BILL ANALYSIS

SENATE COMMITTEE ON APPROPRIATIONS
Senator Ricardo Lara, Chair
2015 - 2016 Regular Session

AB 2828 (Chau) - Personal information: privacy: breach

Version: May 27, 2016            Policy Vote: JUD. 7 - 0
Urgency: No                      Mandate: No
Hearing Date: August 1, 2016     Consultant: Jolie Onodera

This bill meets the criteria for referral to the Suspense File.

Bill Summary: AB 2828 would expand the data breach notification law to include the breach of encrypted information if the encryption key or security credential, as defined, has also been compromised, as specified.

Fiscal Impact:

State agencies: Potential minor to moderate future increase in administrative costs (General Fund) statewide across all agencies for additional data breach notifications. Various departments have indicated minor impacts to comply with the expanded data breach standards; however, to the extent a large agency does not currently have a process to respond to this type of data breach, there could be potential costs to comply with the bill's requirements. Staff notes that to the extent many agencies would issue data breach notifications in the absence of this measure, this bill largely serves to codify existing practices.

AB 2828 (Chau) Page 1 of ?

Local agencies: Potential future increase in non-reimbursable local costs (Local Funds) for the issuance of additional data breach notices to consumers.
Background: Existing law, the data breach notification law, requires any agency, person, or business that owns or licenses computerized data that includes personal information to disclose a breach of the security of the system to any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as specified. (Civil Code §§ 1798.29(a),(c) and 1798.82(a), (c).)

When the Legislature enacted SB 1386 (Peace) Chapter 915/2002 and created California's Data Breach Notification Law, the law included a safe harbor that generally exempted the exposure of encrypted personal information from the law's notification provisions. The inclusion of an encryption safe harbor was meant to incentivize organizations to encrypt personal information under their control. However, the protections offered by encryption are significantly compromised when encrypted data is acquired along with an encryption key that can be used to decrypt the data.

This bill would require agencies, persons, and businesses to disclose the breach of the security of a system containing encrypted personal information when the encryption key or security credential that could render that personal information readable or useable is also compromised in the breach.
Proposed Law: This bill would require any agency, person, or business that owns or licenses computerized data that includes personal information to disclose a breach of the security of the system to any California resident whose encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person and the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person and the agency, person, or business that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information readable or useable.

This bill would define "encryption key" and "security credential" to mean the confidential key or process designed to render the data useable, readable, and decipherable.

Related Legislation:

SB 1444 (Hertzberg) 2016 would require state agencies that own or license computerized data that includes personal information to prepare a security plan that details the agency's strategy to respond to a security breach of that information and its associated consequences. This bill is pending hearing in the Assembly Committee on Privacy and Consumer Protection.

AB 259 (Dababneh) 2015 would require an agency, if the agency was the source of a breach and the breach compromised a person's social security number, driver's license number, or California identification card number, to offer the person identity theft prevention and mitigation services at no cost for not less than 12 months. The bill was held on the Suspense File of this Committee.

Prior Legislation:

SB 570 (Jackson) Chapter 543/2015 modified existing data breach notification requirements for agencies and persons or businesses conducting business in California that own or license computerized data that includes personal information.
This bill also clarified the requirements for providing substitute notice of a data breach, and made other technical and clarifying changes to the data breach notification law.

AB 964 (Chau) Chapter 522/2015 defined "encrypted" as used in California's data breach notification law to mean rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.

AB 1710 (Dickinson) Chapter 855/2014 amended California's data breach notification law to require a person or business to offer appropriate identity theft prevention and mitigation services to an affected person at no cost for not less than 12 months if the person or business was the source of a data breach. This bill also prohibited the sale, advertisement for sale, or offer to sell an individual's social security number.

SB 46 (Corbett) Chapter 396/2013 revised the data elements included within the definition of personal information under California's data breach notification law by adding certain information that would permit access to an online account and imposed additional requirements on the disclosure of a breach of the security of the system or data in situations where the breach involves personal information that would permit access to an online or email account.

AB 1950 (Wiggins) Chapter 877/2004 required a business that owns or licenses personal information about a California resident to implement and maintain reasonable security procedures and practices to protect that personal information from unauthorized access, destruction, use, modification, or disclosure.
SB 1386 (Peace) Chapter 915/2002 enacted California's data breach notification law and required a state agency, or a person or business that conducts business in California, that owns or licenses computerized data that includes personal information to disclose any breach of the security of the data to California residents whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

Staff Comments: Various departments, including the Department of Motor Vehicles, have indicated minor costs resulting from the expanded application of the data breach notification law required by this measure. Staff notes that to the extent many agencies would issue data breach notifications in the absence of this measure, this bill largely serves to codify existing practices.

The DOJ has indicated the fiscal impact of this bill on the agency would be unknown, but potentially substantial. The DOJ would need to determine the source of the breach and those impacted, and subsequently take the necessary steps to notify. In addition, there would likely be a large volume of inquiries from the public and law enforcement agencies to process. Thus, the fiscal impact of this measure on the DOJ is potentially significant but unquantifiable.

-- END --