BILL ANALYSIS



                                                                    AB 2828


                                                                    Page  1





          Date of Hearing:  April 20, 2016


                        ASSEMBLY COMMITTEE ON APPROPRIATIONS


                               Lorena Gonzalez, Chair


          AB 2828 (Chau) - As Introduced February 19, 2016


           ----------------------------------------------------------------- 
          |Policy       |Privacy and Consumer           |Vote:|10 - 0       |
          |Committee:   |Protection                     |     |             |
           ----------------------------------------------------------------- 


          Urgency:  No     State Mandated Local Program:  No     Reimbursable:  No


          SUMMARY:


          This bill expands data breach notification law, which currently  
          requires consumer notice for compromised unencrypted personal  
          information, to include encrypted information if the encryption  
          keys have also been compromised.  Specifically, this bill:


          1)Requires a public agency, person, or business that owns or  
            licenses computerized data that includes personal information  
            to notify any California resident whose encrypted personal  
            information was, or is reasonably believed to have been,  
            acquired by an unauthorized person, if at any time before or  
            after the breach the encryption key or security credential  
            has, or is reasonably believed to have been, acquired by an  
            unauthorized person.
          2)Defines "encryption key" and "security credential" to mean any  
            information that could be used by an unauthorized person to  
            access or decrypt encrypted personal information contained in  
            a data system.


          FISCAL EFFECT:


          Requiring notification of encrypted personal information, when  
          an encryption key or security credential is obtained by an  
          unauthorized person, will likely increase to some extent the  
          number of notifications required of state agencies. While the  
          cost of these notifications is unknown, it is possible these  
          costs could exceed $150,000 for one or more agencies in a fiscal  
          year.


          COMMENTS:


          1)Purpose. According to the author's office, "AB 2828 updates  
            California's breach notice law to require businesses and  
            government agencies to provide notice of a breach if both  
            encrypted data and the keys to the encryption are believed to  
            have been breached.  This expansion of the breach notice  
            requirement reflects what has become an industry best practice  
            since the original passage of the breach notice law more than  
            a decade ago."


          2)Background. California law requires businesses as well as  
            state and local agencies that experience a breach of  
            unencrypted personal information to send a notice of the  
            breach to those affected by the breach.  The breach notice  
            must include basic information about what happened, what  
            information was breached, what the business or agency is doing  
            in response to the breach, and what the person affected by the  
            breach can do to protect themselves from fraud and identity  
            theft.


            A business or agency that experiences a breach can avoid  
            mailing the breach notice to each and every affected customer  
            if doing so would cost more than $250,000.  In this case, the  
            law permits "substitute notice," which must include: emailing  
            the notice to affected customers (if an email address is  
            available); posting the notice on the business's website; and  
            notifying major statewide media and the Office of Information  
            Security within the Department of Technology.


            The current data breach notice law does not require notice  
            when encrypted information is lost.  This creates an incentive  
            for businesses and government agencies to encrypt personal  
            data and thereby avoid the notice requirement.


          Analysis Prepared by:  Chuck Nicol / APPR. / (916) 319-2081