BILL ANALYSIS

AB 83
Page 1

Date of Hearing: April 30, 2015

ASSEMBLY COMMITTEE ON PRIVACY AND CONSUMER PROTECTION
Mike Gatto, Chair

AB 83 (Gatto) - As Amended April 27, 2015

SUBJECT: Information Practices Act of 1977

SUMMARY: Requires businesses that own or maintain personal information to secure that data to the extent that any "reasonably prudent business" would provide, adds "geophysical location information" to the definition of personal information, and specifies certain requirements and considerations that must be part of any set of reasonable security procedures and practices. Specifically, this bill:

1) Defines, for purposes of the existing requirement that businesses implement and maintain reasonable security procedures and practices to protect personal information, "reasonable security procedures and practices" as they pertain to the storage and transmission of personal information to require, at a minimum, the security of that information to the degree that any reasonably prudent business would provide.
2) Requires, as part of "reasonable security procedures and practices", a business to do, at a minimum, the following:

   a) identify reasonably foreseeable internal and external risks to the privacy and security of personal information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information;

   b) establish, implement, and maintain safeguards reasonably designed to ensure the security of such personal information, including but not limited to, protecting against unauthorized loss, misuse, alteration, destruction, access to, or use of such information;

   c) regularly assess the sufficiency of any safeguards in place to control reasonably foreseeable internal and external risks; and,

   d) evaluate and adjust such safeguards in response to regular sufficiency assessments, any material changes in the operations or business arrangements of the business, or any other circumstances that create a material impact on the privacy or security of personal information under control of the business.

3) Provides that the reasonableness of the security procedures and practices shall be determined in light of:

   a) the degree of the privacy risk associated with the personal information under the business's control;

   b) the foreseeability of threats to the security of such information;

   c) widely accepted practices in administrative, technical, and physical safeguards for protecting personal information; and,

   d) the cost of implementing and regularly reviewing such safeguards.

4) Adds "geophysical location information" to the definition of "personal information" for purposes of existing data security requirements for businesses that own, license or maintain such personal information.
5) Defines "geophysical location information" to mean "any personally identifiable information describing or concerning the duration of the transportation service provided to an individual, the location and route of a transportation service provided to an individual, or, if applicable, the monetary exchange associated with a transportation service provided to an individual."

EXISTING LAW:

1) Requires a person or business that owns, licenses, or maintains personal information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, and to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. (Civil Code (CC) Section 1798.81.5(b))

2) Defines "personal information," for purposes of the data security statute, to include the individual's first name or first initial and last name in combination with one or more of the following data elements, when either the name or the data elements are not encrypted or redacted: Social Security number; driver's license number or California Identification Card number; account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account; or medical information, as defined. Personal information does not include publicly available information that is lawfully made available to the general public from government records. (CC 1798.81.5(d))

FISCAL EFFECT: None. This bill is currently keyed non-fiscal by the Legislative Counsel.

COMMENTS:

1) Purpose of this bill. This bill is intended to clarify the existing standard for the security of personal information held by businesses by explicitly imposing a "reasonably prudent business" standard, and specifying certain practices and procedures that are inherently reasonable.
This bill also adds geophysical location information to the definition of personal information as it applies to existing data security requirements for businesses. AB 83 is author-sponsored.

2) Author's statement. According to the author, "Before the United States was rocked by a December 2013 data breach at Target stores that captured the information of almost 40 million credit and debit cards, many consumers did not think about the protection of their personal and transaction data. Since the Target incident, however, data breaches have haunted consumers, businesses, and government entities, alike."

"While credit card information is valuable and breaches have affected businesses like Home Depot, Neiman Marcus and JP Morgan Chase, credit card information is not the only lure. Hackers have hit different branches of California government, including the Bureau of Automotive Repair, Mt. Diablo Unified School District and the California Department of Public Health. In May 2014, hackers breached a database owned by ride-sharing app Uber, which contained the names and drivers' license numbers of 50,000 of its drivers. Then, in November 2014, Sony hackers not only released five unreleased films, but they also posted 47,000 employee Social Security numbers online, which appeared on more than 600 publicly-posted files. These numbers appeared with other personal information, such as full names, dates of birth, and home addresses. And, just last February, 80 million Anthem clients had their names, dates of birth, Social Security numbers, addresses, phone numbers, email addresses and employment information stolen.

"In today's world of computer and internet-based data storage, no information is exempt or unattractive to those wanting to breach our privacy and pry into our personal lives. Consumers need the assurance that their data is being stored at robust standards that are as flexible and timely as the changing technology landscape.
"...[AB 83] applies a minimum standard for personal data security, which is that of a "reasonably prudent business." The standard is similar to that of a "reasonable person," a standard applied regularly in tort law. Conceptually, it means that a business failed in its duty of care (i.e., acted negligently and is therefore subject to legal liability) if it did not act as a reasonable and prudent business in the same position would have."

3) Recent trends in data breaches. According to the California Attorney General's October 2014 Data Breach report, California is "uniquely impacted by data breaches. In 2012, 17 percent of the data breaches recorded in the United States took place in California - more than any other state. Even more troubling, the number of reported breaches in California increased by 28 percent in 2013...and the number of Californians' records affected increased by over 600 percent." The AG's office received reports of 167 breaches affecting more than 500 Californians for 2013, meaning that records containing personal information of more than 18.5 million California residents were compromised.

These breaches are not only growing more frequent, they are expensive events for consumers and businesses alike. According to the California Attorney General's February 2014 "Cybersecurity in the Golden State" report, one study found that "the average cost to victims of a data breach per compromised record is now $136, or $157 if it results from malicious criminal conduct. Additionally, the study notes that costs for businesses that are victims of Internet-based attacks have risen 78 percent per year, on average, over the past four years. And from 2010 through 2013, the time needed to recover from a breach has increased 130 percent. Just as there is a cost involved in cybersecurity protection, there is a cost involved in not protecting the information stored in your systems."

4) The "reasonably prudent business" standard.
The core concept of this bill is that "reasonable security procedures and practices" for the maintenance and transmission of personal information are those that a "reasonably prudent business" would apply. This term is taken from the larger concept of negligence in tort law and merits further explanation.

According to Black's Law Dictionary, the definition of negligence is: "The omission to do something which a reasonable man, guided by those considerations which ordinarily regulate the conduct of human affairs, would do; or doing something which a prudent and reasonable man would not do. It must be determined in all cases by reference to the situation and knowledge of the parties and all the attendant circumstances."

In order to bring suit for negligence, a plaintiff must generally prove five things: the existence of a legal duty to exercise reasonable care; a failure to exercise reasonable care; cause in fact of physical harm by the negligent conduct; physical harm in the form of actual damages; and proximate cause, a showing that the harm is within the scope of liability.

From this, Anglo-American common law developed over many years what is called the "reasonably prudent person" standard, which tries to capture the relevant community's judgment as to how a typical member of that community should behave in situations that might pose a threat of harm (through action or inaction) to the public. And while the specific circumstances of each case will require different kinds of conduct and degrees of care, the "reasonable person" is not an average person or a typical person, but someone who would act "reasonably" under the same or similar circumstances. This standard applies to the first two elements of the definition of negligence: duty and breach.
One academic treatise on the standard analyzed the application of the standard this way:

"Duty is the standard of care the defendant owes for the protection of others; it is a question of law for the court. This standard is objective...[it is not] measured in terms of the individual's own knowledge and abilities. To be sure, there are some no-duty situations, and some instances in which the standard might be heightened or lowered, but by and large the court's input is limited to defining the standard. The court therefore constructs 'an ideal, a standard, the embodiment of all those qualities which we demand of the good citizen.'"

"Application of this standard is left to the jury in the second element of negligence, breach, which is a question of fact. To determine whether the defendant breached a duty of care owed to the plaintiff, the jury answers whether the defendant acted like a reasonably prudent person under the same or similar circumstances. If yes, then the defendant is not negligent. If no, then the defendant is negligent and will be liable if her breach was the actual and proximate cause of plaintiff's damages. The reasonably prudent person standard therefore functions as a yardstick against which the jury measures the conduct of the defendant." (The Poetics and Ethics of Negligence, by Jeff Todd, 50 Cal. W. L. Rev. 75, 2013)

This same concept can be applied to a business as well, which becomes the standard that would be exercised by the reasonably prudent business (or manufacturer, or professional, etc.), in order to determine whether negligence has occurred. But context matters: the customary practices and general procedures of the industry or profession influence whether or not specific behaviors are reasonable.
Reasonable prudence standards are used throughout the California Codes, with uses beyond the "reasonably prudent person" including reasonably prudent home inspectors, manufactured housing dealers, real estate licensees, investors, and charter boat operators. The term "reasonably prudent business" is only explicitly used once in existing state law (Health and Safety Code Section 25395.42), which requires an insured party seeking payments from cost-overrun insurance under the Cleanup Loans and Environmental Assistance to Neighborhoods Account.

This bill would import this standard and all relevant case law to apply to the data protection efforts of businesses holding the personal information of Californians, as well as specify certain practices and considerations that must be part of any set of "reasonable security practices and procedures."

5) Related legislation. AB 964 (Chau) of 2015 would require data breach notifications made by businesses and public agencies to include the date of discovery of the breach in their notice to the Attorney General. AB 964 is currently pending in the Assembly Privacy and Consumer Protection Committee.

AB 1541 (Privacy and Consumer Protection) of 2015 is the Committee's annual omnibus bill and would make technical or non-substantive corrections and clarifications to existing privacy-related law. AB 1541 is currently pending in the Assembly Privacy and Consumer Protection Committee.

6) Previous legislation.
AB 1710 (Dickinson), Chapter 855, Statutes of 2014, required the source of the data breach to offer appropriate identity theft prevention and mitigation services to the affected person at no cost for not less than 12 months if the breach exposed or may have exposed specified personal information; expanded existing security practice and procedure provisions to businesses that own, license, or maintain personal information about a California resident; and prohibited the sale, advertisement for sale, or offer to sell an individual's social security number.

REGISTERED SUPPORT / OPPOSITION:

Support

Privacy Rights Clearinghouse (3/26/15 version)
The Utility Reform Network (TURN) (3/26/15 version)

Opposition

None on file.

Analysis Prepared by: Hank Dempsey / P. & C.P. / (916) 319-2200