BILL ANALYSIS

SENATE RULES COMMITTEE
Office of Senate Floor Analyses
(916) 651-1520 Fax: (916) 327-4478
AB 964

THIRD READING

Bill No: AB 964
Author: Chau (D)
Amended: 5/28/15 in Assembly
Vote: 21

SENATE JUDICIARY COMMITTEE: 5-1, 7/7/15
AYES: Jackson, Hertzberg, Leno, Monning, Wieckowski
NOES: Moorlach
NO VOTE RECORDED: Anderson

ASSEMBLY FLOOR: 69-7, 6/3/15 - See last page for vote

SUBJECT: Civil law: privacy

SOURCE: Author

DIGEST: This bill defines the word "encrypted" as used in California's Data Breach Notification Law to mean rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.

ANALYSIS:

Existing law:

1) Requires any agency, person, or business that owns or licenses computerized data that includes personal information to disclose a breach of the security of the system to any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as specified. (Civ. Code Secs. 1798.29(a), (c) and 1798.82(a), (c).)

2) Requires any agency, person, or business that maintains computerized data that includes personal information that the agency, person, or business does not own to notify the owner or licensee of the information of any security breach immediately following discovery if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person. (Civ. Code Secs. 1798.29(b), 1798.82(b).)
3) Defines "personal information," for purposes of the breach notification statute, to include either a user name or email address, in combination with a password or security question and answer that would permit access to an online account, or the individual's first name or first initial and last name in combination with one or more of the following data elements, when either the name or the data elements are not encrypted: social security number; driver's license number or California Identification Card number; account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account; medical information; or health insurance information. "Personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records. (Civ. Code Secs. 1798.29(g) and (h); 1798.82(h) and (i).)

This bill defines, for purposes of the above provisions, the word "encrypted" to mean rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.

Background

In 2003, California's first-in-the-nation data breach notification law went into effect. (See Civ. Code Secs. 1798.29(a), 1798.82(a).) Since that time, all but three states have enacted similar security breach notification laws, and governments around the world have or are considering enacting such laws. California's breach notification statute requires state agencies, local agencies, and businesses to notify residents when the security of their personal information is breached. This notification requirement ensures that residents are made aware of a breach, thus allowing them to take appropriate action to mitigate or prevent potential financial losses due to fraudulent activity.
When the Legislature enacted SB 1386 (Peace, Chapter 915, Statutes of 2002) and created California's Data Breach Notification Law, the law included a safe harbor that generally exempted the exposure of encrypted personal information from the law's notification provisions. The inclusion of an encryption safe harbor was meant to incentivize organizations to encrypt personal information under their control. However, the term "encryption" was not defined in the original law, nor has it been defined by subsequent legislation amending that part of the Civil Code. This bill adds a definition of the word "encrypted" to the Data Breach Notification Law, specifying that it means to render unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.

Comments

The author writes:

California is a leader in protecting consumers and businesses from emerging cyber threats. In 2003, California was the first state in the nation to pass a law that required businesses to notify customers when their personal information has been stolen in a data breach. Data breaches involve situations in which sensitive, protected or confidential data, such as credit/debit card information, social security numbers, and health records are stolen. As more and more of our personal information is used in the course of our daily lives, data breaches have become an almost common occurrence. Recent data breaches on private and public entities have shown us that these attacks are growing in number and are becoming increasingly sophisticated. In 2012, California was home to 17 percent of the data breaches recorded in the United States, the most in the nation. Even more troubling was the fact that, in 2013, the number of breaches increased by 28 percent. Data breaches pose a serious threat to governments, private industries, and individuals.
Data breaches on public entities can put critical infrastructures at risk from criminals and terrorist activities. In addition, private industries risk losing corporate secrets and billions of dollars. For consumers, the loss of personal information can result in identity theft, fraud, and personal embarrassment, all of which could take years to repair and recover from, if ever. Under current law, if the personal information that was stolen was encrypted, businesses are not required to provide notice. This provision serves to encourage businesses who store personal information to adopt encryption so that if information is stolen, that information would be less vulnerable to abuse. However, encryption is not clearly defined in statute. The bill would clarify the statute by defining "encrypted" to mean any data at issue that was rendered unusable, unreadable, or indecipherable through a security technology or methodology generally accepted in the field of information security.

Related/Prior Legislation

SB 570 (Jackson, 2015) requires entities that must provide affected individuals with notice of a data breach to provide that notice in a specified format. Specifically, this bill requires these entities to provide a notice entitled "Notice of Data Breach," in which the content required by the Data Breach Notification Law is presented under the following headings: "What Happened," "What Information Was Involved," "What We Are Doing," "What You Can Do," and "For More Information." This bill states that additional information may be provided as a supplement to the notice, clarifies the requirements for providing substitute notice of a data breach, and makes other technical and clarifying changes. This bill is pending in the Assembly Appropriations Committee.
AB 259 (Dababneh, 2015) requires an agency, if the agency was the source of a breach and the breach compromised a person's social security number, driver's license number, or California identification card number, to offer the person identity theft prevention and mitigation services at no cost for not less than 12 months. This bill is pending in the Senate Judiciary Committee.

AB 1710 (Dickinson, Chapter 855, Statutes of 2014) amended California's Data Breach Notification Law to require a person or business to offer appropriate identity theft prevention and mitigation services to an affected person at no cost for not less than 12 months if the person or business was the source of a data breach. This bill also prohibited the sale, advertisement for sale, or offer to sell an individual's social security number.

SB 46 (Corbett, Chapter 396, Statutes of 2013) revised the data elements included within the definition of personal information under California's Data Breach Notification Law by adding certain information that would permit access to an online account, and imposed additional requirements on the disclosure of a breach of the security of the system or data in situations where the breach involves personal information that would permit access to an online or email account.

AB 1149 (Campos, Chapter 395, Statutes of 2013) expanded existing disclosure requirements concerning breaches of computerized data owned or licensed by state agencies to "local agencies" as defined by Government Code Section 6252(a). This bill also made certain technical corrections to the security breach notification law.
SB 24 (Simitian, Chapter 197, Statutes of 2011) required any agency, person, or business that is required to issue a security breach notification pursuant to existing law to fulfill certain additional requirements pertaining to the security breach notification, and required any agency, person, or business that is required to issue a security breach notification to more than 500 California residents to electronically submit a single sample copy of that security breach notification to the Attorney General.

AB 1298 (Jones, Chapter 699, Statutes of 2007), among other things, added medical information and health insurance information to the data elements that, when combined with the individual's name, would constitute personal information requiring disclosure when acquired, or believed to be acquired, by an unauthorized person due to a security breach.

AB 1950 (Wiggins, Chapter 877, Statutes of 2004) required a business that owns or licenses personal information about a California resident to implement and maintain reasonable security procedures and practices to protect personal information from unauthorized access, destruction, use, modification, or disclosure. AB 1950 also required a business that discloses personal information to a nonaffiliated third party to require by contract that those entities maintain reasonable security procedures.

SB 1386 (Peace, Chapter 915, Statutes of 2002) enacted California's Data Breach Notification Law and required a state agency, or a person or business that conducts business in California, that owns or licenses computerized data that includes personal information to disclose any breach of the security of the data to California's residents whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
SB 1386 permitted notifications to be delayed if a law enforcement agency determines that it would impede a criminal investigation, and required an agency, person, or business that maintains computerized data that includes personal information owned by another to notify the owner or licensee of the information of any breach of security of the data.

FISCAL EFFECT: Appropriation: No  Fiscal Com.: No  Local: No

SUPPORT: (Verified 7/7/15)

None received

OPPOSITION: (Verified 7/7/15)

None received

ASSEMBLY FLOOR: 69-7, 6/3/15
AYES: Achadjian, Alejo, Travis Allen, Baker, Bloom, Bonilla, Bonta, Brough, Brown, Burke, Calderon, Campos, Chau, Chávez, Chiu, Chu, Cooley, Cooper, Dababneh, Dahle, Daly, Dodd, Eggman, Frazier, Cristina Garcia, Eduardo Garcia, Gatto, Gipson, Gomez, Gonzalez, Gordon, Gray, Grove, Hadley, Roger Hernández, Holden, Irwin, Jones-Sawyer, Lackey, Levine, Lopez, Low, Maienschein, Mayes, McCarty, Medina, Mullin, Nazarian, Obernolte, O'Donnell, Olsen, Perea, Quirk, Rendon, Ridley-Thomas, Rodriguez, Salas, Santiago, Steinorth, Mark Stone, Thurmond, Ting, Wagner, Waldron, Weber, Wilk, Williams, Wood, Atkins
NOES: Bigelow, Beth Gaines, Harper, Kim, Mathis, Melendez, Patterson
NO VOTE RECORDED: Chang, Gallagher, Jones, Linder

Prepared by: Tobias Halvarson / JUD. / (916) 651-4113
7/10/15 14:06:05