BILL ANALYSIS
SENATE JUDICIARY COMMITTEE
Senator Hannah-Beth Jackson, Chair
2015-2016 Regular Session
SB 1444 (Hertzberg)
Version: March 31, 2016
Hearing Date: April 12, 2016
Fiscal: Yes
Urgency: No
SUBJECT
State Government: Computerized Personal Information Security Plans
DESCRIPTION
This bill requires state agencies that own or license
computerized data that includes personal information to prepare
a security plan that details the agency's strategy to respond to
a security breach of that information and its associated
consequences. The bill lists certain minimum requirements to be
included in an agency's security plan, including a requirement
to inventory personal information stored or transmitted by the
agency and procedures for facilitating communication between an
incident response team, agency officials, and individuals
affected by a breach.
BACKGROUND
In 2003, California's first-in-the-nation security breach
notification law went into effect. (See Civ. Code Secs.
1798.29(a), 1798.82(a).) Since that time, all but three states
have enacted similar security breach notification laws, and
governments around the world have or are considering enacting
such laws. California's breach notification statute requires
state agencies, local agencies, and businesses to notify
residents when the security of their computerized personal
information is breached. Existing law requires breach
notifications to be made in the most expedient time possible
without unreasonable delay, and specifies certain information
that must be included in these notices. This breach
notification requirement ensures that residents are made aware
of a breach, thus allowing them to take appropriate action to
mitigate or prevent potential financial losses due to fraudulent
activity.
California's requirement to notify affected individuals of a
data breach has had the effect of highlighting data insecurity
as a matter for public concern, and has motivated businesses and
agencies to invest additional resources toward securing data
stored within their computer networks. However, despite the
data breach notification law's positive impact, data breaches
have increased in frequency and magnitude since the law took
effect. The Attorney General's most recent report on California
data breaches offers the following summary:
In the past four years, the Attorney General has received
reports on 657 data breaches, affecting a total of over 49
million records of Californians. In 2012, there were 131
breaches, involving 2.6 million records of Californians; in
2015, 178 breaches put over 24 million records at risk. This
means that nearly three in five Californians were victims of a
data breach in 2015 alone. (California Department of Justice,
California Data Breach Report 2012-2015 (Feb. 2016)
[as of Apr. 1, 2016].)
Unfortunately, victims of data breach are much more likely to
become victims of fraud and identity theft. The Attorney
General's data breach report notes that "[i]n 2014, 67 percent
of breach victims in the U.S. were also victims of fraud,
compared to just 25 percent of all consumers." (Id. [citations
omitted].)
Two years ago, the Legislature passed AB 1710 (Dickinson, Ch.
855, Stats. 2014) which amended California's data breach
notification law to require a person or business to offer
appropriate identity theft prevention and mitigation services to
an affected person at no cost for not less than 12 months if the
person or business was the source of a data breach. AB 1710
required such services to be offered only if the breach
compromised an individual's first name or first initial and last
name along with their social security number, driver's license
number, or California identification card number. AB 1710 did
not impose a parallel requirement on state and local agencies
that are the source of a data breach.
This bill would require state agencies that own or license
computerized data that includes personal information to prepare
a computerized personal information security plan that details
the agency's strategy to respond to a security breach of that
information and associated consequences caused by the disclosed
personal information. This bill specifies that a computerized
personal information security plan shall include, at a minimum,
the following elements:
a statement of the purpose and objectives for the plan;
an inventory of the computerized personal information stored
or transmitted by the agency;
identification of resources necessary to implement the plan;
identification of an incident response team tasked with
mitigating and responding to a breach, or an imminent threat
of a breach, to the security of computerized personal
information;
procedures for communications within the incident response
team and between the incident response team, other individuals
within the agency, and individuals outside the agency that
need to be notified in the event of a breach of the security
of computerized personal information;
policies for training the incident response team and the
agency on the implementation of the computerized personal
information security plan, including, but not limited to, the
use of practice drills; and
a process to review and improve the computerized personal
information security plan.
CHANGES TO EXISTING LAW
Existing law, the data breach notification law, requires any
agency, person, or business that owns or licenses computerized
data that includes personal information to disclose a breach of
the security of the system to any California resident whose
unencrypted personal information was, or is reasonably believed
to have been, acquired by an unauthorized person. The
disclosure must be made in the most expedient time possible and
without unreasonable delay, consistent with the legitimate needs
of law enforcement, as specified. (Civ. Code Secs. 1798.29(a),
(c) and 1798.82(a), (c).)
Existing law requires any agency, person, or business that
maintains computerized data that includes personal information
that the agency, person, or business does not own to notify the
owner or licensee of the information of any security breach
immediately following discovery if the personal information was,
or is reasonably believed to have been, acquired by an
unauthorized person. (Civ. Code Secs. 1798.29(b), 1798.82(b).)
Existing law defines "personal information," for purposes of the
breach notification statute, to include either a user name or
email address, in combination with a password or security
question and answer that would permit access to an online
account, or the individual's first name or first initial and
last name in combination with one or more of the following data
elements, when either the name or the data elements are not
encrypted: social security number; driver's license number or
California identification card number; account number, credit or
debit card number, in combination with any required security
code, access code, or password that would permit access to an
individual's financial account; medical information; health
insurance information; or information or data collected through
the use or operation of an automated license plate recognition
system. "Personal information" does not include publicly
available information that is lawfully made available to the
general public from federal, state, or local government records.
(Civ. Code Secs. 1798.29(g) and (h); 1798.82(h) and (i).)
Existing law states that if the person or business providing the
notification was the source of the breach, an offer to provide
appropriate identity theft prevention and mitigation services,
if any, shall be provided at no cost to the affected person for
not less than 12 months, along with all information necessary to
take advantage of the offer to any person whose information was
or may have been breached if the breach exposed or may have
exposed an individual's first name or first initial and last
name along with their social security number, driver's license
number, or California identification card number. (Civ. Code
Sec. 1798.82(d).)
Existing law, the Information Practices Act of 1977, states that
each state agency shall maintain in its records only personal
information which is relevant and necessary to accomplish a
purpose of the agency required or authorized by the California
Constitution or statute or mandated by the federal government.
(Civ. Code Sec. 1798.14.)
Existing law requires each agency to establish appropriate and
reasonable administrative, technical, and physical safeguards to
ensure compliance with the provisions of the Information
Practices Act of 1977, to ensure the security and
confidentiality of records, and to protect against anticipated
threats or hazards to their security or integrity which could
result in any injury. (Civ. Code Sec. 1798.21.)
Existing law defines "personal information," for purposes of the
Information Practices Act of 1977, to mean any information that
is maintained by an agency that identifies or describes an
individual, including, but not limited to, his or her name,
social security number, physical description, home address, home
telephone number, education, financial matters, and medical or
employment history, and includes statements made by, or
attributed to, an individual. (Civ. Code Sec. 1798.3(a).)
This bill requires an agency that owns or licenses computerized
data that includes personal information to prepare a
computerized personal information security plan that details the
agency's strategy to respond to a security breach of
computerized personal information and associated consequences
caused by the disclosed personal information.
This bill specifies that a computerized personal information
security plan shall include, but shall not be limited to, all of
the following:
a statement of the purpose and objectives for the plan;
an inventory of the computerized personal information stored
or transmitted by the agency;
identification of resources necessary to implement the plan;
identification of an incident response team tasked with
mitigating and responding to a breach, or an imminent threat
of a breach, to the security of computerized personal
information;
procedures for communications within the incident response
team and between the incident response team, other individuals
within the agency, and individuals outside the agency that
need to be notified in the event of a breach of the security
of computerized personal information;
policies for training the incident response team and the
agency on the implementation of the computerized personal
information security plan, including, but not limited to, the
use of practice drills; and
a process to review and improve the computerized personal
information security plan.
This bill makes related findings and declarations.
COMMENT
1. Stated need for the bill
The author writes:
Earlier this year, the IRS revealed that hackers had been able
to use stolen social security numbers to get general E-file
PINs for 101,000 people. While the IRS says it stopped the
attack, stealing PINs potentially allows criminals to claim
the refunds owed to legitimate taxpayers. Government and
public health facilities are at high risk for data security
breaches. According to a recent report by the California
Attorney General, last year 178 breaches placed 24 million
records of Californians at risk. This means that as many as
three in five Californians may have been victims of a data
breach. In July 2015, the UCLA Health System suffered a
cyberattack that exposed the names, dates of birth, social
security numbers, and some medical procedures for 4.5 million
patients. It took eight months to determine that the system
had been hacked and two more months to notify patients that
their information had been exposed.
Under current law, state agencies are required to establish
reasonable safeguards to ensure the security and
confidentiality of records containing personal information and
to protect against anticipated threats to the security or
integrity of the records. They may only maintain records with
personal information that is relevant and necessary to
accomplish a purpose authorized by state or federal law.
Nevertheless, real threats of breach jeopardize these records
and state agencies should have plans in place to respond.
This bill requires state agencies that own or license
computerized data that includes personal information to
prepare mitigation and response plans for breach of the
database that contains the personal information.
2. Right to privacy and agency breaches
California recognizes the right to privacy as a fundamental
right and has enshrined that right along with other fundamental
rights in article I, section 1 of the California Constitution.
The harm that can result from the theft of personal information
via a data breach threatens to undermine that fundamental right.
Unfortunately, because of the size of its economy and the sheer
number of its consumers, data held by California businesses and
government agencies is frequently targeted by cyber criminals.
The Attorney General's 2014 California Data Breach Report found
that in 2012, "17 percent of the data breaches recorded in the
United States took place in California - more than any other
state" and that "the number of reported breaches in California
increased by 28 percent in 2013." (California Department of
Justice, California Data Breach Report (Oct. 2014)
[as of Apr. 1, 2016].) The frequency
of data breaches in California and the threat that such breaches
pose to California residents makes timely and effective response
to a breach, and the ability to mitigate potential damages
resulting from the breach, matters of critical importance.
Recent data breaches show that government agencies are just as
vulnerable as businesses to breaches that expose the personal
information of California residents. In March of 2014, for
example, the California Department of Motor Vehicles reported
that its system for processing online credit card transactions
may have been breached, potentially compromising millions of
credit card numbers, expiration dates and credit card security
codes. (See Kate Mather and Carla Rivera, California DMV
Probing Possible Breach of Customer Credit Cards, Los Angeles
Times (Mar. 22, 2014)
[as of Apr. 1, 2016].) More recently, the federal
Office of Personnel Management suffered a massive data breach
that revealed the personal information -- and in some cases the
fingerprints -- of approximately 21.5 million individuals,
including many with secret-level security clearances. (See
James Eng, OPM Hack: Government Finally Starts Notifying 21.5
Million Victims, NBC News (Oct. 1, 2015)
[as of Apr. 1, 2016].)
When breaches do occur, a rapid and effective response is
crucial toward mitigating the impact to affected individuals.
This bill would assist state agencies in executing a rapid and
effective response in the wake of a breach by requiring these
agencies to formulate a breach response plan before an incident
occurs. Many of the specific elements required by SB 1444 to be
in a breach response plan, such as identifying resources
necessary to carry out the plan or establishing procedures to
carry out communications between plan participants, take time to
sort out. If an agency waits until a data breach to address
these critical elements of its breach response, time will be
lost and damage that could have been avoided will occur.
3. Limited to state agencies
It should be noted that SB 1444, as an amendment to the
Information Practices Act of 1977, would not require local
agencies to develop computerized personal information security
plans as called for in this bill. The Information Practices Act
of 1977, unless otherwise specified, applies only to state
agencies. The act specifically excludes the Legislature,
agencies established under Article VI of the California
Constitution (the judicial branch), the State Compensation
Insurance Fund, and local agencies, from most of its provisions.
(See Civ. Code Sec. 1798.3(b).) Consequently, local agencies
would not be required to prepare breach response plans as
directed by this bill, and may remain unprepared to respond to a
breach even if this bill were chaptered.
4. Duty to safeguard personal information
Under existing law, both state agencies and private businesses
have a duty to protect personal information entrusted to their
care from a data breach. The Information Practices Act of 1977
states that agencies "shall establish appropriate and reasonable
administrative, technical, and physical safeguards to ensure
compliance with the provisions of [the act], to ensure the
security and confidentiality of records, and to protect against
anticipated threats or hazards to their security or integrity
which could result in any injury." (Civ. Code Sec. 1798.21.)
Civil Code Section 1798.81.5(b) similarly states that "[a]
business that owns, licenses, or maintains personal information
about a California resident shall implement and maintain
reasonable security procedures and practices appropriate to the
nature of the information, to protect the personal information
from unauthorized access, destruction, use, modification, or
disclosure." (Civ. Code Sec. 1798.81.5(b).) Contrasting with
these existing duties that focus primarily on safeguarding
information from a data breach, SB 1444 makes explicit the
responsibility of state agencies to mitigate impacts after a
data breach has occurred by developing a breach response plan.
While the duty to mitigate the effects of a breach might already
be the legal responsibility of businesses and agencies that
possess personal information under existing law,<1> this bill
clarifies that agencies have a responsibility to develop a
breach response plan in advance of an incident as part of their
stewardship of personal information.
5. Clarifying amendment regarding "personal information"
SB 1444 amends the Information Practices Act of 1977 to
explicitly require agencies to develop data breach response
plans. These agency response plans are directed to address an
agency's response to a security breach of computerized personal
information and the associated consequences caused by the breach
of that information. The act defines "personal information" to
mean any information that is maintained by an agency that
identifies or describes an individual, including, but not
limited to, his or her name, social security number, physical
description, home address, home telephone number, education,
financial matters, and medical or employment history, and
includes statements made by, or attributed to, an individual.
(Civ. Code Sec. 1798.3.) The data breach notification law,
which is codified within the act, uses a different definition of
personal information that extends to data which may not, in
isolation, be personally identifiable, such as a username and
password to an online account. The difference between these two
definitions of "personal information" in the act may lead to
confusion as agencies prepare their data breach response plans,
or may lead to inconsistent agency responses for breaches
involving sensitive information that falls within both of these
definitions.
To provide clarity to responsible agencies, and to ensure breach
response plans address all sensitive information subject to the
Information Practices Act that is held by these agencies, the
author offers the following amendment to incorporate both
definitions of "personal information" into the scope of SB 1444.
Author's Amendment
On page 3, following line 27, insert: "For the purposes of
this section, the term "personal information" includes
information described in Civil Code Section 1798.3(a) and
Civil Code Section 1798.29(g)."
--------------------------
<1> For example, the data breach notification law requires
certain businesses and individuals to offer appropriate identity
theft prevention and mitigation services after a data breach
occurs. See Civil Code Section 1798.82(d).
Support: None Known
Opposition: None Known
HISTORY
Source: Author
Related Pending Legislation:
SB 949 (Jackson, 2016) authorizes the Governor to require owners
and operators of critical infrastructure to submit critical
infrastructure information, as defined, to the Office of
Emergency Services in order to better understand security
problems and interdependencies related to critical
infrastructure, so as to ensure the availability, integrity, and
reliability of that critical infrastructure, and to help
prevent, detect, mitigate, or recover from the effects of an
interference, compromise, or incapacitation problem related to
critical infrastructure. This bill is pending in the Senate
Committee on Governmental Organization.
AB 259 (Dababneh, 2015) would require an agency, if the agency
was the source of a breach and the breach compromised a person's
social security number, driver's license number, or California
identification card number, to offer the person identity theft
prevention and mitigation services at no cost for not less than
12 months. This bill is pending in the Senate Appropriations
Committee.
AB 1841 (Irwin, 2016) requires the Office of Emergency Services
to develop a Cyber Security Annex to the State Emergency Plan,
as specified, and to develop a comprehensive cybersecurity
strategy setting standards for state agencies to prepare for
cybersecurity interference with critical infrastructure. This
bill is pending in the Assembly Committee on Privacy and
Consumer Protection.
Prior Legislation:
SB 570 (Jackson, Ch. 543, Stats. 2015) modified existing data
breach notification requirement for agencies and persons or
businesses conducting business in California that own or license
computerized data that includes personal information.
Specifically, this bill requires these entities, in the event of
a data breach, to provide affected individuals with a notice
entitled "Notice of Data Breach," in which required content is
presented under the following headings: "What Happened," "What
Information Was Involved," "What We Are Doing," "What You Can
Do," and "For More Information." This bill states that
additional information may be provided to supplement the
required notice, and provides a model security breach
notification form that entities may use to comply with
formatting requirements. This bill also clarified the
requirements for providing substitute notice of a data breach,
and made other technical and clarifying changes to the data
breach notification law.
AB 964 (Chau, Ch. 522, Stats. 2015) defined "encrypted" as used
in California's data breach notification law to mean rendered
unusable, unreadable, or indecipherable to an unauthorized
person through a security technology or methodology generally
accepted in the field of information security.
AB 1710 (Dickinson, Ch. 855, Stats. 2014) amended California's
data breach notification law to require a person or business to
offer appropriate identity theft prevention and mitigation
services to an affected person at no cost for not less than 12
months if the person or business was the source of a data
breach. AB 1710 also prohibited the sale, advertisement for
sale, or offer to sell an individual's social security number.
SB 46 (Corbett, Ch. 396, Stats. 2013) revised the data elements
included within the definition of personal information under
California's data breach notification law by adding certain
information that would permit access to an online account, and
imposed additional requirements on the disclosure of a breach of
the security of the system or data in situations where the
breach involves personal information that would permit access to
an online or email account.
AB 1149 (Campos, Ch. 395, Stats. 2013) expanded existing
disclosure requirements concerning breaches of computerized data
owned or licensed by state agencies to "local agencies" as
defined by Government Code Section 6252(a). AB 1149 also made
certain technical corrections to the data breach notification
law.
SB 24 (Simitian, Ch. 197, Stats. 2011) required, among other
things, any agency, person, or business that is required to
issue a security breach notification to more than 500 California
residents to electronically submit a single sample copy of that
security breach notification to the Attorney General.
AB 1298 (Jones, Ch. 699, Stats. 2007), among other things, added
medical information and health insurance information to data
elements that, when combined with the individual's name, would
constitute personal information requiring disclosure when
acquired, or believed to be acquired, by an unauthorized person
due to a security breach.
AB 1950 (Wiggins, Ch. 877, Stats. 2004) required a business that
owns or licenses personal information about a California
resident to implement and maintain reasonable security
procedures and practices to protect that personal information
from unauthorized access, destruction, use, modification, or
disclosure. AB 1950 also required a business that discloses
personal information to a nonaffiliated third party to require
by contract that those entities maintain reasonable security
procedures.
SB 1386 (Peace, Ch. 915, Stats. 2002) enacted California's data
breach notification law and required a state agency, or a person
or business that conducts business in California, that owns or
licenses computerized data that includes personal information to
disclose any breach of the security of the data to California
residents whose unencrypted personal information was, or is
reasonably believed to have been, acquired by an unauthorized
person. SB 1386 permitted notifications to be delayed if a law
enforcement agency determines that it would impede a criminal
investigation, and required an agency, person, or business that
maintains computerized data that includes personal information
owned by another to notify the owner or licensee of the
information of any breach of security of the data.