BILL ANALYSIS



                                                                      AB 83


                                                                    Page  1





          Date of Hearing:  April 30, 2015


                ASSEMBLY COMMITTEE ON PRIVACY AND CONSUMER PROTECTION


                                  Mike Gatto, Chair


          AB 83  
          (Gatto) - As Amended April 27, 2015


          SUBJECT:  Information Practices Act of 1977


          SUMMARY:  Requires businesses that own or maintain personal  
          information to secure that data to the extent that any  
          "reasonably prudent business" would provide, adds "geophysical  
          location information" to the definition of personal information,  
          and specifies certain requirements and considerations that must  
          be part of any set of reasonable security procedures and  
          practices.  Specifically, this bill:  


          1)Defines, for purposes of the existing requirement that  
            businesses implement and maintain reasonable security  
            procedures and practices to protect personal information,  
            "reasonable security procedures and practices" as they pertain  
            to the storage and transmission of personal information to  
            require, at a minimum, the security of that information to the  
            degree that any reasonably prudent business would provide.



          2)Requires, as part of "reasonable security procedures and  
            practices", a business to do, at a minimum, the following: 

               a)     identify reasonably foreseeable internal and  
                 external risks to the privacy and security of personal  
                 information that could result in the unauthorized  
                 disclosure, misuse, alteration, destruction, or other  
                 compromise of such information;



               b)     establish, implement, and maintain safeguards  
                 reasonably designed to ensure the security of such  
                 personal information, including but not limited to,  
                 protecting against unauthorized loss, misuse, alteration,  
                 destruction, access to, or use of such information;



               c)     regularly assess the sufficiency of any safeguards  
                 in place to control reasonably foreseeable internal and  
                 external risks; and,



               d)     evaluate and adjust such safeguards in response to  
                 regular sufficiency assessments, any material changes in  
                 the operations or business arrangements of the business,  
                 or any other circumstances that create a material impact  
                 on the privacy or security of personal information under  
                 control of the business.



          3)Provides that the reasonableness of the security procedures  
            and practices shall be determined in light of:

               a)     the degree of the privacy risk associated with the  
                 personal information under the business's control;

               b)     the foreseeability of threats to the security of  
                 such information;





               c)     widely accepted practices in administrative,  
                 technical, and physical safeguards for protecting  
                 personal information; and,



               d)     the cost of implementing and regularly reviewing  
                 such safeguards.



          4)Adds "geophysical location information" to the definition of  
            "personal information" for purposes of existing data security  
            requirements for businesses that own, license or maintain such  
            personal information.  

          5)Defines "geophysical location information" to mean "any  
            personally identifiable information describing or concerning  
            the duration of the transportation service provided to an  
            individual, the location and route of a transportation service  
            provided to an individual, or, if applicable, the monetary  
            exchange associated with a transportation service provided to  
            an individual."


          
          EXISTING LAW:  


          1)Requires a person or business that owns, licenses, or  
            maintains personal information about a California resident to  
            implement and maintain reasonable security procedures and  
            practices appropriate to the nature of the information, and to  
            protect the personal information from unauthorized access,  
            destruction, use, modification, or disclosure.  (Civil Code  
            (CC) Section 1798.81.5(b))

          2)Defines "personal information," for purposes of the data  
            security statute, to include the individual's first name or  
            first initial and last name in combination with one or more of  
            the following data elements, when either the name or the data  
            elements are not encrypted or redacted: Social Security  
            number; driver's license number or California Identification  
            Card number; account number, credit or debit card number, in  
            combination with any required security code, access code, or  
            password that would permit access to an individual's financial  
            account; or medical information, as defined.  Personal  
            information does not include publicly available information  
            that is lawfully made available to the general public from  
            government records.  (CC 1798.81.5(d))


          FISCAL EFFECT:  None.  This bill is currently keyed non-fiscal  
          by the Legislative Counsel.


          COMMENTS:  


           1)Purpose of this bill.  This bill is intended to clarify the  
            existing standard for the security of personal information  
            held by businesses by explicitly imposing a "reasonably  
            prudent business" standard, and specifying certain practices  
            and procedures that are inherently reasonable.  This bill also  
            adds geophysical location information to the definition of  
            personal information as it applies to existing data security  
            requirements for businesses.  AB 83 is author-sponsored. 


           2)Author's statement.  According to the author, "Before the  
            United States was rocked by a December 2013 data breach at  
            Target stores that captured the information of almost 40  
            million credit and debit cards, many consumers did not think  
            about the protection of their personal and transaction data.   
            Since the Target incident, however, data breaches have haunted  
            consumers, businesses, and government entities, alike."


            "While credit card information is valuable and breaches have  
            affected businesses like Home Depot, Neiman Marcus and JP  
            Morgan Chase, credit card information is not the only lure.  
            Hackers have hit different branches of California government,  
            including the Bureau of Automotive Repair, Mt. Diablo Unified  
            School District and the California Department of Public  
            Health.  In May 2014, hackers breached a database owned by  
            ride-sharing app Uber, which contained the names and drivers'  
            license numbers of 50,000 of its drivers.  Then, in November  
            2014, Sony hackers not only released five unreleased films,  
            but they also posted 47,000 employee Social Security numbers  
            online, which appeared on more than 600 publicly-posted files.  
            These numbers appeared with other personal information, such  
            as full names, dates of birth, and home addresses.  And, just  
            last February, 80 million Anthem clients had their names,  
            dates of birth, Social Security numbers, addresses, phone  
            numbers, email addresses and employment information stolen.


            "In today's world of computer and internet-based data storage,  
            no information is exempt or unattractive to those wanting to  
            breach our privacy and pry into our personal lives.  Consumers  
            need the assurance that their data is being stored at robust  
            standards that are as flexible and timely as the changing  
            technology landscape.


            "...[AB 83] applies a minimum standard for personal data  
            security, which is that of a "reasonably prudent business."   
            The standard is similar to that of a "reasonable person," a  
            standard applied regularly in tort law.  Conceptually, it  
            means that a business failed in its duty of care (i.e., acted  
            negligently and is therefore subject to legal liability) if it  
            did not act as a reasonable and prudent business in the same  
            position would have."


           3)Recent trends in data breaches.  According to the California  
            Attorney General's October 2014 Data Breach report, California  
            is "uniquely impacted by data breaches. In 2012, 17 percent of  
            the data breaches recorded in the United States took place in  
            California - more than any other state. Even more troubling,  
            the number of reported breaches in California increased by 28  
            percent in 2013...and the number of Californians' records  
            affected increased by over 600 percent."  The AG's office  
            received reports of 167 breaches affecting more than 500  
            Californians for 2013, meaning that records containing  
            personal information of more than 18.5 million California  
            residents were compromised.  

            These breaches are not only growing more frequent, they are  
            expensive events to consumers and businesses alike.  According  
            to the California Attorney General's February 2014  
            "Cybersecurity in the Golden State" report, one study found  
            that "the average cost to victims of a data breach per  
            compromised record is now $136, or $157 if it results from  
            malicious criminal conduct.  Additionally, the study notes  
            that costs for businesses that are victims of Internet-based  
            attacks have risen 78 percent per year, on average, over the  
            past four years.  And from 2010 through 2013, the time needed  
            to recover from a breach has increased 130 percent.  Just as  
            there is a cost involved in cybersecurity protection, there is  
            a cost involved in not protecting the information stored in  
            your systems."





           4)The "reasonably prudent business" standard.  The core concept  
            of this bill is that "reasonable security procedures and  
            practices" for the maintenance and transmission of personal  
            information are those that a "reasonably prudent business"  
            would apply.  This term is taken from the larger concept of  
            negligence in tort law and merits further explanation.  

          According to Black's Law Dictionary, the definition of  
            negligence is: "The omission to do something which a  
            reasonable man, guided by those considerations which  
            ordinarily regulate the conduct of human affairs, would do; or  
            doing something which a prudent and reasonable man would not  
            do.  It must be determined in all cases by reference to the  
            situation and knowledge of the parties and all the attendant  
            circumstances."  

          In order to bring suit for negligence, a plaintiff must  
            generally prove five things: the existence of a legal duty to  
            exercise reasonable care; a failure to exercise reasonable  
            care; cause in fact of physical harm by the negligent conduct;  
            physical harm in the form of actual damages; and proximate  
            cause, a showing that the harm is within the scope of  
            liability.

          From this, Anglo-American common law developed over many years  
            what is called the "reasonably prudent person" standard, which  
            tries to capture the relevant community's judgment as to how a  
            typical member of that community should behave in situations  
            that might pose a threat of harm (through action or inaction)  
            to the public.  And while the specific circumstances of each  
            case will require different kinds of conduct and degrees of  
            care, the "reasonable person" is not an average person or a  
            typical person, but someone who would act "reasonably" under  
            the same or similar circumstances.



            This standard applies to the first two elements of the  
            definition of negligence: duty and breach.  One academic  
            treatise on the standard analyzed the application of the  
            standard this way:

               "Duty is the standard of care the defendant owes for the  
               protection of others; it is a question of law for the  
               court.  This standard is objective...[it is not] measured in  
               terms of the individual's own knowledge and abilities.  To  
               be sure, there are some no-duty situations, and some  
               instances in which the standard might be heightened or  
               lowered, but by and large the court's input is limited to  
               defining the standard.  The court therefore constructs 'an  
               ideal, a standard, the embodiment of all those qualities  
               which we demand of the good citizen.'" 



               "Application of this standard is left to the jury in the  
               second element of negligence, breach, which is a question  
               of fact.  To determine whether the defendant breached a  
               duty of care owed to the plaintiff, the jury answers  
               whether the defendant acted like a reasonably prudent  
               person under the same or similar circumstances.  If yes,  
               then the defendant is not negligent.  If no, then the  
               defendant is negligent and will be liable if her breach was  
               the actual and proximate cause of plaintiff's damages.  The  
               reasonably prudent person standard therefore functions as a  
               yardstick against which the jury measures the conduct of  
               the defendant." (The Poetics and Ethics of Negligence, by  
               Jeff Todd, 50 Cal. W. L. Rev. 75, 2013)

            This same concept can be applied to a business as well, which  
            becomes the standard that would be exercised by the reasonably  
            prudent business (or manufacturer, or professional, etc.), in  
            order to determine whether negligence has occurred.  But  
            context matters - the customary practices and general  
            procedures of the industry or profession influence whether or  
            not specific behaviors are reasonable.  



            Reasonable prudence standards are used throughout the  
            California Codes, with uses beyond the "reasonably prudent  
            person" including reasonably prudent home inspectors,  
            manufactured housing dealers, real estate licensees,  
            investors, and charter boat operators.  The term "reasonably  
            prudent business" is only explicitly used once in existing  
            state law (Health and Safety Code Section 25395.42), which  
            requires an insured party seeking payments from cost-overrun  
            insurance under the Cleanup Loans and Environmental Assistance  
            to Neighborhoods Account. 

            This bill would import this standard and all relevant case law  
            to apply to the data protection efforts of businesses holding  
            the personal information of Californians, as well as specify  
            certain practices and considerations that must be part of any  
            set of "reasonable security practices and procedures."  



           5)Related legislation.  AB 964 (Chau) of 2015 would require data  
            breach notifications made by businesses and public agencies to  
            include the date of discovery of the breach in their notice to  
            the Attorney General.  AB 964 is currently pending in the  
            Assembly Privacy and Consumer Protection Committee. 

          AB 1541 (Privacy and Consumer Protection) of 2015 is the  
            Committee's annual omnibus bill and would make technical or  
            non-substantive corrections and clarification to existing  
            privacy-related law.  AB 1541 is currently pending in the  
            Assembly Privacy and Consumer Protection Committee. 

           6)Previous legislation.  AB 1710 (Dickinson), Chapter 855,  
            Statutes of 2014, required the source of the data breach to  
            offer appropriate identity theft prevention and mitigation  
            services to the affected person at no cost for not less than  
            12 months if the breach exposed or may have exposed specified  
            personal information; expanded existing security practice and  
            procedure provisions to businesses that own, license, or  
            maintain personal information about a California resident; and  
            prohibited the sale, advertisement for sale, or offer to sell  
            of an individual's social security number.


          REGISTERED SUPPORT / OPPOSITION:




          Support


          Privacy Rights Clearinghouse (3/26/15 version)


          The Utility Reform Network (TURN)  (3/26/15 version)




          Opposition


          None on file.




          Analysis Prepared by: Hank Dempsey / P. & C.P. / (916) 319-2200