BILL ANALYSIS

           ----------------------------------------------------------------- 
          |SENATE RULES COMMITTEE            |                         AB 83|
          |Office of Senate Floor Analyses   |                              |
          |(916) 651-1520 Fax: (916) 327-4478|                              |
           ----------------------------------------------------------------- 


                                   THIRD READING 


          Bill No:  AB 83
          Author:   Gatto (D)
          Amended:  7/15/15 in Senate
          Vote:     21  

           SENATE JUDICIARY COMMITTEE:  5-1, 7/7/15
           AYES:  Jackson, Hertzberg, Leno, Monning, Wieckowski
           NOES:  Moorlach
           NO VOTE RECORDED:  Anderson

           ASSEMBLY FLOOR:  66-4, 5/7/15 - See last page for vote

           SUBJECT:   Information Practices Act of 1977


          SOURCE:    Author

          DIGEST:   This bill expands the definition of "personal  
          information" for which businesses must implement and maintain  
          reasonable security procedures and practices in order to protect  
          the information from unauthorized access, destruction, use,  
          modification, or disclosure.  Specifically, this bill adds  
          geophysical location information, tax identification numbers,  
          passport numbers, biometric information, health insurance  
          information, usernames or email addresses in combination with  
          passwords or other specified authentication credentials, and  
          signatures to the list of protected personal information.  This  
          bill also establishes certain minimum criteria for the  
          reasonable security procedures and practices that must be  
          followed, including identifying reasonably foreseeable internal  
          and external risks and regularly assessing the sufficiency of  
          security safeguards in place to control those risks.

                                                                      AB 83 
                                                                    Page  2


          ANALYSIS:
               
          Existing law:

          1)Provides, in the California Constitution, that all people are  
            by nature free and independent and have inalienable rights.   
            Among these are enjoying and defending life and liberty,  
            acquiring, possessing, and protecting property, and pursuing  
            and obtaining safety, happiness, and privacy.  (Cal. Const,  
            art. I, Sec. 1.)

          2)Requires state agencies, under the Information Practices Act  
            (IPA), to establish appropriate and reasonable administrative,  
            technical, and physical safeguards to ensure compliance with  
            the IPA, to ensure the security and confidentiality of  
            records, and to protect against anticipated threats or hazards  
            to their security or integrity which could result in any  
            injury.  (Civ. Code Sec. 1798.21.)

          3)Requires a business that owns, licenses, or maintains personal  
            information about a California resident to implement and  
            maintain reasonable security procedures and practices  
            appropriate to the nature of the information, to protect the  
            personal information from unauthorized access, destruction,  
            use, modification, or disclosure.  (Civ. Code Sec.  
            1798.81.5(b).)

          4)Requires a business that discloses personal information about  
            a California resident pursuant to a contract with a  
            nonaffiliated third party that is not subject to the  
            restriction above to require by contract that the third party  
            implement and maintain reasonable security procedures and  
            practices appropriate to the nature of the information, to  
            protect the personal information from unauthorized access,  
            destruction, use, modification, or disclosure.  (Civ. Code  
            Sec. 1798.81.5(c).)

          5)Defines "personal information" to mean an individual's first  
            name or first initial and his or her last name in combination  
            with any one or more of the following data elements, when  
            either the name or the data elements are not encrypted or  
            redacted:

                 Social security number;

                 Driver's license number or California identification  
               card number;

                 Account number, credit or debit card number, in  
               combination with any required security code, access code,  
               or password that would permit access to an individual's  
               financial account; and

                 Medical information, as specified.  (Civ. Code Sec.  
               1798.81.5(d).)

          6)States that "personal information" does not include publicly  
            available information that is lawfully made available to the  
            general public from federal, state, or local government  
            records.  (Civ. Code Sec. 1798.81.5(d).)

          This bill:

          1)Specifies that "reasonable security procedures and practices"  
            as they pertain to the storage and transmission of personal  
            information shall require, at a minimum, the security of that  
            information to the degree that any reasonably prudent business  
            would provide.

          2)Specifies that "reasonable security procedures and practices"  
            shall, at a minimum, require businesses to:

                 Identify reasonably foreseeable internal and external  
               risks to the privacy and security of personal information  
               that could result in the unauthorized disclosure, misuse,  
               alteration, destruction, or other compromise of the  
               information;

                 Establish, implement, and maintain safeguards reasonably  
               designed to ensure the security of the personal  
               information, including, but not limited to, protecting  
               against unauthorized loss, misuse, alteration, destruction,  
               access to, or use of the information;

                 Regularly assess the sufficiency of any safeguards in  
               place to control reasonably foreseeable internal and  
               external risks, and evaluate and adjust those safeguards in  
               light of the assessment; and

                 Evaluate and adjust any material changes in the  
               operations or business arrangements of the business, or any  
               other circumstances, that create a material impact on the  
               privacy or security of personal information under control  
               of the business.

          3)Provides that the reasonableness of the security procedures  
            and practices shall be determined in light of all of the  
            following:

                 The type of personal information under the business's  
               control;

                 The foreseeability of threats to the security of the  
               information;

                 The existence of widely accepted practices in  
               administrative, technical, and physical safeguards for  
               protecting personal information; and

                 The cost of implementing and regularly reviewing the  
               safeguards.

          4)Expands the definition of "personal information" to include  
            the following:

                 A tax identification number, passport number, or any  
               other unique government-issued identification number;

                 Geophysical location information;

                 Health insurance information;

                 Biometric information; 

                 A username or email address in combination with a  
               password or security question and answer that would permit  
               access to an online account; and

                 Signature.

          5)Defines "geophysical location information" to mean any location  
            data generated to assess the past or current location of, or  
            travel by, an individual, including but not limited to,  
            geographic coordinates, street address, or WiFi positioning  
            system.

          6)Defines "biometric information" to mean data generated by  
            automatic measurements of an individual's biological  
            characteristics that are used by the owner or licensee to  
            authenticate an individual's identity, such as a fingerprint,  
            voice print, eye retinas or irises, or other unique biological  
            characteristic.

          7)Defines "health insurance information" to mean an individual's  
            insurance policy number or subscriber identification number,  
            any unique identifier used by a health insurer to identify the  
            individual, or any information in an individual's application  
            and claims history, including any appeals records.

          Background
          
          In 2004, the Legislature enacted AB 1950 (Wiggins, Chapter 877,  
          Statutes of 2004), which established broadly applicable security  
          standards for the protection of personal information about  
          California residents that is owned or licensed by businesses.   
          Before AB 1950 became law, federal and state laws generally  
          provided only industry-specific requirements for the protection  
          of personal information.  For example, state medical privacy  
          laws like the Confidentiality of Medical Information Act (Civ.  
          Code Sec. 56 et seq.) govern the use and sharing of medical  
          information by health care entities, but do not regulate this  
          information when obtained by other businesses.

          AB 1950 required businesses that own or license personal  
          information -- including social security numbers, payment card  
          information, and medical information -- about a California  
          resident to implement and maintain reasonable security  
          procedures and practices appropriate to the nature of the  
          information, to protect the personal information from  
          unauthorized access, destruction, use, modification, or  
          disclosure.  Despite this requirement, the frequency at which  
          data breaches expose the personal information of California  
          residents has increased dramatically since 2004.  An October  
          2014 article in the Los Angeles Times made the following  
          observations about this trend:
            Data breaches soared last year in California as cybercriminals  
            leaped over digital security gates to endanger the personal  
            data of millions of consumers, California Atty. Gen. Kamala  
            Harris said.  Harris, in a report released Tuesday,  
            highlighted the effect that headline-producing data breaches  
            had on the Golden State: two massive hacks last year at Target  
            Corp. and daily deals website LivingSocial each hit roughly  
            7.5 million Californians.  In all, 18.5 million people in the  
            state had their data stolen last year, a more than 600  
            [percent] jump from 2012.  The number of breaches reported to  
            Harris' office climbed 28 [percent] to 167, and is expected to  
            rise again in 2014.  "Data breaches ... threaten the privacy,  
            the security and the economic well-being of consumers and  
            businesses," Harris said at a news conference in Los Angeles. 

            California residents aren't any more prone to data hijacking  
            than others, but an unusual state law requires businesses and  
            state agencies to notify customers of any breach involving  
            more than 500 accounts.  That law resulted in the California  
            Data Breach Report, which underscored the difficulties faced  
            by companies who are constantly racing against wily thieves to  
            secure sensitive information.  The parade of companies that  
            has been targeted recently by hackers includes Home Depot,  
            Michaels, Neiman Marcus and P.F. Chang's.

            Security experts predict that the number of breaches,  
            especially on a big scale, will keep growing.  "The data  
            breaches are going to continue and will probably get worse  
            with the short term," said Jim Penrose, former chief of the  
            Operational Discovery Center at the National Security Agency.
            . . .
            Harris said businesses need to adopt stronger encryption  
            technologies that safeguard sensitive consumer data.  And  
            retailers must make their breach notifications to consumers  
            more visible and should upgrade their systems to handle  
            payment cards equipped with microchips, which make cards more  
            difficult to counterfeit, Harris said.  (Shan Li and Andrew  
            Khouri, Data Breaches Jump in California and are Expected to  
            Keep Climbing, Los Angeles Times (Oct. 28, 2014)  
          procedures and practices" that businesses are mandated to  
          implement under existing law with respect to personal  
          information.  Recognizing the sensitivity of such information,  
          this bill also expands the definition of "personal information"  
          subject to protection to include tax identification numbers,  
          passport numbers, and any other unique government-issued  
          identification numbers; geophysical location information; health  
          insurance information; biometric information; usernames or email  
          addresses in combination with passwords or other specified  
          account credentials, and signatures.

          Comments
          
          According to the author:

            The California Information Practices Act of 1977 sets the  
            rules for the collection, maintenance and dissemination of  
            information that identifies an individual to guarantee that  
            privacy is protected to the greatest extent possible.   
            California's data protection statutes, among other things,  
            require businesses that own, license, or maintain personal  
            information about Californians to provide reasonable security  
            for that information.

            Before the United States was rocked by a December 2013 data  
            breach at Target stores that captured the information of  
            almost 40 million credit and debit cards, many consumers did  
            not think about the protection of their personal and  
            transaction data.  Since the Target incident, however, data  
            breaches have haunted consumers, businesses, and government  
            entities, alike.   

            While credit card information is valuable and breaches have  
            affected businesses like Home Depot, Neiman Marcus and JP  
            Morgan Chase, credit card information is not the only lure.   
            Hackers have hit different branches of California government,  
            including the Bureau of Automotive Repair, Mt. Diablo Unified  
            School District and the California Department of Public  
            Health.  In May 2014, hackers breached a database owned by  
            ride-sharing app Uber, which contained the names and drivers'  
            license numbers of 50,000 of its drivers.  Then, in November  
            2014, Sony hackers not only released five unreleased films,  
            but they also posted 47,000 employee Social Security numbers  
            online, which appeared on more than 600 publicly-posted files.  

            These numbers appeared with other personal information, such  
            as full names, dates of birth, and home addresses.  And, just  
            last February, 80 million Anthem clients had their names,  
            dates of birth, Social Security numbers, addresses, phone  
            numbers, email addresses and employment information stolen.  

            In today's world of computer and internet-based data storage,  
            no information is exempt or unattractive to those wanting to  
            breach our privacy and pry into our personal lives.  Consumers  
            need the assurance that their data is being stored at robust  
            standards that are as flexible and timely as the changing  
            technology landscape.

          Related/Prior Legislation
          
          AB 1541 (Committee on Privacy and Consumer Protection, Chapter  
          96, Statutes of 2015) adds health insurance information, as  
          defined, and a username or email address combined with a  
          password or security question and answer for access to an online  
          account, to the definition of "personal information" for which  
          businesses must implement and maintain reasonable security  
          procedures and practices to protect the information from  
          unauthorized access, destruction, use, modification, or  
          disclosure.

          AB 1710 (Dickinson, Chapter 855, Statutes of 2014) amended  
          California's Data Breach Notification Law to require a person or  
          business to offer appropriate identity theft prevention and  
          mitigation services to an affected person at no cost for not  
          less than 12 months if the person or business was the source of  
          a data breach.  The bill also prohibited the sale, advertisement  
          for sale, or offer to sell an individual's social security  
          number.

          AB 1950 (Wiggins, Chapter 877, Statutes of 2004) required a  
          business that owns or licenses personal information about a  
          California resident to implement and maintain reasonable  
          security procedures and practices to protect personal  
          information from unauthorized access, destruction, use,  
          modification, or disclosure.  AB 1950 also required a business  
          that discloses personal information to a nonaffiliated third  
          party to require by contract that those entities maintain  
          reasonable security procedures.

          FISCAL EFFECT:   Appropriation: No     Fiscal Com.: No     Local: No

          SUPPORT:   (Verified 7/7/15)

          California Credit Union League
          Privacy Rights Clearinghouse
          Utility Reform Network

          OPPOSITION:   (Verified 7/7/15)

          California Chamber of Commerce
          California Grocers Association
          California Retailers Association
          CTIA - The Wireless Association
          Direct Marketing Association
          TechNet 


          ARGUMENTS IN SUPPORT:     According to the Utility Reform  
          Network, AB 83 requires businesses that collect, maintain, or  
          disseminate information that identifies an individual to meet  
          stronger standards for protecting their stored data.   
          Specifically, this bill defines "private data" to include  
          medical information, financial information, geolocation or  
          travel information, and any combination of information that  
          identifies an individual - including a maiden name, social  
          security number or date of birth.  This bill then applies a  
          minimum standard for the security of this private data.  The  
          California Information Practices Act is meant to guarantee that  
          privacy is protected to the greatest extent possible.  AB 83  
          updates this Act to ensure that our privacy protection standards  
          continue to meet the highest standards.


          ARGUMENTS IN OPPOSITION:     According to the California Chamber  
          of Commerce, the current California data security statute  
          requires businesses to "implement and maintain reasonable  
          security procedures and practices" in order to protect a  
          consumer's personal information from unauthorized access,  
          destruction, use, modification, or disclosure.   This statute  
          is designed to protect highly sensitive personal data maintained  
          by businesses including social security numbers, health  
          information and financial account information.   AB 83  
          significantly broadens the scope of the definition of "personal  
          information" under this statute, thereby requiring businesses to  
          expand security resources and face increased litigation risk for  
          data that has not been included in other state or federal data  
          security proposals and is not sensitive for consumers.


          ASSEMBLY FLOOR:  66-4, 5/7/15
          AYES:  Achadjian, Alejo, Baker, Bigelow, Bloom, Bonilla, Bonta,  
            Brown, Burke, Calderon, Chang, Chau, Chávez, Chiu, Chu,  
            Cooley, Cooper, Dababneh, Daly, Dodd, Eggman, Frazier, Beth  
            Gaines, Cristina Garcia, Eduardo Garcia, Gatto, Gipson, Gomez,  
            Gonzalez, Gordon, Gray, Grove, Hadley, Holden, Irwin,  
            Jones-Sawyer, Lackey, Levine, Linder, Lopez, Low, Maienschein,  
            Mathis, Mayes, McCarty, Medina, Melendez, Mullin, Obernolte,  
            O'Donnell, Olsen, Perea, Quirk, Rendon, Ridley-Thomas,  
            Rodriguez, Salas, Santiago, Mark Stone, Thurmond, Ting, Weber,  
            Wilk, Williams, Wood, Atkins
          NOES:  Travis Allen, Jones, Kim, Patterson
          NO VOTE RECORDED:  Brough, Campos, Dahle, Gallagher, Harper,  
            Roger Hernández, Nazarian, Steinorth, Wagner, Waldron

          Prepared by: Tobias Halvarson / JUD. / (916) 651-4113
          7/15/15 16:47:02


                                   ****  END  ****