BILL ANALYSIS
SB 1166
Page 1
Date of Hearing: June 15, 2010
ASSEMBLY COMMITTEE ON JUDICIARY
Mike Feuer, Chair
SB 1166 (Simitian) - As Introduced: February 18, 2010
SENATE VOTE : 31-5
SUBJECT : Personal Information: Privacy
KEY ISSUE : Should California's Security Breach Notification law
be amended to require that notices be written in plain language
and contain standard information that is useful to the affected
person?
FISCAL EFFECT : As currently in print this bill is keyed fiscal.
SYNOPSIS
This bill would strengthen California's existing breach
notification law by requiring notices to contain specified
information. Existing law requires any agency, person, or
business that keeps or maintains the personal information of
California residents to notify affected residents in the event
the data is compromised by a security breach. This bill would
require the notice to be written in plain language and include
useful information about the nature of the breach and contact
information that allows the affected person to take corrective
action. In addition, sample copies of the notification would be
sent to the Attorney General in cases that affect more than 500
persons. Furthermore, if substitute notice is used, which is
generally permitted in cases that affect large numbers of
persons, a copy would be provided to the Office of Information
Security. This bill is identical to the enrolled version of
last year's SB 20 by the same author. Despite the fact that the
author took several amendments to remove most if not all of the
opposition, the bill was nevertheless vetoed by the Governor on
the grounds that it was "unnecessary," because, the Governor
believed, there was no evidence of any problem with the notices
that are provided now under existing law. It should be noted,
however, that none of the groups that opposed SB 20 when it
appeared before this Committee last year oppose it now. Only
the California Hospital Association (CHA) - which did not take a
position on last year's bill - remains opposed unless the bill
is amended to exempt hospitals who, CHA contends, must already
comply with substantially similar breach notification rules as
HIPAA-covered entities. The analysis recommends an amendment
specifying that if HIPAA-covered entities meet the federal
notice content requirements, they will be deemed to have
complied with the notice content requirements of this bill. The
bill is supported by several privacy rights and consumer groups.
SUMMARY : Requires that a notice required under California's
data security breach law must contain specified information and
a copy of the notice must be sent to appropriate state agencies,
as specified. Specifically, this bill :
1)Provides that when an agency, person, or business is required
to issue a data security breach notification pursuant to
existing law, that notification must be written in plain
language and shall include at a minimum the following
information:
a) The name and contact information of the reporting
agency, person, or business.
b) A list of the types of personal information that were or
are reasonably believed to have been the subject of a
breach.
c) The date, estimated date, or date range within which the
breach occurred, if that information is possible to
determine at the time the notice is provided.
d) Whether the notification was delayed as a result of a
law enforcement investigation, if that information is
possible to determine at the time the notice is provided.
e) A general description of the breach incident, if that
information is possible to determine at the time the notice
is provided.
f) The toll-free telephone numbers and addresses of the
major credit reporting agencies if the breach exposed a
social security number or driver's license or state
identification card number.
2)Provides that, at the discretion of the reporting agency,
person, or business, the notification may include other
information, including information about what the agency has
done to protect the individuals affected by the breach and
what steps those individuals may take to protect themselves.
3)Provides that an agency, person, or business that is required
to issue a data security breach notification to more than 500
California residents must also submit a notification to the
Attorney General, as specified.
4)Provides that if substitute notice is used, as permitted by
existing law, then the reporting person, business, or agency
must also provide notification to the Office of Information
Security within the office of the State Chief Information
Officer.
EXISTING LAW :
1)Requires any state agency that owns or licenses computerized
data that includes personal information to disclose any breach
of the data to any resident of California whose unencrypted
personal information was, or is reasonably believed to have
been, acquired by an unauthorized person. Requires any state
agency that maintains, but does not own, personal information
to notify the owner or licensor of the data of any breach.
Provides further that disclosure shall be made in the most
expedient time possible and without unreasonable delay.
(Civil Code Section 1798.29.)
2)Requires any person or business that conducts business in
California, and that owns or licenses computerized data that
includes personal information to disclose any breach of the
data to any resident of California whose unencrypted personal
information was, or is reasonably believed to have been,
acquired by an unauthorized person. Requires any person or
business that maintains, but does not own, personal
information to notify the owner or licensor of the data of any
breach. Provides further that disclosure shall be made in the
most expedient time possible and without unreasonable delay.
(Civil Code Section 1798.82.)
3)Provides that notice required under the above provisions may
be made by written notice or electronic notice, if the latter
is consistent with federal electronic signature standards.
Provides, however, that substitute notice may be used if the
person, business, or agency determines that the cost of
providing notice would exceed $250,000 or that the affected
class of subject persons exceeds 500,000, or the person,
business, or agency does not have sufficient contact
information. (Civil Code Sections 1798.29 (g) and 1798.82
(g).)
4)Provides that substitute notice, when used, shall consist of
all of the following:
a) E-mail notice when the e-mail address of subject persons
is known.
b) Conspicuous posting of the notice on the Web site of the
person, business, or agency if the person, business, or
agency maintains one.
c) Notification to major statewide media. (Id.)
5)Notwithstanding the above notice requirements, a person,
business, or agency that maintains its own notification
procedures as part of an information security policy that is
consistent with the requirements of the security breach law,
shall be deemed to be in compliance with the notification
requirements of state law if the agency, person, or business notifies subject
persons in accordance with its own policies. (Civil Code
Sections 1798.29 (h) and 1798.82 (h).)
6)Requires, under federal law, any entity covered by the
Health Insurance Portability and Accountability Act (HIPAA)
to notify any person whose personal information is compromised
by a data security breach and specifies the required content
of the notice. (Section 13402(f) of the 2009 Health
Information Technology for Economic and Clinical Health
(HITECH) Act.)
COMMENTS : Under existing law, a person, business, or state
agency that keeps, maintains, or leases computerized data that
contains personal information must provide appropriate notices
if that personal information is compromised as a result of a
data breach. The law permits the person, business, or state
agency to use "substitute notice" if the number of persons
affected would make personal notice prohibitively expensive or
impractical, or if the affected person's contact information is
not available. However, beyond these provisions, existing law
does not create any requirements as to the form and content of
the required notices. This bill seeks to correct that
deficiency by requiring notices to contain specified information
that will be useful to the affected resident and ensure that
there is greater uniformity in the content of security breach
notices. In addition, this bill would require that notification
be sent to the state Attorney General's office for any breaches
that affect more than 500 California residents. Finally, this
bill would also provide that if "substitute notice" is used, as
permitted by existing law, then a copy of the notice should also
be sent to the Office of Information Security within the office
of the State Chief Information Officer.
Governor's Veto of SB 20. This bill is identical to the
enrolled version of last year's SB 20, by the same author. When
SB 20 was heard by this Committee last year, it was opposed by
several groups representing various businesses, including
financial institutions and the hi-tech electronics industry. In
order to address opposition concerns, the author took several
amendments, including amendments that eliminated the requirement
that the breach notice contain the number of persons affected
(which opponents claimed was always subject to change and could
require several notices). In addition, the author added
qualifying amendments to make it clear that information about
the scope and nature of the breach was required only to the
extent that such information was available at the time the
notice was provided. While these amendments apparently removed
all of the registered opposition to the bill by the time the
bill was passed by the Legislature, the bill was nevertheless
vetoed by the Governor as "unnecessary." Specifically, the
Governor's veto message stated:
Informing individuals whose personal information was
compromised in a breach of what their risks are and what
they can do to protect themselves is an important
consumer protection benefit. This bill is unnecessary,
however, because there is no evidence that there is a
problem with the information provided to consumers.
Moreover, there is no additional consumer benefit gained
by requiring the Attorney General to become a repository
of breach notices when this measure does not require the
Attorney General to do anything with the notices. Since
this measure would place additional unnecessary mandates
on businesses without a corresponding consumer benefit,
I am unable to sign this bill.
ARGUMENTS IN SUPPORT : According to the author, California's
first-in-the-nation breach notification statute, which requires
data holders to notify individuals in the event of a breach of
their personal data, was "built on the premise that individuals
have a right to know when a data breach has affected them." If
consumers are unaware of the fact that their personal
information has been compromised, they are unable to take steps
that might protect them from various kinds of fraud or identity
theft. However, according to the author, there remains a
troubling gap in our breach notification law: "while current law
requires data holders to notify individuals when there has been
a data breach of personal information, the same law is silent on
what information should be contained in the notification." As a
result, the author contends, breach notices "vary greatly in the
information provided, leaving consumers confused and businesses
exposed." The author believes that this bill will fill the gap
in existing law and make sure that consumers have adequate
information describing the nature of the breach, the types of
information that have been compromised, and the contact
information that will help the affected individual take
necessary steps of self-protection.
The American Civil Liberties Union (ACLU) supports this bill
because it will provide individuals with a plainly written
description of the breach and relevant self-help and contact
information. The Consumer Federation of California (CFC)
supports this bill for similar reasons, and also alleges that
existing breach notifications "often lack important information
- such as the time of the breach or type of information that was
breached - or are confusing to consumers." This confusion, CFC
maintains, leaves consumers uncertain as to how to go about
protecting themselves from identity theft. Finally, the Privacy
Rights Clearinghouse (PRC) adds that, because California
currently "lacks any centralizing reporting process for security
breaches," it is "therefore difficult for state policy makers to
assess or improve upon our state security breach laws." PRC
believes that requiring that a copy of the notice be sent to the
Attorney General will help the state monitor the problem and
develop appropriate responses. CALPIRG and the California
School Employees Association support the bill for substantially
the same reasons as those noted above.
ARGUMENTS IN OPPOSITION UNLESS AMENDED : The California Hospital
Association (CHA) opposes this bill unless it is amended to
exempt hospitals and other health facilities that are already
required to send breach notifications under federal law whenever
a patient's personal information is compromised by a data
breach. CHA claims that, not only are the state requirements
unnecessarily duplicative, but that mandating specific detail in
state notices may be counterproductive, as hospitals and health
care facilities will be required to trace developments in both
areas of state and federal law and produce two similar, but
slightly different, notices to meet state and federal
requirements. As CHA points out, the breach notice required
under Section 13402(f) of the recent Health Information
Technology for Economic and Clinical Health Act (HITECH) is
strikingly similar to the notice elements in SB 1166. The
HITECH requirements apply to any hospital, plan, or facility
covered by the Health Insurance Portability and Accountability
Act (HIPAA). Because the prescribed content of the HITECH notice is
substantially similar to content that would be required under SB
1166, CHA argues that hospitals - and perhaps all HIPAA-covered
entities subject to HITECH - should be exempted from the
provisions of this bill.
CHA argues that while it might be possible for a hospital to
develop a single form that would cover the elements of both the
HITECH and SB 1166 notices, the problem, according to CHA, is
that hospitals will need to devote staff time and resources to
tracking the ever expanding regulations of both federal and
state law. According to CHA, "the continuing friction between
state and federal regulations currently being developed specific
to [HITECH], forces hospitals to assign increasing numbers of
resources, personnel and financial, to complex related
preemption and reconciliation tasks for these and thus away from
direct patient care value-added activities and further
increasing health costs." In short, while the author's staff
has communicated to the Committee that a hospital could easily
develop a single form that would cover the requirements of both
laws, that is not really CHA's primary concern. Rather, CHA
fears that the hospital would need to track changes in both
federal and state law to make sure that notice - whether there
is one or two - complies with both state and federal law. CHA
believes that this is unnecessary given that both rules seek the
same end - to provide consumers with information about the
breach and steps that they can take to protect themselves.
Comparison between HITECH and SB 1166 Notice Elements : In light
of the objections raised by CHA, it is useful to compare the
specific required notice elements of each:
-------------------------------------------------------------------
|SB 1166 (new subdivision (d))   |HITECH Section 13402(f)         |
|--------------------------------+--------------------------------|
|The name and contact            |A brief description of what     |
|information of the reporting    |happened, including the date of |
|agency.                         |the breach and the date of the  |
|                                |discovery of the breach.        |
|--------------------------------+--------------------------------|
|A list of the types of personal |A description of the types of   |
|information breached.           |the information involved in the |
|                                |breach.                         |
|--------------------------------+--------------------------------|
|If possible to determine, the   |Steps individuals should take to|
|date, estimated date, or date   |protect themselves (regulations |
|range of the breach.            |specify this would include      |
|                                |numbers for credit reporting    |
|                                |agencies).                      |
|--------------------------------+--------------------------------|
|Whether notification was delayed|Description of the steps the    |
|by a law enforcement            |entity is taking to investigate |
|investigation, if known.        |and mitigate the breach.        |
|--------------------------------+--------------------------------|
|A general description of the    |Contact information, including  |
|breach, if possible to determine|toll-free numbers, to obtain    |
|at time of breach.              |additional information.         |
|--------------------------------+--------------------------------|
|Toll-free number of credit      |                                |
|reporting agencies if breach    |                                |
|exposed SSN or DLN.             |                                |
-------------------------------------------------------------------
As the above chart indicates, the notices required by HITECH and
SB 1166 are remarkably similar, although not identical. Indeed
the only difference appears to be that SB 1166 requires the
notice to specify whether the notification was delayed by a law
enforcement investigation. It is also true that SB 1166
expressly requires the notice to contain the contact number of
the credit reporting agencies. Section 13402(f) of HITECH only
states that the notice must contain steps the individual should
take to protect themselves, without expressly requiring
inclusion of the toll-free numbers. However, the interim rules
in the Federal Register state that this requirement should be
met by recommending that the person "contact his or her credit
card company and information about how to contact credit bureaus
and obtain credit card monitoring services (if credit card
information was breached.)" In some ways, HITECH requires more
than SB 1166. For example, where HITECH requires the notice to
include both the steps that the individual should take for self
protection and the steps that the entity is taking to protect
individuals, SB 1166 makes these elements discretionary. In
short, by almost any measure, it appears that the HITECH notice
requirements substantially meet the overall objectives of SB
1166. For that reason, CHA believes that HIPAA-covered entities
should be exempted from the provisions of this bill, and CHA
opposes this bill unless it is so amended.
Proposed Committee Amendments : While many may conclude that
hospitals should be exempted altogether, it does seem reasonable
to add a provision stating that, for any entity subject to
HIPAA, compliance with the notice content requirements of
Section 13402(f) of HITECH will be deemed sufficient to satisfy
the requirements of subdivision (d) under this bill. However,
hospitals and other HIPAA-covered entities would still need to
comply with subdivision (e) - sending a copy of the notice to
the AG - and subdivision (i) - sending a copy to OIS if
substitute notice is used. Moreover, such an amendment would
not absolve HIPAA-covered entities of the duty to send notice
under the state's breach notification law; it would simply say
that for purposes of the specific content of the notices, a
HIPAA-covered entity will be deemed to have satisfied the
content requirements of this bill if it has already met the
substantially similar content requirements of HITECH.
Specifically, the Committee may wish to discuss with the author
the potential merits of the following amendment.
- On page 3 after line 18 insert:
(e) A covered entity under the federal Health Insurance
Portability and Accountability Act (42 U.S.C. Section 1320d et seq.)
will be deemed to have complied with the notice requirements in
subdivision (d) if it has complied completely with Section
13402(f) of the Health Information Technology for Economic and Clinical
Health Act. However, nothing in this subdivision shall be
construed to exempt a covered entity from any other provision of
this section.
- On page 3 line 19 change (e) to (f), and change
following subdivisions accordingly.
It should be noted that this exception is not entirely
inconsistent with existing law. As noted under #5 in the above
existing law summary, a person, business, or agency that
maintains its own notification procedures as part of an
information security policy that is consistent with the
requirements of the breach law "shall be deemed to be in
compliance with" the breach notification law insofar as the
manner in which the notice must be provided. (Civil Code
Section 1798.29 (h)). However, because this bill is adding new
content requirements, and Civil Code Section 1798.29(h) only
applies to methods of acceptable notice (not the contents), the
exemption suggested above would need to be explicit.
REGISTERED SUPPORT / OPPOSITION :
Support
American Civil Liberties Union
California School Employees Association
CALPIRG
Consumer Federation of California
Privacy Rights Clearinghouse
Opposition
California Hospital Association (unless amended)
Analysis Prepared by : Thomas Clark / JUD. / (916) 319-2334