BILL ANALYSIS
Senate Appropriations Committee Fiscal Summary
Senator Kevin de León, Chair

AB 1149 (Campos) - Identity theft: local agencies.
Amended: As Introduced
Policy Vote: Judiciary 7-0
Urgency: No
Mandate: Yes
Hearing Date: August 12, 2013
Consultant: Jolie Onodera

This bill meets the criteria for referral to the Suspense File.

Bill Summary: AB 1149 would extend the existing data breach disclosure requirements that are currently required of state agencies, and any person or business conducting business in California, to local agencies, as specified.

Fiscal Impact: Unknown, potentially significant state-reimbursable costs in the hundreds of thousands to millions of dollars (General Fund) should the mandated notification requirements on local agencies be determined to constitute a state-reimbursable mandate by the Commission on State Mandates. There are over 1,000 school districts, approximately 550 counties and cities, 340 local police departments, 58 county sheriff departments, probation departments, and an unknown number of local commissions and boards. At a minimum, local agencies would need to have a protocol established in order to respond timely in the event of a data breach. Ongoing costs would be dependent on the frequency and size of data breaches, and the process of notification utilized by each local agency.

Background: Existing law requires agencies, as defined, persons, or businesses that conduct business in California, which own or license computerized data that includes personal information, as defined, to disclose any security breach concerning that data to any California resident whose unencrypted personal information was, or is believed to have been, acquired by an unauthorized person.
The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as specified, or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

AB 1149 (Campos) Page 1

When an agency, person, or business is required to issue a data security breach notification pursuant to the above provisions, the notification must be written in plain language and provide specified information, including the name and contact information of the reporting agency, person, or business, the type of personal information that was the subject of the breach, information about the timing and nature of the breach, whether notification of the breach was delayed as a result of a law enforcement investigation, and contact information for the major credit reporting bureaus.

"Personal information," for purposes of the breach notification statute, includes an individual's first name or first initial and last name in combination with one or more of the following data elements, when either the name or the data elements are not encrypted: social security number; driver's license number or California identification card number; account number, credit or debit card number, in combination with any required security code, access code, or password; medical information; health insurance information.

The recently released Data Breach Report 2012 by the Attorney General (AG) of the California Department of Justice noted in its key findings that 131 data breaches, each affecting more than 500 California residents, were reported by businesses and state agencies in 2012. The average breach incident involved the information of 22,500 individuals, and the total number of Californians whose personal information was breached was over 2.5 million.
Proposed Law: This bill would extend the disclosure and notification requirements placed on specified state agencies, and any person or business conducting business in California, to apply to a breach of computerized data that is owned, licensed, or maintained by a local agency, as defined. For purposes of the provisions of this bill, "local agency" includes a county, city, whether general law or chartered, city and county, school district, municipal corporation, district, political subdivision, or any board, commission, or agency thereof, other local public agency, or entities that are legislative bodies of a local agency, as specified (Government Code (GC) § 6252(a)).

Related Legislation: SB 46 (Corbett) 2013 would expand the scope of personal information subject to existing security breach disclosure requirements to include data breaches involving a user name or email address, when taken in combination with a password or security question and answer that would permit access to an online account. This bill is pending in the Assembly Judiciary Committee.

Prior Legislation: AB 2455 (Campos) 2012 was identical to this measure. This bill was held on the Suspense File of the Assembly Committee on Appropriations. SB 24 (Simitian) Chapter 197/2011 amended California's security breach notification law to provide that any notification an agency, person, or business is required to issue under existing law must be written in "plain language" and must provide detailed information about the breach.

Staff Comments: By extending existing data breach disclosure requirements that are currently required of specified state agencies and any person or business conducting business in California, to local agencies, as specified, this bill creates a state-mandated local program by imposing new duties on local agencies. Under existing state law, local agencies are not subject to California's security breach notification law.
That law, codified as an amendment to the Information Practices Act of 1977 (the Act), explicitly exempts local agencies from its provisions. Specifically, the following entities are not included in the term "agency" as it pertains to the Act and are therefore exempt from the requirements of the Act, including Title 1.8 (Personal Data) of Part 4 of Division 3 of the Civil Code, which encompasses the provisions on data breach notification (Civil Code § 1798.3(b)(1)-(4)):

- The California Legislature.
- Any agency established under Article VI of the California Constitution (the Judicial Branch, including the Supreme Court, courts of appeal, and superior courts).
- The State Compensation Insurance Fund (SCIF), except as to records which contain personal information about the employees of the SCIF.
- A local agency, as defined in GC § 6252(a), noted above.

The costs to local agencies to comply with existing data breach notification requirements are unknown, but could be significant, potentially in the hundreds of thousands to millions of dollars statewide. There are over 1,000 school districts, approximately 550 counties and cities, 340 local police departments, 58 county sheriff departments, probation departments, and an unknown number of local commissions and boards. Ongoing costs would be dependent on the frequency and size of data breaches, and the process of notification utilized by each local agency (written, electronic, or substitute notice, the last of which applies if the cost of providing notice would exceed $250,000 or affect more than 500,000 persons). At a minimum, it is assumed that local agencies would need to develop a protocol, and possibly provide training, in order to respond timely in the event of a data breach. Whether or not the costs to local agencies would be subject to reimbursement by the state is unknown, and would be subject to determination by the Commission on State Mandates (COSM).
Likewise, it is unknown how the COSM will consider the provisions of this bill in the context of the laws of general application, as discussed by the courts in County of Los Angeles v. State of California, 43 Cal.3d 46 (1987) and City of Sacramento v. State of California, 50 Cal.3d 51 (1990). In these cases, the California Supreme Court ruled that state laws that extended worker compensation and unemployment insurance protections to local employees did not constitute reimbursable mandates. Specifically, the court found that local government employer obligations were comparable to those of other employers, and were not attributable to providing a new program to the public. More generally, the Commission determined that if a statute imposes similar obligations on the private and public sector, the public sector's costs to comply with the requirement do not constitute a state-reimbursable mandate.