BILL ANALYSIS                                                                                                                                                                                                    






           ----------------------------------------------------------------- 
          |SENATE RULES COMMITTEE            |                       SB 1444|
          |Office of Senate Floor Analyses   |                              |
          |(916) 651-1520    Fax: (916)      |                              |
          |327-4478                          |                              |
           ----------------------------------------------------------------- 


                                   THIRD READING 


          Bill No:  SB 1444
          Author:   Hertzberg (D) 
          Amended:  4/19/16  
          Vote:     21 

           SENATE JUDICIARY COMMITTEE:  6-0, 4/12/16
           AYES:  Jackson, Moorlach, Hertzberg, Leno, Monning, Wieckowski
           NO VOTE RECORDED:  Anderson

           SENATE APPROPRIATIONS COMMITTEE:  7-0, 5/27/16
           AYES: Lara, Bates, Beall, Hill, McGuire, Mendoza, Nielsen
           
           SUBJECT:   State government: computerized personal information  
                     security plans


          SOURCE:    Author


          DIGEST:  This bill requires state agencies that own or license  
          computerized data that includes personal information to prepare  
          a security plan that details the agency's strategy to respond to  
          a security breach of that information and its associated  
          consequences.  This bill lists certain minimum requirements to  
          be included in an agency's security plan, including a  
          requirement to inventory personal information stored or  
          transmitted by the agency and procedures for facilitating  
          communication between an incident response team, agency  
          officials, and individuals affected by a breach.


          ANALYSIS:  









                                                                    SB 1444 
                                                                    Page  2



          Existing law:
           
           1)Requires any agency, person, or business that owns or licenses  
            computerized data that includes personal information to  
            disclose a breach of the security of the system to any  
            California resident whose unencrypted personal information  
            was, or is reasonably believed to have been, acquired by an  
            unauthorized person.  The disclosure must be made in the most  
            expedient time possible and without unreasonable delay,  
            consistent with the legitimate needs of law enforcement, as  
            specified.  (Civ. Code Secs. 1798.29(a), (c) and 1798.82(a),  
            (c).)

          2)Requires any agency, person, or business that maintains  
            computerized data that includes personal information that the  
            agency, person, or business does not own to notify the owner  
            or licensee of the information of any security breach  
            immediately following discovery if the personal information  
            was, or is reasonably believed to have been, acquired by an  
            unauthorized person.  (Civ. Code Secs. 1798.29(b),  
            1798.82(b).)

          3)Defines "personal information," for purposes of the breach  
            notification statute, to include either a user name or email  
            address, in combination with a password or security question  
            and answer that would permit access to an online account, or  
            the individual's first name or first initial and last name in  
            combination with one or more of the following data elements,  
            when either the name or the data elements are not encrypted:  
            social security number; driver's license number or California  
            identification card number; account number, credit or debit  
            card number, in combination with any required security code,  
            access code, or password that would permit access to an  
            individual's financial account; medical information; health  
            insurance information; or information or data collected  
            through the use or operation of an automated license plate  
            recognition system.  "Personal information" does not include  
            publicly available information that is lawfully made available  
            to the general public from federal, state, or local government  
            records.  (Civ. Code Secs. 1798.29(g) and (h); 1798.82(h) and  
            (i).)

          4)States that if the person or business providing the  







                                                                    SB 1444  
                                                                    Page  3


            notification was the source of the breach, an offer to provide  
            appropriate identity theft prevention and mitigation services,  
            if any, shall be provided at no cost to the affected person  
            for not less than 12 months, along with all information  
            necessary to take advantage of the offer to any person whose  
            information was or may have been breached if the breach  
            exposed or may have exposed an individual's first name or  
            first initial and last name along with their social security  
            number, driver's license number, or California identification  
            card number.  (Civ. Code Sec. 1798.82(d).)

          5)States that each state agency shall maintain in its records  
            only personal information which is relevant and necessary to  
            accomplish a purpose of the agency required or authorized by  
            the California Constitution or statute or mandated by the  
            federal government.  (Civ. Code Sec. 1798.14.)

          6)Requires each agency to establish appropriate and reasonable  
            administrative, technical, and physical safeguards to ensure  
            compliance with the provisions of the Information Practices  
            Act of 1977, to ensure the security and confidentiality of  
            records, and to protect against anticipated threats or hazards  
            to their security or integrity which could result in any  
            injury.  (Civ. Code Sec. 1798.21.)

          7)Defines "personal information," for purposes of the  
            Information Practices Act of 1977, to mean any information  
            that is maintained by an agency that identifies or describes  
            an individual, including, but not limited to, his or her name,  
            social security number, physical description, home address,  
            home telephone number, education, financial matters, and  
            medical or employment history, and includes statements made  
            by, or attributed to, an individual.  (Civ. Code Sec.  
            1798.3(a).)

          This bill:

          1)Requires an agency that owns or licenses computerized data  
            that includes personal information to prepare a computerized  
            personal information security plan that details the agency's  
            strategy to respond to a security breach of computerized  
            personal information and associated consequences caused by the  
            disclosed personal information.








                                                                    SB 1444  
                                                                    Page  4


          2)Specifies that a computerized personal information security  
            plan shall include, but shall not be limited to, all of the  
            following:

                 a statement of the purpose and objectives for the plan;
                 an inventory of the computerized personal information  
               stored or transmitted by the agency;
                 identification of resources necessary to implement the  
               plan;
                 identification of an incident response team tasked with  
               mitigating and responding to a breach, or an imminent  
               threat of a breach, to the security of computerized  
               personal information;
                 procedures for communications within the incident  
               response team and between the incident response team, other  
               individuals within the agency, and individuals outside the  
               agency that need to be notified in the event of a breach of  
               the security of computerized personal information;
                 policies for training the incident response team and the  
               agency on the implementation of the computerized personal  
               information security plan, including, but not limited to,  
               the use of practice drills; and
                 a process to review and improve the computerized  
               personal information security plan.

          1)Makes related findings and declarations.

          Background
          
          In 2003, California's first-in-the-nation security breach  
          notification law went into effect. (See Civ. Code Secs.  
          1798.29(a), 1798.82(a).)  Since that time, all but three states  
          have enacted similar security breach notification laws, and  
          governments around the world have or are considering enacting  
          such laws.  California's breach notification statute requires  
          state agencies, local agencies, and businesses to notify  
          residents when the security of their computerized personal  
          information is breached.  Existing law requires breach  
          notifications to be made in the most expedient time possible  
          without unreasonable delay, and specifies certain information  
          that must be included in these notices.  This breach  
          notification requirement ensures that residents are made aware  
          of a breach, thus allowing them to take appropriate action to  
          mitigate or prevent potential financial losses due to fraudulent  







                                                                    SB 1444  
                                                                    Page  5


          activity.

          California's requirement to notify affected individuals of a  
          data breach has had the effect of highlighting data insecurity  
          as a matter for public concern, and has motivated businesses and  
          agencies to invest additional resources toward securing data  
          stored within their computer networks.  However, despite the  
          data breach notification law's positive impact, data breaches  
          have increased in frequency and magnitude since the law took  
          effect.  The Attorney General's most recent report on California  
          data breaches offers the following summary:

            In the past four years, the Attorney General has received  
            reports on 657 data breaches, affecting a total of over 49  
            million records of Californians.  In 2012, there were 131  
            breaches, involving 2.6 million records of Californians; in  
            2015, 178 breaches put over 24 million records at risk.  This  
            means that nearly three in five Californians were victims of a  
            data breach in 2015 alone.  (California Department of Justice,  
            California Data Breach Report 2012-2015 (Feb. 2016)  
             
                                                                    Page  6


          a computerized personal information security plan, as specified,  
          that details the agency's strategy to respond to a security  
          breach of that information and associated consequences caused by  
          the disclosed personal information.  

          Comments
          
          The author writes:

            Earlier this year, the IRS revealed that hackers had been able  
            to use stolen social security numbers to get general E-file  
            PINs for 101,000 people.  While the IRS says it stopped the  
            attack, stealing PINs potentially allows criminals to claim  
            the refunds owed to legitimate taxpayers.  Government and  
            public health facilities are at high risk for data security  
            breaches.  According to a recent report by the California  
            Attorney General, last year 178 breaches placed 24 million  
            records of Californians at risk.  This means that as many as  
            three in five Californians may have been victims of a data  
            breach.  In July 2015, the UCLA Health System suffered a  
            cyberattack that exposed the names, dates of birth, social  
            security numbers, and some medical procedures for 4.5 million  
            patients.  It took eight months to determine that the system  
            had been hacked and two more months to notify patients that  
            their information had been exposed.

            Under current law, state agencies are required to establish  
            reasonable safeguards to ensure the security and  
            confidentiality of records containing personal information and  
            to protect against anticipated threats to the security or  
            integrity of the records. They may only maintain records with  
            personal information that is relevant and necessary to  
            accomplish a purpose authorized by state or federal law.   
            Nevertheless, real threats of breach jeopardize these records  
            and state agencies should have plans in place to respond.

            This bill requires state agencies that own or license  
            computerized data that includes personal information to  
            prepare mitigation and response plans for breach of the  
            database that contains the personal information.


          Related/Prior Legislation








                                                                    SB 1444  
                                                                    Page  7



          SB 949 (Jackson, 2016) authorizes the Governor to require owners  
          and operators of critical infrastructure to submit critical  
          infrastructure information, as defined, to the Office of  
          Emergency Services in order to better understand security  
          problems and interdependencies related to critical  
          infrastructure, so as to ensure the availability, integrity, and  
          reliability of that critical infrastructure, and to help  
          prevent, detect, mitigate, or recover from the effects of an  
          interference, compromise, or incapacitation problem related to  
          critical infrastructure.  The bill is pending in the Senate  
          Committee on Governmental Organization.


          AB 1841 (Irwin, 2016) requires the Office of Emergency Services  
          to develop a Cyber Security Annex to the State Emergency Plan,  
          as specified, and to develop a comprehensive cybersecurity  
          strategy setting standards for state agencies to prepare for  
          cybersecurity interference with critical infrastructure.  The  
          bill is pending in the Assembly Appropriations Committee.


          AB 259 (Dababneh, 2015) requires an agency, if the agency was  
          the source of a breach and the breach compromised a person's  
          social security number, driver's license number, or California  
          identification card number, to offer the person identity theft  
          prevention and mitigation services at no cost for not less than  
          12 months.  The bill is in the Senate Appropriations Committee.


          SB 570 (Jackson, Chapter 543, Statutes of 2015) modified  
          existing data breach notification requirement for agencies and  
          persons or businesses conducting business in California that own  
          or license computerized data that includes personal information.  
           Specifically, this bill requires these entities, in the event  
          of a data breach, to provide affected individuals with a notice  
          entitled "Notice of Data Breach," in which required content is  
          presented under the following headings: "What Happened," "What  
          Information Was Involved," "What We Are Doing," "What You Can  
          Do," and "For More Information." The bill states that additional  
          information may be provided to supplement the required notice,  
          and provides a model security breach notification form that  
          entities may use to comply with formatting requirements.  The  
          bill also clarified the requirements for providing substitute  







                                                                    SB 1444 
                                                                    Page  8


          notice of a data breach, and made other technical and clarifying  
          changes to the data breach notification law. 


          AB 964 (Chau, Chapter 522, Statutes of 2015) defined "encrypted"  
          as used in California's data breach notification law to mean  
          rendered unusable, unreadable, or indecipherable to an  
          unauthorized person through a security technology or methodology  
          generally accepted in the field of information security.


          AB 1710 (Dickinson, Chapter 855, Statutes of 2014) amended  
          California's data breach notification law to require a person or  
          business to offer appropriate identity theft prevention and  
          mitigation services to an affected person at no cost for not  
          less than 12 months if the person or business was the source of  
          a data breach.  AB 1710 also prohibited the sale, advertisement  
          for sale, or offer to sell an individual's social security  
          number.


          AB 1950 (Wiggins, Chapter 877, Statutes of 2004) required a  
          business that owns or licenses personal information about a  
          California resident to implement and maintain reasonable  
          security procedures and practices to protect that personal  
          information from unauthorized access, destruction, use,  
          modification, or disclosure.  AB 1950 also required a business  
          that discloses personal information to a nonaffiliated third  
          party to require by contract that those entities maintain  
          reasonable security procedures.


          SB 1386 (Peace, Chapter 915, Statutes of 2002) enacted  
          California's data breach notification law and required a state  
          agency, or a person or business that conducts business in  
          California, that owns or licenses computerized data that  
          includes personal information to disclose any breach of the  
          security of the data to California residents whose unencrypted  
          personal information was, or is reasonably believed to have  
          been, acquired by an unauthorized person.  SB 1386 permitted  
          notifications to be delayed if a law enforcement agency  
          determines that it would impede a criminal investigation, and  
          required an agency, person, or business that maintains  
          computerized data that includes personal information owned by  







                                                                    SB 1444  
                                                                    Page  9


          another to notify the owner or licensee of the information of  
          any breach of security of the data.


          FISCAL EFFECT:   Appropriation:    No          Fiscal  
          Com.:YesLocal:   No


          According to the Senate Appropriations Committee, varying levels  
          of impact from minor to significant to various state agencies,  
          dependent on the information security policies and procedures  
          currently in place.


           Department of Technology, Department of Motor Vehicles, and  
            the Employment Development Department:  Minor, absorbable  
            costs, as the requirements in the bill are largely consistent  
            with each agency's current information security procedures and  
            policies. 


           Department of Justice:  One-time costs of less than $100,000  
            (General Fund) to develop the security plan. Ongoing costs of  
            $150,000 (General Fund) to conduct trainings of personnel in  
            performing the associated tasks, perform mock security  
            response drills, and ensure accurate inventory controls of  
            personal data. 


           Department of Corrections and Rehabilitation:  Ongoing costs  
            potentially in excess of $250,000 (General Fund) to implement  
            an incident response team as required under the bill. 


           Air Resources Board:  Potentially significant one-time costs  
            to inventory all computerized personal information.


          SUPPORT:   (Verified5/27/16)


          None received









                                                                    SB 1444  
                                                                    Page  10


          OPPOSITION:   (Verified5/27/16)


          None received


          Prepared by:Tobias Halvarson / JUD. / (916) 651-4113
          5/30/16 19:33:10


                                   ****  END  ****