BILL ANALYSIS



                                                                     SB 570


                                                                    Page  1





          Date of Hearing:  July 7, 2015


                ASSEMBLY COMMITTEE ON PRIVACY AND CONSUMER PROTECTION


                                  Mike Gatto, Chair


          SB 570 (Jackson) - As Amended July 2, 2015


          SENATE VOTE:  27-11


          SUBJECT:  Personal information: privacy: breach.


          SUMMARY:  Creates a standard format for data breach notices with  
          subheadings to improve readability; improves the visibility of  
          substitute data breach notices by requiring a conspicuous link  
          to the substitute notice on the business's or agency's Internet  
          homepage; and requires the link and the notice to remain posted  
          for at least 30 days.  Specifically, this bill:  


          1)Requires data breach notices to be titled "Notice of Data  
            Breach" and requires the content of the breach notice to be  
            presented under specific headings, including: "What Happened,"  
            "What Information Was Involved," "What We Are Doing," "What You  
            Can Do," and "For More Information." 


          2)Specifies how each of the breach notice content requirements  
            delineated in current law fits under each of the above  
            headings. 


          3)Requires the notice to be designed to call attention to the  
            nature and significance of the information it contains and  
            requires the title and headings to be clearly and  
            conspicuously displayed.


          4)Requires the text of a notice to be no smaller than 10-point  
            type. 


          5)Establishes a model security breach notification form in table  
            format and specifies that use of the model form constitutes  
            compliance with the bill. 


          6)Requires conspicuous posting of a substitute breach notice on  
            the business or agency website for at least 30 days. 


          7)Defines "conspicuous posting" to mean placing a link in larger  
            or contrasting type, font, or color on the business's or  
            agency's Internet homepage, or the first significant page  
            after entering the business's or agency's Internet website.


          8)Makes technical and nonsubstantive changes to the Data Breach  
            Notification Law (DBNL). 


          EXISTING LAW:  


          1)Requires, under the DBNL, a public agency, person, or business  
            that owns or licenses computerized data that includes personal  
            information to notify any California resident whose  
            unencrypted personal information was acquired, or reasonably  
            believed to have been acquired, by an unauthorized person.   
            The notice must be made in the most expedient time possible  
            and without unreasonable delay, consistent with the legitimate  
            needs of law enforcement, as specified.  Note that this  
            requirement does not apply to the Judiciary, the Legislature,  
            or the University of California.  (Civil Code (CC) Sections  
            1798.29(a), (c); 1798.82(a), (c))

          2)Requires a person or business that is the source of a breach  
            of Social Security numbers or driver's license numbers, and is  
            required to provide notice of the breach, to offer appropriate  
            identity theft protection or mitigation services to affected  
            individuals at no cost, for no less than 12 months.  (CC  
            1798.82 (d)(2)(G))



          3)Requires a public agency, person, or business that maintains  
            computerized data that includes personal information that the  
            agency, person, or business does not own to notify the owner  
            or licensee of the information of any security breach  
            immediately following discovery if the personal information  
            was, or is reasonably believed to have been, acquired by an  
            unauthorized person.  (CC 1798.29(b), 1798.82(b))



          4)Defines "personal information," for purposes of the breach  
            notification statute, to include the individual's first name  
            or first initial and last name in combination with one or more  
            of the following data elements, when either the name or the  
            data elements are not encrypted: Social Security number;  
            driver's license number or California Identification Card  
            number; account number, credit or debit card number, in  
            combination with any required security code, access code, or  
            password that would permit access to an individual's financial  
            account; medical information; or health insurance information.  
            "Personal information" does not include publicly available  
            information that is lawfully made available to the general  
            public from federal, state, or local government records.  (CC  
            1798.29(g), (h), 1798.82(h), (i))


          FISCAL EFFECT:  According to the Senate Appropriations  
          Committee:  Minor costs to revise the form (General/Specials).


          
          COMMENTS:  


          1)Purpose of this bill.  This bill is intended to improve the  
            readability of breach notifications by simplifying and  
            standardizing how breached entities communicate relevant  
            information to affected California residents about the breach,  
            what steps the breached entity is taking, and what steps the  
            consumer can take to mitigate the risk of fraud and identity  
            theft.  This measure is author-sponsored.  



          2)Author's statement.  According to the author's office,  
            "Existing law protects the privacy of California residents by  
            requiring businesses and government agencies that own or  
            license personal information to disclose when unencrypted  
            computer systems storing this data are thought to have been  
            breached.  California's breach notification law requires these  
            disclosures to be made in the most expedient time possible and  
            without unreasonable delay."



            "An October 2014 report from the California Attorney General  
            concluded that breach notifications are often difficult to  
            understand.  This bill will improve the readability of breach  
            notifications by requiring notices to convey information  
            grouped under specified headings.  This bill will also clarify  
            how to 'conspicuously post' notices on a website under the  
            breach notification law's substitute notice provision.


            "Additionally, this bill specifies that notices conspicuously  
            posted on a website under the substitute notice provision must  
            remain posted for a minimum of 30 days."


          3)Recent data breaches.  In February 2015, more than 80 million  
            people in the United States were impacted by a data breach at  
            health insurer Anthem.  Information stolen in the breach  
            included current and former customers' names, birth dates,  
            medical identification numbers, Social Security numbers, home  
            addresses, email addresses, and employment and income data.   
            According to a January 2015 report by the California  
            Department of Justice (DOJ), 187 breaches were reported to the  
            DOJ in 2014, compared to 167 in 2013 and 131 in 2012.   
            According to a national database of breaches maintained by the  
            Privacy Rights Clearinghouse, more than 815 million records  
            have been compromised in more than 4,489 publicly acknowledged  
            data breaches since 2005.  

            Unfortunately, state and local agencies are not immune to data  
            breaches.  During 2012-2014, the following California public  
            agencies also reported breaches: California State University,  
            Department of Corrections and Rehabilitation, Department of  
            Public Health, Department of State Hospitals, Correctional  
            Health Care Services, Department of Social Services,  
            Department of Justice, Department of Child Support Services,  
            Employment Development Department, and the Department of Motor  
            Vehicles.   

          4)California's DBNL.  In 2003, California became the first state  
            in the nation to require businesses and government agencies to  
            notify California residents of security breaches if  
            unencrypted personal information was, or was reasonably  
            believed to have been, stolen.  (SB 1386 (Peace), Chapter 915,  
            Statutes of 2002)

            The DBNL does not apply to "encrypted" information, which  
            creates an incentive for businesses and government agencies to  
            encrypt personal data and thereby avoid the notice  
            requirement.  Also, notice is not required unless the data  
            breach involved "personal information" relating to a  
            California resident.  "Personal information" means a person's  
            first name or first initial and last name in combination with  
            one or more of the following data elements:  

                  a) Social Security number; 
                  b) Driver's license number or California identification  
                     card number; 
                  c) Account number, credit or debit card number, in  
                     combination with any required security code, access  
                     code, or password; 
                  d) Medical information; health insurance information; or 
                  e) A user name or email address in combination with a  
                     password or security question and answer that would  
                     permit access to an online account.

            "Personal information" does not include publicly available  
            information that is lawfully made available to the general  
            public from federal, state, or local government records.

            The DBNL has two distinct parts: one part that applies to  
            state and local agencies, and one part that applies to  
            businesses.  


          5)Improving readability of data breach notices.  A recent report  
            by DOJ recommends improving the readability of breach notices.  
            (California Data Breach Report, California Department of  
            Justice, October 2014, Page 27)  This bill seeks to improve  
            breach notice readability by changing the format in which  
            breach information is communicated to affected consumers.   
            Specifically, the bill directs breached entities to present  
            the information required under existing law in a table format,  
            grouped under the following five headings:
                 What Happened
                 What Information Was Involved
                 What We Are Doing
                 What You Can Do
                 For More Information

            This bill also provides an optional model security breach  
            notification form that entities may use to comply with these  
            formatting requirements.  The author points out that breached  
            entities remain free to provide additional information to  
            supplement the required notice as they see fit.  

          6)Enhancing visibility of data breach "substitute notices."  
            Under current law, a business that experiences a breach can  
            avoid mailing a notice to each and every affected customer if  
            doing so would cost more than $250,000.  In this case, the law  
            permits "substitute notice" which must include: 

                  a) Emailing the notice to affected customers (if an  
                     email address is available), 
                  b) Posting the notice on the business's website, and 
                  c) Notifying major statewide media and the Office of  
                     Information Security within the Department of  
                     Technology.
               
            The 2014 DOJ report recommends improving the substitute notice  
            by "making it more likely that the notice will be noticed."   
            The DOJ report recommends, among other things, posting the  
            link to the substitute notice on the business's website  
            homepage, labeling it clearly, and leaving the link and the  
            notice page up for at least 30 days.  (California Data Breach  
            Report, California Department of Justice, October 2014, Page  
            23, 27)

            This bill adopts the recommendations put forward in the DOJ  
            report by requiring substitute breach notices to be  
            conspicuously posted on a business's homepage (or first  
            significant page after entering the website) and left up for  
            at least 30 days.



          7)Questions about breach mitigation and the "if any" clause.   
            Separate from the author's effort to make data breach notices  
            more readable, there has been some discussion within the legal  
            community as to the meaning of the existing statute's  
            requirement that businesses provide identity theft prevention  
            and mitigation services to affected individuals in the event  
            of a breach.  As passed by the Legislature and signed by the  
            Governor, AB 1710 (Dickinson) requires a business that issues  
            a breach notification to offer "appropriate identity theft  
            prevention and mitigation services, if any" to affected  
            individuals at no cost.  However, the effect of the "if any"  
            clause has sparked debate as to whether or not the offer of  
            services itself is required or discretionary.  
             


            Under well-settled canons of statutory construction, a  
            statute's plain meaning controls the interpretation of the  
            statute unless the words are ambiguous.  (Green v. State of  
            California (2007) 42 Cal.4th 254, 260; see also Gattuso v.  
            Harte-Hanks Shoppers, Inc. (2007) 42 Cal.4th 554, 567.)  If  
            the statutory language permits more than one reasonable  
            interpretation, then the courts may consider "other aids,"  
            such as "the statute's purpose, legislative history, and  
            public policy."  (Coalition of Concerned Communities, Inc. v.  
            City of Los Angeles (2004) 34 Cal.4th 733, 737.)



            Read plainly, the "if any" clause (Civil Code 1798.29  
            (d)(2)(G)) modifies the preceding phrase "appropriate identity  
            theft prevention and mitigation services" - i.e., if there are  
            no prevention or mitigation services that are appropriate for  
            a consumer after a particular breach, then the business is not  
            required to offer services.  For example, a breach involving  
            the theft of a driver's license, rather than a Social Security  
            number, might be appropriately mitigated by simply notifying  
            the consumer rather than providing credit reporting monitoring  
            services for a year, since identity thieves cannot open up new  
            credit card accounts simply with a person's name and driver's  
            license number.  However, the presumption is in favor of the  
            provision of services unless it is obvious that no service is  
            appropriate. 

            Conversely, the law firm Morrison & Foerster suggested in an  
            online Client Alert on October 9, 2014, that the "if any"  
            clause could be interpreted to modify the "offer" of services  
            itself to make it voluntary.  That is, the "if any" clause  
            would be presumed to be a misplaced modifier, an adjective  
            improperly separated from the word it modifies ("offer").   
            Under this reading, a business would simply be permitted by  
            statute - not required - to offer identity theft prevention  
            and mitigation services after a breach.  The result is  
            confusing and arguably absurd, since statutory authority is  
            not required for a business to offer data breach mitigation  
            services to its customers voluntarily.  

            A review of the legislative history shows that the June 24,  
            2014, Senate Judiciary Committee analysis of AB 1710  
            (Dickinson) describes that bill as imposing a requirement, not  
            a discretionary authorization:  "This bill would also require  
            the person or business providing notification that was the  
            source of the breach to provide to affected consumers with  
            identity theft prevention and mitigation services for a  
            minimum of 12 months."  



            This bill leaves the "if any" clause in statute, and therefore  
            does not provide additional clarity on the intent of AB 1710  
            to require - not simply permit - a business to provide  
            appropriate identity theft prevention and mitigation services  
            for a minimum of 12 months to consumers affected by a data  
            breach.



          8)Recent amendments remove opposition.  The author has recently  
            accepted a number of amendments to remove remaining opposition  
            to the bill.  The latest amendments removed a one-page notice  
            requirement and added language to clarify which parts of the  
            data breach notice content should be placed under each notice  
            heading required under this bill.  The amendments kept the  
            30-day website posting requirement for substitute notices, but  
            mirrored the California Online Privacy Protection Act, which  
            allows posting the notice on the Internet homepage or the  
            "first significant page after entering the Internet website"  
            of the breached entity. 



          9)Arguments in support.  According to the Attorney General's  
            Office, this bill would "provide for more effective notice to  
            data breach victims. [D]ata breach notices are often  
            counterproductively confusing and complex. Substitute notices  
            through media and website posting ... can be difficult to find  
            on a web site, and may not remain posted for a sufficient  
            period of time. By addressing these flaws in data breach  
            notices and making it easier for consumers to find and  
            understand them, [this bill] strengthens protection for the  
            increasing number of Californians whose personal information  
            has been breached."


            Privacy Rights Clearinghouse states in support: "These changes  
            to California's breach notification law will help ensure that  
            critical information pertaining to a breach is communicated  
            effectively to California residents, empowering them to take  
            appropriate steps to protect themselves from the consequences  
            of a data breach."


             
          10)Potential chaptering conflicts with other bills.  Because this  
            bill would amend the code sections related to the DBNL, it  
            presents a potential chaptering conflict with four other  
            measures: AB 259 (Dababneh), AB 739 (Irwin), AB 964 (Chau),  
            and SB 34 (Hill).



          11)Related legislation.  AB 259 (Dababneh) requires state and  
            local agencies affected by a data breach to provide  
            individuals affected by the breach with at least 12 months of  
            identity theft protection.  AB 259 is currently pending in the  
            Senate Judiciary Committee.



            AB 739 (Irwin) provides legal immunity from civil or criminal  
            liability for private entities that communicate anonymized  
            cyber security-threat information and meet specified  
            requirements, until January 1, 2020.  AB 739 was held in the  
            Assembly Judiciary Committee.





            AB 964 (Chau) requires data breach notifications made by  
            businesses and public agencies to include the date of  
            discovery of the breach in the notice to the Attorney General.  
            AB 964 is currently pending in the Senate Judiciary  
            Committee.





            SB 34 (Hill) amends the DBNL to add to the definition of  
            "personal information" any information or data collected  
            through the use or operation of an automated license plate  
            recognition system.  SB 34 will be heard in the Assembly  
            Privacy and Consumer Protection Committee on July 7, 2015.  


           


          12)Prior Legislation.  AB 1710 (Dickinson and Wieckowski),  
            Chapter 855, Statutes of 2014, required a person or business  
            that is the source of a breach of Social Security numbers or  
            driver's license numbers to offer an identity theft protection  
            or mitigation service to affected individuals at no cost, for  
            no less than 12 months.  It also expanded existing law to  
            require businesses that maintain, own or license the personal  
            information of California residents to use reasonable and  
            appropriate security measures to protect the information.  It  
            also prohibits the sale or marketing of Social Security  
            numbers, with certain exceptions.  

            SB 46 (Corbett), Chapter 396, Statutes of 2013, revised  
            certain data elements included within the definition of  
            personal information under the DBNL, by adding certain  
            information that would permit access to an online account and  
            imposing additional requirements on the disclosure of a breach  
            of the security of the system or data in situations where the  
            breach involves personal information that would permit access  
            to an online or email account.


            SB 24 (Simitian), Chapter 197, Statutes of 2011, required any  
            agency, person, or business that is required to issue a  
            security breach notification pursuant to existing law to  
            fulfill certain additional requirements pertaining to the  
            security breach notification, and required any agency, person,  
            or business that is required to issue a security breach  
            notification to more than 500 California residents to  
            electronically submit a single sample copy of that security  
            breach notification to the Attorney General.


            AB 1298 (Jones), Chapter 699, Statutes of 2007, among other  
            things, added medical information and health insurance  
            information to the data elements that, when combined with the  
            individual's name, would constitute personal information  
            requiring disclosure when acquired, or believed to be  
            acquired, by an unauthorized person due to a security breach.


            AB 1950 (Wiggins), Chapter 877, Statutes of 2004, required a  
            business that owns or licenses personal information about a  
            California resident to implement and maintain reasonable  
            security procedures and practices to protect personal  
            information from unauthorized access, destruction, use,  
            modification, or disclosure.  AB 1950 also required a business  
            that discloses personal information to a nonaffiliated third  
            party to require by contract that those entities maintain  
            reasonable security procedures.


            SB 1386 (Peace), Chapter 915, Statutes of 2002, enacted  
            California's Data Breach Notification Law and required a  
            public agency, or a person or business that conducts business  
            in California, that owns or licenses computerized data that  
            includes personal information to disclose any breach of the  
            security of the data to California's residents whose  
            unencrypted personal information was, or is reasonably  
            believed to have been, acquired by an unauthorized person.  SB  
            1386 permitted notifications to be delayed if a law  
            enforcement agency determines that it would impede a criminal  
            investigation, and required an agency, person, or business  
            that maintains computerized data that includes personal  
            information owned by another to notify the owner or licensee  
            of the information of any breach of security of the data.


          REGISTERED SUPPORT / OPPOSITION:




          Support


          Attorney General's Office


          Privacy Rights Clearinghouse




          Opposition


          California Bankers Association (as amended May 21, 2015)


          California Credit Union League (as amended May 21, 2015)


          California Grocers Association (as amended May 21, 2015)


          California Retailers Association (as amended May 21, 2015)


          Direct Marketing Association (as amended May 21, 2015)


          Personal Insurance Federation of California (as amended May 21,  
          2015)


          Securities Industry and Financial Markets Association (as  
          amended May 21, 2015)


          State Privacy & Security Coalition (as amended May 21, 2015)




          Analysis Prepared by: Jennie Bretschneider / P. & C.P. / (916) 319-2200