BILL ANALYSIS
SB 570
Page 1
SENATE THIRD READING
SB 570 (Jackson)
As Amended July 2, 2015
Majority vote
SENATE VOTE: 27-11
------------------------------------------------------------------
|Committee      |Votes|Ayes                                   |Noes|
|---------------+-----+---------------------------------------+----|
|Privacy        |11-0 |Gatto, Wilk, Baker, Calderon, Chang,   |    |
|               |     |Chau, Cooper, Dababneh, Dahle, Gordon, |    |
|               |     |Low                                    |    |
|---------------+-----+---------------------------------------+----|
|Appropriations |16-0 |Gomez, Bigelow, Bloom, Bonta,          |    |
|               |     |Calderon, Chang, Daly, Eggman,         |    |
|               |     |Gallagher, Eduardo Garcia, Jones,      |    |
|               |     |Quirk, Rendon, Wagner, Weber, Wood     |    |
------------------------------------------------------------------
SUMMARY: Creates a standard format for data breach notices with
subheadings to improve readability, improves access to
substitute data breach notices by requiring a conspicuous link
to the substitute notice on the business's or agency's Internet
homepage, and requires the link and the notice to remain posted
for at least 30 days. Specifically, this bill:
1) Requires data breach notices to be titled "Notice of Data
Breach" and requires the content of the breach notice to be
presented under specific headings: "What Happened," "What
Information Was Involved," "What We Are Doing," "What You Can
Do," and "For More Information."
2) Provides an optional model security breach notification form
in table format and specifies that use of the model form
constitutes compliance with this bill.
3) Requires conspicuous posting of a substitute breach notice on
the business or agency Web site for at least 30 days.
EXISTING LAW:
1) Requires, under the Data Breach Notification Law (DBNL), a
public agency, person, or business that owns or licenses
computerized data that includes personal information to notify
any California resident whose unencrypted personal information
was acquired, or reasonably believed to have been acquired, by
an unauthorized person. The notice must be made in the most
expedient time possible and without unreasonable delay,
consistent with the legitimate needs of law enforcement, as
specified. Note that this requirement does not apply to the
Judiciary, the Legislature, or the University of California.
(Civil Code (CC) Sections 1798.29(a), (c); 1798.82(a), (c))
2) Requires a person or business that is the source of a breach
of Social Security numbers or driver's license numbers, and is
required to provide notice of the breach, to offer appropriate
identity theft protection or mitigation services to affected
individuals at no cost, for no less than 12 months. (CC
Section 1798.82(d)(2)(G))
3) Requires a public agency, person, or business that maintains
computerized data that includes personal information that the
agency, person, or business does not own to notify the owner
or licensee of the information of any security breach
immediately following discovery if the personal information
was, or is reasonably believed to have been, acquired by an
unauthorized person. (CC Sections 1798.29(b), 1798.82(b))
4) Defines "personal information," for purposes of the breach
notification statute, to include the individual's first name
or first initial and last name in combination with one or more
of the following data elements, when either the name or the
data elements are not encrypted: Social Security number;
driver's license number or California Identification Card
number; account number, credit or debit card number, in
combination with any required security code, access code, or
password that would permit access to an individual's financial
account; medical information; or health insurance information.
"Personal information" does not include publicly available
information that is lawfully made available to the general
public from federal, state, or local government records. (CC
Sections 1798.29(g), (h), 1798.82(h), (i))
COMMENTS: A 2014 report by the California Department of Justice
(DOJ) recommends improving the readability of breach notices.
This bill seeks to improve breach notice readability by changing
the format in which breach information is communicated to
affected consumers. Specifically, this bill directs breached
entities to present the information required under existing law
under the following five headings:
1) What Happened
2) What Information Was Involved
3) What We Are Doing
4) What You Can Do
5) For More Information
The DOJ report also recommends improving the substitute notice
by "making it more likely that the notice will be noticed." The
DOJ report suggests, among other things, posting the link to the
substitute notice on the business's Web site homepage, labeling
it clearly, and leaving the link and the notice page up for at
least 30 days.
This bill implements those recommendations by requiring
substitute breach notices to be conspicuously posted on a
business's homepage (or first significant page after entering
the website) and left up for at least 30 days.
FISCAL EFFECT: According to the Assembly Appropriations
Committee, minor absorbable costs for state agencies to revise
their respective notification forms.
Analysis Prepared by: Jennie Bretschneider / P. & C.P. / (916) 319-2200 FN: 0001302