SB 1444, as amended, Hertzberg. State government: computerized personal information security plans.
The Information Practices Act of 1977 requires an agency, as defined, to maintain in its records only that personal information, as defined, that is relevant and necessary to accomplish a purpose of the agency required or authorized by the California Constitution or statute or mandated by the federal government. That law requires each agency to establish appropriate and reasonable administrative, technical, and physical safeguards to ensure compliance with this law, to ensure the security and confidentiality of records, and to protect against anticipated threats or hazards to the security or integrity of the records that could result in any injury. Existing law requires an agency that owns or licenses computerized data that includes personal information to disclose a breach of the security of the system in the most expedient time possible and without unreasonable delay, as specified.
This bill would require an agency that owns or licenses computerized data that includes personal information to prepare a computerized personal information security plan that details the agency’s strategy to respond to a security breach of computerized personal information and associated consequences caused by the disclosed personal information. The bill would make legislative findings and declarations in this regard.
Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: no.
The people of the State of California do enact as follows:
The Legislature finds and declares all of the following:
(a) The Attorney General reported that since 2012, 657 data breaches of the kind affecting more than 500 Californians have exposed over 49 million records to fraudulent use.
(b) Malware and hacking attacks have risen dramatically in the past four years and account for a vast majority of the records that have been breached. These types of attacks present the greatest risk for massive disclosure of sensitive personal information, including, among others, social security numbers, driver’s licenses, and dates of birth.
(c) Numerous state agencies hold records of millions of Californians and present the potential for large breaches of personal information in the future.
(d) Information technology professionals consider data breaches to be inevitable for organizations of all sizes and recommend the development and regular updating of plans and procedures designed to detect and halt breaches, notify affected Californians, and mitigate the damage caused by the data breaches.
Section 1798.21.5 is added to the Civil Code, to read:
An agency that owns or licenses computerized data that includes personal information shall prepare a computerized personal information security plan that details the agency’s strategy to respond to a security breach of computerized personal information and associated consequences caused by the disclosed personal information. A computerized personal information security plan shall include, but is not limited to, all of the following:
(a) A statement of the purpose and objectives for the plan.
(b) An inventory of the computerized personal information stored or transmitted by the agency.
(c) Identification of resources necessary to implement the plan.
(d) Identification of an incident response team tasked with mitigating and responding to a breach, or an imminent threat of a breach, to the security of computerized personal information.
(e) Procedures for communications within the incident response team and between the incident response team, other individuals within the agency, and individuals outside the agency that need to be notified in the event of a breach of the security of computerized personal information.
(f) Policies for training the incident response team and the agency on the implementation of the computerized personal information security plan, including, but not limited to, the use of
(g) A process to review and improve the computerized personal information security plan.