BILL ANALYSIS
AB 2828
Page 1

Date of Hearing: April 20, 2016

ASSEMBLY COMMITTEE ON APPROPRIATIONS
Lorena Gonzalez, Chair

AB 2828 (Chau) - As Introduced February 19, 2016

Policy Committee: Privacy and Consumer Protection        Vote: 10 - 0

Urgency: No
State Mandated Local Program: No
Reimbursable: No

SUMMARY:

This bill expands data breach notification law, which currently requires consumer notice for compromised unencrypted personal information, to include encrypted information if the encryption keys have also been compromised. Specifically, this bill:

1) Requires a public agency, person, or business that owns or licenses computerized data that includes personal information to notify any California resident whose encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person, if at any time before or after the breach the encryption key or security credential has, or is reasonably believed to have been, acquired by an unauthorized person.

2) Defines "encryption key" and "security credential" to mean any information that could be used by an unauthorized person to access or decrypt encrypted personal information contained in a data system.

FISCAL EFFECT:

Requiring notification of encrypted personal information, when an encryption key or security credential is obtained by an unauthorized person, will likely increase to some extent the number of notifications required of state agencies. While the cost of these notifications is unknown, it is possible these costs could exceed $150,000 for one or more agencies in a fiscal year.

COMMENTS:

1) Purpose. According to the author's office, "AB 2828 updates California's breach notice law to require businesses and government agencies to provide notice of a breach if both encrypted data and the keys to the encryption are believed to have been breached. This expansion of the breach notice requirement reflects what has become an industry best practice since the original passage of the breach notice law more than a decade ago."

2) Background. California law requires businesses as well as state and local agencies that experience a breach of unencrypted personal information to send a notice of the breach to those affected by the breach. The breach notice must include basic information about what happened, what information was breached, what the business or agency is doing in response to the breach, and what the person affected by the breach can do to protect themselves from fraud and identity theft.

A business or agency that experiences a breach can avoid mailing the breach notice to each and every affected customer if doing so would cost more than $250,000. In this case, the law permits "substitute notice," which must include: emailing the notice to affected customers (if an email address is available); posting the notice on the business's website; and notifying major statewide media and the Office of Information Security within the Department of Technology.

The current data breach notice law does not require notice when encrypted information is lost. This creates an incentive for businesses and government agencies to encrypt personal data and thereby avoid the notice requirement.

Analysis Prepared by: Chuck Nicol / APPR. / (916) 319-2081