BILL ANALYSIS                                                                                                                                                                                                    



                                                                    SB 1444


                                                                    Page  1





          Date of Hearing:  June 28, 2016 


                ASSEMBLY COMMITTEE ON PRIVACY AND CONSUMER PROTECTION


                                   Ed Chau, Chair


          SB 1444 (Hertzberg) - As Amended April 19, 2016


          SENATE VOTE:  39-0


          SUBJECT:  State government:  computerized personal information  
          security plans


          SUMMARY:  Requires each state agency to prepare a computerized  
          personal information security plan that details the agency's  
          strategy for responding to a security breach of computerized  
          personal information and associated consequences.  Specifically,  
          this bill:  


          1)Requires a state agency that owns or licenses computerized  
            data that includes personal information to prepare a  
            computerized personal information security plan (plan) that  
            details the agency's strategy for responding to a security  
            breach of computerized personal information and associated  
            consequences caused by the disclosed personal information. 



          2)Requires the plan to include, but is not limited to, all of  
            the following elements:

               a)     A statement of the purpose and objectives for the  
                 plan;



               b)     An inventory of the computerized personal  
                 information stored or transmitted by the agency;



               c)     Identification of resources necessary to implement  
                 the plan;



               d)     Identification of an incident response team tasked  
                 with mitigating and responding to a breach, or an  
                 imminent threat of a breach, to the security of  
                 computerized personal information;



               e)     Procedures for communications within the incident  
                 response team and between the incident response team,  
                 other individuals within the agency, and individuals  
                 outside the agency that need to be notified in the event  
                 of a breach of the security of computerized personal  
                 information;



               f)     Policies for training the incident response team and  
                 the agency on the implementation of the plan, including,  
                 but not limited to, the use of practice drills; and

               g)     A process to review and improve the plan.



          3)Defines the term "personal information," as specified.

          4)Makes findings and declarations relative to increased threats  
            to state computer networks and the need for information  
            security and breach mitigation plans. 


          EXISTING LAW:   


          1)Establishes the Information Practices Act of 1977 (Act), which  
            requires a public agency, as defined, to maintain in its  
            records only that personal information that is relevant and  
            necessary to accomplish a purpose of the agency required or  
            authorized by the California Constitution or statute or  
            mandated by the federal government.  The Act requires each  
            agency to establish appropriate and reasonable administrative,  
            technical, and physical safeguards to ensure compliance with  
            this law, to ensure the security and confidentiality of  
            records, and to protect against anticipated threats or hazards  
            to the security or integrity of the records that could result  
            in any injury.  The Act also requires an agency that owns or  
            licenses computerized data that includes personal information  
            to disclose a breach of the security of the system in the most  
            expedient time possible and without unreasonable delay, as  
            specified. (Civil Code Section (CC) 1798-1798.78)




          2)Defines, for purposes of the Act generally, personal  
            information to mean "any information that is maintained by an  
            agency that identifies or describes an individual, including,  
            but not limited to, his or her name, social security number,  
            physical description, home address, home telephone number,  
            education, financial matters, and medical or employment  
            history. It includes statements made by, or attributed to, the  
            individual."  (CC 1798.3(a))




          3)Defines, for purposes of data breach reporting under the Act,  
            "personal information" to mean either of the following:




                  a)        An individual's first name or first initial  
                    and last name in combination with any one or more of  
                    the following data elements, when either the name or  
                    the data elements are not encrypted:


                        i.             Social Security number.

                        ii.            Driver's license number or  
                         California identification card number.

                        iii.           Account number, credit or debit  
                         card number, in combination with any required  
                         security code, access code, or password that  
                         would permit access to an individual's financial  
                         account.
                        iv.            Medical information.
                        v.             Health insurance information.
                        vi.            Information or data collected  
                         through the use or operation of an automated  
                         license plate recognition system, as defined.

                  b)        A user name or email address, in combination  
                    with a password or security question and answer that  
                    would permit access to an online account.  (CC  
                    1798.29(g))

          4)Defines "personal information," for purposes of data breach  
            reporting under the Act, to exclude publicly available  
            information that is lawfully made available to the general  
            public from federal, state, or local government records.  (CC  
            1798.29(h))



          5)Establishes the Office of Information Security (OIS) within  
            the California Department of Technology (CDT), which is  
            responsible for ensuring the confidentiality, integrity, and  
            availability of state systems and applications, and to promote  
            and protect privacy as part of the development and operations  
            of state systems and applications to ensure the trust of the  
            residents of this state.  (Government Code Section (GC)  
            11549(a))

          6)Requires the state's chief information security officer to  
            establish an information security program, which includes the  
            creation, updating and publishing of policies and standards  
            for information security in the State Administrative Manual,  
            information technology risk management, tracking of security  
            and privacy incidents, and disaster recovery, as well as  
            statewide coordination with other agencies, promotion of state  
            agency risk management programs, and generally representing  
            the state on matters of information security and privacy.  (GC  
            11549.3(a))   


          7)Requires state entities to implement the information security  
            and privacy policies, standards and procedures issued by OIS.   
            (GC 11549.3(b))    


          FISCAL EFFECT:  According to the Senate Appropriations  
          Committee, this bill would have the following fiscal effects:

          "Varying levels of impact from minor to significant to various  
          state agencies, dependent on the information security policies  
          and procedures currently in place.





           1)Department of Technology, [Department of Motor Vehicles], and  
            [Employment Development Department]:  Minor, absorbable costs,  
            as the requirements in the bill are largely consistent with  
            each agency's current information security procedures and  
            policies. 

           2)Department of Justice (DOJ):  One-time costs of less than  
            $100,000 (General Fund) to develop the security plan. Ongoing  
            costs of $150,000 (General Fund) to conduct trainings of  
            personnel in performing the associated tasks, perform mock  
            security response drills, and ensure accurate inventory  
            controls of personal data. 



           3)Department of Corrections and Rehabilitation (CDCR):  Ongoing  
            costs potentially in excess of $250,000 (General Fund) to  
            implement an incident response team as required under the  
            bill. 



           4)Air Resources Board:  Potentially significant one-time costs  
            to inventory all computerized personal information."

          COMMENTS:  





           1)Purpose of this bill.  This bill is intended to better protect  
            computerized personal information controlled by state agencies  
            by requiring those agencies to prepare information security  
            and breach response plans with specific elements.  This bill  
            is author-sponsored.  



           2)Author's statement.  According to the author, "The State  
            Administrative Manual and the Statewide Information Management  
            Manual direct state agencies to compile an incident response  
            plan.  The State Auditor found that only 28 of the 77 entities  
            had fully complied with the requirements.  SB 1444 requires  
            incident response plans and sets a higher bar for their  
            contents."



           3)Recent state agency data breaches in California.  According to  
            a February 2016 report by Attorney General Kamala Harris, the  
            number of data breaches between 2012 and 2015 grew from 131  
            breach incidents in 2012 to 178 incidents in 2015.  Even more  
            dramatic is the number of records breached during the same  
            time period, which rose from 2.6 million in 2012 to 24 million  
            records containing sensitive personal information in 2015  
            ("California Data Breach Report 2012-2015," California  
            Department of Justice, February 2016).  

            Unfortunately, state and local agencies are not immune to data  
            breaches.  During 2012-2015, the following California public  
            agencies reported one or more breaches to the DOJ: the  
            Department of Motor Vehicles, the Department of Health Care  
            Services (x2), the Department of Business Oversight, the CDCR  
            (x3), the Department of Justice, the Department of Public  
            Health (x3), Department of Social Services (x2), the  
            Department of State Hospitals, California State University  
            (x5), the Department of Child Support Services (x2), the  
            Department of Managed Health Care, the Department of Resources  
            Recycling and Recovery, the Employment Development Department,  
            the State Compensation Insurance Fund, and the counties of  
            Monterey, Napa, and Tulare. 

          4)Questions regarding state oversight of cybersecurity.  On  
            February 24, 2016, this Committee held an oversight hearing on  
            California's Cybersecurity Strategy.  Part of that hearing  
            examined the findings of a 2015 California State Auditor  
            (Auditor) report entitled "High Risk Update - Information  
            Security" (Report 2015-611).  The Auditor found that "many  
            state entities have weaknesses in their controls over  
            information security.  These weaknesses leave some of the  
            State's sensitive data vulnerable to unauthorized use,  
            disclosure, or disruption."



            The Auditor explained that "The California Department of  
            Technology [CDT] is responsible for ensuring that state  
            entities that are under the direct authority of the governor  
            (reporting entities) maintain the confidentiality, integrity,  
            and availability of their information systems and protect the  
            privacy of the State's information.  As part of its efforts to  
            protect the State's information assets, the technology  
            department requires reporting entities to comply with the  
            information security and privacy policies, standards and  
            procedures it prescribes in Chapter 5300 of the State  
            Administrative Manual (security standards) . . . ."

            "[However,] 73 of 77 reporting entities fully responding to  
            our survey indicated that they had yet to achieve full  
            compliance with the security standards.  These reporting  
            entities noted deficiencies in their controls over information  
            asset and risk management, information security program  
            management, information security incident management, and  
            technology recovery.  These weaknesses could compromise the  
            information systems the reporting entities use to perform  
            their day-to-day operations.  Despite the pervasiveness and  
            seriousness of the issues we identified, [CDT] has failed to  
            take sufficient action to ensure that reporting entities  
            address these deficiencies."

            "As a result of the outstanding weakness in reporting  
            entities' information system controls and [CDT's] failure to  
            provide effective oversight and assist noncompliant entities  
            in meeting the security standards, we determined that some of  
            the State's information, and its critical information systems,  
            are potentially vulnerable and continue to pose an area of  
            significant risk to the State." 



           5)Existing information security requirements.  State agencies  
            are already bound by at least two statutory requirements  
            related to information security and risk management. 

          The first statutory requirement is Government Code 11549.3(b),  
            which requires all state agencies to implement the policies  
            and procedures issued by the state's OIS.  Pursuant to its  
            responsibility to establish an information security program  
            (which includes risk management, incident tracking, and  
            disaster recovery), OIS promulgated incident response plan  
            regulations (State Administrative Manual Section 5340 (revised  
            June 2014)), which require each state entity to "develop,  
            disseminate, and maintain a formal, documented incident  
            response plan that provides for the timely assembly of  
            appropriate staff that is capable of developing a response to,  
            appropriate reporting about, and successful recovery from a  
            variety of incidents."

          SAM 5340 is complemented by the voluminous Statewide Information  
            Management Manual, which contains detailed guidance to state  
            entities for creating plans for technology recovery (SIMM  
            5325), risk management (SIMM 5330-B), breach/incident  
            reporting (SIMM 5340-A), and incident response requirements  
            for a breach of personal information (SIMM 5340-C). 

          For example, SIMM 5340-C is a 51-page document entitled  
            "Requirements to Respond to Incidents Involving a Breach of  
            Personal Information".  SIMM 5340-C describes its purpose this  
            way: "To ensure that agencies/state entities understand the  
            responsibilities for making timely and accurate notification  
            to individuals affected by a breach, this SIMM 5340-C document  
            identifies the existing personal information breach  
            notification requirements, and sets out specific instructions  
            and guidance for agencies/state entities to follow when  
            responding to a security incident that involves a breach of  
            personal information.  This document also provides a checklist  
            and a set of breach notification templates as tools to assist  
            agencies/state entities with fulfilling the notification  
            requirements."  SIMM 5340-C was last updated in June 2016. 

          The second general statutory requirement in this area is Civil  
            Code Section 1798.21, which requires, pursuant to the Act,  
            each state agency to establish "appropriate and reasonable  
            administrative, technical and physical safeguards to ensure  
            compliance" with the provisions of the Act (including the  
            state's data breach notification law), "to ensure the security  
            and confidentiality of records, and to protect against  
            anticipated threats or hazards to their security or integrity  
            which could result in any injury."

           6)This bill in practice.  This bill's statutory mandate for  
            state agencies to prepare a computerized personal information  
            security plan likely overlaps to a substantial degree with the  
            pre-existing regulatory and statutory requirements described  
            above, although there may be elements that are new, such as  
            the requirement for an inventory of the personal information  
            stored or transmitted by the agency.  



          For the agencies that already have complete risk management and  
            incident response plans, this bill would cause them to update  
            their plans to reflect the non-duplicative elements of this  
            bill, if any. 

          However, for the many agencies that have, as the State Auditor  
            has pointed out, outdated or incomplete plans, or no plans at  
            all, the question becomes one of enforcement.  If state  
            agencies are already in violation of state statute and  
            regulations, it is not clear how the new provisions of this  
            bill would improve CDT's ability to require agencies to  
            comply, beyond drawing attention to their continued  
            non-compliance.  

          Nevertheless, the placement of this bill's requirements within  
            the Act would make a variety of civil remedies (injunction,  
            actual damages, court costs, attorney's fees) available to a  
            private individual who suffers an "adverse effect" by a state  
            agency's failure to comply with its provisions  (Civil Code  
            Sections 1798.45-1798.53).  A victim of a state agency data  
            breach could - theoretically - claim an adverse effect (such  
            as identity theft, embarrassment, credit monitoring costs,  
            etc.) as a result of an agency's failure to create an  
            information security plan as directed together with any  
            subsequent data breach.  

          Whether being a victim of a data breach and identity theft, or  
            the mere potential for future harm, is sufficient to claim  
            harm in a civil suit has recently been at issue in a number of  
            recent cases, with courts coming to differing conclusions (see  
            Clapper v. Amnesty Intern. USA, 133 S. Ct. 1138 (2013)  
            (finding no standing where the alleged injuries are "too  
            speculative"); cf. In re Anthem, Inc. Data Breach Litig.,  
            15-MD-02617-LHK, 2016 WL 589760 (N.D. Cal. Feb. 14, 2016)  
            (finding that there are "innumerable ways" to demonstrate an  
            economic injury in relation to a data breach).  As such, it is  
            unclear what evidence a court would require a person to  
            produce in order to claim an "adverse effect" after a data  
            breach under the Act.  This potentiality may create additional  
            motivation for state agencies to comply with the provisions of  
            this bill.

           7)Related legislation.  AB 1841 (Irwin) would require the state  
            Office of Emergency Services (OES), in conjunction with CDT,  
            to develop, by July 1, 2017, a cybersecurity incident response  
            plan for cybersecurity attacks against critical  
            infrastructure, and further requires OES to jointly develop  
            cybersecurity incident response standards by January 1, 2018,  
            with which all state agencies must report compliance by  
            January 1, 2019.  AB 1841 passed this Committee on April 5,  
            2016, on an 11-0 vote and is currently set for hearing on June  
            28, 2016, in the Senate Judiciary Committee. 



          AB 1881 (Chang) would require the Director of CDT to develop and  
            update mandatory baseline security controls for state networks  
            based on industry and national standards, and annually measure  
            the state's progress towards compliance.  AB 1881 was held on  
            the Suspense File in the Assembly Appropriations Committee.


          AB 2595 (Linder) would establish the California Cybersecurity  
            Integration Center, require it to develop a cybersecurity  
            strategy for California, and authorize the administration of  
            federal homeland security grant funding by the Office of  
            Emergency Services.  AB 2595 was held on the Suspense File in  
            the Assembly Appropriations Committee.

          SB 949 (Jackson) would authorize the Governor to require  
            owners and operators of critical infrastructure to submit  
            critical infrastructure information to OES or any other  
            designee for the purposes of gathering, analyzing,  
            communicating, or disclosing critical infrastructure  
            information.  SB 949 was held in the Senate Governmental  
            Organization Committee.


           8)Previous legislation.  AB 670 (Irwin), Chapter 518, Statutes  
            of 2015, requires CDT to conduct, or require to be conducted,  
            no fewer than 35 independent security assessments of state  
            agencies, departments or offices annually.

          REGISTERED SUPPORT / OPPOSITION:




          Support


          None on file. 




          Opposition


          None on file.




          Analysis Prepared by:  Hank Dempsey / P. & C.P. / (916) 319-2200