BILL ANALYSIS
SB 852
Page 1
Date of Hearing: June 21, 2005
ASSEMBLY COMMITTEE ON JUDICIARY
Dave Jones, Chair
SB 852 (Bowen) - As Amended: May 23, 2005
SENATE VOTE : 25-13
SUBJECT : PERSONAL INFORMATION DISCLOSURE: BREACH OF SECURITY
KEY ISSUE : SHOULD EXISTING LAW BE EXTENDED TO REQUIRE
DISCLOSURE WHENEVER AN UNAUTHORIZED PERSON ACQUIRES COMPUTERIZED
DATA CONTAINING PERSONAL INFORMATION, NOT ONLY WHEN THE DATA IS
IN ELECTRONIC FORMAT, BUT WHEN IT IS IN ANY FORMAT (I.E.
ELECTRONIC FORM, PAPER, OR TAPE)?
SYNOPSIS
This bill extends existing law's requirements relating to notice
of a breach of the security of the system to also include
non-computerized data. Under current law, a theft or other type
of disclosure of computerized data containing personal
information triggers a notice, while theft or disclosure of
physical records does not. The author and her supporters
believe if names and social security numbers are exposed -
regardless of whether that information is contained in paper,
tapes or electronic files - people have a right to be warned so
they can take appropriate steps to safeguard their identity.
Opponents argue that the bill significantly expands existing law
and would be unworkable.
SUMMARY : Extends existing law's requirement that an agency,
person or business (that conducts business in California and
owns or licenses computerized data that includes personal
information) disclose any breach of the security of the system
to also include disclosure of non-computerized data and makes
related changes. Specifically, this bill :
1)Requires an agency, person, or business that conducts business
in California and owns, licenses, or collects computerized
data to notify any California resident whose personal
information was acquired by an unauthorized person following
discovery or notification of the breach, regardless of whether
the data was in computerized form at the time of the
unauthorized acquisition.
2)Provides that notification may be delayed upon the written or
electronic request of a law enforcement agency if the agency
determines that the notification will impede a criminal
investigation.
3)Provides that the mailing of materials containing personal
information to the individual's current postal or email
address is not a breach of the security of the system.
4)Provides that a name, in combination with a data element
(either a social security number, driver's license or
California identification card number, account number, or
access code) is not personal information if the data element
is encrypted or redacted unless: the encrypted information
was reasonably believed to have been acquired by an
unauthorized person who had access to a key that could be used
to decrypt the information; or an unencrypted or unredacted
data element was acquired in combination with the individual's
address or telephone number.
5)Requires notice to include a description of the elements of
personal information that were, or are reasonably believed to
have been, acquired by an unauthorized person.
6)Requires the agency to notify the three consumer reporting
agencies of the timing, content, and distribution of the
notices and the approximate number of affected persons.
EXISTING LAW :
1)Provides that any public or private entity which owns or
licenses computerized personal information shall provide
notice of any breach in the security of the data which results
in, or is reasonably believed to have resulted in, the
unauthorized acquisition of a California resident's
unencrypted personal information. The notice must be provided
in writing or electronically to each individual whose personal
information may have been disclosed, unless the notice would
cost more than $250,000 or the breach involves more than
500,000 individuals, in which case notice may be provided by
"notification to major statewide media." For purposes of this
section, existing law defines "personal information" as an
individual's name in combination with his or her social
security number, driver's license number, or relevant account
number. (Civil Code sections 1798.29 and 1798.82.)
2)Provides that required notice of a security breach may be
delayed if a law enforcement agency determines the notice
would impede a criminal investigation, and the person,
business, or agency must give notice once the law enforcement
agency has determined the notice will not compromise the
investigation. (Civil Code 1798.29(c), 1798.82(c).)
3)Provides that "personal information" does not include publicly
available information that is lawfully made available to the
general public in government records. (Civil Code 1798.29(f),
1798.82(f).)
FISCAL EFFECT : As currently in print, this bill is keyed
fiscal.
COMMENTS : This bill expands California's law to require
companies and public agencies to notify people anytime their
personal information is lost, stolen, or accessed by the wrong
person, regardless of the format of the data. Under existing
law, notice is required only when computerized data is breached.
The author believes, "If names, Social Security numbers, and
bank account numbers are stolen, it shouldn't matter whether the
thief got unauthorized access to the computer system or stole a
box of tapes or paper files to get that information. ... People
should have the right to be notified so they can take steps,
such as freezing access to credit reports, to prevent identity
theft."
The author explains why the legislature should be concerned
about identity theft:
Despite identity theft laws in California, identity theft
is still the fastest-growing white collar crime in the
state - and in the country. California has the third
highest per capita rate of identity theft in the nation,
behind Arizona and Nevada, according to a February 2005
report by the Federal Trade Commission (FTC) that ranked
identity theft as the number one consumer complaint for the
fifth straight year.
This bill helps fight identity theft by notifying people that
their personal information has been acquired so that they may
take appropriate steps to protect themselves. SB 852 is a
re-introduction of SB 1279 (Bowen) from 2004 which passed the
Senate, but was killed in the Assembly. That bill was
introduced after an incident in which Bank of America
inadvertently sent out 3,800 end-of-year 1099 forms to the wrong
recipients. Bank of America did not notify the individuals
whose information was disclosed until after a series of
newspaper articles were published discussing the event.
Since that time several other incidents have occurred which
would not require disclosure under current California law.
CitiFinancial announced on June 6, 2005 that it lost computer
tapes containing information about 3.9 million U.S. customers.
In May, Time Warner Inc. said that computer backup tapes
containing data on 600,000 individuals were lost. Ameritrade
Holding Corp. also lost computer tapes of some 200,000 current
and former customers in April. In February, Bank of America
announced that it had lost computer tapes containing the
personal information of 1.2 million federal employees. Because
all of these incidents involved information on a tape, rather
than a computer, California's notice laws did not apply. This
bill extends the state's nationally recognized notification
provisions to personal information even when it is in a
non-computerized form (such as paper or backup tape) at the time
it is stolen or released without authorization.
Supporters of SB 852 argue that the bill is necessary to correct
deficiencies in California's current notice law that have become
apparent since its enactment. Consumers Union explains:
The intent of the current California law is to protect
individuals whose personal information has been
compromised. It has provided important benefits to
individuals whose personal information has been leaked by
requiring prompt and effective notification to such
individuals so that they can take proactive steps to
prevent against identity theft and financial harm.
However, current law requires a security breach
notification only when there is a breach of computerized
data. SB 852 expands the breach notification requirement
to cover instances of data breaches involving any data
format, including paper and back-up tapes. Since
significant breaches can occur involving data that is not
computerized, we believe that SB 852 provides an added,
necessary protection missing in current law.
Privacy Rights Clearinghouse remarks that the compromise of
personal information outside of computerized data files is a
common way in which individuals become victims of identity
theft. The California Attorney General's Office states,
"Current law, while important to consumers, is far too
narrow. ... These changes are needed to require notification to
individuals regarding the unauthorized release or dissemination
of their personal identifying information in cases where the
data is not in electronic format."
Law enforcement organizations support providing notice to
potential victims of a security breach as a method of fighting
fraud before it happens.
Opponents of the bill argue that extending computer breach law
to paper is unworkable.
In support of this contention, opponents make several arguments
that seem to challenge the terms of existing law rather than the
contents of this bill. Under current law, a business must
inform any person whose information was, or is reasonably
believed to have been acquired by a third person. They contend
that the "reasonably believed" standard makes the bill a
nightmare because businesses and government entities will have
to send out notices every time there is a chance that
information was acquired. Opponents do not provide any examples
or allegations of why this current state of the law is not
working. Moreover, opponents fail to articulate why the
standard will be impossible as applied to non-computerized
transmissions of personal information, as opposed to computerized
data transmissions. Instead, opponents object that the standard
is inflexible and requires notice if a business reasonably
believes unauthorized persons acquired information. However,
they acknowledge that this is the existing state of the law with
regard to computerized data.
Some opponents argue that the bill would expand the notice
requirement "to far more than just the intentional and malicious
theft of computerized data in other formats." However, the
current law does not require any sort of malfeasance to trigger
the notice requirement. Therefore, this argument seems
misguided.
Industry groups object to the bill's requirement that law
enforcement officers put a request to delay notice in writing
after they've determined that notification will impede a
criminal investigation. Opponents contend that this will create
more work for the police and prevent the notice from being sent
in a timely manner. The author states that law enforcement
officials were questioned about this provision and the officials
stated they did not have a problem with a written notice
requirement. The requirement is intended to draw clear lines
around the time period during which a person, business, or
agency may delay giving notice. It was drafted in response to
current legal proceedings in which a company claimed that its
delay was mandated by police, but the police stated notice could
have been given much sooner than it was.
The Association of California Insurance Companies (ACIC) opposes
the bill in part because it believes that requiring the
notification letter to specify what types of information may
have been acquired will delay notice because it will be
"extremely time consuming" to do this analysis for each
individual who may have been affected. The author responds that
the language of the bill will not require this assessment to be
made on an individual basis. The bill only requires companies
to state the general categories of personal information
reasonably believed to have been acquired.
ACIC also opposes the bill's added requirement that a person,
business, or agency notify the three major consumer reporting
agencies when notice of a breach is sent to 5,000 or more
individuals. ACIC contends it would be difficult for a company
to give the credit reporting agencies sufficient information to
identify each person who was subject to a breach. This concern
is misplaced, since the language of the bill requires only that
the company tell the reporting agency about the general timing,
content, distribution, and number of affected persons - not who
in particular was affected. The author states this provision is
designed to help credit agencies prepare to meet the demands of
customers who will contact the agencies after receiving the
notification letter.
Opponents also object to the bill's elimination of the "public
information" exception which exists under current law. Under
current law, there is no notice requirement for information that
is lawfully made available to the general public from government
records. The bill has a limited definition of what "personal
information" triggers an obligation to disclose. Generally,
this includes a person's last name coupled with a social
security number, driver's license number, or account number and
password. The author's office believes that if any of this
information is, for some reason, on a document that is a public
record, a high security risk still exists if this information is
disclosed with a person's name. Several bills in the last few
years have sought to remove this sort of identification
information from public records. The author believes that an
individual should be informed if this information is disclosed,
regardless of whether it is already a public record.
Finally, opponents argue that the notifications required by the
bill would be harmful because "cyber-criminals will capitalize
on the notices by 'phishing' - that is sending out phony
requests for personal information under the name of the
institutions that have sent the breach notices. The existence
of the breach notices, unfortunately, makes some consumers more
likely to fall for this scam."
Prior Related Legislation. SB 1386 of 2002 (Peace), Chap. 915,
Stats. of 2002, and AB 700 of 2002 (Simitian), Chap. 109, Stats.
of 2002, created the notification procedures for breaches of
computer security in existing law. SB 1279 (Bowen), 2004,
passed in the Senate, but died in Assembly Business and
Professions.
The Author May Wish To Consider Making An Amendment To The Bill
To Require Businesses And Agencies To File A Copy Of Their
General Breach Notice With The Office Of Privacy Protection
(OPP). SB 1 (Speier) required financial institutions to file
certain forms with OPP. Filing with OPP might provide greater
consumer protection because the notice would be publicly
available.
REGISTERED SUPPORT / OPPOSITION :
Support
California Organization of Police and Sheriffs
California School Employees Association
California Public Interest Research Group
Consumers Union
Electronic Frontier Foundation
Identity Theft Resource Center
Office of the Attorney General
Peace Officers Research Association of California
Privacy Rights Clearinghouse
Opposition
American Council of Life Insurers
American Electronics Association
American Insurance Association
Association of California Insurance Companies
Association of California Life and Health Insurance Companies
California Bankers Association
California Chamber of Commerce
California Financial Services Association
California Manufacturers and Technology Association
California Mortgage Bankers Association
California Retailer's Association
Capital One
Concentra Inc.
Direct Marketing Association
Elpac Electronics, Inc.
First American Corporation
Internet Commerce Coalition
Investment Company Institute
Microsoft Corporation
Personal Insurance Federation of California
TransUnion LLC
Analysis Prepared by: Elizabeth Linton / JUD. / (916) 319-2334