BILL ANALYSIS






           ----------------------------------------------------------------- 
          |SENATE RULES COMMITTEE            |                        AB 964|
          |Office of Senate Floor Analyses   |                              |
          |(916) 651-1520    Fax: (916)      |                              |
          |327-4478                          |                              |
           ----------------------------------------------------------------- 


                                   THIRD READING 


          Bill No:  AB 964
          Author:   Chau (D)
          Amended:  5/28/15 in Assembly
          Vote:     21  

           SENATE JUDICIARY COMMITTEE:  5-1, 7/7/15
           AYES:  Jackson, Hertzberg, Leno, Monning, Wieckowski
           NOES:  Moorlach
           NO VOTE RECORDED:  Anderson

           ASSEMBLY FLOOR:  69-7, 6/3/15 - See last page for vote

           SUBJECT:   Civil law:  privacy


          SOURCE:    Author

          DIGEST:   This bill defines the word "encrypted" as used in  
          California's Data Breach Notification Law to mean rendered  
          unusable, unreadable, or indecipherable to an unauthorized  
          person through a security technology or methodology generally  
          accepted in the field of information security.

          ANALYSIS: 
          
          Existing law:

          1)Requires any agency, person, or business that owns or licenses  
            computerized data that includes personal information to  
            disclose a breach of the security of the system to any  
            California resident whose unencrypted personal information  
            was, or is reasonably believed to have been, acquired by an  
            unauthorized person.  The disclosure must be made in the most  
            expedient time possible and without unreasonable delay,  
            consistent with the legitimate needs of law enforcement, as  
            specified.  (Civ. Code Secs. 1798.29(a), (c) and 1798.82(a),  
            (c).)

          2)Requires any agency, person, or business that maintains  
            computerized data that includes personal information that the  
            agency, person, or business does not own to notify the owner  
            or licensee of the information of any security breach  
            immediately following discovery if the personal information  
            was, or is reasonably believed to have been, acquired by an  
            unauthorized person.  (Civ. Code Secs. 1798.29(b),  
            1798.82(b).)

          3)Defines "personal information," for purposes of the breach  
            notification statute, to include either a user name or email  
            address, in combination with a password or security question  
            and answer that would permit access to an online account, or  
            the individual's first name or first initial and last name in  
            combination with one or more of the following data elements,  
            when either the name or the data elements are not encrypted:  
            social security number; driver's license number or California  
            Identification Card number; account number, credit or debit  
            card number, in combination with any required security code,  
            access code, or password that would permit access to an  
            individual's financial account; medical information; or health  
            insurance information.  "Personal information" does not  
            include publicly available information that is lawfully made  
            available to the general public from federal, state, or local  
            government records.  (Civ. Code Secs. 1798.29(g) and (h);  
            1798.82(h) and (i).)

          This bill defines, for purposes of the above provisions, the  
          word "encrypted" to mean rendered unusable, unreadable, or  
          indecipherable to an unauthorized person through a security  
          technology or methodology generally accepted in the field of  
          information security.

          Background
          
          In 2003, California's first-in-the-nation data breach  
          notification law went into effect.  (See Civ. Code Secs.  
          1798.29(a), 1798.82(a).)   Since that time, all but three states  
          have enacted similar security breach notification laws, and  
          governments around the world have or are considering enacting  
          such laws.  California's breach notification statute requires  
          state agencies, local agencies, and businesses to notify  
          residents when the security of their personal information is  
          breached.  This notification requirement ensures that residents  
          are made aware of a breach, thus allowing them to take  
          appropriate action to mitigate or prevent potential financial  
          losses due to fraudulent activity.

          When the Legislature enacted SB 1386 (Peace, Chapter 915,  
          Statutes of 2002) and created California's Data Breach  
          Notification Law, the law included a safe harbor that generally  
          exempted the exposure of encrypted personal information from the  
          law's notification provisions.  The inclusion of an encryption  
          safe harbor was meant to incentivize organizations to encrypt  
          personal information under their control.  However, the term  
          "encryption" was not defined in the original law, nor has it  
          been defined by subsequent legislation amending that part of the  
          Civil Code.

          This bill adds a definition of the word "encrypted" to the Data  
          Breach Notification Law, specifying that it means to render  
          unusable, unreadable, or indecipherable to an unauthorized  
          person through a security technology or methodology generally  
          accepted in the field of information security.

          Comments
          
          The author writes:

             California is a leader in protecting consumers and  
             businesses from emerging cyber threats.  In 2003,  
             California was the first state in the nation to pass a law  
             that required businesses to notify customers when their  
             personal information has been stolen in a data breach.   
             Data breaches involve situations in which sensitive,  
             protected or confidential data, such as credit/debit card  
             information, social security numbers, and health records  
             are stolen.

             As more and more of our personal information is used in the  
             course of our daily lives, data breaches have become an  
             almost common occurrence.  Recent data breaches on private  
             and public entities have shown us that these attacks are  
             growing in number and are becoming increasingly  
             sophisticated.

             In 2012, California was home to 17 percent of the data  
             breaches recorded in the United States, the most in the  
             nation.  Even more troubling was the fact that, in 2013,  
             the number of breaches increased by 28 percent.  Data  
             breaches pose a serious threat to governments, private  
             industries, and individuals.  Data breaches on public  
             entities can put critical infrastructures at risk from  
             criminals and terrorist activities.  In addition, private  
             industries risk losing corporate secrets and billions of  
             dollars.  For consumers, the loss of personal information  
             can result in identity theft, fraud, and personal  
             embarrassment, all of which could take years to repair and  
             recover from, if ever.

             Under current law, if the personal information that was  
             stolen was encrypted, businesses are not required to  
             provide notice.  This provision serves to encourage  
             businesses who store personal information to adopt  
             encryption so that if information is stolen, that  
             information would be less vulnerable to abuse.  However,  
             encryption is not clearly defined in statute.

             The bill would clarify the statute by defining "encrypted"  
             to mean any data at issue that was rendered unusable,  
             unreadable, or indecipherable through a security technology  
             or methodology generally accepted in the field of  
             information security.

          Related/Prior Legislation
          
          SB 570 (Jackson, 2015) requires entities that must provide  
          affected individuals with notice of a data breach to provide  
          that notice in a specified format.  Specifically, this bill  
          requires these entities to provide a notice entitled "Notice of  
          Data Breach," in which the content required by the Data Breach  
          Notification Law is presented under the following headings:  
          "What Happened," "What Information Was Involved," "What We Are  
          Doing," "What You Can Do," and "For More Information."  This  
          bill states that additional information may be provided as a  
          supplement to the notice, clarifies the requirements for  
          providing substitute notice of a data breach, and makes other  
          technical and clarifying changes.  This bill is pending in the  
          Assembly Appropriations Committee.

          AB 259 (Dababneh, 2015) requires an agency, if the agency was  
          the source of a breach and the breach compromised a person's  
          social security number, driver's license number, or California  
          identification card number, to offer the person identity theft  
          prevention and mitigation services at no cost for not less than  
          12 months.  This bill is pending in the Senate Judiciary  
          Committee.

          AB 1710 (Dickinson, Chapter 855, Statutes of 2014) amended  
          California's Data Breach Notification Law to require a person or  
          business to offer appropriate identity theft prevention and  
          mitigation services to an affected person at no cost for not  
          less than 12 months if the person or business was the source of  
          a data breach.  This bill also prohibited the sale,  
          advertisement for sale, or offer to sell an individual's social  
          security number.

          SB 46 (Corbett, Chapter 396, Statutes of 2013) revised the data  
          elements included within the definition of personal information  
          under California's Data Breach Notification Law by adding  
          certain information that would permit access to an online  
          account, and imposed additional requirements on the disclosure  
          of a breach of the security of the system or data in situations  
          where the breach involves personal information that would permit  
          access to an online or email account.

          AB 1149 (Campos, Chapter 395, Statutes of 2013) expanded  
          existing disclosure requirements concerning breaches of  
          computerized data owned or licensed by state agencies to "local  
          agencies" as defined by Government Code Section 6252(a).  This  
          bill also made certain technical corrections to the security  
          breach notification law.

          SB 24 (Simitian, Chapter 197, Statutes of 2011) required any  
          agency, person, or business that is required to issue a security  
          breach notification pursuant to existing law to fulfill certain  
          additional requirements pertaining to the security breach  
          notification, and required any agency, person, or business that  
          is required to issue a security breach notification to more than  
          500 California residents to electronically submit a single  
          sample copy of that security breach notification to the Attorney  
          General.

          AB 1298 (Jones, Chapter 699, Statutes of 2007), among other  
          things, added medical information and health insurance  
          information to the data elements that, when combined with the  
          individual's name, would constitute personal information  
          requiring disclosure when acquired, or believed to be acquired,  
          by an unauthorized person due to a security breach.

          AB 1950 (Wiggins, Chapter 877, Statutes of 2004) required a  
          business that owns or licenses personal information about a  
          California resident to implement and maintain reasonable  
          security procedures and practices to protect personal  
          information from unauthorized access, destruction, use,  
          modification, or disclosure.  AB 1950 also required a business  
          that discloses personal information to a nonaffiliated third  
          party to require by contract that those entities maintain  
          reasonable security procedures.

          SB 1386 (Peace, Chapter 915, Statutes of 2002) enacted  
          California's Data Breach Notification Law and required a state  
          agency, or a person or business that conducts business in  
          California, that owns or licenses computerized data that  
          includes personal information to disclose any breach of the  
          security of the data to California's residents whose unencrypted  
          personal information was, or is reasonably believed to have  
          been, acquired by an unauthorized person.  SB 1386 permitted  
          notifications to be delayed if a law enforcement agency  
          determines that it would impede a criminal investigation, and  
          required an agency, person, or business that maintains  
          computerized data that includes personal information owned by  
          another to notify the owner or licensee of the information of  
          any breach of security of the data.

          FISCAL EFFECT:   Appropriation:  No     Fiscal Com.:  No     Local:  No


          SUPPORT:   (Verified 7/7/15)


          None received

          OPPOSITION:   (Verified 7/7/15)


          None received

          ASSEMBLY FLOOR:  69-7, 6/3/15
          AYES:  Achadjian, Alejo, Travis Allen, Baker, Bloom, Bonilla,  
            Bonta, Brough, Brown, Burke, Calderon, Campos, Chau, Chávez,  
            Chiu, Chu, Cooley, Cooper, Dababneh, Dahle, Daly, Dodd,  
            Eggman, Frazier, Cristina Garcia, Eduardo Garcia, Gatto,  
            Gipson, Gomez, Gonzalez, Gordon, Gray, Grove, Hadley, Roger  
            Hernández, Holden, Irwin, Jones-Sawyer, Lackey, Levine, Lopez,  
            Low, Maienschein, Mayes, McCarty, Medina, Mullin, Nazarian,  
            Obernolte, O'Donnell, Olsen, Perea, Quirk, Rendon,  
            Ridley-Thomas, Rodriguez, Salas, Santiago, Steinorth, Mark  
            Stone, Thurmond, Ting, Wagner, Waldron, Weber, Wilk, Williams,  
            Wood, Atkins
          NOES:  Bigelow, Beth Gaines, Harper, Kim, Mathis, Melendez,  
            Patterson
          NO VOTE RECORDED:  Chang, Gallagher, Jones, Linder

          Prepared by: Tobias Halvarson / JUD. / (916) 651-4113
          7/10/15 14:06:05


                                   ****  END  ****