BILL ANALYSIS Ó AB 964 Page 1 ASSEMBLY THIRD READING AB 964 (Chau) As Amended May 28, 2015 Majority vote ----------------------------------------------------------------- |Committee |Votes |Ayes |Noes | | | | | | | | | | | |----------------+------+--------------------+--------------------| |Privacy |7-1 |Gatto, Calderon, |Wilk | | | |Chau, Cooper, | | | | |Dababneh, Gordon, | | | | |Low | | | | | | | |----------------+------+--------------------+--------------------| |Appropriations |11-4 |Gomez, Bloom, |Bigelow, Chang, | | | |Bonta, Calderon, |Gallagher, Wagner | | | |Eggman, Eduardo | | | | |Garcia, Holden, | | | | |Quirk, Rendon, | | | | |Weber, Wood | | | | | | | | | | | | ----------------------------------------------------------------- SUMMARY: Defines, for purposes of the existing data breach notification requirements for businesses and public agencies, the term "encrypted" to mean "rendered unusable, unreadable, or indecipherable to an unauthorized person through a security AB 964 Page 2 technology or methodology generally accepted in the field of information security." FISCAL EFFECT: According to the Assembly Appropriations Committee, there is a negligible fiscal impact. COMMENTS: 1)Data breaches are a fast-growing threat. 2014 was a record-setting year in terms of the number of security breaches reported. According to a January 2015 report by the California Attorney General's Office, 187 breaches were reported to the California Department of Justice in 2014, compared to 167 in 2013 and 131 in 2012. According to the Identity Theft Resource Center, there were 783 data breaches reported nationwide in 2014 - a 27.5% increase over the previous year. The Privacy Rights Clearinghouse reports that more than 815 million records have been compromised in more than 4,489 publicly acknowledged data breaches since 2005. 2)Related legislation. AB 83 (Gatto) of the current legislative session requires businesses that own or maintain personal information to secure that data to the extent that any "reasonably prudent business" would provide, and specifies certain requirements and considerations that must be part of any reasonable security procedures and practices. AB 83 is pending in the Senate Judiciary Committee. AB 259 (Dababneh) of the current legislative session requires a public agency that is the source of a data breach to offer at least 12 months of identity-theft prevention and mitigation services at no cost to affected consumers. AB 259 is pending on the suspense file in the Assembly Appropriations Committee. SB 34 (Hill) of the current legislative session amends the Data Breach Notification Law to add to the definition of "personal AB 964 Page 3 information" any information or data collected through the use or operation of an automated license plate recognition system. SB 34 is pending in the Assembly Transportation Committee. SB 570 (Jackson) of the current legislative session amends the Data Breach Notification Law to revise the language of the breach notification itself to make it clearer and more conspicuous. SB 570 is pending on the Senate Floor. 3)Prior legislation. AB 1710 (Dickinson), Chapter 855, Statutes of 2014, required, among other things, that businesses that maintain, own or license the personal information of California residents to use reasonable and appropriate security measures to protect the information. AB 1950 (Wiggins), Chapter 877, Statutes of 2004, required a business that owns or licenses personal information about a California resident to implement and maintain reasonable security procedures and practices to protect personal information from unauthorized access, destruction, use, modification, or disclosure. SB 1386 (Peace), Chapter 915, Statutes of 2002, enacted California's Data Breach Notification Law. Analysis Prepared by: Hank Dempsey / P. & C.P. / (916) 319-2200 FN: 0000549 AB 964 Page 4