BILL ANALYSIS
SENATE RULES COMMITTEE SB 1166
Office of Senate Floor Analyses
1020 N Street, Suite 524
(916) 651-1520 Fax: (916) 327-4478
VETO
Bill No: SB 1166
Author: Simitian (D)
Amended: 8/2/10
Vote: 21
SENATE JUDICIARY COMMITTEE : 4-1, 3/23/10
AYES: Corbett, Harman, Hancock, Leno
NOES: Walters
SENATE APPROPRIATIONS COMMITTEE : Senate Rule 28.8
SENATE FLOOR : 31-5, 4/15/10
AYES: Aanestad, Alquist, Ashburn, Calderon, Cedillo,
Corbett, Correa, Cox, DeSaulnier, Florez, Hancock,
Harman, Kehoe, Leno, Liu, Lowenthal, Maldonado, Negrete
McLeod, Oropeza, Padilla, Pavley, Price, Romero, Runner,
Simitian, Steinberg, Strickland, Wolk, Wright, Wyland,
Yee
NOES: Cogdill, Dutton, Hollingsworth, Huff, Walters
NO VOTE RECORDED: Denham, Ducheny, Wiggins, Vacancy
ASSEMBLY FLOOR : 50-25, 8/16/10 - See last page for vote
SENATE FLOOR : 31-4, 8/19/10
AYES: Aanestad, Alquist, Ashburn, Calderon, Cedillo,
Corbett, Correa, DeSaulnier, Ducheny, Dutton, Emmerson,
Florez, Hancock, Harman, Kehoe, Leno, Liu, Lowenthal,
Negrete McLeod, Padilla, Pavley, Price, Romero, Runner,
Simitian, Steinberg, Strickland, Wolk, Wright, Wyland,
Yee
NOES: Cogdill, Denham, Hollingsworth, Huff
NO VOTE RECORDED: Oropeza, Walters, Wiggins, Vacancy,
Vacancy
SUBJECT : Privacy: Security breach notifications
SOURCE : Author
DIGEST : This bill amends California's security breach
notification law to provide that any agency, person, or
business required to issue a notification under existing
law must meet additional requirements regarding that
notification. This bill requires that security breach
notifications be written in plain language and contain
certain specified information, including, among other
things, contact information regarding the breach, the types
of information breached, and, if possible to determine, the
date, estimated date, or date range of the breach. This
bill provides that a security breach notification may also
include other specified information, at the discretion of
the entity issuing the notification. This bill provides
that any agency, person, or business that must provide a
security breach notification under existing law to more
than 500 California residents as a result of a single
breach would be required to submit the notification
electronically to the Attorney General.
Assembly Amendments add clarifying language relative to
compliance under the federal Health Insurance Portability
and Accountability Act.
ANALYSIS : Existing law requires any agency, person, or
business that owns or licenses computerized data that
includes personal information to disclose a breach of the
security of the system to any California resident whose
unencrypted personal information was, or is reasonably
believed to have been, acquired by an unauthorized person.
The disclosure must be made in the most expedient time
possible and without unreasonable delay, consistent with
the legitimate needs of law enforcement, as specified.
(Civ. Code Secs. 1798.29(a) and (c) and 1798.82(a) and
(c).)
Existing law requires any agency, person, or business that
maintains computerized data that includes personal
information that the agency, person, or business does not
own to notify the owner or licensee of the information of
any security breach immediately following discovery if the
personal information was, or is reasonably believed to have
been, acquired by an unauthorized person. (Civ. Code Secs.
1798.29(b) and 1798.82(b).)
Existing law defines "personal information," for purposes
of the breach notification statute, to include the
individual's first name or first initial and last name in
combination with any one or more of the following data
elements, when either the name or the data elements are not
encrypted: social security number; driver's license number
or California Identification Card number; account number,
credit or debit card number, in combination with any
required security code, access code, or password that would
permit access to an individual's financial account; medical
information; or health insurance information. "Personal
information" does not include publicly available
information that is lawfully made available to the general
public from federal, state, or local government records.
(Civ. Code Secs. 1798.29(e) and (f) and 1798.82(e) and
(f).)
Existing law requires health care facilities to notify a
patient if his or her medical information is accessed,
used, or disclosed unlawfully or without authorization.
Existing law, which requires the notification to be
provided to the patient within five business days after the
breach is detected unless notification would impede law
enforcement's investigation of the incident, does not
specify the information that must be contained in the
notification. (Health & Saf. Code Sec. 1280.15.)
Existing federal law, the Health Information Technology for
Economic and Clinical Health Act (HITECH Act), requires
covered entities such as health care providers to notify a
patient whose "unsecured protected health information" has
been, or is reasonably believed to have been, accessed,
acquired, or disclosed as a result of the breach. The
HITECH Act requires that notice of the breach include, to
the extent possible, certain items of information,
including the type of unsecured protected health
information breached and the date of the breach. (42
U.S.C. 17932(f).)
This bill provides that any agency, person, or business
required to issue a security breach notification under
existing law must also meet certain requirements regarding
the notification including that it be written in plain
language. This bill also requires that the notification
include, at a minimum, the following information:
1.The name and contact information of the reporting agency,
person, or business;
2.A list of the types of personal information that were or
are reasonably believed to have been the subject of the
breach;
3.Any of the following, if the information is possible to
determine at the time the notice is provided: the date,
estimated date, or date range within which the breach
occurred;
4.The date of the notice;
5.Whether the notification was delayed because of an
investigation by law enforcement, if the information is
possible to determine at the time the notice is provided;
6.A general description of the breach incident, if the
information is possible to determine at the time the
notice is provided; and
7.The toll-free telephone numbers and addresses of the
major credit reporting agencies if the breach exposed a
social security number, or a driver's license or
California identification card number.
This bill provides that an agency, person, or business may
also include the following information in a security breach
notification, at its discretion:
1.Information regarding what the entity has done to protect
individuals whose information has been breached; and
2.Advice on steps that the individual may take to protect
himself or herself.
This bill requires any agency, person, or business that
must provide a security breach notification pursuant to
existing law to more than 500 California residents as a
result of a single breach of the security system to submit
a single sample copy of the notification electronically to
the Attorney General. That copy shall not be considered to
be a record of complaint or investigation under the
California Public Records Act.
Existing law requires an agency, person, or business to
provide breach notification using either written notice,
electronic notice, or substitute notice. An entity may use
substitute notice when it demonstrates that the cost of
providing notice would exceed $250,000, or that the
affected class of persons to be notified exceeds 500,000,
or if the entity does not have sufficient contact
information. Substitute notice must consist of: (a) e-mail
notice when the entity has an e-mail address for the
affected individuals; (b) conspicuous posting of the notice
on the entity's Web site; and (c) notification to major
statewide media. (Civ. Code Secs. 1798.29(g) and
1798.82(g).)
This bill additionally requires notification to the Office
of Information Security within the office of the State
Chief Information Officer when an agency uses substitute
notice and notification to the Office of Privacy Protection
within the State and Consumer Services Agency when a person
or business uses substitute notice.
This bill specifies that a covered entity under the federal
Health Insurance Portability and Accountability Act (42
U.S.C. Sec. 1320d et seq.) will be deemed to have complied
with the notice requirements if it has complied completely
with Section 13402(f) of the federal Health Information
Technology for Economic and Clinical Health Act. However, nothing in
this subdivision shall be construed to exempt a covered
entity from any other provision of this bill.
Prior Legislation
SB 20 (Simitian, 2009), which passed the Senate on 9/4/09
(31-7), would have required that breach notifications be
written in plain language and contain specified
information. The enrolled version of that bill was
identical to SB 1166. This bill was vetoed. In vetoing SB
20, the governor stated:
California's landmark law on data breach notification
has had many beneficial results. Informing
individuals whose personal information was compromised
in a breach of what their risks are and what they can
do to protect themselves is an important consumer
protection benefit. This bill is unnecessary,
however, because there is no evidence that there is a
problem with the information provided to consumers.
Moreover, there is no additional consumer benefit
gained by requiring the Attorney General to become a
repository of breach notices when this measure does
not require the Attorney General to do anything with
the notices. Since this measure would place
additional unnecessary mandates on businesses without
a corresponding consumer benefit, I am unable to sign
this bill.
SB 364 (Simitian, 2008), which passed the Senate on 8/30/09
(38-2) also would have required that breach notifications
be written in plain language and contain specified
information. This bill was vetoed.
AB 1656 (Jones, 2008) would have, among other things,
required a person, business, or agency that maintains
personal information to include specified items in a breach
notification to the owner or licensee of the information.
This bill was vetoed.
AB 779 (Jones, 2007), among other things, would have
provided that the Office of Privacy Protection be notified
if substitute notice was used and would have required an
agency, person, or business that owns, licenses, or
maintains personal information related to various payment
devices to notify the owner, licensee, or California
resident of a security data breach. The bill would have
required that the notification contain certain items of
information, including, among other things, when the breach
occurred and the categories of personal information
breached. This bill was vetoed.
AB 2505 (Nunez, 2006) would have provided that the Office
of Privacy Protection be notified if substitute notice was
used. This bill died on the Senate Floor.
SB 852 (Bowen, 2006) would have required that a security
breach notification be issued regardless of whether or not
the data breached was computerized. The bill would also
have required notice to the Office of Privacy Protection.
This bill died in the Assembly Business and Professions
Committee.
FISCAL EFFECT : Appropriation: No Fiscal Com.: Yes Local: No
SUPPORT : (Verified 8/17/10)
American Civil Liberties Union
California School Employees Association
CALPIRG
Consumer Federation of California
Los Angeles County District Attorney's Office
Privacy Rights Clearinghouse
ARGUMENTS IN SUPPORT : According to the author's office,
"at least fourteen states and Puerto Rico have built upon
California's model and added more detailed requirements for
[security breach notifications (SBNs)] to include certain
types of information. And most of these states require an
entity that suffers a security breach to notify a state
regulator, such as the Attorney General, as well as the
affected individuals." Furthermore, the author notes:
Even the federal government has weighed in; as of
February 19, 2009, for breaches of personal medical
information, individuals have to be notified and those
notifications must contain certain specified content.
Our law is built on the premise that individuals have
a right to know when a data breach has affected them.
Quite simply, in order for consumers to protect
themselves from the unauthorized acquisition and use
of confidential information, the consumer has to know
that an unauthorized acquisition has occurred.
Without that knowledge, consumers aren't even aware of
the need to protect themselves.
In the ensuing years, however, a gap has been
identified in our state statute. While current law
requires data holders to notify individuals when there
has been a data breach of personal information, that
same law is silent on what information should be
contained in the notification. As a result, SBN
letters vary greatly in the information provided,
leaving consumers confused and businesses exposed.
Individuals are left to question what information was
breached, when did the breach occur, and what should
they do to protect themselves. Moreover, data holders
are left exposed and uncertain of what is expected of
them in the event of a breach. SB 1166 fills in this
gap by establishing standard, core content for the
notification letters, thereby ensuring the
notifications actually work. These relatively modest
but helpful changes will enhance consumer knowledge
about, and understanding of, security breaches and the
steps they can take to protect themselves.
The American Civil Liberties Union supports the bill and
notes that when the breach occurred, the type of
information breached, and the ability to quickly contact
credit reporting agencies are all "critical to helping
consumers protect themselves."
In addition, there also appears to be evidence that the
information provided to consumers in breach notification
letters is insufficient. A 2007 study entitled "Security
Breach Notification Laws: Views from Chief Security
Officers" by the Samuelson Law, Technology, and Public
Policy Clinic, at UC Berkeley School of Law found that 28
percent of consumers who received a breach notification
letter did not "understand the data involved or the
potential consequences of the breach after reading the
letter."
GOVERNOR'S VETO MESSAGE:
"I am returning Senate Bill 1166 without my signature.
This bill would require any agency, person, or
business that must issue an information security
breach notification pursuant to existing law to also
fulfill certain additional requirements pertaining to
the security breach notification.
California's landmark law on data breach notification
has had many beneficial results. Informing
individuals whose personal information was compromised
in a breach of what their risks are and what they can
do to protect themselves is an important consumer
protection benefit. This bill is unnecessary, however,
because there is no evidence that there is a problem
with the information provided to consumers. Moreover,
there is no additional consumer benefit gained by
requiring the Attorney General to become a repository
of breach notices when this measure does not require
the Attorney General to do anything with the notices.
Since this measure would place additional unnecessary
mandates on businesses without a corresponding
consumer benefit, I am unable to sign this bill."
ASSEMBLY FLOOR :
AYES: Ammiano, Arambula, Beall, Block, Blumenfield,
Bradford, Brownley, Buchanan, Caballero, Carter, Chesbro,
Coto, De La Torre, De Leon, Eng, Evans, Feuer, Fletcher,
Fong, Fuentes, Furutani, Galgiani, Gatto, Hall, Hayashi,
Hernandez, Hill, Huber, Huffman, Jones, Lieu, Bonnie
Lowenthal, Ma, Mendoza, Monning, Nava, V. Manuel Perez,
Portantino, Ruskin, Salas, Saldana, Skinner, Solorio,
Audra Strickland, Swanson, Torlakson, Torres, Torrico,
Yamada, John A. Perez
NOES: Adams, Anderson, Bill Berryhill, Tom Berryhill,
Conway, Cook, DeVore, Fuller, Gaines, Garrick, Gilmore,
Hagman, Harkey, Jeffries, Knight, Logue, Miller,
Nestande, Niello, Nielsen, Norby, Silva, Smyth, Tran,
Villines
NO VOTE RECORDED: Bass, Blakeslee, Charles Calderon, Davis,
Vacancy
RJG:nl 10/5/10 Senate Floor Analyses
SUPPORT/OPPOSITION: SEE ABOVE