BILL ANALYSIS
AB 1149
Page 1

CONCURRENCE IN SENATE AMENDMENTS
AB 1149 (Campos)
As Amended September 4, 2013
Majority vote

----------------------------------------------------------------------------
| ASSEMBLY: | 78-0 | (May 29, 2013) | SENATE: | 39-0 | (September 9, 2013) |
----------------------------------------------------------------------------

Original Committee Reference: L. GOV.

SUMMARY: Extends the provisions of the state's existing information privacy breach notice law to local public agencies. The Senate amendments add language to avoid chaptering out issues with SB 46 (Corbett) of the current legislative session.

FISCAL EFFECT: According to the Senate Appropriations Committee, unknown, potentially significant state-reimbursable costs in the hundreds of thousands to millions of dollars (General Fund) should the mandated notification requirements on local agencies be determined to constitute a state-reimbursable mandate by the Commission on State Mandates. There are over 1,000 school districts, approximately 550 counties and cities, 340 local police departments, 58 county sheriff departments, probation departments, and an unknown number of local commissions and boards. At a minimum, local agencies would need to have a protocol established in order to respond timely in the event of a data breach. Ongoing costs would be dependent on the frequency and size of data breaches, and the process of notification utilized by each local agency.

AS PASSED BY THE ASSEMBLY, this bill:

1) Applied the provisions of the state's existing information privacy breach notice law to local agencies.

2) Declared that if the Commission on State Mandates determines that this bill contains costs mandated by the state, reimbursement to local agencies and school districts for those costs shall be made pursuant to existing state law.

3) Made non-substantive, technical corrections.
COMMENTS: This bill extends the provisions of California's existing data breach notification law to local public agencies. This bill is sponsored by the author.

According to the author's office, "Local government agencies have some of our most personal information - date of birth, social security number, driver's license number, medical information, etc. This is the type of personal information that identity thieves thrive upon. Identity theft was responsible for more than $13.3 billion in financial losses in 2010 and can take months and even years to wipe off your record. AB 1149 applies the same notification requirements to local governments that have existed for state government since 1977. It is perfectly reasonable, and long overdue, that county and city offices notify us when our personal data is compromised so that we can protect ourselves."

The California Information Privacy Act of 1977 (Act) operationalizes the state constitutional guarantee of privacy by limiting the collection, management and dissemination of personal information by state agencies. That Act includes provisions requiring state agencies and private businesses to notify California residents if the agency or business believes an unauthorized person has accessed personalized data it holds.

California's data breach notification statute was based on the premise that individuals have a right to know when a data breach has occurred and affected them. If consumers are made aware that their personal information may have been compromised, they are able to take steps to protect themselves from fraud or identity theft. This requirement applies to state agencies. Local public agencies are exempt from these data-breach notification requirements.

The law requires state agencies that own or license electronic data that includes personal information to disclose to California residents when unencrypted data is believed to have been acquired by an unauthorized person.
The agency must make the disclosure expediently and without unreasonable delay, subject to the needs of law enforcement. The notice must be written in plain language and include the name and contact information of the agency, a list of the types of personal information compromised, time and date of the breach, length of any delays, a general description of the incident, and contact information for credit reporting agencies. The agency may also include information about the agency's response and advice on preventing fraud and identity theft after a breach. Notices going to more than 500 California residents must also be shared with the Office of the Attorney General.

Notice may take the form of a written notice, an electronic notice (as specified in federal law), or a substitute notice if the notification would cost more than $250,000, include more than 500,000 people, or if the agency does not have adequate contact information. The substitute notice must include email notice where possible, conspicuous posting on the agency's Internet Web site, and notification to major statewide media and the state Office of Information Security.

Agencies that maintain their own breach notification procedures for personal information, provide notice in compliance with those procedures, and otherwise comply with the timing requirements of current law are deemed to be in compliance with the law.

This bill would apply these same provisions to all local public agencies, which the bill defines to include the following: counties; cities (both general law and charter cities); cities and counties; school districts; municipal corporations; districts; political subdivisions; any board, commission or agency of the above-named entities; other local public agencies; and, specified entities that are legislative bodies of a local agency.

The extent of data breaches of local agency information is not definitively documented.
According to a list provided by the Privacy Rights Clearinghouse, about a dozen local agency data breaches have occurred since 2006.

The California State Association of Counties, the Urban Counties Caucus, the League of California Cities, and the California Special Districts Association have expressed concerns about the fiscal and operational impacts of this bill. They note that local agencies must comply with federal requirements under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) regarding the privacy of health information. They believe this bill's provisions could impact many departments within their agencies, particularly counties, and are concerned with the "potentially costly new responsibilities on local agencies at a time when we are challenged to deliver core public services given difficult fiscal conditions."

This bill is substantially similar to AB 2455 (Campos) of 2012, which was held in the Assembly Appropriations Committee.

Support arguments: Supporters argue that this bill "strengthens the state's consumer protections and ensures that consumers can continue entrusting their personal information to California's local agencies."

Opposition arguments: Opponents could argue that the need for this bill has not adequately been demonstrated and that more information regarding data breaches of local agency information should be gathered and documented before legislating in this arena.

Analysis Prepared by: Angela Mapp / L. GOV. / (916) 319-3958

FN: 0002456