BILL ANALYSIS                                                                                                                                                                                                    



                                                                  SB 46
                                                                  Page  1

          SENATE THIRD READING
          SB 46 (Corbett)
          As Amended  August 30, 2013
          Majority vote 

           SENATE VOTE:  37-0
           
           JUDICIARY           9-0         APPROPRIATIONS      17-0        
           
           ----------------------------------------------------------------- 
          |Ayes:|Wieckowski, Wagner,       |Ayes:|Gatto, Harkey, Bigelow,   |
          |     |Alejo, Chau, Dickinson,   |     |Bocanegra, Bradford, Ian  |
          |     |Garcia, Maienschein,      |     |Calderon, Campos,         |
          |     |Muratsuchi, Stone         |     |Donnelly, Eggman, Gomez,  |
          |     |                          |     |Hall, Holden, Linder,     |
          |     |                          |     |Pan, Quirk, Wagner, Weber |
          |-----+--------------------------+-----+--------------------------|
          |     |                          |     |                          |
           ----------------------------------------------------------------- 
           SUMMARY:  Expands the personal information subject to existing
          security breach requirements to include a user name or email
          address in combination with a password or security question and
          answer, as specified.  Specifically, this bill:

          1)Defines personal information in the security breach law to  
            include a user name or address, in combination with a password  
            or security question and answer, which could permit improper  
            access to an online account.

          2)Specifies that in case of a breach of a user name or email  
            address, in combination with a password or security question  
            and answer, and no other personal information, the responsible  
            person or agency may comply with the notification requirement  
            by providing the security breach notification in electronic  
            form and direct the person whose information has been breached  
            to promptly change his or her user name or security question  
            and answer, as applicable, or to take other appropriate steps.  
             

          3)Specifies that in case of a breach of specified personal  
            information involving login credentials of an email account,  
            the responsible person or agency shall not comply by sending  
            the security breach notification to an email address, but may,  
            instead, comply with the notification requirement by another  
            method that provides clear and conspicuous notice, as
            specified.

          4)Specifies that for purposes of the provisions of this bill the  
            word "agency" includes a local agency.

          5)Incorporates amendments of AB 1149 (Campos) of the current  
            legislative session for chaptering out purposes.  
           
          FISCAL EFFECT:  According to the Assembly Appropriations
          Committee, minor ongoing costs.  The California Technology  
          Agency indicates state agencies are already required to identify  
          all data elements involved in a data breach, including the data  
          elements added by this bill. 
           
          COMMENTS:  In 2003 California first enacted laws to ensure
          residents are informed of data breaches aimed at the types of  
          personal information identity thieves sought most often at the  
          time:  financial information such as bank account numbers,  
          driver's license numbers and social security numbers.  Current  
          law also defines personal information to include medical history  
          and health insurance information.  Since then all but four  
          states have enacted similar laws. 

          Despite the rise in online banking, shopping and other financial
          transactions, public agencies and private businesses are not
          required to give notification of a data breach when a user name,
          security question or password is compromised.  This bill would
          update California's data breach laws to keep up with recent
          identity theft threats by broadening the definition of personal
          information to include a user name or address, in combination
          with a password or security question and answer, that would
          permit access to an online account.

          A July 12, 2012, New York Times article entitled "Breach Extends  
          Beyond Yahoo to Gmail, Hotmail, AOL Users," chronicled an  
          example of a recent security breach that likely involved the  
          personal information of California consumers.  

          The California Attorney General notes that "[w]ith 12.6 million  
          victims in 2012, including over 1 million Californians, identity  
          theft continues to be a significant crime."  The Attorney  
          General's specialized eCrime Unit finds, along with other law  
          enforcement agencies, that increasingly "criminals are targeting  
          websites with inadequate security, including some social media  
          websites, to harvest email addresses, user names, and
          passwords," and "[b]ecause most people do not use unique
          passwords for each of their accounts, acquiring the information  
          on one account can give a thief access to [many different]  
          accounts."


           Analysis Prepared by:  Thomas Clark / JUD. / (916) 319-2334


                                                                FN: 0001908