BILL ANALYSIS

                             SENATE JUDICIARY COMMITTEE
                             Senator Noreen Evans, Chair
                              2013-2014 Regular Session

          AB 1149 (Campos)
          As Introduced
          Hearing Date: June 25, 2013
          Fiscal: Yes
          Urgency: No

                           Identity Theft: Local Agencies


          Existing law requires any state agency, and any person or  
          business that conducts business in California, which owns or  
          licenses computerized data that includes personal information as  
          defined, to disclose any security breach concerning that data to  
          any California resident whose unencrypted personal information  
          was, or is believed to have been, acquired by an unauthorized  
          person.  This bill would extend these existing data breach  
          disclosure requirements to local agencies.


          In 2003, California's first-in-the-nation security breach  
          notification law went into effect.  (See Civ. Code Secs.  
          1798.29(a), 1798.82(a).)  This law requires state agencies and  
          businesses to notify residents when the security of their  
          personal information, as defined, is breached.  Mandatory  
          notification ensures that residents are made aware of the  
          breach, allowing them to take appropriate action to mitigate or  
          prevent potential financial losses due to fraudulent activity,  
          as well as to limit the potential dissemination of personal  
          information.  Since its passage in 2003, all but four states  
          have enacted similar security breach notification laws, and  
          governments around the world are considering enacting such laws.  
          In the past year, "at least 13 states introduced security  
          breach notice legislation, many expanding the scope of laws,  
          setting additional requirements related to notification, or  
          changing penalties for those responsible for breaches."   
          (National Conference of State Legislatures, 2012 Security Breach  
           [as of June 15, 2013].)

          Although existing California law requires state agencies and  
          businesses to notify affected consumers when there is a breach  
          in the security of their information, the law does not place  
          similar requirements on local agencies.  This gap in the law  
          creates a unique problem when personal information owned or  
          licensed by a local governmental entity is compromised.  A data  
          breach that occurred in 2008 illustrates the nature of this  
          problem.  Early that year, computer equipment owned by  
          Systematic Automation, Inc., a data processing firm in  
          Fullerton, was stolen during a commercial burglary.  The stolen  
          equipment contained data files with more than 40,000 names,  
          addresses, and Social Security numbers of California residents.   
          (See Los Angeles Times, DWP workers' financial data stolen  
          [as of June 15, 2013]; Orange County Register, 40,000 names,  
          Social Security numbers on stolen computer  
           [as of June 15, 2013].)  Normally, a breach of this type  
          would trigger the breach notification provisions in Civil Code  
          Section 1798.82 that apply to businesses.  However, some of the  
          personal information stolen pertained to 8,275 employees of the  
          Los Angeles Department of Water and Power (DWP), including  
          employee identification numbers and deferred compensation  
          balances.  For this subset of compromised data, which was not  
          owned or licensed by Systematic Automation but was merely  
          maintained on behalf of a local governmental agency, the law  
          requires that the non-owning business notify the owner of the  
          data, who then would normally make the required security breach  
          disclosures to affected California residents.  But because the  
          owner in this case was a local governmental agency, the duty to  
          disclose under California's security breach notification law was  
          not triggered.  Although DWP did, indeed, notify affected  
          employees, its exemption from the security breach notification  
          law meant that any failure by the agency to follow the standard  
          imposed on state agencies and California businesses would have  
          left affected residents unknowingly in a vulnerable position.

          AB 1149 is intended to fill this gap by subjecting local  
          agencies, as defined, to the same notification requirements that  
          presently apply to state agencies and California businesses.   
          The author and supporters of this bill note that local  
          government agencies maintain computerized records containing  
          some of our most personal information, and that a security  
          breach concerning this data would have the same potential  
          consequences as breaches of similar data in the possession of  
          businesses and state agencies.

                                CHANGES TO EXISTING LAW
          Existing law requires any agency, person, or business that owns  
          or licenses computerized data that includes personal information  
          to disclose a breach of the security of the system to any  
          California resident whose unencrypted personal information was,  
          or is reasonably believed to have been, acquired by an  
          unauthorized person.  The disclosure must be made in the most  
          expedient time possible and without unreasonable delay,  
          consistent with the legitimate needs of law enforcement, as  
          specified.  (Civ. Code Sec. 1798.29(a), (c); Civ. Code Sec.  
          1798.82(a), (c).)

          Existing law requires any agency, person, or business that  
          maintains computerized data that includes personal information  
          that the agency, person, or business does not own to notify the  
          owner or licensee of the information of any security breach  
          immediately following discovery if the personal information was,  
          or is reasonably believed to have been, acquired by an  
          unauthorized person.  (Civ. Code Secs. 1798.29(b), 1798.82(b).)

          Existing law defines "personal information," for purposes of the  
          breach notification statute, to include the individual's first  
          name or first initial and last name in combination with one or  
          more of the following data elements, when either the name or the  
          data elements are not encrypted: social security number;  
          driver's license number or California Identification Card  
          number; account number, credit or debit card number, in  
          combination with any required security code, access code, or  
          password that would permit access to an individual's financial  
          account; medical information; or health insurance information.   
          "Personal information" does not include publicly available  
          information that is lawfully made available to the general  
          public from federal, state, or local government records.  (Civ.  
          Code Sec. 1798.29(g), (h); Civ. Code Sec. 1798.82(h), (i).)

          Existing law provides that when an agency, person, or business  
          is required to issue a data security breach notification  
          pursuant to the above provisions, that notification must be  
          written in plain language and provide specified information,  
          including: the name and contact information of the reporting  
          agency, person, or business; the type of personal information  
          that was the subject of the breach; information about the timing  
          and nature of the breach; whether notification of the breach was  
          delayed as a result of a law enforcement investigation; and  
          contact information for the major credit reporting bureaus.   
          Existing law specifies that the agency, person, or business may  
          include additional information that would be useful to the  
          person in taking steps to mitigate potential damages caused by  
          the breach.  (Civ. Code Secs. 1798.29(d), 1798.82(d).)

          Existing law defines "local agency" as including a county; city,  
          whether general law or chartered; city and county; school  
          district; municipal corporation; district; political  
          subdivision; or any board, commission or agency thereof; other  
          local public agency; or entities that are legislative bodies of  
          a local agency, as specified.  (Gov. Code Sec. 6252.)

          This bill would expand the above disclosure and notification  
          requirements to apply to a breach of computerized data that is  
          owned, licensed, or maintained by a local agency by defining the  
          term "agency" to include a local agency, as defined.

          1.   Stated need for the bill  

          According to the author:

               AB 1149 applies the same notification requirements to local  
               governments that have existed for state government since  
               1977.  It is perfectly reasonable, and long overdue, that  
               county and city offices notify us when our personal data is  
               compromised so that we can protect ourselves. 

               Local government[al] agencies have some of our most  
               personal information - date of birth, social security  
               number, driver's license number, medical information, etc.   
               This is the type of personal information that identity  
               thieves thrive upon.  Identity theft was responsible for  
               more than $13.3 billion in financial losses in 2010 and can  
               take months and even years to wipe off your record. 

               If state agencies or private companies release your  
               personal information, regardless of how it occurs, they  
               must notify you so you can take steps to protect yourself  
               against identity theft.  Local agencies should be held to  
               the same standard.  AB 1149 accomplishes this.

          2.   Application of breach disclosure duties to local agencies  

          Local agencies are not currently subject to California's  
          security breach notification law.  That law, codified as an  
          amendment to the Information Practices Act of 1977, explicitly  
          exempts local agencies from its provisions.  (See Civil Code  
          Section 1798.3(b)(4).)  Consequently, it is difficult to  
          ascertain how often local agencies suffer data security  
          breaches, or what scope of information is compromised during a  
          breach.  The author has provided the Committee with a list of 16  
          breaches that occurred at local agencies since 2006.  These  
          breaches range from minor hacking incidents involving a few  
          individuals to the deliberate publication of thousands of  
          California residents' personal information.  Had these breaches  
          occurred at state agencies or California businesses, those  
          entities would have been required to notify all affected persons  
          according to the process specified in the security breach  
          notification law.  This bill extends existing disclosure duties  
          to local agencies based on the premise that the consequences of  
          a data breach - and the need for an affected person to have  
          knowledge of the breach to take appropriate protective steps -  
          are the same whether the data is held by a private business or  
          state agency, or by a local agency.

          3.   Privacy as a fundamental right in California

          The right to privacy is a fundamental right protected by article  
          I, section 1 of the California Constitution.  The Legislature  
          has expressly declared that "all individuals have a right of  
          privacy in information pertaining to them," and has found that: 

               (1) The right to privacy is being threatened by the  
               indiscriminate collection, maintenance, and dissemination  
               of personal information and the lack of effective laws and  
               legal remedies.

                (2) The increasing use of computers and other  
               sophisticated information technology has greatly magnified  
               the potential risk to individual privacy that can occur  
               from the maintenance of personal information.

                (3) In order to protect the privacy of individuals, it is  
               necessary that the maintenance and dissemination of  
               personal information be subject to strict limits. (Civ.  
               Code Sec. 1798.1 (emphasis added).)  

          This bill builds upon the fundamental right to privacy by  
          expanding the scope of California's existing data breach security  
          law to include breaches at local agencies.  As the information  
          presented by the author regarding local agency data breaches  
          reflects, the privacy rights of California residents are put in  
          jeopardy by data breaches that occur at local agencies just as  
          they are by breaches at businesses and state agencies.  This  
          bill helps to ensure that the fundamental right to privacy is  
          respected, and that consistent steps will be taken to notify  
          affected residents in the wake of a data breach, regardless of  
          the level of government involved.

          4.   Opposition concerns

          The groups in opposition raise concerns over the potential  
          fiscal impact this measure would have to local agency budgets,  
          as well as the potential operational or practical impact it  
          would have on how local agencies respond to security breaches of  
          data systems containing personal information.

               a.   Potential fiscal impact
               The opposition contends that compliance with this measure  
               could be very costly for local agencies, and notes, while  
               the bill imposes "significant new duties on public agencies  
               statewide," it does not "identif[y] a means to cover any  
               associated cost."  In response, the author states that "the  
               bill is a candidate to be a state mandate, thus  

               Staff notes that should this bill be approved by this  
               Committee, it will be referred to the Senate Committee on  
               Appropriations for a complete fiscal analysis.

               b.   Potential operational impact
               The groups in opposition raise further concern about the  
               potential operational impact this bill could have.  They  
               note that local agencies are already subject to federally  
               imposed health information privacy requirements under the  
               federal Health Insurance Portability and Accountability Act  
               of 1996 (HIPAA), and can opt to design and implement local  
               procedures for the release of personal information not  
               governed by HIPAA.

               Staff notes that, while it appears at least some local  
               agencies do disclose data breaches to affected California  
               residents, it is not clear that all local agencies do so,  
               or that all local agencies follow the same notification  
               standards and procedures.  This bill would eliminate the  
               possibility that a patchwork of inconsistent local security  
               breach notification laws could develop in the state, or  
               that certain local agencies could opt out of adopting  
               notification procedures.

               The groups in opposition further state that this bill  
               could, "either in practice or precedent," subject local  
               agencies to other provisions of the Information Practices  
               Act of 1977, which could impose additional and potentially  
               costly new responsibilities on local agencies.  Staff  
               notes that such an expansive reading of this bill does not  
               appear to be justified.  Subdivision (k) of section 1 makes  
               explicit the limited scope of this bill.  It states:

                    (k) Notwithstanding the exception specified in  
                    paragraph (4) of subdivision (b) of Section 1798.3,  
                    for purposes of this section, "agency" includes a  
                    local agency, as defined in subdivision (a) of Section  
                    6252 of the Government Code.  (AB 1149, Sec. 1,  
                    Subdivision (k) [emphasis added].)

               By its terms, AB 1149 would only amend the existing  
               security breach notification law codified at Civil Code  
               Section 1798.29, and would not affect any other section of  
               the Information Practices Act.  Consequently, provisions  
               like Civil Code Section 1798.45, which permits an  
               individual to bring a civil action against an "agency" for  
               failure to comply with the Information Practices Act, would  
               likely not provide a private right of action to litigants  
               seeking to bring civil actions against local agencies for  
               failing to comply with this bill.

          Support: American Civil Liberties Union of California;  
          California Cable & Telecommunications Association; California  
          Federation of Teachers; Consumer Federation of California;  
          Glendale City Employees Association; Organization of Sacramento  
          Municipal Utilities District Employees; Privacy Rights  
          Clearinghouse; San Bernardino Public Employees Association; San  
          Luis Obispo County Employees Association; Santa Rosa City  
          Employees Association

          Opposition: Association of California Healthcare Districts;  
          California Association of Joint Powers Authorities; California  
          Special Districts Association; California State Association of  
          Counties; League of California Cities; Urban Counties Caucus

          Source: Author

          Related Pending Legislation: SB 46 (Corbett) would expand the  
          scope of personal information subject to existing security  
          breach disclosure requirements to include data breaches  
          involving a user name or email address, when taken in  
          combination with a password or security question and answer that  
          would permit access to an online account.  This bill is in the  
          Assembly Judiciary Committee.

          Prior Legislation:

          AB 2455 (Campos, 2012) was an identical measure to this bill,  
          and would have extended to local agencies the same data breach  
          notification requirements to which state agencies and California  
          businesses are already subject.  This bill died in the Assembly  
          Appropriations Committee.

          SB 24 (Simitian, Chapter 197, Statutes of 2011) amended  
          California's security breach notification law to provide that  
          any notification that an agency, person, or business is required  
          to issue under existing law must be written in "plain language"  
          and must provide detailed information about the breach.

          AB 2362 (Keene, 2008) would have required an agency, when  
          collecting personal information from a resident, to provide  
          notice to the resident that his or her personal information is  
          being handled in a secure manner that guards against  
          unauthorized disclosure and, in the event of a breach of the  
          security of the system, to provide timely and appropriate  
          notice.  This bill died in the Senate Judiciary Committee.

          AB 1656 (Jones, 2008) would have, among other things, required a  
          person, business, or agency that maintains personal information  
          to include in a breach notification to the owner or licensee of  
          the information a description of the categories of personal  
          information that were, or may have been, acquired, a toll-free  
          or local telephone number or e-mail address that individuals may  
          use to contact the agency, person, or business, and the  
          telephone numbers and addresses of the major credit reporting  
          agencies.  This bill was vetoed by the Governor.

          AB 1779 (Jones, 2008) was a similar bill to AB 1656.  This bill  
          died in the Senate Judiciary Committee.

          AB 779 (Jones, 2007) was a similar bill to AB 1656.  This bill  
          was vetoed by the Governor.

          AB 1298 (Jones, Chapter 699, Statutes of 2007) amended  
          California's security breach notification law to add medical  
          information and health insurance information to the data  
          elements that, when combined with the individual's name, would  
          constitute personal information that would require disclosure  
          when acquired, or believed to be acquired, by an unauthorized  
          person due to a security breach.

          AB 2505 (Nunez, 2006) would have created the California  
          Information Security Response Team consisting of state  
          government officials for the purpose of centralizing the  
          state response to security breaches.  This bill failed passage  
          on the Senate Floor.

          SB 852 (Bowen, 2006) would have required that a security breach  
          notification be issued regardless of whether or not the data  
          breached was computerized.  The bill would also have required  
          notice to the Office of Privacy Protection.  This bill failed in  
          the Assembly Business and Professions Committee.

          SB 1279 (Bowen, 2004) was a similar bill to SB 852.  This bill  
          died on the Assembly Floor.

          Prior Vote:

          Assembly Committee on Local Government (Ayes 9, Noes 0)
          Assembly Committee on the Judiciary (Ayes 10, Noes 0)
          Assembly Committee on Appropriations (Ayes 17, Noes 0)
          Assembly Floor (Ayes 78, Noes 0)