SB 1444, as amended, Hertzberg. State government: computerized personal information security plans.
The Information Practices Act of 1977 requires an agency, as defined, to maintain in its records only that personal information, as defined, that is relevant and necessary to accomplish a purpose of the agency required or authorized by the California Constitution or statute or mandated by the federal government. That law requires each agency to establish appropriate and reasonable administrative, technical, and physical safeguards to ensure compliance with this law, to ensure the security and confidentiality of records, and to protect against anticipated threats or hazards to the security or integrity of the records that could result in any injury. Existing law requires an agency that owns or licenses computerized data that includes personal information to disclose a breach of the security of the system in the most expedient time possible and without unreasonable delay, as specified.
This bill would require an agency that owns or licenses computerized data that includes personal information to prepare a computerized personal information security plan that details the agency’s strategy to respond to a security breach of computerized personal information and associated consequences caused by the disclosed personal information. The bill would make legislative findings and declarations in this regard.
Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: no.
The people of the State of California do enact as follows:
The Legislature finds and declares all of the following:
(a) The Attorney General reported that since 2012, 657 data breaches of the kind affecting more than 500 Californians have exposed over 49 million records to fraudulent use.
(b) Malware and hacking attacks have risen dramatically in the past four years and account for a vast majority of the records that have been breached. These types of attacks present the greatest risk for massive disclosure of sensitive personal information, including, among others, social security numbers, driver’s licenses, and dates of birth.
(c) Numerous state agencies hold records of millions of Californians and present the potential for large breaches of personal information in the future.
(d) Information technology professionals consider data breaches to be inevitable for organizations of all sizes and recommend the development and regular updating of plans and procedures designed to detect and halt breaches, notify affected Californians, and mitigate the damage caused by the data breaches.
Section 1798.21.5 is added to the Civil Code, to read:
(a) An agency that owns or licenses computerized data that includes personal information shall prepare a computerized personal information security plan that details the agency’s strategy to respond to a security breach of computerized personal information and associated consequences caused by the disclosed personal information. A computerized personal information security plan shall include, but is not limited to, all of the following:
(1) A statement of the purpose and objectives for the plan.
(2) An inventory of the computerized personal information stored or transmitted by the agency.
(3) Identification of resources necessary to implement the plan.
(4) Identification of an incident response team tasked with mitigating and responding to a breach, or an imminent threat of a breach, to the security of computerized personal information.
(5) Procedures for communications within the incident response team and between the incident response team, other individuals within the agency, and individuals outside the agency that need to be notified in the event of a breach of the security of computerized personal information.
(6) Policies for training the incident response team and the agency on the implementation of the computerized personal information security plan, including, but not limited to, the use of practice drills.
(7) A process to review and improve the computerized personal information security plan.
(b) For purposes of this section, “personal information” includes information described in subdivision (a) of Section 1798.3 and subdivision (g) of Section 1798.29.