BILL ANALYSIS
SB 570
Page 1
Date of Hearing: July 15, 2015
ASSEMBLY COMMITTEE ON APPROPRIATIONS
Jimmy Gomez, Chair
SB 570
(Jackson) - As Amended July 2, 2015
-----------------------------------------------------------------
|Policy Committee: |Privacy and Consumer Protection |Vote: |11 - 0 |
-----------------------------------------------------------------
Urgency: No State Mandated Local Program: No Reimbursable: No
SUMMARY:
This bill modifies the state's Data Breach Notification Law
(DBNL) to:
1)Require a standard format for data breach notices, to include
specified headings.
2)Provide a model notification form.
3)Provide that use of the model form, or any other form using the
specified headings, constitutes compliance with (1).
4)Require that the conspicuous posting of a substitute breach
notice on the business or agency website, as required under
current law, be for at least 30 days and consist of placing a
link in larger or contrasting type, font, or color on the
business's or agency's homepage or on the first significant
page after entering the business's or agency's website.
FISCAL EFFECT:
Minor absorbable costs for state agencies to revise their
respective notification forms.
COMMENTS:
1)Background. California's first-in-the-nation DBNL, enacted in
2003, requires a public agency, person, or business that owns
or licenses computerized data that includes personal
information, as defined, to notify any California resident
whose unencrypted personal information was acquired, or
reasonably believed to have been stolen.
An agency or business that experiences a breach can avoid
mailing a notice to each and every affected customer if doing
so would cost more than $250,000, or more than 500,000 persons
are impacted. In such cases, the DBNL permits "substitute
notice" which must include an email notice to affected
customers (if an email address is available), posting the
notice on the breached entity's website, and notifying major
statewide media and the Office of Information Security within
the Department of Technology.
2)Purpose. A recent report by the Department of Justice (DOJ)
recommends improving the readability of breach notices. This
bill seeks to improve breach notice readability by directing
breached entities to present the information required in a
table format and grouped under the following five headings:
What Happened
What Information Was Involved
What We Are Doing
What You Can Do
For More Information
This bill also provides an optional model security breach
notification form that entities may use to comply with these
formatting requirements.
The DOJ report also recommends improving the substitute notice
by making it more likely that it will be noticed. As provided
in this bill, the DOJ report recommends, among other things,
posting the link to the substitute notice on the business's
website homepage, labeling it clearly, and leaving the link
and the notice page up for at least 30 days.
Analysis Prepared by: Chuck Nicol / APPR. / (916) 319-2081