BILL ANALYSIS �Ó
AB 964
Page 1
ASSEMBLY THIRD READING
AB
964 (Chau)
As Amended May 13, 2015
Majority vote
-------------------------------------------------------------------
|Committee |Votes |Ayes |Noes |
| | | | |
| | | | |
|----------------+------+--------------------+----------------------|
|Privacy |7-1 |Gatto, Calderon, |Wilk |
| | |Chau, Cooper, | |
| | |Dababneh, Gordon, | |
| | |Low | |
| | | | |
|----------------+------+--------------------+----------------------|
|Appropriations |11-4 |Gomez, Bloom, |Bigelow, Chang, |
| | |Bonta, Calderon, |Gallagher, Wagner |
| | |Eggman, Eduardo | |
| | |Garcia, Holden, | |
| | |Quirk, Rendon, | |
| | |Weber, Wood | |
| | | | |
| | | | |
-------------------------------------------------------------------
SUMMARY: Requires data breach notifications made by businesses
and public agencies to include the date of discovery of the breach
in the notice to the Attorney General. Specifically, this bill:
�
AB 964
Page 2
1)Requires business and public agencies, for purposes of existing
data breach notification requirements, to include the date of
the discovery of the breach in the notice made to the Attorney
General.
2)Defines, for purposes of the existing data breach notification
requirements for businesses and public agencies, the term
"encrypted" to mean "rendered unusable, unreadable, or
indecipherable to an unauthorized person through a security
technology or methodology generally accepted in the field of
information security."
3)Makes other technical or non-substantive changes.
FISCAL EFFECT: According to the Assembly Appropriations
Committee, there is a negligible fiscal impact.
COMMENTS:
1)Purpose of this bill. This bill is intended to improve the
public tracking of data breaches by including the date of the
breach discovery in the required notice to the Attorney General,
while also providing a clarifying definition of the term
"encrypted." This bill also imposes a reasonableness
requirement on a business' efforts to respond to a breach before
notifying the victims. This bill is sponsored by the author.
2)Data breaches are a fast-growing threat. 2014 was a
record-setting year in terms of the number of security breaches
reported. According to a January 2015 report by the California
Attorney General's Office, 187 breaches were reported to the
California Department of Justice in 2014, compared to 167 in
�
AB 964
Page 3
2013 and 131 in 2012.
According to the Identity Theft Resource Center, there were 783
data breaches reported nationwide in 2014 - a 27.5% increase
over the previous year. The Privacy Rights Clearinghouse
reports that more than 815 million records have been compromised
in more than 4,489 publicly acknowledged data breaches since
2005.
3)Related legislation. AB 83 (Gatto) of the current legislative
session requires businesses that own or maintain personal
information to secure that data to the extent that any
"reasonably prudent business" would provide, and specifies
certain requirements and considerations that must be part of any
reasonable security procedures and practices. AB 83 is
currently pending referral in the Senate Rules Committee.
AB 259 (Dababneh) of the current legislative session requires a
public agency that is the source of a data breach to offer at
least 12 months of identity-theft prevention and mitigation
services at no cost to affected consumers. AB 259 is currently
pending in the Assembly Appropriations Committee.
SB 34 (Hill) of the current legislative session amends the Data
Breach Notification Law to add to the definition of "personal
information" any information or data collected through the use
or operation of an automated license plate recognition system.
SB 34 is currently pending on the Assembly Floor.
SB 570 (Jackson) of the current legislative session amends the
Data Breach Notification Law to revise the language of the
breach notification itself to make it clearer and more
conspicuous. SB 570 is currently pending on the Senate Floor.
�
AB 964
Page 4
4)Prior legislation. AB 1710 (Dickinson), Chapter 855, Statutes
of 2014, required, among other things, that businesses that
maintain, own or license the personal information of California
residents to use reasonable and appropriate security measures to
protect the information.
SB 24 (Simitian), Chapter 197, Statutes of 2011, standardized
the breach notification that an agency, person, or business must
issue in the event of a data breach, and required any agency,
person, or business that is required to issue a security breach
notification to more than 500 California residents to
electronically submit a single sample copy of that security
breach notification to the Attorney General.
AB 1950 (Wiggins), Chapter 877, Statutes of 2004, required a
business that owns or licenses personal information about a
California resident to implement and maintain reasonable
security procedures and practices to protect personal
information from unauthorized access, destruction, use,
modification, or disclosure.
SB 1386 (Peace), Chapter 915, Statutes of 2002, enacted
California's Data Breach Notification Law.
Analysis Prepared by:
Hank Dempsey / P. & C.P. / (916) 319-2200 FN:
0000462
�
AB 964
Page 5