BILL ANALYSIS



                                                                     AB 964


                                                                    Page  1





          Date of Hearing:  April 30, 2015


                ASSEMBLY COMMITTEE ON PRIVACY AND CONSUMER PROTECTION


                                  Mike Gatto, Chair


          AB 964  
           (Chau) - As Amended April 23, 2015


          SUBJECT:  Civil law:  privacy


          SUMMARY:  Requires data breach notifications made by businesses  
          and public agencies to include the date of discovery of the  
          breach in the notice to the Attorney General.  Specifically,  
          this bill:  


          1) Requires businesses and public agencies, for purposes of
            existing data breach notification requirements, to include the
            date of the discovery of the breach in the notice made to the
            Attorney General.


          2) Defines, for purposes of the existing data breach notification
            requirements for businesses and public agencies, the term  
            "encrypted" to mean "rendered unusable, unreadable, or  
            indecipherable through a security technology or methodology  
            generally accepted in the field of information security."


          3) Imposes a reasonableness standard on the extent of the
            measures necessary to determine the scope of a breach and  
            restore the reasonable integrity of the data system, which are  
            currently grounds for delay of the disclosure. 

          4) Makes other technical or non-substantive changes.


          EXISTING LAW:  


          1) Requires a public agency, or a person or business conducting
            business in California, that owns or licenses computerized  
            data that includes personal information to disclose a breach  
            of the security of the system or data following discovery or  
            notification of the security breach, to any California  
            resident whose unencrypted personal information was, or is  
            reasonably believed to have been, acquired by an unauthorized  
            person.  (Civil Code (CC) Section 1798.29; CC 1798.82)


           
          2) Requires the disclosure to be made in the most expedient time
            possible and without unreasonable delay, consistent with the  
            legitimate needs of law enforcement, or any measures necessary  
            to determine the scope of the breach and restore the  
            reasonable integrity of the data system.  (CC 1798.29(a); CC  
            1798.82(a))



          3) Requires a public agency, or a person or business conducting
            business in California, that is required to issue a security  
            breach notification to more than 500 California residents as a  
            result of a single breach of the security system, to  
            electronically submit that security breach notification to the  
            Attorney General as well.  (CC 1798.29(e); CC 1798.82(f))  

          4) Defines "personal information," for purposes of the breach
            notification statute, to include the individual's first name  
            or first initial and last name in combination with one or more  
            of the following data elements, when either the name or the  
            data elements are not encrypted: Social Security number;  
            driver's license number or California Identification Card  
            number; account number, credit or debit card number, in  
            combination with any required security code, access code, or  
            password that would permit access to an individual's financial  
            account; medical information; or health insurance information.  
             Personal information also includes a user name or email  
            address, in combination with a password or security question  
            and answer that would permit access to an online account.  (CC  
            1798.29(g); CC 1798.82(h))



          5) Defines "personal information," for purposes of the breach
            notification statute, to exclude publicly available  
            information that is lawfully made available to the general  
            public from federal, state, or local government records.  (CC  
            1798.29(h); CC 1798.82(i))

          FISCAL EFFECT:  Unknown


          COMMENTS:  


           1) Purpose of this bill.  This bill is intended to improve the
            public tracking of data breaches by including the date of the  
            breach discovery in the required notice to the Attorney  
            General, while also providing a clarifying definition of the  
            term "encrypted."  The bill also imposes a reasonableness  
            requirement on a business' efforts to respond to a breach  
            before notifying the victims.  AB 964 is author-sponsored.

           2) Author's statement.  According to the author, "any person or
            business or state agency that is required to issue a security
            breach notification to more than 500 California residents as a
            result of a single breach of the security system shall
            electronically submit a single sample copy of that security
            breach notification ... to the Attorney General ...  Currently, when
            businesses and state agencies submit their sample copy of the
            security breach notification they do so through a form which
            provides the option and place to enter 'Date of Discovery of
            Breach.'  The date of discovery of breach is important,
            because it starts the clock for notice to a consumer."



          "Furthermore, under current law, if the personal information
            that was stolen was encrypted, businesses and agencies are not
            required to provide notice.  This provision serves to
            encourage businesses and agencies who store personal
            information to adopt encryption so that if information is
            stolen, that information would be deemed less vulnerable to
            abuse.  However, encryption is not clearly defined in statute."



           3) Data breaches are a fast-growing threat.  2014 was a
            record-setting year in terms of the number of security  
            breaches reported.  According to a January 2015 report by the  
            California Attorney General's Office, 187 breaches were  
            reported to the California Department of Justice in 2014,  
            compared to 167 in 2013 and 131 in 2012.  

          According to the Identity Theft Resource Center, there were 783  
            data breaches reported nationwide in 2014 - a 27.5% increase  
            over the previous year.  The Privacy Rights Clearinghouse  
            reports that more than 815 million records have been  
            compromised in more than 4,489 publicly acknowledged data  
            breaches since 2005.

           4) California's Data Breach Notification Law.  California's Data
            Breach Notification Law requires, in part, that public
            agencies and businesses notify California residents of
            security breaches if their unencrypted personal information
            was, or was reasonably believed to have been, accessed by an
            unauthorized person.

          "Personal information" is defined as a person's first name or
            first initial and last name in combination with one or more of  
            the following data elements, when either the name or the data  
            elements are not encrypted:  Social Security number; driver's  
            license number or California identification card number;  
            account number, credit or debit card number, in combination  
            with any required security code, access code, or password;  
            medical information; or, health insurance information.   
            Personal information also includes "a user name or email  
            address in combination with a password or security question  
            and answer that would permit access to an online account."   

          The disclosure must be made in "the most expedient time possible
            and without unreasonable delay," and must also be "consistent
            with the legitimate needs of law enforcement ... or any measures
            necessary to determine the scope of the breach and restore the
            reasonable integrity of the data system."  An agency or business
            whose breach affects more than 500 California residents must
            also submit a single copy of the notification to the Attorney
            General.

          While the law contains multiple provisions that speak to the  
            content of the notice, the notice itself may be written or  
            electronic.  Businesses may also provide "substitute" notice  
            in cases where the cost of notice exceeds $250,000, affects  
            more than 500,000 people, or where there is insufficient  
            contact information.  A substitute notice includes an email  
            notice where possible, plus conspicuous posting on the  
            business' website and notification to statewide media.   
            Companies may also use their own notification procedures  
            instead, if those procedures are otherwise consistent with the  
            timing requirements of the law.

          Provisions of the notification law cannot be waived, and any  
            customer injured by a violation has a right to bring suit in  
            civil court for an injunction and for any damages, attorney's  
            fees and court costs.   



           5) Technical amendment.  According to the author's office, the
            inclusion of the word "reasonably" as a qualifier for the  
            measures a business may take to respond to a breach and  
            thereby delay notification was a drafting error on the part of  
            Legislative Counsel.  The term should be removed to properly  
            reflect the intent of the author and to prevent further  
            differentiation between the data breach provisions for  
            businesses and those for public agencies.

              On page 7, line 4, strike the word "reasonably"





           6) Related legislation.  AB 83 (Gatto) requires businesses that
            own or maintain personal information to secure that data to  
            the extent that any 'reasonably prudent business' would  
            provide, and specifies certain requirements and considerations  
            that must be part of any reasonable security procedures and  
            practices.  AB 83 is currently pending in the Assembly Privacy  
            and Consumer Protection Committee.  

          AB 259 (Dababneh) requires a public agency that is the source of  
            a data breach to offer at least 12 months of identity-theft  
            prevention and mitigation services at no cost to affected  
            consumers.  AB 259 is currently on the Suspense File in the  
            Assembly Appropriations Committee.

            SB 34 (Hill) amends the Data Breach Notification Law to add to
            the definition of "personal information" any information or
            data collected through the use or operation of an automated
            license plate recognition system.  SB 34 is currently pending
            in the Senate Appropriations Committee.


            SB 570 (Jackson) amends the Data Breach Notification Law to  
            revise the language of the breach notification itself to make  
            it clearer and more conspicuous.  SB 570 is currently pending  
            in the Senate Judiciary Committee. 


           7) Prior legislation.  AB 1710 (Dickinson and Wieckowski),
            Chapter 855, Statutes of 2014, required, among other things,  
            that businesses that maintain, own or license the personal  
            information of California residents to use reasonable and  
            appropriate security measures to protect the information.   



            SB 46 (Corbett), Chapter 396, Statutes of 2013, revised  
            certain data elements included within the definition of  
            personal information under California's Data Breach  
            Notification Law to include online account information.  


            SB 24 (Simitian), Chapter 197, Statutes of 2011, standardized  
            the breach notification that an agency, person, or business  
            must issue in the event of a data breach, and required any  
            agency, person, or business that is required to issue a  
            security breach notification to more than 500 California  
            residents to electronically submit a single sample copy of  
            that security breach notification to the Attorney General.


            AB 1950 (Wiggins), Chapter 877, Statutes of 2004, required a  
            business that owns or licenses personal information about a  
            California resident to implement and maintain reasonable  
            security procedures and practices to protect personal  
            information from unauthorized access, destruction, use,  
            modification, or disclosure.  AB 1950 also required a business  
            that discloses personal information to a nonaffiliated third  
            party to require by contract that those entities maintain  
            reasonable security procedures.


            SB 1386 (Peace), Chapter 915, Statutes of 2002, enacted  
            California's Data Breach Notification Law, requiring a state  
            agency, a person or business that conducts business in  
            California that owns or licenses computerized data that  
            includes personal information to disclose in specified ways,  
            any breach of the security of the data, as to any resident of  
            California whose unencrypted personal information was or is  
            reasonably believed to have been acquired by an unauthorized  
            person.



          REGISTERED SUPPORT / OPPOSITION:




          Support


          None received.




          Opposition


          America's Health Insurance Plans   (3/26/15 version)

          California Bankers Association     (3/26/15 version)


          California Chamber of Commerce     (3/26/15 version)


          California Credit Union League     (3/26/15 version)


          California Grocers Association     (3/26/15 version)


          California Hospital Association    (3/26/15 version)


          California Land Title Association  (3/26/15 version)


          California Medical Association     (3/26/15 version)


          California Retailers Association   (3/26/15 version)


          CTIA - The Wireless Association    (3/26/15 version)


          Direct Marketing Association       (3/26/15 version)


          Internet Association               (3/26/15 version)




          Analysis Prepared by: Hank Dempsey / P. & C.P. / (916) 319-2200