BILL ANALYSIS
AB 83
Page 1
Date of Hearing: April 30, 2015
ASSEMBLY COMMITTEE ON PRIVACY AND CONSUMER PROTECTION
Mike Gatto, Chair
AB 83
(Gatto) - As Amended April 27, 2015
SUBJECT: Information Practices Act of 1977
SUMMARY: Requires businesses that own or maintain personal
information to secure that data to the extent that any
"reasonably prudent business" would provide, adds "geophysical
location information" to the definition of personal information,
and specifies certain requirements and considerations that must
be part of any set of reasonable security procedures and
practices. Specifically, this bill:
1) Defines, for purposes of the existing requirement that
businesses implement and maintain reasonable security
procedures and practices to protect personal information,
"reasonable security procedures and practices" as they pertain
to the storage and transmission of personal information to
require, at a minimum, the security of that information to the
degree that any reasonably prudent business would provide.
2) Requires, as part of "reasonable security procedures and
practices", a business to do, at a minimum, the following:
a) identify reasonably foreseeable internal and
external risks to the privacy and security of personal
information that could result in the unauthorized
disclosure, misuse, alteration, destruction, or other
compromise of such information;
b) establish, implement, and maintain safeguards
reasonably designed to ensure the security of such
personal information, including but not limited to,
protecting against unauthorized loss, misuse, alteration,
destruction, access to, or use of such information;
c) regularly assess the sufficiency of any safeguards
in place to control reasonably foreseeable internal and
external risks; and,
d) evaluate and adjust such safeguards in response to
regular sufficiency assessments, any material changes in
the operations or business arrangements of the business,
or any other circumstances that create a material impact
on the privacy or security of personal information under
control of the business.
3) Provides that the reasonableness of the security procedures
and practices shall be determined in light of:
a) the degree of the privacy risk associated with the
personal information under the business's control;
b) the foreseeability of threats to the security of
such information;
c) widely accepted practices in administrative,
technical, and physical safeguards for protecting
personal information; and,
d) the cost of implementing and regularly reviewing
such safeguards.
4) Adds "geophysical location information" to the definition of
"personal information" for purposes of existing data security
requirements for businesses that own, license or maintain such
personal information.
5) Defines "geophysical location information" to mean "any
personally identifiable information describing or concerning
the duration of the transportation service provided to an
individual, the location and route of a transportation service
provided to an individual, or, if applicable, the monetary
exchange associated with a transportation service provided to
an individual."
EXISTING LAW:
1) Requires a person or business that owns, licenses, or
maintains personal information about a California resident to
implement and maintain reasonable security procedures and
practices appropriate to the nature of the information, and to
protect the personal information from unauthorized access,
destruction, use, modification, or disclosure. (Civil Code
(CC) Section 1798.81.5(b))
2) Defines "personal information," for purposes of the data
security statute, to include the individual's first name or
first initial and last name in combination with one or more of
the following data elements, when either the name or the data
elements are not encrypted or redacted: Social Security
number; driver's license number or California Identification
Card number; account number, credit or debit card number, in
combination with any required security code, access code, or
password that would permit access to an individual's financial
account; or medical information, as defined. Personal
information does not include publicly available information
that is lawfully made available to the general public from
government records. (CC 1798.81.5(d))
FISCAL EFFECT: None. This bill is currently keyed non-fiscal
by the Legislative Counsel.
COMMENTS:
1) Purpose of this bill. This bill is intended to clarify the
existing standard for the security of personal information
held by businesses by explicitly imposing a "reasonably
prudent business" standard, and specifying certain practices
and procedures that are inherently reasonable. This bill also
adds geophysical location information to the definition of
personal information as it applies to existing data security
requirements for businesses. AB 83 is author-sponsored.
2) Author's statement. According to the author, "Before the
United States was rocked by a December 2013 data breach at
Target stores that captured the information of almost 40
million credit and debit cards, many consumers did not think
about the protection of their personal and transaction data.
Since the Target incident, however, data breaches have haunted
consumers, businesses, and government entities, alike."
"While credit card information is valuable and breaches have
affected businesses like Home Depot, Neiman Marcus and JP
Morgan Chase, credit card information is not the only lure.
Hackers have hit different branches of California government,
including the Bureau of Automotive Repair, Mt. Diablo Unified
School District and the California Department of Public
Health. In May 2014, hackers breached a database owned by
ride-sharing app Uber, which contained the names and drivers'
license numbers of 50,000 of its drivers. Then, in November
2014, Sony hackers not only released five unreleased films,
but they also posted 47,000 employee Social Security numbers
online, which appeared on more than 600 publicly-posted files.
These numbers appeared with other personal information, such
as full names, dates of birth, and home addresses. And, just
last February, 80 million Anthem clients had their names,
dates of birth, Social Security numbers, addresses, phone
numbers, email addresses and employment information stolen.
"In today's world of computer and internet-based data storage,
no information is exempt or unattractive to those wanting to
breach our privacy and pry into our personal lives. Consumers
need the assurance that their data is being stored at robust
standards that are as flexible and timely as the changing
technology landscape.
"…[AB 83] applies a minimum standard for personal data
security, which is that of a "reasonably prudent business."
The standard is similar to that of a "reasonable person," a
standard applied regularly in tort law. Conceptually, it
means that a business failed in its duty of care (i.e., acted
negligently and is therefore subject to legal liability) if it
did not act as a reasonable and prudent business in the same
position would have."
3) Recent trends in data breaches. According to the California
Attorney General's October 2014 Data Breach report, California
is "uniquely impacted by data breaches. In 2012, 17 percent of
the data breaches recorded in the United States took place in
California - more than any other state. Even more troubling,
the number of reported breaches in California increased by 28
percent in 2013…and the number of Californians' records
affected increased by over 600 percent." The AG's office
received reports of 167 breaches affecting more than 500
Californians in 2013, meaning that records containing
personal information of more than 18.5 million California
residents were compromised.
These breaches are not only growing more frequent, they are
expensive events to consumers and businesses alike. According
to the California Attorney General's February 2014
"Cybersecurity in the Golden State" report, one study found
that "the average cost to victims of a data breach per
compromised record is now $136, or $157 if it results from
malicious criminal conduct. Additionally, the study notes
that costs for businesses that are victims of Internet-based
attacks have risen 78 percent per year, on average, over the
past four years. And from 2010 through 2013, the time needed
to recover from a breach has increased 130 percent. Just as
there is a cost involved in cybersecurity protection, there is
a cost involved in not protecting the information stored in
your systems."
4) The "reasonably prudent business" standard. The core concept
of this bill is that "reasonable security procedures and
practices" for the maintenance and transmission of personal
information are those that a "reasonably prudent business"
would apply. This term is taken from the larger concept of
negligence in tort law and merits further explanation.
According to Black's Law Dictionary, the definition of
negligence is: "The omission to do something which a
reasonable man, guided by those considerations which
ordinarily regulate the conduct of human affairs, would do; or
doing something which a prudent and reasonable man would not
do. It must be determined in all cases by reference to the
situation and knowledge of the parties and all the attendant
circumstances."
In order to bring suit for negligence, a plaintiff must
generally prove five things: the existence of a legal duty to
exercise reasonable care; a failure to exercise reasonable
care; cause in fact of physical harm by the negligent conduct;
physical harm in the form of actual damages; and proximate
cause, a showing that the harm is within the scope of
liability.
From this, Anglo-American common law developed over many years
what is called the "reasonably prudent person" standard, which
tries to capture the relevant community's judgment as to how a
typical member of that community should behave in situations
that might pose a threat of harm (through action or inaction)
to the public. And while the specific circumstances of each
case will require different kinds of conduct and degrees of
care, the "reasonable person" is not an average person or a
typical person, but someone who would act "reasonably" under
the same or similar circumstances.
This standard applies to the first two elements of the
definition of negligence: duty and breach. One academic
treatise on the standard analyzed the application of the
standard this way:
"Duty is the standard of care the defendant owes for the
protection of others; it is a question of law for the
court. This standard is objective…[it is not] measured in
terms of the individual's own knowledge and abilities. To
be sure, there are some no-duty situations, and some
instances in which the standard might be heightened or
lowered, but by and large the court's input is limited to
defining the standard. The court therefore constructs 'an
ideal, a standard, the embodiment of all those qualities
which we demand of the good citizen.'"
"Application of this standard is left to the jury in the
second element of negligence, breach, which is a question
of fact. To determine whether the defendant breached a
duty of care owed to the plaintiff, the jury answers
whether the defendant acted like a reasonably prudent
person under the same or similar circumstances. If yes,
then the defendant is not negligent. If no, then the
defendant is negligent and will be liable if her breach was
the actual and proximate cause of plaintiff's damages. The
reasonably prudent person standard therefore functions as a
yardstick against which the jury measures the conduct of
the defendant." (The Poetics and Ethics of Negligence, by
Jeff Todd, 50 Cal. W. L. Rev. 75, 2013)
This same concept can be applied to a business as well, which
becomes the standard that would be exercised by the reasonably
prudent business (or manufacturer, or professional, etc.), in
order to determine whether negligence has occurred. But
context matters - the customary practices and general
procedures of the industry or profession influence whether or
not specific behaviors are reasonable.
Reasonable prudence standards are used throughout the
California Codes, with uses beyond the "reasonably prudent
person" including reasonably prudent home inspectors,
manufactured housing dealers, real estate licensees,
investors, and charter boat operators. The term "reasonably
prudent business" is only explicitly used once in existing
state law (Health and Safety Code Section 25395.42), which
requires an insured party seeking payments from cost-overrun
insurance under the Cleanup Loans and Environmental Assistance
to Neighborhoods Account.
This bill would import this standard and all relevant case law
to apply to the data protection efforts of businesses holding
the personal information of Californians, as well as specify
certain practices and considerations that must be part of any
set of "reasonable security practices and procedures."
5) Related legislation. AB 964 (Chau) of 2015 would require data
breach notifications made by businesses and public agencies to
include the date of discovery of the breach in their notice to
the Attorney General. AB 964 is currently pending in the
Assembly Privacy and Consumer Protection Committee.
AB 1541 (Privacy and Consumer Protection) of 2015 is the
Committee's annual omnibus bill and would make technical or
non-substantive corrections and clarification to existing
privacy-related law. AB 1541 is currently pending in the
Assembly Privacy and Consumer Protection Committee.
6) Previous legislation. AB 1710 (Dickinson), Chapter 855,
Statutes of 2014, required the source of the data breach to
offer appropriate identity theft prevention and mitigation
services to the affected person at no cost for not less than
12 months if the breach exposed or may have exposed specified
personal information; expanded existing security practice and
procedure provisions to businesses that own, license, or
maintain personal information about a California resident; and
prohibited the sale, advertisement for sale, or offer to sell
of an individual's social security number.
REGISTERED SUPPORT / OPPOSITION:
Support
Privacy Rights Clearinghouse (3/26/15 version)
The Utility Reform Network (TURN) (3/26/15 version)
Opposition
None on file.
Analysis Prepared by: Hank Dempsey / P. & C.P. / (916) 319-2200