BILL ANALYSIS



                                                                  AB 1149
                                                                  Page  1

          Date of Hearing:   April 30, 2013

                           ASSEMBLY COMMITTEE ON JUDICIARY
                                Bob Wieckowski, Chair
                 AB 1149 (Campos) - As Introduced:  February 22, 2013
           
                                   PROPOSED CONSENT
           
          SUBJECT:  Data Security Breach Notices: Local Agencies

          KEY ISSUE:  Should the existing law that requires state agencies
          to notify affected persons in the event of a data security
          breach be extended to impose the same requirement on local
          agencies?

          FISCAL EFFECT:  As currently in print this bill is keyed fiscal.

                                      SYNOPSIS

          This bill would extend to local agencies the same data breach  
          notification requirements to which state agencies are already  
          subject.  Enacted in 2002 as an effort to better combat identity  
          theft in a digital age, California's landmark security breach  
          notification law requires both state agencies and private  
          businesses that own or maintain personal information (in  
          computerized form) to notify any person whose personal  
          information is compromised as a result of a data breach.   
          However, because the data breach notification statute falls  
          within the state's 1977 Information Practices Act (IPA), it does  
          not apply to local agencies - which were expressly exempted from  
          the IPA.  This bill would provide that, notwithstanding that  
          exemption, local agencies will henceforth be subject to the same  
          notification requirements that presently apply to state  
          agencies.  According to the author, local agencies often hold  
          the same kinds of sensitive information that are held by state  
          agencies and private businesses and, therefore, should be held  
          to the same notification requirements.  There is no known  
          opposition to this bill. 

          SUMMARY:  Extends to local agencies an existing statute that
          requires state agencies that own or license computerized
          personal data to notify any person whose personal data is
          subject to a data security breach.

          EXISTING LAW:

          1)Requires any state agency that owns or licenses computerized  
            data that includes personal information to disclose any breach  
            of the data to any resident of California whose unencrypted  
            personal information was, or is reasonably believed to have  
            been, acquired by an unauthorized person.  Requires any state  
            agency that maintains, but does not own, personal information  
            to notify the owner or licensor of the data of any breach.   
            Provides further that disclosure shall be made in the most  
            expedient time possible and without unreasonable delay.   
            (Civil Code Section 1798.29.)

          2)Requires any person or business that conducts business in  
            California, and that owns or licenses computerized data that  
            includes personal information to disclose any breach of the  
            data to any resident of California whose unencrypted personal  
            information was, or is reasonably believed to have been,  
            acquired by an unauthorized person.  Requires any person or  
            business that maintains, but does not own, personal  
            information to notify the owner or licensor of the data of any  
            breach.  Provides further that disclosure shall be made in the  
            most expedient time possible and without unreasonable delay.   
            (Civil Code Section 1798.82.) 

          3)Provides that notice required under the above provisions may  
            be made by written notice or electronic notice, if the latter  
            is consistent with federal electronic signature standards.  
            Provides, however, that substitute notice, as specified, may  
            be used if the person, business, or agency determines that the  
            cost of providing notice would exceed $250,000 or that the  
            affected class of subject persons exceeds 500,000, or the  
            person, business, or agency does not have sufficient contact  
            information.  (Civil Code Sections 1798.29 (g) and 1798.82  
            (g).)

          4)Provides that when an agency, person, or business is required  
            to issue a data security breach notification pursuant to the  
            above provisions, that notification must be written in plain  
            language and provide specified information, including the name  
            and contact information of the reporting agency, person, or  
            business; information about the timing and nature of the  
            breach; and contact information for the major credit reporting  
            bureaus.  Specifies that the agency, person, or business may  
            include additional information that would be useful to the  
            person in taking steps to mitigate potential damages caused by
            the breach.  (Civil Code Sections 1798.29 (d) and 1798.82
            (d).)

          5)Notwithstanding the above notice requirements, a person,
            business, or agency that maintains its own notification
            procedures as part of an information security policy that is
            consistent with existing law shall be deemed to be in
            compliance with the notification requirements of state law if
            the agency, person, or business notifies subject persons in
            accordance with its own policies.  (Civil Code Sections
            1798.29 (h) and 1798.82 (h).)

          6)Exempts local agencies from the state Information Practices  
            Act, of which the above provisions are a part.  (Civil Code  
            Section 1798.3(b)(4).)

          COMMENTS:  Under California's data security breach notification
          law, a person, business, or state agency that keeps, maintains,  
          or leases computerized data that contains personal information  
          must provide appropriate notices if personal information is  
          compromised as a result of a data breach.  The purpose for these  
          notice requirements is obvious enough:  when a person's personal  
          information is compromised there are steps that he or she can  
          take to mitigate the possibility that the personal information  
          will be misused, but a person cannot take those steps unless he  
          or she is first aware that the personal information has been  
          compromised.

          Over the past few years this Committee has heard several bills  
          that have expanded or fine-tuned existing law.  Most recently SB  
          24 (Chapter 197, Statutes of 2011) prescribed the contents of  
          the required security notices so that such notices will provide  
          more useful information to the victims of a security breach and  
          be uniform throughout the state.  The existing breach  
          notification law consists of two parallel sections in the Civil  
          Code: one section applies to state agencies and another, nearly  
          identical, section applies to persons and businesses.  However,  
          because the section relating to state agencies is located within  
          the state's Information Practices Act (IPA) of 1977, it does not  
          apply to local government agencies - which were expressly  
          exempted from the original IPA in 1985.  It is not clear from  
          extant legislative history why local agencies were carved out of  
          the IPA at that time.  This bill would specify that, for  
          purposes of the security breach notification provisions only, a  
          covered "agency" includes a local agency as well as a state
          agency.  Local agencies, therefore, would continue to be
          exempted from other provisions of the IPA, except where
          otherwise provided.

          For purposes of this bill, "local agency" is given the standard
          definition that currently exists in Section 6252 of the
          Government Code: a city; county; city and county; school
          district; municipal corporation; district; political
          subdivision; or any board, commission or agency thereof; other
          local public agency; or entities that are legislative bodies of
          a local agency.

          Scope of the Problem:  Partly because local agencies are not
          currently subject to the breach notification law, it is  
          difficult to ascertain the exact scope of the problem among  
          local agencies.  The author provided the Committee with a list  
          identifying a handful of breaches that have occurred at local  
          agencies in the past few years, ranging from at least one  
          hacking incident to a few law enforcement and social service  
          agencies that misplaced laptops containing files with personal  
          information.  Had these breaches occurred at state agencies,  
          those agencies would have been required to comply with the  
          breach notification law.  This bill is premised on the
          reasonable assumption that the consequences of a data breach -
          and the need for the affected person to have knowledge of the
          breach and take appropriate protective steps - are the same
          whether the data is held by a state agency or by a local agency.

          ARGUMENTS IN SUPPORT:  The author provides an admirably succinct
          argument on behalf of this bill: "If state agencies and private  
          companies release your personal information, regardless of how  
          it occurs, they must notify you so you can take steps to protect  
          yourself against identity theft.  Local agencies should be held  
          to the same standard.  AB 1149 accomplishes this." 

          The Privacy Rights Clearinghouse argues that "a great deal of  
          highly sensitive personal information is collected and held by  
          local governments," yet "local governments are not required to  
          provide any notifications to individuals who may be the victim  
          of a data breach . . . The end result of this failure to notify  
          can be identity theft, as individuals have no other mechanism  
          for discovering the existence of the information."  PRC believes  
          that this bill will fill a "major gap" in California's existing  
          breach notification law.  Several other consumer and labor  
          groups support this bill for substantially the same reason.

          REGISTERED SUPPORT / OPPOSITION:

          Support
           
          ACLU
          California Cable and Telecommunications Association 
          California Federation of Teachers 
          Consumer Federation of California   
          Privacy Rights Clearinghouse

          Opposition
           
          None on file
           
          Analysis Prepared by:  Thomas Clark / JUD. / (916) 319-2334