BILL ANALYSIS





                             SENATE JUDICIARY COMMITTEE
                         Senator Hannah-Beth Jackson, Chair
                             2015-2016  Regular  Session


          AB 964 (Chau)
          Version: May 28, 2015
          Hearing Date: July 7, 2015
          Fiscal: No
          Urgency: No
          TH   


                                        SUBJECT

                                 Civil law: privacy

                                      DESCRIPTION  

          This bill would define "encrypted" as used in California's Data  
          Breach Notification Law to mean rendered unusable, unreadable,  
          or indecipherable to an unauthorized person through a security  
          technology or methodology generally accepted in the field of  
          information security.

                                      BACKGROUND  

          In 2003, California's first-in-the-nation data breach  
          notification law went into effect. (See Civ. Code Secs.  
          1798.29(a), 1798.82(a).)  Since that time, all but three states  
          have enacted similar security breach notification laws, and  
          governments around the world have or are considering enacting  
          such laws.  California's breach notification statute requires  
          state agencies, local agencies, and businesses to notify  
          residents when the security of their personal information is  
          breached.  This notification requirement ensures that residents  
          are made aware of a breach, thus allowing them to take  
          appropriate action to mitigate or prevent potential financial  
          losses due to fraudulent activity.

          When the Legislature enacted SB 1386 (Peace, Ch. 915, Stats.  
          2002) and created California's Data Breach Notification Law, the  
          law included a safe harbor that generally exempted the exposure  
          of encrypted personal information from the law's notification  
          provisions.  The inclusion of an encryption safe harbor was  
          meant to incentivize organizations to encrypt personal  
          information under their control.  However, the term "encryption"  
          was not defined in the original law, nor has it been defined by  
          subsequent legislation amending that part of the Civil Code.

          This bill would add a definition of "encrypted" to the Data  
          Breach Notification Law, specifying that it means to render  
          unusable, unreadable, or indecipherable to an unauthorized  
          person through a security technology or methodology generally  
          accepted in the field of information security.

                                CHANGES TO EXISTING LAW
           
          Existing law requires any agency, person, or business that owns  
          or licenses computerized data that includes personal information  
          to disclose a breach of the security of the system to any  
          California resident whose unencrypted personal information was,  
          or is reasonably believed to have been, acquired by an  
          unauthorized person.  The disclosure must be made in the most  
          expedient time possible and without unreasonable delay,  
          consistent with the legitimate needs of law enforcement, as  
          specified.  (Civ. Code Secs. 1798.29(a), (c) and 1798.82(a),  
          (c).)

          Existing law requires any agency, person, or business that  
          maintains computerized data that includes personal information  
          that the agency, person, or business does not own to notify the  
          owner or licensee of the information of any security breach  
          immediately following discovery if the personal information was,  
          or is reasonably believed to have been, acquired by an  
          unauthorized person.  (Civ. Code Secs. 1798.29(b), 1798.82(b).)

          Existing law defines "personal information," for purposes of the  
          breach notification statute, to include either a user name or  
          email address, in combination with a password or security  
          question and answer that would permit access to an online  
          account, or the individual's first name or first initial and  
          last name in combination with one or more of the following data  
          elements, when either the name or the data elements are not  
          encrypted: social security number; driver's license number or  
          California Identification Card number; account number, credit or  
          debit card number, in combination with any required security  
          code, access code, or password that would permit access to an  
          individual's financial account; medical information; or health  
          insurance information.  "Personal information" does not include  
          publicly available information that is lawfully made available  
          to the general public from federal, state, or local government  
          records.  (Civ. Code Secs. 1798.29(g) and (h); 1798.82(h) and  
          (i).)

          This bill would, for purposes of the above provisions, define  
          "encrypted" to mean rendered unusable, unreadable, or  
          indecipherable to an unauthorized person through a security  
          technology or methodology generally accepted in the field of  
          information security.

                                        COMMENT
           
           1. Stated need for the bill
           
          The author writes:

            California is a leader in protecting consumers and businesses  
            from emerging cyber threats.  In 2003, California was the  
            first state in the nation to pass a law that required  
            businesses to notify customers when their personal information  
            has been stolen in a data breach.  Data breaches involve  
            situations in which sensitive, protected or confidential data,  
            such as credit/debit card information, social security  
            numbers, and health records are stolen.

            As more and more of our personal information is used in the  
            course of our daily lives, data breaches have become an almost  
            common occurrence.  Recent data breaches on private and public  
            entities have shown us that these attacks are growing in  
            number and are becoming increasingly sophisticated.

            In 2012, California was home to 17 [percent] of the data  
            breaches recorded in the United States, the most in the  
            nation.  Even more troubling was the fact that, in 2013, the  
            number of breaches increased by 28 [percent]. Data breaches  
            pose a serious threat to governments, private industries, and  
            individuals.  Data breaches on public entities can put  
            critical infrastructures at risk from criminals and terrorist  
            activities.  In addition, private industries risk losing  
            corporate secrets and billions of dollars.  For consumers, the  
            loss of personal information can result in identity theft,  
            fraud, and personal embarrassment, all of which could take  
            years to repair and recover from, if ever.
            . . .
            [U]nder current law, if the personal information that was  
            stolen was encrypted, businesses are not required to provide  
            notice.  This provision serves to encourage businesses who  
            store personal information to adopt encryption so that if  
            information is stolen, that information would be deemed less  
            vulnerable to abuse.  However, encryption is not clearly  
            defined in statute.

            The bill would . . . clarify the statute by defining  
            "encrypted" to mean any data at issue that was rendered  
            unusable, unreadable, or indecipherable through a security  
            technology or methodology generally accepted in the field of  
            information security.

           2. Right to Privacy and Encryption
           
          California recognizes that the right to privacy is a fundamental  
          right, and has enshrined that right along with other fundamental  
          rights in article I, section 1 of the California Constitution.   
          The harm that can result from the theft of personal information  
          via a data breach threatens to undermine that fundamental right.  
          Unfortunately, because of the size of its economy and the  
          number of consumers, the data held by California businesses and  
          government agencies is frequently targeted by cyber criminals.   
          The Attorney General's 2014 California Data Breach Report found  
          that, in 2012, "17 percent of the data breaches recorded in the  
          United States took place in California - more than any other  
          state" and that "the number of reported breaches in California  
          increased by 28 percent in 2013."  (California Department of  
          Justice, California Data Breach Report (Oct. 2014)  
           [as of Jun. 23, 2015].)  The frequency  
          of data breaches in California and the threat that such breaches  
          pose to California residents makes timely and effective  
          notification of a breach a matter of critical importance.

          However, notification of data breaches involving encrypted  
          personal information has not traditionally raised the same  
          policy concerns.  This is because properly encrypted data is  
          much less valuable to whomever acquires it, since the encryption  
          functionally obscures the underlying data.  Indeed, "[m]any  
          security experts insist that there ought to be a carve-out that  
          would allow companies to avoid disclosure requirements in a  
          breach that exposes properly encrypted sensitive data."  (Brian  
          Krebs, Toward Better Privacy, Data Breach Laws  
           [as of Jun. 23, 2015].)  California's Data Breach  
          Disclosure Law has such an exception, stating that notice of a  
          breach must be made when "unencrypted personal information was,  
          or is reasonably believed to have been, acquired by an  
          unauthorized person."  (Civ. Code Secs. 1798.29(a), (c) and  
          1798.82(a), (c).)

          Existing law does not provide a definition of "encryption."   
          Taken to an extreme, encryption could be something as simple as  
          a shift cypher, where each letter in a word is replaced by  
          another letter some fixed number of positions down the alphabet.  
          This bill would create a definition of "encryption," adapted  
          from an amendment to the Health Insurance Portability and  
          Accountability Act of 1996 (HIPAA; Pub.L. 104-191, 110 Stat.  
          1936),<1> that provides businesses and government agencies with  
          some basic guidance as to the type of encryption that must be  
          used to take advantage of the Data Breach Disclosure Law's  
          notification safe harbor.
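          The shift cipher point can be shown concretely.  The Python  
          example below is added to this analysis and is not part of the  
          committee's text: a shift cipher has only 26 possible keys, so  
          an unauthorized person holding only the scrambled data recovers  
          the record by trying every key and keeping the candidate that  
          looks most like English.  The sample record and the letter  
          frequency table are constructed for the example.

```python
# Added example: why a shift cipher would not count as "encryption generally
# accepted in the field of information security". With only 26 possible keys,
# the ciphertext alone lets an unauthorized person recover the plaintext by
# trying every key and picking the candidate that looks most like English.
from string import ascii_lowercase

# Approximate relative frequency (percent) of each letter in English text.
ENGLISH_FREQ = {
    'a': 8.17, 'b': 1.49, 'c': 2.78, 'd': 4.25, 'e': 12.70, 'f': 2.23,
    'g': 2.02, 'h': 6.09, 'i': 6.97, 'j': 0.15, 'k': 0.77, 'l': 4.03,
    'm': 2.41, 'n': 6.75, 'o': 7.51, 'p': 1.93, 'q': 0.10, 'r': 5.99,
    's': 6.33, 't': 9.06, 'u': 2.76, 'v': 0.98, 'w': 2.36, 'x': 0.15,
    'y': 1.97, 'z': 0.07,
}


def shift_cipher(text: str, key: int) -> str:
    """Replace each letter with the one `key` positions down the alphabet.
    Negative keys shift back, so shift_cipher(ct, -key) decrypts."""
    out = []
    for ch in text:
        if ch.isalpha() and ch.isascii():
            base = ord('A') if ch.isupper() else ord('a')
            out.append(chr(base + (ord(ch) - base + key) % 26))
        else:
            out.append(ch)  # digits, spaces and punctuation pass through
    return ''.join(out)


def english_distance(text: str) -> float:
    """Chi-squared distance between the text's letter counts and the
    English profile above; lower means the text looks more like English."""
    letters = [c for c in text.lower() if c in ascii_lowercase]
    if not letters:
        return float('inf')  # nothing to score
    total = len(letters)
    distance = 0.0
    for letter in ascii_lowercase:
        observed = letters.count(letter)
        expected = ENGLISH_FREQ[letter] * total / 100
        distance += (observed - expected) ** 2 / expected
    return distance


def recover_without_key(ciphertext: str) -> tuple[int, str]:
    """Exhaustive key search over all 26 shifts: the scrambled copy of the
    data is readable without ever obtaining the key used to produce it."""
    candidates = ((k, shift_cipher(ciphertext, -k)) for k in range(26))
    return min(candidates, key=lambda kp: english_distance(kp[1]))


# Constructed sample of the kind of record the statute covers.
RECORD = ("This notice is sent to the driver whose name and license "
          "number were stored in the breached database.")

if __name__ == "__main__":
    ciphertext = shift_cipher(RECORD, 13)
    key, plaintext = recover_without_key(ciphertext)
    print("stored form:", ciphertext)
    print(f"recovered with key {key}:", plaintext)
```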

           3. Security of Encryption Keys
           
          Modern encryption technology works by encoding information in  
          such a way that only the person (or computer) with the  
          encryption key can decode it.  In general, each computer  
          exchanging encrypted information has a secret key (code) that it  
          can use to encrypt a packet of information before it is sent  
          over a network to another computer, where it is then decrypted  
          using the same or a mathematically related key.  Maintaining the  
          secrecy of an encryption key is what ensures compromised  
          encrypted messages cannot be read by an unauthorized person.
          ---------------------------
          <1> HIPAA defines "unsecured protected health information," in  
          part, as "health information that is not secured by a technology  
          standard that renders protected health information unusable,  
          unreadable, or indecipherable to unauthorized individuals and is  
          developed or endorsed by a standards developing organization  
          that is accredited by the American National Standards  
          Institute."  (See 42 U.S.C. Sec. 17932.)

          As noted above, the Data Breach Notification Law contains a safe  
          harbor for businesses and agencies that lose encrypted  
          information in a data breach.  However, recent data breaches  
          have revealed instances where encrypted information was breached  
          along with the encryption key.  For example, the ride-hailing  
          company Uber reported in late 2014 that "[t]housands of Uber  
          driver names and driver's license numbers may be in the hands of  
          an unauthorized third party due to a data breach," and that "one  
          of its many databases could have potentially been accessed  
          because one of the encryption keys required to unlock it had  
          been compromised."  (Tracey Lien, Uber Security Breach May Have  
          Affected up to 50,000 Drivers, Los Angeles Times (Feb. 27, 2015)  
           [as of Jun. 24, 2015].)  In breaches  
          such as this where an encryption key is taken along with  
          encrypted information, the compromised information has lost the  
          effectiveness of its encryption protection.  While not addressed  
          in this bill, the Committee may wish to consider how best to  
          address the problem of compromised encryption keys in future  
          legislation.


           Support: None Known

           Opposition: None Known

                                        HISTORY
           
           Source: Author

           Related Pending Legislation:

          SB 570 (Jackson, 2015) would require entities that must provide  
          affected individuals with notice of a data breach to provide  
          that notice in a specified format.  Specifically, this bill  
          would require these entities to provide a one-page notice, if  
          written, entitled "Notice of Data Breach," in which the content  
          required by the Data Breach Notification Law is presented under  
          the following headings: "What Happened," "What Information Was  
          Involved," "What We Are Doing," "What You Can Do," and "For More  
          Information."  This bill would state that additional information  
          may be provided as a supplement to the notice, would clarify the  
          requirements for providing substitute notice of a data breach,  
          and would make other technical and clarifying changes.  This  
          bill is pending in the Assembly Privacy and Consumer Protection  
          Committee.

          AB 259 (Dababneh, 2015) would require an agency, if the agency  
          was the source of a breach and the breach compromised a person's  
          social security number, driver's license number, or California  
          identification card number, to offer the person identity theft  
          prevention and mitigation services at no cost for not less than  
          12 months.  This bill is pending in the Senate Rules Committee.

           Prior Legislation:

          AB 1710 (Dickinson, Ch. 855, Stats. 2014) amended California's  
          Data Breach Notification Law to require a person or business to  
          offer appropriate identity theft prevention and mitigation  
          services to an affected person at no cost for not less than 12  
          months if the person or business was the source of a data  
          breach.  This bill also prohibited the sale, advertisement for  
          sale, or offer to sell an individual's social security number.

          SB 46 (Corbett, Ch. 396, Stats. 2013) revised the data elements  
          included within the definition of personal information under  
          California's Data Breach Notification Law by adding certain  
          information that would permit access to an online account, and  
          imposed additional requirements on the disclosure of a breach of  
          the security of the system or data in situations where the  
          breach involves personal information that would permit access to  
          an online or email account.

          AB 1149 (Campos, Ch. 395, Stats. 2013) expanded existing  
          disclosure requirements concerning breaches of computerized data  
          owned or licensed by state agencies to "local agencies" as  
          defined by Government Code Section 6252(a).  This bill also made  
          certain technical corrections to the security breach  
          notification law.

          SB 24 (Simitian, Ch. 197, Stats. 2011) required any agency,  
          person, or business that is required to issue a security breach  
          notification pursuant to existing law to fulfill certain  
          additional requirements pertaining to the security breach  
          notification, and required any agency, person, or business that  
          is required to issue a security breach notification to more than  
          500 California residents to electronically submit a single  
          sample copy of that security breach notification to the Attorney  
          General.

          AB 1298 (Jones, Ch. 699, Stats. 2007), among other things, added  
          medical information and health insurance information to the data  
          elements that, when combined with the individual's name, would  
          constitute personal information requiring disclosure when  
          acquired, or believed to be acquired, by an unauthorized person  
          due to a security breach.

          AB 1950 (Wiggins, Ch. 877, Stats. 2004) required a business that  
          owns or licenses personal information about a California  
          resident to implement and maintain reasonable security  
          procedures and practices to protect personal information from  
          unauthorized access, destruction, use, modification, or  
          disclosure.  AB 1950 also required a business that discloses  
          personal information to a nonaffiliated third party to require  
          by contract that those entities maintain reasonable security  
          procedures.

          SB 1386 (Peace, Ch. 915, Stats. 2002) enacted California's Data  
          Breach Notification Law and required a state agency, or a person  
          or business that conducts business in California, that owns or  
          licenses computerized data that includes personal information to  
          disclose any breach of the security of the data to California's  
          residents whose unencrypted personal information was, or is  
          reasonably believed to have been, acquired by an unauthorized  
          person.  SB 1386 permitted notifications to be delayed if a law  
          enforcement agency determines that it would impede a criminal  
          investigation, and required an agency, person, or business that  
          maintains computerized data that includes personal information  
          owned by another to notify the owner or licensee of the  
          information of any breach of security of the data.

           Prior Vote:

          Assembly Floor (Ayes 69, Noes 7)
          Assembly Appropriations Committee (Ayes 11, Noes 4)
          Assembly Privacy and Consumer Protection Committee (Ayes 7, Noes 1)

                                   **************