BILL ANALYSIS
SENATE RULES COMMITTEE SB 24
Office of Senate Floor Analyses
1020 N Street, Suite 524
(916) 445-6614 Fax: (916) 327-4478
UNFINISHED BUSINESS
Bill No: SB 24
Author: Simitian (D), et al.
Amended: 6/20/11
Vote: 21
SENATE JUDICIARY COMMITTEE : 4-0, 3/22/11
AYES: Evans, Harman, Corbett, Leno
NO VOTE RECORDED: Blakeslee
SENATE APPROPRIATIONS COMMITTEE : Senate Rule 28.8
SENATE FLOOR : 31-6, 4/14/11
AYES: Alquist, Anderson, Blakeslee, Calderon, Cannella, Corbett,
De León, DeSaulnier, Emmerson, Evans, Fuller, Hancock,
Harman, Hernandez, Kehoe, Leno, Lieu, Liu, Lowenthal,
Negrete McLeod, Padilla, Pavley, Price, Rubio, Simitian,
Steinberg, Strickland, Vargas, Wright, Wyland, Yee
NOES: Berryhill, Dutton, Huff, La Malfa, Runner, Walters
NO VOTE RECORDED: Correa, Gaines, Wolk
ASSEMBLY FLOOR : 60-16, 8/15/11 - See last page for vote
SUBJECT : Privacy: security breach notifications
SOURCE : Author
DIGEST : This bill amends California's security breach
notification law to provide that any agency, person, or
business required to issue a notification under existing
SB 24 Page 2
law must meet additional requirements regarding that
notification. This bill requires that security breach
notifications be written in plain language and contain
certain specified information, including, among other
things, contact information regarding the breach, the types
of information breached, and, if possible to determine, the
date, estimated date, or date range of the breach. This
bill provides that a security breach notification may also
include other specified information, at the discretion of
the entity issuing the notification. This bill requires
that any agency, person, or business that must provide a
security breach notification under existing law to more
than 500 California residents as a result of a single
breach submit the notification electronically to the
Attorney General.
Assembly Amendments (1) add a co-author, and (2) provide that
notification of a breach of security be sent to the
California Technology Agency rather than the State Chief
Information Officer.
ANALYSIS : Existing law requires any agency, person, or
business that owns or licenses computerized data that
includes personal information to disclose a breach of the
security of the system to any California resident whose
unencrypted personal information was, or is reasonably
believed to have been, acquired by an unauthorized person.
The disclosure must be made in the most expedient time
possible and without unreasonable delay, consistent with
the legitimate needs of law enforcement, as specified.
(Civil Code [CIV] Sections 1798.29(a) and (c) and
1798.82(a) and (c))
Existing law requires any agency, person, or business that
maintains computerized data that includes personal
information that the agency, person, or business does not
own to notify the owner or licensee of the information of
any security breach immediately following discovery if the
personal information was, or is reasonably believed to have
been, acquired by an unauthorized person. (CIV Sections
1798.29(b) and 1798.82(b))
Existing law defines "personal information," for purposes
of the breach notification statute, to include the
individual's first name or first initial and last name in
combination with any one or more of the following data
elements, when either the name or the data elements are not
encrypted: social security number; driver's license number
or California Identification Card number; account number,
credit or debit card number, in combination with any
required security code, access code, or password that would
permit access to an individual's financial account; medical
information; or health insurance information. "Personal
information" does not include publicly available
information that is lawfully made available to the general
public from federal, state, or local government records.
(CIV Sections 1798.29(e) and (f) and 1798.82(e) and (f))
Existing law requires health care facilities to notify a
patient if his or her medical information is accessed,
used, or disclosed unlawfully or without authorization.
Existing law, which requires the notification to be
provided to the patient within five business days after the
breach is detected unless notification would impede law
enforcement's investigation of the incident, does not
specify the information that must be contained in the
notification. (Health and Safety Code Section 1280.15)
Existing federal law, the Health Information Technology for
Economic and Clinical Health Act (HITECH Act), requires
covered entities such as health care providers to notify a
patient whose "unsecured protected health information" has
been, or is reasonably believed to have been, accessed,
acquired, or disclosed as a result of the breach. The
HITECH Act requires that notice of the breach include, to
the extent possible, certain items of information,
including the type of unsecured protected health
information breached and the date of the breach. (42
United States Code 17932(f))
This bill provides that any agency, person, or business
required to issue a security breach notification under
existing law must also meet certain requirements regarding
the notification including that it be written in plain
language.
This bill also requires that the notification include, at a
minimum, the following information:
1. The name and contact information of the reporting
agency, person, or business;
2. A list of the types of personal information that were or
are reasonably believed to have been the subject of a
breach;
3. Any of the following, if the information is possible to
determine at the time the notice is provided: the date
or estimated date of the breach, or date range within
which the breach occurred;
4. The date of the notice;
5. Whether the notification was delayed because of an
investigation by law enforcement, if the information is
possible to determine at the time the notice is
provided;
6. A general description of the breach incident, if the
information is possible to determine at the time the
notice is provided; and
7. The toll-free telephone numbers and addresses of the
major credit reporting agencies if the breach exposed a
social security number, or a driver's license or
California Identification Card number.
This bill provides that an agency, person, or business may
also include the following information in a security breach
notification, at its discretion:
1. Information regarding what the entity has done to
protect individuals whose information has been breached;
and
2. Advice on steps that the individual may take to protect
himself or herself.
This bill requires any agency, person, or business that
must provide a security breach notification pursuant to
existing law to more than 500 California residents as a
result of a single breach of the security system to submit
a single sample copy of the notification electronically to
the Attorney General. That copy shall not be considered to
be a record of complaint or investigation under the
California Public Records Act.
This bill provides that a "covered entity" under the
federal Health Insurance Portability and Accountability Act
is deemed to have complied with the bill's notification
requirements regarding standardized content if the entity
has complied completely with the notification requirements
contained in the federal HITECH Act.
Existing law requires an agency, person, or business to
provide breach notification using either written notice,
electronic notice, or substitute notice. An entity may use
substitute notice when it demonstrates that the cost of
providing notice would exceed $250,000, or that the
affected class of persons to be notified exceeds 500,000,
or if the entity does not have sufficient contact
information. Substitute notice must consist of: (a)
e-mail notice when the entity has an e-mail address for the
affected individuals; (b) conspicuous posting of the notice
on the entity's Web site; and (c) notification to major
statewide media. (CIV Sections 1798.29(g) and 1798.82(g))
This bill requires notification to the Office of
Information Security within the California Technology
Agency when an agency uses substitute notice and
notification to the Office of Privacy Protection within the
State and Consumer Services Agency when a person or
business uses substitute notice.
Prior Legislation
SB 1166 (Simitian, 2010), which was vetoed, would have
required that breach notifications be written in plain
language and contain specified information. (See veto
message below)
SB 20 (Simitian, 2009), which was vetoed, was identical to
SB 1166. (See veto message below)
SB 364 (Simitian, 2008), which was vetoed, also would have
required that breach notifications be written in plain
language and contain specified information.
AB 1656 (Jones, 2008), which was vetoed, would have, among
other things, required a person, business, or agency that
maintains personal information to include specified items
in a breach notification to the owner or licensee of the
information.
AB 779 (Jones, 2007), which was vetoed, among other things,
would have provided that the Office of Privacy Protection
be notified if substitute notice was used and would have
required an agency, person, or business that owns,
licenses, or maintains personal information related to
various payment devices to notify the owner, licensee, or
California resident of a security data breach. The bill
would also have required that the notification contain
certain items of information, including, among other
things, when the breach occurred and the categories of
personal information breached.
AB 2505 (Nunez, 2006), which died on the Senate Floor,
would have provided that the Office of Privacy Protection
be notified if substitute notice was used.
SB 852 (Bowen, 2006), which died in the Assembly Business
and Professions Committee, would have required that a
security breach notification be issued regardless of
whether or not the data breached was computerized. The
bill would also have required notice to the Office of
Privacy Protection.
Governor Schwarzenegger stated the following in vetoing
both SB 1166 and SB 20:
"California's landmark law on data breach notification
has had many beneficial results. Informing individuals
whose personal information was compromised in a breach of
what their risks are and what they can do to protect
themselves is an important consumer protection benefit.
This bill is unnecessary, however, because there is no
evidence that there is a problem with the information
provided to consumers. Moreover, there is no additional
consumer benefit gained by requiring the Attorney General
to become a repository of breach notices when this
measure does not require the Attorney General to do
anything with the notices. Since this measure would
place additional unnecessary mandates on businesses
without a corresponding consumer benefit, I am unable to
sign this bill."
FISCAL EFFECT : Appropriation: No Fiscal Com.: Yes Local: No
SUPPORT : (Verified 8/16/11)
American Civil Liberties Union
Association of California Healthcare Districts
California Association of Health Underwriters
California Attorney General
California School Employees Association
California State Sheriffs' Association
Consumer Action
Consumer Federation of California
Privacy Activism
Privacy Rights Clearinghouse
ARGUMENTS IN SUPPORT : According to the author:
"In 2002, California adopted a first-in-the-nation
security breach notification statute (AB 700, Simitian,
Chapter 1054, Statutes of 2002), that requires data
holders to notify individuals when there has been a data
breach of personal information. Since that time, 45
other states, as well as the District of Columbia, Puerto
Rico, and the U.S. Virgin Islands, have also enacted
security breach notification laws that are modeled upon
the California statute. This leaves Alabama, Kentucky,
New Mexico and South Dakota as the only remaining states
without a legal requirement to notify affected
individuals in the event of a breach.
"In addition, at least fourteen states [Hawaii, Iowa,
Maryland, Massachusetts, Minnesota, New Hampshire, New
York, North Carolina, Oregon, Vermont, Virginia, West
Virginia, Wisconsin, and Wyoming] and Puerto Rico have
built upon California's model and added more detailed
requirements for SBNs [security breach notifications] to
include certain types of information.
"And most of these states [Alaska, Hawaii, Louisiana,
Maine, Maryland, Massachusetts, New Hampshire, New
Jersey, New York, North Carolina, South Carolina,
Vermont, and Virginia] require an entity that suffers a
security breach to notify a state regulator, such as the
Attorney General, as well as the affected individuals.
"Even the federal government has weighed in; as of
February 19, 2009, for breaches of personal medical
information, individuals have to be notified and those
notifications must contain certain specified content.
"California's law is built on the premise that
individuals have a right to know when a data breach has
affected them. Quite simply, in order for consumers to
protect themselves from the unauthorized acquisition and
use of confidential information, the consumer has to know
that an unauthorized acquisition has occurred. Without
that knowledge, consumers aren't even aware of the need
to protect themselves.
"In the ensuing years, however, a gap has been identified
in our state statute. While current law requires data
holders to notify individuals when there has been a data
breach of personal information, that same law is silent
on what information should be contained in the
notification. As a result, �security breach
notification] letters vary greatly in the information
provided, leaving consumers confused and businesses
exposed.
"Individuals are left to question what information was
breached, when did the breach occur, and what should they
do to protect themselves. Moreover data holders are left
exposed and uncertain of what is expected of them in the
event of a breach. SB 24 fills in this gap by
establishing standard, core content for the notification
letters, thereby ensuring the notifications actually
work.
"These relatively modest but helpful changes will enhance
consumer knowledge about, and understanding of, security
breaches and the steps they can take to protect
themselves."
Privacy Rights Clearinghouse echoes the author, writing
that when breach notifications lack critical information
such as the type of personal information breached and the
date of the breach, consumers are left "uncertain about how
to respond to the breach, or confused about how to protect
themselves from identity theft. SB 24 addresses this
confusion by standardizing the core content contained in
security breach notices."
In addition, there appears to be evidence that the
information provided to consumers in breach notification
letters is insufficient. A 2007 study entitled "Security
Breach Notification Laws: Views from Chief Security
Officers" by the Samuelson Law, Technology, and Public
Policy Clinic, at UC Berkeley School of Law found that 28
percent of consumers who received a breach notification
letter did not "understand the data involved or the
potential consequences of the breach after reading the
letter."
ASSEMBLY FLOOR : 60-16, 8/15/11
AYES: Achadjian, Alejo, Allen, Ammiano, Atkins, Beall,
Block, Bradford, Brownley, Buchanan, Butler, Charles
Calderon, Campos, Carter, Cedillo, Chesbro, Davis,
Dickinson, Eng, Feuer, Fletcher, Fong, Fuentes, Furutani,
Beth Gaines, Galgiani, Gatto, Gordon, Hagman, Hall,
Hayashi, Roger Hernández, Hill, Huber, Hueso, Huffman,
Jeffries, Jones, Lara, Bonnie Lowenthal, Ma, Mendoza,
Miller, Mitchell, Monning, Nestande, Olsen, Pan, Perea,
V. Manuel Pérez, Portantino, Skinner, Solorio, Swanson,
Torres, Wagner, Wieckowski, Williams, Yamada, John A.
Pérez
NOES: Bill Berryhill, Conway, Donnelly, Garrick, Grove,
Halderman, Harkey, Knight, Logue, Mansoor, Morrell,
Nielsen, Norby, Silva, Smyth, Valadao
NO VOTE RECORDED: Blumenfield, Bonilla, Cook, Gorell
RJG:kc 8/16/11 Senate Floor Analyses
SUPPORT/OPPOSITION: SEE ABOVE
**** END ****