BILL ANALYSIS

           ----------------------------------------------------------------- 
          |SENATE RULES COMMITTEE            |                        AB 964|
          |Office of Senate Floor Analyses   |                              |
          |(916) 651-1520    Fax: (916)      |                              |
          |327-4478                          |                              |
           ----------------------------------------------------------------- 


                                   THIRD READING 


          Bill No:  AB 964
          Author:   Chau (D)
          Amended:  9/1/15 in Senate
          Vote:     21  

           SENATE JUDICIARY COMMITTEE:  5-1, 7/7/15
           AYES:  Jackson, Hertzberg, Leno, Monning, Wieckowski
           NOES:  Moorlach
           NO VOTE RECORDED:  Anderson

           ASSEMBLY FLOOR:  69-7, 6/3/15 - See last page for vote

           SUBJECT:   Civil law:  privacy


          SOURCE:    Author


          DIGEST:  This bill defines the word "encrypted" as used in  
          California's Data Breach Notification Law to mean rendered  
          unusable, unreadable, or indecipherable to an unauthorized  
          person through a security technology or methodology generally  
          accepted in the field of information security.

          Senate Floor Amendments add triple-jointing language to avoid  
          chaptering out conflicts with SB 34 (Hill, 2015) and SB 570  
          (Jackson, 2015).


          ANALYSIS:   

                                                                     AB 964  
                                                                    Page  2

          Existing law:


          1)Requires any agency, person, or business that owns or licenses  
            computerized data that includes personal information to  
            disclose a breach of the security of the system to any  
            California resident whose unencrypted personal information  
            was, or is reasonably believed to have been, acquired by an  
            unauthorized person.  The disclosure must be made in the most  
            expedient time possible and without unreasonable delay,  
            consistent with the legitimate needs of law enforcement, as  
            specified.  (Civ. Code Secs. 1798.29(a), (c) and 1798.82(a),  
            (c).)

          2)Requires any agency, person, or business that maintains  
            computerized data that includes personal information that the  
            agency, person, or business does not own to notify the owner  
            or licensee of the information of any security breach  
            immediately following discovery if the personal information  
            was, or is reasonably believed to have been, acquired by an  
            unauthorized person.  (Civ. Code Secs. 1798.29(b),  
            1798.82(b).)

          3)Defines "personal information," for purposes of the breach  
            notification statute, to include either a user name or email  
            address, in combination with a password or security question  
            and answer that would permit access to an online account, or  
            the individual's first name or first initial and last name in  
            combination with one or more of the following data elements,  
            when either the name or the data elements are not encrypted:  
            social security number; driver's license number or California  
            Identification Card number; account number, credit or debit  
            card number, in combination with any required security code,  
            access code, or password that would permit access to an  
            individual's financial account; medical information; or health  
            insurance information.  "Personal information" does not  
            include publicly available information that is lawfully made  
            available to the general public from federal, state, or local  
            government records.  (Civ. Code Secs. 1798.29(g) and (h);  
            1798.82(h) and (i).)

          This bill defines, for purposes of the above provisions, the  
          word "encrypted" to mean rendered unusable, unreadable, or  
          indecipherable to an unauthorized person through a security  
          technology or methodology generally accepted in the field of  
          information security.


          Background


          In 2003, California's first-in-the-nation data breach  
          notification law went into effect.  (See Civ. Code Secs.  
          1798.29(a), 1798.82(a).)   Since that time, all but three states  
          have enacted similar security breach notification laws, and  
          governments around the world have or are considering enacting  
          such laws.  California's breach notification statute requires  
          state agencies, local agencies, and businesses to notify  
          residents when the security of their personal information is  
          breached.  This notification requirement ensures that residents  
          are made aware of a breach, thus allowing them to take  
          appropriate action to mitigate or prevent potential financial  
          losses due to fraudulent activity.

          When the Legislature enacted SB 1386 (Peace, Chapter 915,  
          Statutes of 2002) and created California's Data Breach  
          Notification Law, the law included a safe harbor that generally  
          exempted the exposure of encrypted personal information from the  
          law's notification provisions.  The inclusion of an encryption  
          safe harbor was meant to incentivize organizations to encrypt  
          personal information under their control.  However, the term  
          "encryption" was not defined in the original law, nor has it  
          been defined by subsequent legislation amending that part of the  
          Civil Code.

          This bill adds a definition of the word "encrypted" to the Data  
          Breach Notification Law, specifying that it means to render  
          unusable, unreadable, or indecipherable to an unauthorized  
          person through a security technology or methodology generally  
          accepted in the field of information security.


          Comments


          The author writes:

            California is a leader in protecting consumers and businesses  
            from emerging cyber threats.  In 2003, California was the  
            first state in the nation to pass a law that required  
            businesses to notify customers when their personal information  
            has been stolen in a data breach.  Data breaches involve  
            situations in which sensitive, protected or confidential data,  
            such as credit/debit card information, social security  
            numbers, and health records are stolen.

            As more and more of our personal information is used in the  
            course of our daily lives, data breaches have become an almost  
            common occurrence.  Recent data breaches on private and public  
            entities have shown us that these attacks are growing in  
            number and are becoming increasingly sophisticated.

            In 2012, California was home to 17 percent of the data  
            breaches recorded in the United States, the most in the  
            nation.  Even more troubling was the fact that, in 2013, the  
            number of breaches increased by 28 percent.  Data breaches  
            pose a serious threat to governments, private industries, and  
            individuals.  Data breaches on public entities can put  
            critical infrastructures at risk from criminals and terrorist  
            activities.  In addition, private industries risk losing  
            corporate secrets and billions of dollars.  For consumers, the  
            loss of personal information can result in identity theft,  
            fraud, and personal embarrassment, all of which could take  
            years to repair and recover from, if ever.

            Under current law, if the personal information that was stolen  
            was encrypted, businesses are not required to provide notice.   
            This provision serves to encourage businesses who store  
            personal information to adopt encryption so that if  
            information is stolen, that information would be less  
            vulnerable to abuse.  However, encryption is not clearly  
            defined in statute.

            The bill would clarify the statute by defining "encrypted" to  
            mean any data at issue that was rendered unusable, unreadable,  
            or indecipherable through a security technology or methodology  
            generally accepted in the field of information security.

          Related/Prior Legislation
          
          SB 570 (Jackson, 2015) requires entities that must provide  
          affected individuals with notice of a data breach to provide  
          that notice in a specified format.  Specifically, this bill  
          would require these entities to provide a notice entitled  
          "Notice of Data Breach," in which the content required by the  
          Data Breach Notification Law is presented under the following  
          headings: "What Happened," "What Information Was Involved,"  
          "What We Are Doing," "What You Can Do," and "For More  
          Information."  This bill states that additional information may  
          be provided as a supplement to the notice, clarifies the  
          requirements for providing substitute notice of a data breach,  
          and makes other technical and clarifying changes.  This bill is  
          pending on the Assembly Floor.

          AB 259 (Dababneh, 2015) requires an agency, if the agency was  
          the source of a breach and the breach compromised a person's  
          social security number, driver's license number, or California  
          identification card number, to offer the person identity theft  
          prevention and mitigation services at no cost for not less than  
          12 months.  This bill was held on suspense in the Senate  
          Appropriations Committee.

          AB 1710 (Dickinson, Chapter 855, Statutes of 2014) amended  
          California's Data Breach Notification Law to require a person or  
          business to offer appropriate identity theft prevention and  
          mitigation services to an affected person at no cost for not  
          less than 12 months if the person or business was the source of  
          a data breach.  This bill also prohibited the sale,  
          advertisement for sale, or offer to sell an individual's social  
          security number.

          SB 46 (Corbett, Chapter 396, Statutes of 2013) revised the data  
          elements included within the definition of personal information  
          under California's Data Breach Notification Law by adding  
          certain information that would permit access to an online  
          account, and imposed additional requirements on the disclosure  
          of a breach of the security of the system or data in situations  
          where the breach involves personal information that would permit  
          access to an online or email account.

          AB 1149 (Campos, Chapter 395, Statutes of 2013) expanded  
          existing disclosure requirements concerning breaches of  
          computerized data owned or licensed by state agencies to "local  
          agencies" as defined by Government Code Section 6252(a).  This  
          bill also made certain technical corrections to the security  
          breach notification law.

          SB 24 (Simitian, Chapter 197, Statutes of 2011) required any  
          agency, person, or business that is required to issue a security  
          breach notification pursuant to existing law to fulfill certain  
          additional requirements pertaining to the security breach  
          notification, and required any agency, person, or business that  
          is required to issue a security breach notification to more than  
          500 California residents to electronically submit a single  
          sample copy of that security breach notification to the Attorney  
          General.

          AB 1298 (Jones, Chapter 699, Statutes of 2007), among other  
          things, added medical information and health insurance  
          information to the data elements that, when combined with the  
          individual's name, would constitute personal information  
          requiring disclosure when acquired, or believed to be acquired,  
          by an unauthorized person due to a security breach.

          AB 1950 (Wiggins, Chapter 877, Statutes of 2004) required a  
          business that owns or licenses personal information about a  
          California resident to implement and maintain reasonable  
          security procedures and practices to protect personal  
          information from unauthorized access, destruction, use,  
          modification, or disclosure.  AB 1950 also required a business  
          that discloses personal information to a nonaffiliated third  
          party to require by contract that those entities maintain  
          reasonable security procedures.

          SB 1386 (Peace, Chapter 915, Statutes of 2002) enacted  
          California's Data Breach Notification Law and required a state  
          agency, or a person or business that conducts business in  
          California, that owns or licenses computerized data that  
          includes personal information to disclose any breach of the  
          security of the data to California's residents whose unencrypted  
          personal information was, or is reasonably believed to have  
          been, acquired by an unauthorized person.  SB 1386 permitted  
          notifications to be delayed if a law enforcement agency  
          determines that it would impede a criminal investigation, and  
          required an agency, person, or business that maintains  
          computerized data that includes personal information owned by  
          another to notify the owner or licensee of the information of  
          any breach of security of the data.

          FISCAL EFFECT:   Appropriation:    No          Fiscal Com.:  No          Local:    No


          SUPPORT:   (Verified 9/1/15)


          None received


          OPPOSITION:   (Verified 9/1/15)


          None received

          ASSEMBLY FLOOR:  69-7, 6/3/15
          AYES:  Achadjian, Alejo, Travis Allen, Baker, Bloom, Bonilla,  
            Bonta, Brough, Brown, Burke, Calderon, Campos, Chau, Chávez,  
            Chiu, Chu, Cooley, Cooper, Dababneh, Dahle, Daly, Dodd,  
            Eggman, Frazier, Cristina Garcia, Eduardo Garcia, Gatto,  
            Gipson, Gomez, Gonzalez, Gordon, Gray, Grove, Hadley, Roger  
            Hernández, Holden, Irwin, Jones-Sawyer, Lackey, Levine, Lopez,  
            Low, Maienschein, Mayes, McCarty, Medina, Mullin, Nazarian,  
            Obernolte, O'Donnell, Olsen, Perea, Quirk, Rendon,  
            Ridley-Thomas, Rodriguez, Salas, Santiago, Steinorth, Mark  
            Stone, Thurmond, Ting, Wagner, Waldron, Weber, Wilk, Williams,  
            Wood, Atkins
          NOES:  Bigelow, Beth Gaines, Harper, Kim, Mathis, Melendez,  
            Patterson
          NO VOTE RECORDED:  Chang, Gallagher, Jones, Linder

          Prepared by: Tobias Halvarson / JUD. / (916) 651-4113
          9/2/15 11:38:45


                                   ****  END  ****