BILL ANALYSIS
-----------------------------------------------------------------
SENATE RULES COMMITTEE                                      SB 46
Office of Senate Floor Analyses
1020 N Street, Suite 524
(916) 651-1520  Fax: (916) 327-4478
-----------------------------------------------------------------
UNFINISHED BUSINESS
Bill No: SB 46
Author: Corbett (D)
Amended: 8/30/13
Vote: 21
SENATE JUDICIARY COMMITTEE: 6-0, 4/23/13
AYES: Evans, Anderson, Corbett, Jackson, Leno, Monning
NO VOTE RECORDED: Walters
SENATE APPROPRIATIONS COMMITTEE: 5-0, 5/13/13
AYES: De León, Hill, Lara, Padilla, Steinberg
NO VOTE RECORDED: Walters, Gaines
SENATE FLOOR: 37-0, 5/16/13
AYES: Anderson, Beall, Berryhill, Block, Calderon, Cannella,
Corbett, Correa, De León, DeSaulnier, Emmerson, Evans, Fuller,
Gaines, Galgiani, Hancock, Hernandez, Hill, Hueso, Huff,
Jackson, Knight, Lara, Leno, Lieu, Liu, Monning, Nielsen,
Padilla, Pavley, Roth, Steinberg, Walters, Wolk, Wright,
Wyland, Yee
NO VOTE RECORDED: Price, Vacancy, Vacancy
ASSEMBLY FLOOR: 77-0, 9/3/13 - See last page for vote
SUBJECT: Personal information: privacy
SOURCE: Author
DIGEST: This bill expands the scope of personal information
subject to existing security breach disclosure requirements to
include a user name or email address, in combination with a
password or security question and answer that permits access to
an online account. This bill also imposes additional
requirements on the disclosure of a breach of the security of
the system or data in situations where the breach involves
personal information that permits access to an online or email
account.
Assembly Amendments impose additional requirements on the
disclosure of a breach of the security of the system or data in
situations where the breach involves personal information that
would permit access to an online or email account, specify that
for purposes of this bill the word "agency" includes a local
agency, make technical and conforming changes and add language
to prevent chaptering out issues with AB 1149 (Campos).
ANALYSIS:
Existing law:
1. Requires any agency, person, or business that owns or licenses
computerized data that includes personal information to
disclose a breach of the security of the system to any
California resident whose unencrypted personal information
was, or is reasonably believed to have been, acquired by an
unauthorized person. The disclosure must be made in the most
expedient time possible and without unreasonable delay,
consistent with the legitimate needs of law enforcement, as
specified.
2. Requires any agency, person, or business that maintains
computerized data that includes personal information that the
agency, person, or business does not own to notify the owner
or licensee of the information of any security breach
immediately following discovery if the personal information
was, or is reasonably believed to have been, acquired by an
unauthorized person.
3. Defines "personal information," for purposes of the breach
notification statute, to include the individual's first name
or first initial and last name in combination with one or more
of the following data elements, when either the name or the
data elements are not encrypted: social security number,
driver's license number or California Identification Card
number, account number, credit or debit card number, in
combination with any required security code, access code, or
password that would permit access to an individual's financial
account; medical information; or health insurance information.
This bill:
1. Expands the scope of "personal information," for purposes of
the breach notification statute, to include a user name or
email address, acquired in combination with a password or
security question and answer that permits access to an online
account.
2. Specifies that in case of a breach of a user name or email
address, in combination with a password or security question
and answer, and no other personal information, the responsible
person or agency may comply with the notification requirement
by providing the security breach notification in electronic
form and direct the person whose information has been breached
to promptly change his/her user name or security question and
answer, as applicable, or to take other appropriate steps.
3. Specifies that in case of a breach of specified personal
information involving login credentials of an email account,
the responsible person or agency does not comply by sending
the security breach notification to an email address, but may,
instead, comply with the notification requirement by another
method that provides clear and conspicuous notice, as
specified.
4. Specifies that for purposes of the provisions of this bill the
word "agency" includes a local agency.
5. Adds language to prevent chaptering-out issues with AB 1149
(Campos).
Background
In 2003, California's first-in-the-nation security breach
notification law went into effect. Since that time, all but
four states have enacted similar security breach notification
laws, and governments around the world are considering enacting
such laws. California's security breach notification statute
requires state agencies and businesses to notify residents when
the security of their personal information, as defined, is
breached. That notification ensures that residents are aware of
the breach and allows them to take appropriate actions to
mitigate or prevent potential financial losses due to fraudulent
activity, as well as to limit the potential dissemination of
personal information.
A July 12, 2012, New York Times article entitled "Breach Extends
Beyond Yahoo to Gmail, Hotmail, AOL Users," chronicled an
example of a recent security breach that likely involved the
personal information of California consumers. That article
reported:
Another month, another major security breach. Yahoo
confirmed Thursday that about 400,000 user names and
passwords to Yahoo and other companies were stolen on
Wednesday.
A group of hackers, known as the D33D Company, posted
online the user names and passwords for what appeared to be
453,492 accounts belonging to Yahoo, and also Gmail, AOL,
Hotmail, Comcast, MSN, SBC Global, Verizon, BellSouth and
Live.com users.
The hackers wrote a brief footnote to the data dump, which
has since been taken offline: "We hope that the parties
responsible for managing the security of this subdomain
will take this as a wake-up call, and not as a threat."
The breach comes just one month after millions of user
passwords for LinkedIn, the online social network for
professionals, were exposed by hackers who breached its
systems. The breaches highlight the ease with which
hackers are able to infiltrate systems, even at some of the
most widely used and sophisticated technology companies.
The California Attorney General notes that "[w]ith 12.6 million
victims in 2012, including over 1 million Californians, identity
theft continues to be a significant crime." The Attorney
General's specialized eCrime Unit finds, along with other law
enforcement agencies, that increasingly "criminals are targeting
Internet Web sites with inadequate security, including some
social media Internet Web sites, to harvest email addresses,
user names, and passwords," and "[b]ecause most people do not
use unique passwords for each of their accounts, acquiring the
information on one account can give a thief access to [many
different] accounts."
FISCAL EFFECT: Appropriation: No   Fiscal Com.: Yes   Local: No
According to the Senate Appropriations Committee:
Minor ongoing state costs, as the California Technology
Agency has indicated that state entities are already
required to identify all data elements involved in a data
breach, including the data elements added under the
provisions of this bill.
Minor, absorbable costs to the Department of Justice to
electronically receive copies of security breach
notifications affecting more than 500 residents.
SUPPORT: (Verified 9/3/13)
Consumer Federation of California
Office of the Attorney General
Privacy Rights Clearinghouse
ARGUMENTS IN SUPPORT: According to the author's office:
Senate Bill 46 strengthens computer account protections for
the public by requiring the state and any person or
companies operating in California who maintain computerized
data about their clients or customers to notify them when
his/her password, username, or answers to security
questions have been [breached] for an online account.
SB 46 provides real-time notification that someone may have
obtained your password, username, or answers to your
security questions so the client or customer can
immediately change their access information and prevent or
limit financial losses and theft of personal data.
ASSEMBLY FLOOR: 77-0, 9/3/13
AYES: Achadjian, Alejo, Allen, Ammiano, Atkins, Bigelow, Bloom,
Bocanegra, Bonilla, Bonta, Bradford, Brown, Buchanan, Ian
Calderon, Campos, Chau, Chávez, Chesbro, Conway, Cooley,
Dahle, Daly, Dickinson, Donnelly, Eggman, Fong, Fox, Frazier,
Beth Gaines, Garcia, Gatto, Gomez, Gonzalez, Gordon, Gorell,
Gray, Grove, Hagman, Harkey, Roger Hernández, Holden, Jones,
Jones-Sawyer, Levine, Linder, Logue, Lowenthal, Maienschein,
Mansoor, Medina, Melendez, Mitchell, Morrell, Mullin,
Muratsuchi, Nazarian, Nestande, Olsen, Pan, Patterson, Perea,
V. Manuel Pérez, Quirk, Quirk-Silva, Rendon, Salas, Skinner,
Stone, Ting, Wagner, Waldron, Weber, Wieckowski, Wilk,
Williams, Yamada, John A. Pérez
NO VOTE RECORDED: Hall, Vacancy, Vacancy
AL:nl:ej 9/3/13 Senate Floor Analyses
SUPPORT/OPPOSITION: SEE ABOVE
**** END ****