BILL ANALYSIS
SB 1444 Page 1

Date of Hearing: June 28, 2016

ASSEMBLY COMMITTEE ON PRIVACY AND CONSUMER PROTECTION
Ed Chau, Chair
SB 1444 (Hertzberg) - As Amended April 19, 2016

SENATE VOTE: 39-0

SUBJECT: State government: computerized personal information security plans

SUMMARY: Requires each state agency to prepare a computerized personal information security plan that details the agency's strategy for responding to a security breach of computerized personal information and associated consequences. Specifically, this bill:

1) Requires a state agency that owns or licenses computerized data that includes personal information to prepare a computerized personal information security plan (plan) that details the agency's strategy for responding to a security breach of computerized personal information and associated consequences caused by the disclosed personal information.

2) Requires the plan to include, but is not limited to, all of the following elements:

   a) A statement of the purpose and objectives for the plan;
   b) An inventory of the computerized personal information stored or transmitted by the agency;
   c) Identification of resources necessary to implement the plan;
   d) Identification of an incident response team tasked with mitigating and responding to a breach, or an imminent threat of a breach, to the security of computerized personal information;
   e) Procedures for communications within the incident response team and between the incident response team, other individuals within the agency, and individuals outside the agency that need to be notified in the event of a breach of the security of computerized personal information;
   f) Policies for training the incident response team and the agency on the implementation of the plan, including, but not limited to, the use of practice drills; and
   g) A process to review and improve the plan.

3) Defines the term "personal information," as specified.

4) Makes findings and declarations relative to increased threats to state computer networks and the need for information security and breach mitigation plans.

EXISTING LAW:

1) Establishes the Information Practices Act of 1977 (Act), which requires a public agency, as defined, to maintain in its records only that personal information that is relevant and necessary to accomplish a purpose of the agency required or authorized by the California Constitution or statute or mandated by the federal government. The Act requires each agency to establish appropriate and reasonable administrative, technical, and physical safeguards to ensure compliance with this law, to ensure the security and confidentiality of records, and to protect against anticipated threats or hazards to the security or integrity of the records that could result in any injury. The Act also requires an agency that owns or licenses computerized data that includes personal information to disclose a breach of the security of the system in the most expedient time possible and without unreasonable delay, as specified. (Civil Code Section (CC) 1798-1798.78)

2) Defines, for purposes of the Act generally, personal information to mean "any information that is maintained by an agency that identifies or describes an individual, including, but not limited to, his or her name, social security number, physical description, home address, home telephone number, education, financial matters, and medical or employment history. It includes statements made by, or attributed to, the individual." (CC 1798.3(a))

3) Defines, for purposes of data breach reporting under the Act, "personal information" to mean either of the following:

   a) An individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
      i. Social Security number.
      ii. Driver's license number or California identification card number.
      iii. Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
      iv. Medical information.
      v. Health insurance information.
      vi. Information or data collected through the use or operation of an automated license plate recognition system, as defined.
   b) A user name or email address, in combination with a password or security question and answer that would permit access to an online account. (CC 1798.29(g))

4) Defines "personal information," for purposes of data breach reporting under the Act, to exclude publicly available information that is lawfully made available to the general public from federal, state, or local government records. (CC 1798.29(h))

5) Establishes the Office of Information Security (OIS) within the California Department of Technology (CDT), which is responsible for ensuring the confidentiality, integrity, and availability of state systems and applications, and for promoting and protecting privacy as part of the development and operations of state systems and applications to ensure the trust of the residents of this state. (Government Code Section (GC) 11549(a))

6) Requires the state's chief information security officer to establish an information security program, which includes the creation, updating and publishing of policies and standards for information security in the State Administrative Manual, information technology risk management, tracking of security and privacy incidents, and disaster recovery, as well as statewide coordination with other agencies, promotion of state agency risk management programs, and generally representing the state on matters of information security and privacy. (GC 11549.3(a))

7) Requires state entities to implement the information security and privacy policies, standards and procedures issued by OIS. (GC 11549.3(b))

FISCAL EFFECT: According to the Senate Appropriations Committee, this bill would have the following fiscal effects:

"Varying levels of impact from minor to significant to various state agencies, dependent on the information security policies and procedures currently in place.

1) Department of Technology, [Department of Motor Vehicles], and [Employment Development Department]: Minor, absorbable costs, as the requirements in the bill are largely consistent with each agency's current information security procedures and policies.

2) Department of Justice (DOJ): One-time costs of less than $100,000 (General Fund) to develop the security plan. Ongoing costs of $150,000 (General Fund) to conduct trainings of personnel in performing the associated tasks, perform mock security response drills, and ensure accurate inventory controls of personal data.

3) Department of Corrections and Rehabilitation (CDCR): Ongoing costs potentially in excess of $250,000 (General Fund) to implement an incident response team as required under the bill.

4) Air Resources Board: Potentially significant one-time costs to inventory all computerized personal information."

COMMENTS:

1) Purpose of this bill. This bill is intended to better protect computerized personal information controlled by state agencies by requiring those agencies to prepare information security and breach response plans with specific elements. This bill is author-sponsored.

2) Author's statement. According to the author, "The State Administrative Manual and the Statewide Information Management Manual direct state agencies to compile an incident response plan. The State Auditor found that only 28 of the 77 entities had fully complied with the requirements. SB 1444 requires incident response plans and sets a higher bar for their contents."

3) Recent state agency data breaches in California. According to a February 2016 report by Attorney General Kamala Harris, the number of data breaches between 2012 and 2015 grew from 131 breach incidents in 2012 to 178 incidents in 2015. Even more dramatic is the number of records breached during the same time period, which rose from 2.6 million in 2012 to 24 million records containing sensitive personal information in 2015 ("California Data Breach Report 2012-2015," California Department of Justice, February 2016).

Unfortunately, state and local agencies are not immune to data breaches. During 2012-2015, the following California public agencies reported one or more breaches to the DOJ: the Department of Motor Vehicles, the Department of Health Care Services (x2), the Department of Business Oversight, the CDCR (x3), the Department of Justice, the Department of Public Health (x3), the Department of Social Services (x2), the Department of State Hospitals, California State University (x5), the Department of Child Support Services (x2), the Department of Managed Health Care, the Department of Resources Recycling and Recovery, the Employment Development Department, the State Compensation Insurance Fund, and the counties of Monterey, Napa, and Tulare.

4) Questions regarding state oversight of cybersecurity. On February 24, 2016, this Committee held an oversight hearing on California's Cybersecurity Strategy. Part of that hearing examined the findings of a 2015 California State Auditor (Auditor) report entitled "High Risk Update - Information Security" (Report 2015-611). The Auditor found that "many state entities have weaknesses in their controls over information security. These weaknesses leave some of the State's sensitive data vulnerable to unauthorized use, disclosure, or disruption."

The Auditor explained that "The California Department of Technology [CDT] is responsible for ensuring that state entities that are under the direct authority of the governor (reporting entities) maintain the confidentiality, integrity, and availability of their information systems and protect the privacy of the State's information. As part of its efforts to protect the State's information assets, the technology department requires reporting entities to comply with the information security and privacy policies, standards and procedures it prescribes in Chapter 5300 of the State Administrative Manual (security standards)...."

"[However,] 73 of 77 reporting entities fully responding to our survey indicated that they had yet to achieve full compliance with the security standards. These reporting entities noted deficiencies in their controls over information asset and risk management, information security program management, information security incident management, and technology recovery. These weaknesses could compromise the information systems the reporting entities use to perform their day-to-day operations. Despite the pervasiveness and seriousness of the issues we identified, [CDT] has failed to take sufficient action to ensure that reporting entities address these deficiencies."

"As a result of the outstanding weakness in reporting entities' information system controls and [CDT's] failure to provide effective oversight and assist noncompliant entities in meeting the security standards, we determined that some of the State's information, and its critical information systems, are potentially vulnerable and continue to pose an area of significant risk to the State."

5) Existing information security requirements. State agencies are already bound by at least two statutory requirements related to information security and risk management.

The first statutory requirement is Government Code 11549.3(b), which requires all state agencies to implement the policies and procedures issued by the state's OIS. Pursuant to its responsibility to establish an information security program (which includes risk management, incident tracking, and disaster recovery), OIS promulgated incident response plan regulations (State Administrative Manual Section 5340, revised June 2014), which require each state entity to "develop, disseminate, and maintain a formal, documented incident response plan that provides for the timely assembly of appropriate staff that is capable of developing a response to, appropriate reporting about, and successful recovery from a variety of incidents." SAM 5340 is complemented by the voluminous State Information Management Manual, which contains detailed guidance to state entities for creating plans for technology recovery (SIMM 5325), risk management (SIMM 5330-B), breach/incident reporting (SIMM 5340-A), and incident response requirements for a breach of personal information (SIMM 5340-C).

For example, SIMM 5340-C is a 51-page document entitled "Requirements to Respond to Incidents Involving a Breach of Personal Information". SIMM 5340-C describes its purpose this way: "To ensure that agencies/state entities understand the responsibilities for making timely and accurate notification to individuals affected by a breach, this SIMM 5340-C document identifies the existing personal information breach notification requirements, and sets out specific instructions and guidance for agencies/state entities to follow when responding to a security incident that involves a breach of personal information. This document also provides a checklist and a set of breach notification templates as tools to assist agencies/state entities with fulfilling the notification requirements." SIMM 5340-C was last updated in June 2016.

The second general statutory requirement in this area is Civil Code Section 1798.21, which requires, pursuant to the Act, each state agency to establish "appropriate and reasonable administrative, technical and physical safeguards to ensure compliance" with the provisions of the Act (including the state's data breach notification law), "to ensure the security and confidentiality of records, and to protect against anticipated threats or hazards to their security or integrity which could result in any injury."

6) This bill in practice. This bill's statutory mandate for state agencies to prepare a computerized personal information security plan likely overlaps to a substantial degree with the pre-existing regulatory and statutory requirements described above, although there may be elements that are new, such as the requirement for an inventory of the personal information stored or transmitted by the agency. For the agencies that already have complete risk management and incident response plans, this bill would cause them to update their plans to reflect the non-duplicative elements of this bill, if any.

However, for the many agencies that have, as the State Auditor has pointed out, outdated or incomplete plans, or no plans at all, the question becomes one of enforcement. If state agencies are already in violation of state statute and regulations, it is not clear how the new provisions of this bill would improve CDT's ability to require agencies to comply, beyond drawing attention to their continued non-compliance. Nevertheless, the placement of this bill's requirements within the Act would make a variety of civil remedies (injunction, actual damages, court costs, attorney's fees) available to a private individual who suffers an "adverse effect" by a state agency's failure to comply with its provisions (Civil Code Sections 1798.45-1798.53).

A victim of a state agency data breach could - theoretically - claim an adverse effect (such as identity theft, embarrassment, credit monitoring costs, etc.) as a result of an agency's failure to create an information security plan as directed, together with any subsequent data breach. Whether being a victim of a data breach and identity theft, or the mere potential for future harm, is sufficient to claim harm in a civil suit has been at issue in a number of recent cases, with courts coming to differing conclusions (see Clapper v. Amnesty Intern. USA, 133 S. Ct. 1138 (2013) (finding no standing where the alleged injuries are "too speculative"); cf. In re Anthem, Inc. Data Breach Litig., 15-MD-02617-LHK, 2016 WL 589760 (N.D. Cal. Feb. 14, 2016) (finding that there are "innumerable ways" to demonstrate an economic injury in relation to a data breach)). As such, it is unclear what evidence a court would require a person to produce in order to claim an "adverse effect" after a data breach under the IPA. This potentiality may create additional motivation for state agencies to comply with the provisions of this bill.

7) Related legislation. AB 1841 (Irwin) would require the state Office of Emergency Services (OES), in conjunction with CDT, to develop, by July 1, 2017, a cybersecurity incident response plan for cybersecurity attacks against critical infrastructure, and further requires OES to jointly develop cybersecurity incident response standards by January 1, 2018, with which all state agencies must report compliance by January 1, 2019. AB 1841 passed this Committee on April 5, 2016, on an 11-0 vote and is currently set for hearing on June 28, 2016, in the Senate Judiciary Committee.

AB 1881 (Chang) would require the Director of CDT to develop and update mandatory baseline security controls for state networks based on industry and national standards, and annually measure the state's progress towards compliance. AB 1811 was held on the Suspense File in the Assembly Appropriations Committee.

AB 2595 (Linder) would establish the California Cybersecurity Integration Center, require it to develop a cybersecurity strategy for California, and authorize the administration of federal homeland security grant funding by the Office of Emergency Services. AB 2595 was held on the Suspense File in the Assembly Appropriations Committee.

SB 949 (Jackson) would authorize the Governor to require owners and operators of critical infrastructure to submit critical infrastructure information to OES or any other designee for the purposes of gathering, analyzing, communicating, or disclosing critical infrastructure information. SB 949 was held in the Senate Governmental Organization Committee.

8) Previous legislation. AB 670 (Irwin), Chapter 518, Statutes of 2015, requires CDT to conduct, or require to be conducted, no fewer than 35 independent security assessments of state agencies, departments or offices annually.

REGISTERED SUPPORT / OPPOSITION:

Support
None on file.

Opposition
None on file.

Analysis Prepared by: Hank Dempsey / P. & C.P. / (916) 319-2200