BILL ANALYSIS �Ó
AB 1149
Page 1
CONCURRENCE IN SENATE AMENDMENTS
AB 1149 (Campos)
As Amended September 4, 2013
Majority vote
-----------------------------------------------------------------
|ASSEMBLY: |78-0 |(May 29, 2013) |SENATE: |39-0 |(September 9, |
| | | | | |2013) |
-----------------------------------------------------------------
Original Committee Reference: L. GOV.
SUMMARY : Extends the provisions of the state's existing
information privacy breach notice law to local public agencies.
The Senate amendments add language to avoid chaptering out
issues with SB 46 (Corbett) of the current legislative session.
FISCAL EFFECT : According to the Senate Appropriations
Committee, unknown, potentially significant state-reimbursable
costs in the hundreds of thousands to millions of dollars
(General Fund) should the mandated notification requirements on
local agencies be determined to constitute a state-reimbursable
mandate by the Commission on State Mandates. There are over
1,000 school districts, approximately 550 counties and cities,
340 local police departments, 58 county sheriff departments,
probation departments, and an unknown number of local
commissions and boards. At a minimum, local agencies would need
to have a protocol established in order to respond timely in the
event of a data breach. Ongoing costs would be dependent on the
frequency and size of data breaches, and the process of
notification utilized by each local agency.
AS PASSED BY THE ASSEMBLY , this bill:
1)Applied the provisions of the state's existing information
privacy breach notice law to local agencies.
2)Declared that if the Commission on State Mandates determines
that this bill contains costs mandated by the state,
reimbursement to local agencies and school districts for those
costs shall be made pursuant to existing state law.
3)Made non-substantive, technical corrections.
�
AB 1149
Page 2
COMMENTS : This bill extends the provisions of California's
existing data breach notification law to local public agencies.
This bill is sponsored by the author.
According to the author's office, "Local government agencies
have some of our most personal information - date of birth,
social security number, driver's license number, medical
information, etc. This is the type of personal information that
identity thieves thrive upon. Identity theft was responsible
for more than $13.3 billion in financial loses in 2010 and can
take months and even years to wipe off your record. AB 1149
applies the same notification requirements to local governments
that have existed for state government since 1977. It is
perfectly reasonable, and long overdue, that county and city
offices notify us when our personal data is compromised so that
we can protect ourselves."
The California Information Privacy Act of 1977 (Act)
operationalizes the state constitutional guarantee of privacy by
limiting the collection, management and dissemination of
personal information by state agencies. That Act includes
provisions requiring state agencies and private businesses to
notify California residents if the agency or business believes
an unauthorized person has accessed personalized data it holds.
California's data breach notification statute was based on the
premise that individuals have a right to know when a data breach
has occurred and affected them. If consumers are made aware
that their personal information may have been compromised, they
are able to take steps to protect themselves from fraud or
identity theft. This requirement applies to state agencies.
Local public agencies are exempt from these data-breach
notification requirements.
The law requires state agencies that own or license electronic
data that includes personal information to disclose to
California residents when unencrypted data is believed to have
been acquired by an unauthorized person. The agency must make
the disclosure expediently and without unreasonable delay,
subject to the needs of law enforcement. The notice must be
written in plain language and include the name and contact
information of the agency, a list of the types of personal
information compromised, time and date of the breach, length of
any delays, a general description of the incident, and contact
�
AB 1149
Page 3
information for credit reporting agencies. The agency may also
include information about the agency's response and advice on
preventing fraud and identity theft after a breach.
Notices going to more than 500 California residents must also be
shared with the Office of the Attorney General. Notice may take
the form of a written notice, an electronic notice (as specified
in federal law), or a substitute notice if the notification
would cost more than $250,000, include more than 500,000 people,
or if the agency does not have adequate contact information.
The substitute notice must include email notice where possible,
conspicuous posting on the agency's Internet Web site, and
notification to major statewide media and the state Office of
Information Security. Agencies that maintain their own breach
notification procedures for personal information, provide notice
in compliance with those procedures, and otherwise comply with
the timing requirements of current law are deemed to be in
compliance with the law.
This bill would apply these same provisions to all local public
agencies, which the bill defines to include the following:
counties; cities (both general law and charter cities); cities
and counties; school districts; municipal corporations;
districts; political subdivisions; any board, commission or
agency of the above-named entities; other local public agencies;
and, specified entities that are legislative bodies of a local
agency.
The extent of data breaches of local agency information is not
definitively documented. According to a list provided by the
Privacy Rights Clearinghouse, about a dozen local agency data
breaches have occurred since 2006.
The California State Association of Counties, the Urban Counties
Caucus, the League of California Cities, and the California
Special Districts Association have expressed concerns about the
fiscal and operational impacts of this bill. They note that
local agencies must comply with federal requirements under
Health Insurance Portability and Accountability Act of 1996
(HIPAA) regarding the privacy of health information. They
believe this bill's provisions could impact many departments
within their agencies, particularly counties, and are concerned
with the "potentially costly new responsibilities on local
agencies at a time when we are challenged to deliver core public
services given difficult fiscal conditions."
�
AB 1149
Page 4
This bill is substantially similar to AB 2455 (Campos) of 2012,
which was held in the Assembly Appropriations Committee.
Support arguments: Supporters argue that this bill "strengthens
the state's consumer protections and ensures that consumers can
continue entrusting their personal information to California's
local agencies."
Opposition arguments: Opponents could argue that the need for
this bill has not adequately been demonstrated and that more
information regarding data breaches of local agency information
should be gathered and documented before legislating in this
arena.
Analysis Prepared by : Angela Mapp / L. GOV. / (916) 319-3958
FN: 0002456