BILL ANALYSIS
SB 1166
Page 1
Date of Hearing: August 4, 2010
ASSEMBLY COMMITTEE ON APPROPRIATIONS
Felipe Fuentes, Chair
SB 1166 (Simitian) - As Amended: August 2, 2010
Policy Committee: Judiciary    Vote: 7-3
Urgency: No    State Mandated Local Program: No
Reimbursable:
SUMMARY
This bill establishes additional notification requirements
following a security breach of a computerized data system.
Specifically, this bill:
1) Requires the notification required by state agencies and
private entities following a security breach to contain
specified information, including the types of personal
information believed to have been breached, a general
description of the breach, whether notification was delayed
due to a law enforcement investigation, and toll-free phone
numbers and addresses of major credit reporting agencies if
the breach exposed a social security number or a driver's
license or California identification card number.
2) Requires the notification to also include, if possible to
determine at the time the notice is provided, any of the
following: (a) the date of the breach; (b) the estimated date
of the breach; or (c) the date range within which the breach
occurred.
3) Provides state agencies and private entities discretion to
include in the breach notification:
a) Information on steps taken to protect individuals whose
personal information has been breached.
b) Advice on what such individuals can do to protect
themselves.
4) Exempts a private entity from the above notification
requirements if the entity complies with the data breach
notification requirements of the federal Health Information
Technology for Economic and Clinical Health (HITECH) Act.
5) Requires a state agency or private entity that is required to
notify more than 500 California residents of a breach to
electronically submit a copy of the notification, excluding
any personally identifiable information, to the Attorney
General.
6) Requires the breach notification to be submitted, in the case
of a state agency, to the Office of Information Security
within the office of the State Chief Information Officer, and
in the case of a private entity, to the Office of Privacy
Protection within the State and Consumer Services Agency.
FISCAL EFFECT
Minor absorbable costs for state agencies to comply with the
specified notification requirements.
COMMENTS
1) Purpose. Under existing law, a person, business, or state
agency that keeps, maintains, or leases computerized data that
contains personal information must notify anyone whose
personal information is compromised as a result of a data
breach. The law permits the person, business, or state agency
to use "substitute notice" if the number of persons affected
would make personal notice prohibitively expensive or
impractical, or if the affected person's contact information
is not available. Beyond these provisions, existing law does
not create any requirements as to the form and content of the
required notices. This bill seeks to correct that deficiency.
2) Prior Legislation. SB 20 (Simitian) of 2009, an almost
identical bill with no registered opposition, was vetoed. The
governor argued, in part, that "there is no evidence that
there is a problem with the information provided to consumers"
in the event of a data breach.
Three other similar but more expansive bills, SB 364
(Simitian) of 2008, AB 1656 (Jones) of 2008, and AB 779
(Jones) of 2007, were also vetoed.
Analysis Prepared by : Chuck Nicol / APPR. / (916) 319-2081