BILL ANALYSIS                                                                                                                                                                                                    



          SENATE COMMITTEE ON APPROPRIATIONS
                             Senator Ricardo Lara, Chair
                            2015 - 2016  Regular  Session

          SB 1444 (Hertzberg) - State government:  computerized personal  
          information security plans
          
           ----------------------------------------------------------------- 
          |                                                                 |
          |                                                                 |
          |                                                                 |
           ----------------------------------------------------------------- 
          |--------------------------------+--------------------------------|
          |                                |                                |
          |Version: April 19, 2016         |Policy Vote: JUD. 6 - 0         |
          |                                |                                |
          |--------------------------------+--------------------------------|
          |                                |                                |
          |Urgency: No                     |Mandate: No                     |
          |                                |                                |
          |--------------------------------+--------------------------------|
          |                                |                                |
          |Hearing Date: May 2, 2016       |Consultant: Jolie Onodera       |
          |                                |                                |
           ----------------------------------------------------------------- 


          This bill meets the criteria for referral to the Suspense File.


          Bill  
          Summary:  SB 1444 would require state agencies that own or  
          license computerized data that includes personal information to  
          prepare a security plan that meets certain minimum requirements  
          and details the agency's strategy to respond to a security  
          breach, as specified.


          Fiscal  
          Impact:  Varying levels of impact from minor to significant to  
          various state agencies, dependent on the information security  
          policies and procedures currently in place.
            Department of Technology, DMV, and EDD :  Minor, absorbable  
            costs, as the requirements in the bill are largely consistent  
            with each agency's current information security procedures and  
            policies. 
            Department of Justice (DOJ) :  One-time costs of less than  
            $100,000 (General Fund) to develop the security plan. Ongoing  
            costs of $150,000 (General Fund) to conduct trainings of  







          SB 1444 (Hertzberg)                                    Page 1 of  
          ?
          
          
            personnel in performing the associated tasks, perform mock  
            security response drills, and ensure accurate inventory  
            controls of personal data. 
            Department of Corrections and Rehabilitation (CDCR)  :  Ongoing  
            costs potentially in excess of $250,000 (General Fund) to  
            implement an incident response team as required under the  
            bill. 
            Air Resources Board  :  Potentially significant one-time costs  
            to inventory all computerized personal information.


          Background:  Existing law requires state agencies, local agencies, and  
          businesses to notify residents when the security of their  
          computerized personal information has been breached. Existing  
          law requires breach notifications to be made in the most  
          expedient time possible without unreasonable delay, and  
          specifies certain information that must be included in these  
          notices. This breach notification requirement ensures that  
          residents are made aware of a breach, thus allowing them to take  
          appropriate action to mitigate or prevent potential financial  
          losses due to fraudulent activity. (Civil Code  1798.29,  
          1798.82.) 
          California's requirement to notify affected individuals of a  
          data breach has highlighted the prevalence of data insecurity  
          across entities, and has motivated businesses and agencies to  
          invest additional resources toward securing data stored within  
          their computer networks. The Attorney General's most recent  
          annual report provides the following summary: 


              In the past four years, the Attorney General has  
              received reports on 657 data breaches, affecting a  
              total of over 49 million records of Californians. In  
              2012, there were 131 breaches, involving 2.6 million  
              records of Californians; in 2015, 178 breaches put  
              over 24 million records at risk. This means that  
              nearly three in five Californians were victims of a  
              data breach in 2015 alone. (California Department of  
              Justice, California Data Breach Report 2012-2015  
              (Feb. 2016) )


          This bill seeks to ensure that state agencies have the proper  
          policies and procedures developed and tested in order to  








          SB 1444 (Hertzberg)                                    Page 2 of  
          ?
          
          
          adequately respond in the event of a security breach of that  
          agency's computerized personal information.




          Proposed Law:  
           This bill would require a state agency that owns or licenses  
          computerized data that includes personal information to prepare  
          a computerized personal information security plan that details  
          the agency's strategy to respond to a security breach of  
          computerized personal information and associated consequences  
          caused by the disclosed personal information. 

          This bill requires a computerized personal information security  
          plan to include, but not be limited to, all of the following:
                 A statement of the purpose and objectives for the plan.
                 An inventory of the computerized personal information  
               stored or transmitted by the agency.
                 Identification of resources necessary to implement the  
               plan.
                 Identification of an incident response team tasked with  
               mitigating and responding to a breach, or an imminent  
               threat of a breach, to the security of computerized  
               personal information.
                 Procedures for communications within the incident  
               response team and between the incident response team, other  
               individuals within the agency, and individuals outside the  
               agency that need to be notified in the event of a breach of  
               the security of computerized personal information.
                 Policies for training the incident response team and the  
               agency on the implementation of the computerized personal  
               information security plan, including, but not limited to,  
               the use of practice drills.
                 A process to review and improve the computerized  
               personal information security plan.

          This bill provides that for purposes of this section, "personal  
          information" includes information described in Civil Code   
          1798.3(a) and 1798.29(g).

          This bill makes related uncodified legislative findings and  
          declarations.









          SB 1444 (Hertzberg)                                    Page 3 of  
          ?
          
          

          Related  
          Legislation:  AB 259 (Dababneh) 2015 would require an agency, if  
          the agency was the source of a breach and the breach compromised  
          a person's social security number, driver's license number, or  
          California identification card number, to offer the person  
          identity theft prevention and mitigation services at no cost for  
          not less than 12 months. This bill was held on the Suspense File  
          of this Committee. 
          AB 1841 (Irwin) 2016 requires the Office of Emergency Services  
          to develop a Cyber Security Annex to the State Emergency Plan,  
          as specified, and to develop a comprehensive cybersecurity  
          strategy setting standards for state agencies to prepare for  
          cybersecurity interference with critical infrastructure. This  
          bill is pending in the Assembly Committee on Appropriations.


          Staff  
          Comments:  By requiring all state agencies to prepare security  
          plans meeting specified requirements that detail the response  
          strategies to security breaches of computerized personal  
          information, this bill could result in additional one-time and  
          ongoing costs to state agencies. The impact to each state agency  
          will vary widely, dependent on the existing information security  
          policies and procedures currently in place at each agency, and  
          the additional workload necessary to achieve compliance with the  
          minimum standards outlined in this measure.
          For example, both the DMV and EDD have indicated minor,  
          absorbable costs resulting from this bill, as the requirements  
          are largely consistent with each agency's current information  
          security procedures and policies. The DOJ, ARB, and the CDCR, on  
          the other hand, have indicated potential costs to ensure  
          security plans meet the intended goals, and ensure accurate  
          inventory controls of personal data. 


          Staff notes this bill would not require local agencies to  
          develop security plans as called for in this bill. The  
          Information Practices Act of 1977, unless otherwise specified,  
          applies only to state agencies. The act specifically excludes  
          the Legislature, agencies established under Article VI of the  
          California Constitution (the judicial branch), the State  
          Compensation Insurance Fund, and local agencies, from most of  
          its provisions. (See Civ. Code Sec. 1798.3(b).) Consequently,  








          SB 1444 (Hertzberg)                                    Page 4 of  
          ?
          
          
          local agencies would not be required to prepare breach response  
          plans as directed by this bill, and may remain unprepared to  
          respond to a breach even if this bill were chaptered.




                                      -- END --