BILL ANALYSIS
Senate Appropriations Committee Fiscal Summary
Senator Tom Torlakson, Chairman
SB 364 (Simitian)
Hearing Date: 1/24/08 Amended: 1/17/08
Consultant: Nora Lynn Policy Vote: Judiciary 3-2
_____________________________________________________________________
BILL SUMMARY:
SB 364 would require businesses and state agencies, in the event
of a security breach of computer databases containing personal
information, to provide specified information in plain English
in the notices they are currently required to provide to
California consumers. Businesses and agencies would also be
required to provide an electronic notification of these breaches
to the Office of Information Security and Privacy Protection
(OISPP), which would be required to maintain a website to receive
the electronic notifications of the breaches and to post specified
information about them for the public. OISPP would further be
required to report to the Legislature annually with specified
information about the breaches that had taken place in the
previous year.
_____________________________________________________________________
Fiscal Impact (in thousands)
Major Provisions               2008-09    2009-10   2010-11   Fund
Website, report, data storage  $83-$146   $75       $75       General
Data entry, posting            Unknown, potentially significant;  Various
                               see staff comments
_____________________________________________________________________
STAFF COMMENTS: This bill meets the criteria to be placed on the
Suspense file.
Security breaches of computerized data that contain unencrypted
personal information, as defined, are currently required to be
disclosed to California residents upon their discovery as
expediently as possible and consistent with the needs of law
enforcement.
SB 364 would require the security-breach notices to be written
in plain English and to contain specified information about the
breach, including the information that may have been breached;
the date and a general description of the breach incident; the
number of persons affected; and the names and contact numbers of
the major credit card reporting agencies and of the reporting
agency or business. Agencies and businesses would also be
required to provide an electronic notification of any breach to
OISPP, which would then post information about the breach on a
website available to the public. OISPP would additionally be
required to produce an annual report for the Legislature on
specified information about the breach notifications it
receives.
SB 364 does not specify how breach information is to be
reflected on the OISPP website: whether each consumer impacted
by a breach is to be posted separately, or whether information
about each breach incident is to be entered. OISPP projects
first-year General Fund costs of $82,500 (if the website is to
reflect breach incidents) or $146,000 (to reflect information
about individual consumers impacted by a breach) associated with
designing the required website and database. Ongoing costs are
estimated at $75,000 per year to maintain the site and database.
The author may wish to consider clarifying how breach data is to
be reflected on the OISPP site, as well as how long data about
breaches is to be stored; SB 364 does not currently contain a
retention period for this information.
Additionally, OISPP will accrue costs for data entry associated
with this measure. SB 364 is silent as to how the data sent to
OISPP will make its way to the breach information website. State
agencies could enter their own breach data (either that of
individual consumers or of breach incidents), but it is unlikely
that a state-operated website would be open to businesses for
data entry purposes. Assuming state agencies were to have
100,000 computerized records containing personal data breached
in 500 breach incidents per year, staff costs associated with
entering and posting the data on the OISPP website would range
from just more than $2,000 (to enter information on the
associated breach incidents) to $425,000 (for individual
consumers). Similarly, costs vary dramatically for data entry
for breach information from the private sector; assuming 5
million individuals had their information breached in 5,000
incidents per year, costs for state employees to enter data
about these breaches on the website could range from $25,000 per
year (breach incidents) to $25 million (per individual).