BILL ANALYSIS






           ----------------------------------------------------------------- 
          |SENATE RULES COMMITTEE            |                       AB 2828|
          |Office of Senate Floor Analyses   |                              |
          |(916) 651-1520    Fax: (916)      |                              |
          |327-4478                          |                              |
           ----------------------------------------------------------------- 


                                   THIRD READING 


          Bill No:  AB 2828
          Author:   Chau (D) 
          Amended:  5/27/16 in Assembly
          Vote:     21 

           SENATE JUDICIARY COMMITTEE:  7-0, 6/21/16
           AYES:  Jackson, Moorlach, Anderson, Hertzberg, Leno, Monning,  
            Wieckowski

           SENATE APPROPRIATIONS COMMITTEE:  7-0, 8/11/16
           AYES:  Lara, Bates, Beall, Hill, McGuire, Mendoza, Nielsen

           ASSEMBLY FLOOR:  79-1, 6/1/16 - See last page for vote

           SUBJECT:   Personal information:  privacy:  breach


          SOURCE:    Author

          DIGEST:   This bill requires any agency, person, or business  
          that owns or licenses computerized data that includes personal  
          information to disclose a breach of the security of the system  
          to any California resident whose encrypted personal information  
          was, or is reasonably believed to have been, acquired by an  
          unauthorized person, if the encryption key or security  
          credential was, or is reasonably believed to have been, acquired  
          by an unauthorized person, and the entity that owns or licenses  
          the encrypted information has a reasonable belief that the  
          encryption key or security credential could render that personal  
          information readable or useable.


          ANALYSIS:  

          Existing law:


          1)Requires, pursuant to the data breach notification law, any  
            agency, person, or business that owns or licenses computerized  
            data that includes personal information to disclose a breach  
            of the security of the system to any California resident whose  
            unencrypted personal information was, or is reasonably  
            believed to have been, acquired by an unauthorized person.   
            The disclosure must be made in the most expedient time  
            possible and without unreasonable delay, consistent with the  
            legitimate needs of law enforcement, as specified.  (Civ. Code  
            Secs. 1798.29(a), (c) and 1798.82(a), (c).)


          2)Requires any agency, person, or business that maintains  
            computerized data that includes personal information that the  
            agency, person, or business does not own to notify the owner  
            or licensee of the information of any security breach  
            immediately following discovery if the personal information  
            was, or is reasonably believed to have been, acquired by an  
            unauthorized person.  (Civ. Code Secs. 1798.29(b),  
            1798.82(b).)


          3)Defines "personal information" to include either a user name  
            or email address, in combination with a password or security  
            question and answer that would permit access to an online  
            account, or the individual's first name or first initial and  
            last name in combination with one or more of the following  
            data elements, when either the name or the data elements are  
            not encrypted: social security number; driver's license number  
            or California identification card number; account number,  
            credit or debit card number, in combination with any required  
            security code, access code, or password that would permit  
            access to an individual's financial account; medical  
            information; health insurance information; or information or  
            data collected through the use or operation of an automated  
            license plate recognition system.  "Personal information" does  
            not include publicly available information that is lawfully  
            made available to the general public from federal, state, or  
            local government records.  (Civ. Code Secs. 1798.29(g) and  
            (h); 1798.82(h) and (i).)


          This bill:


          1)Requires any agency, person, or business that owns or licenses  
            computerized data that includes personal information to  
            disclose a breach of the security of the system to any  
            California resident whose encrypted personal information was,  
            or is reasonably believed to have been, acquired by an  
            unauthorized person and the encryption key or security  
            credential was, or is reasonably believed to have been,  
            acquired by an unauthorized person and the agency, person, or  
            business that owns or licenses the encrypted information has a  
            reasonable belief that the encryption key or security  
            credential could render that personal information readable or  
            useable.


          2)Defines "encryption key" and "security credential" to mean the  
            confidential key or process designed to render the data  
            useable, readable, and decipherable.


          Background


          In 2003, California's first-in-the-nation security breach  
          notification law went into effect. (See Civ. Code Secs.  
          1798.29(a), 1798.82(a).)  Since that time, all but three states  
          have enacted similar security breach notification laws, and  
          governments around the world have enacted or are considering  
          such laws.  California's breach notification statute requires  
          state agencies, local agencies, and businesses to notify  
          residents when the security of their computerized personal  
          information is breached.  Existing law requires breach  
          notifications to be made in the most expedient time possible  
          without unreasonable delay, and specifies certain information  
          that must be included in these notices.  This breach  
          notification requirement ensures that residents are made aware  
          of a breach, thus allowing them to take appropriate action to  
          mitigate or prevent potential financial losses due to fraudulent  
          activity.


          California's requirement to notify affected individuals of a  
          data breach has had the effect of highlighting data insecurity  
          as a matter for public concern, and has motivated businesses and  
          agencies to invest additional resources toward securing data  
          stored within their computer networks.  However, despite the  
          data breach notification law's positive impact, data breaches  
          have increased in frequency and magnitude since the law took  
          effect.  The Attorney General's most recent report on California  
          data breaches offers the following summary:


            In the past four years, the Attorney General has received  
            reports on 657 data breaches, affecting a total of over 49  
            million records of Californians.  In 2012, there were 131  
            breaches, involving 2.6 million records of Californians; in  
            2015, 178 breaches put over 24 million records at risk.  This  
            means that nearly three in five Californians were victims of a  
            data breach in 2015 alone.  (California Department of Justice,  
            California Data Breach Report 2012-2015 (Feb. 2016)  
             
          This bill requires agencies, persons, and businesses to disclose  
          the breach of the security of a system containing encrypted  
          personal information when the encryption key or security  
          credential that could render that personal information readable  
          or useable is also compromised in the breach.


          Comments


          The author writes:


            In February 2015, criminals accessed personal information,  
            including names, addresses, birthdates, and Social Security  
            numbers, of more than 80 million United States patients  
            covered by one of the country's largest health insurance and  
            health plan providers.  The incident was the biggest theft of  
            health care data in history.  The data was not encrypted,  
            which is what triggered a breach notice to the 80 million  
            victims under current state and federal laws.  Current law  
            requires notice, so that victims can take steps to protect  
            themselves from fraud and identity theft before the data is  
            used or sold by the hackers.


            However, even if encryption had been used, the data could have  
            still been compromised, because the hackers gained access to  
            at least five sets of employee credentials, which could have  
            unlocked any encryption.  Encryption is an important tool to  
            secure sensitive data in transit and at rest, but if the  
            credentials and keys to unlock the data are stolen before,  
            during or after a hacking incident, then the stolen data is as  
            good as decrypted.


            AB 2828 updates California's breach notice law to require  
            businesses and government agencies to provide notice of a  
            breach if both encrypted data and the keys to the encryption  
            are believed to have been breached.  AB 2828's expansion of  
            the breach notice requirement reflects what has become an  
            industry best practice since the original passage of the  
            breach notice law more than a decade ago.  Specifically, AB  
            2828 requires businesses and government agencies to provide a  
            notice to affected consumers in the event of a data breach  
            where encrypted Personally Identifiable Information (PII) is  
            disclosed, if there is a reasonable belief that encryption  
            keys or security credentials were also compromised and could  
            render the PII readable or useable.


          Related/Prior Legislation


          SB 1444 (Hertzberg, 2016) requires state agencies that own or  
          license computerized data that includes personal information to  
          prepare a security plan that details the agency's strategy to  
          respond to a security breach of that information and its  
          associated consequences.  The bill lists certain minimum  
          requirements to be included in an agency's security plan,  
          including a requirement to inventory personal information stored  
          or transmitted by the agency and procedures for facilitating  
          communication between an incident response team, agency  
          officials, and individuals affected by a breach.  The bill is in  
          engrossing and enrolling.


          AB 259 (Dababneh, 2015) requires an agency, if the agency was  
          the source of a breach and the breach compromised a person's  
          social security number, driver's license number, or California  
          identification card number, to offer the person identity theft  
          prevention and mitigation services at no cost for not less than  
          12 months.  The bill was held in the Senate Appropriations  
          Committee.


          SB 570 (Jackson, Chapter 543, Statutes of 2015) modified  
          existing data breach notification requirements for agencies and  
          persons or businesses conducting business in California that own  
          or license computerized data that includes personal information.  
          Specifically, the bill requires these entities, in the event of  
          a data breach, to provide affected individuals with a notice  
          entitled "Notice of Data Breach," in which required content is  
          presented under the following headings: "What Happened," "What  
          Information Was Involved," "What We Are Doing," "What You Can  
          Do," and "For More Information." The bill states that additional  
          information may be provided to supplement the required notice,  
          and provides a model security breach notification form that  
          entities may use to comply with formatting requirements.  The  
          bill also clarified the requirements for providing substitute  
          notice of a data breach, and made other technical and clarifying  
          changes to the data breach notification law.


          AB 964 (Chau, Chapter 522, Statutes of 2015) defined "encrypted"  
          as used in California's data breach notification law to mean  
          rendered unusable, unreadable, or indecipherable to an  
          unauthorized person through a security technology or methodology  
          generally accepted in the field of information security.


          AB 1710 (Dickinson, Chapter 855, Statutes of 2014) amended  
          California's data breach notification law to require a person or  
          business to offer appropriate identity theft prevention and  
          mitigation services to an affected person at no cost for not  
          less than 12 months if the person or business was the source of  
          a data breach.  AB 1710 also prohibited the sale, advertisement  
          for sale, or offer to sell an individual's social security  
          number.


          SB 46 (Corbett, Chapter 396, Statutes of 2013) revised the data  
          elements included within the definition of personal information  
          under California's data breach notification law by adding  
          certain information that would permit access to an online  
          account, and imposed additional requirements on the disclosure  
          of a breach of the security of the system or data in situations  
          where the breach involves personal information that would permit  
          access to an online or email account.


          AB 1950 (Wiggins, Chapter 877, Statutes of 2004) required a  
          business that owns or licenses personal information about a  
          California resident to implement and maintain reasonable  
          security procedures and practices to protect that personal  
          information from unauthorized access, destruction, use,  
          modification, or disclosure.  AB 1950 also required a business  
          that discloses personal information to a nonaffiliated third  
          party to require by contract that those entities maintain  
          reasonable security procedures.


          SB 1386 (Peace, Chapter 915, Statutes of 2002) enacted  
          California's data breach notification law and required a state  
          agency, or a person or business that conducts business in  
          California, that owns or licenses computerized data that  
          includes personal information to disclose any breach of the  
          security of the data to California residents whose unencrypted  
          personal information was, or is reasonably believed to have  
          been, acquired by an unauthorized person.  SB 1386 permitted  
          notifications to be delayed if a law enforcement agency  
          determines that it would impede a criminal investigation, and  
          required an agency, person, or business that maintains  
          computerized data that includes personal information owned by  
          another to notify the owner or licensee of the information of  
          any breach of security of the data.


          FISCAL EFFECT:   Appropriation:    No          Fiscal Com.:  Yes  
          Local:   No


          According to the Senate Appropriations Committee, this bill  
          would result in potential minor to moderate future increases in  
          administrative costs (General Fund) statewide across all state  
          agencies for additional data breach notifications, as well as  
          potential future increases in non-reimbursable local costs  
          (Local Funds) for the issuance of additional data breach notices  
          to consumers.


          SUPPORT:   (Verified 8/12/16)


          American Civil Liberties Union
          California District Attorneys Association
          Consumer Federation of California
          Electronic Frontier Foundation
          Privacy Rights Clearinghouse 


          OPPOSITION:   (Verified 8/12/16)


          None received


          ASSEMBLY FLOOR:  79-1, 6/1/16
          AYES:  Achadjian, Alejo, Travis Allen, Arambula, Atkins, Baker,  
            Bigelow, Bloom, Bonilla, Bonta, Brough, Brown, Burke,  
            Calderon, Campos, Chang, Chau, Chávez, Chiu, Chu, Cooley,  
            Cooper, Dababneh, Dahle, Daly, Dodd, Eggman, Frazier, Beth  
            Gaines, Gallagher, Cristina Garcia, Eduardo Garcia, Gatto,  
            Gipson, Gomez, Gonzalez, Gordon, Gray, Grove, Hadley, Roger  
            Hernández, Holden, Irwin, Jones, Jones-Sawyer, Kim, Lackey,  
            Levine, Linder, Lopez, Low, Maienschein, Mathis, Mayes,  
            McCarty, Medina, Melendez, Mullin, Nazarian, Obernolte,  
            O'Donnell, Olsen, Patterson, Quirk, Ridley-Thomas, Rodriguez,  
            Salas, Santiago, Steinorth, Mark Stone, Thurmond, Ting,  
            Wagner, Waldron, Weber, Wilk, Williams, Wood, Rendon
          NOES:  Harper

          Prepared by: Tobias Halvarson / JUD. / (916) 651-4113
          8/15/16 20:30:06


                                   ****  END  ****