BILL ANALYSIS



          SENATE COMMITTEE ON APPROPRIATIONS
                             Senator Ricardo Lara, Chair
                            2015 - 2016  Regular  Session

          AB 2828 (Chau) - Personal information: privacy: breach
          
          Version:  May 27, 2016          Policy Vote:  JUD. 7 - 0
          Urgency:  No                    Mandate:  No
          Hearing Date:  August 1, 2016   Consultant:  Jolie Onodera


          This bill meets the criteria for referral to the Suspense File.


          Bill Summary:  AB 2828 would expand the data breach notification law
          to include the breach of encrypted information if the encryption
          key or security credential, as defined, has also been
          compromised, as specified.


          Fiscal Impact:
            State agencies  :  Potential minor to moderate future increase
            in administrative costs (General Fund) statewide across all
            agencies for additional data breach notifications. Various
            departments have indicated minor impacts to comply with the
            expanded data breach standards; however, to the extent a large
            agency does not currently have a process to respond to this
            type of data breach, there could be costs to comply with the
            bill's requirements. Staff notes that, to the extent many
            agencies would already issue data breach notifications in the
            absence of this measure, this bill largely serves to codify
            existing practice.







          AB 2828 (Chau)                                         Page 1 of ?

           Local agencies  :  Potential future increase in non-reimbursable  
            local costs (Local Funds) for the issuance of additional data  
            breach notices to consumers.


          Background:  Existing law, the data breach notification law, requires any
          agency, person, or business that owns or licenses computerized
          data that includes personal information to disclose a breach of
          the security of the system to any California resident whose
          unencrypted personal information was, or is reasonably believed
          to have been, acquired by an unauthorized person. The disclosure
          must be made in the most expedient time possible and without
          unreasonable delay, consistent with the legitimate needs of law
          enforcement, as specified. (Civil Code §§ 1798.29(a), (c) and
          1798.82(a), (c).)

          When the Legislature enacted SB 1386 (Peace) Chapter 915/2002
          and created California's Data Breach Notification Law, the law
          included a safe harbor that generally exempted the exposure of
          encrypted personal information from the law's notification
          provisions. The inclusion of an encryption safe harbor was meant
          to incentivize organizations to encrypt personal information
          under their control. However, the protection offered by
          encryption is significantly compromised when encrypted data is
          acquired along with the encryption key, or other security
          credential, that can be used to decrypt that data.

          This bill would require agencies, persons, and businesses to  
          disclose the breach of the security of a system containing  
          encrypted personal information when the encryption key or  
          security credential that could render that personal information  
          readable or useable is also compromised in the breach.


          Proposed Law:  This bill would require any agency, person, or
          business that owns or licenses computerized data that includes
          personal information to disclose a breach of the security of the
          system to any California resident if all of the following apply:
          (1) the resident's encrypted personal information was, or is
          reasonably believed to have been, acquired by an unauthorized
          person; (2) the encryption key or security credential was, or is
          reasonably believed to have been, acquired by an unauthorized
          person; and (3) the agency, person, or business that owns or
          licenses the encrypted information has a reasonable belief that
          the encryption key or security credential could render that
          personal information readable or useable.

          This bill would define "encryption key" and "security
          credential" to mean the confidential key or process designed to
          render the data useable, readable, and decipherable.




          Related Legislation:  SB 1444 (Hertzberg) 2016 would require state
          agencies that own or license computerized data that includes
          personal information to prepare a security plan that details the
          agency's strategy to respond to a security breach of that
          information and its associated consequences. This bill is
          pending hearing in the Assembly Committee on Privacy and
          Consumer Protection.

          AB 259 (Dababneh) 2015 would require an agency, if the agency
          was the source of a breach and the breach compromised a person's
          social security number, driver's license number, or California
          identification card number, to offer the person identity theft
          prevention and mitigation services at no cost for not less than
          12 months. The bill was held on the Suspense File of this
          Committee.


          Prior Legislation:  SB 570 (Jackson) Chapter 543/2015 modified  
          existing data breach notification requirements for agencies and  
          persons or businesses conducting business in California that own  
          or license computerized data that includes personal information.  
          This bill also clarified the requirements for providing  
          substitute notice of a data breach, and made other technical and  
          clarifying changes to the data breach notification law. 


          AB 964 (Chau) Chapter 522/2015 defined "encrypted" as used in  
          California's data breach notification law to mean rendered  
          unusable, unreadable, or indecipherable to an unauthorized  
          person through a security technology or methodology generally  
          accepted in the field of information security. 

          AB 1710 (Dickinson) Chapter 855/2014 amended California's data
          breach notification law to require a person or business to offer
          appropriate identity theft prevention and mitigation services to
          an affected person at no cost for not less than 12 months if the
          person or business was the source of a data breach. This bill
          also prohibited the sale, advertisement for sale, or offer to
          sell an individual's social security number.


          SB 46 (Corbett) Chapter 396/2013 revised the data elements  
          included within the definition of personal information under  
          California's data breach notification law by adding certain  
          information that would permit access to an online account and  
          imposed additional requirements on the disclosure of a breach of  
          the security of the system or data in situations where the  
          breach involves personal information that would permit access to  
          an online or email account. 

          AB 1950 (Wiggins) Chapter 877/2004 required a business that owns  
          or licenses personal information about a California resident to  
          implement and maintain reasonable security procedures and  
          practices to protect that personal information from unauthorized  
          access, destruction, use, modification, or disclosure. 

          SB 1386 (Peace) Chapter 915/2002 enacted California's data  
          breach notification law and required a state agency, or a person  
          or business that conducts business in California, that owns or  
          licenses computerized data that includes personal information to  
          disclose any breach of the security of the data to California  
          residents whose unencrypted personal information was, or is  
          reasonably believed to have been, acquired by an unauthorized  
          person. 




          Staff Comments:  Various departments, including the Department of
          Motor Vehicles, have indicated minor costs resulting from the
          expanded application of the data breach notification law
          required by this measure. Staff notes that, to the extent many
          agencies would already issue data breach notifications in the
          absence of this measure, this bill largely serves to codify
          existing practice.

          The DOJ has indicated the fiscal impact of this bill on the
          agency would be unknown, but potentially substantial. The DOJ
          would need to determine the source of the breach and those
          impacted, and subsequently take the necessary steps to notify.
          In addition, there would likely be a large volume of inquiries
          from the public and law enforcement agencies to process. Thus,
          the fiscal impact of this measure on the DOJ is potentially
          significant but unquantifiable.


                                      -- END --