BILL ANALYSIS
SENATE JUDICIARY COMMITTEE
Senator Hannah-Beth Jackson, Chair
2015-2016 Regular Session
AB 83 (Gatto)
Version: August 19, 2016
Hearing Date: August 24, 2016
Fiscal: No
Urgency: No
PURSUANT TO SENATE RULE 29.10
SUBJECT
Personal Data
DESCRIPTION
This bill modifies the scope of "personal information" for which
businesses must implement and maintain reasonable security
procedures and practices in order to protect the information
from unauthorized access, destruction, use, modification, or
disclosure. Specifically, this bill adds geolocation
information, tax identification numbers, passport numbers,
biometric information, military identification numbers, and
government issued employment identification numbers, to the list
of protected personal information. This bill reduces the scope
of protected personal information that falls within the
definition of "health insurance information," and expands the
scope of personal information excluded from these protections
when the information has been made publicly available. This
bill also specifies certain criteria for determining the
reasonableness of security procedures and practices, including
the cost of implementing these procedures and practices, and the
size of the business tasked with such responsibilities.
BACKGROUND
In 2004, the Legislature enacted AB 1950 (Wiggins, Ch. 877,
Stats. 2004), which established broadly applicable security
standards for the protection of personal information about
California residents that is owned or leased by businesses.
Before AB 1950 became law, federal and state laws generally
provided only industry-specific requirements for the protection
of personal information. For example, state medical privacy
laws like the Confidentiality of Medical Information Act (Civ.
Code Sec. 56 et seq.) govern the use and sharing of medical
information by health care entities, but do not regulate this
information when obtained by other businesses.
AB 1950 required businesses that own or license personal
information -- including social security numbers, payment card
information, and medical information -- about a California
resident to implement and maintain reasonable security
procedures and practices appropriate to the nature of the
information, to protect the personal information from
unauthorized access, destruction, use, modification, or
disclosure. Despite this requirement, the frequency at which
data breaches expose the personal information of California
residents has increased dramatically since 2004. An October
2014 article in the Los Angeles Times made the following
observations about this trend:
Data breaches soared last year in California as cybercriminals
leaped over digital security gates to endanger the personal
data of millions of consumers, California Atty. Gen. Kamala
Harris said. Harris, in a report released Tuesday,
highlighted the effect that headline-producing data breaches
had on the Golden State: two massive hacks last year at Target
Corp. and daily deals website LivingSocial each hit roughly
7.5 million Californians. In all, 18.5 million people in the
state had their data stolen last year, a more than 600
[percent] jump from 2012. The number of breaches reported to
Harris' office climbed 28 [percent] to 167, and is expected to
rise again in 2014. "Data breaches . . . threaten the privacy,
the security and the economic well-being of consumers and
businesses," Harris said at a news conference in Los Angeles.
California residents aren't any more prone to data hijacking
than others, but an unusual state law requires businesses and
state agencies to notify customers of any breach involving
more than 500 accounts. That law resulted in the California
Data Breach Report, which underscored the difficulties faced
by companies who are constantly racing against wily thieves to
secure sensitive information. The parade of companies that
has been targeted recently by hackers includes Home Depot,
Michaels, Neiman Marcus and P.F. Chang's.
Security experts predict that the number of breaches,
especially on a big scale, will keep growing. "The data
breaches are going to continue and will probably get worse
with the short term," said Jim Penrose, former chief of the
Operational Discovery Center at the National Security Agency.
. . .
Harris said businesses need to adopt stronger encryption
technologies that safeguard sensitive consumer data. And
retailers must make their breach notifications to consumers
more visible and should upgrade their systems to handle
payment cards equipped with microchips, which make cards more
difficult to counterfeit, Harris said. (Shan Li and Andrew
Khouri, Data Breaches Jump in California and are Expected to
Keep Climbing, Los Angeles Times (Oct. 28, 2014)
[as of Aug. 22, 2016].)
This bill responds to the growing frequency of data breaches by
adding additional requirements to the "reasonable security
procedures and practices" that businesses are mandated to
implement under existing law with respect to personal
information. This bill also adds new categories of personal
information subject to protection, including individual tax
identification numbers, passport numbers, military
identification numbers, government issued employment
identification numbers, geolocation information, and biometric
information.
An earlier version of this bill was heard by this Committee on
July 7, 2016, and was approved on a vote of 5-1. This bill was
subsequently amended and has been re-referred to this Committee
pursuant to Senate Rule 29.10.
CHANGES TO EXISTING LAW
Existing law, the California Constitution, provides that all
people are by nature free and independent and have inalienable
rights. Among these are enjoying and defending life and
liberty, acquiring, possessing, and protecting property, and
pursuing and obtaining safety, happiness, and privacy. (Cal.
Const., art. I, Sec. 1.)
Existing law requires state agencies, under the Information
Practices Act (IPA), to establish appropriate and reasonable
administrative, technical, and physical safeguards to ensure
compliance with the IPA, to ensure the security and
confidentiality of records, and to protect against anticipated
threats or hazards to their security or integrity which could
result in any injury. (Civ. Code Sec. 1798.21.)
Existing law requires a business that owns, licenses, or
maintains personal information about a California resident to
implement and maintain reasonable security procedures and
practices appropriate to the nature of the information, to
protect the personal information from unauthorized access,
destruction, use, modification, or disclosure. (Civ. Code Sec.
1798.81.5(b).)
Existing law requires a business that discloses personal
information about a California resident pursuant to a contract
with a nonaffiliated third party that is not subject to the
restriction above to require by contract that the third party
implement and maintain reasonable security procedures and
practices appropriate to the nature of the information, to
protect the personal information from unauthorized access,
destruction, use, modification, or disclosure. (Civ. Code Sec.
1798.81.5(c).)
Existing law defines "personal information" to mean an
individual's first name or first initial and his or her last
name in combination with any one or more of the following data
elements, when either the name or the data elements are not
encrypted or redacted:
social security number;
driver's license number or California identification card
number;
account number, credit or debit card number, in combination
with any required security code, access code, or password that
would permit access to an individual's financial account;
medical information; and
health insurance information. (Civ. Code Sec. 1798.81.5(d).)
Existing law specifies that "personal information" also includes
a username or email address in combination with a password or
security question and answer that would permit access to an
online account. (Civ. Code Sec. 1798.81.5(d).)
Existing law states that "personal information" does not include
publicly available information that is lawfully made available
to the general public from federal, state, or local government
records. (Civ. Code Sec. 1798.81.5(d).)
This bill modifies the above provision to state that "personal
information" does not include publicly available information
that is lawfully made available to the general public.
This bill expands the definition of "personal information" to
include the following:
an individual tax identification number, passport number,
military identification number, or government issued
employment identification number;
geolocation information; and
biometric information.
This bill states that for purposes of the above provisions,
"reasonable security procedures and practices" as they pertain
to the storage and transmission of personal information shall
require the security of that information to the degree that any
reasonably prudent business would provide, including undertaking
reasonable efforts, appropriate to the nature of the
information, to:
identify reasonably foreseeable internal and external risks to
the security of personal information that could result in the
unauthorized disclosure, misuse, alteration, destruction, or
other compromise of the information; and
establish, implement, and maintain safeguards reasonably
designed to secure the personal information, including, but
not limited to, protecting against unauthorized access,
acquisition, destruction, use, modification, or disclosure of
the information; and
regularly assess the sufficiency of these safeguards to
control reasonably foreseeable internal and external risks,
and evaluate and adjust those safeguards in light of the
assessment.
This bill states that the reasonableness of the security
procedures and practices appropriate to the nature of the
information shall be determined in light of all of the
following:
the type of personal information under the business's control;
the foreseeability of threats to the security of the
information;
the existence of widely accepted practices in administrative,
technical, and physical safeguards for protecting personal
information;
the cost of implementing and regularly assessing the
safeguards; and
the size of the business.
This bill defines "geolocation information" to mean location
data generated by a consumer device capable of connecting to the
Internet that directly identifies the precise physical location
of the identified individual at particular times and that is
compiled and retained. This bill specifies that geolocation
information does not include the contents of a communication or
information used solely for 911 emergency purposes.
This bill defines "biometric information" to mean data generated
by automatic measurements of an individual's fingerprint, voice
print, eye retinas or irises, identifying DNA information, or
unique facial characteristics, which are used by the owner or
licensee to uniquely authenticate an individual's identity.
This bill modifies the definition of "health insurance
information" to mean an individual's health insurance policy
number or subscriber identification number, any unique
identifier used by a health insurer to identify the individual,
or any medical information in an individual's insurance
application and claims history, including any appeals records.
COMMENT
1. Stated need for the bill
According to the author:
The California Information Practices Act of 1977 sets the
rules for the collection, maintenance and dissemination of
information that identifies an individual to guarantee that
privacy is protected to the greatest extent possible.
California's data protection statutes, among other things,
require businesses that own, license, or maintain personal
information about Californians to provide reasonable security
for that information.
Before the United States was rocked by a December 2013 data
breach at Target stores that captured the information of
almost 40 million credit and debit cards, many consumers did
not think about the protection of their personal and
transaction data. Since the Target incident, however, data
breaches have haunted consumers, businesses, and government
entities, alike.
While credit card information is valuable and breaches have
affected businesses like Home Depot, Neiman Marcus and JP
Morgan Chase, credit card information is not the only lure.
Hackers have hit different branches of California government,
including the Bureau of Automotive Repair, Mt. Diablo Unified
School District and the California Department of Public
Health. In May 2014, hackers breached a database owned by
ride-sharing app Uber, which contained the names and drivers'
license numbers of 50,000 of its drivers. Then, in November
2014, Sony hackers not only released five unreleased films,
but they also posted 47,000 employee Social Security numbers
online, which appeared on more than 600 publicly-posted files.
These numbers appeared with other personal information, such
as full names, dates of birth, and home addresses.
One of the most alarming parts of increasingly-frequent
cyberattacks is the risk of breached biometric information,
which entities and businesses are storing at an alarming rate.
In 2013, a German hacking group discovered how to breach
Apple's biometric security system using a high-resolution
image of a fingerprint, and in 2015, the Federal Office of
Personnel Management revealed that 5.6 million people's
fingerprints were stolen as part of a larger breach. While
biometric information makes it easier to prove and
authenticate your own identity, coupled with it are increased
security concerns. Unlike a debit card, password or even
social security number, an individual's fingerprint, iris
pattern, or voice print cannot be changed with the stroke of a
keyboard.
In today's world of computer and internet-based data storage,
no information is exempt or unattractive to those wanting to
breach our privacy and pry into our personal lives. Consumers
need the assurance that their data is being stored at robust
standards that are as flexible and timely as the changing
technology landscape.
2. Fundamental right to privacy
The right to privacy is a fundamental right protected by article
I, section 1 of the California Constitution. The Legislature
has expressly declared that "all individuals have a right of
privacy in information pertaining to them," and has found that:
(1) The right to privacy is being threatened by the
indiscriminate collection, maintenance, and dissemination of
personal information and the lack of effective laws and legal
remedies.
(2) The increasing use of computers and other sophisticated
information technology has greatly magnified the potential
risk to individual privacy that can occur from the maintenance
of personal information.
(3) In order to protect the privacy of individuals, it is
necessary that the maintenance and dissemination of personal
information be subject to strict limits. (Civ. Code Sec.
1798.1.)
This bill seeks to build upon the fundamental right to privacy
by expanding the scope of personal information required to be
kept reasonably secure under existing law. The Civil Code
imposes a general obligation on all businesses "to implement and
maintain reasonable security procedures and practices." (Civ.
Code Sec. 1798.81.5(b).) Already, businesses must reasonably
protect California residents' social security numbers, driver's
license or California ID card numbers, financial account
numbers, and medical information from unauthorized access and
use. This bill would add, among other things, individual tax
identification numbers, passport numbers, geolocation
information, and biometric information to the list of protected
"personal information."
As authentication technologies move beyond usernames and
passwords, the use of biometric information to secure sensitive
accounts and computer systems is likely to grow, making it an
attractive target for hackers. Personal information like tax
identification numbers, passport numbers, and other
government-issued ID numbers, may be used by some to commit
identity theft. And locational information, particularly that
which covers a long time period, could be used to learn a great
deal of sensitive information about a person. As the U.S.
Supreme Court recently noted, this sort of information could
enable one to "ascertain, more or less at will, [the] political
and religious beliefs, sexual habits, and so on" of an
individual. (United States v. Jones (2012) 132 S. Ct. 945,
955-956 [internal citations and quotation marks omitted].)
Adding these additional classes of data to the existing list of
personal information subject to reasonable security protection
will help ensure that Californians' fundamental right to privacy
is protected.
3. Limiting existing protections
While certain aspects of this bill enhance the protection of
sensitive personal information, other recently amended sections
of the bill could greatly reduce or limit the scope of existing
protections. Under existing law, for example, personal
information exempted from the data security standards in this
section of the Civil Code includes publicly available
information that is lawfully made available to the general
public from federal, state, or local government records. This
bill would enlarge the scope of personal information subject to
this exemption beyond government records to include "publicly
available information that is lawfully made available to the
general public." Such a change, without further clarification,
could greatly enlarge the scope of information subject to the
current "public records" exemption. According to a coalition of
privacy organizations opposed to the amended version of this
bill:
[e]xcept where existing law specifically prohibits disclosure
of certain types of personal information, this information
could otherwise be made lawfully available to the general
public and would therefore no longer be considered personal
information . . . This revised definition would mean that
personal information from social media accounts, fitness
applications, and even other more sensitive personal health
and educational data would be exempt from the protections
outlined in both the current law and the proposed amendments.
The exemption also implicates information that someone could
observe from the street, such as a person's entrance to an AA
meeting, placing it outside the definition of personal
information. This change to existing law would represent an
enormous step backwards for California's consumer privacy and
protection laws.
Recent amendments to this bill also re-define the term "health
insurance information" - a category of personal information
protected under existing law - in a manner that restricts the
scope of personal information subject to protection. According
to the opposition coalition:
[c]urrent law defines all information contained in an
individual's insurance application and claims history -- not
only that which is purely medical in nature -- as personal
health insurance information. Such documents contain a wealth
of personal information and, as such, are afforded protections
under current law. Recent amendments to AB 83, however, limit
the definition of health insurance information only to include
the specific "medical" information, thereby narrowing the
scope of information afforded these protections by removing
existing protections for other sensitive information included
as part of an individual's health insurance information.
4. Improved data security standards
Existing law requires businesses that own, license, or maintain
personal information to implement and maintain reasonable
security procedures and practices to protect the information
from unauthorized access, destruction, use, modification, or
disclosure. (Civ. Code Sec. 1798.81.5(b).) This bill would
refine this existing duty by providing businesses with guidance
on what constitutes "reasonable security procedures and
practices." Specifically, this bill would require businesses to
identify reasonably foreseeable internal and external risks to
the security of personal information, and to establish,
implement, and maintain safeguards reasonably designed to ensure
the security of that information, as soon as such information is
acquired. More importantly, this bill would place a continuing
duty on businesses to regularly assess the sufficiency of the
safeguards in place to control reasonably foreseeable internal
and external risks, to evaluate and adjust those safeguards in
light of the assessment.
As the recent data breach at the Office of Personnel Management
made clear,<1> even state-of-the-art data security systems must
continually assess their vulnerability to unauthorized
penetration and intrusion, especially when faced with persistent
threats. This bill would require businesses that own, license,
---------------------------
<1> Last year, the Office of Personnel Management suffered a
massive data breach that revealed the personal information of an
estimated 4 to 18 million federal workers, including many with
secret-level security clearances. (See Adam Elkus, The
Devastating Breach of US Government Data Highlights an Illusory
Cybersecurity Paradox, Business Insider (Jun. 18, 2015)
[as of Aug. 23, 2016].)
or maintain personal information about California residents to
regularly evaluate the security procedures and practices they
use to protect that information in light of reasonably
foreseeable threats. This continuing obligation would bring
California's business security standard more in-line with the
standard required of state agencies, which requires agencies to
establish appropriate and reasonable administrative, technical,
and physical safeguards to ensure the security and
confidentiality of records, and to protect against anticipated
threats or hazards to their security or integrity which could
result in injury. (Civ. Code Sec. 1798.21.)
5. Evaluating "reasonableness"
This bill, like existing law, requires businesses to implement
security procedures and practices that are "reasonable" in
nature. This bill would provide guidelines to help businesses
determine what security measures are reasonable by stating that
the reasonableness of security procedures and practices shall be
determined in light of the following:
the type of personal information under the business's control;
the foreseeability of threats to the security of the
information;
the existence of widely accepted practices in administrative,
technical, and physical safeguards for protecting personal
information; and
the cost of implementing and regularly assessing the
safeguards.
Although not set out explicitly in existing law, a reviewing
court would likely consider these factors, and others, when
determining whether a business has acted reasonably in
protecting the personal information of California residents.
Recent amendments, however, add a further condition to the
reasonableness of security practices and procedures based on the
size of the business holding personal information - a concept
that is completely new to California's data security law. Under
existing law, all businesses that hold covered personal
information are subject to the same standard of care for
securing that covered information, regardless of their size or
technological sophistication. To the extent standards of care
differ in this area of California law, they differ based upon
the nature of the information held and the related threat of
misappropriation or breach, recognizing that some additional
security measures may be needed to protect data that is more
valuable to a hacker or data thief because of its relative value
in the underground market for stolen information. Existing law
does not evaluate the reasonableness of security measures based
on the size of a business, its market capitalization, the
technological prowess of its employees, or any other factor
unrelated to the information itself. This proposed change to
the reasonableness standard, in effect, means that the same
sensitive information held by two different sized businesses
would receive different levels of protection, even though the
harm resulting from a breach would be the same. Such a change
could greatly expose Californians' personal information to
breach just because it happens to be held by, for example, a
small startup company instead of Amazon.com or Google.
6. Other opposition concerns
The coalition of privacy organizations opposed to this bill also
raise concerns with the proposed definitions of "geolocation"
and "biometric" information as modified by the latest round of
amendments. They write:
The definition of "geolocational information," as amended,
eliminates the clear language previously contained in the bill
and replaces it with a series of loopholes that exempt the
vast majority of geolocational tracking activities from
coverage under this bill. Specifically, the definition:
recognizes geolocation information only when that
information is generated by "a consumer device capable of
connecting to the internet." This definition exempts
information contained from cell phones and electronic
devices that do not directly connect to the internet.
Because this definition recognizes geolocation only when
that information is "generated by a consumer device," it
also exempts geolocational information or coordinates that
are collected from satellites and cell phone towers . . .
requires that the specific individual responsible for
generating the geolocational information must be directly
identifiable in order to be included in the definition.
This provides an enormous loophole in which businesses and
technology providers can claim they were unsure who
"specifically" was using a device or application at the
time the coordinates were generated . . .
requires that the information "directly identifies the
precise physical location of the identified individual at
particular times." With no definition of "precise,"
particularly when this language is coupled with "at
particular times," this language appears to exempt data
collected through approximate, but still easily
identifiable, coordinates, thereby creating another large
loophole.
requires that in order to be considered, the information
must be "compiled and retained" by the entity. Given that
neither of these words are defined, it is unclear who and
what would fall under the scope of this definition . . .
The definition appears to also exempt out data simply
collected through the use of a device or application and
immediately transferred to a third-party service provider,
implying that no one is responsible for securing the
information.
The definition of "biometric information" is similarly
problematic. It includes only a list of some types of
biometric information and is not representative of the broad
scope of biological and behavioral information used to
identify and authenticate individuals . . . The definition as
amended is extremely limited and will result in the same types
of data, with the same security implications, being subject to
different requirements based upon their intended use - even if
the data itself could in fact be used in the same manner.
Support: California Credit Union League; Utility Reform Network
Opposition: American Civil Liberties Union of California;
California Grocers Association; Consumer Federation of
California; CTIA - The Wireless Association; Direct Marketing
Association; Electronic Frontier Foundation; Privacy Rights
Clearinghouse; World Privacy Forum
HISTORY
Source: Author
Related Pending Legislation:
SB 1444 (Hertzberg, 2016) requires state agencies that own or
license computerized data that includes personal information to
prepare a security plan that details the agency's strategy to
respond to a security breach of that information and its
associated consequences. The bill lists certain minimum
requirements to be included in an agency's security plan,
including a requirement to inventory personal information stored
or transmitted by the agency and procedures for facilitating
communication between an incident response team, agency
officials, and individuals affected by a breach. The bill is on
the Senate inactive file.
Prior Legislation:
AB 1541 (Committee on Privacy and Consumer Protection, Ch. 96,
Stats. 2015) added health insurance information, as defined, and
a username or email address combined with a password or security
question and answer for access to an online account, to the
definition of "personal information" for which businesses must
implement and maintain reasonable security procedures and
practices to protect the information from unauthorized access,
destruction, use, modification, or disclosure.
AB 1710 (Dickinson, Ch. 855, Stats. 2014) amended California's
Data Breach Notification Law to require a person or business to
offer appropriate identity theft prevention and mitigation
services to an affected person at no cost for not less than 12
months if the person or business was the source of a data
breach. This bill also prohibited the sale, advertisement for
sale, or offer to sell an individual's social security number.
AB 1950 (Wiggins, Ch. 877, Stats. 2004) required a business that
owns or licenses personal information about a California
resident to implement and maintain reasonable security
procedures and practices to protect personal information from
unauthorized access, destruction, use, modification, or
disclosure. AB 1950 also required a business that discloses
personal information to a nonaffiliated third party to require
by contract that those entities maintain reasonable security
procedures.
Prior Vote:
Senate Judiciary Committee (Ayes 5, Noes 1)
Assembly Floor (Ayes 66, Noes 4)
Assembly Privacy and Consumer Protection Committee (Ayes 9, Noes
1)