BILL ANALYSIS                                                                                                                                                                                                    Ó



                                                                       AB 964


                                                                      Page  1





          ASSEMBLY THIRD READING


          AB  
          964 (Chau)


          As Amended  May 13, 2015


          Majority vote


           ------------------------------------------------------------------- 
          |Committee       |Votes |Ayes                |Noes                  |
          |                |      |                    |                      |
          |                |      |                    |                      |
          |----------------+------+--------------------+----------------------|
          |Privacy         |7-1   |Gatto, Calderon,    |Wilk                  |
          |                |      |Chau, Cooper,       |                      |
          |                |      |Dababneh, Gordon,   |                      |
          |                |      |Low                 |                      |
          |                |      |                    |                      |
          |----------------+------+--------------------+----------------------|
          |Appropriations  |11-4  |Gomez, Bloom,       |Bigelow, Chang,       |
          |                |      |Bonta, Calderon,    |Gallagher, Wagner     |
          |                |      |Eggman, Eduardo     |                      |
          |                |      |Garcia, Holden,     |                      |
          |                |      |Quirk, Rendon,      |                      |
          |                |      |Weber, Wood         |                      |
          |                |      |                    |                      |
          |                |      |                    |                      |
           ------------------------------------------------------------------- 


          SUMMARY:  Requires data breach notifications made by businesses  
          and public agencies to include the date of discovery of the breach  
          in the notice to the Attorney General.  Specifically, this bill:  









                                                                       AB 964


                                                                      Page  2






          1)Requires business and public agencies, for purposes of existing  
            data breach notification requirements, to include the date of  
            the discovery of the breach in the notice made to the Attorney  
            General. 


          2)Defines, for purposes of the existing data breach notification  
            requirements for businesses and public agencies, the term  
            "encrypted" to mean "rendered unusable, unreadable, or  
            indecipherable to an unauthorized person through a security  
            technology or methodology generally accepted in the field of  
            information security."


          3)Makes other technical or non-substantive changes. 


          FISCAL EFFECT:  According to the Assembly Appropriations  
          Committee, there is a negligible fiscal impact. 


          COMMENTS:  


          1)Purpose of this bill.  This bill is intended to improve the  
            public tracking of data breaches by including the date of the  
            breach discovery in the required notice to the Attorney General,  
            while also providing a clarifying definition of the term  
            "encrypted."  This bill also imposes a reasonableness  
            requirement on a business' efforts to respond to a breach before  
            notifying the victims.  This bill is sponsored by the author.


          2)Data breaches are a fast-growing threat.  2014 was a  
            record-setting year in terms of the number of security breaches  
            reported.  According to a January 2015 report by the California  
            Attorney General's Office, 187 breaches were reported to the  
            California Department of Justice in 2014, compared to 167 in  








                                                                       AB 964


                                                                      Page  3





            2013 and 131 in 2012.  


            According to the Identity Theft Resource Center, there were 783  
            data breaches reported nationwide in 2014 - a 27.5% increase  
            over the previous year.  The Privacy Rights Clearinghouse  
            reports that more than 815 million records have been compromised  
            in more than 4,489 publicly acknowledged data breaches since  
            2005.


          3)Related legislation.  AB 83 (Gatto) of the current legislative  
            session requires businesses that own or maintain personal  
            information to secure that data to the extent that any  
            "reasonably prudent business" would provide, and specifies  
            certain requirements and considerations that must be part of any  
            reasonable security procedures and practices.  AB 83 is  
            currently pending referral in the Senate Rules Committee.  


            AB 259 (Dababneh) of the current legislative session requires a  
            public agency that is the source of a data breach to offer at  
            least 12 months of identity-theft prevention and mitigation  
            services at no cost to affected consumers.  AB 259 is currently  
            pending in the Assembly Appropriations Committee.


            SB 34 (Hill) of the current legislative session amends the Data  
            Breach Notification Law to add to the definition of "personal  
            information" any information or data collected through the use  
            or operation of an automated license plate recognition system.   
            SB 34 is currently pending on the Assembly Floor.  


            SB 570 (Jackson) of the current legislative session amends the  
            Data Breach Notification Law to revise the language of the  
            breach notification itself to make it clearer and more  
            conspicuous.  SB 570 is currently pending on the Senate Floor. 









                                                                       AB 964


                                                                      Page  4






          4)Prior legislation.  AB 1710 (Dickinson), Chapter 855, Statutes  
            of 2014, required, among other things, that businesses that  
            maintain, own or license the personal information of California  
            residents to use reasonable and appropriate security measures to  
            protect the information.   
            SB 24 (Simitian), Chapter 197, Statutes of 2011, standardized  
            the breach notification that an agency, person, or business must  
            issue in the event of a data breach, and required any agency,  
            person, or business that is required to issue a security breach  
            notification to more than 500 California residents to  
            electronically submit a single sample copy of that security  
            breach notification to the Attorney General.


            AB 1950 (Wiggins), Chapter 877, Statutes of 2004, required a  
            business that owns or licenses personal information about a  
            California resident to implement and maintain reasonable  
            security procedures and practices to protect personal  
            information from unauthorized access, destruction, use,  
            modification, or disclosure.  


            SB 1386 (Peace), Chapter 915, Statutes of 2002, enacted  
            California's Data Breach Notification Law.


          Analysis Prepared by:                                               
                          Hank Dempsey / P. & C.P. / (916) 319-2200  FN:  
          0000462

















                                                                       AB 964


                                                                      Page  5