BILL ANALYSIS
SENATE JUDICIARY COMMITTEE
Senator Hannah-Beth Jackson, Chair
2015-2016 Regular Session

AB 1541 (Committee on Privacy and Consumer Protection)
Version: April 29, 2015
Hearing Date: June 16, 2015
Fiscal: No
Urgency: No
NR

SUBJECT

Privacy: personal information

DESCRIPTION

Existing law requires a business that owns, licenses, or maintains personal information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

This bill would revise the definition of personal information to include health insurance information, as defined, and a username or email address in combination with a password or security question and answer that would permit access to an online account.

BACKGROUND

AB 1541 is the Assembly Privacy and Consumer Protection Committee's privacy omnibus bill. By tradition, the provisions included in an omnibus bill are technical and non-controversial in nature, so any member of the Committee who objects to a specific provision may request that it be removed from the measure.

CHANGES TO EXISTING LAW

Existing law requires a business that owns, licenses, or maintains personal information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. (Civ. Code Sec. 1798.81.5(b).)

Existing law further provides that a business that discloses personal information about a California resident pursuant to a contract with a nonaffiliated third party shall require by contract that the third party implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. (Civ. Code Sec. 1798.81.5(c).)

Existing law defines "personal information" to include an individual's first name or first initial and his or her last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted: social security number; driver's license number or California identification card number; account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account; and medical information. (Civ. Code Sec. 1798.81.5.)

This bill would add to the above definition health insurance information, and a username or email address in combination with a password or security question and answer that would permit access to an online account.

COMMENT

1. Stated need for the bill

According to the author:

    In recent years, the Legislature has expanded the definition of "personal information" in the Data Breach Notification Law (DBNL) to include health insurance information as well as a user name and password (or related information allowing access to an online account). The DBNL definition no longer mirrors the information security law definition. This bill updates the definition of "personal information" in the information security law (Civ. Code 1798.81.5). The law requires businesses to use reasonable security measures to protect personal information.
    Historically, the definition of "personal information" in this law has mirrored the definition found in the DBNL (Civ. Code Secs. 1798.29 and 1798.82).

2. Committee on Privacy and Consumer Protection omnibus bill

This bill would revise the definition of personal information in the information security law to match the definition in the Data Breach Notification Law by adding: (1) a username or email address in combination with a password or security question and answer; and (2) health insurance information.

a. Username, password, and security question

This bill would add a username or email address, in combination with a password or security question and answer that would permit access to an online account, to the definition of "personal information" in the information security law. This Committee approved this policy in SB 46 (Corbett, Ch. 396, Stats. 2013), which added this protection to the Data Breach Notification Law. The Committee analysis of that bill noted:

    [R]equiring disclosure of security breaches involving user names, passwords, or security questions and answers would allow those whose information has been disseminated to take actions to minimize the impact of that disclosure. As Privacy Rights Clearinghouse notes, "[m]any individuals compound their exposure to financial loss and theft of personal data [because] they use the same password or username or answer to a security question for some or all of their online accounts." Consequently, "a breach of one online account can have a cascading effect upon the user's other accounts." If existing disclosure requirements were expanded to include disclosures of security breaches involving user names, passwords, and security questions and answers, California residents would be better equipped to proactively change their passwords and other login credentials on other online accounts before those accounts are compromised.

b. Health insurance information

This bill would add "health insurance information," defined as an individual's insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual's application and claims history, including any appeals records, to the definition of personal information in the information security law. By mirroring the language of the DBNL, this bill would clarify that businesses are required to protect consumers' health insurance information from being compromised.

Staff notes that because existing law allows the sharing of a consumer's information by health care providers, service plans, and contractors who are regulated by the Confidentiality of Medical Information Act (CMIA), this bill would not limit the ability of health care providers to exchange information as necessary to provide services to patients.

Support: None Known

Opposition: None Known

HISTORY

Source: Author

Related Pending Legislation: None Known

Prior Legislation:

AB 1710 (Dickinson, Ch. 855, Stats. 2014), among other provisions, required, with respect to the information required to be included in the notification of a data security breach, that if the person or business providing the notification was the source of the breach, that person or business offer to provide appropriate identity theft prevention and mitigation services, as specified.

SB 46 (Corbett, Ch. 396, Stats. 2013) revised certain data elements included within the definition of personal information under California's Data Breach Notification Law by adding certain information that would permit access to an online account, and imposed additional requirements on the disclosure of a breach of the security of the system or data where the breach involves personal information that would permit access to an online or email account.
AB 555 (Salas, Ch. 103, Stats. 2013) provided an exemption from the prohibition on posting or publicly releasing a person's social security number (SSN) for an adult state correctional facility, an adult city jail, or an adult county jail that releases an inmate's SSN, with the inmate's consent and upon request by the county veterans service officer or the United States Department of Veterans Affairs, for the purposes of determining the inmate's status as a military veteran and his or her eligibility for federal, state, or local veterans' benefits or services.

SB 24 (Simitian, Ch. 197, Stats. 2011) required any agency, person, or business that is required to issue a security breach notification pursuant to existing law to fulfill certain additional requirements pertaining to the security breach notification, and required any agency, person, or business that is required to issue a security breach notification to more than 500 California residents to electronically submit a single sample copy of that security breach notification to the Attorney General.

AB 1298 (Jones, Ch. 699, Stats. 2007), among other things, added medical information and health insurance information to the data elements that, when combined with the individual's name, would constitute personal information requiring disclosure when acquired, or believed to be acquired, by an unauthorized person due to a security breach.

AB 1950 (Wiggins, Ch. 877, Stats. 2004) required a business that owns or licenses personal information about a California resident to implement and maintain reasonable security procedures and practices to protect personal information from unauthorized access, destruction, use, modification, or disclosure. AB 1950 also required a business that discloses personal information to a nonaffiliated third party to require by contract that those entities maintain reasonable security procedures.

AB 763 (Liu, Ch. 532, Stats. 2003) prohibited a SSN that is otherwise permitted to be mailed from being printed, in whole or in part, on a postcard or other mailer, or from being visible on the envelope or without the envelope having been opened.

SB 1936 (Peace, Ch. 915, Stats. 2002) enacted California's Data Breach Notification Law and required a state agency, or a person or business that conducts business in California, that owns or licenses computerized data that includes personal information to disclose any breach of the security of the data to California residents whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. SB 1936 permitted notifications to be delayed if a law enforcement agency determines that notification would impede a criminal investigation, and required an agency, person, or business that maintains computerized data that includes personal information owned by another to notify the owner or licensee of the information of any breach of the security of the data.

SB 168 (Bowen, Ch. 720, Stats. 2001) prohibited any person or entity, not including a state or local agency, from using an individual's SSN in certain ways, including posting it publicly or requiring it for access to products or services.

Prior Vote:
Assembly Floor (Ayes 78, Noes 0)
Assembly Privacy and Consumer Protection Committee (Ayes 11, Noes 0)