BILL ANALYSIS



                                                                    AB 2828


                                                                    Page  1





          Date of Hearing:   April 5, 2016


                ASSEMBLY COMMITTEE ON PRIVACY AND CONSUMER PROTECTION


                                   Ed Chau, Chair


          AB 2828  
          (Chau) - As Introduced February 19, 2016


          SUBJECT:  Personal information:  privacy:  breach


          SUMMARY:  Expands data breach notification law, which currently  
          requires consumer notice for compromised unencrypted personal  
          information, to include encrypted information if the encryption  
          keys have also been compromised.  Specifically, this bill:  


          1)Requires a public agency, person, or business that owns or  
            licenses computerized data that includes personal information  
            to notify any California resident whose encrypted personal  
            information was, or is reasonably believed to have been,  
            acquired by an unauthorized person, if at any time before or  
            after the breach the encryption key or security credential  
            has, or is reasonably believed to have been, acquired by an  
            unauthorized person.



          2)Defines "encryption key" and "security credential" to mean any  
            information that could be used by an unauthorized person to  
            access or decrypt encrypted personal information contained in  
            a data system.

          EXISTING LAW:  


          1)Requires a public agency, person, or business that owns or  
            licenses computerized data that includes personal information  
            to notify any California resident whose unencrypted personal  
            information was acquired, or reasonably believed to have been  
            acquired, by an unauthorized person.  The notice must be made  
            in the most expedient time possible and without unreasonable  
            delay, consistent with the legitimate needs of law  
            enforcement, as specified.  This requirement does not apply to  
            the Judiciary, the Legislature, or the University of  
            California.  (Civil Code (CC) Sections 1798.29(a), (c);  
            1798.82(a), (c))



          2)Requires a public agency, person, or business that maintains  
            computerized data that includes personal information that the  
            agency, person, or business does not own to notify the owner  
            or licensee of the information of any security breach  
            immediately following discovery if the personal information  
            was, or is reasonably believed to have been, acquired by an  
            unauthorized person.  (CC 1798.29(b), 1798.82(b))



          3)Requires a person or business that is the source of a breach  
            of Social Security numbers or driver's license numbers, and is  
            required to provide notice of the breach, to offer an identity  
            theft protection or mitigation service to affected individuals  
            at no cost, for no less than 12 months.  (CC 1798.82  
            (d)(2)(G))





          4)Defines "personal information," for purposes of the breach  
            notification statute, to include the individual's first name  
            or first initial and last name in combination with one or more  
            of the following data elements, when either the name or the  
            data elements are not encrypted: Social Security number;  
            driver's license number or California Identification Card  
            number; account number, credit or debit card number, in  
            combination with any required security code, access code, or  
            password that would permit access to an individual's financial  
            account; medical information; or health insurance information.  
            "Personal information" does not include publicly available  
            information that is lawfully made available to the general  
            public from federal, state, or local government records.  (CC  
            1798.29(g), (h), 1798.82(h), (i))


          FISCAL EFFECT:  Unknown


          COMMENTS:  


           1)Purpose of this bill.  This bill is intended to better inform  
            likely data breach victims by requiring businesses and  
            government agencies to provide a notice of breach in cases  
            where both encrypted Personally Identifiable Information (PII)  
            and the encryption keys or security credentials that can  
            unlock the encrypted PII are believed to have been  
            compromised. Current law only requires notice if unencrypted  
            data is breached.  This measure is author-sponsored.   



           2)Author's statement.  According to the author's office, "AB  
            2828 updates California's breach notice law to require  
            businesses and government agencies to provide notice of a  
            breach if both encrypted data and the keys to the encryption  
            are believed to have been breached.  This expansion of the  
            breach notice requirement reflects what has become an industry  
            best practice since the original passage of the breach notice  
            law more than a decade ago."



           3)Recent data breaches in California.  Unfortunately, the  
            incidence and sophistication of data breaches are growing year  
            to year.  According to a February 2016 report by Attorney  
            General Kamala Harris, the number of data breaches between  
            2012 and 2015 grew from 131 breach incidents in 2012 to 178  
            incidents in 2015.  Even more dramatic is the number of  
            records breached during the same time period, which rose from  
            2.6 million in 2012 to 24 million records containing sensitive  
            personal information in 2015 ("California Data Breach Report  
            2012-2015," California Department of Justice, February 2016).   




            Data breaches are also becoming increasingly sophisticated.   
            Hackers are constantly looking for new and innovative ways to  
            penetrate networks, such as gaining access to encryption keys  
            or security credentials, in order to access encrypted data.   
            As a result, security experts contend that encryption, by  
            itself, cannot thwart criminals if the hack involves gaining  
            access to security credentials as well. 





            In February 2015, criminals accessed personal information,  
            including names, addresses, birthdates, and Social Security  
            numbers of more than 80 million United States patients covered  
            by Anthem, one of the country's largest health insurance and  
            health plan providers.  The incident was the single biggest  
            theft of health care data in history.  Anthem's data was not  
            encrypted, which is what triggered a breach notice to the 80  
            million victims under current state and federal laws.  



            Unfortunately, state and local agencies are not immune to data  
            breaches.  During 2012-2014, the following California public  
            agencies reported breaches: California State University,  
            Department of Corrections and Rehabilitation, Department of  
            Public Health, Department of State Hospitals, Correctional  
            Health Care Services, Department of Social Services,  
            Department of Justice, Department of Child Support Services,  
            Employment Development Department, and the Department of Motor  
            Vehicles.   



           4)Requiring notice of encrypted data.  State law currently  
            requires notice of a security breach only if the data is  
            unencrypted under the premise that:  1) the law provides an  
            incentive to government and business to encrypt sensitive  
            data; and 2) the law triggers notice only when there is a  
            reasonable possibility of fraud or identity theft, so that  
            victims can take steps to protect themselves before criminals  
            use the data.  This bill requires notice of breach in cases  
            where the data is in fact encrypted, but only if the  
            encryption key or security credentials are also reasonably  
            believed to have been compromised.



            Interestingly, the hacked data in the 2015 Anthem breach was  
            unencrypted, but even if Anthem had encrypted the data, it  
            still would have been easily accessible.  The Anthem hackers  
            also gained access to at least five sets of employee security  
            credentials, which could have unlocked the encryption -  
            meaning that the data would likely have been lost anyway.  





            The author contends that while encryption is an important tool  
            to secure sensitive data, if the keys that unlock the data are  
            stolen in conjunction with a hacking incident, then the stolen  
            data is as good as decrypted.  In that case, the business or  
            government agency should be required by law to provide notice  
            of the breach. 





           5)California's Data Breach Notification Law.  California law  
            requires businesses as well as state and local agencies that  
            experience a breach of unencrypted personal information to  
            send a notice of the breach to the people affected by the  
            breach.  The breach notice must include basic information  
            about what happened, what information was breached, what the  
            business or agency is doing in response to the breach, and  
            what the person affected by the breach can do to protect  
            themselves from fraud and identity theft. 



            Under current law, a business or agency that experiences a  
            breach can avoid mailing the breach notice to each and every  
            affected customer if doing so would cost more than $250,000.   
            In this case, the law permits "substitute notice," which must  
            include: emailing the notice to affected customers (if an  
            email address is available); posting the notice on the  
            business's website; and notifying major statewide media and  
            the Office of Information Security within the Department of  
            Technology.





            California's current data breach notice law does not require  
            notice when encrypted information is lost.  This creates an  
            incentive for businesses and government agencies to encrypt  
            personal data and thereby avoid the notice requirement.   



            Breach notice is also not required unless the data breach  
            involved "personal information" relating to a California  
            resident.  "Personal information" means a person's first name  
            or first initial and last name in combination with one or more  
            of the following data elements:  

                a)  Social Security number; 

                b)  Driver's license number or California identification  
                    card number; 

                c)  Account number, credit or debit card number, in  
                    combination with any required security code, access  
                    code, or password; 

                d)  Medical information; health insurance information; 

                e)  Information or data collected through the use or  
                    operation of an automated license plate recognition  
                    system; or  

                f)  A user name or email address in combination with a  
                    password or security question and answer that would  
                    permit access to an online account.

            "Personal information" does not include publicly available  
            information that is lawfully made available to the general  
            public from federal, state, or local government records.


            The Data Breach Notification Law has two distinct parts: one  
            part that applies to state and local agencies, which is  
            located in the Information Practices Act of 1977 (Civil Code  
            1798.29), and one part that applies to businesses (Civil Code  
            1798.82).  


            This bill would change both laws, so that both the public  
            sector and the private sector would have a duty to provide  
            notice of breach to affected customers if both the encrypted  
            data and the encryption key that unlocks it are compromised.  

            The author and the Committee may wish to consider whether the  
            bill should exempt situations where only the encryption key is  
            hacked or stolen, but not the data itself.  For example, if  
            only the encryption key is stolen and the business or  
            government agency changes its encryption as a result -  
            essentially changing the locks on its doors - then this bill  
            arguably should not require notice of breach if the encrypted  
            data is later breached since the stolen key no longer unlocks  
            the encrypted data. 

           6)Arguments in support.  Consumer Federation of California  
            states in support that, "Access to sensitive data files, as  
            well as security credentials, by unauthorized persons is  
            increasingly common.  AB 2828 is a common sense update that  
            recognizes this unfortunate reality. Providing consumers with  
            data breach notifications will allow them to take steps to  
            correct the injuries caused by the breach and guard against  
            future identity theft."



            Electronic Frontier Foundation states, "AB 2828 would fill an  
            important gap in California's current data breach notification  
            law.  A thief might steal an encrypted laptop, along with a  
            note carelessly taped to the device stating the decryption  
            password.  Or a thief might remotely steal encrypted data, and  
            later use social engineering to acquire the security  
            credentials. In these and many other circumstances, wrongdoers  
            will acquire both encrypted personal information and the power  
            to decrypt that information.  In such circumstances, people  
            should be notified that they are at risk of wrongdoers  
            misusing their personal information."



           7)Prior Legislation.  AB 964 (Chau), Chapter 522, Statutes of  
            2015, defined the word "encrypted" as used in California's  
            Data Breach Notification Law to mean rendered unusable,  
            unreadable, or indecipherable to an unauthorized person  
            through a security technology or methodology generally  
            accepted in the field of information security.
          


            SB 570 (Jackson), Chapter 543, Statutes of 2015, modified the  
            existing data breach notification requirement for agencies and  
            persons or businesses conducting business in California that  
            own or license computerized data that includes personal  
            information.


            SB 46 (Corbett), Chapter 396, Statutes of 2013, revised  
            certain data elements included within the definition of  
            personal information under California's Data Breach  
            Notification Law, by adding certain information that would  
            permit access to an online account and imposed additional  
            requirements on the disclosure of a breach of the security of  
            the system or data in situations where the breach involves  
            personal information that would permit access to an online or  
            email account.


            SB 24 (Simitian), Chapter 197, Statutes of 2011, required any  
            agency, person, or business that is required to issue a  
            security breach notification pursuant to existing law to  
            fulfill certain additional requirements pertaining to the  
            security breach notification, and required any agency, person,  
            or business that is required to issue a security breach  
            notification to more than 500 California residents to  
            electronically submit a single sample copy of that security  
            breach notification to the Attorney General.


            SB 1386 (Peace), Chapter 915, Statutes of 2002, enacted  
            California's Data Breach Notification Law and required a  
            public agency, or a person or business that conducts business  
            in California, that owns or licenses computerized data that  
            includes personal information to disclose any breach of the  
            security of the data to California's residents whose  
            unencrypted personal information was, or is reasonably  
            believed to have been, acquired by an unauthorized person.  SB  
            1386 permitted notifications to be delayed if a law  
            enforcement agency determines that it would impede a criminal  
            investigation, and required an agency, person, or business  
            that maintains computerized data that includes personal  
            information owned by another to notify the owner or licensee  
            of the information of any breach of security of the data.


          REGISTERED SUPPORT / OPPOSITION:




          Support


          ACLU


          Consumer Federation of California


          Electronic Frontier Foundation


          Privacy Rights Clearinghouse



          Opposition


          None on file.




          Analysis Prepared by:  Jennie Bretschneider / P. & C.P. / (916) 319-2200