BILL ANALYSIS



                                                                     AB 964


                                                                    Page  1





          Date of Hearing:  May 20, 2015


                        ASSEMBLY COMMITTEE ON APPROPRIATIONS


                                 Jimmy Gomez, Chair


          AB 964 (Chau) - As Amended May 13, 2015


           ----------------------------------------------------------------- 
          |Policy       |Privacy and Consumer           |Vote:|7 - 1        |
          |Committee:   |Protection                     |     |             |
           ----------------------------------------------------------------- 


          Urgency:  No  State Mandated Local Program:  No  Reimbursable:  No


          SUMMARY:


          This bill:


          1)Requires businesses and public agencies, for purposes of
            existing data breach notification requirements, to include the
            date of the discovery of the breach in the notice made to the
            Attorney General.


          2)Defines, for purposes of the existing data breach notification  
            requirements for businesses and public agencies, the term  
            "encrypted" to mean "rendered unusable, unreadable, or  
            indecipherable to an unauthorized person through a security  
            technology or methodology generally accepted in the field of  
            information security."


          FISCAL EFFECT:


          Negligible fiscal impact.


          COMMENTS:


          1)Purpose. This bill is intended to improve the public tracking  
            of data breaches by including the date of the breach discovery  
            in the required notice to the Attorney General, while also  
            providing a clarifying definition of the term "encrypted." 


          2)Current Law. California's Data Breach Notification Law  
            requires, in part, that public agencies and businesses notify  
            California residents of security breaches if their unencrypted  
            personal information was, or was reasonably believed to have  
            been, accessed by an unauthorized person. For breaches that affect
            more than 500 California residents, a single copy of the
            notification must be submitted to the Attorney General.



          While the law contains multiple provisions that speak to the
            content of the notice, the notice itself may be written or
            electronic. Businesses may also provide "substitute" notice in
            cases where the cost of notice exceeds $250,000, affects more
            than 500,000 people, or where there is insufficient contact
            information.  A substitute notice includes an email notice
            where possible, plus conspicuous posting on the business'
            website and notification to statewide media.  Companies may
            also use their own notification procedures instead, if those
            procedures are otherwise consistent with the timing
            requirements of the law.


          3)Related Legislation. AB 259 (Dababneh), pending on this  
            committee's Suspense file, requires a public agency that is  
            the source of a data breach to offer at least 12 months of  
            identity-theft prevention and mitigation services at no cost  
            to affected consumers.



            SB 34 (Hill), pending referral in the Assembly, amends the
            Data Breach Notification Law to add to the definition of
            "personal information" any information or data collected
            through the use or operation of an automated license plate
            recognition system.

            SB 570 (Jackson), pending in the Senate, amends the Data  
            Breach Notification Law to revise the language of the breach  
            notification itself to make it clearer and more conspicuous.


          Analysis Prepared by:  Chuck Nicol / APPR. / (916) 319-2081















