BILL ANALYSIS
AB 779
Page 1
Date of Hearing: May 23, 2007
ASSEMBLY COMMITTEE ON APPROPRIATIONS
Mark Leno, Chair
AB 779 (Jones) - As Amended: May 14, 2007
Policy Committee: Judiciary Vote: 8-2
Business and Professions Vote: 6-0
Urgency: No
State Mandated Local Program: No
Reimbursable:
SUMMARY
This bill places additional requirements on government agencies
and businesses in the event of a security breach of their
computer data bases containing personal information, and
establishes data security standards for government agencies and
businesses that accept credit or debit card payments.
Specifically, this bill:
1) Prohibits a person, business, or public agency that sells
goods or services and accepts credit or debit card payments
from:
a) Storing specified personal information related to that
payment, unless the seller has a policy limiting the data
retained and limiting the time of retention prior to
disposal, and the seller's practice is in conformance with
that policy.
b) Storing "sensitive authentication data," as specified,
subsequent to authorization of the payment.
2) Specifies that (1) does not apply to any person or business in
compliance with the federal Gramm-Leach-Bliley rules and
regulations, as overseen by a state or federal regulatory
agency.
3) Modifies current law requiring state agencies, persons, and
businesses that own, license, or maintain computerized data
containing personal information to notify those potentially
impacted by a security breach of that data by:
a) Requiring the notification to be written in plain
language and to include specified information at a minimum,
including a toll-free phone number or alternatively, an
electronic mail address for contacting the agency, person,
or business. A local phone number may be used if the agency
or business has no toll-free number.
b) Requiring a copy of the notification to be sent to the
Office of Privacy Protection within the Department of
Consumer Affairs.
c) Entitling the owner or licensee of the personal
information to reimbursement from the agency, person, or
business for the costs of providing the notification,
including the costs of credit or debit card replacement.
FISCAL EFFECT
1) The CSU indicates potential costs exceeding one million
dollars to pay for replacement of credit cards in the event of
a data breach. For example, at the San Diego campus, replacing
credit cards (assuming 25 cents per card) could cost $1.45
million to replace 58,000 transactions. The University of
California indicates that costs would be absorbable.
2) Other departments contacted that accept payment by credit or
debit card (Board of Equalization, Franchise Tax Board,
Employment Development Department, Department of Motor
Vehicles, and the Department of Parks and Recreation) indicate
no additional costs because, in general, these operations are
the responsibility of third parties under contract to those
agencies. These departments, and the Department of Health
Services (DHS), also indicate that they are generally in
compliance with the bill's notification requirements, and thus
see no additional costs. DHS noted that the bill's requirement
for responsible third parties to provide reimbursement could
yield cost savings related to any future security breach.
3) Similar responses could be expected for other state
departments not contacted for this analysis. However, some
departments could see unknown increased costs, such as for
providing and staffing a toll-free or alternative phone number
for those impacted by a breach to contact the department.
These costs would probably be minor for any single department.
4) Any cost to local government entities would be
nonreimbursable.
COMMENTS
1) Purpose. According to the author and sponsor, the California
Credit Union League (CCUL), this bill makes needed
improvements to California's data breach notification law, AB
700 (Simitian)/Chapter 1054 of 2002, in light of three years of
experience with the operation of the law. This bill: (a)
entitles the owner or licensee of personal information to
recover notification costs from the person or business that
actually maintained and compromised the data; (b) clarifies
that those subject to the notification law must follow
specific provisions developed by industry governing data
retention; and, (c) requires notices to be more
consumer-friendly. The author also argues that during the
three years in which the notice law has been in effect, we
have learned a great deal about its strengths and
shortcomings.
CCUL believes that this bill will force retailers to take
greater steps to secure financial data and limit the
opportunities for data breaches to occur. In addition, CCUL
indicates that the revamped notice requirement will mean that
consumers will have the correct information about where data
breaches occur. This is particularly important to credit
unions, because even though the retailer might be responsible
for the breach, existing law requires the credit union to
provide the notice to the consumer. The consumer, CCUL fears,
will equate the message with the messenger, creating bad
public relations for a credit union even though it was not
responsible for the breach. Finally, the sponsor supports the
reimbursement provision because it creates pressure for
merchants to prevent data breaches.
According to the author's office, the bill's prohibitions on
storage of payment-related data and sensitive authentication
data are modeled on the Payment Card Industry (PCI) data
security standards. These standards were recently developed
mainly by Visa and Mastercard and are intended to govern
storage and protection of data. Compliance with these
standards among large retailers, while still relatively low,
is reportedly growing, from 15% to about one-third in the last
year for Level 1 merchants (those processing more than six
million transactions annually).
2) Opposition. A coalition of associations representing several
types of businesses, including retailers, financial
institutions, electronics and information technology firms,
insurers, grocers and restaurants registers its strong
opposition to the bill. The coalition believes the bill
establishes onerous data management standards for government
and business. The coalition argues that the bill requires
every business and government entity accepting any form of
payment to establish "very high and possibly unattainable data
retention and security standards that will result in extremely
high compliance costs for government and business."
The coalition particularly notes the AB 779 prohibition on
sending "payment related data across any network [including
interagency or interdepartmental] unless the data is encrypted
using strong cryptography and security protocols."
The coalition also objects to the requirement to reimburse
financial institutions for the costs of sending out breach
notification letters and credit and debit card replacements,
the requirement to maintain a toll-free number for customers
to inquire about a data breach (the bill actually allows use
of a local number if no toll-free number has previously been
established), and the general interjection of government into
an area of contractual relationships and obligations between
consenting businesses.
3) Related Legislation. AB 1298 (Jones), pending in the
Assembly, adds medical information and health insurance
information to the list of personal information subject to
California's breach notification law.
Analysis Prepared by: Chuck Nicol / APPR. / (916) 319-2081