BILL ANALYSIS

                                                                    SB 1444

                                                                    Page  1

          Date of Hearing:  August 3, 2016


                        ASSEMBLY COMMITTEE ON APPROPRIATIONS


                               Lorena Gonzalez, Chair


          SB 1444  
          (Hertzberg) - As Amended April 19, 2016


           ----------------------------------------------------------------- 
          |Policy       |Privacy and Consumer           |Vote:|11 - 0       |
          |Committee:   |Protection                     |     |             |
          |             |                               |     |             |
          |             |                               |     |             |
           ----------------------------------------------------------------- 


          Urgency:  No   State Mandated Local Program:  No   Reimbursable:  No


          SUMMARY:


          This bill requires state agencies that own or license
          computerized data that includes personal information to prepare
          a computerized personal information security plan detailing the
          agency's strategy for responding to a security breach of
          computerized personal information and to the consequences of the
          resulting disclosure of that information. Specifically, the bill
          requires the plan to include the following elements:


          1)A statement of the purpose and objectives.

          2)An inventory of the computerized personal information stored  
            or transmitted by the agency.



          3)Identification of resources necessary to implement the plan.



          4)Identification of an incident response team tasked with  
            mitigating and responding to a breach, or imminent threat of a  
            breach, to the security of computerized personal information.



          5)Procedures for communications within the incident response  
            team and between the incident response team, other individuals  
            within the agency, and individuals outside the agency that  
            need to be notified in the event of a breach of the security  
            of computerized personal information.



          6)Policies for training the incident response team and the  
            agency on the implementation of the plan, including, but not  
            limited to, the use of practice drills.



          7)A process to review and improve the plan.


          FISCAL EFFECT:


          Some state agencies have identified significant costs to comply
          with this bill. Any compliance costs should be absorbable,
          however. The requirements of this bill are, in general, already
          administrative requirements with which agencies should currently
          be in compliance, and in fact some agencies are in compliance.
          Moreover, these requirements constitute a normal function of
          state agencies in maintaining the security of personal
          information within their possession, and as such agencies would
          be expected to meet these requirements on an ongoing basis and
          with existing resources rather than future budget augmentations.

          COMMENTS:


          1)Background. In a 2015 California State Auditor report entitled
            "High Risk Update - Information Security," the Auditor found
            that "many state entities have weaknesses in their controls
            over information security. These weaknesses leave some of the
            State's sensitive data vulnerable to unauthorized use,
            disclosure, or disruption."


            State agencies are already bound by at least two statutory  
            requirements related to information security and risk  
            management. 


             a)   Government Code Section 11549.3(b) requires all state  
               agencies to implement the policies and procedures issued by  
               the state's Office of Information Security (OIS), within  
               the Department of Technology. Pursuant to its  
               responsibility to establish an information security program  
               (which includes risk management, incident tracking, and  
               disaster recovery), OIS promulgated incident response plan  
               regulations requiring each state entity to "develop,  
               disseminate, and maintain a formal, documented incident
               response plan that provides for the timely assembly of
               appropriate staff that is capable of developing a response  
               to, appropriate reporting about, and successful recovery  
               from a variety of incidents." Moreover, the State  
               Information Management Manual contains detailed guidance to  
               state entities for creating plans for technology recovery,  
               risk management, breach/incident reporting, and incident  
               response requirements for a breach of personal information.


             b)   Civil Code Section 1798.21, part of the Information
               Practices Act of 1977 (Civil Code Section 1798 et seq.),
               requires each state agency to establish "appropriate and
               reasonable administrative, technical and physical
               safeguards to ensure compliance" with the provisions of the
               Act (including the state's data breach notification law),
               "to ensure the security and confidentiality of records, and
               to protect against anticipated threats or hazards to their
               security or integrity which could result in any injury."


          2)Purpose. In light of the Auditor's report, the author argues  
            this bill is necessary to ensure that state agencies have  
            appropriate incident response plans. 


          Analysis Prepared by:  Chuck Nicol / APPR. / (916) 319-2081