AOL Users," chronicled an  
          example of a recent security breach that likely involved the  
          personal information of California consumers.  That article  

               Another month, another major security breach.  Yahoo  
               confirmed Thursday that about 400,000 user names and  
               passwords to Yahoo and other companies were stolen on  

               A group of hackers, known as the D33D Company, posted  
               online the user names and passwords for what appeared  
               to be 453,492 accounts belonging to Yahoo, and also  
               Gmail, AOL, Hotmail, Comcast, MSN, SBC Global,  
               Verizon, BellSouth and users.

               The hackers wrote a brief footnote to the data dump,  
               which has since been taken offline: "We hope that the  
               parties responsible for managing the security of this  
               subdomain will take this as a wake-up call, and not as  
               a threat."

               The breach comes just one month after millions of user  
               passwords for LinkedIn, the online social network for  
               professionals, were exposed by hackers who breached  
               its systems.  The breaches highlight the ease with  
               which hackers are able to infiltrate systems, even at  
               some of the most widely used and sophisticated  
               technology companies.

          The California Attorney General notes that "[w]ith 12.6 million  
          victims in 2012, including over 1 million Californians, identity  
          theft continues to be a significant crime."  The Attorney  
          General's specialized eCrime Unit finds, along with other law  


                                                                  SB 46
                                                                  Page  3

          enforcement agencies, that increasingly "criminals are targeting  
          websites with inadequate security, including some social media  
          websites, to harvest email addresses, user names, and  
          passwords," and "[b]ecause most people do not use unique  
          passwords for each of their accounts, acquiring the information  
          on one account can give a thief access to [many different]  

           Analysis Prepared by  :   Drew Liebert / JUD. / (916) 319-2334 

                                                                FN: 0001586