BILL ANALYSIS                                                    AB 964
                                                                 Page 1

ASSEMBLY THIRD READING
AB 964 (Chau)
As Amended May 13, 2015
Majority vote

Committee        Votes   Ayes                                    Noes
---------------- ------- --------------------------------------- ------------------
Privacy          7-1     Gatto, Calderon, Chau, Cooper,          Wilk
                         Dababneh, Gordon, Low
Appropriations   11-4    Gomez, Bloom, Bonta, Calderon,          Bigelow, Chang,
                         Eggman, Eduardo Garcia, Holden,         Gallagher, Wagner
                         Quirk, Rendon, Weber, Wood

SUMMARY: Requires data breach notifications made by businesses and public agencies to include the date of discovery of the breach in the notice to the Attorney General. Specifically, this bill:

1)Requires businesses and public agencies, for purposes of existing data breach notification requirements, to include the date of the discovery of the breach in the notice made to the Attorney General.

2)Defines, for purposes of the existing data breach notification requirements for businesses and public agencies, the term "encrypted" to mean "rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security."

3)Makes other technical or non-substantive changes.

FISCAL EFFECT: According to the Assembly Appropriations Committee, there is a negligible fiscal impact.

COMMENTS:

1)Purpose of this bill. This bill is intended to improve the public tracking of data breaches by including the date of the breach discovery in the required notice to the Attorney General, while also providing a clarifying definition of the term "encrypted."
This bill also imposes a reasonableness requirement on a business's efforts to respond to a breach before notifying the victims. This bill is sponsored by the author.

2)Data breaches are a fast-growing threat. 2014 was a record-setting year in terms of the number of security breaches reported. According to a January 2015 report by the California Attorney General's Office, 187 breaches were reported to the California Department of Justice in 2014, compared to 167 in 2013 and 131 in 2012. According to the Identity Theft Resource Center, there were 783 data breaches reported nationwide in 2014, a 27.5% increase over the previous year. The Privacy Rights Clearinghouse reports that more than 815 million records have been compromised in more than 4,489 publicly acknowledged data breaches since 2005.

3)Related legislation. AB 83 (Gatto) of the current legislative session requires businesses that own or maintain personal information to secure that data to the extent that any "reasonably prudent business" would provide, and specifies certain requirements and considerations that must be part of any reasonable security procedures and practices. AB 83 is currently pending referral in the Senate Rules Committee.

AB 259 (Dababneh) of the current legislative session requires a public agency that is the source of a data breach to offer at least 12 months of identity-theft prevention and mitigation services at no cost to affected consumers. AB 259 is currently pending in the Assembly Appropriations Committee.

SB 34 (Hill) of the current legislative session amends the Data Breach Notification Law to add to the definition of "personal information" any information or data collected through the use or operation of an automated license plate recognition system. SB 34 is currently pending on the Assembly Floor.
SB 570 (Jackson) of the current legislative session amends the Data Breach Notification Law to revise the language of the breach notification itself to make it clearer and more conspicuous. SB 570 is currently pending on the Senate Floor.

4)Prior legislation. AB 1710 (Dickinson), Chapter 855, Statutes of 2014, required, among other things, that businesses that maintain, own, or license the personal information of California residents use reasonable and appropriate security measures to protect the information.

SB 24 (Simitian), Chapter 197, Statutes of 2011, standardized the breach notification that an agency, person, or business must issue in the event of a data breach, and required any agency, person, or business that is required to issue a security breach notification to more than 500 California residents to electronically submit a single sample copy of that security breach notification to the Attorney General.

AB 1950 (Wiggins), Chapter 877, Statutes of 2004, required a business that owns or licenses personal information about a California resident to implement and maintain reasonable security procedures and practices to protect personal information from unauthorized access, destruction, use, modification, or disclosure.

SB 1386 (Peace), Chapter 915, Statutes of 2002, enacted California's Data Breach Notification Law.

Analysis Prepared by: Hank Dempsey / P. & C.P. / (916) 319-2200

FN: 0000462