BILL ANALYSIS
SB 570 Page 1

SENATE THIRD READING
SB 570 (Jackson)
As Amended September 1, 2015
Majority vote
SENATE VOTE: 27-11

--------------------------------------------------------------------------------------------------------------------------------------------
|Committee       |Votes|Ayes                                                                                                            |Noes|
|----------------+-----+----------------------------------------------------------------------------------------------------------------+----|
|Privacy         |11-0 |Gatto, Wilk, Baker, Calderon, Chang, Chau, Cooper, Dababneh, Dahle, Gordon, Low                                  |    |
|----------------+-----+----------------------------------------------------------------------------------------------------------------+----|
|Appropriations  |16-0 |Gomez, Bigelow, Bloom, Bonta, Calderon, Chang, Daly, Eggman, Gallagher, Eduardo Garcia, Jones, Quirk, Rendon,   |    |
|                |     |Wagner, Weber, Wood                                                                                             |    |
--------------------------------------------------------------------------------------------------------------------------------------------

SUMMARY: Creates a standard format for data breach notices with subheadings to improve readability, improves access to substitute data breach notices by requiring a conspicuous link to the substitute notice on the business's or agency's Internet homepage, and requires the link and the notice to remain posted for at least 30 days. Specifically, this bill:

1) Requires data breach notices to be titled "Notice of Data Breach" and requires the content of the breach notice to be presented under specific headings: "What Happened," "What Information Was Involved," "What We Are Doing," "What You Can Do," and "For More Information."

2) Provides an optional model security breach notification form in table format and specifies that use of the model form constitutes compliance with the bill.

3) Requires conspicuous posting of a substitute breach notice on the business or agency Web site for at least 30 days.

4) Contains double-jointing language to avoid chaptering conflicts with AB 964 (Chau) and SB 34 (Hill) of the current legislative session.
EXISTING LAW:

1) Requires, under the Data Breach Notification Law (DBNL), a public agency, person, or business that owns or licenses computerized data that includes personal information to notify any California resident whose unencrypted personal information was acquired, or reasonably believed to have been acquired, by an unauthorized person. The notice must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as specified. Note that this requirement does not apply to the Judiciary, the Legislature, or the University of California. (Civil Code (CC) Sections 1798.29(a), (c); 1798.82(a), (c))

2) Requires a person or business that is the source of a breach of Social Security numbers or driver's license numbers, and is required to provide notice of the breach, to offer appropriate identity theft protection or mitigation services to affected individuals at no cost, for no less than 12 months. (CC Section 1798.82(d)(2)(G))

3) Requires a public agency, person, or business that maintains computerized data that includes personal information that the agency, person, or business does not own to notify the owner or licensee of the information of any security breach immediately following discovery if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
(CC Sections 1798.29(b), 1798.82(b))

4) Defines "personal information," for purposes of the breach notification statute, to include the individual's first name or first initial and last name in combination with one or more of the following data elements, when either the name or the data elements are not encrypted: Social Security number; driver's license number or California Identification Card number; account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account; medical information; or health insurance information. "Personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records. (CC Sections 1798.29(g), (h); 1798.82(h), (i))

FISCAL EFFECT: According to the Senate Appropriations Committee, minor costs to revise the form (General/Specials).

COMMENTS: A 2014 report by the California Department of Justice (DOJ) recommends improving the readability of breach notices. This bill seeks to improve breach notice readability by changing the format in which breach information is communicated to affected consumers. This bill directs breached entities to present the information under the following five headings:

1) What Happened
2) What Information Was Involved
3) What We Are Doing
4) What You Can Do
5) For More Information

The DOJ report also suggests, among other things, posting the link to the substitute notice on the business's Web site homepage, labeling it clearly, and leaving the link and the notice page up for at least 30 days. This bill implements those recommendations by requiring substitute breach notices to be conspicuously posted and left up for at least 30 days.

Analysis Prepared by: Jennie Bretschneider / P. & C.P. / (916) 319-2200
FN: 0001860