BILL ANALYSIS
AB 1149
Page 1
Date of Hearing: April 17, 2013
ASSEMBLY COMMITTEE ON LOCAL GOVERNMENT
K.H. "Katcho" Achadjian, Chair
AB 1149 (Campos) - As Introduced: February 22, 2013
SUBJECT: Identity theft: local agencies.
SUMMARY: Extends the provisions of the state's existing
information privacy breach notice law to local public agencies.
Specifically, this bill:
1) Applies the provisions of the state's existing information
privacy breach notice law to local agencies.
2) Declares that if the Commission on State Mandates determines
that this bill contains costs mandated by the state,
reimbursement to local agencies and school districts for those
costs shall be made pursuant to existing state law.
3) Makes non-substantive, technical corrections.
EXISTING LAW:
1) Requires any state office, officer, or executive agency that
owns or licenses computerized data that includes personal
information to disclose any breach of the security of the
system following discovery or notification of the breach in
the security of the data to any resident of California whose
unencrypted personal information was, or is reasonably
believed to have been, acquired by an unauthorized person.
Provides further that disclosure shall be made in the most
expedient time possible and without unreasonable delay.
2) Notwithstanding the above notice requirements, a person,
business, or agency that maintains its own notification
procedures as part of an information security policy that is
consistent with the requirements of the security breach law,
shall be deemed to be in compliance with the notification of
state law if the agency, person, or business notifies subject
persons in accordance with its own policies.
3) Defines "breach of the security of the system" to mean
unauthorized acquisition of computerized data that compromises
the security, confidentiality, or integrity of personal
information maintained by the agency. Good faith acquisition
of personal information by an employee or agent of the agency
for the purposes of the agency is not a breach of the security
of the system, provided that the personal information is not
used or subject to further unauthorized disclosure.
4) Defines "personal information" to mean an individual's first
name or first initial and last name in combination with one or
more of the following data elements, when either the name or
the data elements are not encrypted: social security number;
driver's license number or California identification card
number; account number, credit or debit card number, in
combination with any required security code, access code, or
password that would permit access to an individual's financial
account; medical information; or, health insurance
information. "Personal information" does not include publicly
available information that is lawfully made available to the
general public from federal, state, or local government
records.
5) Provides that notice required under the above provisions may
be made by written notice or electronic notice, if the latter
is consistent with federal electronic signature standards.
Provides, however, that substitute notice, as specified, may
be used if the person, business, or agency determines that the
cost of providing notice would exceed $250,000 or that the
affected class of subject persons exceeds 500,000, or the
person, business, or agency does not have sufficient contact
information.
6) Requires, under federal law, any entity covered by the
Health Insurance Portability and Accountability Act (HIPAA) to
notify any person whose personal information is compromised by
a data security breach, and specifies the required content of
the notice.
FISCAL EFFECT: Unknown
COMMENTS:
1) This bill extends the provisions of California's existing data
breach notification law to local public agencies. This bill
is sponsored by the author.
2) According to the author's office, "Local government agencies
have some of our most personal information - date of birth,
social security number, driver's license number, medical
information, etc. This is the type of personal information
that identity thieves thrive upon. Identity theft was
responsible for more than $13.3 billion in financial losses in
2010 and can take months and even years to wipe off your
record.
"AB 1149 applies the same notification requirements to local
governments that have existed for state government since 1977.
It is perfectly reasonable, and long overdue, that county and
city offices notify us when our personal data is compromised
so that we can protect ourselves."
3) The California Information Privacy Act of 1977 (Act)
operationalizes the state constitutional guarantee of privacy
by limiting the collection, management and dissemination of
personal information by state agencies. That Act includes
provisions requiring state agencies and private businesses to
notify California residents if the agency or business believes
an unauthorized person has accessed personalized data it
holds.
4) California's data breach notification statute was based on the
premise that individuals have a right to know when a data
breach has occurred and affected them. If consumers are made
aware that their personal information may have been
compromised, they are able to take steps to protect themselves
from fraud or identity theft. This requirement applies to
state agencies. Local public agencies are exempt from these
data-breach notification requirements.
The law requires state agencies that own or license electronic
data that includes personal information to disclose to
California residents when unencrypted data is believed to have
been acquired by an unauthorized person. The agency must make
the disclosure expediently and without unreasonable delay,
subject to the needs of law enforcement.
The notice must be written in plain language and include the
name and contact information of the agency, a list of the
types of personal information compromised, time and date of
the breach, length of any delays, a general description of the
incident, and contact information for credit reporting
agencies. The agency may also include information about the
agency's response and advice on preventing fraud and identity
theft after a breach.
Notices going to more than 500 California residents must also
be shared with the Office of the Attorney General. Notice may
take the form of a written notice, an electronic notice (as
specified in federal law), or a substitute notice if the
notification would cost more than $250,000, include more than
500,000 people, or if the agency does not have adequate
contact information. The substitute notice must include email
notice where possible, conspicuous posting on the agency's
Internet web site, and notification to major statewide media
and the state Office of Information Security.
Agencies that maintain their own breach notification
procedures for personal information, provide notice in
compliance with those procedures, and otherwise comply with
the timing requirements of current law are deemed to be in
compliance with the law.
This bill would apply these same provisions to all local
public agencies, which the bill defines to include the
following: counties; cities (both general law and charter
cities); cities and counties; school districts; municipal
corporations; districts; political subdivisions; any board,
commission or agency of the above-named entities; other local
public agencies; and, specified entities that are legislative
bodies of a local agency.
The extent of data breaches of local agency information is not
definitively documented. According to a list provided by the
Privacy Rights Clearinghouse, about a dozen local agency data
breaches have occurred since 2006.
5) The California State Association of Counties, the Urban
Counties Caucus, the League of California Cities, and the
California Special Districts Association have expressed
concerns about the fiscal and operational impacts of this
bill. They note that local agencies must comply with federal
requirements under HIPAA regarding the privacy of health
information. They believe this bill's provisions could impact
many departments within their agencies, particularly counties,
and are concerned with the "potentially costly new
responsibilities on local agencies at a time when we are
challenged to deliver core public services given difficult
fiscal conditions."
6) This bill is substantially similar to AB 2455 (Campos, 2012),
which passed this Committee on a 9-0 vote on April 5, 2012.
AB 2455 was held in the Assembly Appropriations Committee.
7) This bill is keyed a state mandate, which means the state
could be required to reimburse local agencies and school
districts for implementing the bill's provisions if the
Commission on State Mandates determines that the bill contains
costs mandated by the state.
8) Support arguments: Supporters argue that this bill
"strengthens the state's consumer protections and ensures that
consumers can continue entrusting their personal information
to California's local agencies."
Opposition arguments: Opponents could argue that the need for
this bill has not adequately been demonstrated and that more
information regarding data breaches of local agency
information should be gathered and documented before
legislating in this arena.
9) This bill is double-referred to the Judiciary Committee.
REGISTERED SUPPORT / OPPOSITION:
Support
California Cable and Telecommunications Association
California Federation of Teachers
Consumer Federation of California
Privacy Rights Clearinghouse
Opposition
None on file
Analysis Prepared by: Angela Mapp / L. GOV. / (916) 319-3958