BILL ANALYSIS
SB 1166
Page 1
SENATE THIRD READING
SB 1166 (Simitian)
As Amended August 2, 2010
Majority vote
SENATE VOTE: 31-5
JUDICIARY 7-3
Ayes: Feuer, Brownley, Evans, Jones, Monning, Nava, Huffman
Nays: Tran, Hagman, Knight
APPROPRIATIONS 12-5
Ayes: Fuentes, Bradford, Charles Calderon, Coto, Davis, De Leon, Gatto, Hall, Skinner, Solorio, Torlakson, Torrico
Nays: Conway, Harkey, Miller, Nielsen, Norby
SUMMARY: Requires that a notice required under California's
data security breach law must contain specified information and
a copy of the notice must be sent to appropriate state agencies,
as specified. Specifically, this bill:
1)Provides that when an agency, person, or business is required
to issue a data security breach notification pursuant to
existing law, that notification must be written in plain
language and shall include at a minimum the following
information:
a) The name and contact information of the reporting
agency, person, or business;
b) A list of the types of personal information that were or
are reasonably believed to have been the subject of a
breach;
c) The date, estimated date, or date range within which the
breach occurred, if that information is possible to
determine at the time the notice is provided;
d) Whether the notification was delayed as a result of a
law enforcement investigation, if that information is
possible to determine at the time the notice is provided;
e) A general description of the breach incident, if that
information is possible to determine at the time the notice
is provided; and,
f) The toll-free telephone numbers and addresses of the
major credit reporting agencies if the breach exposed a
social security number or driver's license or state
identification card number.
2)Provides that, at the discretion of the reporting agency,
person, or business, the notification may include other
information, including information about what the agency has
done to protect the individuals affected by the breach and
what steps those individuals may take to protect themselves.
3)Provides that an agency, person, or business that is required
to issue a data security breach notification to more than 500
California residents must also submit a notification to the
Attorney General, as specified.
4)Provides that if substitute notice is used, as permitted by
existing law, then the reporting person, business, or agency
must also provide notification to the Office of Information
Security within the office of the State Chief Information
Officer.
5)Provides that a covered entity under the federal Health
Insurance Portability and Accountability Act (HIPAA) is deemed
to have complied with the provisions of this bill if it has
complied with federal law, as specified.
FISCAL EFFECT: According to the Assembly Appropriations
analysis, minor absorbable costs for state agencies to comply
with the specified notification requirements.
COMMENTS: Under existing law, a person, business, or state
agency that keeps, maintains, or leases computerized data that
contains personal information must provide appropriate notices
if that personal information is compromised as a result of a
data breach. The law permits the person, business, or state
agency to use "substitute notice" if the number of persons
affected would make personal notice prohibitively expensive or
impractical, or if the affected person's contact information is
not available. However, beyond these provisions, existing law
does not create any requirements as to the form and content of
the required notices. This bill seeks to correct that
deficiency by requiring notices to contain specified information
that will be useful to the affected resident and ensure that
there is greater uniformity in the content of security breach
notices. In addition, this bill would require that notification
be sent to the state Attorney General's office for any breaches
that affect more than 500 California residents. Finally, this
bill would also provide that if "substitute notice" is used, as
permitted by existing law, then a copy of the notice should also
be sent to the Office of Information Security within the office
of the State Chief Information Officer.
This bill is similar to the enrolled version of last year's SB
20, which was vetoed by the Governor. Last year's bill was
opposed by several groups representing various businesses,
including financial institutions and the hi-tech electronics
industry. In order to address opposition concerns, the author
took several amendments, including amendments that eliminated
the requirement that the breach notice contain the number of
persons affected (which opponents claimed was always subject to
change and could require several notices). In addition, the
author added qualifying amendments to make it clear that
information about the scope and nature of the breach was
required only to the extent that such information was available
at the time the notice was provided. While these amendments
apparently removed all of the registered opposition to the bill
by the time the bill was passed by the Legislature, the bill was
nevertheless vetoed by the Governor as "unnecessary."
Specifically, the Governor's veto message stated:
Informing individuals whose personal information was
compromised in a breach of what their risks are and what
they can do to protect themselves is an important consumer
protection benefit. This bill is unnecessary, however,
because there is no evidence that there is a problem with
the information provided to consumers. Moreover, there is
no additional consumer benefit gained by requiring the
Attorney General to become a repository of breach notices
when this measure does not require the Attorney General to
do anything with the notices. Since this measure would
place additional unnecessary mandates on businesses without
a corresponding consumer benefit, I am unable to sign this
bill.
Unlike last year's SB 20, this bill, in response to concerns
raised by the California Hospital Association (CHA), carves out
a qualified exemption for entities covered by the federal HIPAA.
Because HIPAA already requires that notices contain information
quite similar to that required by this bill, the CHA contended
that the bill would be unnecessarily duplicative as applied to
covered entities. In order to address this concern, the author
amended the bill to provide that a covered entity under HIPAA
will be deemed to have complied with the provisions of this bill
if it complies with the parallel federal notice requirements.
According to the author, California's first-in-the-nation breach
notification statute, which requires data holders to notify
individuals in the event of a breach of their personal data, was
"built on the premise that individuals have a right to know when
a data breach has affected them." If consumers are unaware of
the fact that their personal information has been compromised,
they are unable to take steps that might protect them from
various kinds of fraud or identity theft. However, according to
the author, there remains a troubling gap in our breach
notification law: "while current law requires data holders to
notify individuals when there has been a data breach of personal
information, the same law is silent on what information should
be contained in the notification." As a result, the author
contends, breach notices "vary greatly in the information
provided, leaving consumers confused and businesses exposed."
The author believes that this bill will fill the gap in existing
law and make sure that consumers have adequate information
describing the nature of the breach, the types of information
that have been compromised, and the contact information that
will help the affected individual take necessary steps of
self-protection.
Analysis Prepared by: Thomas Clark / JUD. / (916) 319-2334
FN: 0005647