Amended in Senate March 31, 2016

Senate Bill No. 1444


Introduced by Senator Hertzberg

February 19, 2016


An act to [begin delete]amend[end delete] [begin insert]add[end insert] Section [begin delete]1798.21 of[end delete] [begin insert]1798.21.5 to[end insert] the Civil Code, relating to personal information.

LEGISLATIVE COUNSEL’S DIGEST

SB 1444, as amended, Hertzberg. [begin delete]Personal information: privacy: state agencies: mitigation and response plans.[end delete] [begin insert]State government: computerized personal information security plans.[end insert]

[begin delete]Existing law authorizes[end delete] [begin insert]The Information Practices Act of 1977 requires[end insert] an agency, as defined, to maintain in its records only that personal [begin delete]information[end delete] [begin insert]information, as defined,[end insert] that is relevant and necessary to accomplish a purpose of the [begin delete]agency,[end delete] [begin insert]agency[end insert] required or authorized by the California Constitution or [begin delete]statute,[end delete] [begin insert]statute[end insert] or mandated by the federal government. [begin delete]Existing[end delete] [begin insert]That[end insert] law requires each [begin delete]state[end delete] agency [begin delete]that maintains personal information[end delete] to establish appropriate and reasonable administrative, technical, and physical safeguards to ensure compliance with [begin insert]this[end insert] law, to ensure the security and confidentiality of records, and to protect against anticipated threats or hazards to the security or integrity of the records that could result in any injury. Existing law requires an agency that owns or licenses computerized data that includes personal [begin delete]information, as defined,[end delete] [begin insert]information[end insert] to disclose a breach of the security of the system in the most expedient time possible and without unreasonable delay, as specified.

This bill would require [begin delete]a state[end delete] [begin insert]an[end insert] agency that owns or licenses computerized data that includes personal information to prepare [begin delete]a mitigation and response plan for breach of the database that contains the personal information.[end delete] [begin insert]a computerized personal information security plan that details the agency’s strategy to respond to a security breach of computerized personal information and associated consequences caused by the disclosed personal information. The bill would make legislative findings and declarations in this regard.[end insert]

Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: no.

The people of the State of California do enact as follows:

[begin insert]SECTION 1. The Legislature finds and declares all of the following:

(a) The Attorney General reported that since 2012, 657 data breaches of the kind affecting more than 500 Californians have exposed over 49 million records to fraudulent use.

(b) Malware and hacking attacks have risen dramatically in the past four years and account for a vast majority of the records that have been breached. These types of attacks present the greatest risk for massive disclosure of sensitive personal information, including, among others, social security numbers, driver’s licenses, and dates of birth.

(c) Numerous state agencies hold records of millions of Californians and present the potential for large breaches of personal information in the future.

(d) Information technology professionals consider data breaches to be inevitable for organizations of all sizes and recommend the development and regular updating of plans and procedures designed to detect and halt breaches, notify affected Californians, and mitigate the damage caused by the data breaches.

SEC. 2. Section 1798.21.5 is added to the Civil Code, to read:

1798.21.5. An agency that owns or licenses computerized data that includes personal information shall prepare a computerized personal information security plan that details the agency’s strategy to respond to a security breach of computerized personal information and associated consequences caused by the disclosed personal information. A computerized personal information security plan shall include, but is not limited to, all of the following:

(a) A statement of the purpose and objectives for the plan.

(b) An inventory of the computerized personal information stored or transmitted by the agency.

(c) Identification of resources necessary to implement the plan.

(d) Identification of an incident response team tasked with mitigating and responding to a breach, or an imminent threat of a breach, to the security of computerized personal information.

(e) Procedures for communications within the incident response team and between the incident response team, other individuals within the agency, and individuals outside the agency that need to be notified in the event of a breach of the security of computerized personal information.

(f) Policies for training the incident response team and the agency on the implementation of the computerized personal information security plan, including, but not limited to, the use of practice drills.

(g) A process to review and improve the computerized personal information security plan.[end insert]

[begin delete]SECTION 1. Section 1798.21 of the Civil Code is amended to read:

1798.21. (a) Each agency shall establish appropriate and reasonable administrative, technical, and physical safeguards to ensure compliance with the provisions of this chapter, to ensure the security and confidentiality of records, and to protect against anticipated threats or hazards to the security or integrity of the records that could result in any injury.

(b) An agency that owns or licenses computerized data that includes personal information shall prepare a mitigation and response plan for breach of the database that contains the personal information.[end delete]

