BILL ANALYSIS
Senate Appropriations Committee Fiscal Summary
Senator Kevin de León, Chair
AB 1149 (Campos) - Identity theft: local agencies.
Amended: As Introduced
Policy Vote: Judiciary 7-0
Urgency: No
Mandate: Yes
Hearing Date: August 30, 2013
Consultant: Jolie Onodera
SUSPENSE FILE.
Bill Summary: AB 1149 would extend the existing data breach
disclosure requirements that are currently required of state
agencies, and any person or business conducting business in
California, to local agencies, as specified.
Fiscal Impact: Unknown, potentially significant
state-reimbursable costs in the hundreds of thousands to
millions of dollars (General Fund) should the mandated
notification requirements on local agencies be determined to
constitute a state-reimbursable mandate by the Commission on
State Mandates. There are over 1,000 school districts,
approximately 550 counties and cities, 340 local police
departments, 58 county sheriff departments, probation
departments, and an unknown number of local commissions and
boards. At a minimum, local agencies would need to have a
protocol established in order to respond timely in the event of
a data breach. Ongoing costs would be dependent on the frequency
and size of data breaches, and the process of notification
utilized by each local agency.
Background: Existing law requires agencies, as defined, persons,
or businesses that conduct business in California, which own or
license computerized data that includes personal information, as
defined, to disclose any security breach concerning that data to
any California resident whose unencrypted personal information
was, or is believed to have been, acquired by an unauthorized
person. The disclosure must be made in the most expedient time
possible and without unreasonable delay, consistent with the
legitimate needs of law enforcement, as specified, or any
measures necessary to determine the scope of the breach and
restore the reasonable integrity of the data system.
AB 1149 (Campos)
Page 1
When an agency, person, or business is required to issue a data
security breach notification pursuant to the above provisions,
the notification must be written in plain language and provide
specified information, including the name and contact
information of the reporting agency, person, or business, the
type of personal information that was the subject of the breach,
information about the timing and nature of the breach, whether
notification of the breach was delayed as a result of a law
enforcement investigation, and contact information for the major
credit reporting bureaus.
"Personal information," for purposes of the breach notification
statute includes an individual's first name or first initial and
last name in combination with one or more of the following data
elements, when either the name or data elements are not
encrypted: social security number, driver's license number or
California identification card number, account number, credit or
debit card number, in combination with any required security
code, access code, or password, medical information, health
insurance information.
The recently released Data Breach Report 2012 by the Attorney
General (AG) of the California Department of Justice noted in
its key findings that 131 data breaches, each affecting more
than 500 California residents, were reported by businesses and
state agencies in 2012. The average breach incident involved the
information of 22,500 individuals, and the total number of
Californians whose personal information was breached was over
2.5 million.
Proposed Law: This bill would extend the disclosure and
notification requirements placed on specified state agencies,
and any person or business conducting business in California, to
apply to a breach of computerized data that is owned, licensed,
or maintained by a local agency, as defined. For purposes of the
provisions of this bill:
"Local agency" includes a county, city, whether general law or
chartered, city and county, school district, municipal
corporation, district, political subdivision, or any board,
commission, or agency, thereof, other local public agency or
entities that are legislative bodies of a local agency, as
specified (Government Code (GC) § 6252(a)).
Related Legislation: SB 46 (Corbett) 2013 would expand the scope
of personal information subject to existing security breach
disclosure requirements to include data breaches involving a
user name or email address, when taken in combination with a
password or security question and answer that would permit
access to an online account. This bill is pending in the
Assembly Judiciary Committee.
Prior Legislation: AB 2455 (Campos) 2012 was identical to this
measure. This bill was held on the Suspense File of the Assembly
Committee on Appropriations.
SB 24 (Simitian) Chapter 197/2011 amended California's security
breach notification law to provide that any notification an
agency, person, or business is required to issue under existing
law must be written in "plain language" and must provide
detailed information about the breach.
Staff Comments: By extending existing data breach disclosure
requirements that are currently required of specified state
agencies and any person or business conducting business in
California, to local agencies, as specified, this bill creates a
state-mandated local program by imposing new duties on local
agencies.
Under existing state law, local agencies are not subject to
California's security breach notification law. That law,
codified as an amendment to the Information Practices Act of
1977 (the Act), explicitly exempts local agencies from its
provisions. Specifically, the following entities are not
included in the term "agency" as it pertains to the Act and are
therefore exempt from the requirements of the Act, including
Title 1.8 (Personal Data) of Part 4 of Division 3 of the Civil
Code, which encompasses the provisions on data breach
notification (Civil Code § 1798.3(b)(1)-(4)):
(1) The California Legislature.
(2) Any agency established under Article VI of the California
Constitution (the Judicial Branch, including the Supreme Court,
courts of appeal, and superior courts).
(3) The State Compensation Insurance Fund (SCIF), except as to
records which contain personal information about the employees
of the SCIF.
(4) A local agency, as defined in GC § 6252(a), noted above.
The costs to local agencies to comply with existing data breach
notification requirements are unknown, but could be significant,
potentially in the hundreds of thousands to millions of dollars
statewide. There are over 1,000 school districts, approximately
550 counties and cities, 340 local police departments, 58 county
sheriff departments, probation departments, and an unknown
number of local commissions and boards. Ongoing costs would be
dependent on the frequency and size of data breaches, and the
process of notification utilized by each local agency (written,
electronic, or substitute notice (if the cost of providing
notice would exceed $250,000 or affect more than 500,000
persons)). At a minimum, it is assumed that local agencies would
need to develop a protocol, and possibly provide training, in
order to respond timely in the event of a data breach.
Whether or not the costs to local agencies would be subject to
reimbursement by the state is unknown, and would be subject to
determination by the Commission on State Mandates (COSM).
Likewise, it is unknown how the COSM will consider the
provisions of this bill in the context of the laws of general
application, as discussed by the courts in County of Los Angeles
v. State of California, 43 Cal.3d 46 (1987) and the City of
Sacramento v. State of California, 50 Cal.3d 51 (1990). In these
cases, the California Supreme Court ruled that state laws that
extended worker compensation and unemployment insurance
protections to local employees did not constitute reimbursable
mandates. Specifically, the court found that local government
employer obligations were comparable to other employers, and
were not attributable to providing a new program to the public.
More generally, the Commission determined that if a statute
imposes similar obligations on the private and public sector,
the public sector's costs to comply with the requirement do not
constitute a state-reimbursable mandate.