BILL ANALYSIS                                                                                                                                                                                                    

                                                                  AB 1149
                                                                  Page  1

          Date of Hearing:   May 15, 2013

                                  Mike Gatto, Chair

                AB 1149 (Campos) - As Introduced:  February 22, 2013 

          Policy Committee:                               
                        Local Government                        9-0

          Urgency:     No                   State Mandated Local Program:  
          Yes    Reimbursable:              Yes


          This bill extends the provisions of the state's existing  
          information privacy breach notice law to local public agencies.   

           FISCAL EFFECT  

          Legislative Counsel has opined this bill constitutes a state  
          mandate that is subject to reimbursement of local costs by the  
          state.  The specific mandate is the required notification of a  
          breach, as specified.

          Estimated costs to the state for reimbursements could exceed  
          $150,000.  The estimates depend on the number of breaches, which  
          is difficult to forecast.  However, there are about 550 cities  
          and counties and about 1,000 school districts.  Among the  
          thousands of special districts only hundreds may be eligible for  
          reimbursement under the state mandate program.  


           1)Purpose  .  The author notes local government agencies have some  
            of our most personal information, such as date of birth,  
            social security number, driver's license number and medical  
            information.  This is the type of personal information  
            identity thieves thrive upon.  According to the author,  
            identity theft was responsible for more than $13.3 billion in  
            financial loses in 2010. AB 1149 applies the same notification  
            requirements to local governments that have existed for state  
            government since 1977.  The author argues these requirements  


                                                                  AB 1149
                                                                  Page  2

            are reasonable and overdue.

           2)Support  . Supporters, including The Privacy Rights  
            Clearinghouse, believe this bill will fill a gap in  
            California's existing breach notification law.  Supporters  
            argue a great deal of highly sensitive personal information is  
            collected and held by local governments, yet local governments  
            are not required to provide any notifications to individuals  
            who may be the victim of a data breach.  They contend the end  
            result of this failure to notify can be identity theft, as  
            individuals have no other mechanism for discovering the  
            existence of the breach. 

           3)Concerns  .  The California State Association of Counties, the  
            Urban Counties Caucus, the League of California Cities and the  
            California Special Districts Association have expressed  
            concerns about the fiscal and operational impacts of this  
            bill.  They note local agencies must comply with federal  
            requirements under HIPAA regarding the privacy of health  
            information.  They believe this bill's provisions could impact  
            many departments within their agencies, particularly counties,  
            and are concerned with the potentially costly new  
            responsibilities on local agencies at a time when we are  
            challenged to deliver core public services given difficult  
            fiscal conditions.

           4)Background  .  The California Information Privacy Act of 1977  
            (Act) implements the state constitutional guarantee of privacy  
            by limiting the collection, management and dissemination of  
            personal information by state agencies.  The act includes  
            provisions requiring state agencies and private businesses to  
            notify California residents if the agency or business believes  
            an unauthorized person has accessed personalized data it  

           5)Previous legislation  .  This bill is substantially similar to  
            AB 2455 (Campos, 2012) , which was held on this committee's  
            Suspense File.

           Analysis Prepared by  :    Roger Dunstan / APPR. / (916) 319-2081 


                                                                  AB 1149
                                                                  Page  3