BILL ANALYSIS
-----------------------------------------------------------------
SENATE RULES COMMITTEE                                   SB 1444
Office of Senate Floor Analyses
(916) 651-1520   Fax: (916) 327-4478
-----------------------------------------------------------------
THIRD READING
Bill No: SB 1444
Author: Hertzberg (D)
Amended: 4/19/16
Vote: 21
SENATE JUDICIARY COMMITTEE: 6-0, 4/12/16
AYES: Jackson, Moorlach, Hertzberg, Leno, Monning, Wieckowski
NO VOTE RECORDED: Anderson
SENATE APPROPRIATIONS COMMITTEE: 7-0, 5/27/16
AYES: Lara, Bates, Beall, Hill, McGuire, Mendoza, Nielsen
SUBJECT: State government: computerized personal information
security plans
SOURCE: Author
DIGEST: This bill requires state agencies that own or license
computerized data that includes personal information to prepare
a security plan that details the agency's strategy to respond to
a security breach of that information and its associated
consequences. This bill lists certain minimum requirements to
be included in an agency's security plan, including a
requirement to inventory personal information stored or
transmitted by the agency and procedures for facilitating
communication between an incident response team, agency
officials, and individuals affected by a breach.
ANALYSIS:
Existing law:
1)Requires any agency, person, or business that owns or licenses
computerized data that includes personal information to
disclose a breach of the security of the system to any
California resident whose unencrypted personal information
was, or is reasonably believed to have been, acquired by an
unauthorized person. The disclosure must be made in the most
expedient time possible and without unreasonable delay,
consistent with the legitimate needs of law enforcement, as
specified. (Civ. Code Secs. 1798.29(a), (c) and 1798.82(a),
(c).)
2)Requires any agency, person, or business that maintains
computerized data that includes personal information that the
agency, person, or business does not own to notify the owner
or licensee of the information of any security breach
immediately following discovery if the personal information
was, or is reasonably believed to have been, acquired by an
unauthorized person. (Civ. Code Secs. 1798.29(b),
1798.82(b).)
3)Defines "personal information," for purposes of the breach
notification statute, to include either a user name or email
address, in combination with a password or security question
and answer that would permit access to an online account, or
the individual's first name or first initial and last name in
combination with one or more of the following data elements,
when either the name or the data elements are not encrypted:
social security number; driver's license number or California
identification card number; account number, credit or debit
card number, in combination with any required security code,
access code, or password that would permit access to an
individual's financial account; medical information; health
insurance information; or information or data collected
through the use or operation of an automated license plate
recognition system. "Personal information" does not include
publicly available information that is lawfully made available
to the general public from federal, state, or local government
records. (Civ. Code Secs. 1798.29(g) and (h); 1798.82(h) and
(i).)
4)States that if the person or business providing the
notification was the source of the breach, an offer to provide
appropriate identity theft prevention and mitigation services,
if any, shall be provided at no cost to the affected person
for not less than 12 months, along with all information
necessary to take advantage of the offer to any person whose
information was or may have been breached if the breach
exposed or may have exposed an individual's first name or
first initial and last name along with their social security
number, driver's license number, or California identification
card number. (Civ. Code Sec. 1798.82(d).)
5)States that each state agency shall maintain in its records
only personal information which is relevant and necessary to
accomplish a purpose of the agency required or authorized by
the California Constitution or statute or mandated by the
federal government. (Civ. Code Sec. 1798.14.)
6)Requires each agency to establish appropriate and reasonable
administrative, technical, and physical safeguards to ensure
compliance with the provisions of the Information Practices
Act of 1977, to ensure the security and confidentiality of
records, and to protect against anticipated threats or hazards
to their security or integrity which could result in any
injury. (Civ. Code Sec. 1798.21.)
7)Defines "personal information," for purposes of the
Information Practices Act of 1977, to mean any information
that is maintained by an agency that identifies or describes
an individual, including, but not limited to, his or her name,
social security number, physical description, home address,
home telephone number, education, financial matters, and
medical or employment history, and includes statements made
by, or attributed to, an individual. (Civ. Code Sec.
1798.3(a).)
This bill:
1)Requires an agency that owns or licenses computerized data
that includes personal information to prepare a computerized
personal information security plan that details the agency's
strategy to respond to a security breach of computerized
personal information and associated consequences caused by the
disclosed personal information.
2)Specifies that a computerized personal information security
plan shall include, but shall not be limited to, all of the
following:
a statement of the purpose and objectives for the plan;
an inventory of the computerized personal information
stored or transmitted by the agency;
identification of resources necessary to implement the
plan;
identification of an incident response team tasked with
mitigating and responding to a breach, or an imminent
threat of a breach, to the security of computerized
personal information;
procedures for communications within the incident
response team and between the incident response team, other
individuals within the agency, and individuals outside the
agency that need to be notified in the event of a breach of
the security of computerized personal information;
policies for training the incident response team and the
agency on the implementation of the computerized personal
information security plan, including, but not limited to,
the use of practice drills; and
a process to review and improve the computerized
personal information security plan.
3)Makes related findings and declarations.
Background
In 2003, California's first-in-the-nation security breach
notification law went into effect. (See Civ. Code Secs.
1798.29(a), 1798.82(a).) Since that time, all but three states
have enacted similar security breach notification laws, and
governments around the world have enacted, or are considering
enacting, such laws. California's breach notification statute requires
state agencies, local agencies, and businesses to notify
residents when the security of their computerized personal
information is breached. Existing law requires breach
notifications to be made in the most expedient time possible
without unreasonable delay, and specifies certain information
that must be included in these notices. This breach
notification requirement ensures that residents are made aware
of a breach, thus allowing them to take appropriate action to
mitigate or prevent potential financial losses due to fraudulent
activity.
California's requirement to notify affected individuals of a
data breach has had the effect of highlighting data insecurity
as a matter for public concern, and has motivated businesses and
agencies to invest additional resources toward securing data
stored within their computer networks. However, despite the
data breach notification law's positive impact, data breaches
have increased in frequency and magnitude since the law took
effect. The Attorney General's most recent report on California
data breaches offers the following summary:
In the past four years, the Attorney General has received
reports on 657 data breaches, affecting a total of over 49
million records of Californians. In 2012, there were 131
breaches, involving 2.6 million records of Californians; in
2015, 178 breaches put over 24 million records at risk. This
means that nearly three in five Californians were victims of a
data breach in 2015 alone. (California Department of Justice,
California Data Breach Report 2012-2015 (Feb. 2016).)
a computerized personal information security plan, as specified,
that details the agency's strategy to respond to a security
breach of that information and associated consequences caused by
the disclosed personal information.
Comments
The author writes:
Earlier this year, the IRS revealed that hackers had been able
to use stolen social security numbers to get general E-file
PINs for 101,000 people. While the IRS says it stopped the
attack, stealing PINs potentially allows criminals to claim
the refunds owed to legitimate taxpayers. Government and
public health facilities are at high risk for data security
breaches. According to a recent report by the California
Attorney General, last year 178 breaches placed 24 million
records of Californians at risk. This means that as many as
three in five Californians may have been victims of a data
breach. In July 2015, the UCLA Health System suffered a
cyberattack that exposed the names, dates of birth, social
security numbers, and some medical procedures for 4.5 million
patients. It took eight months to determine that the system
had been hacked and two more months to notify patients that
their information had been exposed.
Under current law, state agencies are required to establish
reasonable safeguards to ensure the security and
confidentiality of records containing personal information and
to protect against anticipated threats to the security or
integrity of the records. They may only maintain records with
personal information that is relevant and necessary to
accomplish a purpose authorized by state or federal law.
Nevertheless, real threats of breach jeopardize these records
and state agencies should have plans in place to respond.
This bill requires state agencies that own or license
computerized data that includes personal information to
prepare mitigation and response plans for breach of the
database that contains the personal information.
Related/Prior Legislation
SB 949 (Jackson, 2016) authorizes the Governor to require owners
and operators of critical infrastructure to submit critical
infrastructure information, as defined, to the Office of
Emergency Services in order to better understand security
problems and interdependencies related to critical
infrastructure, so as to ensure the availability, integrity, and
reliability of that critical infrastructure, and to help
prevent, detect, mitigate, or recover from the effects of an
interference, compromise, or incapacitation problem related to
critical infrastructure. The bill is pending in the Senate
Committee on Governmental Organization.
AB 1841 (Irwin, 2016) requires the Office of Emergency Services
to develop a Cyber Security Annex to the State Emergency Plan,
as specified, and to develop a comprehensive cybersecurity
strategy setting standards for state agencies to prepare for
cybersecurity interference with critical infrastructure. The
bill is pending in the Assembly Appropriations Committee.
AB 259 (Dababneh, 2015) requires an agency, if the agency was
the source of a breach and the breach compromised a person's
social security number, driver's license number, or California
identification card number, to offer the person identity theft
prevention and mitigation services at no cost for not less than
12 months. The bill is in the Senate Appropriations Committee.
SB 570 (Jackson, Chapter 543, Statutes of 2015) modified the
existing data breach notification requirements for agencies and
persons or businesses conducting business in California that own
or license computerized data that includes personal information.
Specifically, SB 570 requires these entities, in the event
of a data breach, to provide affected individuals with a notice
entitled "Notice of Data Breach," in which required content is
presented under the following headings: "What Happened," "What
Information Was Involved," "What We Are Doing," "What You Can
Do," and "For More Information." The bill states that additional
information may be provided to supplement the required notice,
and provides a model security breach notification form that
entities may use to comply with formatting requirements. The
bill also clarified the requirements for providing substitute
notice of a data breach, and made other technical and clarifying
changes to the data breach notification law.
AB 964 (Chau, Chapter 522, Statutes of 2015) defined "encrypted"
as used in California's data breach notification law to mean
rendered unusable, unreadable, or indecipherable to an
unauthorized person through a security technology or methodology
generally accepted in the field of information security.
AB 1710 (Dickinson, Chapter 855, Statutes of 2014) amended
California's data breach notification law to require a person or
business to offer appropriate identity theft prevention and
mitigation services to an affected person at no cost for not
less than 12 months if the person or business was the source of
a data breach. AB 1710 also prohibited the sale, advertisement
for sale, or offer to sell an individual's social security
number.
AB 1950 (Wiggins, Chapter 877, Statutes of 2004) required a
business that owns or licenses personal information about a
California resident to implement and maintain reasonable
security procedures and practices to protect that personal
information from unauthorized access, destruction, use,
modification, or disclosure. AB 1950 also required a business
that discloses personal information to a nonaffiliated third
party to require by contract that those entities maintain
reasonable security procedures.
SB 1386 (Peace, Chapter 915, Statutes of 2002) enacted
California's data breach notification law and required a state
agency, or a person or business that conducts business in
California, that owns or licenses computerized data that
includes personal information to disclose any breach of the
security of the data to California residents whose unencrypted
personal information was, or is reasonably believed to have
been, acquired by an unauthorized person. SB 1386 permitted
notifications to be delayed if a law enforcement agency
determines that it would impede a criminal investigation, and
required an agency, person, or business that maintains
computerized data that includes personal information owned by
another to notify the owner or licensee of the information of
any breach of security of the data.
FISCAL EFFECT: Appropriation: No    Fiscal Com.: Yes    Local: No
According to the Senate Appropriations Committee, varying levels
of impact from minor to significant to various state agencies,
dependent on the information security policies and procedures
currently in place.
Department of Technology, Department of Motor Vehicles, and
the Employment Development Department: Minor, absorbable
costs, as the requirements in the bill are largely consistent
with each agency's current information security procedures and
policies.
Department of Justice: One-time costs of less than $100,000
(General Fund) to develop the security plan. Ongoing costs of
$150,000 (General Fund) to conduct trainings of personnel in
performing the associated tasks, perform mock security
response drills, and ensure accurate inventory controls of
personal data.
Department of Corrections and Rehabilitation: Ongoing costs
potentially in excess of $250,000 (General Fund) to implement
an incident response team as required under the bill.
Air Resources Board: Potentially significant one-time costs
to inventory all computerized personal information.
SUPPORT: (Verified 5/27/16)
None received
OPPOSITION: (Verified 5/27/16)
None received
Prepared by: Tobias Halvarson / JUD. / (916) 651-4113
5/30/16 19:33:10