BILL ANALYSIS



                                                                            



           ----------------------------------------------------------------- 
          |SENATE RULES COMMITTEE            |                         SB 46|
          |Office of Senate Floor Analyses   |                              |
          |1020 N Street, Suite 524          |                              |
          |(916) 651-1520                    |                              |
          |Fax: (916) 327-4478               |                              |
           ----------------------------------------------------------------- 
           
                                           
                                 UNFINISHED BUSINESS


          Bill No:  SB 46
          Author:   Corbett (D)
          Amended:  8/30/13
          Vote:     21


           SENATE JUDICIARY COMMITTEE  :  6-0, 4/23/13
          AYES:  Evans, Anderson, Corbett, Jackson, Leno, Monning
          NO VOTE RECORDED:  Walters

           SENATE APPROPRIATIONS COMMITTEE  :  5-0, 5/13/13
          AYES:  De León, Hill, Lara, Padilla, Steinberg
          NO VOTE RECORDED:  Walters, Gaines

           SENATE FLOOR  : 37-0, 5/16/13
          AYES:  Anderson, Beall, Berryhill, Block, Calderon, Cannella,  
            Corbett, Correa, De León, DeSaulnier, Emmerson, Evans, Fuller,  
            Gaines, Galgiani, Hancock, Hernandez, Hill, Hueso, Huff,  
            Jackson, Knight, Lara, Leno, Lieu, Liu, Monning, Nielsen,  
            Padilla, Pavley, Roth, Steinberg, Walters, Wolk, Wright,  
            Wyland, Yee
          NO VOTE RECORDED:  Price, Vacancy, Vacancy

           ASSEMBLY FLOOR  :  77-0, 9/3/13 - See last page for vote


           SUBJECT  :    Personal information:  privacy

           SOURCE  :     Author


           DIGEST  :    This bill expands the scope of personal information  
          subject to existing security breach disclosure requirements to  
          include a user name or email address, in combination with a  
          password or security question and answer that permits access to  
          an online account.  This bill also imposes additional  
          requirements on the disclosure of a breach of the security of  
          the system or data in situations where the breach involves  
          personal information that permits access to an online or email  
          account.

           Assembly Amendments  impose additional requirements on the  
          disclosure of a breach of the security of the system or data in  
          situations where the breach involves personal information that  
          would permit access to an online or email account, specify that  
          for purposes of this bill the word "agency" includes a local  
          agency, make technical and conforming changes and add language  
          to prevent chaptering out issues with AB 1149 (Campos).

          ANALYSIS  :    

          Existing law:

          1.Requires any agency, person, or business that owns or licenses  
            computerized data that includes personal information to  
            disclose a breach of the security of the system to any  
            California resident whose unencrypted personal information  
            was, or is reasonably believed to have been, acquired by an  
            unauthorized person.  The disclosure must be made in the most  
            expedient time possible and without unreasonable delay,  
            consistent with the legitimate needs of law enforcement, as  
            specified.

          2.Requires any agency, person, or business that maintains  
            computerized data that includes personal information that the  
            agency, person, or business does not own to notify the owner  
            or licensee of the information of any security breach  
            immediately following discovery if the personal information  
            was, or is reasonably believed to have been, acquired by an  
            unauthorized person.

          3.Defines "personal information," for purposes of the breach  
            notification statute, to include the individual's first name  
            or first initial and last name in combination with one or more  
            of the following data elements, when either the name or the  
            data elements are not encrypted:  social security number,  
            driver's license number or California Identification Card  
            number, account number, credit or debit card number, in  
            combination with any required security code, access code, or  
            password that would permit access to an individual's financial  
            account; medical information; or health insurance information.

          This bill:

          1.Expands the scope of "personal information," for purposes of  
            the breach notification statute, to include a user name or  
            email address, acquired in combination with a password or  
            security question and answer that permits access to an online  
            account.

          2.Specifies that in case of a breach of a user name or email  
            address, in combination with a password or security question  
            and answer, and no other personal information, the responsible  
            person or agency may comply with the notification requirement  
            by providing the security breach notification in electronic  
            form and direct the person whose information has been breached  
            to promptly change his/her user name or security question and  
            answer, as applicable, or to take other appropriate steps.

          3.Specifies that in case of a breach of specified personal  
            information involving login credentials of an email account,  
            the responsible person or agency does not comply by sending  
            the security breach notification to an email address, but may,  
            instead, comply with the notification requirement by another  
            method that provides clear and conspicuous notice, as  
            specified. 

          4.Specifies that for purposes of the provisions of this bill the  
            word "agency" includes a local agency. 

          5.Adds language to prevent chaptering-out issues with AB 1149  
            (Campos).

           Background
           
          In 2003, California's first-in-the-nation security breach  
          notification law went into effect.  Since that time, all but  
          four states have enacted similar security breach notification  
          laws, and governments around the world are considering enacting  
          such laws.  California's security breach notification statute  
          requires state agencies and businesses to notify residents when  
          the security of their personal information, as defined, is  
          breached.  That notification ensures that residents are aware of  
          the breach and allows them to take appropriate actions to  
          mitigate or prevent potential financial losses due to fraudulent  
          activity, as well as to limit the potential dissemination of  
          personal information.

          A July 12, 2012, New York Times article entitled "Breach Extends  
          Beyond Yahoo to Gmail, Hotmail, AOL Users," chronicled an  
          example of a recent security breach that likely involved the  
          personal information of California consumers.  That article  
          reported:

               Another month, another major security breach.  Yahoo  
               confirmed Thursday that about 400,000 user names and  
               passwords to Yahoo and other companies were stolen on  
               Wednesday.

               A group of hackers, known as the D33D Company, posted  
               online the user names and passwords for what appeared to be  
               453,492 accounts belonging to Yahoo, and also Gmail, AOL,  
               Hotmail, Comcast, MSN, SBC Global, Verizon, BellSouth and  
               Live.com users.

               The hackers wrote a brief footnote to the data dump, which  
               has since been taken offline:  "We hope that the parties  
               responsible for managing the security of this subdomain  
               will take this as a wake-up call, and not as a threat."

               The breach comes just one month after millions of user  
               passwords for LinkedIn, the online social network for  
               professionals, were exposed by hackers who breached its  
               systems.  The breaches highlight the ease with which  
               hackers are able to infiltrate systems, even at some of the  
               most widely used and sophisticated technology companies.

          The California Attorney General notes that "[w]ith 12.6 million  
          victims in 2012, including over 1 million Californians, identity  
          theft continues to be a significant crime."  The Attorney  
          General's specialized eCrime Unit finds, along with other law  
          enforcement agencies, that increasingly "criminals are targeting  
          Internet Web sites with inadequate security, including some  
          social media Internet Web sites, to harvest email addresses,  
          user names, and passwords," and "[b]ecause most people do not  
          use unique passwords for each of their accounts, acquiring the  
          information on one account can give a thief access to [many  
          different] accounts."

           FISCAL EFFECT  :    Appropriation:  No   Fiscal Com.:  Yes    
          Local:  No

          According to the Senate Appropriations Committee:

                 Minor ongoing state costs, as the California Technology  
               Agency has indicated that state entities are already  
               required to identify all data elements involved in a data  
               breach, including the data elements added under the  
               provisions of this bill.

                 Minor, absorbable costs to the Department of Justice to  
               electronically receive copies of security breach  
               notifications affecting more than 500 residents.

           SUPPORT  :   (Verified  9/3/13)

          Consumer Federation of California
          Office of the Attorney General
          Privacy Rights Clearinghouse

           ARGUMENTS IN SUPPORT  :    According to the author's office:

               Senate Bill 46 strengthens computer account protections for  
               the public by requiring the state and any person or  
               companies operating in California who maintain computerized  
               data about their clients or customers to notify them when  
               his/her password, username, or answers to security  
               questions have been [breached] for an online account.

               SB 46 provides real-time notification that someone may have  
               obtained your password, username, or answers to your  
               security questions so the client or customer can  
               immediately change their access information and prevent or  
               limit financial losses and theft of personal data.

           ASSEMBLY FLOOR  :  77-0, 9/3/13
          AYES:  Achadjian, Alejo, Allen, Ammiano, Atkins, Bigelow, Bloom,  
            Bocanegra, Bonilla, Bonta, Bradford, Brown, Buchanan, Ian  
            Calderon, Campos, Chau, Chávez, Chesbro, Conway, Cooley,  
            Dahle, Daly, Dickinson, Donnelly, Eggman, Fong, Fox, Frazier,  
            Beth Gaines, Garcia, Gatto, Gomez, Gonzalez, Gordon, Gorell,  
            Gray, Grove, Hagman, Harkey, Roger Hernández, Holden, Jones,  
            Jones-Sawyer, Levine, Linder, Logue, Lowenthal, Maienschein,  
            Mansoor, Medina, Melendez, Mitchell, Morrell, Mullin,  
            Muratsuchi, Nazarian, Nestande, Olsen, Pan, Patterson, Perea,  
            V. Manuel Pérez, Quirk, Quirk-Silva, Rendon, Salas, Skinner,  
            Stone, Ting, Wagner, Waldron, Weber, Wieckowski, Wilk,  
            Williams, Yamada, John A. Pérez
          NO VOTE RECORDED:  Hall, Vacancy, Vacancy


          AL:nl:ej  9/3/13   Senate Floor Analyses 

                           SUPPORT/OPPOSITION:  SEE ABOVE

                                   ****  END  ****