BILL ANALYSIS
AB 964
Date of Hearing: May 20, 2015

ASSEMBLY COMMITTEE ON APPROPRIATIONS
Jimmy Gomez, Chair
AB 964 (Chau) - As Amended May 13, 2015

Policy Committee: Privacy and Consumer Protection    Vote: 7 - 1

Urgency: No    State Mandated Local Program: No    Reimbursable: No

SUMMARY:

This bill:

1) Requires businesses and public agencies, for purposes of the existing data breach notification requirements, to include the date of discovery of the breach in the notice made to the Attorney General.

2) Defines, for purposes of the existing data breach notification requirements for businesses and public agencies, the term "encrypted" to mean "rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security."

FISCAL EFFECT: Negligible fiscal impact.

COMMENTS:

1) Purpose. This bill is intended to improve the public tracking of data breaches by including the date of the breach discovery in the required notice to the Attorney General, while also providing a clarifying definition of the term "encrypted." That definition matters because the notification duty applies only to unencrypted personal information, so whether data counts as "encrypted" determines whether a breach triggers notification at all.

2) Current Law. California's Data Breach Notification Law requires, in part, that public agencies and businesses notify California residents of security breaches if their unencrypted personal information was, or was reasonably believed to have been, accessed by an unauthorized person. When a breach affects more than 500 California residents, the notifying entity must also submit a single copy of the notification to the Attorney General.

While the law contains multiple provisions that speak to the content of the notice, the notice itself may be written or electronic. Businesses may also provide "substitute" notice in cases where the cost of notice exceeds $250,000, where the breach affects more than 500,000 people, or where there is insufficient contact information. A substitute notice includes an email notice where possible, plus conspicuous posting on the business' website and notification to statewide media. Companies may also use their own notification procedures instead, if those procedures are otherwise consistent with the timing requirements of the law.

3) Related Legislation. AB 259 (Dababneh), pending on this committee's Suspense file, requires a public agency that is the source of a data breach to offer at least 12 months of identity-theft prevention and mitigation services at no cost to affected consumers.

SB 34 (Hill), pending referral in the Assembly, amends the Data Breach Notification Law to add to the definition of "personal information" any information or data collected through the use or operation of an automated license plate recognition system.

SB 570 (Jackson), pending in the Senate, amends the Data Breach Notification Law to revise the language of the breach notification itself to make it clearer and more conspicuous.

Analysis Prepared by: Chuck Nicol / APPR. / (916) 319-2081