BILL ANALYSIS
SENATE JUDICIARY COMMITTEE
Senator Hannah-Beth Jackson, Chair
2013-2014 Regular Session
AB 1710 (Dickinson)
As Amended June 5, 2014
Hearing Date: June 24, 2014
Fiscal: No
Urgency: No
TMW
SUBJECT
Personal Information: Privacy
DESCRIPTION
This bill would enact various changes to the Data Breach
Notification Law, including implementing a specific encryption
standard for the law's safe harbor provisions (breached
encrypted data is not subject to notification), expanding the
notification required by those who "maintain" but do not "own"
personal information, and requiring the source of the breach to
offer appropriate identity theft prevention and mitigation
services at no cost. The bill would also explicitly ban the
sale, advertising for sale, or offering for sale of an
individual's social security number.
(This analysis reflects author's amendments to be offered in
Committee.)
BACKGROUND
On December 19, 2013, Target Corporation announced that it had
suffered a major data breach. During the height of the
Christmas shopping season, hackers infiltrated the retailer's
point-of-sale network and stole the debit and credit card
information of an estimated 40 million Target shoppers. As
forensic investigations into the breach progressed, Target
announced that the personally identifying information of
approximately 70 million Target customers had also been stolen
from the retailer's computer network. According to press
reports, it appeared that the hackers behind the breach
successfully penetrated and lurked within Target's systems
months before the breach occurred, remaining undetected while
waiting for the start of the holiday shopping season before
striking.
The Target data breach - the second largest in United States
history - will have wide-ranging impacts on both consumers and
industry for a long time to come. In the short-term, an untold
number of Californians whose card numbers or personal
information was stolen will be at greater risk of identity theft
and payment card fraud. Financial institutions have already
expended over $170 million to reissue over 17 million credit and
debit cards that were compromised by the breach, a number likely
to grow over time. (See http://www.cbanet.org.) Multiple
class-action lawsuits have also been filed in jurisdictions
across the country, and the Attorneys General of several states
have initiated investigations into the breach. Businesses that
were not directly affected by the breach are re-examining their
internal security, and many are likely to redouble efforts to
protect their networks from similar sorts of intrusions.
Both the upscale retailer Neiman Marcus and the craft store
Michaels also reported data breaches during the 2013 holiday
season. Indeed, in a notification circulated to certain
retailers in January, the Federal Bureau of Investigation (FBI)
revealed that the point-of-sale networks of no fewer than twenty
retailers were attacked by hackers in 2013. Furthermore, the
scope of computer networks targeted by hackers intent on
stealing sensitive personal and financial information extends
far beyond the retail sector. According to a database of
breaches maintained by the Privacy Rights Clearinghouse, nearly
200 different organizations were subject to malicious hacking
during the thirteen months that began in January 2013. (See
http://www.privacyrights.org/data-breach.) Besides retail, the
affected organizations spanned across the hospitality,
education, health care, telecommunications, news media, social
media, financial, and gaming sectors. Since 2005, over 660
million records have been compromised in more than 4,100
publicly acknowledged data breaches.
The scale of recent attacks against major retailers has drawn
particular attention to the vulnerability of electronic payment
systems and to fraud prevention and data security efforts within
the retail environment. Fundamentally, electronic payment
systems cannot function without the trust of those who use them.
Customers want assurances that their personal information is
safe when they swipe a credit or debit card at a point-of-sale
terminal, or when they provide credit or debit card information
to a merchant online. Retailers, card issuers, card networks,
and payment processors want assurances that customers who use a
card or card number in a transaction actually own or are
authorized to use the card.
The task of safeguarding consumers' personal and financial
information has become a multi-billion dollar industry populated
by thousands of participants, each with a slightly different
role in a vast and extremely complex payment network. The
variation and complexity of the payment card space and the
multitude of different entities that occupy it cannot and should
not be underestimated, but must be understood if policymakers
are to ensure the security of sensitive information within the
retail environment.
On February 25, 2014, the Senate Banking and Financial
Institutions Committee and Senate Judiciary Committee jointly
convened an informational hearing titled, "Beyond the Breach:
Protecting Consumers' Personal Information in the Retail
Environment." That joint hearing reviewed retail electronic
payment systems and gave members of the Committees and other
interested parties an opportunity to ask experts from across the
industry about efforts to combat fraud, prevent data breaches,
and keep sensitive personal and financial information safe. The
Assembly Banking and Finance Committee and the Assembly
Judiciary Committee also held an oversight hearing to discuss
the current process for data breaches and how California can
improve this process, titled, "Is Our Personal Data Really Safe
and Secure: A Review of the Recent Data Breaches."
AB 1710 seeks to address data breaches by expanding the security
practices and notification required by those who "maintain" but
do not "own or license" personal information and requiring the
source of the breach to offer appropriate identity theft
prevention and mitigation services at no cost. The bill would
also explicitly ban the sale, advertising for sale, or offering
for sale of an individual's social security number.
CHANGES TO EXISTING LAW
1. Existing law requires a business that owns or licenses
personal information about a California resident to implement
and maintain reasonable security procedures and practices
appropriate to the nature of the information, to protect the
personal information from unauthorized access, destruction,
use, modification, or disclosure. (Civ. Code Sec.
1798.81.5(b).)
Existing law further provides that a business that discloses
personal information about a California resident pursuant to a
contract with a nonaffiliated third party shall require by
contract that the third party implement and maintain
reasonable security procedures and practices appropriate to
the nature of the information, to protect the personal
information from unauthorized access, destruction, use,
modification, or disclosure. (Civ. Code Sec. 1798.81.5(c).)
Existing law requires any agency, person, or business that
owns or licenses computerized data that includes personal
information to disclose a breach of the security of the system
to any California resident whose unencrypted personal
information was, or is reasonably believed to have been,
acquired by an unauthorized person. The disclosure must be
made in the most expedient time possible and without
unreasonable delay, consistent with the legitimate needs of
law enforcement, as specified. (Civ. Code Secs. 1798.29(a),
(c), 1798.82(a), (c).)
Existing law requires any agency, person, or business that
maintains computerized data that includes personal information
that the agency, person, or business does not own to notify
the owner or licensee of the information of any security
breach immediately following discovery if the personal
information was, or is reasonably believed to have been,
acquired by an unauthorized person. (Civ. Code Secs.
1798.29(b), 1798.82(b).)
Existing law defines "personal information," for purposes of
the breach notification statute, to include the individual's
first name or first initial and last name in combination with
one or more of the following data elements, when either the
name or the data elements are not encrypted: social security
number; driver's license number or California Identification
Card number; account number, credit or debit card number, in
combination with any required security code, access code, or
password that would permit access to an individual's financial
account; medical information; or health insurance information.
"Personal information" does not include publicly available
information that is lawfully made available to the general
public from federal, state, or local government records.
(Civ. Code Secs. 1798.29(g), (h), 1798.82(h), (i).)
This bill would apply the above security practices and
notification requirements to businesses that maintain personal
information.
This bill would require a person or business that maintains
computerized data that includes personal information to notify
the subject persons of the breach of the security where 500 or
more subject persons are affected and credit card or debit card
data was, or is reasonably believed to have been, acquired by an
unauthorized person. That notice would be given at the same time
that notice is given to the owner or licensee, by United States
mail if the person or business has a mailing address for the
subject persons, or by email if the person or business has an
email address for the subject persons. If the subject persons
cannot be notified by mail or email, this bill would require the
person or business to provide notice by the following methods:
conspicuous posting of the notice on the Internet Web
site page of the person or business, if the person or
business maintains an Internet Web site page, for at least
30 days; and
notification to major statewide media.
This bill would authorize the owner or licensee of
computerized data that includes personal information and a
person or business that maintains such data to agree, by
written contract, which party will notify the subject persons
whose personal information was, or is reasonably believed to
have been, acquired by an unauthorized person of the breach of
the security.
This bill would require that, if the person or business
providing the notification was the source of the breach, and
the breach exposed or may have exposed personal information, as
defined, the notification include an offer to provide
appropriate identity theft prevention and mitigation services,
if any, at no cost to the affected person for not less than 12
months, along with all information necessary to take advantage
of the offer, to any person whose information was or may have
been breached.
2. Existing law prohibits businesses from requesting or
requiring as a condition to accepting a credit card as
payment, any personal identification information related to
the cardholder, but authorizes a business that accepts credit
cards to require, as a condition of accepting the card that
the cardholder provides reasonable forms of identification,
including, but not limited to, a driver's license or state
identification card, provided that the identification is not
written or recorded. (Civ. Code Sec. 1747.08.)
Existing law prohibits a person or entity from publicly
posting or publicly displaying a person's social security
number (SSN) and defines "publicly post" or "publicly display"
to mean intentionally communicating or otherwise making
available to the general public. (Civ. Code Sec.
1798.85(a)(1).)
Existing law prohibits a person or entity from taking
specified actions that might compromise an individual's SSN,
including printing an SSN on any card required to access goods
or services, requiring a person to transmit an SSN over the
Internet without a secure connection or encryption, requiring
a person to use his or her SSN to access an Internet Web site,
except as specified, or printing an individual's SSN on any
materials that are mailed to the individual, unless the SSN is
required to be on the mailed document by state or federal law.
(Civ. Code Sec. 1798.85(a)(2)-(5).)
This bill would also prohibit a person or entity from selling,
advertising for sale, or offering to sell an individual's SSN.
This bill would provide that "sell" would not include the
release of an individual's SSN if the release of the SSN is
incidental to a larger transaction and is necessary to
identify the individual in order to accomplish a legitimate
business purpose.
This bill would also provide that "sell" would not include the
release of an individual's SSN for a purpose specifically
authorized or specifically allowed by federal or state law.
This bill would clarify that the release of an SSN for the
purpose of marketing is not a legitimate business purpose.
COMMENT
1. Stated need for the bill
The author writes:
AB 1710 stems from the recent mega data breaches affecting
specified retailers. Following these mega data breaches, the
Assembly Banking and Finance Committee and the Assembly
Judiciary Committee held an oversight hearing to discuss the
current process for data breaches and how California can
improve this process, titled, "Is Our Personal Data Really
Safe and Secure: A Review of the Recent Data Breaches." AB
1710 addresses the issues raised at this hearing and reflects
the areas of law that need clarification. The recent examples
of mega data breaches emphasized the importance of disclosure
and accountability. All too often, data breaches happen and
consumers receive a notice in the mail from a financial
institution stating their personal information may have been
breached. The consumer is not made aware where the personal
information was compromised and might interpret the letter to
believe the breach occurred at the financial institution.
Under existing law, financial institutions are considered the
owners of personal information and therefore must provide the
notification, although the breach most often did not occur at
a bank or credit union. AB 1710 will provide clarity to
consumers because it will require the maintainers of personal
information which could be a retailer to disclose to a
consumer that a breach occurred and their personal information
may have been breached. This allows a consumer to: 1) be
proactive by contacting their financial institution and/or
credit reporting agency; and, 2) have the option to not shop
at a retail establishment that may not maintain personal
information in a safe and secure manner.
2. Increasing data breach notification requirements
Existing law requires businesses that own or license
computerized data that includes personal information of
customers to disclose a breach of the security of the system to
any California resident whose unencrypted personal information
was, or is reasonably believed to have been, acquired by an
unauthorized person. That disclosure must be made in the most
expedient time possible and without unreasonable delay.
Proponents, the American Civil Liberties Union, Consumer
Federation of California, and Consumer Watchdog, argue that this
bill is necessary because "[c]onsumer privacy should never take
a back seat to the profit motive. News reports suggest that
Neiman Marcus delayed issuing notice of a December 2013 breach
involving over one million credit cards until after the end of
the Christmas shopping season. Withholding notice deprived
consumers of information that might have led them to take
preventive measures such as the placement of a credit freeze on
their credit report before the damage is done. . . . Experience
shows that some businesses will only safeguard privacy when the
price for violating that privacy overcomes the appetite for data
marketing purposes."
In addition to notifying the owner or licensee of the data, this
bill would require businesses that maintain data to notify
consumers if a breach of personal information affects 500 or
more consumers when credit card or debit card data was, or is
reasonably believed to have been, acquired by an unauthorized
person. This notice would be required to be given by mail or
email, and, if the business does not have the consumer's mailing
or email address, the notice must be provided conspicuously on
the business's Internet Web site for at least 30 days and
through major statewide media. With these various notification
methods, this bill seeks to ensure that consumers are informed
of security breaches so that consumers can take steps to protect
against unauthorized uses of their personal information. This
bill would also require the person or business providing
notification that was the source of the breach to provide
affected consumers with identity theft prevention and mitigation
services for a minimum of 12 months.
This bill seeks to strike a balance between increased consumer
protection and business control over notification responsibility
by authorizing the owner or licensee of the computerized data to
contract with the party that maintains the data to decide which
party will notify subject persons of the breach of the security
of the data.
3. Prohibiting sale of Social Security Numbers (SSNs)
Existing law prohibits businesses from requesting, or requiring
as a condition to accepting a credit card as payment, any
personal identification information related to the cardholder,
but authorizes a business that accepts credit cards to require,
as a condition of accepting the card that the cardholder
provides reasonable forms of identification, including, but not
limited to, a driver's license or state identification card,
provided that the identification is not written or recorded.
This bill would prohibit a business from selling, advertising
for sale, or offering to sell a consumer's SSN.
Notably, this bill would clarify that the prohibition on selling
an individual's SSN would not include the release of an
individual's SSN if the release of the SSN is incidental to a
larger transaction and is necessary to identify the individual
in order to accomplish a legitimate business purpose or for a
purpose specifically authorized or allowed by federal or state
law. However, this bill would make the release of an SSN for
marketing purposes unlawful.
4. Oppositions' concerns
Opponents assert that the new requirements and prohibitions on
entities that maintain personal and payment card information
establish new operational burdens and will result in unnecessary
dual notification of data breaches to consumers. Further,
opponents argue that the identity theft mitigation requirements
are unnecessary because of existing industry services.
Opponents also contend that the encryption requirement is
unnecessary since encrypted data is useless to hackers unless
they have the encryption keys. Further, opponents argue that
government entities should not be exempt from the provisions of
this bill since they are a large repository of personal
information.
5. Author's amendments
In response to the oppositions' concerns raised above, the
author offers the following amendments to be taken in Committee.
Author's amendments:
1. On page 4, in line 30, after "whose" insert
"unencrypted"
2. On page 4, in line 32, strike "unless the data was
encrypted", strike lines 33-35, and in line 36, strike
"from time to time"
3. On page 5, strike lines 7-8, and in line 9, strike
"affected by the breach" and insert: "(2) A person or
business that maintains computerized data that includes
personal information shall notify subject persons affecting
500 or more of the breach of the security when credit card
or debit card data was, or is reasonably believed to have
been, acquired by an unauthorized person"
4. On page 5, between lines 18 and 19, insert "(3)
Notwithstanding (b) (1), the owner or licensee of
computerized data that include personal information and a
person or business that maintains computerized data that
includes personal information may agree based on a written
contractual agreement which party will notify subject
persons of the breach of the security whose personal
information was, or is reasonably believed to have been
acquired by an unauthorized person."
5. On page 6, in line 14, strike "24" and insert "12"
6. On page 7, in line 38, strike "in", strike lines 39-40,
and on page 8, strike lines 1-2.
Support: American Civil Liberties Union; Consumer Attorneys of
California; Consumer Federation of California (CFC); Consumer
Watchdog; Privacy Rights Clearinghouse (PRC); One Individual
Opposition: American Council of Life Insurers; American
Insurance Association; Association of California Life and Health
Insurance Companies; Association of California Insurance
Companies; California Association of Collectors; California
Association of Licensed Investigators; California Bankers
Association; California Chamber of Commerce; California Cable
and Telecommunications Association; California Grocers
Association; California Hospital Association; California Hotel
and Lodging Association; California Manufacturers & Technology
Association; California Medical Association; California
Restaurant Association; California Retailers Association;
California Travel Association; CTIA The Wireless Association;
Direct Marketing Association; Internet Coalition; Motion Picture
Association of America; Personal Insurance Federation of
California; State Privacy and Security Coalition, Inc.;
TechAmerica; TechNet; The Internet Association
HISTORY
Source: Author
Related Pending Legislation: None Known
Prior Legislation:
SB 46 (Corbett, Ch. 396, Stats. 2013) revised certain data
elements included within the definition of personal information
under California's Data Breach Notification Law, by adding
certain information that would permit access to an online
account and imposed additional requirements on the disclosure of
a breach of the security of the system or data in situations
where the breach involves personal information that would permit
access to an online or email account.
AB 555 (Salas, Ch. 103, Stats. 2013) provided an exemption from
the prohibition on posting or publicly releasing a person's
social security number (SSN) for an adult state correctional
facility, an adult city jail, or an adult county jail, that
releases an inmate's SSN, with the inmate's consent and upon
request by the county veterans service officer or the United
States Department of Veterans Affairs, for the purposes of
determining the inmate's status as a military veteran and his or
her eligibility for federal, state, or local veterans' benefits
or services.
SB 24 (Simitian, Ch. 197, Stats. 2011) required any agency,
person, or business that is required to issue a security breach
notification pursuant to existing law to fulfill certain
additional requirements pertaining to the security breach
notification, and required any agency, person, or business that
is required to issue a security breach notification to more than
500 California residents to electronically submit a single
sample copy of that security breach notification to the Attorney
General.
AB 1298 (Jones, Ch. 699, Stats. 2007), among other things, added
medical information and health insurance information to the data
elements that, when combined with the individual's name, would
constitute personal information requiring disclosure when
acquired, or believed to be acquired, by an unauthorized person
due to a security breach.
AB 1950 (Wiggins, Ch. 877, Stats. 2004) required a business that
owns or licenses personal information about a California
resident to implement and maintain reasonable security
procedures and practices to protect personal information from
unauthorized access, destruction, use, modification, or
disclosure. AB 1950 also required a business that discloses
personal information to a nonaffiliated third party, to require
by contract that those entities maintain reasonable security
procedures.
AB 763 (Liu, Ch. 532, Stats. 2003) prohibited a SSN that is
otherwise permitted to be mailed from being printed, in whole or
in part, on a postcard or other mailer or visible on the
envelope or without the envelope having been opened.
SB 1936 (Peace, Ch. 915, Stats. 2002) enacted California's Data
Breach Notification Law and required a state agency, or a person
or business that conducts business in California, that owns or
licenses computerized data that includes personal information to
disclose any breach of the security of the data to California's
residents whose unencrypted personal information was, or is
reasonably believed to have been, acquired by an unauthorized
person. SB 1936 permitted notifications to be delayed if a law
enforcement agency determines that it would impede a criminal
investigation, and required an agency, person, or business that
maintains computerized data that includes personal information
owned by another to notify the owner or licensee of the
information of any breach of security of the data.
SB 168 (Bowen, Ch. 720, Stats. 2001) prohibited any person or
entity, not including a state or local agency, from using an
individual's SSN in certain ways, including posting it publicly
or requiring it for access to products or services.
Prior Vote:
Assembly Floor (Ayes 43, Noes 25)
Assembly Committee on Banking and Finance (Ayes 8, Noes 3)
Assembly Committee on Judiciary (Ayes 6, Noes 3)