BILL ANALYSIS

                   Senate Appropriations Committee Fiscal Summary
                            Senator Kevin de León, Chair


          AB 1149 (Campos) - Identity theft: local agencies.
          
          Amended: As Introduced          Policy Vote: Judiciary 7-0
          Urgency: No                     Mandate: Yes
          Hearing Date: August 12, 2013                           
          Consultant: Jolie Onodera       
          
          This bill meets the criteria for referral to the Suspense File.
           

          Bill Summary: AB 1149 would extend the existing data breach  
          disclosure requirements that are currently required of state  
          agencies, and any person or business conducting business in  
          California, to local agencies, as specified.

          Fiscal Impact: Unknown, potentially significant  
          state-reimbursable costs in the hundreds of thousands to  
          millions of dollars (General Fund) should the mandated  
          notification requirements on local agencies be determined to  
          constitute a state-reimbursable mandate by the Commission on  
          State Mandates. There are over 1,000 school districts,  
          approximately 550 counties and cities, 340 local police  
          departments, 58 county sheriff departments, probation  
          departments, and an unknown number of local commissions and  
          boards. At a minimum, local agencies would need to have a  
          protocol established in order to respond timely in the event of  
          a data breach. Ongoing costs would be dependent on the frequency  
          and size of data breaches, and the process of notification  
          utilized by each local agency.  

          Background: Existing law requires agencies, as defined, persons,  
          or businesses that conduct business in California, which own or  
          license computerized data that includes personal information, as  
          defined, to disclose any security breach concerning that data to  
          any California resident whose unencrypted personal information  
          was, or is believed to have been, acquired by an unauthorized  
          person. The disclosure must be made in the most expedient time  
          possible and without unreasonable delay, consistent with the  
          legitimate needs of law enforcement, as specified, or any  
          measures necessary to determine the scope of the breach and  
          restore the reasonable integrity of the data system.

          AB 1149 (Campos)
          Page 1

          When an agency, person, or business is required to issue a data  
          security breach notification pursuant to the above provisions,  
          the notification must be written in plain language and provide  
          specified information, including the name and contact  
          information of the reporting agency, person, or business, the  
          type of personal information that was the subject of the breach,  
          information about the timing and nature of the breach, whether  
          notification of the breach was delayed as a result of a law  
          enforcement investigation, and contact information for the major  
          credit reporting bureaus.

          "Personal information," for purposes of the breach notification  
          statute, includes an individual's first name or first initial and  
          last name in combination with one or more of the following data  
          elements, when either the name or the data elements are not  
          encrypted: social security number; driver's license number or  
          California identification card number; account number, credit or  
          debit card number, in combination with any required security  
          code, access code, or password; medical information; or health  
          insurance information.

          The recently released Data Breach Report 2012 by the Attorney  
          General (AG) of the California Department of Justice noted in  
          its key findings that 131 data breaches, each affecting more  
          than 500 California residents, were reported by businesses and  
          state agencies in 2012. The average breach incident involved the  
          information of 22,500 individuals, and the total number of  
          Californians whose personal information was breached was over  
          2.5 million.
          
          Proposed Law: This bill would extend the disclosure and  
          notification requirements placed on specified state agencies,  
          and any person or business conducting business in California, to  
          apply to a breach of computerized data that is owned, licensed,  
          or maintained by a local agency, as defined. For purposes of the  
          provisions of this bill:

          "Local agency" includes a county, city, whether general law or  
          chartered, city and county, school district, municipal  
          corporation, district, political subdivision, or any board,  
          commission, or agency, thereof, other local public agency or  
          entities that are legislative bodies of a local agency, as  
          specified (Government Code (GC) § 6252(a)).
          Related Legislation: SB 46 (Corbett) 2013 would expand the scope  
          of personal information subject to existing security breach  
          disclosure requirements to include data breaches involving a  
          user name or email address, when taken in combination with a  
          password or security question and answer that would permit  
          access to an online account. This bill is pending in the  
          Assembly Judiciary Committee.

          Prior Legislation: AB 2455 (Campos) 2012 was identical to this  
          measure. That bill was held on the Suspense File of the Assembly  
          Committee on Appropriations.
          
          SB 24 (Simitian) Chapter 197/2011 amended California's security  
          breach notification law to provide that any notification an  
          agency, person, or business is required to issue under existing  
          law must be written in "plain language" and must provide detailed  
          information about the breach.
          
          Staff Comments: By extending existing data breach disclosure  
          requirements that are currently required of specified state  
          agencies and any person or business conducting business in  
          California, to local agencies, as specified, this bill creates a  
          state-mandated local program by imposing new duties on local  
          agencies.

          Under existing state law, local agencies are not subject to  
          California's security breach notification law. That law,  
          codified as an amendment to the Information Practices Act of  
          1977 (the Act), explicitly exempts local agencies from its  
          provisions. Specifically, the following entities are not  
          included in the term "agency" as it pertains to the Act and are  
          therefore exempt from the requirements of the Act, including  
          Title 1.8 (Personal Data) of Part 4 of Division 3 of the Civil  
          Code, which encompasses the provisions on data breach  
          notification (Civil Code § 1798.3(b)(1)-(4)):
                - The California Legislature.
                - Any agency established under Article VI of the  
                  California Constitution (the Judicial Branch, including  
                  the Supreme Court, courts of appeal, and superior courts).
                - The State Compensation Insurance Fund (SCIF), except as  
                  to records which contain personal information about the  
                  employees of the SCIF.
                - A local agency, as defined in GC § 6252(a), noted above.
          The costs to local agencies to comply with existing data breach  
          notification requirements are unknown, but could be significant,  
          potentially in the hundreds of thousands to millions of dollars  
          statewide. There are over 1,000 school districts, approximately  
          550 counties and cities, 340 local police departments, 58 county  
          sheriff departments, probation departments, and an unknown  
          number of local commissions and boards. Ongoing costs would be  
          dependent on the frequency and size of data breaches, and the  
          process of notification utilized by each local agency (written  
          notice, electronic notice, or substitute notice, which is  
          permitted where the cost of providing notice would exceed  
          $250,000 or more than 500,000 persons would be affected). At a  
          minimum, it is assumed that local agencies would  
          need to develop a protocol, and possibly provide training, in  
          order to respond timely in the event of a data breach. 

          Whether or not the costs to local agencies would be subject to  
          reimbursement by the state is unknown, and would be subject to  
          determination by the Commission on State Mandates (COSM).  
          Likewise, it is unknown how the COSM will consider the  
          provisions of this bill in the context of the laws of general  
          application, as discussed by the California Supreme Court in  
          County of Los Angeles v. State of California, 43 Cal.3d 46 (1987)  
          and City of Sacramento v. State of California, 50 Cal.3d 51  
          (1990). In these  
          cases, the California Supreme Court ruled that state laws that  
          extended worker compensation and unemployment insurance  
          protections to local employees did not constitute reimbursable  
          mandates. Specifically, the court found that local government  
          employer obligations were comparable to other employers, and  
          were not attributable to providing a new program to the public.  
          More generally, the Commission determined that if a statute  
          imposes similar obligations on the private and public sector,  
          the public sector's costs to comply with the requirement do not  
          constitute a state-reimbursable mandate.