BILL ANALYSIS
SENATE JUDICIARY COMMITTEE
Senator Hannah-Beth Jackson, Chair
2015-2016 Regular Session
AB 2828 (Chau)
Version: May 27, 2016
Hearing Date: June 21, 2016
Fiscal: Yes
Urgency: No
SUBJECT
Personal Information: Privacy: Breach
DESCRIPTION
This bill would require any agency, person, or business that
owns or licenses computerized data that includes personal
information to disclose a breach of the security of the system
to any California resident whose encrypted personal information
was, or is reasonably believed to have been, acquired by an
unauthorized person, if the encryption key or security
credential was, or is reasonably believed to have been, acquired
by an unauthorized person, and the entity that owns or licenses
the encrypted information has a reasonable belief that the
encryption key or security credential could render that personal
information readable or useable.
BACKGROUND
In 2003, California's first-in-the-nation security breach
notification law went into effect. (See Civ. Code Secs.
1798.29(a), 1798.82(a).) Since that time, all but three states
have enacted similar security breach notification laws, and
governments around the world have enacted or are considering
enacting such laws. California's breach notification statute requires
state agencies, local agencies, and businesses to notify
residents when the security of their computerized personal
information is breached. Existing law requires breach
notifications to be made in the most expedient time possible
without unreasonable delay, and specifies certain information
that must be included in these notices. This breach
notification requirement ensures that residents are made aware
of a breach, thus allowing them to take appropriate action to
mitigate or prevent potential financial losses due to fraudulent
activity.
California's requirement to notify affected individuals of a
data breach has had the effect of highlighting data insecurity
as a matter for public concern, and has motivated businesses and
agencies to invest additional resources toward securing data
stored within their computer networks. However, despite the
data breach notification law's positive impact, data breaches
have increased in frequency and magnitude since the law took
effect. The Attorney General's most recent report on California
data breaches offers the following summary:
In the past four years, the Attorney General has received
reports on 657 data breaches, affecting a total of over 49
million records of Californians. In 2012, there were 131
breaches, involving 2.6 million records of Californians; in
2015, 178 breaches put over 24 million records at risk. This
means that nearly three in five Californians were victims of a
data breach in 2015 alone. (California Department of Justice,
California Data Breach Report 2012-2015 (Feb. 2016)
[as of Apr. 1, 2016].)
Unfortunately, victims of data breach are much more likely to
become victims of fraud and identity theft. The Attorney
General's data breach report notes that "[i]n 2014, 67 percent
of breach victims in the U.S. were also victims of fraud,
compared to just 25 percent of all consumers." (Id. [citations
omitted].)
When the Legislature enacted SB 1386 (Peace, Ch. 915, Stats.
2002) and created California's Data Breach Notification Law, the
law included a safe harbor that generally exempted the exposure
of encrypted personal information from the law's notification
provisions. The inclusion of an encryption safe harbor was
meant to incentivize organizations to encrypt personal
information under their control. However, the protections
offered by encryption are significantly compromised when
encrypted data is acquired along with an encryption key that can
be used to decrypt the data.
This bill would require agencies, persons, and businesses to
disclose the breach of the security of a system containing
encrypted personal information when the encryption key or
security credential that could render that personal information
readable or useable is also compromised in the breach.
CHANGES TO EXISTING LAW
Existing law, the data breach notification law, requires any
agency, person, or business that owns or licenses computerized
data that includes personal information to disclose a breach of
the security of the system to any California resident whose
unencrypted personal information was, or is reasonably believed
to have been, acquired by an unauthorized person. The
disclosure must be made in the most expedient time possible and
without unreasonable delay, consistent with the legitimate needs
of law enforcement, as specified. (Civ. Code Secs. 1798.29(a),
(c) and 1798.82(a), (c).)
Existing law requires any agency, person, or business that
maintains computerized data that includes personal information
that the agency, person, or business does not own to notify the
owner or licensee of the information of any security breach
immediately following discovery if the personal information was,
or is reasonably believed to have been, acquired by an
unauthorized person. (Civ. Code Secs. 1798.29(b), 1798.82(b).)
Existing law defines "personal information" to include either a
user name or email address, in combination with a password or
security question and answer that would permit access to an
online account, or the individual's first name or first initial
and last name in combination with one or more of the following
data elements, when either the name or the data elements are not
encrypted: social security number; driver's license number or
California identification card number; account number, credit or
debit card number, in combination with any required security
code, access code, or password that would permit access to an
individual's financial account; medical information; health
insurance information; or information or data collected through
the use or operation of an automated license plate recognition
system. "Personal information" does not include publicly
available information that is lawfully made available to the
general public from federal, state, or local government records.
(Civ. Code Secs. 1798.29(g) and (h); 1798.82(h) and (i).)
This bill would require any agency, person, or business that
owns or licenses computerized data that includes personal
information to disclose a breach of the security of the system
to any California resident whose encrypted personal information
was, or is reasonably believed to have been, acquired by an
unauthorized person and the encryption key or security
credential was, or is reasonably believed to have been, acquired
by an unauthorized person and the agency, person, or business
that owns or licenses the encrypted information has a reasonable
belief that the encryption key or security credential could
render that personal information readable or useable.
This bill would define "encryption key" and "security
credential" to mean the confidential key or process designed to
render the data useable, readable, and decipherable.
COMMENT
1. Stated need for the bill
The author writes:
In February 2015, criminals accessed personal information,
including names, addresses, birthdates, and Social Security
numbers, of more than 80 million United States patients
covered by one of the country's largest health insurance and
health plan providers. The incident was the biggest theft of
health care data in history. The data was not encrypted,
which is what triggered a breach notice to the 80 million
victims under current state and federal laws. Current law
requires notice, so that victims can take steps to protect
themselves from fraud and identity theft before the data is
used or sold by the hackers.
However, even if encryption had been used, the data could have
still been compromised, because the hackers gained access to
at least five sets of employee credentials, which could have
unlocked any encryption. Encryption is an important tool to
secure sensitive data in transit and at rest, but if the
credentials and keys to unlock the data are stolen before,
during or after a hacking incident, then the stolen data is as
good as decrypted.
AB 2828 updates California's breach notice law to require
businesses and government agencies to provide notice of a
breach if both encrypted data and the keys to the encryption
are believed to have been breached. AB 2828's expansion of
the breach notice requirement reflects what has become an
industry best practice since the original passage of the
breach notice law more than a decade ago. Specifically, AB
2828 requires businesses and government agencies to provide a
notice to affected consumers in the event of a data breach
where encrypted Personally Identifiable Information (PII) is
disclosed, if there is a reasonable belief that encryption
keys or security credentials were also compromised and could
render the PII readable or useable.
2. Right to Privacy
California recognizes that the right to privacy is a fundamental
right, and has enshrined that right along with other fundamental
rights in article I, section 1 of the California Constitution.
The harm that can result from the theft of personal information
via a data breach threatens to undermine that fundamental right.
Unfortunately, because of the size of its economy and the
number of consumers it serves, the data held by California
businesses and government agencies is frequently targeted by cyber
criminals. The frequency of data breaches in California and the
threat that such breaches pose to California residents make timely
and effective notification of a breach a matter of critical
importance.
However, notification of data breaches involving encrypted
personal information has not traditionally raised the same
policy concerns. This is because properly encrypted data is
much less valuable to whomever acquires it, since the encryption
functionally obscures the underlying data. Indeed, "[m]any
security experts insist that there ought to be a carve-out that
would allow companies to avoid disclosure requirements in a
breach that exposes properly encrypted sensitive data." (Brian
Krebs, Toward Better Privacy, Data Breach Laws
[as of Jun. 7, 2016].) California's data breach
notification law has such an exception, stating that notice of a
breach must be made when "unencrypted personal information was,
or is reasonably believed to have been, acquired by an
unauthorized person." (Civ. Code Secs. 1798.29(a), (c) and
1798.82(a), (c).)
3. Security of Encryption Keys
Modern encryption technology works by encoding information in
such a way that only the person (or computer) with the
encryption key can decode it. In general, each computer
exchanging encrypted information has a secret key (code) that it
can use to encrypt a packet of information before it is sent
over a network to another computer, where it is then decrypted
using the same or a mathematically related key. Maintaining the
secrecy of an encryption key is what ensures compromised
encrypted messages cannot be read by an unauthorized person.
California's data breach notification law contains a safe harbor
for businesses and agencies that lose encrypted information in a
data breach. However, recent data breaches have revealed
instances where encrypted information was breached along with
the encryption key. For example, the ride-hailing company Uber
reported in late 2014 that "[t]housands of Uber driver names and
driver's license numbers may be in the hands of an unauthorized
third party due to a data breach," and that "one of its many
databases could have potentially been accessed because one of
the encryption keys required to unlock it had been compromised."
(Tracey Lien, Uber Security Breach May Have Affected up to
50,000 Drivers, Los Angeles Times (Feb. 27, 2015)
[as of Jun. 7, 2016].) In breaches
such as this where an encryption key is taken along with
encrypted information, the compromised information has lost the
effectiveness of its encryption protection.
This bill addresses the problem of data breaches that result in
the compromise of encryption keys. It would require agencies,
persons, and businesses to disclose the breach of the security
of a system containing encrypted personal information when the
encryption key or security credential that could render the
encrypted information readable or useable is also compromised in
the breach. By doing so, this bill closes an unintentional gap
in California's data breach notification law that allows the
safe harbor for encrypted data to remain in effect even though
the protection offered by that encryption has been severely
compromised. This change to the law ensures that victims of
data breaches are timely notified when encrypted personal
information is taken in those cases where that encrypted
information can easily be rendered useable or readable, thereby
making it likely that personal information could be exposed.
Support: American Civil Liberties Union; California District
Attorneys Association; Consumer Federation of California;
Electronic Frontier Foundation; Privacy Rights Clearinghouse
Opposition: None Known
HISTORY
Source: Author
Related Pending Legislation:
SB 1444 (Hertzberg, 2016) requires state agencies that own or
license computerized data that includes personal information to
prepare a security plan that details the agency's strategy to
respond to a security breach of that information and its
associated consequences. This bill lists certain minimum
requirements to be included in an agency's security plan,
including a requirement to inventory personal information stored
or transmitted by the agency and procedures for facilitating
communication between an incident response team, agency
officials, and individuals affected by a breach. This bill is
pending in the Assembly Committee on Privacy and Consumer
Protection.
AB 259 (Dababneh, 2015) requires an agency, if the agency was
the source of a breach and the breach compromised a person's
social security number, driver's license number, or California
identification card number, to offer the person identity theft
prevention and mitigation services at no cost for not less than
12 months. The bill was held in the Senate Appropriations
Committee.
Prior Legislation:
SB 570 (Jackson, Ch. 543, Stats. 2015) modified existing data
breach notification requirements for agencies and persons or
businesses conducting business in California that own or license
computerized data that includes personal information.
Specifically, this bill requires these entities, in the event of
a data breach, to provide affected individuals with a notice
entitled "Notice of Data Breach," in which required content is
presented under the following headings: "What Happened," "What
Information Was Involved," "What We Are Doing," "What You Can
Do," and "For More Information." This bill states that
additional information may be provided to supplement the
required notice, and provides a model security breach
notification form that entities may use to comply with
formatting requirements. This bill also clarified the
requirements for providing substitute notice of a data breach,
and made other technical and clarifying changes to the data
breach notification law.
AB 964 (Chau, Ch. 522, Stats. 2015) defined "encrypted" as used
in California's data breach notification law to mean rendered
unusable, unreadable, or indecipherable to an unauthorized
person through a security technology or methodology generally
accepted in the field of information security.
AB 1710 (Dickinson, Ch. 855, Stats. 2014) amended California's
data breach notification law to require a person or business to
offer appropriate identity theft prevention and mitigation
services to an affected person at no cost for not less than 12
months if the person or business was the source of a data
breach. AB 1710 also prohibited the sale, advertisement for
sale, or offer to sell an individual's social security number.
SB 46 (Corbett, Ch. 396, Stats. 2013) revised the data elements
included within the definition of personal information under
California's data breach notification law by adding certain
information that would permit access to an online account, and
imposed additional requirements on the disclosure of a breach of
the security of the system or data in situations where the
breach involves personal information that would permit access to
an online or email account.
AB 1950 (Wiggins, Ch. 877, Stats. 2004) required a business that
owns or licenses personal information about a California
resident to implement and maintain reasonable security
procedures and practices to protect that personal information
from unauthorized access, destruction, use, modification, or
disclosure. AB 1950 also required a business that discloses
personal information to a nonaffiliated third party to require
by contract that those entities maintain reasonable security
procedures.
SB 1386 (Peace, Ch. 915, Stats. 2002) enacted California's data
breach notification law and required a state agency, or a person
or business that conducts business in California, that owns or
licenses computerized data that includes personal information to
disclose any breach of the security of the data to California
residents whose unencrypted personal information was, or is
reasonably believed to have been, acquired by an unauthorized
person. SB 1386 permitted notifications to be delayed if a law
enforcement agency determines that it would impede a criminal
investigation, and required an agency, person, or business that
maintains computerized data that includes personal information
owned by another to notify the owner or licensee of the
information of any breach of security of the data.
Prior Vote:
Assembly Floor (Ayes 79, Noes 1)
Assembly Appropriations Committee (Ayes 20, Noes 0)
Assembly Privacy and Consumer Protection Committee (Ayes 10,
Noes 0)