SB 1444, Hertzberg. State government: computerized personal information security plans.
The Information Practices Act of 1977 requires an agency, as defined, to maintain in its records only that personal information, as defined, that is relevant and necessary to accomplish a purpose of the agency required or authorized by the California Constitution or statute or mandated by the federal government. That law requires each agency to establish appropriate and reasonable administrative, technical, and physical safeguards to ensure compliance with this law, to ensure the security and confidentiality of records, and to protect against anticipated threats or hazards to the security or integrity of the records that could result in any injury. Existing law requires an agency that owns or licenses computerized data that includes personal information to disclose a breach of the security of the system in the most expedient time possible and without unreasonable delay, as specified.
This bill would require an agency that owns or licenses computerized data that includes personal information to prepare a computerized personal information security plan that details the agency’s strategy to respond to a security breach of computerized personal information and associated consequences caused by the disclosed personal information. The bill would make legislative findings and declarations in this regard.
The people of the State of California do enact as follows:
The Legislature finds and declares all of the following:
(a) The Attorney General reported that since 2012, 657 data breaches of the kind affecting more than 500 Californians have exposed over 49 million records to fraudulent use.
(b) Malware and hacking attacks have risen dramatically in the past four years and account for a vast majority of the records that have been breached. These types of attacks present the greatest risk for massive disclosure of sensitive personal information, including, among others, social security numbers, driver’s licenses, and dates of birth.
(c) Numerous state agencies hold records of millions of Californians and present the potential for large breaches of personal information in the future.
(d) Information technology professionals consider data breaches to be inevitable for organizations of all sizes and recommend the development and regular updating of plans and procedures designed to detect and halt breaches, notify affected Californians, and mitigate the damage caused by the data breaches.
Section 1798.21.5 is added to the Civil Code, to read:
(a) An agency that owns or licenses computerized data that includes personal information shall prepare a computerized personal information security plan that details the agency’s strategy to respond to a security breach of computerized personal information and associated consequences caused by the disclosed personal information. A computerized personal information security plan shall include, but is not limited to, all of the following:
(1) A statement of the purpose and objectives for the plan.
(2) An inventory of the computerized personal information stored or transmitted by the agency.
(3) Identification of resources necessary to implement the plan.
(4) Identification of an incident response team tasked with mitigating and responding to a breach, or an imminent threat of a breach, to the security of computerized personal information.
(5) Procedures for communications within the incident response team and between the incident response team, other individuals within the agency, and individuals outside the agency that need to be notified in the event of a breach of the security of computerized personal information.
(6) Policies for training the incident response team and the agency on the implementation of the computerized personal information security plan, including, but not limited to, the use of practice drills.
(7) A process to review and improve the computerized personal information security plan.
(b) For purposes of this section, “personal information” includes information described in subdivision (a) of Section 1798.3 and subdivision (g) of Section 1798.29.