BILL ANALYSIS
SB 46
Page 1
SENATE THIRD READING
SB 46 (Corbett)
As Amended August 30, 2013
Majority vote
SENATE VOTE: 37-0

JUDICIARY 9-0
Ayes: Wieckowski, Wagner, Alejo, Chau, Dickinson, Garcia,
Maienschein, Muratsuchi, Stone

APPROPRIATIONS 17-0
Ayes: Gatto, Harkey, Bigelow, Bocanegra, Bradford, Ian Calderon,
Campos, Donnelly, Eggman, Gomez, Hall, Holden, Linder, Pan,
Quirk, Wagner, Weber

SUMMARY: Expands the personal information subject to existing
security breach requirements to include a user name or email
address in combination with a password or security question and
answer, as specified. Specifically, this bill:
1) Defines personal information in the security breach law to
include a user name or address, in combination with a password
or security question and answer, which could permit improper
access to an online account.
2) Specifies that in case of a breach of a user name or email
address, in combination with a password or security question
and answer, and no other personal information, the responsible
person or agency may comply with the notification requirement
by providing the security breach notification in electronic
form and direct the person whose information has been breached
to promptly change his or her user name or security question
and answer, as applicable, or to take other appropriate steps.
3) Specifies that in case of a breach of specified personal
information involving login credentials of an email account,
the responsible person or agency shall not comply by sending
the security breach notification to an email address, but may,
instead, comply with the notification requirement by another
method that provides clear and conspicuous notice, as
specified.
4) Specifies that for purposes of the provisions of this bill the
word "agency" includes a local agency.
5) Incorporates amendments of AB 1149 (Campos) of the current
legislative session for chaptering out purposes.
FISCAL EFFECT: According to the Assembly Appropriations
Committee, minor ongoing costs. The California Technology
Agency indicates state agencies are already required to identify
all data elements involved in a data breach, including the data
elements added by this bill.
COMMENTS: In 2003 California first enacted laws to ensure
residents are informed of data breaches aimed at the types of
personal information identity thieves sought most often at the
time: financial information such as bank account numbers,
driver's license numbers and social security numbers. Current
law also defines personal information to include medical history
and health insurance information. Since then all but four
states have enacted similar laws.
Despite the rise in online banking, shopping and other financial
transactions, public agencies and private businesses are not
required to give notification of a data breach when a user name,
security question or password is compromised. This bill would
update California's data breach laws to keep up with recent
identity theft threats by broadening the definition of personal
information to include a user name or address, in combination
with a password or security question and answer, that would
permit access to an online account.
A July 12, 2012, New York Times article entitled "Breach Extends
Beyond Yahoo to Gmail, Hotmail, AOL Users," chronicled an
example of a recent security breach that likely involved the
personal information of California consumers.
The California Attorney General notes that "[w]ith 12.6 million
victims in 2012, including over 1 million Californians, identity
theft continues to be a significant crime." The Attorney
General's specialized eCrime Unit finds, along with other law
enforcement agencies, that increasingly "criminals are targeting
websites with inadequate security, including some social media
websites, to harvest email addresses, user names, and
passwords," and "[b]ecause most people do not use unique
passwords for each of their accounts, acquiring the information
on one account can give a thief access to [many different]
accounts."
Analysis Prepared by: Thomas Clark / JUD. / (916) 319-2334
FN: 0001908