BILL ANALYSIS

AB 2828 Page 1

ASSEMBLY THIRD READING
AB 2828 (Chau)
As Amended May 27, 2016
Majority vote

------------------------------------------------------------------
|Committee       |Votes|Ayes                  |Noes                |
|----------------+-----+----------------------+--------------------|
|Privacy         |10-0 |Chau, Wilk, Baker,    |                    |
|                |     |Calderon, Cooper,     |                    |
|                |     |Dababneh, Gatto,      |                    |
|                |     |Gordon, Low, Olsen    |                    |
|----------------+-----+----------------------+--------------------|
|Appropriations  |20-0 |Gonzalez, Bigelow,    |                    |
|                |     |Bloom, Bonilla,       |                    |
|                |     |Bonta, Calderon,      |                    |
|                |     |Chang, Daly, Eggman,  |                    |
|                |     |Gallagher, Eduardo    |                    |
|                |     |Garcia, Roger         |                    |
|                |     |Hernández, Holden,    |                    |
|                |     |Jones, Obernolte,     |                    |
|                |     |Quirk, Santiago,      |                    |
|                |     |Wagner, Weber, Wood   |                    |
------------------------------------------------------------------

SUMMARY: Expands data breach notification law, which currently requires consumer notice for compromised unencrypted personal information, to include encrypted information if the encryption keys have also been compromised. Specifically, this bill:

1) Requires a public agency, person, or business that owns or licenses computerized data that includes personal information to notify any California resident whose encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person, and the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person and the person, business, or agency that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information readable or useable.

2) Defines "encryption key" and "security credential" to mean the confidential key or process designed to render the data useable, readable, and decipherable.
FISCAL EFFECT: According to the Assembly Appropriations Committee, "Requiring notification of encrypted personal information, when an encryption key or security credential is obtained by an unauthorized person, will likely increase to some extent the number of notifications required of state agencies. While the cost of these notifications is unknown, it is possible these costs could exceed $150,000 for one or more agencies in a fiscal year. The most recent amendments reduce the likelihood that a state agency would experience such high costs, however."

COMMENTS:

1) Purpose of this bill. This bill is intended to better inform likely data breach victims by requiring businesses and government agencies to provide a notice of breach in cases where both encrypted Personally Identifiable Information (PII) and the encryption keys or security credentials that can unlock the encrypted PII are believed to have been compromised. Current law only requires notice if unencrypted data is breached. This measure is author-sponsored.

2) Recent data breaches in California. According to a February 2016 report by Attorney General Kamala Harris, the number of data breaches between 2012 and 2015 grew from 131 breach incidents in 2012 to 178 incidents in 2015. Even more dramatic is the number of records breached during the same time period, which rose from 2.6 million in 2012 to 24 million records containing sensitive personal information in 2015 ("California Data Breach Report 2012-2015," California Department of Justice, February 2016). In February 2015, criminals accessed personal information, including names, addresses, birthdates, and Social Security numbers of more than 80 million United States patients covered by Anthem, one of the country's largest health insurance and health plan providers. The incident was the single biggest theft of health care data in U.S. history.
Anthem's data was not encrypted, which is what triggered a breach notice to the 80 million victims under current state and federal laws. During 2012-2014, the following California public agencies reported breaches: California State University, Department of Corrections and Rehabilitation, Department of Public Health, Department of State Hospitals, Correctional Health Care Services, Department of Social Services, Department of Justice, Department of Child Support Services, Employment Development Department, and the Department of Motor Vehicles.

3) Requiring notice of encrypted data. State law currently requires notice of a security breach only if the data is unencrypted under the premise that: 1) the law provides an incentive to government and business to encrypt sensitive data; and 2) the law triggers notice only when there is a reasonable possibility of fraud or identity theft, so that victims can take steps to protect themselves before criminals use the data. This bill requires notice of breach in cases where the data is in fact encrypted, but notice is only required if the key or security credential that can unlock the data is also reasonably believed to have been compromised. Interestingly, the hacked data in the 2015 Anthem breach was unencrypted, but even if Anthem had encrypted the data, it still would have been easily accessible. The Anthem hackers also gained access to at least five sets of employee security credentials, which could have unlocked the encryption - meaning that the data would likely have been lost anyway.

4) California's Data Breach Notification Law. California law requires businesses as well as state and local agencies that experience a breach of unencrypted personal information to send a notice of the breach to the people affected by the breach.
The breach notice must include basic information about what happened, what information was breached, what the business or agency is doing in response to the breach, and what the person affected by the breach can do to protect themselves from fraud and identity theft. Under current law, a business or agency that experiences a breach can avoid mailing the breach notice to each and every affected customer if doing so would cost more than $250,000.

The Data Breach Notification Law has two distinct parts: one part that applies to state and local agencies, which is located in the Information Practices Act of 1977 (Civil Code 1798.29), and one part that applies to businesses (Civil Code 1798.82). This bill would change both laws, so that both the public sector and the private sector would have a duty to provide notice of breach to affected customers if both the encrypted data and the encryption key that unlocks it are compromised.

Analysis Prepared by: Jennie Bretschneider / P. & C.P. / (916) 319-2200

FN: 0003327