BILL ANALYSIS
SB 24
Page 1
SENATE THIRD READING
SB 24 (Simitian)
As Amended June 20, 2011
Majority vote
SENATE VOTE: 31-6
JUDICIARY 10-0
Ayes: Feuer, Wagner, Atkins, Dickinson, Beth Gaines, Huber, Huffman,
Jones, Monning, Wieckowski
APPROPRIATIONS 12-4
Ayes: Fuentes, Blumenfield, Bradford, Charles Calderon, Campos,
Gatto, Hall, Hill, Lara, Mitchell, Solorio, Wagner
Nays: Harkey, Donnelly, Nielsen, Norby
SUMMARY: Requires that a notice required under California's
data security breach law must contain specified information and
a copy of the notice must be sent to appropriate state agencies,
as specified. Specifically, this bill:
1)Provides that when an agency, person, or business is required
to issue a data security breach notification pursuant to
existing law, that notification must be written in plain
language and shall include at a minimum the following
information:
a) The name and contact information of the reporting
agency, person, or business;
b) A list of the types of personal information that were or
are reasonably believed to have been the subject of a
breach;
c) The date, estimated date, or date range within which the
breach occurred, if that information is possible to
determine at the time the notice is provided;
d) Whether the notification was delayed as a result of a
law enforcement investigation, if that information is
possible to determine at the time the notice is provided;
e) A general description of the breach incident, if that
information is possible to determine at the time the notice
is provided; and,
f) The toll-free telephone numbers and addresses of the
major credit reporting agencies if the breach exposed a
social security number or driver's license or state
identification card number.
2)Provides that, at the discretion of the reporting agency,
person, or business, the notification may include other
information, including information about what the agency has
done to protect the individuals affected by the breach and
what steps those individuals may take to protect themselves.
3)Provides that an agency, person, or business that is required
to issue a data security breach notification to more than 500
California residents must also submit a notification to the
Attorney General, as specified.
4)Provides that if substitute notice is used, as permitted by
existing law, then a reporting agency must notify major
statewide media and the Office of Information Security within
the California Technology Agency, and a reporting person or
business must notify major statewide media and the Office of
Privacy Protection within the State and Consumer Services
Agency.
5)Specifies that entities covered by the Health Insurance
Portability and Accountability Act (HIPAA) will be deemed to
have complied with the notice provisions of this bill if they
have complied with substantially similar notices that are
already required under federal law.
EXISTING LAW:
1)Requires any state agency that owns or licenses computerized
data that includes personal information to disclose any breach
of the data to any resident of California whose unencrypted
personal information was, or is reasonably believed to have
been, acquired by an unauthorized person. Requires any state
agency that maintains, but does not own, personal information
to notify the owner or licensor of the data of any breach.
Provides further that disclosure shall be made in the most
expedient time possible and without unreasonable delay.
2)Requires any person or business that conducts business in
California, and that owns or licenses computerized data that
includes personal information to disclose any breach of the
data to any resident of California whose unencrypted personal
information was, or is reasonably believed to have been,
acquired by an unauthorized person. Requires any person or
business that maintains, but does not own, personal
information to notify the owner or licensor of the data of any
breach. Provides further that disclosure shall be made in the
most expedient time possible and without unreasonable delay.
3)Provides that notice required under the above provisions may
be made by written notice or electronic notice, if the latter
is consistent with federal electronic signature standards.
Provides, however, that substitute notice, as specified, may
be used if the person, business, or agency determines that the
cost of providing notice would exceed $250,000 or that the
affected class of subject persons exceeds 500,000, or the
person, business, or agency does not have sufficient contact
information.
4)Provides that, notwithstanding the above notice requirements,
a person, business, or agency that maintains its own
notification procedures as part of an information security
policy that is consistent with the requirements of the
security breach law, shall be deemed to be in compliance with
the notification of state law if the agency, person, or
business notifies subject persons in accordance with its own
policies.
5)Requires, under federal law, any entity covered by HIPAA to
notify any person whose personal information is compromised
by a data security breach and specifies the required content
of the notice.
FISCAL EFFECT: According to the Assembly Appropriations
Committee, minor absorbable costs for state agencies to comply
with the specified notification requirements.
COMMENTS: Under existing law, a person, business, or state
agency that keeps, maintains, or leases computerized data that
contains personal information must provide appropriate notices
if that personal information is compromised as a result of a
data breach. The law permits the person, business, or state
agency to use "substitute notice" if the number of persons
affected would make personal notice prohibitively expensive or
impractical, or if the affected person's contact information is
not available. However, beyond these provisions, existing law
does not create any requirements as to the form and content of
the required notices. This bill seeks to correct that
deficiency by requiring notices to contain specified information
that will be useful to the affected resident and ensure that
there is greater uniformity in the content of security breach
notices. In addition, this bill would require that notification
be sent to the State Attorney General's office for any breaches
that affect more than 500 California residents. This bill would
also provide that if "substitute notice" is used, as permitted
by existing law, then a copy of the notice should also be sent
to major statewide media and a designated state office.
Finally, this bill would specify that entities covered by HIPAA
are deemed to have met the notice requirements of this bill if
they meet the substantially similar federal notice requirements
under HIPAA.
According to the author, California's first-in-the-nation breach
notification statute, which requires data holders to notify
individuals in the event of a breach of their personal data, was
based on the premise that individuals have a right to know when
a data breach has occurred and affected them. If consumers are
unaware of the fact that their personal information has been
compromised, they are unable to take steps that might protect
them from various kinds of fraud or identity theft. However,
according to the author, there remains a troubling gap in our
breach notification law: while current law requires data
holders to notify individuals when there has been a data breach
of personal information, it does not specify what kinds of
information the notice must contain. This bill, the author
contends, will establish "standard, core content for security
breach notifications in California." The author believes that
requiring a standard form will ensure that all consumers
affected by a data breach will have adequate information
describing the nature of the breach, the types of data that have
been compromised, and contact information that will help the
affected individual take necessary steps of self-protection.
Analysis Prepared by: Thomas Clark / JUD. / (916) 319-2334
FN: 0001505