BILL ANALYSIS
AB 2828
Page 1
Date of Hearing: April 20, 2016
ASSEMBLY COMMITTEE ON APPROPRIATIONS
Lorena Gonzalez, Chair
AB 2828 (Chau) - As Introduced February 19, 2016
-----------------------------------------------------------------
|Policy Committee: | Privacy and Consumer Protection | Vote: | 10 - 0 |
-----------------------------------------------------------------
Urgency: No    State Mandated Local Program: No    Reimbursable: No
SUMMARY:
This bill expands data breach notification law, which currently
requires consumer notice for compromised unencrypted personal
information, to include encrypted information if the encryption
keys have also been compromised. Specifically, this bill:
1) Requires a public agency, person, or business that owns or
licenses computerized data that includes personal information
to notify any California resident whose encrypted personal
information was, or is reasonably believed to have been,
acquired by an unauthorized person, if at any time before or
after the breach the encryption key or security credential
has, or is reasonably believed to have been, acquired by an
unauthorized person.
2) Defines "encryption key" and "security credential" to mean any
information that could be used by an unauthorized person to
access or decrypt encrypted personal information contained in
a data system.
FISCAL EFFECT:
Requiring notification of encrypted personal information, when
an encryption key or security credential is obtained by an
unauthorized person, will likely increase to some extent the
number of notifications required of state agencies. While the
cost of these notifications is unknown, it is possible these
costs could exceed $150,000 for one or more agencies in a fiscal
year.
COMMENTS:
1) Purpose. According to the author's office, "AB 2828 updates
California's breach notice law to require businesses and
government agencies to provide notice of a breach if both
encrypted data and the keys to the encryption are believed to
have been breached. This expansion of the breach notice
requirement reflects what has become an industry best practice
since the original passage of the breach notice law more than
a decade ago."
2) Background. California law requires businesses as well as
state and local agencies that experience a breach of
unencrypted personal information to send a notice of the
breach to those affected by the breach. The breach notice
must include basic information about what happened, what
information was breached, what the business or agency is doing
in response to the breach, and what the person affected by the
breach can do to protect themselves from fraud and identity
theft.
A business or agency that experiences a breach can avoid
mailing the breach notice to each and every affected customer
if doing so would cost more than $250,000. In this case, the
law permits "substitute notice" which must include: emailing
the notice to affected customers (if an email address is
available); posting the notice on the business's website, and
notifying major statewide media and the Office of Information
Security within the Department of Technology.
The current data breach notice law does not require notice
when encrypted information is lost. This creates an incentive
for businesses and government agencies to encrypt personal
data and thereby avoid the notice requirement.
Analysis Prepared by: Chuck Nicol / APPR. / (916) 319-2081