BILL ANALYSIS                                                                                                                                                                                                    



                                                                  AB 1149
                                                                  Page  1

          Date of Hearing:  April 17, 2013

                       ASSEMBLY COMMITTEE ON LOCAL GOVERNMENT
                           K.H. "Katcho" Achadjian, Chair
                 AB 1149 (Campos) - As Introduced:  February 22, 2013
           
          SUBJECT:  Identity theft: local agencies.

          SUMMARY:  Extends the provisions of the state's existing  
          information privacy breach notice law to local public agencies.   
          Specifically, this bill:

          1)Applies the provisions of the state's existing information  
            privacy breach notice law to local agencies.

          2)Declares that if the Commission on State Mandates determines  
            that this bill contains costs mandated by the state,  
            reimbursement to local agencies and school districts for those  
            costs shall be made pursuant to existing state law.

          3)Makes non-substantive, technical corrections.

          EXISTING LAW:

          1)Requires any state office, officer, or executive agency that  
            owns or licenses computerized data that includes personal  
            information to disclose any breach of the security of the  
            system following discovery or notification of the breach in  
            the security of the data to any resident of California whose  
            unencrypted personal information was, or is reasonably  
            believed to have been, acquired by an unauthorized person.  
            Provides further that disclosure shall be made in the most  
            expedient time possible and without unreasonable delay.

          2)Notwithstanding the above notice requirements, a person,  
            business, or agency that maintains its own notification  
            procedures as part of an information security policy that is  
            consistent with the requirements of the security breach law,  
            shall be deemed to be in compliance with the notification of  
            state law if the agency, person, or business notifies subject  
            persons in accordance with its own policies. 

          3)Defines "breach of the security of the system" to mean  
            unauthorized acquisition of computerized data that compromises  
            the security, confidentiality, or integrity of personal  
            information maintained by the agency.  Good faith acquisition  
            of personal information by an employee or agent of the agency  
            for the purposes of the agency is not a breach of the security  
            of the system, provided that the personal information is not  
            used or subject to further unauthorized disclosure.

          4)Defines "personal information" to mean an individual's first  
            name or first initial and last name in combination with one or  
            more of the following data elements, when either the name or  
            the data elements are not encrypted:  social security number;  
            driver's license number or California identification card  
            number; account number, credit or debit card number, in  
            combination with any required security code, access code, or  
            password that would permit access to an individual's financial  
            account; medical information; or, health insurance  
            information.  "Personal information" does not include publicly  
            available information that is lawfully made available to the  
            general public from federal, state, or local government  
            records.

          5)Provides that notice required under the above provisions may  
            be made by written notice or electronic notice, if the latter  
            is consistent with federal electronic signature standards.  
            Provides, however, that substitute notice, as specified, may  
            be used if the person, business, or agency determines that the  
            cost of providing notice would exceed $250,000 or that the  
            affected class of subject persons exceeds 500,000, or the  
            person, business, or agency does not have sufficient contact  
            information.  

          6)Requires, under federal law, that any entity covered by the  
            Health Insurance Portability and Accountability Act (HIPAA) to  
            notify any person whose personal information is compromised by  
            a data security breach, and specifies the required content of  
            the notice.  

          FISCAL EFFECT:  Unknown

          COMMENTS:

          1)This bill extends the provisions of California's existing data  
            breach notification law to local public agencies.  This bill  
            is sponsored by the author.

          2)According to the author's office, "Local government agencies  
            have some of our most personal information - date of birth,  
            social security number, driver's license number, medical  
            information, etc.  This is the type of personal information  
            that identity thieves thrive upon.  Identity theft was  
            responsible for more than $13.3 billion in financial losses in  
            2010 and can take months and even years to wipe off your  
            record.

            "AB 1149 applies the same notification requirements to local  
            governments that have existed for state government since 1977.  
            It is perfectly reasonable, and long overdue, that county and  
            city offices notify us when our personal data is compromised  
            so that we can protect ourselves."

          3)The California Information Privacy Act of 1977 (Act)  
            operationalizes the state constitutional guarantee of privacy  
            by limiting the collection, management and dissemination of  
            personal information by state agencies.  That Act includes  
            provisions requiring state agencies and private businesses to  
            notify California residents if the agency or business believes  
            an unauthorized person has accessed personalized data it  
            holds.

          4)California's data breach notification statute was based on the  
            premise that individuals have a right to know when a data  
            breach has occurred and affected them.  If consumers are made  
            aware that their personal information may have been  
            compromised, they are able to take steps to protect themselves  
            from fraud or identity theft.  This requirement applies to  
            state agencies.  Local public agencies are exempt from these  
            data-breach notification requirements.

            The law requires state agencies that own or license electronic  
            data that includes personal information to disclose to  
            California residents when unencrypted data is believed to have  
            been acquired by an unauthorized person.  The agency must make  
            the disclosure expediently and without unreasonable delay,  
            subject to the needs of law enforcement. 
            The notice must be written in plain language and include the  
            name and contact information of the agency, a list of the  
            types of personal information compromised, time and date of  
            the breach, length of any delays, a general description of the  
            incident, and contact information for credit reporting  
            agencies.  The agency may also include information about the  
            agency's response and advice on preventing fraud and identity  
            theft after a breach. 

            Notices going to more than 500 California residents must also  
            be shared with the Office of the Attorney General.  Notice may  
            take the form of a written notice, an electronic notice (as  
            specified in federal law), or a substitute notice if the  
            notification would cost more than $250,000, include more than  
            500,000 people, or if the agency does not have adequate  
            contact information.  The substitute notice must include email  
            notice where possible, conspicuous posting on the agency's  
            Internet web site, and notification to major statewide media  
            and the state Office of Information Security. 

            Agencies that maintain their own breach notification  
            procedures for personal information, provide notice in  
            compliance with those procedures, and otherwise comply with  
            the timing requirements of current law are deemed to be in  
            compliance with the law. 

            This bill would apply these same provisions to all local  
            public agencies, which the bill defines to include the  
            following:  counties; cities (both general law and charter  
            cities); cities and counties; school districts; municipal  
            corporations; districts; political subdivisions; any board,  
            commission or agency of the above-named entities; other local  
            public agencies; and, specified entities that are legislative  
            bodies of a local agency.

            The extent of data breaches of local agency information is not  
            definitively documented.  According to a list provided by the  
            Privacy Rights Clearinghouse, about a dozen local agency data  
            breaches have occurred since 2006.

          5)The California State Association of Counties, the Urban  
            Counties Caucus, the League of California Cities, and the  
            California Special Districts Association have expressed  
            concerns about the fiscal and operational impacts of this  
            bill.  They note that local agencies must comply with federal  
            requirements under HIPAA regarding the privacy of health  
            information.  They believe this bill's provisions could impact  
            many departments within their agencies, particularly counties,  
            and are concerned with the "potentially costly new  
            responsibilities on local agencies at a time when we are  
            challenged to deliver core public services given difficult  
            fiscal conditions."

          6)This bill is substantially similar to AB 2455 (Campos, 2012),  
            which passed this Committee on a 9-0 vote on April 5, 2012.   
            AB 2455 was held in the Assembly Appropriations Committee.

          7)This bill is keyed a state mandate, which means the state  
            could be required to reimburse local agencies and school  
            districts for implementing the bill's provisions if the  
            Commission on State Mandates determines that the bill contains  
            costs mandated by the state.

          8)Support arguments:  Supporters argue that this bill  
            "strengthens the state's consumer protections and ensures that  
            consumers can continue entrusting their personal information  
            to California's local agencies."

            Opposition arguments:  Opponents could argue that the need for  
            this bill has not adequately been demonstrated and that more  
            information regarding data breaches of local agency  
            information should be gathered and documented before  
            legislating in this arena.

          9)This bill is double-referred to the Judiciary Committee.

          REGISTERED SUPPORT / OPPOSITION:

           Support 
           
          California Cable and Telecommunications Association
          California Federation of Teachers
          Consumer Federation of California
          Privacy Rights Clearinghouse

           Opposition 
           
          None on file
           
          Analysis Prepared by:  Angela Mapp / L. GOV. / (916) 319-3958