BILL ANALYSIS
AB 1149
Page 1
ASSEMBLY THIRD READING
AB 1149 (Campos)
As Introduced February 22, 2013
Majority vote
LOCAL GOVERNMENT 9-0
Ayes: Achadjian, Levine, Alejo, Bradford, Gordon, Melendez, Mullin, Waldron, Atkins
JUDICIARY 10-0
Ayes: Wieckowski, Wagner, Alejo, Chau, Dickinson, Garcia, Gorell, Maienschein, Muratsuchi, Stone
APPROPRIATIONS 17-0
Ayes: Gatto, Harkey, Bigelow, Bocanegra, Bradford, Ian Calderon, Campos, Donnelly, Eggman, Gomez, Hall, Ammiano, Linder, Pan, Quirk, Wagner, Weber
SUMMARY: Extends the provisions of the state's existing
information privacy breach notice law to local public agencies.
Specifically, this bill:
1) Applies the provisions of the state's existing information
privacy breach notice law to local agencies.
2) Declares that if the Commission on State Mandates determines
that this bill contains costs mandated by the state,
reimbursement to local agencies and school districts for those
costs shall be made pursuant to existing state law.
3) Makes non-substantive, technical corrections.
FISCAL EFFECT: According to the Assembly Appropriations
Committee, the Legislative Counsel has opined this bill
constitutes a state mandate that is subject to reimbursement of
local costs by the state. The specific mandate is the required
notification of a breach, as specified. Estimated costs to the
state for reimbursements could exceed $150,000. The estimates
depend on the number of breaches, which is difficult to
forecast. However, there are about 550 cities and counties and
about 1,000 school districts. Among the thousands of special
districts, only hundreds may be eligible for reimbursement under
the state mandate program.
COMMENTS: This bill extends the provisions of California's
existing data breach notification law to local public agencies.
This bill is sponsored by the author.
According to the author's office, "Local government agencies
have some of our most personal information - date of birth,
social security number, driver's license number, medical
information, etc. This is the type of personal information that
identity thieves thrive upon. Identity theft was responsible
for more than $13.3 billion in financial losses in 2010 and can
take months and even years to wipe off your record. AB 1149
applies the same notification requirements to local governments
that have existed for state government since 1977. It is
perfectly reasonable, and long overdue, that county and city
offices notify us when our personal data is compromised so that
we can protect ourselves."
The California Information Privacy Act of 1977 (Act)
operationalizes the state constitutional guarantee of privacy by
limiting the collection, management and dissemination of
personal information by state agencies. That Act includes
provisions requiring state agencies and private businesses to
notify California residents if the agency or business believes
an unauthorized person has accessed personalized data it holds.
California's data breach notification statute was based on the
premise that individuals have a right to know when a data breach
has occurred and affected them. If consumers are made aware
that their personal information may have been compromised, they
are able to take steps to protect themselves from fraud or
identity theft. This requirement applies to state agencies.
Local public agencies are exempt from these data-breach
notification requirements.
The law requires state agencies that own or license electronic
data that includes personal information to disclose to
California residents when unencrypted data is believed to have
been acquired by an unauthorized person. The agency must make
the disclosure expediently and without unreasonable delay,
subject to the needs of law enforcement. The notice must be
written in plain language and include the name and contact
information of the agency, a list of the types of personal
information compromised, time and date of the breach, length of
any delays, a general description of the incident, and contact
information for credit reporting agencies. The agency may also
include information about the agency's response and advice on
preventing fraud and identity theft after a breach.
Notices going to more than 500 California residents must also be
shared with the Office of the Attorney General. Notice may take
the form of a written notice, an electronic notice (as specified
in federal law), or a substitute notice if the notification
would cost more than $250,000, include more than 500,000 people,
or if the agency does not have adequate contact information.
The substitute notice must include email notice where possible,
conspicuous posting on the agency's Internet Web site, and
notification to major statewide media and the state Office of
Information Security. Agencies that maintain their own breach
notification procedures for personal information, provide notice
in compliance with those procedures, and otherwise comply with
the timing requirements of current law are deemed to be in
compliance with the law.
This bill would apply these same provisions to all local public
agencies, which the bill defines to include the following:
counties; cities (both general law and charter cities); cities
and counties; school districts; municipal corporations;
districts; political subdivisions; any board, commission or
agency of the above-named entities; other local public agencies;
and specified entities that are legislative bodies of a local
agency.
The extent of data breaches of local agency information is not
definitively documented. According to a list provided by the
Privacy Rights Clearinghouse, about a dozen local agency data
breaches have occurred since 2006.
The California State Association of Counties, the Urban Counties
Caucus, the League of California Cities, and the California
Special Districts Association have expressed concerns about the
fiscal and operational impacts of this bill. They note that
local agencies must comply with federal requirements under HIPAA
regarding the privacy of health information. They believe this
bill's provisions could impact many departments within their
agencies, particularly counties, and are concerned with the
"potentially costly new responsibilities on local agencies at a
time when we are challenged to deliver core public services
given difficult fiscal conditions."
This bill is substantially similar to AB 2455 (Campos) of 2012,
which was held in the Assembly Appropriations Committee.
Support arguments: Supporters argue that this bill "strengthens
the state's consumer protections and ensures that consumers can
continue entrusting their personal information to California's
local agencies."
Opposition arguments: Opponents could argue that the need for
this bill has not adequately been demonstrated and that more
information regarding data breaches of local agency information
should be gathered and documented before legislating in this
arena.
Analysis Prepared by: Angela Mapp / L. GOV. / (916) 319-3958
FN: 0000801