BILL ANALYSIS
SENATE COMMITTEE ON APPROPRIATIONS
Senator Ricardo Lara, Chair
2015 - 2016 Regular Session
SB 570 (Jackson) - Personal information: privacy: breach
|--------------------------------+--------------------------------|
|Version: April 6, 2015          |Policy Vote: JUD. 5 - 1         |
|--------------------------------+--------------------------------|
|Urgency: No                     |Mandate: No                     |
|--------------------------------+--------------------------------|
|Hearing Date: May 11, 2015      |Consultant: Maureen Ortiz       |
|--------------------------------+--------------------------------|
This bill does not meet the criteria for referral to the
Suspense File.
Bill Summary: SB 570 requires any agency, person or business that
owns or licenses computerized data that includes personal
information to issue the security breach notification in a one
page standardized format.
Fiscal Impact: Minor costs to revise the form (General/Specials)
Background: Existing law requires state agencies, local agencies, and
businesses that own or license computerized data that includes
personal information to disclose any breach of the security of
the system following the discovery or notification of the breach
if the unencrypted personal information was, or is reasonably
believed to have been, acquired by an unauthorized person.
Existing law requires any security breach notification to be
made in the most expedient time possible and to be written in
plain language. Notification may be delayed only if a law
enforcement agency determines that the notification will impede
a criminal investigation. The notice must also be posted on the
agency or business Internet Web page, if one is already
maintained.
Existing law also specifies the minimum provisions of the breach
notification to include the following:
a) The name and contact information of the reporting
agency;
b) A list of the types of personal information that were or
are reasonably believed to have been the subject of a
breach;
c) Other information, if possible to obtain, such as the
date of the breach;
d) Whether the notification was delayed as a result of a
law enforcement investigation;
e) A general description of the breach incident; and,
f) The toll-free telephone numbers and addresses of the
major credit reporting agencies if the breach exposed a
social security number or a driver's license or California
identification card number.
If the breach was the result of an on-line incident, the
notifications may be made in an electronic form. Additionally,
if the breach involved more than 500 California residents, a
copy of the breach notification must be forwarded to the
Attorney General.
Proposed Law:
SB 570 modifies the existing data breach notification
requirement for agencies and persons or businesses conducting
business in California that own or license computerized data
that includes personal information. Specifically, the bill does
the following:
1) Requires the security breach notification to include a
one page notice entitled "Notice of Data Breach".
2) Requires the content of the notice to include the
following headings: "What Happened," "What Information Was
Involved," "What We Are Doing," "What You Can Do," and "For
More Information." The bill allows additional information
to be included as a supplement to the one page notice.
3) Requires the design of the notice to call attention to
the nature and significance of the information it contains.
4) Requires the title and headings of the notice to be
clearly and conspicuously displayed.
5) Requires the text to be of at least 10-point type.
6) Requires the posting on the Internet Web page to remain
for at least 30 days, and to be located via a link on the
home page in larger type than the surrounding text, or in
contrasting type, font, or color.
Staff Comments: The number of reported data breaches increases every
year at an accelerated rate. These breaches compromise
sensitive personal information such as payment card data, social
security numbers, health information, and online account
credentials. As noted in the Attorney General's 2014 California
Data Breach Report, data breach notices are often
counterproductively confusing and complex.
SB 570 is intended to provide greater clarity to individuals who
receive a breach notice by streamlining the notification and
making it more user-friendly.
-- END --