BILL ANALYSIS
SENATE JUDICIARY COMMITTEE
Senator Noreen Evans, Chair
2013-2014 Regular Session
AB 1149 (Campos)
As Introduced
Hearing Date: June 25, 2013
Fiscal: Yes
Urgency: No
SUBJECT
Identity Theft: Local Agencies
DESCRIPTION
Existing law requires any state agency, and any person or
business that conducts business in California, which owns or
licenses computerized data that includes personal information as
defined, to disclose any security breach concerning that data to
any California resident whose unencrypted personal information
was, or is believed to have been, acquired by an unauthorized
person. This bill would extend these existing data breach
disclosure requirements to local agencies.
BACKGROUND
In 2003, California's first-in-the-nation security breach
notification law went into effect. (See Civ. Code Secs.
1798.29(a), 1798.82(a).) This law requires state agencies and
businesses to notify residents when the security of their
personal information, as defined, is breached. Mandatory
notification ensures that residents are made aware of the
breach, allowing them to take appropriate action to mitigate or
prevent potential financial losses due to fraudulent activity,
as well as to limit the potential dissemination of personal
information. Since its passage in 2003, all but four states
have enacted similar security breach notification laws, and
governments around the world are considering enacting such laws.
In the past year, "at least 13 states introduced security
breach notice legislation, many expanding the scope of laws,
setting additional requirements related to notification, or
changing penalties for those responsible for breaches."
(National Conference of State Legislatures, 2012 Security Breach
Legislation
[as of June 15, 2013].)
Although existing California law requires state agencies and
businesses to notify affected consumers when there is a breach
in the security of their information, the law does not place
similar requirements on local agencies. This gap in the law
creates a unique problem when personal information owned or
licensed by a local governmental entity is compromised. A data
breach that occurred in 2008 illustrates the nature of this
problem. Early that year, computer equipment owned by
Systematic Automation, Inc., a data processing firm in
Fullerton, was stolen during a commercial burglary. The stolen
equipment contained data files with more than 40,000 names,
addresses, and Social Security numbers of California residents.
(See Los Angeles Times, DWP workers' financial data stolen
[as of June 15, 2013]; Orange County Register, 40,000 names,
Social Security numbers on stolen computer
[as of June 15, 2013].) Normally, a breach of this type
would trigger the breach notification provisions in Civil Code
Section 1798.82 that apply to businesses. However, some of the
personal information stolen pertained to 8,275 employees of the
Los Angeles Department of Water and Power (DWP), including
employee identification numbers and deferred compensation
balances. For this subset of compromised data, which was not
owned or licensed by Systematic Automation but was merely
maintained on behalf of a local governmental agency, the law
requires that the non-owning business notify the owner of the
data, who then would normally make the required security breach
disclosures to affected California residents. But because the
owner in this case was a local governmental agency, the duty to
disclose under California's security breach notification law was
not triggered. Although DWP did, indeed, notify affected
employees, its exemption from the security breach notification
law meant that any failure by the agency to follow the standard
imposed on state agencies and California businesses would have
left affected residents unknowingly in a vulnerable position.
AB 1149 is intended to fill this gap by subjecting local
agencies, as defined, to the same notification requirements that
presently apply to state agencies and California businesses.
The author and supporters of this bill note that local
government agencies maintain computerized records containing
some of our most personal information, and that a security
breach concerning this data would have the same potential
consequences as breaches of similar data in the possession of
businesses and state agencies.
CHANGES TO EXISTING LAW
Existing law requires any agency, person, or business that owns
or licenses computerized data that includes personal information
to disclose a breach of the security of the system to any
California resident whose unencrypted personal information was,
or is reasonably believed to have been, acquired by an
unauthorized person. The disclosure must be made in the most
expedient time possible and without unreasonable delay,
consistent with the legitimate needs of law enforcement, as
specified. (Civ. Code Sec. 1798.29(a), (c); Civ. Code Sec.
1798.82(a), (c).)
Existing law requires any agency, person, or business that
maintains computerized data that includes personal information
that the agency, person, or business does not own to notify the
owner or licensee of the information of any security breach
immediately following discovery if the personal information was,
or is reasonably believed to have been, acquired by an
unauthorized person. (Civ. Code Secs. 1798.29(b), 1798.82(b).)
Existing law defines "personal information," for purposes of the
breach notification statute, to include the individual's first
name or first initial and last name in combination with one or
more of the following data elements, when either the name or the
data elements are not encrypted: social security number;
driver's license number or California Identification Card
number; account number, credit or debit card number, in
combination with any required security code, access code, or
password that would permit access to an individual's financial
account; medical information; or health insurance information.
"Personal information" does not include publicly available
information that is lawfully made available to the general
public from federal, state, or local government records. (Civ.
Code Sec. 1798.29(g), (h); Civ. Code Sec. 1798.82(h), (i).)
Existing law provides that when an agency, person, or business
is required to issue a data security breach notification
pursuant to the above provisions, that notification must be
written in plain language and provide specified information,
including: the name and contact information of the reporting
agency, person, or business; the type of personal information
that was the subject of the breach; information about the timing
and nature of the breach; whether notification of the breach was
delayed as a result of a law enforcement investigation; and
contact information for the major credit reporting bureaus.
Existing law specifies that the agency, person, or business may
include additional information that would be useful to the
person in taking steps to mitigate potential damages caused by
the breach. (Civ. Code Secs. 1798.29(d), 1798.82(d).)
Existing law defines "local agency" as including a county; city,
whether general law or chartered; city and county; school
district; municipal corporation; district; political
subdivision; or any board, commission or agency thereof; other
local public agency; or entities that are legislative bodies of
a local agency, as specified. (Gov. Code Sec. 6252.)
This bill would expand the above disclosure and notification
requirements to apply to a breach of computerized data that is
owned, licensed, or maintained by a local agency by defining the
term "agency" to include a local agency, as defined.
COMMENT
1. Stated need for the bill
According to the author:
AB 1149 applies the same notification requirements to local
governments that have existed for state government since
1977. It is perfectly reasonable, and long overdue, that
county and city offices notify us when our personal data is
compromised so that we can protect ourselves.
Local government[al] agencies have some of our most
personal information - date of birth, social security
number, driver's license number, medical information, etc.
This is the type of personal information that identity
thieves thrive upon. Identity theft was responsible for
more than $13.3 billion in financial losses in 2010 and can
take months and even years to wipe off your record.
If state agencies or private companies release your
personal information, regardless of how it occurs, they
must notify you so you can take steps to protect yourself
against identity theft. Local agencies should be held to
the same standard. AB 1149 accomplishes this.
2. Application of breach disclosure duties to local agencies
Local agencies are not currently subject to California's
security breach notification law. That law, codified as an
amendment to the Information Practices Act of 1977, explicitly
exempts local agencies from its provisions. (See Civil Code
Section 1798.3(b)(4).) Consequently, it is difficult to
ascertain how often local agencies suffer data security
breaches, or what scope of information is compromised during a
breach. The author has provided the Committee with a list of 16
breaches that occurred at local agencies since 2006. These
breaches range from minor hacking incidents involving a few
individuals to the deliberate publication of thousands of
California residents' personal information. Had these breaches
occurred at state agencies or California businesses, those
entities would have been required to notify all affected persons
according to the process specified in the security breach
notification law. This bill extends existing disclosure duties
to local agencies based on the premise that the consequences of
a data breach - and the need for an affected person to have
knowledge of the breach to take appropriate protective steps -
are the same whether the data is held by a private business or
state agency, or by a local agency.
3. Privacy as a fundamental right in California
The right to privacy is a fundamental right protected by article
I, section 1 of the California Constitution. The Legislature
has expressly declared that "all individuals have a right of
privacy in information pertaining to them," and has found that:
(1) The right to privacy is being threatened by the
indiscriminate collection, maintenance, and dissemination
of personal information and the lack of effective laws and
legal remedies.
(2) The increasing use of computers and other
sophisticated information technology has greatly magnified
the potential risk to individual privacy that can occur
from the maintenance of personal information.
(3) In order to protect the privacy of individuals, it is
necessary that the maintenance and dissemination of
personal information be subject to strict limits. (Civ.
Code Sec. 1798.1 (emphasis added).)
This bill builds upon the fundamental right to privacy by
expanding the scope of California's existing data breach security
law to include breaches at local agencies. As the information
presented by the author regarding local agency data breaches
reflects, the privacy rights of California residents are put in
jeopardy by data breaches that occur at local agencies just as
they are by breaches at businesses and state agencies. This
bill helps to ensure that the fundamental right to privacy is
respected, and that consistent steps will be taken to notify
affected residents in the wake of a data breach, regardless of
the level of government involved.
4. Opposition concerns
The groups in opposition raise concerns over the potential
fiscal impact this measure would have to local agency budgets,
as well as the potential operational or practical impact it
would have on how local agencies respond to security breaches of
data systems containing personal information.
a. Potential fiscal impact
The opposition contends that compliance with this measure
could be very costly for local agencies, and notes that, while
the bill imposes "significant new duties on public agencies
statewide," it does not "identif[y] a means to cover any
associated cost." In response, the author states that "the
bill is a candidate to be a state mandate, thus
reimbursable."
Staff notes that should this bill be approved by this
Committee, it will be referred to the Senate Committee on
Appropriations for a complete fiscal analysis.
b. Potential operational impact
The groups in opposition raise further concern about the
potential operational impact this bill could have. They
note that local agencies are already subject to federally
imposed health information privacy requirements under the
federal Health Insurance Portability and Accountability Act
of 1996 (HIPAA), and can opt to design and implement local
procedures for the release of personal information not
governed by HIPAA.
Staff notes that, while it appears at least some local
agencies do disclose data breaches to affected California
residents, it is not clear that all local agencies do so,
or that all local agencies follow the same notification
standards and procedures. This bill would eliminate the
possibility that a patchwork of inconsistent local security
breach notification laws could develop in the state, or
that certain local agencies could opt out of adopting
notification procedures.
The groups in opposition further state that this bill
could, "either in practice or precedent," subject local
agencies to other provisions of the Information Practices
Act of 1977, which could impose additional and potentially
costly new responsibilities on local agencies. Staff
notes that such an expansive reading of this bill does not
appear to be justified. Subdivision (k) of section 1 makes
explicit the limited scope of this bill. It states:
(k) Notwithstanding the exception specified in
paragraph (4) of subdivision (b) of Section 1798.3,
for purposes of this section, "agency" includes a
local agency, as defined in subdivision (a) of Section
6252 of the Government Code. (AB 1149, Sec. 1,
Subdivision (k) [emphasis added].)
By its terms, AB 1149 would only amend the existing
security breach notification law codified at Civil Code
Section 1798.29, and would not affect any other section of
the Information Practices Act. Consequently, provisions
like Civil Code Section 1798.45, which permits an
individual to bring a civil action against an "agency" for
failure to comply with the Information Practices Act, would
likely not provide a private right of action to litigants
seeking to bring civil actions against local agencies for
failing to comply with this bill.
Support: American Civil Liberties Union of California;
California Cable & Telecommunications Association; California
Federation of Teachers; Consumer Federation of California;
Glendale City Employees Association; Organization of Sacramento
Municipal Utilities District Employees; Privacy Rights
Clearinghouse; San Bernardino Public Employees Association; San
Luis Obispo County Employees Association; Santa Rosa City
Employees Association
Opposition: Association of California Healthcare Districts;
California Association of Joint Powers Authorities; California
Special Districts Association; California State Association of
Counties; League of California Cities; Urban Counties Caucus
HISTORY
Source: Author
Related Pending Legislation: SB 46 (Corbett) would expand the
scope of personal information subject to existing security
breach disclosure requirements to include data breaches
involving a user name or email address, when taken in
combination with a password or security question and answer that
would permit access to an online account. This bill is in the
Assembly Judiciary Committee.
Prior Legislation:
AB 2455 (Campos, 2012) was an identical measure to this bill,
and would have extended to local agencies the same data breach
notification requirements to which state agencies and California
businesses are already subject. This bill died in the Assembly
Appropriations Committee.
SB 24 (Simitian, Chapter 197, Statutes of 2011) amended
California's security breach notification law to provide that
any notification an agency, person, or business is required to
issue under existing law must be written in "plain language" and
must provide detailed information about the breach.
AB 2362 (Keene, 2008) would have required an agency, when
collecting personal information from a resident to provide
notice to the resident that his or her personal information is
being handled in a secure manner that guards against
unauthorized disclosure and, in the event of a breach of the
security of the system, to provide timely and appropriate
notice. This bill died in the Senate Judiciary Committee.
AB 1656 (Jones, 2008) would have, among other things, required a
person, business, or agency that maintains personal information
to include in a breach notification to the owner or licensee of
the information a description of the categories of personal
information that were, or may have been, acquired, a toll-free
or local telephone number or e-mail address that individuals may
use to contact the agency, person, or business, and the
telephone numbers and addresses of the major credit reporting
agencies. This bill was vetoed by the Governor.
AB 1779 (Jones, 2008) was a similar bill to AB 1656. This bill
died in the Senate Judiciary Committee.
AB 779 (Jones, 2007) was a similar bill to AB 1656. This bill
was vetoed by the Governor.
AB 1298 (Jones, Chapter 699, Statutes of 2007) amended
California's security breach notification law to add medical
information and health insurance information to the data
elements that, when combined with the individual's name, would
constitute personal information that would require disclosure
when acquired, or believed to be acquired, by an unauthorized
person due to a security breach.
AB 2505 (Nunez, 2006) would have created the California
Information Security Response Team consisting of state
government officials for the purpose of centralizing the
state response to security breaches. This bill failed passage
on the Senate Floor.
SB 852 (Bowen, 2006) would have required that a security breach
notification be issued regardless of whether or not the data
breached was computerized. The bill would also have required
notice to the Office of Privacy Protection. This bill failed in
the Assembly Business and Professions Committee.
SB 1279 (Bowen, 2004) was a similar bill to SB 852. This bill
died on the Assembly Floor.
Prior Vote:
Assembly Committee on Local Government (Ayes 9, Noes 0)
Assembly Committee on the Judiciary (Ayes 10, Noes 0)
Assembly Committee on Appropriations (Ayes 17, Noes 0)
Assembly Floor (Ayes 78, Noes 0)