BILL ANALYSIS
SB 1444
Page 1
Date of Hearing: August 3, 2016
ASSEMBLY COMMITTEE ON APPROPRIATIONS
Lorena Gonzalez, Chair
SB 1444
(Hertzberg) - As Amended April 19, 2016
-----------------------------------------------------------------
|Policy Committee: Privacy and Consumer Protection | Vote: 11 - 0 |
-----------------------------------------------------------------
Urgency: No    State Mandated Local Program: No    Reimbursable: No
SUMMARY:
This bill requires state agencies that own or license
computerized data that includes personal information to prepare
a computerized personal information security plan detailing the
agency's strategy for responding to a security breach of
computerized personal information and associated consequences
caused by the disclosed personal information. Specifically, this
bill requires the plan to include the following elements:
1) A statement of the purpose and objectives.
2) An inventory of the computerized personal information stored or transmitted by the agency.
3) Identification of resources necessary to implement the plan.
4) Identification of an incident response team tasked with mitigating and responding to a breach, or imminent threat of a breach, to the security of computerized personal information.
5) Procedures for communications within the incident response team and between the incident response team, other individuals within the agency, and individuals outside the agency that need to be notified in the event of a breach of the security of computerized personal information.
6) Policies for training the incident response team and the agency on the implementation of the plan, including, but not limited to, the use of practice drills.
7) A process to review and improve the plan.
FISCAL EFFECT:
Some state agencies have identified significant costs to comply
with this bill. Any compliance costs should be absorbable,
however. The requirements of this bill are, in general, already
administrative requirements with which agencies should currently
be in compliance, and in fact some agencies are in compliance.
Moreover, these requirements constitute a normal function of
state agencies in maintaining the security of personal
information within their possession, and as such agencies would
be expected to address meeting these requirements on an ongoing
basis and with existing resources rather than future budget
augmentations.
COMMENTS:
1) Background. In a 2015 California State Auditor report entitled
"High Risk Update - Information Security," the Auditor found
that "many state entities have weaknesses in their controls
over information security. These weaknesses leave some of the
State's sensitive data vulnerable to unauthorized use,
disclosure, or disruption."
State agencies are already bound by at least two statutory
requirements related to information security and risk
management.
a) Government Code Section 11549.3(b) requires all state
agencies to implement the policies and procedures issued by
the state's Office of Information Security (OIS), within
the Department of Technology. Pursuant to its
responsibility to establish an information security program
(which includes risk management, incident tracking, and
disaster recovery), OIS promulgated incident response plan
regulations requiring each state entity to "develop,
disseminate, and maintain a formal, documented incident
response plan that provides for the timely assembly of
appropriate staff that is capable of developing a response
to, appropriate reporting about, and successful recovery
from a variety of incidents." Moreover, the State
Information Management Manual contains detailed guidance to
state entities for creating plans for technology recovery,
risk management, breach/incident reporting, and incident
response requirements for a breach of personal information.
b) Civil Code Section 1798.21 requires, pursuant to the Act,
each state agency to establish "appropriate and reasonable
administrative, technical and physical safeguards to ensure
compliance" with the provisions of the Act (including the
state's data breach notification law), "to ensure the security
and confidentiality of records, and to protect against
anticipated threats or hazards to their security or integrity
which could result in any injury."
2) Purpose. In light of the Auditor's report, the author argues
this bill is necessary to ensure that state agencies have
appropriate incident response plans.
Analysis Prepared by: Chuck Nicol / APPR. / (916) 319-2081