BILL ANALYSIS

AB 1149

Date of Hearing: May 15, 2013

ASSEMBLY COMMITTEE ON APPROPRIATIONS
Mike Gatto, Chair

AB 1149 (Campos) - As Introduced: February 22, 2013

Policy Committee: Judiciary  Vote: 10-0
                  Local Government  9-0

Urgency: No
State Mandated Local Program: Yes
Reimbursable: Yes

SUMMARY

This bill extends the provisions of the state's existing information privacy breach notice law to local public agencies.

FISCAL EFFECT

Legislative Counsel has opined this bill constitutes a state mandate that is subject to reimbursement of local costs by the state. The specific mandate is the required notification of a breach, as specified.

Estimated costs to the state for reimbursements could exceed $150,000. The estimates depend on the number of breaches, which is difficult to forecast. However, there are about 550 cities and counties and about 1,000 school districts. Among the thousands of special districts only hundreds may be eligible for reimbursement under the state mandate program.

COMMENTS

1) Purpose. The author notes local government agencies have some of our most personal information, such as date of birth, social security number, driver's license number and medical information. This is the type of personal information identity thieves thrive upon. According to the author, identity theft was responsible for more than $13.3 billion in financial losses in 2010. AB 1149 applies the same notification requirements to local governments that have existed for state government since 1977. The author argues these requirements are reasonable and overdue.

2) Support. Supporters, including The Privacy Rights Clearinghouse, believe this bill will fill a gap in California's existing breach notification law. Supporters argue a great deal of highly sensitive personal information is collected and held by local governments, yet local governments are not required to provide any notifications to individuals who may be the victim of a data breach.
They contend the end result of this failure to notify can be identity theft, as individuals have no other mechanism for discovering the existence of the breach.

3) Concerns. The California State Association of Counties, the Urban Counties Caucus, the League of California Cities and the California Special Districts Association have expressed concerns about the fiscal and operational impacts of this bill. They note local agencies must comply with federal requirements under HIPAA regarding the privacy of health information. They believe this bill's provisions could impact many departments within their agencies, particularly counties, and are concerned with the potentially costly new responsibilities on local agencies at a time when we are challenged to deliver core public services given difficult fiscal conditions.

4) Background. The California Information Privacy Act of 1977 (Act) implements the state constitutional guarantee of privacy by limiting the collection, management and dissemination of personal information by state agencies. The Act includes provisions requiring state agencies and private businesses to notify California residents if the agency or business believes an unauthorized person has accessed personalized data it holds.

5) Previous legislation. This bill is substantially similar to AB 2455 (Campos, 2012), which was held on this committee's Suspense File.

Analysis Prepared by: Roger Dunstan / APPR. / (916) 319-2081