BILL ANALYSIS





                             SENATE JUDICIARY COMMITTEE
                         Senator Hannah-Beth Jackson, Chair
                            2015 - 2016  Regular  Session


          SB 570 (Jackson)
          Version: April 6, 2015
          Hearing Date:  April 28, 2015
          Fiscal: Yes
          Urgency: No
          TH   
                    

                                        SUBJECT
                                           
                        Personal Information: Privacy: Breach

                                      DESCRIPTION  

          This bill would modify the existing data breach notification  
          requirement for agencies and persons or businesses conducting  
          business in California that own or license computerized data  
          that includes personal information.  Specifically, this bill  
          would require these entities, in the event of a data breach, to  
          provide affected individuals with a one-page notice entitled  
          "Notice of Data Breach," in which the required content is  
          presented under the following headings: "What Happened," "What  
          Information Was Involved," "What We Are Doing," "What You Can  
          Do," and "For More Information."  This bill would state that  
          additional information may be provided as a supplement to the  
          one-page notice, would clarify the requirements for providing  
          substitute notice of a data breach, and would make other  
          technical and clarifying changes.

                                      BACKGROUND  

          In 2003, California's first-in-the-nation security breach  
          notification law went into effect. (See Civ. Code Secs.  
          1798.29(a), 1798.82(a).)   Since that time, all but three states  
          have enacted similar security breach notification laws, and  
          governments around the world have or are considering enacting  
          such laws.  California's breach notification statute requires  
          state agencies, local agencies, and businesses to notify  
          residents when the security of their personal information is  
          breached.  This notification requirement ensures that residents  
          are made aware of a breach, thus allowing them to take  
          appropriate action to mitigate or prevent potential financial  
          losses due to fraudulent activity.

          Existing law requires breach notifications to be made in the  
          most expedient time possible without unreasonable delay, and  
          specifies certain information that must be included in these  
          notices.  The law provides that breach notifications must be  
          written in "plain language," but is otherwise silent about how  
          the information should be presented.  In a 2014 report on data  
          breaches in California, the Attorney General stated:

            Breach notices continue to be written at the college level,  
            well above the average reading level for adults.  The intent  
            of the breach notice law is to alert individuals that their  
            information is at risk, so they can take steps to protect  
            themselves.  Notices that can be easily understood are  
            obviously essential to accomplishing this purpose.

            While concerns about litigation risks may cause companies to  
            draft notices in legalistic language that is less than  
            accessible, we encourage companies to work with communications  
            professionals to improve the clarity of their notices.  Good  
            writing can make the notices more readable, using techniques  
            such as shorter sentences, familiar words and phrases, the  
            active voice and a layout that supports clarity.  (California  
            Department of Justice, California Data Breach Report (Oct.  
            2014)  
             [as of Apr. 20, 2015].)

          To provide greater clarity to individuals who receive notice of  
          a breach, this bill would require data breach notifications to  
          include a one-page notice entitled "Notice of Data Breach," in  
          which content is presented under five discrete headings.  This  
          bill would also clarify how to "conspicuously post" a substitute  
          notice of a data breach on a Web site and would make other  
          technical and clarifying changes to the Data Breach Notification  
          Law.

                                CHANGES TO EXISTING LAW
           
           1.Existing law  requires any agency, person, or business that  
            owns or licenses computerized data that includes personal  
            information to disclose a breach of the security of the system  
            to any California resident whose unencrypted personal  
            information was, or is reasonably believed to have been,  
            acquired by an unauthorized person.  The disclosure must be  
            made in the most expedient time possible and without  
            unreasonable delay, consistent with the legitimate needs of  
            law enforcement, as specified.  (Civ. Code Secs. 1798.29(a),  
            (c) and 1798.82(a), (c).)

             Existing law  requires any agency, person, or business that  
            maintains computerized data that includes personal information  
            that the agency, person, or business does not own to notify  
            the owner or licensee of the information of any security  
            breach immediately following discovery if the personal  
            information was, or is reasonably believed to have been,  
            acquired by an unauthorized person.  (Civ. Code Secs.  
            1798.29(b), 1798.82(b).)

             Existing law  requires any agency, person, or business that is  
            required to issue a security breach notification to meet all  
            of the following requirements when issuing the notification:
               -  the notification shall be written in plain language; and
               -  the notification shall include, at a minimum, the
                  following information:
                  o  the name and contact information of the reporting
                     entity;
                  o  a list of the types of personal information that
                     were or are reasonably believed to have been the subject
                     of a breach;
                  o  if the information is possible to determine at the
                     time the notice is provided, then any of the following:
                     (i) the date of the breach; (ii) the estimated date of
                     the breach; or (iii) the date range within which the
                     breach occurred;
                  o  the date of the notice;
                  o  whether the notification was delayed as a result of
                     a law enforcement investigation, if that information is
                     possible to determine at the time the notice is provided;
                  o  a general description of the breach incident, if
                     that information is possible to determine at the time the
                     notice is provided; and
                  o  the toll-free telephone numbers and addresses of the
                     major credit reporting agencies, if the breach exposed a
                     social security number or a driver's license or
                     California identification card number.  (Civ. Code Secs.
                     1798.29(d), 1798.82(c).)

             Existing law  provides that at the discretion of the agency,  
            person, or business that is required to issue a security  
            breach notification, the notification may also include any of  
            the following:
               -  information about what the reporting entity has done to
                  protect individuals whose information has been breached;
                  and
               -  advice on steps that the person whose information has
                  been breached may take to protect himself or herself.
                  (Civ. Code Secs. 1798.29(d), 1798.82(c).)

             This bill  would additionally require a security breach  
            notification to include a one page notice titled "Notice of  
            Data Breach," in which content is presented under the  
            following headings: "What Happened," "What Information Was  
            Involved," "What We Are Doing," "What You Can Do," and "For  
            More Information."  This bill would specify that additional  
            information may be provided as a supplement to the one page  
            notice.

             This bill  would specify that the format of the one page notice  
            shall be designed to call attention to the nature and  
            significance of the information it contains, and would make  
            the following additional specifications:
               -  the title and headings in the one page notice shall be
                  clearly and conspicuously displayed; and
               -  the text of the one page notice and any other notice
                  provided pursuant to the Data Breach Notification Law shall
                  be no smaller than 10-point type.

           1.Existing law  specifies that, for purposes of the Data Breach  
            Disclosure Law, "notice" may be provided by one of the  
            following methods:
               -  written notice;
               -  electronic notice; or
               -  substitute notice, if the agency, person, or business
                  demonstrates that the cost of providing notice would exceed
                  $250,000, or that the affected class of subject persons to
                  be notified exceeds 500,000, or the agency does not have
                  sufficient contact information.  (Civ. Code Secs.
                  1798.29(i), 1798.82(j).)

             Existing law  further specifies that substitute notice shall  
            consist of all of the following:
               -  email notice when the reporting entity has an email
                  address for the subject persons;
               -  conspicuous posting of the notice on the reporting
                  entity's Internet Web site page, if it maintains one; and
               -  notification to major statewide media, as specified.
                  (Civ. Code Secs. 1798.29(i), 1798.82(j).)

             This bill  would provide that conspicuous posting of the notice  
            on the reporting entity's Internet Web site, if it maintains  
            one, must occur for a minimum of 30 days.  This bill would  
            also provide that conspicuous posting on a reporting entity's  
            Internet Web site means providing a link to the notice on the  
            home page that is in larger type than the surrounding text, or  
            in contrasting type, font, or color to the surrounding text of  
            the same size, or set off from the surrounding text of the  
            same size by symbols or other marks that call attention to the  
            link.

             This bill  would make other technical and clarifying changes.
          
                                        COMMENT
           
           1.Stated need for the bill
           
          The author writes:

            Existing law protects the privacy of California residents by  
            requiring businesses and government agencies that own or  
            license personal information to disclose when unencrypted  
            computer systems storing this data are thought to have been  
            breached.  California's breach notification law requires these  
            disclosures to be made in the most expedient time possible and  
            without unreasonable delay.  An October 2014 report from the  
            California Attorney General concluded that breach  
            notifications are often difficult to understand.

            This bill improves the readability of breach notifications by  
            simplifying and standardizing how breached entities  
            communicate relevant information to affected California  
            residents.  It directs these entities to convey the  
            information currently required under existing law in a  
            one-page notice with the information grouped under the  
            following five headings:
                -  What Happened
                -  What Information Was Involved
                -  What We Are Doing
                -  What You Can Do
                -  For More Information

            Breached entities remain free to provide additional  
            information to supplement the required one-page notice as they  
            see fit.  Additionally, this bill specifies that notices  
            conspicuously posted on a Web site under the substitute notice  
            provision must remain posted for a minimum of 30 days, and  
            clarifies the meaning of "conspicuous posting."

            These changes to California's breach notification law will  
            help ensure that critical information pertaining to a breach  
            is communicated effectively to California residents,  
            empowering them to take appropriate steps to protect  
            themselves from the consequences of a data breach.

           2.Readability of Data Breach Notifications
           
          California recognizes that the right to privacy is a fundamental  
          right, and has enshrined that right along with other fundamental  
          rights in article I, section 1 of the California Constitution.   
          The harm that can result from the theft of personal information  
          via a data breach threatens to undermine that fundamental right.
          Unfortunately, because of the size of its economy and the
          number of consumers, the data held by California businesses and  
          government agencies is frequently targeted by cyber criminals.   
          The Attorney General's 2014 California Data Breach Report found  
          that, in 2012, "17 percent of the data breaches recorded in the  
          United States took place in California - more than any other  
          state" and that "the number of reported breaches in California  
          increased by 28 percent in 2013."  (California Department of  
          Justice, California Data Breach Report (Oct. 2014)  
           [as of Apr. 20, 2015].)  The frequency  
          of data breaches in California and the threat that such breaches  
          pose to California residents makes timely and effective  
          notification of a breach a matter of critical importance.

          However, data breach notices are often written in a way that  
          obscures the information they contain, making them less  
          effective in communicating critical information to affected  
          California residents.  The Attorney General's 2014 California  
          Data Breach Report states that, using the Flesch-Kincaid
          Grade-Level index to assess readability of 70 randomly selected
          notices, "no significant improvement in readability" has  
          occurred since readability assessments began in 2012.  The  
          Report found that the "average reading grade was college level  
          in both years: 14 in 2012 and 13 in 2013."  (Id.)

          This bill would likely enhance the readability of data breach
          notices by specifying that such notices must include one page  
          marked with clear headings that group the most critical  
          information California residents need to respond effectively  
          when their personal information is compromised.  By moving away  
          from current practice that allows the presentation of breach  
          notice information in multiple unbroken paragraphs, this bill  
          would help make the information conveyed in breach notices more  
          accessible to all Californians.  The bill would additionally  
          provide breached entities with some measure of clarity about how  
          breach notices should be formatted in order to give affected  
          consumers adequate notice of a breach, while allowing breached  
          entities the flexibility to include relevant additional  
          information in their notices.

           3.Conspicuous Posting of Substitute Notices
           
          Existing law authorizes breached entities to issue substitute  
          notices in lieu of direct notice when the entity can demonstrate  
          that the cost of providing notice would exceed $250,000, that  
          the affected class of subject persons to be notified exceeds  
          500,000, or that the entity does not have sufficient contact  
          information to notify affected consumers directly.  Existing law  
          states that breach notification by substitute notice must  
          include notification to major statewide media and conspicuous  
          posting of the notice on the reporting entity's Internet Web  
          site, if it maintains one.

          This bill would clarify that conspicuously posting a substitute  
          notice on an Internet Web site means providing a link to the  
          notice on the home page that is in larger type than the  
          surrounding text, or in contrasting type, font, or color to the  
          surrounding text of the same size, or set off from the  
          surrounding text of the same size by symbols or other marks that  
          call attention to the link.  This bill would also specify that  
          substitute notices must remain conspicuously posted for at least  
          30 days.  These changes to the substitute notice requirement  
          would likely make substitute notices more effective by making it  
          more likely that they will be noticed by affected consumers.

           Support  :  Privacy Rights Clearinghouse

           Opposition  :  None Known

                                        HISTORY
           
           Source  :  Author

           Related Pending Legislation  :

          AB 259 (Dababneh, 2015) would require an agency, if the agency  
          was the source of a breach and the breach compromised a person's  
          social security number, driver's license number, or California  
          identification card number, to offer the person identity theft  
          prevention and mitigation services at no cost for not less than  
          12 months.  This bill is pending in the Assembly Appropriations  
          Committee.

          AB 964 (Chau, 2015) would amend California's Data Breach  
          Notification Law to require breach notification to be made  
          within 30 days, consistent with the legitimate needs of law  
          enforcement.  This bill would authorize the Attorney General to  
          grant additional time, not exceeding 30 days, in which to make  
          the disclosure if the Attorney General determines that the  
          person or business needs additional time in order to determine  
          the scope of the security breach, prevent further disclosures,  
          conduct a risk assessment, restore the integrity of the data  
          system, or provide notice to an entity designated to receive  
          reports and information about information security incidents.   
          This bill would also provide that if the data containing  
          personal information was encrypted, there would be a presumption  
          that a breach would not compromise the security,  
          confidentiality, or integrity of the personal information.  This  
          bill is pending in the Assembly Privacy and Consumer Protection  
          Committee.

           Prior Legislation  :

          AB 1710 (Dickinson, Ch. 855, Stats. 2014) amended California's  
          Data Breach Notification Law to require a person or business to  
          offer appropriate identity theft prevention and mitigation  
          services to an affected person at no cost for not less than 12  
          months if the person or business was the source of a data  
          breach.  This bill also prohibited the sale, advertisement for  
          sale, or offer to sell an individual's social security number.

          SB 46 (Corbett, Ch. 396, Stats. 2013) revised the data elements  
          included within the definition of personal information under  
          California's Data Breach Notification Law by adding certain  
          information that would permit access to an online account, and  
          imposed additional requirements on the disclosure of a breach of  
          the security of the system or data in situations where the  
          breach involves personal information that would permit access to  
          an online or email account.

          AB 1149 (Campos, Ch. 395, Stats. 2013) expanded existing  
          disclosure requirements concerning breaches of computerized data  
          owned or licensed by state agencies to "local agencies" as  
          defined by Government Code Section 6252(a).  This bill also made  
          certain technical corrections to the security breach  
          notification law.

          SB 24 (Simitian, Ch. 197, Stats. 2011) required any agency,  
          person, or business that is required to issue a security breach  
          notification pursuant to existing law to fulfill certain  
          additional requirements pertaining to the security breach  
          notification, and required any agency, person, or business that  
          is required to issue a security breach notification to more than  
          500 California residents to electronically submit a single  
          sample copy of that security breach notification to the Attorney  
          General.

          AB 1298 (Jones, Ch. 699, Stats. 2007), among other things, added  
          medical information and health insurance information to the data  
          elements that, when combined with the individual's name, would  
          constitute personal information requiring disclosure when  
          acquired, or believed to be acquired, by an unauthorized person  
          due to a security breach.

          AB 1950 (Wiggins, Ch. 877, Stats. 2004) required a business that  
          owns or licenses personal information about a California  
          resident to implement and maintain reasonable security  
          procedures and practices to protect personal information from  
          unauthorized access, destruction, use, modification, or  
          disclosure.  AB 1950 also required a business that discloses  
          personal information to a nonaffiliated third party to require  
          by contract that those entities maintain reasonable security  
          procedures.

          SB 1386 (Peace, Ch. 915, Stats. 2002) enacted California's Data  
          Breach Notification Law and required a state agency, or a person  
          or business that conducts business in California, that owns or  
          licenses computerized data that includes personal information to  
          disclose any breach of the security of the data to California's  
          residents whose unencrypted personal information was, or is  
          reasonably believed to have been, acquired by an unauthorized  
          person.  SB 1936 permitted notifications to be delayed if a law  
          enforcement agency determines that it would impede a criminal  
          investigation, and required an agency, person, or business that  
          maintains computerized data that includes personal information  
          owned by another to notify the owner or licensee of the  
          information of any breach of security of the data.

                                   **************