BILL ANALYSIS





                             SENATE JUDICIARY COMMITTEE
                         Senator Hannah-Beth Jackson, Chair
                             2015-2016  Regular  Session


          AB 1541 (Committee on Privacy and Consumer Protection)
          Version: April 29, 2015
          Hearing Date: June 16, 2015
          Fiscal: No
          Urgency: No
          NR   


                                        SUBJECT
                                           
                           Privacy:  personal information

                                      DESCRIPTION  

          Existing law requires a business that owns, licenses, or  
          maintains personal information about a California resident to  
          implement and maintain reasonable security procedures and  
          practices appropriate to the nature of the information, to  
          protect the personal information from unauthorized access,  
          destruction, use, modification, or disclosure. 

          This bill would revise the definition of personal information to  
          include health insurance information, as defined, and a username  
          or email address combined with a password or security question  
          and answer for access to an online account.

                                      BACKGROUND
                                           
          AB 1541 is the Assembly Privacy and Consumer Protection  
          Committee Privacy omnibus bill.  By tradition, the provisions  
          included in an omnibus are generally technical and  
          non-controversial in nature, so any member of the Committee who  
          objects to a specific provision may request that it be removed  
          from the measure. 

                                CHANGES TO EXISTING LAW
           
          Existing law requires a business that owns or licenses personal  
          information about a California resident to implement and  
          maintain reasonable security procedures and practices  
          appropriate to the nature of the information, to protect the  
          personal information from unauthorized access, destruction, use,  
          modification, or disclosure.  (Civ. Code Sec. 1798.81.5(b).)

          Existing law further provides that a business that discloses  
          personal information about a California resident pursuant to a  
          contract with a nonaffiliated third party shall require by  
          contract that the third party implement and maintain reasonable  
          security procedures and practices appropriate to the nature of  
          the information, to protect the personal information from  
          unauthorized access, destruction, use, modification, or  
          disclosure.  (Civ. Code Sec. 1798.81.5(c).)

          Existing law defines "personal information" to include: an  
          individual's first name or first initial and his or her last  
          name in combination with any one or more of the following data  
          elements, when either the name or the data elements are not  
          encrypted or redacted: social security number; driver's license  
          number or California identification card number; account number,  
          credit or debit card number, in combination with any required  
          security code, access code, or password that would permit access  
          to an individual's financial account; and medical information.  
          (Civ. Code Sec. 1798.81.5.)

          This bill would include in the above definition health  
          insurance information, and a username or email address, in  
          combination with a password or security question and answer that  
          would permit access to an online account.

                                        COMMENT
           
          1. Stated need for the bill
           
          According to the author:

            In recent years, the Legislature has expanded the definition  
            of "personal information" in the Data Breach Notification Law  
            (DBNL) to include health insurance information as well as a  
            user name and password (or related information allowing access  
            to an online account).  The DBNL definition no longer mirrors  
            the information security law definition.

            This bill updates the definition of "personal information" in  
            the information security law (Civ. Code 1798.81.5). The law  
            requires businesses to use reasonable security measures to  
            protect personal information. Historically, the definition of  
            "personal information" in this law has mirrored the definition  
            found in the DBNL (Civ. Code Secs. 1798.29 and 1798.82). 

          2. Committee on Privacy and Consumer Protection Omnibus bill
           
          This bill would revise the definition of personal information in  
          the information security law to match the definition in the Data  
          Breach Notification Law by including: (1) a username, password,  
          and security question; and (2) health insurance information. 

              a.   Username, password, and security question
             
            This bill would add an email address, in combination with  
            a password or security question and answer, to the definition  
            of "personal information" in the information security law.   
            This Committee approved this policy in SB 46 (Corbett, Ch. 396,  
            Stats. 2013), which added this protection in the Data Breach  
            Notification Law.  The Committee analysis from that bill  
            noted: 

               [R]equiring disclosure of security breaches involving user  
               names, passwords, or security questions and answers would  
               allow those whose information has been disseminated to take  
               actions to minimize the impact of that disclosure.  As  
               Privacy Rights Clearinghouse notes, "[m]any individuals  
               compound their exposure to financial loss and theft of  
               personal data [because] they use the same password or  
               username or answer to a security question for some or all  
               of their online accounts."  Consequently, "a breach of one  
               online account can have a cascading effect upon the user's  
               other accounts."  If existing disclosure requirements were  
               expanded to include disclosures of security breaches  
               involving user names, passwords, and security questions and  
               answers, California residents would be better equipped to  
               proactively change their passwords and other login  
               credentials on other online accounts before those accounts  
               are compromised.

              b.   Health insurance information
              
             This bill would add "health insurance information," defined as  
            an individual's insurance policy number or subscriber  
            identification number, any unique identifier used by a health  
            insurer to identify the individual, or any information in an  
            individual's application and claims history, including any  
            appeals records, to the definition of personal information in  
            the information security law. 

            By mirroring the language from DBNL, this bill would clarify  
            that businesses are required to protect consumers' health  
            insurance information from being compromised.  Staff notes  
            that because existing law allows the sharing of a consumer's  
            information by health care providers, service plans, and  
            contractors who are regulated by the Confidentiality of  
            Medical Information Act (CMIA), this bill would not limit the  
            ability of health care providers to exchange information as  
            necessary to provide services to patients. 


          Support: None Known 

          Opposition: None Known

                                           
                                       HISTORY
           
          Source: Author

          Related Pending Legislation: None Known

          Prior Legislation:

          AB 1710 (Dickinson, Ch. 855, Stats. 2014), among other  
          provisions, required, with respect to the information required  
          to be included in the notification of a data security breach, if  
          the person or business providing the notification was the source  
          of the breach, that the person or business offer to provide  
          appropriate identity theft prevention and mitigation services,  
          as specified.

          SB 46 (Corbett, Ch. 396, Stats. 2013) revised certain data  
          elements included within the definition of personal information  
          under California's Data Breach Notification Law, by adding  
          certain information that would permit access to an online  
          account and imposed additional requirements on the disclosure of  
          a breach of the security of the system or data in situations  
          where the breach involves personal information that would permit  
          access to an online or email account.

          AB 555 (Salas, Ch. 103, Stats. 2013) provided an exemption from  
          the prohibition on posting or publicly releasing a person's  
          social security number (SSN) for an adult state correctional  
          facility, an adult city jail, or an adult county jail, that  
          releases an inmate's SSN, with the inmate's consent and upon  
          request by the county veterans service officer or the United  
          States Department of Veterans Affairs, for the purposes of  
          determining the inmate's status as a military veteran and his or  
          her eligibility for federal, state, or local veterans' benefits  
          or services.

          SB 24 (Simitian, Ch. 197, Stats. 2011) required any agency,  
          person, or business that is required to issue a security breach  
          notification pursuant to existing law to fulfill certain  
          additional requirements pertaining to the security breach  
          notification, and required any agency, person, or business that  
          is required to issue a security breach notification to more than  
          500 California residents to electronically submit a single  
          sample copy of that security breach notification to the Attorney  
          General.

          AB 1298 (Jones, Ch. 699, Stats. 2007), among other things, added  
          medical information and health insurance information to the data  
          elements that, when combined with the individual's name, would  
          constitute personal information requiring disclosure when  
          acquired, or believed to be acquired, by an unauthorized person  
          due to a security breach.

          AB 1950 (Wiggins, Ch. 877, Stats. 2004) required a business that  
          owns or licenses personal information about a California  
          resident to implement and maintain reasonable security  
          procedures and practices to protect personal information from  
          unauthorized access, destruction, use, modification, or  
          disclosure.  AB 1950 also required a business that discloses  
          personal information to a nonaffiliated third party, to require  
          by contract that those entities maintain reasonable security  
          procedures.

          AB 763 (Liu, Ch. 532, Stats. 2003) prohibited an SSN that is  
          otherwise permitted to be mailed from being printed, in whole or  
          in part, on a postcard or other mailer or visible on the  
          envelope or without the envelope having been opened.

          SB 1936 (Peace, Ch. 915, Stats. 2002) enacted California's Data  
          Breach Notification Law and required a state agency, or a person  
          or business that conducts business in California, that owns or  
          licenses computerized data that includes personal information to  
          disclose any breach of the security of the data to California's  
          residents whose unencrypted personal information was, or is  
          reasonably believed to have been, acquired by an unauthorized  
          person. SB 1936 permitted notifications to be delayed if a law  
          enforcement agency determines that it would impede a criminal  
          investigation, and required an agency, person, or business that  
          maintains computerized data that includes personal information  
          owned by another to notify the owner or licensee of the  
          information of any breach of security of the data.

          SB 168 (Bowen, Ch. 720, Stats. 2001) prohibited any person or  
          entity, not including a state or local agency, from using an  
          individual's SSN in certain ways, including posting it publicly  
          or requiring it for access to products or services.

          Prior Vote:

          Assembly Floor (Ayes 78, Noes 0)
          Assembly Privacy and Consumer Protection Committee (Ayes 11,  
          Noes 0)

                                   **************