BILL ANALYSIS �Ó
-----------------------------------------------------------------
|SENATE RULES COMMITTEE | SB 570|
|Office of Senate Floor Analyses | |
|(916) 651-1520 Fax: (916) | |
|327-4478 | |
-----------------------------------------------------------------
THIRD READING
Bill No: SB 570
Author: Jackson (D)
Amended: 4/6/15
Vote: 21
SENATE JUDICIARY COMMITTEE: 5-1, 4/28/15
AYES: Jackson, Hertzberg, Leno, Monning, Wieckowski
NOES: Anderson
NO VOTE RECORDED: Moorlach
SENATE APPROPRIATIONS COMMITTEE: 5-2, 5/11/15
AYES: Lara, Beall, Hill, Leyva, Mendoza
NOES: Bates, Nielsen
SUBJECT: Personal information: privacy: breach
SOURCE: Author
DIGEST: This bill modifies the existing data breach
notification requirement for agencies and persons or businesses
conducting business in California that own or license
computerized data that includes personal information.
Specifically, this bill requires these entities, in the event of
a data breach, to provide affected individuals with a one-page
notice entitled "Notice of Data Breach," in which the required
content is presented under the following headings: "What
Happened," "What Information Was Involved," "What We Are Doing,"
"What You Can Do," and "For More Information." This bill states
that additional information may be provided as a supplement to
the one-page notice, clarifies the requirements for providing
substitute notice of a data breach, and makes other technical
�
SB 570
Page 2
and clarifying changes to the Data Breach Disclosure Law.
ANALYSIS:
Existing law:
1)Requires any agency, person, or business that owns or licenses
computerized data that includes personal information to
disclose a breach of the security of the system to any
California resident whose unencrypted personal information
was, or is reasonably believed to have been, acquired by an
unauthorized person. The disclosure must be made in the most
expedient time possible and without unreasonable delay,
consistent with the legitimate needs of law enforcement, as
specified. (Civ. Code Secs. 1798.29(a), (c) and 1798.82(a),
(c).)
2)Requires any agency, person, or business that maintains
computerized data that includes personal information that the
agency, person, or business does not own to notify the owner
or licensee of the information of any security breach
immediately following discovery if the personal information
was, or is reasonably believed to have been, acquired by an
unauthorized person. (Civ. Code Secs. 1798.29(b),
1798.82(b).)
3)Requires any agency, person, or business that must issue a
security breach notification to meet all of the following
requirements when issuing the notification:
the notification shall be written in plain language; and
the notification shall include, at a minimum, the
following information:
o the name and contact information of the reporting
entity;
o a list of the types of personal information that
were or are reasonably believed to have been the subject
of a breach;
o if the information is possible to determine at the
time the notice is provided, then any of the following:
(i) the date of the breach; (ii) the estimated date of
the breach; or (iii) the date range within which the
�
SB 570
Page 3
breach occurred;
o the date of the notice;
o whether the notification was delayed as a result of
a law enforcement investigation, if that information is
possible to determine at the time the notice is provided;
o a general description of the breach incident, if
that information is possible to determine at the time the
notice is provided; and
o the toll-free telephone numbers and addresses of the
major credit reporting agencies, if the breach exposed a
social security number or a driver's license or
California identification card number. (Civ. Code Secs.
1798.29(d), 1798.82(c).)
1)Provides that a security breach notification may also include
any of the following:
information about what the reporting entity has done to
protect individuals whose information has been breached;
and
advice on steps that the person whose information has
been breached may take to protect himself or herself.
(Civ. Code Secs. 1798.29(d), 1798.82(c).)
1)Specifies that a security breach notification may be provided
by one of the following methods:
written notice;
electronic notice; or
substitute notice, if the agency, person, or business
demonstrates that the cost of providing notice would exceed
$250,000, or that the class of persons to be notified
exceeds 500,000, or the notifying entity does not have
sufficient contact information. (Civ. Code Secs.
1798.29(i), 1798.82(j).)
1)Specifies that substitute notice shall consist of all of the
following:
email notice when the reporting entity has an email
address for the subject persons;
conspicuous posting of the notice on the notifying
entity's Internet Web site page, if it maintains one; and
notification to major statewide media, as specified.
(Civ. Code Secs. 1798.29(i), 1798.82(j).)
This bill:
�
SB 570
Page 4
1)Requires a security breach notification to include a one page
notice titled "Notice of Data Breach," in which content is
presented under the following headings: "What Happened," "What
Information Was Involved," "What We Are Doing," "What You Can
Do," and "For More Information." This bill specifies that
additional information may be provided as a supplement to the
one page notice.
2)Specifies that the format of the one page notice shall be
designed to call attention to the nature and significance of
the information it contains, and makes the following
additional specifications:
the title and headings in the one page notice shall be
clearly and conspicuously displayed; and
the text of the one page notice and any other notice
provided pursuant to the Data Breach Disclosure Law shall
be no smaller than 10-point type.
1)Provides that conspicuous posting of the notice on the
notifying entity's Internet Web site, if it maintains one,
must occur for a minimum of 30 days. This bill also provides
that conspicuous posting on a notifying entity's Internet Web
site means providing a link to the notice on the home page
that is in larger type than the surrounding text, or in
contrasting type, font, or color to the surrounding text of
the same size, or set off from the surrounding text of the
same size by symbols or other marks that call attention to the
link.
2)Makes other technical and clarifying changes.
Background
In 2003, California's first-in-the-nation security breach
notification law went into effect. (See Civ. Code Secs.
1798.29(a), 1798.82(a).) Since that time, all but three states
have enacted similar security breach notification laws, and
governments around the world have or are considering enacting
such laws. California's breach notification statute requires
state agencies, local agencies, and businesses to notify
residents when the security of their personal information is
breached. This notification requirement ensures that residents
are made aware of a breach, thus allowing them to take
�
SB 570
Page 5
appropriate action to mitigate or prevent potential financial
losses due to fraudulent activity.
Existing law requires breach notifications to be made in the
most expedient time possible without unreasonable delay, and
specifies certain information that must be included in these
notices. The law provides that breach notifications must be
written in "plain language," but is otherwise silent about how
the information should be presented. In a 2014 report on data
breaches in California, the Attorney General stated:
Breach notices continue to be written at the college level,
well above the average reading level for adults. The intent
of the breach notice law is to alert individuals that their
information is at risk, so they can take steps to protect
themselves. Notices that can be easily understood are
obviously essential to accomplishing this purpose.
While concerns about litigation risks may cause companies to
draft notices in legalistic language that is less than
accessible, we encourage companies to work with communications
professionals to improve the clarity of their notices. Good
writing can make the notices more readable, using techniques
such as shorter sentences, familiar words and phrases, the
active voice and a layout that supports clarity. (California
Department of Justice, California Data Breach Report (Oct.
2014)
Page 6
requiring businesses and government agencies that own or
license personal information to disclose when unencrypted
computer systems storing this data are thought to have been
breached. California's breach notification law requires these
disclosures to be made in the most expedient time possible and
without unreasonable delay. An October 2014 report from the
California Attorney General concluded that breach
notifications are often difficult to understand.
This bill improves the readability of breach notifications by
simplifying and standardizing how breached entities
communicate relevant information to affected California
residents. It directs these entities to convey the
information currently required under existing law in a
one-page notice with the information grouped under the
following five headings:
What Happened
What Information Was Involved
What We Are Doing
What You Can Do
For More Information
Breached entities remain free to provide additional
information to supplement the required one-page notice as they
see fit. Additionally, this bill specifies that notices
conspicuously posted on a Web site under the substitute notice
provision must remain posted for a minimum of 30 days, and
clarifies the meaning of "conspicuous posting."
These changes to California's breach notification law will
help ensure that critical information pertaining to a breach
is communicated effectively to California residents,
empowering them to take appropriate steps to protect
themselves from the consequences of a data breach.
Related/Prior Legislation
AB 259 (Dababneh, 2015) requires an agency, if the agency was
the source of a breach and the breach compromised a person's
social security number, driver's license number, or California
identification card number, to offer the person identity theft
prevention and mitigation services at no cost for not less than
12 months. AB 259 is pending in the Assembly Appropriations
Committee.
�
SB 570
Page 7
AB 964 (Chau, 2015) amends California's Data Breach Notification
Law by defining "encrypted" to mean rendered unusable,
unreadable, or indecipherable through a security technology or
methodology generally accepted in the field of information
technology. This bill also requires a person or business, or
state or local agency to inform the Attorney General of the date
of the discovery of a breach when issuing a security breach
notification to more than 500 California residents as a result
of a single breach of a system. AB 964 is pending in the
Assembly Appropriations Committee.
AB 1710 (Dickinson, Chapter 855, Statutes of 2014) amended
California's Data Breach Notification Law to require a person or
business to offer appropriate identity theft prevention and
mitigation services to an affected person at no cost for not
less than 12 months if the person or business was the source of
a data breach. AB 1710 also prohibited the sale, advertisement
for sale, or offer to sell an individual's social security
number.
SB 46 (Corbett, Chapter 396, Statutes of 2013) revised the data
elements included within the definition of personal information
under California's Data Breach Notification Law by adding
certain information that would permit access to an online
account, and imposed additional requirements on the disclosure
of a breach of the security of the system or data in situations
where the breach involves personal information that would permit
access to an online or email account.
AB 1149 (Campos, Chapter 395, Statutes of 2013) expanded
existing disclosure requirements concerning breaches of
computerized data owned or licensed by state agencies to "local
agencies" as defined by Government Code Section 6252(a). AB
1149 also made certain technical corrections to the security
breach notification law.
SB 24 (Simitian, Chapter 197, Statutes of 2011) required any
agency, person, or business that is required to issue a security
breach notification pursuant to existing law to fulfill certain
�
SB 570
Page 8
additional requirements pertaining to the security breach
notification, and required any agency, person, or business that
is required to issue a security breach notification to more than
500 California residents to electronically submit a single
sample copy of that security breach notification to the Attorney
General.
AB 1298 (Jones, Chapter 699, Statutes of 2007), among other
things, added medical information and health insurance
information to the data elements that, when combined with the
individual's name, would constitute personal information
requiring disclosure when acquired, or believed to be acquired,
by an unauthorized person due to a security breach.
AB 1950 (Wiggins, Chapter 877, Statutes of 2004) required a
business that owns or licenses personal information about a
California resident to implement and maintain reasonable
security procedures and practices to protect personal
information from unauthorized access, destruction, use,
modification, or disclosure. AB 1950 also required a business
that discloses personal information to a nonaffiliated third
party to require by contract that those entities maintain
reasonable security procedures.
SB 1386 (Peace, Chapter 915, Statutes of 2002) enacted
California's Data Breach Notification Law and required a state
agency, or a person or business that conducts business in
California, that owns or licenses computerized data that
includes personal information to disclose any breach of the
security of the data to California's residents whose unencrypted
personal information was, or is reasonably believed to have
been, acquired by an unauthorized person. SB 1386 permitted
notifications to be delayed if a law enforcement agency
determines that it would impede a criminal investigation, and
required an agency, person, or business that maintains
computerized data that includes personal information owned by
another to notify the owner or licensee of the information of
any breach of security of the data.
FISCAL EFFECT: Appropriation: No Fiscal
�
SB 570
Page 9
Com.:YesLocal: No
According to the Senate Appropriations Committee, this bill will
result in minor costs to revise the form (General/Specials).
SUPPORT: (Verified5/13/15)
California Attorney General's Office
Privacy Rights Clearinghouse
OPPOSITION: (Verified5/14/15)
Association of California Life & Health Insurance Companies
California Bankers Association
California Chamber of Commerce
California Credit Union League
California Grocers Association
California Retailers Association
Direct Marketing Association
Personal Insurance Federation of California
Securities Industry and Financial Markets Association
State Privacy & Security Coalition
ARGUMENTS IN SUPPORT: According to the California Attorney
General's Office, SB 570 would provide for more effective notice
to data breach victims through the use of a single page
streamlined notice format and improvements to web site
"substitute notice." By addressing these flaws in data breach
notices and making it easier for consumers to find and
understand them, SB 570 strengthens protection for the
increasing number of Californians whose personal information has
been breached.
ARGUMENTS IN OPPOSITION: According to the California Chamber
of Commerce, SB 570 creates new litigation exposure for
insufficient breach notices, expands costly protection and
mitigation service requirements, and effectively bars electronic
breach notification. SB 570 requires businesses and government
�
SB 570
Page 10
agencies to provide an additional one page breach notice summary
in addition to the notice required under current law, raising
concerns of new litigation exposure for noncompliance by
providing too much or too little information, or for presenting
information in a continuous, non-paginated format. SB 570 also
expands the requirement that businesses provide identity theft
and mitigation services to consumers who have had certain
information breached.
Prepared by:Tobias Halvarson / JUD. / (916) 651-4113
5/15/15 14:00:47
**** END ****