BILL ANALYSIS
SENATE JUDICIARY COMMITTEE
Senator Ellen M. Corbett, Chair
2007-2008 Regular Session
SB 364
Senator Simitian
As Amended January 7, 2008
Hearing Date: January 15, 2008
Civil Code
ADM
SUBJECT
Personal Information: Privacy: Security Data Breach
Notification
DESCRIPTION
This bill would amend California's security data breach
notification law to require that security breach
notifications be written in plain language, and include, at
a minimum, certain specified standard information,
including, among other things, the types of information
breached, the date of the breach and notification, and
contact information regarding the breach.
This bill would require, following discovery or
notification of a breach, any agency, person, or business
that owns or licenses computerized data that includes
personal information to submit electronically any security
breach notification sent to California residents to the
Office of Information Security and Privacy Protection
(OISPP, formerly the Office of Privacy Protection).
This bill would require the OISPP to establish a Web site
to which an agency, person, or business must electronically
submit breach notifications, and the OISPP would be
required to make the notifications available to the public
online. The bill would also require the OISPP to annually
report a summary of the information collected and made
available via the Web site to the Legislature.
This bill would provide that any agency, person, or
business that maintains breach notification procedures that
are consistent with the bill's notification information
requirements would be deemed in compliance with security
breach notification law.
(This analysis reflects author's amendments to be offered
in committee.)
BACKGROUND
On January 1, 2003, California's security breach notice law
went into effect. Those statutes provide that any public
agency, person, or business that owns or licenses
computerized data that includes personal information, as
defined, must disclose any security system breach upon
notification or discovery of the breach to any California
resident whose unencrypted personal information was, or is
reasonably believed to have been, acquired by an
unauthorized person.
According to an ongoing chronology by the Privacy Rights
Clearinghouse of security breaches, more than 217 million
records containing sensitive information have been involved
in security breaches since February 2005. The chronology
also shows that at least 5.5 million records held by
entities doing business in California have been involved in
breaches of personal information, and an unknown number of
additional entities have been affected.
For the seventh year in a row, identity theft topped the
Federal Trade Commission's (FTC) list of top 10 consumer
complaints in 2006. Of the close to 700,000 complaints
filed with the FTC that year, 36% related to identity
theft. And, among the 50 states, California ranked third
in identity theft victims, after Arizona and Nevada. The
Director of the FTC's Bureau of Consumer Protection writes
that, "The important thing is that people learn how to
deter identity thieves, detect suspicious activity on their
financial records, and defend against the crime, should it
happen."
A December 2007 study report from the Samuelson Law,
Technology & Public Policy Clinic of the University of
California, Berkeley, Boalt Hall School of Law, found that
security breach notification laws provide strong incentives
for public and private organizations to engage in best
practices with respect to the security of personal
information. The study report also makes a number of
recommendations to improve upon security breach
notification laws, including that breach notifications
should include a standard set of information, and there
should be a centralized clearinghouse of security breach
notifications.
This bill is intended to augment California's security
breach notification law to implement two of the study
report's recommendations, thus allowing Californians to
better deter, detect, and defend against identity theft.
CHANGES TO EXISTING LAW
1. Existing law, the Security Breach Information Act,
provides that any agency, person, or business that owns
or licenses computerized data that includes personal
information, as defined, shall disclose any breach of
security of the system following discovery or
notification of the security breach to any California
resident whose unencrypted personal information was, or
is reasonably believed to have been, acquired by an
unauthorized person. The disclosure must be made in the
most expedient time possible and without unreasonable
delay, consistent with the legitimate needs of law
enforcement, as specified. (Civil Code (CC) Sections
1798.29(a) and (c) and 1798.82(a) and (c).)
Existing law provides that any agency, person, or
business that maintains computerized data that includes
personal information that the agency, person, or business
does not own shall notify the owner or licensee of the
information of any breach of the security of the data
immediately following discovery, if the personal
information was, or is reasonably believed to have been,
acquired by an unauthorized person. (CC Sections
1798.29(b) and 1798.82(b).)
Existing law defines "personal information," for purposes
of notification of security breaches, to include the
individual's first name or first initial and last name in
combination with any one or more of the following data
elements, when either the name or the data elements are
not encrypted: Social Security number; driver's license
number or California Identification Card number; or
account number, credit or debit card number, in
combination with any required security code, access code,
or password that would permit access to an individual's
financial account. "Personal information" does not
include publicly available information that is lawfully
made available to the general public from federal, state,
or local government records. (CC Sections 1798.29(e) and
(f) and 1798.82(e) and (f).)
This bill would require that security breach
notifications sent to California residents be written in
plain language and must include, at a minimum, the
following information:
the toll-free telephone numbers and addresses of
the major credit reporting agencies;
the name and contact information of the reporting
agency, person, or business;
a list of the types of information, such as name or
Social Security number, that were or may have been the
subject of a breach;
the date of a breach, if known, and the date of
discovery of a breach, if known;
the date of the notification, and whether the
notification was delayed pursuant to current law for
law enforcement purposes;
a general description of the breach incident;
the estimated number of persons affected by the
breach; and
whether substitute notice was used.
This bill would require any agency, person, or business
that owns or licenses computerized data that includes
personal information, following the discovery or
notification of the breach of the security of the system,
to submit electronically any security breach notification
sent to California residents to the Office of Information
Security and Privacy Protection (OISPP).
This bill would require the OISPP to establish a Web site
where agencies, persons, or businesses shall submit
electronically breach notifications and shall make the
notifications available to the public online.
This bill would require the OISPP to annually report a
summary of the information collected and made available
via the Web site to the Legislature.
2. Existing law provides that any agency, person, or
business that maintains its own notification procedures
as part of an information security policy for the
treatment of personal information and is otherwise
consistent with the law's timing requirements, shall be
deemed to be in compliance with the security breach
notification law. (CC Sections 1798.29(h) and
1798.82(h).)
This bill would provide that any agency, person, or
business that maintains its own notification procedures
as part of an information security policy for the
treatment of personal information, and whose notification
procedures are otherwise consistent with the notification
information requirements of the bill, would be deemed to
be in compliance with the security breach notification
law.
COMMENT
1. Stated need for the bill
The author writes:
First, although California has security breach
notification statutes, they do not require public
agencies, businesses or persons subject to those
statutes to provide any standard set of information
about a breach. As a result, security breach
notification letters often lack important information
- such as the type of information that was breached or
when the breach occurred - or are confusing to
consumers. This leaves consumers uncertain about how
to respond to the breach or how to protect themselves
from identity theft.
Second, because California lacks any centralized
reporting process for security breaches, it is
impossible for state policy makers to assess or
improve state security breach laws. The state may not
be cognizant of criminal activity patterns or consumer
practices, the analysis of which could aid in
establishing better protections of Californians'
personal, private, and confidential information.
Third, this bill would make relatively minor changes
to the current security breach notification statutes
that would enhance consumer and legislative knowledge
and understanding of security breaches and their
ramifications. The legislature has already had an
opportunity to evaluate these minor improvements in
previous, more expansive legislative proposals.
2. Recent research supports need for augmenting security
breach notification law
In December 2007, the Samuelson Law, Technology & Public
Policy Clinic, University of California-Berkeley School
of Law released a study report entitled "Security Breach
Notification Laws: Views from Chief Security Officers"
(Study). The Study included a comprehensive review of
the literature available on the world of information
security and in-depth interviews with chief information
security officers at a variety of business organizations
nationwide.
The Study made a number of findings, including that
breach notification laws: 1) provide organizations
(public, private, and non-profit) strong incentives to
invest in best practices with respect to information
security; 2) contribute to awareness of the importance of
information security throughout all levels of an
organization; 3) increase cooperation among different
departments within an organization with respect to
information security; 4) have increased requirements that
third party vendors, data collectors, and organizations
comply with information security measures; 5) provide
"lessons learned" across organizations, allowing
organizations to learn from each others' breaches, and
justifying investment in security; and 6) inform and
educate consumers about the importance of being concerned
and diligent about the security of their personal
information.
The Study also identified a number of areas for
improvement in security breach notification laws,
including a uniform minimum information standard
applicable to all security breach notifications,
including basic guidelines for the information included
in security breach notifications, and a centralized
publicly available source for tracking security breaches.
The author asserts that this bill would implement the
above two recommendations of the Study, and thereby
strengthen California's security breach notification law.
3. Clear, standard set of information in security breach
notifications would fill gap in current law
Current law requires any agency, person, or business that
owns, licenses, or maintains computerized unencrypted
personal information to provide notification of a breach
of the security of the information. Current law also
includes certain timing requirements for security breach
notifications. There are not, however, any information
content requirements for breach notifications. The
author provided the committee several examples of breach
notification letters that lack certain basic information
such as the type of information breached, when the breach
occurred, or how to protect against identity theft; and
contain confusing technical or legal jargon.
The Study discussed in Comment 2 provides:
A uniform standard that applies to all security
breaches would ensure that all consumers receive the
same amount of information coming out of a security
breach, and therefore have the same opportunities to
protect themselves. The consistency of information
disclosure is even more important because one of the
primary benefits of security breach notification laws
is that of heightening information exchange and
awareness about information security and privacy
issues.
Notifications can only provide value to consumers if
they have useful information about the [breach]
incident and know what steps can be taken to mitigate
the harm. Notifications provide an opportunity for
consumer education that ... has been bypassed by
notification letters that focus more on obfuscated
language and legal jargon than direct communication. ...
Breach notification letters are difficult to read and
understand; ... Notification laws ... should incorporate
some basic guidelines regarding clarity of language, a
description of the incident, and steps that consumers
can take to protect themselves ....
The author writes that this bill's provisions requiring
notification to be in plain language and contain
specified pieces of information, including the types of
information breached, the dates of the breach and
notification, a general description of the incident, and
contact information for credit reporting agencies would
fill the information gap in current law. The author also
notes that other states' notification laws, including
Michigan, New Hampshire, New York, and North Carolina
have similar requirements.
4. Centralized clearinghouse for security breach
information in Office of Information Security and Privacy
Protection (OISPP) would allow both the public and the
legislature to make better informed information privacy
protection decisions
Current law does not provide for a centralized
clearinghouse for security data breach information. This
bill would do so by providing that security breach
notifications must be sent to the OISPP, which in turn
must provide the information on a publicly available Web
site, and must annually report a summary of the
information collected to the legislature.
The author asserts that a centralized clearinghouse for
security breach notifications, and annual reporting to
the legislature would serve a number of important goals,
including: 1) informing and educating the public and the
legislature so that both may make better informed
decisions with respect to the protection of personal
information on an individual and policy-making basis; 2)
creating an information database for purposes of research
and evaluation of security breach notification laws; 3)
creating a database that may better inform both law
enforcement and others of patterns of criminal activity
and/or consumer practices that need to be addressed; and
4) creating a database of information that may, in the
future, shed light on the connection or interaction
between security data breaches and identity theft.
As noted in the Study discussed in Comment 2:
[F]or information security to become a characteristic
that consumers take into account when purchasing
services, there must be consistent public information
on which analysis and information-gathering can be
based. ... [A] public database of security breaches can
serve as an analytical tool for security
professionals. ... [R]equiring organizations that
suffer a security breach to take the additional step
of filing with a centralized organization could
increase the amount of information available about
security breaches without compromising the security
incentives that notification laws provide. This
database would provide a standardized source of
information to which security professionals can refer
to gather statistics on security vulnerabilities. It
would also give media outlets a reliable source of
information. ... [and] would also assist enforcement
agencies ... in keeping track of repeat offenders
against whom enforcement actions may need to be
brought.
5. Author's and technical amendments
a. Technical amendments to correct drafting errors
On page 3, line 7, delete the word "one," and on line
6, insert the word "one" before the word "the"
On page 3, lines 13-14, delete "one hundred thousand
dollars ($100,000)," and insert "two hundred fifty
thousand dollars ($250,000)"
On page 6, line 36, delete the word "one," and on
line 35, insert the word "one" before the word "the"
On page 7, line 3, delete "one hundred thousand
dollars ($100,000)," and insert "two hundred fifty
thousand dollars ($250,000)"
b. Author's amendments
On page 3, line 27, delete "English," and insert
"language"
On page 3, line 34, after "that," insert "were or"
On page 5, line 37, after "part," insert "and
subdivision (e)(2) and (3)"
On page 7, line 18, delete "English," and insert
"language"
On page 7, line 26, after "that," insert "were or"
On page 9, line 31, after "part," insert "and
subdivision (e)(2) and (3)"
Support: Consumers Union; Consumer Federation of CA;
Electronic Frontier Foundation; Privacy Rights
Clearinghouse
Opposition: None Known
HISTORY
Source: Author
Related Pending Legislation: None Known
Prior Legislation: AB 779 (Jones of 2007) would have, among
a number of other things, provided, under the security data
breach notification law, that the Office of Privacy
Protection (OPP, now OISPP) be notified if substitute
notice of a security breach was used. The bill would also
have required any agency, person, or business that owns,
licenses, or maintains computerized personal data related
to various payment devices to notify the owner, licensee,
or California resident of a security data breach. The
notification would have been required to contain certain
specified standard information, including, among other
things, when the breach occurred and the categories of
personal information breached. This bill was vetoed.

AB 2505 (Nunez of 2006) would have provided, under the
security data breach notification law, that the OPP be
notified if substitute notice was used. This bill died on
the Senate Floor.

SB 852 (Bowen of 2006) would have required a security data
breach notification whether or not the data was
computerized and would have required notice to the OPP.
This bill died in the Assembly Business and Professions
Committee.

SB 1512 (Machado of 2006) would have increased the
threshold dollar amount for the substitute notice provision
under the security data breach notification law from
$250,000 to $500,000. This bill was not pursued after
referral to this committee.
**************