BILL ANALYSIS                                                                                                                                                                                                    

                                                                  AB 1149
                                                                  Page  1

          AB 1149 (Campos)
          As Introduced  February 22, 2013
          Majority vote 

          LOCAL GOVERNMENT    9-0
          Ayes: Achadjian, Levine, Alejo, Bradford, Gordon, Melendez,
                Mullin, Waldron, Atkins

          JUDICIARY           10-0
          Ayes: Wieckowski, Wagner, Alejo, Chau, Dickinson, Garcia,
                Gorell, Maienschein, Muratsuchi, Stone

          APPROPRIATIONS      17-0
          Ayes: Gatto, Harkey, Bigelow, Bocanegra, Bradford, Ian Calderon,
                Campos, Donnelly, Eggman, Gomez, Hall, Ammiano, Linder,
                Pan, Quirk, Wagner, Weber

          SUMMARY:  Extends the provisions of the state's existing
          information privacy breach notice law to local public agencies.
          Specifically, this bill:

          1) Applies the provisions of the state's existing information
             privacy breach notice law to local agencies.

          2) Declares that if the Commission on State Mandates determines
             that this bill contains costs mandated by the state,
             reimbursement to local agencies and school districts for those
             costs shall be made pursuant to existing state law.

          3) Makes non-substantive, technical corrections.

          FISCAL EFFECT:  According to the Assembly Appropriations
          Committee, the Legislative Counsel has opined this bill  
          constitutes a state mandate that is subject to reimbursement of
          local costs by the state.  The specific mandate is the required
          notification of a breach, as specified.  Estimated costs to the  
          state for reimbursements could exceed $150,000.  The estimates  
          depend on the number of breaches, which is difficult to  
          forecast.  However, there are about 550 cities and counties and  
          about 1,000 school districts.  Among the thousands of special  
          districts only hundreds may be eligible for reimbursement under  
          the state mandate program.

          COMMENTS:  This bill extends the provisions of California's
          existing data breach notification law to local public agencies.   
          This bill is sponsored by the author.

          According to the author's office, "Local government agencies  
          have some of our most personal information - date of birth,  
          social security number, driver's license number, medical  
          information, etc.  This is the type of personal information that  
          identity thieves thrive upon.  Identity theft was responsible  
          for more than $13.3 billion in financial losses in 2010 and can
          take months and even years to wipe off your record.  AB 1149  
          applies the same notification requirements to local governments  
          that have existed for state government since 1977.  It is  
          perfectly reasonable, and long overdue, that county and city  
          offices notify us when our personal data is compromised so that  
          we can protect ourselves."

          The California Information Privacy Act of 1977 (Act)  
          operationalizes the state constitutional guarantee of privacy by  
          limiting the collection, management and dissemination of  
          personal information by state agencies.  That Act includes  
          provisions requiring state agencies and private businesses to  
          notify California residents if the agency or business believes  
          an unauthorized person has accessed personalized data it holds.

          California's data breach notification statute was based on the  
          premise that individuals have a right to know when a data breach  
          has occurred and affected them.  If consumers are made aware  
          that their personal information may have been compromised, they  
          are able to take steps to protect themselves from fraud or  
          identity theft.  This requirement applies to state agencies.   
          Local public agencies are exempt from these data-breach  
          notification requirements.

          The law requires state agencies that own or license electronic
          data that includes personal information to disclose to
          California residents when unencrypted data is believed to have  
          been acquired by an unauthorized person.  The agency must make  
          the disclosure expediently and without unreasonable delay,  
          subject to the needs of law enforcement.  The notice must be  
          written in plain language and include the name and contact  
          information of the agency, a list of the types of personal  
          information compromised, time and date of the breach, length of  
          any delays, a general description of the incident, and contact  
          information for credit reporting agencies.  The agency may also  
          include information about the agency's response and advice on  
          preventing fraud and identity theft after a breach. 

          Notices going to more than 500 California residents must also be  
          shared with the Office of the Attorney General.  Notice may take  
          the form of a written notice, an electronic notice (as specified  
          in federal law), or a substitute notice if the notification  
          would cost more than $250,000, include more than 500,000 people,  
          or if the agency does not have adequate contact information.   
          The substitute notice must include email notice where possible,  
          conspicuous posting on the agency's Internet Web site, and  
          notification to major statewide media and the state Office of  
          Information Security.  Agencies that maintain their own breach  
          notification procedures for personal information, provide notice  
          in compliance with those procedures, and otherwise comply with  
          the timing requirements of current law are deemed to be in  
          compliance with the law. 

          This bill would apply these same provisions to all local public  
          agencies, which the bill defines to include the following:   
          counties; cities (both general law and charter cities); cities  
          and counties; school districts; municipal corporations;  
          districts; political subdivisions; any board, commission or  
          agency of the above-named entities; other local public agencies;  
          and, specified entities that are legislative bodies of a local  

          The extent of data breaches of local agency information is not  
          definitively documented.  According to a list provided by the  
          Privacy Rights Clearinghouse, about a dozen local agency data  
          breaches have occurred since 2006.

          The California State Association of Counties, the Urban Counties  
          Caucus, the League of California Cities, and the California
          Special Districts Association have expressed concerns about the
          fiscal and operational impacts of this bill.  They note that  
          local agencies must comply with federal requirements under HIPAA  
          regarding the privacy of health information.  They believe this  
          bill's provisions could impact many departments within their  
          agencies, particularly counties, and are concerned with the  
          "potentially costly new responsibilities on local agencies at a  
          time when we are challenged to deliver core public services  
          given difficult fiscal conditions."

          This bill is substantially similar to AB 2455 (Campos) of 2012,  
          which was held in the Assembly Appropriations Committee.

          Support arguments:  Supporters argue that this bill "strengthens  
          the state's consumer protections and ensures that consumers can  
          continue entrusting their personal information to California's  
          local agencies."

          Opposition arguments:  Opponents could argue that the need for  
          this bill has not adequately been demonstrated and that more  
          information regarding data breaches of local agency information  
          should be gathered and documented before legislating in this  

          Analysis Prepared by:  Angela Mapp / L. GOV. / (916) 319-3958

                                                                FN: 0000801