BILL ANALYSIS


          |SENATE RULES COMMITTEE            |                       AB 1149|
          |Office of Senate Floor Analyses   |                              |
          |1020 N Street, Suite 524          |                              |
          |(916) 651-1520         Fax: (916) |                              |
          |327-4478                          |                              |
                                    THIRD READING

          Bill No:  AB 1149
          Author:   Campos (D)
          Amended:  9/4/13 in Senate
          Vote:     21

           SENATE JUDICIARY COMMITTEE  :  7-0, 6/25/13
          AYES: Evans, Walters, Anderson, Corbett, Jackson, Leno, Monning

           SENATE APPROPRIATIONS COMMITTEE  :  7-0, 8/30/13
          AYES:  De León, Walters, Gaines, Hill, Lara, Padilla, Steinberg

           ASSEMBLY FLOOR  :  78-0, 5/29/13 - See last page for vote

           SUBJECT  :    Identity theft:  local agencies

           SOURCE  :     Author

           DIGEST  :    This bill extends existing data breach disclosure  
          requirements, currently applicable to any state agency, person  
          or business, to local agencies.

           Senate Floor Amendments  of 9/4/13 add double-jointing provisions  
          to prevent chaptering out issues with SB 46 (Corbett).

           ANALYSIS  :    

          Existing law:

          1. Requires any agency, person, or business that owns or  
             licenses computerized data that includes personal information  
             to disclose a breach of the security of the system to any  
             California resident whose unencrypted personal information  
             was, or is reasonably believed to have been, acquired by an  
             unauthorized person.  The disclosure must be made in the most  
             expedient time possible and without unreasonable delay,  
             consistent with the legitimate needs of law enforcement, as  

          2. Requires any agency, person, or business that maintains  
             computerized data that includes personal information that the  
             agency, person, or business does not own to notify the owner  
             or licensee of the information of any security breach  
             immediately following discovery if the personal information  
             was, or is reasonably believed to have been, acquired by an  
             unauthorized person.  

          3. Defines "personal information," for purposes of the breach  
             notification statute, to include the individual's first name  
             or first initial and last name in combination with one or  
             more of the following data elements, when either the name or  
             the data elements are not encrypted: social security number;  
             driver's license number or California Identification Card  
             number; account number, credit or debit card number, in  
             combination with any required security code, access code, or  
             password that permits access to an individual's financial  
             account; medical information; or health insurance  
             information.  "Personal information" does not include  
             publicly available information that is lawfully made  
             available to the general public from federal, state, or local  
             government records.  

          4. Provides that when an agency, person, or business is required  
             to issue a data security breach notification pursuant to the  
             above provisions, that notification must be written in plain  
             language and provide specified information, including: the  
             name and contact information of the reporting agency, person,  
             or business; the type of personal information that was the  
             subject of the breach; information about the timing and  
             nature of the breach; whether notification of the breach was  
             delayed as a result of a law enforcement investigation; and  
             contact information for the major credit reporting bureaus.   
             Specifies that the agency, person, or business may include  
             additional information that would be useful to the person in  
             taking steps to mitigate potential damages caused by the  

          5. Defines "local agency" as including a county; city, whether  
             general law or chartered; city and county; school district;  
             municipal corporation; district; political subdivision; or  
             any board, commission or agency thereof; other local public  
             agency; or entities that are legislative bodies of a local  
             agency, as specified.  

          This bill expands the above disclosure and notification  
          requirements to apply to a breach of computerized data that is  
          owned, licensed, or maintained by a local agency by defining the  
          term "agency" to include a local agency, as defined.

          This bill contains double-jointing language to prevent  
          chaptering out issues with SB 46 (Corbett).

          In 2003, California's first-in-the-nation security breach  
          notification law went into effect.  This law requires state  
          agencies and businesses to notify residents when the security of  
          their personal information, as defined, is breached.  Mandatory  
          notification ensures that residents are made aware of the  
          breach, allowing them to take appropriate action to mitigate or  
          prevent potential financial losses due to fraudulent activity,  
          as well as to limit the potential dissemination of personal  
          information.  Since its passage in 2003, all but four states  
          have enacted similar security breach notification laws, and  
          governments around the world are considering enacting such laws.  
          In the past year, "at least 13 states introduced security  
          breach notice legislation, many expanding the scope of laws,  
          setting additional requirements related to notification, or  
          changing penalties for those responsible for breaches."   
          (National Conference of State Legislatures, 2012 Security Breach  
          [as of June 15, 2013].)

          Although existing California law requires state agencies and  
          businesses to notify affected consumers when there is a breach  
          in the security of their information, the law does not place  
          similar requirements on local agencies.  This gap in the law  
          creates a unique problem when personal information owned or  
          licensed by a local governmental entity is compromised.  A data  
          breach that occurred in 2008 illustrates the nature of this  
          problem.  Early that year, computer equipment owned by  
          Systematic Automation, Inc., a data processing firm in  
          Fullerton, was stolen during a commercial burglary.  The stolen  
          equipment contained data files with more than 40,000 names,  
          addresses, and Social Security numbers of California residents.   
          (See Los Angeles Times, Department of Water and Power [DWP]  
          workers' financial data stolen [as of June 15, 2013]; Orange  
          County Register, 40,000 names, Social Security numbers on stolen  
          computer [as of June 15, 2013].)  Normally, a breach of this type  
          would trigger the breach notification provisions in current law  
          that apply to businesses.  However, some of the personal  
          information stolen pertained to 8,275 employees of the Los  
          Angeles DWP, including employee identification numbers and  
          deferred compensation balances.  For this subset of compromised  
          data, which was not owned or licensed by Systematic Automation  
          but was merely maintained on behalf of a local governmental  
          agency, the law requires that the non-owning business notify the  
          owner of the data, who then would normally make the required  
          security breach disclosures to affected California residents.   
          But because the owner in this case was a local governmental  
          agency, the duty to disclose under California's security breach  
          notification law was not triggered.  Although DWP did, indeed,  
          notify affected employees, its exemption from the security  
          breach notification law meant that any failure by the agency to  
          follow the standard imposed on state agencies and California  
          businesses would have left affected residents unknowingly in a  
          vulnerable position.

           Prior Legislation  

          AB 2455 (Campos, 2012) was identical to this bill, and would have  
          extended to local agencies the same data breach notification  
          requirements to which state agencies and California businesses  
          are already subject.  This bill died in the Assembly  
          Appropriations Committee.

          SB 24 (Simitian, Chapter 197, Statutes of 2011) amended  
          California's security breach notification law to provide that  
          any notification an agency, person, or business is required to  
          issue under existing law must be written in "plain language"  
          and must provide detailed information about the breach.

          AB 2362 (Keene, 2008) would have required an agency, when  
             collecting personal information from a resident, to provide  
          notice to the resident that his or her personal information is  
          being handled in a secure manner that guards against  
          unauthorized disclosure and, in the event of a breach of the  
          security of the system, to provide timely and appropriate  
          notice.  This bill died in the Senate Judiciary Committee.

          AB 1656 (Jones, 2008) would have required a person, business, or  
          agency that maintains personal information to include in a  
          breach notification to the owner or licensee of the information  
          a description of the categories of personal information that  
          were, or may have been, acquired, a toll-free or local telephone  
          number or e-mail address that individuals may use to contact the  
          agency, person, or business, and the telephone numbers and  
          addresses of the major credit reporting agencies.  This bill was  
          vetoed by the Governor.

          AB 1298 (Jones, Chapter 699, Statutes of 2007) amended  
          California's security breach notification law to add medical  
          information and health insurance information to the data  
          elements that, when combined with the individual's name, would  
          constitute personal information that would require disclosure  
          when acquired, or believed to be acquired, by an unauthorized  
          person due to a security breach.

          AB 2505 (Nunez, 2006) would have created the California  
          Information Security Response Team consisting of state  
          government officials for the purpose of centralizing the state  
          response to security breaches.  This bill failed passage on the  
          Senate Floor.

          SB 852 (Bowen, 2006) would have required that a security breach  
          notification be issued regardless of whether or not the data  
          breached was computerized.  The bill would also have required  
          notice to the Office of Privacy Protection.  This bill failed in  
          the Assembly Business and Professions Committee.

          SB 1279 (Bowen, 2004) was a similar bill to SB 852.  This bill  
          died on the Assembly Floor.

           FISCAL EFFECT  :    Appropriation:  No   Fiscal Com.:  Yes    
          Local:  Yes

          According to the Senate Appropriations Committee, unknown,  
          potentially significant state-reimbursable costs in the hundreds  
          of thousands to millions of dollars (General Fund) should the  
          mandated notification requirements on local agencies be  
          determined to constitute a state-reimbursable mandate by the  
          Commission on State Mandates.  There are over 1,000 school  
          districts, approximately 550 counties and cities, 340 local  
          police departments, 58 county sheriff departments, probation  
          departments, and an unknown number of local commissions and  
          boards.  At a minimum, local agencies would need to have a  
          protocol established in order to respond timely in the event of  
          a data breach.  Ongoing costs would be dependent on the  
          frequency and size of data breaches, and the process of  
          notification utilized by each local agency.  

           SUPPORT  :   (Verified  9/5/13)

          American Civil Liberties Union of California
          California Cable & Telecommunications Association
          California Federation of Teachers
          California Police Chiefs Association
          California Public Interest Research Group
          Consumer Federation of California
          Glendale City Employees Association
          Organization of Sacramento Municipal Utilities District  
          Privacy Rights Clearinghouse
          San Bernardino Public Employees Association
          San Luis Obispo County Employees Association
          Santa Rosa City Employees Association

           OPPOSITION  :    (Verified  9/5/13)

          Association of California Healthcare Districts
          California Association of Joint Powers Authorities
          California Special Districts Association
          California State Association of Counties
          League of California Cities
          Urban Counties Caucus

           ARGUMENTS IN SUPPORT  :    According to the author:

             AB 1149 applies the same notification requirements to local  
             governments that have existed for state government since  
             1977.  It is perfectly reasonable, and long overdue, that  
             county and city offices notify us when our personal data is  
             compromised so that we can protect ourselves. 

             Local government[al] agencies have some of our most  
             personal information - date of birth, social security  
             number, driver's license number, medical information, etc.   
             This is the type of personal information that identity  
             thieves thrive upon.  Identity theft was responsible for  
             more than $13.3 billion in financial losses in 2010 and can  
             take months and even years to wipe off your record. 

             If state agencies or private companies release your  
             personal information, regardless of how it occurs, they  
             must notify you so you can take steps to protect yourself  
             against identity theft.  Local agencies should be held to  
             the same standard.  AB 1149 accomplishes this.

           ARGUMENTS IN OPPOSITION  :    The groups in opposition state that  
          this bill could, "either in practice or precedent," subject  
          local agencies to other provisions of the Information Practices  
          Act of 1977, which could impose additional and potentially  
          costly new responsibilities on local agencies.  These groups  
          raise further concern about the potential operational impact  
          this bill could have. They note that local agencies are already  
          subject to federally imposed health information privacy  
          requirements under the federal Health Insurance Portability and  
          Accountability Act of 1996 (HIPAA), and can opt to design and  
          implement local procedures for the release of personal  
          information not governed by HIPAA.

           ASSEMBLY FLOOR  :  78-0, 5/29/13
          AYES:  Achadjian, Alejo, Allen, Ammiano, Atkins, Bigelow, Bloom,  
            Blumenfield, Bocanegra, Bonilla, Bonta, Bradford, Brown,  
            Buchanan, Ian Calderon, Campos, Chau, Chávez, Chesbro, Conway,  
            Cooley, Dahle, Daly, Dickinson, Donnelly, Eggman, Fong, Fox,  
            Frazier, Beth Gaines, Garcia, Gatto, Gomez, Gonzalez, Gordon,  
            Gorell, Gray, Grove, Hagman, Hall, Harkey, Roger Hernández,  
            Jones, Jones-Sawyer, Levine, Linder, Logue, Lowenthal,  
            Maienschein, Mansoor, Medina, Melendez, Mitchell, Morrell,  
            Mullin, Muratsuchi, Nazarian, Nestande, Olsen, Pan, Patterson,  
            Perea, V. Manuel Pérez, Quirk, Quirk-Silva, Rendon, Salas,  
            Skinner, Stone, Ting, Wagner, Waldron, Weber, Wieckowski,  
            Wilk, Williams, Yamada, John A. Pérez
          NO VOTE RECORDED:  Holden, Vacancy

          AL:d  9/5/13   Senate Floor Analyses 

                           SUPPORT/OPPOSITION:  SEE ABOVE

                                   ****  END  ****