BILL ANALYSIS




           ----------------------------------------------------------------- 
          |SENATE RULES COMMITTEE            |                        SB 570|
          |Office of Senate Floor Analyses   |                              |
          |(916) 651-1520 Fax: (916) 327-4478|                              |
           ----------------------------------------------------------------- 


                                UNFINISHED BUSINESS 


          Bill No:  SB 570
          Author:   Jackson (D)
          Amended:  9/1/15  
          Vote:     21  

           SENATE JUDICIARY COMMITTEE:  5-1, 4/28/15
           AYES:  Jackson, Hertzberg, Leno, Monning, Wieckowski
           NOES:  Anderson
           NO VOTE RECORDED:  Moorlach

           SENATE APPROPRIATIONS COMMITTEE:  5-2, 5/11/15
           AYES:  Lara, Beall, Hill, Leyva, Mendoza
           NOES:  Bates, Nielsen

           SENATE FLOOR:  27-11, 5/28/15
           AYES:  Allen, Beall, Block, Cannella, De León, Gaines, Glazer,  
            Hall, Hancock, Hernandez, Hertzberg, Hill, Hueso, Jackson,  
            Lara, Leno, Leyva, Liu, McGuire, Mendoza, Mitchell, Monning,  
            Pan, Pavley, Roth, Wieckowski, Wolk
           NOES:  Anderson, Bates, Fuller, Huff, Moorlach, Morrell,  
            Nguyen, Nielsen, Runner, Stone, Vidak
           NO VOTE RECORDED:  Berryhill, Galgiani

           ASSEMBLY FLOOR:  80-0, 9/3/15 - See last page for vote

           SUBJECT:   Personal information: privacy: breach


          SOURCE:    Author


          DIGEST:  This bill modifies the existing data breach  
          notification requirement for agencies and persons or businesses  
          conducting business in California that own or license  
          computerized data that includes personal information.   

                                                                     SB 570  
                                                                    Page  2

          Specifically, this bill requires these entities, in the event of  
          a data breach, to provide affected individuals with a notice  
          entitled "Notice of Data Breach," in which required content is  
          presented under the following headings: "What Happened," "What  
          Information Was Involved," "What We Are Doing," "What You Can  
          Do," and "For More Information."  This bill states that  
          additional information may be provided to supplement the  
          required notice, and provides a model security breach  
          notification form that entities may use to comply with  
          formatting requirements.  This bill also clarifies the  
          requirements for providing substitute notice of a data breach,  
          and makes other technical and clarifying changes to the Data  
          Breach Notification Law.

          Assembly Amendments remove a requirement that written data  
          breach notices be limited to one page, add triple-jointing  
          language to avoid chaptering out conflicts, and make other  
          technical and clarifying changes.

          ANALYSIS:

          Existing law:

          1)Requires any agency, person, or business that owns or licenses  
            computerized data that includes personal information to  
            disclose a breach of the security of the system to any  
            California resident whose unencrypted personal information  
            was, or is reasonably believed to have been, acquired by an  
            unauthorized person.  The disclosure must be made in the most  
            expedient time possible and without unreasonable delay,  
            consistent with the legitimate needs of law enforcement, as  
            specified.  (Civ. Code Secs. 1798.29(a), (c) and 1798.82(a),  
            (c).)

          2)Requires any agency, person, or business that maintains  
            computerized data that includes personal information that the  
            agency, person, or business does not own to notify the owner  
            or licensee of the information of any security breach  
            immediately following discovery if the personal information  
            was, or is reasonably believed to have been, acquired by an  
            unauthorized person.  (Civ. Code Secs. 1798.29(b),  
            1798.82(b).)

          3)Requires any agency, person, or business that must issue a  
            security breach notification to meet all of the following  
            requirements when issuing the notification:
               - the notification shall be written in plain language; and
               - the notification shall include, at a minimum, the  
               following information:
               o      the name and contact information of the reporting  
                 entity;
               o      a list of the types of personal information that  
                 were or are reasonably believed to have been the subject  
                 of a breach;
               o      if the information is possible to determine at the  
                 time the notice is provided, then any of the following:  
                 (i) the date of the breach; (ii) the estimated date of  
                 the breach; or (iii) the date range within which the  
                 breach occurred;
               o      the date of the notice;
               o      whether the notification was delayed as a result of  
                 a law enforcement investigation, if that information is  
                 possible to determine at the time the notice is provided;
               o      a general description of the breach incident, if  
                 that information is possible to determine at the time the  
                 notice is provided; and
               o      the toll-free telephone numbers and addresses of the  
                 major credit reporting agencies, if the breach exposed a  
                 social security number or a driver's license or  
                 California identification card number.  (Civ. Code Secs.  
                 1798.29(d), 1798.82(c).)

          4)Provides that a security breach notification may also include  
            any of the following:
               - information about what the reporting entity has done to  
               protect individuals whose information has been breached;  
               and
               - advice on steps that the person whose information has  
               been breached may take to protect himself or herself.   
               (Civ. Code Secs. 1798.29(d), 1798.82(c).)

          5)Specifies that a security breach notification may be provided  
            by one of the following methods:
               - written notice;
               - electronic notice; or
               - substitute notice, if the agency, person, or business  
               demonstrates that the cost of providing notice would exceed  
               $250,000, or that the class of persons to be notified  
               exceeds 500,000, or the notifying entity does not have  
               sufficient contact information.  (Civ. Code Secs.  
               1798.29(i), 1798.82(j).)

          6)Specifies that substitute notice shall consist of all of the  
            following:
               - email notice when the reporting entity has an email  
               address for the subject persons;
               - conspicuous posting of the notice on the notifying  
               entity's Internet Web site page, if it maintains one; and
               - notification to major statewide media, as specified.   
               (Civ. Code Secs. 1798.29(i), 1798.82(j).)

          This bill:

          1)Requires a security breach notification to be titled "Notice  
            of Data Breach," in which required content is presented under  
            the following headings: "What Happened," "What Information Was  
            Involved," "What We Are Doing," "What You Can Do," and "For  
            More Information."  This bill specifies that additional  
            information may be provided to supplement the required notice.

          2)Specifies that the format of the notice shall be designed to  
            call attention to the nature and significance of the  
            information it contains, and makes the following additional  
            specifications:
               - the title and headings in the notice shall be clearly  
               and conspicuously displayed; and
               - the text of the required data breach notice and any  
               other notice provided pursuant to the Data Breach  
               Notification Law shall be no smaller than 10-point type.

          3)Provides a model security breach notification form that may be  
            used to notify affected individuals of a data breach, and  
            states that use of the model form shall constitute compliance  
            with the above formatting requirements.

          4)Provides that conspicuous posting of the notice on the  
            notifying entity's Internet Web site, if it maintains one,  
            must occur for a minimum of 30 days.  This bill also provides  
            that conspicuous posting on a notifying entity's Internet Web  
            site means providing a link to the notice on the home page or  
            first significant page after entering the Internet Web site  
            that is in larger type than the surrounding text, or in  
            contrasting type, font, or color to the surrounding text of  
            the same size, or set off from the surrounding text of the  
            same size by symbols or other marks that call attention to the  
            link.

          5)Makes other technical and clarifying changes to the Data  
            Breach Notification Law.
          
          Background

          In 2003, California's first-in-the-nation security breach  
          notification law went into effect.  (See Civ. Code Secs.  
          1798.29(a), 1798.82(a).)   Since that time, all but three states  
          have enacted similar security breach notification laws, and  
          governments around the world have or are considering enacting  
          such laws.  California's breach notification statute requires  
          state agencies, local agencies, and businesses to notify  
          residents when the security of their personal information is  
          breached.  This notification requirement ensures that residents  
          are made aware of a breach, thus allowing them to take  
          appropriate action to mitigate or prevent potential financial  
          losses due to fraudulent activity.

          Existing law requires breach notifications to be made in the  
          most expedient time possible without unreasonable delay, and  
          specifies certain information that must be included in these  
          notices.  The law provides that breach notifications must be  
          written in "plain language," but is otherwise silent about how  
          the information should be presented.  In a 2014 report on data  
          breaches in California, the Attorney General stated:

            Breach notices continue to be written at the college level,  
            well above the average reading level for adults.  The intent  
            of the breach notice law is to alert individuals that their  
            information is at risk, so they can take steps to protect  
            themselves.  Notices that can be easily understood are  
            obviously essential to accomplishing this purpose.

            While concerns about litigation risks may cause companies to  
            draft notices in legalistic language that is less than  
            accessible, we encourage companies to work with communications  
            professionals to improve the clarity of their notices.  Good  
            writing can make the notices more readable, using techniques  
            such as shorter sentences, familiar words and phrases, the  
            active voice and a layout that supports clarity.  (California  
            Department of Justice, California Data Breach Report (Oct.  
            2014)  

            communicate relevant information to affected California  
            residents.  It directs these entities to convey the  
            information currently required under existing law in a notice  
            with the information grouped under the following five  
            headings:
                - What Happened
                - What Information Was Involved
                - What We Are Doing
                - What You Can Do
                - For More Information

            Breached entities remain free to provide additional  
            information to supplement the required notice as they see fit.  
            Additionally, this bill specifies notices conspicuously  
            posted on a Web site under the substitute notice provision  
            must remain posted for a minimum of 30 days, and clarifies the  
            meaning of "conspicuous posting."

            These changes to California's breach notification law will  
            help ensure that critical information pertaining to a breach  
            is communicated effectively to California residents,  
            empowering them to take appropriate steps to protect  
            themselves from the consequences of a data breach.

          Related/Prior Legislation
          
          AB 259 (Dababneh, 2015) requires an agency, if the agency was  
          the source of a breach and the breach compromised a person's  
          social security number, driver's license number, or California  
          identification card number, to offer the person identity theft  
          prevention and mitigation services at no cost for not less than  
          12 months.  AB 259 was held on suspense in the Assembly  
          Appropriations Committee.

          AB 964 (Chau, 2015) amends California's Data Breach Notification  
          Law by defining "encrypted" to mean rendered unusable,  
          unreadable, or indecipherable through a security technology or  
          methodology generally accepted in the field of information  
          technology.  AB 964 is pending a concurrence vote on the  
          Assembly Floor.

          AB 1710 (Dickinson, Chapter 855, Statutes of 2014) amended  
          California's Data Breach Notification Law to require a person or  
          business to offer appropriate identity theft prevention and  
          mitigation services to an affected person at no cost for not  
          less than 12 months if the person or business was the source of  
          a data breach.  AB 1710 also prohibited the sale, advertisement  
          for sale, or offer to sell an individual's social security  
          number.


          SB 46 (Corbett, Chapter 396, Statutes of 2013) revised the data  
          elements included within the definition of personal information  
          under California's Data Breach Notification Law by adding  
          certain information that would permit access to an online  
          account, and imposed additional requirements on the disclosure  
          of a breach of the security of the system or data in situations  
          where the breach involves personal information that would permit  
          access to an online or email account.


          AB 1149 (Campos, Chapter 395, Statutes of 2013) expanded  
          existing disclosure requirements concerning breaches of  
          computerized data owned or licensed by state agencies to "local  
          agencies" as defined by Government Code Section 6252(a).  AB  
          1149 also made certain technical corrections to the security  
          breach notification law.


          SB 24 (Simitian, Chapter 197, Statutes of 2011) required any  
          agency, person, or business that is required to issue a security  
          breach notification pursuant to existing law to fulfill certain  
          additional requirements pertaining to the security breach  
          notification, and required any agency, person, or business that  
          is required to issue a security breach notification to more than  
          500 California residents to electronically submit a single  
          sample copy of that security breach notification to the Attorney  
          General.


          AB 1298 (Jones, Chapter 699, Statutes of 2007), among other  
          things, added medical information and health insurance  
          information to the data elements that, when combined with the  
          individual's name, would constitute personal information  
          requiring disclosure when acquired, or believed to be acquired,  
          by an unauthorized person due to a security breach.


          AB 1950 (Wiggins, Chapter 877, Statutes of 2004) required a  
          business that owns or licenses personal information about a  
          California resident to implement and maintain reasonable  
          security procedures and practices to protect personal  
          information from unauthorized access, destruction, use,  
          modification, or disclosure.  AB 1950 also required a business  
          that discloses personal information to a nonaffiliated third  
          party to require by contract that those entities maintain  
          reasonable security procedures.


          SB 1386 (Peace, Chapter 915, Statutes of 2002) enacted  
          California's Data Breach Notification Law and required a state  
          agency, or a person or business that conducts business in  
          California, that owns or licenses computerized data that  
          includes personal information to disclose any breach of the  
          security of the data to California's residents whose unencrypted  
          personal information was, or is reasonably believed to have  
          been, acquired by an unauthorized person.  SB 1386 permitted  
          notifications to be delayed if a law enforcement agency  
          determines that it would impede a criminal investigation, and  
          required an agency, person, or business that maintains  
          computerized data that includes personal information owned by  
          another to notify the owner or licensee of the information of  
          any breach of security of the data.


          FISCAL EFFECT:   Appropriation:  No    Fiscal Com.:  Yes    Local:  No

          According to the Senate Appropriations Committee, this bill will  
          result in minor costs to revise the form (General/Specials).


          SUPPORT:   (Verified 9/3/15)

          California Attorney General's Office
          Privacy Rights Clearinghouse 


          OPPOSITION:   (Verified 9/3/15)


          None received

          ASSEMBLY FLOOR:  80-0, 9/3/15
          AYES:  Achadjian, Alejo, Travis Allen, Baker, Bigelow, Bloom,  
            Bonilla, Bonta, Brough, Brown, Burke, Calderon, Campos, Chang,  
            Chau, Chávez, Chiu, Chu, Cooley, Cooper, Dababneh, Dahle,  
            Daly, Dodd, Eggman, Frazier, Beth Gaines, Gallagher, Cristina  
            Garcia, Eduardo Garcia, Gatto, Gipson, Gomez, Gonzalez,  
            Gordon, Gray, Grove, Hadley, Harper, Roger Hernández, Holden,  
            Irwin, Jones, Jones-Sawyer, Kim, Lackey, Levine, Linder,  
            Lopez, Low, Maienschein, Mathis, Mayes, McCarty, Medina,  
            Melendez, Mullin, Nazarian, Obernolte, O'Donnell, Olsen,  
            Patterson, Perea, Quirk, Rendon, Ridley-Thomas, Rodriguez,  
            Salas, Santiago, Steinorth, Mark Stone, Thurmond, Ting,  
            Wagner, Waldron, Weber, Wilk, Williams, Wood, Atkins


           Prepared by: Tobias Halvarson / JUD. / (916) 651-4113
          9/3/15 17:07:15


                                   ****  END  ****