BILL ANALYSIS

                             SENATE JUDICIARY COMMITTEE
                         Senator Hannah-Beth Jackson, Chair
                             2015-2016  Regular  Session


          SB 1444 (Hertzberg)
          Version: March 31, 2016
          Hearing Date: April 12, 2016
          Fiscal: Yes
          Urgency: No
          TH   


                                        SUBJECT
                                           
            State Government: Computerized Personal Information Security  
                                        Plans

                                      DESCRIPTION  

          This bill requires state agencies that own or license  
          computerized data that includes personal information to prepare  
          a security plan that details the agency's strategy to respond to  
          a security breach of that information and its associated  
          consequences.  The bill lists certain minimum requirements to be  
          included in an agency's security plan, including a requirement  
          to inventory personal information stored or transmitted by the  
          agency and procedures for facilitating communication between an  
          incident response team, agency officials, and individuals  
          affected by a breach.

                                      BACKGROUND  

          In 2003, California's first-in-the-nation security breach  
          notification law went into effect. (See Civ. Code Secs.  
          1798.29(a), 1798.82(a).)  Since that time, all but three states  
          have enacted similar security breach notification laws, and  
          governments around the world have or are considering enacting  
          such laws.  California's breach notification statute requires  
          state agencies, local agencies, and businesses to notify  
          residents when the security of their computerized personal  
          information is breached.  Existing law requires breach  
          notifications to be made in the most expedient time possible  
          without unreasonable delay, and specifies certain information  
          that must be included in these notices.  This breach  
          notification requirement ensures that residents are made aware  
          of a breach, thus allowing them to take appropriate action to  
          mitigate or prevent potential financial losses due to fraudulent  
          activity.

          California's requirement to notify affected individuals of a  
          data breach has had the effect of highlighting data insecurity  
          as a matter for public concern, and has motivated businesses and  
          agencies to invest additional resources toward securing data  
          stored within their computer networks.  However, despite the  
          data breach notification law's positive impact, data breaches  
          have increased in frequency and magnitude since the law took  
          effect.  The Attorney General's most recent report on California  
          data breaches offers the following summary:

            In the past four years, the Attorney General has received  
            reports on 657 data breaches, affecting a total of over 49  
            million records of Californians.  In 2012, there were 131  
            breaches, involving 2.6 million records of Californians; in  
            2015, 178 breaches put over 24 million records at risk.  This  
            means that nearly three in five Californians were victims of a  
            data breach in 2015 alone.  (California Department of Justice,  
            California Data Breach Report 2012-2015 (Feb. 2016)  
             [as of Apr. 1, 2016].)

          Unfortunately, victims of data breach are much more likely to  
          become victims of fraud and identity theft.  The Attorney  
          General's data breach report notes that "[i]n 2014, 67 percent  
          of breach victims in the U.S. were also victims of fraud,  
          compared to just 25 percent of all consumers."  (Id. [citations  
          omitted].)

          Two years ago, the Legislature passed AB 1710 (Dickinson, Ch.  
          855, Stats. 2014) which amended California's data breach  
          notification law to require a person or business to offer  
          appropriate identity theft prevention and mitigation services to  
          an affected person at no cost for not less than 12 months if the  
          person or business was the source of a data breach.  AB 1710  
          required such services to be offered only if the breach  
          compromised an individual's first name or first initial and last  
          name along with their social security number, driver's license  
          number, or California identification card number.  AB 1710 did  
          not impose a parallel requirement on state and local agencies  
          that are the source of a data breach.

          This bill would require state agencies that own or license  
          computerized data that includes personal information to prepare  
          a computerized personal information security plan that details  
          the agency's strategy to respond to a security breach of that  
          information and associated consequences caused by the disclosed  
          personal information.  This bill specifies that a computerized  
          personal information security plan shall include, at a minimum,  
          the following elements:
          • a statement of the purpose and objectives for the plan;
          • an inventory of the computerized personal information stored  
            or transmitted by the agency;
          • identification of resources necessary to implement the plan;
          • identification of an incident response team tasked with  
            mitigating and responding to a breach, or an imminent threat  
            of a breach, to the security of computerized personal  
            information;
          • procedures for communications within the incident response  
            team and between the incident response team, other individuals  
            within the agency, and individuals outside the agency that  
            need to be notified in the event of a breach of the security  
            of computerized personal information;
          • policies for training the incident response team and the  
            agency on the implementation of the computerized personal  
            information security plan, including, but not limited to, the  
            use of practice drills; and
          • a process to review and improve the computerized personal  
            information security plan.

                                CHANGES TO EXISTING LAW
           
          Existing law, the data breach notification law, requires any  
          agency, person, or business that owns or licenses computerized  
          data that includes personal information to disclose a breach of  
          the security of the system to any California resident whose  
          unencrypted personal information was, or is reasonably believed  
          to have been, acquired by an unauthorized person.  The  
          disclosure must be made in the most expedient time possible and  
          without unreasonable delay, consistent with the legitimate needs  
          of law enforcement, as specified.  (Civ. Code Secs. 1798.29(a),  
          (c) and 1798.82(a), (c).)

          Existing law requires any agency, person, or business that  
          maintains computerized data that includes personal information  
          that the agency, person, or business does not own to notify the  
          owner or licensee of the information of any security breach  
          immediately following discovery if the personal information was,  
          or is reasonably believed to have been, acquired by an  
          unauthorized person.  (Civ. Code Secs. 1798.29(b), 1798.82(b).)

          Existing law defines "personal information," for purposes of the  
          breach notification statute, to include either a user name or  
          email address, in combination with a password or security  
          question and answer that would permit access to an online  
          account, or the individual's first name or first initial and  
          last name in combination with one or more of the following data  
          elements, when either the name or the data elements are not  
          encrypted: social security number; driver's license number or  
          California identification card number; account number, credit or  
          debit card number, in combination with any required security  
          code, access code, or password that would permit access to an  
          individual's financial account; medical information; health  
          insurance information; or information or data collected through  
          the use or operation of an automated license plate recognition  
          system.  "Personal information" does not include publicly  
          available information that is lawfully made available to the  
          general public from federal, state, or local government records.  
          (Civ. Code Secs. 1798.29(g) and (h); 1798.82(h) and (i).)

          Existing law states that if the person or business providing the  
          notification was the source of the breach, an offer to provide  
          appropriate identity theft prevention and mitigation services,  
          if any, shall be provided at no cost to the affected person for  
          not less than 12 months, along with all information necessary to  
          take advantage of the offer to any person whose information was  
          or may have been breached if the breach exposed or may have  
          exposed an individual's first name or first initial and last  
          name along with their social security number, driver's license  
          number, or California identification card number.  (Civ. Code  
          Sec. 1798.82(d).)

          Existing law, the Information Practices Act of 1977, states that  
          each state agency shall maintain in its records only personal  
          information which is relevant and necessary to accomplish a  
          purpose of the agency required or authorized by the California  
          Constitution or statute or mandated by the federal government.   
          (Civ. Code Sec. 1798.14.)

          Existing law requires each agency to establish appropriate and  
          reasonable administrative, technical, and physical safeguards to  
          ensure compliance with the provisions of the Information  
          Practices Act of 1977, to ensure the security and  
          confidentiality of records, and to protect against anticipated  
          threats or hazards to their security or integrity which could  
          result in any injury.  (Civ. Code Sec. 1798.21.)

          Existing law defines "personal information," for purposes of the  
          Information Practices Act of 1977, to mean any information that  
          is maintained by an agency that identifies or describes an  
          individual, including, but not limited to, his or her name,  
          social security number, physical description, home address, home  
          telephone number, education, financial matters, and medical or  
          employment history, and includes statements made by, or  
          attributed to, an individual.  (Civ. Code Sec. 1798.3(a).)

          This bill requires an agency that owns or licenses computerized  
          data that includes personal information to prepare a  
          computerized personal information security plan that details the  
          agency's strategy to respond to a security breach of  
          computerized personal information and associated consequences  
          caused by the disclosed personal information.

          This bill specifies that a computerized personal information  
          security plan shall include, but shall not be limited to, all of  
          the following:
          • a statement of the purpose and objectives for the plan;
          • an inventory of the computerized personal information stored  
            or transmitted by the agency;
          • identification of resources necessary to implement the plan;
          • identification of an incident response team tasked with  
            mitigating and responding to a breach, or an imminent threat  
            of a breach, to the security of computerized personal  
            information;
          • procedures for communications within the incident response  
            team and between the incident response team, other individuals  
            within the agency, and individuals outside the agency that  
            need to be notified in the event of a breach of the security  
            of computerized personal information;
          • policies for training the incident response team and the  
            agency on the implementation of the computerized personal  
            information security plan, including, but not limited to, the  
            use of practice drills; and
          • a process to review and improve the computerized personal  
            information security plan.

          This bill makes related findings and declarations.

                                        COMMENT
           
          1. Stated need for the bill
           
          The author writes:

            Earlier this year, the IRS revealed that hackers had been able  
            to use stolen social security numbers to get general E-file  
            PINs for 101,000 people.  While the IRS says it stopped the  
            attack, stealing PINs potentially allows criminals to claim  
            the refunds owed to legitimate taxpayers.  Government and  
            public health facilities are at high risk for data security  
            breaches.  According to a recent report by the California  
            Attorney General, last year 178 breaches placed 24 million  
            records of Californians at risk.  This means that as many as  
            three in five Californians may have been victims of a data  
            breach.  In July 2015, the UCLA Health System suffered a  
            cyberattack that exposed the names, dates of birth, social  
            security numbers, and some medical procedures for 4.5 million  
            patients.  It took eight months to determine that the system  
            had been hacked and two more months to notify patients that  
            their information had been exposed.

            Under current law, state agencies are required to establish  
            reasonable safeguards to ensure the security and  
            confidentiality of records containing personal information and  
            to protect against anticipated threats to the security or  
            integrity of the records. They may only maintain records with  
            personal information that is relevant and necessary to  
            accomplish a purpose authorized by state or federal law.   
            Nevertheless, real threats of breach jeopardize these records  
            and state agencies should have plans in place to respond.

            This bill requires state agencies that own or license  
            computerized data that includes personal information to  
            prepare mitigation and response plans for breach of the  
            database that contains the personal information.

          2. Right to privacy and agency breaches
            
          California recognizes the right to privacy as a fundamental  
          right and has enshrined that right along with other fundamental  
          rights in article I, section 1 of the California Constitution.   
          The harm that can result from the theft of personal information  
          via a data breach threatens to undermine that fundamental right.  
          Unfortunately, because of the size of its economy and the sheer  
          number of its consumers, data held by California businesses and  
          government agencies is frequently targeted by cyber criminals.   
          The Attorney General's 2014 California Data Breach Report found  
          that in 2012, "17 percent of the data breaches recorded in the  
          United States took place in California - more than any other  
          state" and that "the number of reported breaches in California  
          increased by 28 percent in 2013."  (California Department of  
          Justice, California Data Breach Report (Oct. 2014)  
           [as of Apr. 1, 2016].)  The frequency  
          of data breaches in California and the threat that such breaches  
          pose to California residents makes timely and effective response  
          to a breach, and the ability to mitigate potential damages  
          resulting from the breach, matters of critical importance.

          Recent data breaches show that government agencies are just as  
          vulnerable as businesses to breaches that expose the personal  
          information of California residents.  In March of 2014, for  
          example, the California Department of Motor Vehicles reported  
          that its system for processing online credit card transactions  
          may have been breached, potentially compromising millions of  
          credit card numbers, expiration dates and credit card security  
          codes.  (See Kate Mather and Carla Rivera, California DMV  
          Probing Possible Breach of Customer Credit Cards, Los Angeles  
          Times (Mar. 22, 2014)  
           [as of Apr. 1, 2016].)  More recently, the federal  
          Office of Personnel Management suffered a massive data breach  
          that revealed the personal information -- and in some cases the  
          fingerprints -- of approximately 21.5 million individuals,  
          including many with secret-level security clearances.  (See  
          James Eng, OPM Hack: Government Finally Starts Notifying 21.5  
          Million Victims, NBC News (Oct. 1, 2015)  
           [as of Apr. 1, 2016].)
           
          When breaches do occur, a rapid and effective response is  
          crucial toward mitigating the impact to affected individuals.   
          This bill would assist state agencies in executing a rapid and  
          effective response in the wake of a breach by requiring these  
          agencies to formulate a breach response plan before an incident  
          occurs.  Many of the specific elements required by SB 1444 to be  
          in a breach response plan, such as identifying resources  
          necessary to carry out the plan or establishing procedures to  
          carry out communications between plan participants, take time to  
          sort out.  If an agency waits until a data breach to address  
          these critical elements of its breach response, time will be  
          lost and damage that could have been avoided will occur.

          3. Limited to state agencies
           
          It should be noted that SB 1444, as an amendment to the  
          Information Practices Act of 1977, would not require local  
          agencies to develop computerized personal information security  
          plans as called for in this bill.  The Information Practices Act  
          of 1977, unless otherwise specified, applies only to state  
          agencies.  The act specifically excludes the Legislature,  
          agencies established under Article VI of the California  
          Constitution (the judicial branch), the State Compensation  
          Insurance Fund, and local agencies, from most of its provisions.  
          (See Civ. Code Sec. 1798.3(b).)  Consequently, local agencies  
          would not be required to prepare breach response plans as  
          directed by this bill, and may remain unprepared to respond to a  
          breach even if this bill were chaptered.


          4. Duty to safeguard personal information
           
          Under existing law, both state agencies and private businesses  
          have a duty to protect personal information entrusted to their  
          care from a data breach.  The Information Practices Act of 1977  
          states that agencies "shall establish appropriate and reasonable  
          administrative, technical, and physical safeguards to ensure  
          compliance with the provisions of [the act], to ensure the  
          security and confidentiality of records, and to protect against  
          anticipated threats or hazards to their security or integrity  
          which could result in any injury."  (Civ. Code Sec. 1798.21.)   
          Civil Code Section 1798.81.5(b) similarly states that "[a]  
          business that owns, licenses, or maintains personal information  
          about a California resident shall implement and maintain  
          reasonable security procedures and practices appropriate to the  
          nature of the information, to protect the personal information  
          from unauthorized access, destruction, use, modification, or  
          disclosure." (Civ. Code Sec. 1798.81.5(b).)  Contrasting with  
          these existing duties that focus primarily on safeguarding  
          information from a data breach, SB 1444 makes explicit the  
          responsibility of state agencies to mitigate impacts after a  
          data breach has occurred by developing a breach response plan.   
          While the duty to mitigate the effects of a breach might already  
          be the legal responsibility of businesses and agencies that  
          possess personal information under existing law,<1> this bill  
          clarifies that agencies have a responsibility to develop a  
          breach response plan in advance of an incident as part of their  
          stewardship of personal information.

          5. Clarifying amendment regarding "personal information"
           
          SB 1444 amends the Information Practices Act of 1977 to  
          explicitly require agencies to develop data breach response  
          plans.  These agency response plans are directed to address an  
          agency's response to a security breach of computerized personal  
          information and the associated consequences caused by the breach  
          of that information.  The act defines "personal information" to  
          mean any information that is maintained by an agency that  
          identifies or describes an individual, including, but not  
          limited to, his or her name, social security number, physical  
          description, home address, home telephone number, education,  
          financial matters, and medical or employment history, and  
          includes statements made by, or attributed to, an individual.   
          (Civ. Code Sec. 1798.3.)  The data breach notification law,  
          which is codified within the act, uses a different definition of  
          personal information that extends to data which may not, in  
          isolation, be personally identifiable, such as a username and  
          password to an online account.  The difference between these two  
          definitions of "personal information" in the act may lead to  
          confusion as agencies prepare their data breach response plans,  
          or may lead to inconsistent agency responses for breaches  
          involving sensitive information that falls within both of these  
          definitions.

          To provide clarity to responsible agencies, and to ensure breach  
          response plans address all sensitive information subject to the  
          Information Practices Act that is held by these agencies, the  
          author offers the following amendment to incorporate both  
          definitions of "personal information" into the scope of SB 1444.

             Author's Amendment
             
            On page 3, following line 27, insert: "For the purposes of  
            this section, the term "personal information" includes  
            information described in Civil Code Section 1798.3(a) and  
            Civil Code Section 1798.29(g).

          --------------------------
          <1> For example, the data breach notification law requires  
          certain businesses and individuals to offer appropriate identity  
          theft prevention and mitigation services after a data breach  
          occurs.  See Civil Code Section 1798.82(d).


          Support:  None Known

          Opposition:  None Known

                                        HISTORY
           
          Source:  Author

          Related Pending Legislation:

          SB 949 (Jackson, 2016) authorizes the Governor to require owners  
          and operators of critical infrastructure to submit critical  
          infrastructure information, as defined, to the Office of  
          Emergency Services in order to better understand security  
          problems and interdependencies related to critical  
          infrastructure, so as to ensure the availability, integrity, and  
          reliability of that critical infrastructure, and to help  
          prevent, detect, mitigate, or recover from the effects of an  
          interference, compromise, or incapacitation problem related to  
          critical infrastructure.  This bill is pending in the Senate  
          Committee on Governmental Organization.

          AB 259 (Dababneh, 2015) would require an agency, if the agency  
          was the source of a breach and the breach compromised a person's  
          social security number, driver's license number, or California  
          identification card number, to offer the person identity theft  
          prevention and mitigation services at no cost for not less than  
          12 months.  This bill is pending in the Senate Appropriations  
          Committee.

          AB 1841 (Irwin, 2016) requires the Office of Emergency Services  
          to develop a Cyber Security Annex to the State Emergency Plan,  
          as specified, and to develop a comprehensive cybersecurity  
          strategy setting standards for state agencies to prepare for  
          cybersecurity interference with critical infrastructure.  This  
          bill is pending in the Assembly Committee on Privacy and  
          Consumer Protection.


          Prior Legislation:

          SB 570 (Jackson, Ch. 543, Stats. 2015) modified existing data  
          breach notification requirement for agencies and persons or  
          businesses conducting business in California that own or license  
          computerized data that includes personal information.   
          Specifically, this bill required these entities, in the event of  
          a data breach, to provide affected individuals with a notice  
          entitled "Notice of Data Breach," in which required content is  
          presented under the following headings: "What Happened," "What  
          Information Was Involved," "What We Are Doing," "What You Can  
          Do," and "For More Information."  This bill stated that  
          additional information may be provided to supplement the  
          required notice, and provided a model security breach  
          notification form that entities may use to comply with  
          formatting requirements.  This bill also clarified the  
          requirements for providing substitute notice of a data breach,  
          and made other technical and clarifying changes to the data  
          breach notification law.

          AB 964 (Chau, Ch. 522, Stats. 2015) defined "encrypted" as used  
          in California's data breach notification law to mean rendered  
          unusable, unreadable, or indecipherable to an unauthorized  
          person through a security technology or methodology generally  
          accepted in the field of information security.

          AB 1710 (Dickinson, Ch. 855, Stats. 2014) amended California's  
          data breach notification law to require a person or business to  
          offer appropriate identity theft prevention and mitigation  
          services to an affected person at no cost for not less than 12  
          months if the person or business was the source of a data  
          breach.  AB 1710 also prohibited the sale, advertisement for  
          sale, or offer to sell an individual's social security number.

          SB 46 (Corbett, Ch. 396, Stats. 2013) revised the data elements  
          included within the definition of personal information under  
          California's data breach notification law by adding certain  
          information that would permit access to an online account, and  
          imposed additional requirements on the disclosure of a breach of  
          the security of the system or data in situations where the  
          breach involves personal information that would permit access to  
          an online or email account.

          AB 1149 (Campos, Ch. 395, Stats. 2013) expanded existing  
          disclosure requirements concerning breaches of computerized data  
          owned or licensed by state agencies to "local agencies" as  
          defined by Government Code Section 6252(a).  AB 1149 also made  
          certain technical corrections to the data breach notification  
          law.

          SB 24 (Simitian, Ch. 197, Stats. 2011) required, among other  
          things, any agency, person, or business that is required to  
          issue a security breach notification to more than 500 California  
          residents to electronically submit a single sample copy of that  
          security breach notification to the Attorney General.

          AB 1298 (Jones, Ch. 699, Stats. 2007), among other things, added  
          medical information and health insurance information to data  
          elements that, when combined with the individual's name, would  
          constitute personal information requiring disclosure when  
          acquired, or believed to be acquired, by an unauthorized person  
          due to a security breach.

          AB 1950 (Wiggins, Ch. 877, Stats. 2004) required a business that  
          owns or licenses personal information about a California  
          resident to implement and maintain reasonable security  
          procedures and practices to protect that personal information  
          from unauthorized access, destruction, use, modification, or  
          disclosure.  AB 1950 also required a business that discloses  
          personal information to a nonaffiliated third party to require  
          by contract that those entities maintain reasonable security  
          procedures.

          SB 1386 (Peace, Ch. 915, Stats. 2002) enacted California's data  
          breach notification law and required a state agency, or a person  
          or business that conducts business in California, that owns or  
          licenses computerized data that includes personal information to  
          disclose any breach of the security of the data to California  
          residents whose unencrypted personal information was, or is  
          reasonably believed to have been, acquired by an unauthorized  
          person.  SB 1386 permitted notifications to be delayed if a law  
          enforcement agency determines that it would impede a criminal  
          investigation, and required an agency, person, or business that  
          maintains computerized data that includes personal information  
          owned by another to notify the owner or licensee of the  
          information of any breach of security of the data.

                                   **************