BILL ANALYSIS
SENATE COMMITTEE ON APPROPRIATIONS
Senator Ricardo Lara, Chair
2015 - 2016 Regular Session
SB 1444 (Hertzberg) - State government: computerized personal
information security plans
-----------------------------------------------------------------
|Version: April 19, 2016         |Policy Vote: JUD. 6 - 0         |
|Urgency: No                     |Mandate: No                     |
|Hearing Date: May 2, 2016       |Consultant: Jolie Onodera       |
-----------------------------------------------------------------
This bill meets the criteria for referral to the Suspense File.
Bill Summary: SB 1444 would require state agencies that own or
license computerized data that includes personal information to
prepare a security plan that meets certain minimum requirements
and details the agency's strategy to respond to a security
breach, as specified.
Fiscal Impact: Varying levels of impact from minor to significant to
various state agencies, dependent on the information security
policies and procedures currently in place.
Department of Technology, DMV, and EDD: Minor, absorbable
costs, as the requirements in the bill are largely consistent
with each agency's current information security procedures and
policies.
Department of Justice (DOJ): One-time costs of less than
$100,000 (General Fund) to develop the security plan. Ongoing
costs of $150,000 (General Fund) to conduct trainings of
personnel in performing the associated tasks, perform mock
security response drills, and ensure accurate inventory
controls of personal data.
Department of Corrections and Rehabilitation (CDCR): Ongoing
costs potentially in excess of $250,000 (General Fund) to
implement an incident response team as required under the
bill.
Air Resources Board (ARB): Potentially significant one-time costs
to inventory all computerized personal information.
Background: Existing law requires state agencies, local agencies, and
businesses to notify residents when the security of their
computerized personal information has been breached. Existing
law requires breach notifications to be made in the most
expedient time possible without unreasonable delay, and
specifies certain information that must be included in these
notices. This breach notification requirement ensures that
residents are made aware of a breach, thus allowing them to take
appropriate action to mitigate or prevent potential financial
losses due to fraudulent activity. (Civil Code §§ 1798.29,
1798.82.)
California's requirement to notify affected individuals of a
data breach has highlighted the prevalence of data insecurity
across entities, and has motivated businesses and agencies to
invest additional resources toward securing data stored within
their computer networks. The Attorney General's most recent
annual report provides the following summary:
In the past four years, the Attorney General has
received reports on 657 data breaches, affecting a
total of over 49 million records of Californians. In
2012, there were 131 breaches, involving 2.6 million
records of Californians; in 2015, 178 breaches put
over 24 million records at risk. This means that
nearly three in five Californians were victims of a
data breach in 2015 alone. (California Department of
Justice, California Data Breach Report 2012-2015
(Feb. 2016))
This bill seeks to ensure that state agencies have the proper
policies and procedures developed and tested in order to
adequately respond in the event of a security breach of that
agency's computerized personal information.
Proposed Law:
This bill would require a state agency that owns or licenses
computerized data that includes personal information to prepare
a computerized personal information security plan that details
the agency's strategy to respond to a security breach of
computerized personal information and associated consequences
caused by the disclosed personal information.
This bill requires a computerized personal information security
plan to include, but not be limited to, all of the following:
- A statement of the purpose and objectives for the plan.
- An inventory of the computerized personal information
  stored or transmitted by the agency.
- Identification of resources necessary to implement the
  plan.
- Identification of an incident response team tasked with
  mitigating and responding to a breach, or an imminent
  threat of a breach, to the security of computerized
  personal information.
- Procedures for communications within the incident
  response team and between the incident response team, other
  individuals within the agency, and individuals outside the
  agency that need to be notified in the event of a breach of
  the security of computerized personal information.
- Policies for training the incident response team and the
  agency on the implementation of the computerized personal
  information security plan, including, but not limited to,
  the use of practice drills.
- A process to review and improve the computerized
  personal information security plan.
This bill provides that for purposes of this section, "personal
information" includes information described in Civil Code §§
1798.3(a) and 1798.29(g).
This bill makes related uncodified legislative findings and
declarations.
Related Legislation: AB 259 (Dababneh) 2015 would require an agency, if
the agency was the source of a breach and the breach compromised
a person's social security number, driver's license number, or
California identification card number, to offer the person
identity theft prevention and mitigation services at no cost for
not less than 12 months. This bill was held on the Suspense File
of this Committee.
AB 1841 (Irwin) 2016 requires the Office of Emergency Services
to develop a Cyber Security Annex to the State Emergency Plan,
as specified, and to develop a comprehensive cybersecurity
strategy setting standards for state agencies to prepare for
cybersecurity interference with critical infrastructure. This
bill is pending in the Assembly Committee on Appropriations.
Staff Comments: By requiring all state agencies to prepare security
plans meeting specified requirements that detail the response
strategies to security breaches of computerized personal
information, this bill could result in additional one-time and
ongoing costs to state agencies. The impact to each state agency
will vary widely, dependent on the existing information security
policies and procedures currently in place at each agency, and
the additional workload necessary to achieve compliance with the
minimum standards outlined in this measure.
For example, both the DMV and EDD have indicated minor,
absorbable costs resulting from this bill, as the requirements
are largely consistent with each agency's current information
security procedures and policies. The DOJ, ARB, and the CDCR, on
the other hand, have indicated potential costs to ensure
security plans meet the intended goals, and ensure accurate
inventory controls of personal data.
Staff notes that this bill would not require local agencies to
develop the security plans it calls for. The
Information Practices Act of 1977, unless otherwise specified,
applies only to state agencies. The act specifically excludes
the Legislature, agencies established under Article VI of the
California Constitution (the judicial branch), the State
Compensation Insurance Fund, and local agencies, from most of
its provisions. (See Civ. Code Sec. 1798.3(b).) Consequently,
local agencies would not be required to prepare breach response
plans as directed by this bill, and may remain unprepared to
respond to a breach even if this bill were chaptered.
-- END --