BILL ANALYSIS
SENATE JUDICIARY COMMITTEE
Senator Hannah-Beth Jackson, Chair
2015-2016 Regular Session
AB 83 (Gatto)
Version: June 25, 2015
Hearing Date: July 7, 2015
Fiscal: No
Urgency: No
SUBJECT
Information Practices Act of 1977
DESCRIPTION
This bill would expand the definition of "personal information"
for which businesses must implement and maintain reasonable
security procedures and practices in order to protect the
information from unauthorized access, destruction, use,
modification, or disclosure. Specifically, this bill would add
geophysical location information, tax identification numbers,
passport numbers, biometric information, usernames or email
addresses in combination with passwords or other specified
authentication credentials, and signatures to the list of
protected personal information. This bill would also establish
certain minimum criteria for the reasonable security procedures
and practices that must be followed, including identifying
reasonably foreseeable internal and external risks and regularly
assessing the sufficiency of security safeguards in place to
control those risks.
BACKGROUND
In 2004, the Legislature enacted AB 1950 (Wiggins, Ch. 877,
Stats. 2004), which established broadly applicable security
standards for the protection of personal information about
California residents that is owned or leased by businesses.
Before AB 1950 became law, federal and state laws generally
provided only industry-specific requirements for the protection
of personal information. For example, state medical privacy
laws like the Confidentiality of Medical Information Act (Civ.
Code Sec. 56 et seq.) govern the use and sharing of medical
information by health care entities, but do not regulate this
information when obtained by other businesses.
AB 1950 required businesses that own or license personal
information -- including social security numbers, payment card
information, and medical information -- about a California
resident to implement and maintain reasonable security
procedures and practices appropriate to the nature of the
information, to protect the personal information from
unauthorized access, destruction, use, modification, or
disclosure. Despite this requirement, the frequency at which
data breaches expose the personal information of California
residents has increased dramatically since 2004. An October
2014 article in the Los Angeles Times made the following
observations about this trend:
Data breaches soared last year in California as cybercriminals
leaped over digital security gates to endanger the personal
data of millions of consumers, California Atty. Gen. Kamala
Harris said. Harris, in a report released Tuesday,
highlighted the effect that headline-producing data breaches
had on the Golden State: two massive hacks last year at Target
Corp. and daily deals website LivingSocial each hit roughly
7.5 million Californians. In all, 18.5 million people in the
state had their data stolen last year, a more than 600
[percent] jump from 2012. The number of breaches reported to
Harris' office climbed 28 [percent] to 167, and is expected to
rise again in 2014. "Data breaches . . . threaten the privacy,
the security and the economic well-being of consumers and
businesses," Harris said at a news conference in Los Angeles.
California residents aren't any more prone to data hijacking
than others, but an unusual state law requires businesses and
state agencies to notify customers of any breach involving
more than 500 accounts. That law resulted in the California
Data Breach Report, which underscored the difficulties faced
by companies who are constantly racing against wily thieves to
secure sensitive information. The parade of companies that
has been targeted recently by hackers includes Home Depot,
Michaels, Neiman Marcus and P.F. Chang's.
Security experts predict that the number of breaches,
especially on a big scale, will keep growing. "The data
breaches are going to continue and will probably get worse
with the short term," said Jim Penrose, former chief of the
Operational Discovery Center at the National Security Agency.
. . .
Harris said businesses need to adopt stronger encryption
technologies that safeguard sensitive consumer data. And
retailers must make their breach notifications to consumers
more visible and should upgrade their systems to handle
payment cards equipped with microchips, which make cards more
difficult to counterfeit, Harris said. (Shan Li and Andrew
Khouri, Data Breaches Jump in California and are Expected to
Keep Climbing, Los Angeles Times (Oct. 28, 2014)
[as of Jun. 22, 2015].)
This bill responds to the growing frequency of data breaches by
adding additional requirements to the "reasonable security
procedures and practices" that businesses are mandated to
implement under existing law with respect to personal
information. Recognizing the sensitivity of such information,
this bill would also expand the definition of "personal
information" subject to protection to include tax identification
numbers, passport numbers, and any other unique
government-issued identification numbers; geophysical location
information; biometric information; usernames or email addresses
in combination with passwords or other specified account
credentials, and signatures.
CHANGES TO EXISTING LAW
Existing law, the California Constitution, provides that all
people are by nature free and independent and have inalienable
rights. Among these are enjoying and defending life and
liberty, acquiring, possessing, and protecting property, and
pursuing and obtaining safety, happiness, and privacy. (Cal.
Const., art. I, Sec. 1.)
Existing law requires state agencies, under the Information
Practices Act (IPA), to establish appropriate and reasonable
administrative, technical, and physical safeguards to ensure
compliance with the IPA, to ensure the security and
confidentiality of records, and to protect against anticipated
threats or hazards to their security or integrity which could
result in any injury. (Civ. Code Sec. 1798.21.)
Existing law requires a business that owns, licenses, or
maintains personal information about a California resident to
implement and maintain reasonable security procedures and
practices appropriate to the nature of the information, to
protect the personal information from unauthorized access,
destruction, use, modification, or disclosure. (Civ. Code Sec.
1798.81.5(b).)
Existing law requires a business that discloses personal
information about a California resident pursuant to a contract
with a nonaffiliated third party that is not subject to the
restriction above to require by contract that the third party
implement and maintain reasonable security procedures and
practices appropriate to the nature of the information, to
protect the personal information from unauthorized access,
destruction, use, modification, or disclosure. (Civ. Code Sec.
1798.81.5(c).)
Existing law defines "personal information" to mean an
individual's first name or first initial and his or her last
name in combination with any one or more of the following data
elements, when either the name or the data elements are not
encrypted or redacted:
social security number;
driver's license number or California identification card
number;
account number, credit or debit card number, in combination
with any required security code, access code, or password that
would permit access to an individual's financial account; and
medical information, as specified. (Civ. Code Sec.
1798.81.5(d).)
Existing law states that "personal information" does not include
publicly available information that is lawfully made available
to the general public from federal, state, or local government
records. (Civ. Code Sec. 1798.81.5(d).)
This bill would specify that "reasonable security procedures and
practices" as they pertain to the storage and transmission of
personal information shall require, at a minimum, the security
of that information to the degree that any reasonably prudent
business would provide.
This bill would further specify that "reasonable security
procedures and practices" shall, at a minimum, require
businesses to:
identify reasonably foreseeable internal and external risks to
the privacy and security of personal information that could
result in the unauthorized disclosure, misuse, alteration,
destruction, or other compromise of the information;
establish, implement, and maintain safeguards reasonably
designed to ensure the security of the personal information,
including, but not limited to, protecting against unauthorized
loss, misuse, alteration, destruction, access to, or use of
the information;
regularly assess the sufficiency of any safeguards in place to
control reasonably foreseeable internal and external risks,
and evaluate and adjust those safeguards in light of the
assessment; and
evaluate and adjust any material changes in the operations or
business arrangements of the business, or any other
circumstances, that create a material impact on the privacy or
security of personal information under control of the
business.
This bill would provide that the reasonableness of the security
procedures and practices shall be determined in light of all of
the following:
the type of personal information under the business's control;
the foreseeability of threats to the security of the
information;
the existence of widely accepted practices in administrative,
technical, and physical safeguards for protecting personal
information; and
the cost of implementing and regularly reviewing the
safeguards.
This bill would expand the definition of "personal information"
to include the following:
a tax identification number, passport number, or any other
unique government-issued identification number;
geophysical location information;
biometric information;
a username or email address in combination with a password or
security question and answer that would permit access to an
online account; and
signature.
This bill would define geophysical location information to mean
any location data generated to assess the past or current
location of, or travel by, an individual, including but not
limited to, geographic coordinates, street address, or WiFi
positioning system.
This bill would define "biometric information" to mean data
generated by automatic measurements of an individual's
biological characteristics that are used by the owner or
licensee to authenticate an individual's identity, such as a
fingerprint, voice print, eye retinas or irises, or other unique
biological characteristic.
This bill would define "health insurance information" to mean an
individual's insurance policy number or subscriber
identification number, any unique identifier used by a health
insurer to identify the individual, or any information in an
individual's application and claims history, including any
appeals records.
COMMENT
1.Stated need for the bill
According to the author:
The California Information Practices Act of 1977 sets the
rules for the collection, maintenance and dissemination of
information that identifies an individual to guarantee that
privacy is protected to the greatest extent possible.
[California's data protection statutes], among other things,
[require] businesses that own, license, or maintain personal
information about Californians to provide reasonable security
for that information.
Before the United States was rocked by a December 2013 data
breach at Target stores that captured the information of
almost 40 million credit and debit cards, many consumers did
not think about the protection of their personal and
transaction data. Since the Target incident, however, data
breaches have haunted consumers, businesses, and government
entities, alike.
While credit card information is valuable and breaches have
affected businesses like Home Depot, Neiman Marcus and JP
Morgan Chase, credit card information is not the only lure.
Hackers have hit different branches of California government,
including the Bureau of Automotive Repair, Mt. Diablo Unified
School District and the California Department of Public
Health. In May 2014, hackers breached a database owned by
ride-sharing app Uber, which contained the names and drivers'
license numbers of 50,000 of its drivers. Then, in November
2014, Sony hackers not only released five unreleased films,
but they also posted 47,000 employee Social Security numbers
online, which appeared on more than 600 publicly-posted files.
These numbers appeared with other personal information, such
as full names, dates of birth, and home addresses. And, just
last February, 80 million Anthem clients had their names,
dates of birth, Social Security numbers, addresses, phone
numbers, email addresses and employment information stolen.
In today's world of computer and internet-based data storage,
no information is exempt or unattractive to those wanting to
breach our privacy and pry into our personal lives. Consumers
need the assurance that their data is being stored at robust
standards that are as flexible and timely as the changing
technology landscape.
2.Fundamental Right to Privacy
The right to privacy is a fundamental right protected by article
I, section 1 of the California Constitution. The Legislature
has expressly declared that "all individuals have a right of
privacy in information pertaining to them," and has found that:
(1) The right to privacy is being threatened by the
indiscriminate collection, maintenance, and dissemination of
personal information and the lack of effective laws and legal
remedies.
(2) The increasing use of computers and other sophisticated
information technology has greatly magnified the potential
risk to individual privacy that can occur from the maintenance
of personal information.
(3) In order to protect the privacy of individuals, it is
necessary that the maintenance and dissemination of personal
information be subject to strict limits. (Civ. Code Sec.
1798.1.)
This bill builds upon the fundamental right to privacy by
expanding the scope of personal information required to be kept
reasonably secure under existing law. The Civil Code imposes a
general obligation on all businesses "to implement and maintain
reasonable security procedures and practices." (Civ. Code Sec.
1798.81.5(b).) Already, businesses must reasonably protect
California residents' social security numbers, driver's license
or California ID card numbers, financial account numbers, and
medical information from unauthorized access and use. This bill
would add, among other things, tax identification numbers,
passport numbers, other unique government-issued identification
numbers, geophysical location information, biometric
information, and signatures to the list of protected "personal
information."
As authentication technologies move beyond usernames and
passwords, the use of biometric information and signatures to
secure sensitive accounts and computer systems is likely to
grow, making it an attractive target for hackers. Personal
information like tax identification numbers, passport numbers,
and other government-issued ID numbers, may be used by some to
commit identity theft. And locational information, particularly
that which covers a long time period, could be used to learn a
great deal of sensitive information about a person. As the U.S.
Supreme Court recently noted, this sort of information could
enable one to "ascertain, more or less at will, [the] political
and religious beliefs, sexual habits, and so on" of an
individual. (United States v. Jones (2012) 132 S. Ct. 945,
955-956 [internal citations and quotation marks omitted].)
Adding these additional classes of data to the existing list of
personal information subject to reasonable security protection
will help ensure that Californians' fundamental right to privacy
is protected.
3.Improved Data Security Standards
Existing law requires businesses that own, license, or maintain
personal information to implement and maintain reasonable
security procedures and practices to protect the information
from unauthorized access, destruction, use, modification, or
disclosure. (Civ. Code Sec. 1798.81.5(b).) This bill would
refine this existing duty by providing businesses with guidance
on what constitutes "reasonable security procedures and
practices." Specifically, this bill would require businesses to
identify reasonably foreseeable internal and external risks to
the privacy and security of personal information, and to
establish, implement, and maintain safeguards reasonably
designed to ensure the security of that information, as soon as
such information is acquired. More importantly, this bill would
place a continuing duty on businesses to regularly assess the
sufficiency of the safeguards in place to control reasonably
foreseeable internal and external risks, to evaluate and adjust
those safeguards in light of the assessment, and to evaluate and
adjust any material changes in the operations or business
arrangements of the business that create a material impact on
the privacy or security of personal information under its
control.
As the recent data breach at the Office of Personnel Management
made clear,<1> even state-of-the-art data security systems must
continually assess their vulnerability to unauthorized
penetration and intrusion, especially when faced with persistent
threats. This bill would require businesses that own, license,
or maintain personal information about California residents to
regularly evaluate the security procedures and practices they
use to protect that information in light of reasonably
foreseeable threats. This continuing obligation would bring
California's business security standard more in-line with the
standard required of state agencies, which requires agencies to
establish appropriate and reasonable administrative, technical,
and physical safeguards to ensure the security and
confidentiality of records, and to protect against anticipated
threats or hazards to their security or integrity which could
result in injury. (Civ. Code Sec. 1798.21.)
4.Evaluating "Reasonableness"
This bill, like existing law, requires businesses to implement
security procedures and practices that are "reasonable" in
nature. This bill would provide guidelines to help businesses
determine what security measures are reasonable by stating that
the reasonableness of security procedures and practices shall be
determined in light of the following:
the type of personal information under the business's control;
the foreseeability of threats to the security of the
information;
---------------------------
<1> Last month, the Office of Personnel Management suffered a
massive data breach that revealed the personal information of an
estimated 4 to 18 million federal workers, including many with
secret-level security clearances. (See Adam Elkus, The
Devastating Breach of US Government Data Highlights an Illusory
Cybersecurity Paradox, Business Insider (Jun. 18, 2015)
[as of Jun. 23, 2015].)
the existence of widely accepted practices in administrative,
technical, and physical safeguards for protecting personal
information; and
the cost of implementing and regularly reviewing the
safeguards.
These guidelines should assist businesses as they decide where
investments in information technology security should be made.
An earlier version of this bill used the "degree of the privacy
risk" as one of the benchmarks for determining the
reasonableness of a business' security practices and procedures.
The use of the phrase "privacy risk" in that benchmark could
have potentially misled businesses into evaluating security
standards in light of whether harm would result from the breach
of personal information under its control. Unlike other states,
California's data breach and data protection statutes are not
triggered upon a showing of harm. Rather, harm is presumed to
occur when protected information is compromised. To ensure that
this bill did not unintentionally incorporate a showing of harm
into California's data protection statutes, the author amended
the bill on June 25, 2015, to provide that the reasonableness of
security procedures and practices should be viewed instead in
light of the nature of the information under the business's
control. This alternate standard recognizes that some
additional security measures may be needed to protect data that
is more valuable to a hacker or data thief, not because of the
privacy risk resulting from its loss in a breach, but because
the thief can receive a higher price for it in the underground
market for stolen information.
5.Incorporation of Changes Proposed in AB 1541
This bill amends the same section of the Civil Code as AB 1541,
the Assembly Privacy and Consumer Protection Committee's privacy
omnibus bill. AB 1541 would add health insurance information,
and a username or email address combined with a password or
security question and answer for access to an online account, to
the definition of "personal information" for which businesses
must implement and maintain reasonable security procedures and
practices. In order to avoid the prospect of these two bills
chaptering one or the other out, the author decided to
incorporate the provisions from AB 1541 into this bill when this
bill was last amended. The Senate Judiciary Committee heard AB
1541 on June 16, 2015, and passed it out on a vote of 7-0. One
provision from AB 1541 was unintentionally omitted in the last
set of amendments, and the author offers the following technical
amendment to incorporate that missing provision into this bill.
Author's Amendments:
On page 3, line 10, insert "(v) Health insurance information."
6.Opposition Concerns
A coalition of business and industry groups, in opposition,
states that this bill will create unnecessary and costly
obligations and increased litigation exposure by requiring
businesses to develop and maintain heightened security
procedures for many types of data that do not pose a risk to
consumers. Summarizing these concerns, the California Chamber
of Commerce states:
The current California data security statute requires
businesses to "implement and maintain reasonable security
procedures and practices" in order to protect a consumer's
personal information from unauthorized access, destruction,
use, modification, or disclosure." This statute is designed
to protect highly sensitive personal data maintained by
businesses including social security numbers, health
information and financial account information. AB 83
significantly broadens the scope of the definition of
"personal information" under this statute, thereby requiring
businesses to expand security resources and face increased
litigation risk for data that has not been included in other
state or federal data security proposals and is not sensitive
for consumers.
As an example, the California Chamber of Commerce makes the
following observation:
AB 83 . . . adds "geophysical location information" to the
definition of personal information and creates a new, vague
and overbroad definition for this term. The definition for
geolocation information is overly expansive - it could include
general geolocation information such as a zip code or an area
code as opposed to the precise location of an individual. The
revelation of general geolocation information creates little
potential harm to a consumer. The definition is also
problematic because it would add a home address within the
personal information definition even though this information
is commonly made public for a variety of legitimate reasons
from mailing labels to telephone directories. Further, this
definition also lacks clarity regarding whether it would apply
to real time geolocation information or only location
information which is stored or logged.
The coalition in opposition raises similar concerns with the
addition of signatures and unique government-issued
identification numbers to California's data protection statute,
and notes that the statute would not apply to government
entities which, like private businesses, suffer security
breaches.
Support: California Credit Union League; Privacy Rights
Clearinghouse; Utility Reform Network
Opposition: California Chamber of Commerce; California Grocers
Association; California Retailers Association; CTIA - The
Wireless Association; Direct Marketing Association; TechNet
HISTORY
Source: Author
Related Pending Legislation: AB 1541 (Committee on Privacy and
Consumer Protection, 2015) would add health insurance
information, as defined, and a username or email address
combined with a password or security question and answer for
access to an online account, to the definition of "personal
information" for which businesses must implement and maintain
reasonable security procedures and practices to protect the
information from unauthorized access, destruction, use,
modification, or disclosure. This bill is pending on the Senate
Floor.
Prior Legislation:
AB 1710 (Dickinson, Ch. 855, Stats. 2014) amended California's
Data Breach Notification Law to require a person or business to
offer appropriate identity theft prevention and mitigation
services to an affected person at no cost for not less than 12
months if the person or business was the source of a data
breach. This bill also prohibited the sale, advertisement for
sale, or offer to sell an individual's social security number.
AB 1950 (Wiggins, Ch. 877, Stats. 2004) required a business that
owns or licenses personal information about a California
resident to implement and maintain reasonable security
procedures and practices to protect personal information from
unauthorized access, destruction, use, modification, or
disclosure. AB 1950 also required a business that discloses
personal information to a nonaffiliated third party to require
by contract that those entities maintain reasonable security
procedures.
Prior Vote:
Assembly Floor (Ayes 66, Noes 4)
Assembly Privacy and Consumer Protection Committee (Ayes 9, Noes
1)