BILL ANALYSIS �Ó
-----------------------------------------------------------------
|SENATE RULES COMMITTEE | AB 1149|
|Office of Senate Floor Analyses | |
|1020 N Street, Suite 524 | |
|(916) 651-1520 Fax: (916) | |
|327-4478 | |
-----------------------------------------------------------------
THIRD READING
Bill No: AB 1149
Author: Campos (D)
Amended: 9/4/13 in Senate
Vote: 21
SENATE JUDICIARY COMMITTEE : 7-0, 6/25/13
AYES: Evans, Walters, Anderson, Corbett, Jackson, Leno, Monning
SENATE APPROPRIATIONS COMMITTEE : 7-0, 8/30/13
AYES: De León, Walters, Gaines, Hill, Lara, Padilla, Steinberg
ASSEMBLY FLOOR : 78-0, 5/29/13 - See last page for vote
SUBJECT : Identity theft: local agencies
SOURCE : Author
DIGEST : This bill extends existing data breach disclosure
requirements, currently applicable to any state agency, person
or business, to local agencies.
Senate Floor Amendments of 9/4/13 add double-jointing provisions
to prevent chaptering out issues with SB 46 (Corbett).
ANALYSIS :
Existing law:
1. Requires any agency, person, or business that owns or
licenses computerized data that includes personal information
CONTINUED
�
AB 1149
Page
2
to disclose a breach of the security of the system to any
California resident whose unencrypted personal information
was, or is reasonably believed to have been, acquired by an
unauthorized person. The disclosure must be made in the most
expedient time possible and without unreasonable delay,
consistent with the legitimate needs of law enforcement, as
specified.
2. Requires any agency, person, or business that maintains
computerized data that includes personal information that the
agency, person, or business does not own to notify the owner
or licensee of the information of any security breach
immediately following discovery if the personal information
was, or is reasonably believed to have been, acquired by an
unauthorized person.
3. Defines "personal information," for purposes of the breach
notification statute, to include the individual's first name
or first initial and last name in combination with one or
more of the following data elements, when either the name or
the data elements are not encrypted: social security number;
driver's license number or California Identification Card
number; account number, credit or debit card number, in
combination with any required security code, access code, or
password that permits access to an individual's financial
account; medical information; or health insurance
information. "Personal information" does not include
publicly available information that is lawfully made
available to the general public from federal, state, or local
government records.
4. Provides that when an agency, person, or business is required
to issue a data security breach notification pursuant to the
above provisions, that notification must be written in plain
language and provide specified information, including: the
name and contact information of the reporting agency, person,
or business; the type of personal information that was the
subject of the breach; information about the timing and
nature of the breach; whether notification of the breach was
delayed as a result of a law enforcement investigation; and
contact information for the major credit reporting bureaus.
Specifies that the agency, person, or business may include
additional information that would be useful to the person in
taking steps to mitigate potential damages caused by the
CONTINUED
�
AB 1149
Page
3
breach.
5. Defines "local agency" as including a county; city, whether
general law or chartered; city and county; school district;
municipal corporation; district; political subdivision; or
any board, commission or agency thereof; other local public
agency; or entities that are legislative bodies of a local
agency, as specified.
This bill expands the above disclosure and notification
requirements to apply to a breach of computerized data that is
owned, licensed, or maintained by a local agency by defining the
term "agency" to include a local agency, as defined.
This bill contains double-jointing language to prevent
chaptering out issues with SB 46 (Corbett).
Background
In 2003, California's first-in-the nation security breach
notification law went into effect. This law requires state
agencies and businesses to notify residents when the security of
their personal information, as defined, is breached. Mandatory
notification ensures that residents are made aware of the
breach, allowing them to take appropriate action to mitigate or
prevent potential financial losses due to fraudulent activity,
as well as to limit the potential dissemination of personal
information. Since its passage in 2003, all but four states
have enacted similar security breach notification laws, and
governments around the world are considering enacting such laws.
In the past year, "at least 13 states introduced security
breach notice legislation, many expanding the scope of laws,
setting additional requirements related to notification, or
changing penalties for those responsible for breaches."
(National Conference of State Legislatures, 2012 Security Breach
Legislation
[as of June 15, 2013].)
Although existing California law requires state agencies and
businesses to notify affected consumers when there is a breach
in the security of their information, the law does not place
similar requirements on local agencies. This gap in the law
creates a unique problem when personal information owned or
CONTINUED
�
AB 1149
Page
4
licensed by a local governmental entity is compromised. A data
breach that occurred in 2008 illustrates the nature of this
problem. Early that year, computer equipment owned by
Systematic Automation, Inc., a data processing firm in
Fullerton, was stolen during a commercial burglary. The stolen
equipment contained data files with more than 40,000 names,
addresses, and Social Security numbers of California residents.
(See Los Angeles Times, Department of Water and Power [DWP]
workers' financial data stolen
[as of June 15, 2013]; Orange County Register, 40,000 names,
Social Security numbers on stolen computer
[as of June 15, 2013].) Normally, a breach of this type
would trigger the breach notification provisions in current law
that apply to businesses. However, some of the personal
information stolen pertained to 8,275 employees of the Los
Angeles DWP, including employee identification numbers and
deferred compensation balances. For this subset of compromised
data, which was not owned or licensed by Systematic Automation
but was merely maintained on behalf of a local governmental
agency, the law requires that the non-owning business notify the
owner of the data, who then would normally make the required
security breach disclosures to affected California residents.
But because the owner in this case was a local governmental
agency, the duty to disclose under California's security breach
notification law was not triggered. Although DPW did, indeed,
notify affected employees, it's exemption from the security
breach notification law meant that any failure by the agency to
follow the standard imposed on state agencies and California
businesses would have left affected residents unknowingly in a
vulnerable position.
Prior Legislation
AB 2455 (Campos, 2012) was identical this bill, and would have
extended to local agencies the same data breach notification
requirements to which state agencies and California businesses
are already subject. This bill died in the Assembly
Appropriations Committee.
SB 24 (Simitian, Chapter 197, Statutes of 2011) amended
California's security breach notification law to provide that
any agency, person, or business required to issue a notification
CONTINUED
�
AB 1149
Page
5
under existing law must be written in "plain language" and must
provide detailed information about the breach.
AB 2362 (Keene, 2008) would have required an agency, when
collecting personal information from a resident to provide
notice to the resident that his or her personal information is
being handled in a secure manner that guards against
unauthorized disclosure and, in the event of a breach of the
security of the system, to provide timely and appropriate
notice. This bill died in the Senate Judiciary Committee.
AB 1656 (Jones, 2008) would have required a person, business, or
agency that maintains personal information to include in a
breach notification to the owner or licensee of the information
a description of the categories of personal information that
were, or may have been, acquired, a toll-free or local telephone
number or e-mail address that individuals may use to contact the
agency, person, or business, and the telephone numbers and
addresses of the major credit reporting agencies. This bill was
vetoed by the Governor.
AB 1298 (Jones, Chapter 699, Statutes of 2007) amended
California's security breach notification law to add medical
information and health insurance information to the data
elements that, when combined with the individual's name, would
constitute personal information that would require disclosure
when acquired, or believed to be acquired, by an unauthorized
person due to a security breach.
AB 2505 (Nunez, 2006) would have created the California
Information Security Response Team consisting of state
government officials for the purpose of centralizing the state
response to security breaches. This bill failed passage on the
Senate Floor.
SB 852 (Bowen, 2006) would have required that a security breach
notification be issued regardless of whether or not the data
breached was computerized. The bill would also have required
notice to the Office of Privacy Protection. This bill failed in
the Assembly Business and Professions Committee.
SB 1279 (Bowen, 2004) was a similar bill to SB 852. This bill
died on the Assembly Floor.
CONTINUED
�
AB 1149
Page
6
FISCAL EFFECT : Appropriation: No Fiscal Com.: Yes
Local: Yes
According to the Senate Appropriations Committee, unknown,
potentially significant state-reimbursable costs in the hundreds
of thousands to millions of dollars (General Fund) should the
mandated notification requirements on local agencies be
determined to constitute a state-reimbursable mandate by the
Commission on State Mandates. There are over 1,000 school
districts, approximately 550 counties and cities, 340 local
police departments, 58 county sheriff departments, probation
departments, and an unknown number of local commissions and
boards. At a minimum, local agencies would need to have a
protocol established in order to respond timely in the event of
a data breach. Ongoing costs would be dependent on the
frequency and size of data breaches, and the process of
notification utilized by each local agency.
SUPPORT : (Verified 9/5/13)
American Civil Liberties Union of California
California Cable & Telecommunications Association
California Federation of Teachers
California Police Chiefs Association
California Public Interest Research Group
Consumer Federation of California
Glendale City Employees Association
Organization of Sacramento Municipal Utilities District
Employees
Privacy Rights Clearinghouse
San Bernardino Public Employees Association
San Luis Obispo County Employees Association
Santa Rosa City Employees Association
OPPOSITION : (Verified 9/5/13)
Association of California Healthcare Districts
California Association of Joint Powers Authorities
California Special Districts Association
California State Association of Counties
League of California Cities
Urban Counties Caucus
ARGUMENTS IN SUPPORT : According to the author:
CONTINUED
�
AB 1149
Page
7
AB 1149 applies the same notification requirements to local
governments that have existed for state government since
1977. It is perfectly reasonable, and long overdue, that
county and city offices notify us when our personal data is
compromised so that we can protect ourselves.
Local government[al] agencies have some of our most
personal information - date of birth, social security
number, driver's license number, medical information, etc.
This is the type of personal information that identity
thieves thrive upon. Identity theft was responsible for
more than $13.3 billion in financial loses in 2010 and can
take months and even years to wipe off your record.
If state agencies or private companies release your
personal information, regardless of how it occurs, they
must notify you so you can take steps to protect yourself
against identity theft. Local agencies should be held to
the same standard. AB 1149 accomplishes this.
ARGUMENTS IN OPPOSITION : The groups in opposition state that
this bill could, "either in practice or precedent," subject
local agencies to other provisions of the Information Practices
Act of 1977, which could impose additional and potentially
costly new responsibilities on local agencies. These groups
raise further concern about the potential operational impact
this bill could have. They note that local agencies are already
subject to federally imposed health information privacy
requirements under the federal Health Insurance Portability and
Accountability Act of 1996 (HIPPA), and can opt to design and
implement local procedures for the release of personal
information not governed by HIPPA.
ASSEMBLY FLOOR : 78-0, 5/29/13
AYES: Achadjian, Alejo, Allen, Ammiano, Atkins, Bigelow, Bloom,
Blumenfield, Bocanegra, Bonilla, Bonta, Bradford, Brown,
Buchanan, Ian Calderon, Campos, Chau, Chávez, Chesbro, Conway,
Cooley, Dahle, Daly, Dickinson, Donnelly, Eggman, Fong, Fox,
Frazier, Beth Gaines, Garcia, Gatto, Gomez, Gonzalez, Gordon,
Gorell, Gray, Grove, Hagman, Hall, Harkey, Roger Hernández,
Jones, Jones-Sawyer, Levine, Linder, Logue, Lowenthal,
Maienschein, Mansoor, Medina, Melendez, Mitchell, Morrell,
Mullin, Muratsuchi, Nazarian, Nestande, Olsen, Pan, Patterson,
CONTINUED
�
AB 1149
Page
8
Perea, V. Manuel Pérez, Quirk, Quirk-Silva, Rendon, Salas,
Skinner, Stone, Ting, Wagner, Waldron, Weber, Wieckowski,
Wilk, Williams, Yamada, John A. Pérez
NO VOTE RECORDED: Holden, Vacancy
AL:d 9/5/13 Senate Floor Analyses
SUPPORT/OPPOSITION: SEE ABOVE
**** END ****
CONTINUED