BILL ANALYSIS
SENATE JUDICIARY COMMITTEE
Senator Ellen M. Corbett, Chair
2009-2010 Regular Session
SB 1166 (Simitian)
As Introduced
Hearing Date: March 23, 2010
Fiscal: Yes
Urgency: No
SK:jd
SUBJECT
Privacy: Security Breach Notifications
DESCRIPTION
This bill would amend California's security breach notification
law to provide that any agency, person, or business required to
issue a notification under existing law must meet additional
requirements regarding that notification. This bill would
require that security breach notifications be written in plain
language and contain certain specified information, including,
among other things, contact information regarding the breach,
the types of information breached, and, if possible to
determine, the date, estimated date, or date range of the
breach. This bill would provide that a security breach
notification may also include other specified information, at
the discretion of the entity issuing the notification.
Under this bill, any agency, person, or business that must
provide a security breach notification under existing law to
more than 500 California residents as a result of a single
breach would be required to submit the notification
electronically to the Attorney General.
BACKGROUND
In 2003, California's first-in-the-nation security breach
notification law went into effect. Since that time, 45 other
states and the District of Columbia, Puerto Rico, and the Virgin
Islands have enacted breach notification laws, following
California's lead. California's statute requires state agencies
and businesses to notify residents when the security of their
personal information is breached. According to Privacy Rights
Clearinghouse, more than 346 million records containing
sensitive personal information have been involved in security
breaches in the United States since January 2005.
Although existing law requires state agencies and businesses to
notify affected consumers when there is a breach in the security
of their information, the law does not contain requirements for
the content of those notifications. This bill is intended to
fill that gap by establishing standard, core content for breach
notification letters.
CHANGES TO EXISTING LAW
1. Existing law requires any agency, person, or business that
owns or licenses computerized data that includes personal
information to disclose a breach of the security of the system
to any California resident whose unencrypted personal
information was, or is reasonably believed to have been,
acquired by an unauthorized person. The disclosure must be
made in the most expedient time possible and without
unreasonable delay, consistent with the legitimate needs of
law enforcement, as specified. (Civ. Code Secs. 1798.29(a)
and (c) and 1798.82(a) and (c).)
Existing law requires any agency, person, or business that
maintains computerized data that includes personal information
that the agency, person, or business does not own to notify
the owner or licensee of the information of any security
breach immediately following discovery if the personal
information was, or is reasonably believed to have been,
acquired by an unauthorized person. (Civ. Code Secs.
1798.29(b) and 1798.82(b).)
Existing law defines "personal information," for purposes of
the breach notification statute, to include the individual's
first name or first initial and last name in combination with
any one or more of the following data elements, when either
the name or the data elements are not encrypted: social
security number; driver's license number or California
Identification Card number; account number, credit or debit
card number, in combination with any required security code,
access code, or password that would permit access to an
individual's financial account; medical information; or health
insurance information. "Personal information" does not
include publicly available information that is lawfully made
available to the general public from federal, state, or local
government records. (Civ. Code Secs. 1798.29(e) and (f) and
1798.82(e) and (f).)
Existing law requires health care facilities to notify a
patient if his or her medical information is accessed, used,
or disclosed unlawfully or without authorization. Existing
law, which requires the notification to be provided to the
patient within five business days after the breach is detected
unless notification would impede law enforcement's
investigation of the incident, does not specify the
information that must be contained in the notification.
(Health & Saf. Code Sec. 1280.15.)
Existing federal law, the Health Information Technology for
Economic and Clinical Health Act (HITECH Act), requires
covered entities such as health care providers to notify a
patient whose "unsecured protected health information" has
been, or is reasonably believed to have been, accessed,
acquired, or disclosed as a result of the breach. The HITECH
Act requires that notice of the breach include, to the extent
possible, certain items of information, including the type of
unsecured protected health information breached and the date
of the breach. (42 U.S.C. 17932(f).)
This bill would provide that any agency, person, or business
required to issue a security breach notification under
existing law must also meet certain requirements regarding the
notification including that it be written in plain language.
This bill would also require that the notification include, at
a minimum, the following information:
a. the name and contact information of the reporting
agency, person, or business;
b. a list of the types of personal information that were or
are reasonably believed to have been the subject of the
breach;
c. any of the following, if the information is possible to
determine at the time the notice is provided: the date,
estimated date, or date range within which the breach
occurred;
d. the date of the notice;
e. whether the notification was delayed because of an
investigation by law enforcement, if the information is
possible to determine at the time the notice is provided;
f. a general description of the breach incident, if the
information is possible to determine at the time the notice
is provided; and
g. the toll-free telephone numbers and addresses of the
major credit reporting agencies if the breach exposed a
social security number, or a driver's license or California
identification card number.
This bill would provide that an agency, person, or business
may also include the following information in a security
breach notification, at its discretion:
a. information regarding what the entity has done to
protect individuals whose information has been breached;
and
b. advice on steps that the individual may take to protect
himself or herself.
This bill would require any agency, person, or business that
must provide a security breach notification pursuant to
existing law to more than 500 California residents as a result
of a single breach of the security system to submit a single
sample copy of the notification electronically to the Attorney
General. That copy shall not be considered to be a record of
complaint or investigation under the California Public Records
Act.
2. Existing law requires an agency, person, or business to
provide breach notification using either written notice,
electronic notice, or substitute notice. An entity may use
substitute notice when it demonstrates that the cost of
providing notice would exceed $250,000, or that the affected
class of persons to be notified exceeds 500,000, or if the
entity does not have sufficient contact information.
Substitute notice must consist of: (a) e-mail notice when the
entity has an e-mail address for the affected individuals; (b)
conspicuous posting of the notice on the entity's Web site;
and (c) notification to major statewide media. (Civ. Code
Secs. 1798.29(g) and 1798.82(g).)
This bill would additionally require notification to the
Office of Information Security within the office of the State
Chief Information Officer when an agency uses substitute
notice and notification to the Office of Privacy Protection
within the State and Consumer Services Agency when a person or
business uses substitute notice.
COMMENT
1. Stated need for the bill
The author writes that "at least fourteen states and Puerto Rico
have built upon California's model and added more detailed
requirements for [security breach notifications (SBNs)] to
include certain types of information. And most of these states
require an entity that suffers a security breach to notify a
state regulator, such as the Attorney General, as well as the
affected individuals." Furthermore, the author notes:
Even the federal government has weighed in; as of February 19,
2009, for breaches of personal medical information,
individuals have to be notified and those notifications must
contain certain specified content. Our law is built on the
premise that individuals have a right to know when a data
breach has affected them. Quite simply, in order for
consumers to protect themselves from the unauthorized
acquisition and use of confidential information, the consumer
has to know that an unauthorized acquisition has occurred.
Without that knowledge, consumers aren't even aware of the
need to protect themselves.
In the ensuing years, however, a gap has been identified in
our state statute. While current law requires data holders to
notify individuals when there has been a data breach of
personal information, that same law is silent on what
information should be contained in the notification. As a
result, SBN letters vary greatly in the information provided,
leaving consumers confused and businesses exposed.
Individuals are left to question what information was
breached, when did the breach occur, and what should they do
to protect themselves. Moreover, data holders are left exposed
and uncertain of what is expected of them in the event of a
breach. SB 1166 fills in this gap by establishing standard,
core content for the notification letters, thereby ensuring
the notifications actually work. These relatively modest but
helpful changes will enhance consumer knowledge about, and
understanding of, security breaches and the steps they can
take to protect themselves.
The American Civil Liberties Union supports the bill and notes
that when the breach occurred, the type of information breached,
and the ability to quickly contact credit reporting agencies are
all "critical to helping consumers protect themselves."
In addition, there also appears to be evidence that the
information provided to consumers in breach notification letters
is insufficient. A 2007 study entitled "Security Breach
Notification Laws: Views from Chief Security Officers" by the
Samuelson Law, Technology, and Public Policy Clinic, at UC
Berkeley School of Law found that 28 percent of consumers who
received a breach notification letter did not "understand the
data involved or the potential consequences of the breach after
reading the letter."
2. Standardized content requirements for security breach
notifications
While existing law imposes requirements for notification of
security breaches, it does not contain requirements for the
content of those notifications. This bill is intended to fill
that gap by establishing standard, core content for breach
notification letters. Under the bill, breach notification
letters sent to consumers must contain: (1) the name and contact
information of the reporting agency, person, or business; (2) a
list of the types of personal information that were or are
reasonably believed to have been the subject of the breach; and
(3) the toll-free telephone numbers and addresses of the major
credit reporting agencies if the breach exposed a social
security number, or a driver's license or California
identification card number.
The following information must also be included in the
notification if the information is possible to determine at the
time the notice is provided: (1) a general description of the
breach incident; (2) whether the notification was delayed
because of an investigation by law enforcement; and (3) any of
the following: the date, estimated date, or date range within
which the breach occurred.
California's Office of Privacy Protection (OPP) suggests
including several of these items of information in breach
notification letters. In its "Recommended Practices on Notice
of Security Breach Involving Personal Information" issued in
June 2009, OPP suggests that the following information should be
included in a breach notification letter:
1. a general description of what happened;
2. the specific type of personal information that was
involved including, in the case of a breach of
financial-related information, a social security number,
driver's license or California identification number;
3. what the entity has done to protect the consumer's
personal information from further unauthorized acquisition;
4. what the entity will do to assist consumers, including
providing a toll-free contact telephone number;
5. information on what consumers can do to protect
themselves from identity theft, as appropriate for the
specific type of personal information involved.
Although these best practice guidelines are not regulations and
are not binding, they do arguably recognize the important
consumer benefits that result when consumers affected by a
breach are provided more specific information about the breach.
For example, if the breach exposed a social security number,
knowing that fact will help a consumer to quickly mitigate any
possible harm, such as new account fraud, that may occur as a
result of the breach. Furthermore, a business that currently
follows the OPP's Recommended Practices would be in compliance
with this bill.
Recently enacted federal law also recognizes the importance of
standardized breach notices in the context of medical
information. The HITECH Act, enacted as a part of the American
Recovery and Reinvestment Act of 2009 (ARRA) (Pub. Law 111-5),
established a federal requirement for notification of a breach
in the security of health information that is not encrypted or
otherwise made indecipherable. Under the HITECH Act, covered
entities such as health care providers must notify each
individual whose "unsecured protected health information" has
been, or is reasonably believed to have been, accessed,
acquired, or disclosed as a result of the breach. The HITECH
Act requires that notice of the breach include, to the extent
possible, the following items of information:
1. a brief description of what happened, including the date
of the breach and the date of the discovery of the breach,
if known;
2. a description of the types of unsecured protected health
information that were involved in the breach (such as full
name, social security number, date of birth, home address,
account number, or disability code);
3. the steps individuals should take to protect themselves
from potential harm resulting from the breach;
4. a brief description of what the covered entity involved
is doing to investigate the breach, to mitigate losses, and
to protect against any further breaches; and
5. contact procedures for individuals to ask questions or
learn additional information, which shall include a
toll-free telephone number, an e-mail address, Web site, or
postal address. (42 U.S.C. 17932(f).)
Several of the items of information required to be disclosed by
SB 1166 are also required to be disclosed under the HITECH Act when
medical information is breached. The HITECH Act recognizes, like
OPP's Recommended Practices described above, that there are
important benefits to consumers when they are provided
additional detail if their personal information is breached.
Furthermore, this bill's requirements are consistent with the
requirements of the HITECH Act. At the same time, in the case
of a breach of medical information, this bill would also provide
patients with additional items of information that are not
required under the HITECH Act. Specifically, the bill would
require that the breach notification contain the toll-free
telephone numbers and addresses of the major credit reporting
agencies if the breach exposed a social security number or
driver's license or California identification card number.
Unlike the HITECH Act, this bill would also require that
individuals be told if the notification was delayed as a result
of a law enforcement investigation (if that information is
possible to determine at the time the notice is provided). And,
this bill would require that the breach notification be written
in "plain language," a requirement not contained in the HITECH
Act. It is also important to note that HITECH's notice
requirements are qualified and entities must provide the
specified information only "to the extent possible."
3. Other states' experience
A number of other states have enacted breach notification laws
which impose standardized notice requirements. According to the
author's office, 14 other states, including Michigan, New
Hampshire, New York, and North Carolina, have breach notification
laws which standardize the content of the notices. Many of
these requirements are similar to those proposed by this bill.
For example, Hawaii, Iowa, Michigan, North Carolina, New
Hampshire, Oregon, Vermont, and Virginia all require that the
notice contain a description of the incident in general terms.
These same states, plus Maryland and New York, also require that
the breach notification contain a description of the type of
personal information that was breached. All of these states,
except for Iowa, require that the notice include contact
information for the data holder. (See
http://www.perkinscoie.com/statebreachchart/.)
4. Notification to Attorney General where more than 500
California residents affected by a single breach
This bill would require an agency, person, or business to submit
a security breach notification electronically to the Attorney
General when more than 500 California residents are affected by
a single breach of the security system. The author indicates
that similar provisions are contained in other state breach
laws. For example, several state laws require notification to
the Attorney General, credit reporting agencies, and, in the case
of New York, the Office of Cyber Security and Critical
Infrastructure Coordination. By requiring notification to the
Attorney General in cases where more than 500 California
residents are affected by a single breach, this bill would allow
the Attorney General to track breaches, look at trends, and
investigate a major breach, if he or she deemed it to be
necessary.
5. Amendments to last year's SB 20 addressed concerns raised
by stakeholders at that time
This bill is identical to the enrolled version of SB 20
(Simitian, 2008). When that bill was heard in this committee
last year it was opposed by various groups representing the
financial, insurance, and technology industries. As the bill
moved through the legislative process, however, the author made
several amendments to the bill which addressed opposition
concerns raised at that time, including deleting the requirement
that the breach notification contain the number of persons
affected by the breach. As a result, there was no listed
opposition to the enrolled version of SB 20. As discussed in
more detail in Comment 6, below, the California Hospital
Association has an "oppose unless amended" position on SB 1166,
although it did not have a position on SB 20.
6. California Hospital Association concerns
The California Hospital Association (CHA) opposes this bill
unless it is amended to include a specified exemption. CHA
writes that its member hospitals are currently subject to two
"extensive sets of requirements" that require notification in
the case of security breach. Specifically, CHA notes that
Health and Safety Code Section 1280.15, added by SB 541
(Alquist, Ch. 605, Stats. 2008), requires health care facilities
to provide notice to a patient if his or her medical information
is accessed, used, or disclosed unlawfully or without
authorization. The notice, which must also be provided to the
Department of Public Health, must be issued no later than five
business days after the breach is detected unless notification
would impede law enforcement's investigation of the incident.
CHA also notes that the recently enacted HITECH Act requires
that specified information be included in the breach
notification. (See Comment 2 for additional detail.) In
opposition, CHA writes:
CHA opposes subjecting California hospitals to another very
specific breach notification requirement, requiring hospitals
to report a breach to another government agency, and
subjecting hospitals to another set of penalties for each
breach. . . . The continuing and increasing disconnect
between state and federal laws forces hospitals to assign
increasing numbers of resources (personnel and financial) to
the complex preemption and reconciliation tasks required by
these laws, thus directing resources away from direct patient
care value-added activities or further increasing health care
costs.
As discussed in Comment 2, however, this bill's requirements are
consistent with the requirements of the HITECH Act and therefore
compliance with both the bill and the HITECH Act should not be
overly burdensome. In addition, in the case of a breach of
medical information, this bill would require patients to also be
provided with two additional items of information not required
under the HITECH Act: (1) the toll-free telephone numbers and
addresses of the major credit reporting agencies if the breach
exposed a social security number or driver's license or
California identification card number and (2) whether the
notification was delayed as a result of a law enforcement
investigation, if that information is possible to determine at
the time the notice is provided. The author indicates that the
bill is not intended to require hospitals to issue more than one
security breach notification after a breach. In fact, it would
seem that a hospital could simply issue a single notice
containing the items of information required under both this
bill and the HITECH Act.
CHA also raises concerns that there are timing issues with
respect to the issuance of a notice under Health and Safety Code
Section 1280.15 (requiring notice within five business days
after the breach is detected unless a law enforcement
investigation is impeded) and under the HITECH Act (requiring
that notice be provided without unreasonable delay and in no
case later than 60 calendar days after discovery of the breach).
While these timeframes appear to be consistent, any concerns
about them relate more to existing law rather than to this bill.
This bill does not impose a requirement for notification where
one does not now exist, and it does not change the timing of the
notice. Instead the bill imposes requirements concerning the
content of the notices that are sent to consumers.
7. Governor's veto of SB 20
The enrolled version of last year's SB 20 was identical to the
current version of SB 1166. In vetoing SB 20, the governor
stated:
California's landmark law on data breach notification has had
many beneficial results. Informing individuals whose personal
information was compromised in a breach of what their risks
are and what they can do to protect themselves is an important
consumer protection benefit. This bill is unnecessary,
however, because there is no evidence that there is a problem
with the information provided to consumers. Moreover, there
is no additional consumer benefit gained by requiring the
Attorney General to become a repository of breach notices when
this measure does not require the Attorney General to do
anything with the notices. Since this measure would place
additional unnecessary mandates on businesses without a
corresponding consumer benefit, I am unable to sign this bill.
Support: American Civil Liberties Union; Consumer Federation of
California; Privacy Rights Clearinghouse
Opposition: California Hospital Association
HISTORY
Source: Author
Related Pending Legislation: None Known
Prior Legislation:
SB 20 (Simitian, 2009) would have required that breach
notifications be written in plain language and contain specified
information. The enrolled version of that bill was identical to
SB 1166. This bill was vetoed (See Comments 5 and 6).
SB 364 (Simitian, 2008) also would have required that breach
notifications be written in plain language and contain specified
information. This bill was vetoed.
AB 1656 (Jones, 2008) would have, among other things, required a
person, business, or agency that maintains personal information
to include specified items in a breach notification to the owner
or licensee of the information. This bill was vetoed.
AB 779 (Jones, 2007), among other things, would have provided
that the Office of Privacy Protection be notified if substitute
notice was used and would have required an agency, person, or
business that owns, licenses, or maintains personal information
related to various payment devices to notify the owner,
licensee, or California resident of a security data breach. The
bill would have required that the notification contain certain
items of information, including, among other things, when the
breach occurred and the categories of personal information
breached. This bill was vetoed.
AB 2505 (Nunez, 2006) would have provided that the Office of
Privacy Protection be notified if substitute notice was used.
This bill died on the Senate Floor.
SB 852 (Bowen, 2006) would have required that a security breach
notification be issued regardless of whether or not the data
breached was computerized. The bill would also have required
notice to the Office of Privacy Protection. This bill died in
the Assembly Business and Professions Committee.