BILL ANALYSIS                                                                                                                                                                                                    

                                                                  AB 1149
                                                                  Page  1

          AB 1149 (Campos)
          As Amended  September 4, 2013
          Majority vote
          |ASSEMBLY:  |78-0 |(May 29, 2013)  |SENATE: |39-0 |(September 9,  |
          |           |     |                |        |     |2013)          |
           Original Committee Reference:    L. GOV.  

           SUMMARY  :  Extends the provisions of the state's existing  
          information privacy breach notice law to local public agencies.   

           The Senate amendments  add language to avoid chaptering out  
          issues with SB 46 (Corbett) of the current legislative session.

           FISCAL EFFECT  :  According to the Senate Appropriations  
          Committee, unknown, potentially significant state-reimbursable  
          costs in the hundreds of thousands to millions of dollars  
          (General Fund) should the mandated notification requirements on  
          local agencies be determined to constitute a state-reimbursable  
          mandate by the Commission on State Mandates.  There are over  
          1,000 school districts, approximately 550 counties and cities,  
          340 local police departments, 58 county sheriff departments,  
          probation departments, and an unknown number of local  
          commissions and boards.  At a minimum, local agencies would need  
          to have a protocol established in order to respond timely in the  
          event of a data breach.  Ongoing costs would be dependent on the  
          frequency and size of data breaches, and the process of  
          notification utilized by each local agency.  

          AS PASSED BY THE ASSEMBLY  , this bill:

          1)Applied the provisions of the state's existing information  
            privacy breach notice law to local agencies.

          2)Declared that if the Commission on State Mandates determines  
            that this bill contains costs mandated by the state,  
            reimbursement to local agencies and school districts for those  
            costs shall be made pursuant to existing state law.

          3)Made non-substantive, technical corrections.


                                                                  AB 1149
                                                                  Page  2

          COMMENTS  :  This bill extends the provisions of California's  
          existing data breach notification law to local public agencies.   
          This bill is sponsored by the author.

          According to the author's office, "Local government agencies  
          have some of our most personal information - date of birth,  
          social security number, driver's license number, medical  
          information, etc.  This is the type of personal information that  
          identity thieves thrive upon.  Identity theft was responsible  
          for more than $13.3 billion in financial loses in 2010 and can  
          take months and even years to wipe off your record.  AB 1149  
          applies the same notification requirements to local governments  
          that have existed for state government since 1977.  It is  
          perfectly reasonable, and long overdue, that county and city  
          offices notify us when our personal data is compromised so that  
          we can protect ourselves."

          The California Information Privacy Act of 1977 (Act)  
          operationalizes the state constitutional guarantee of privacy by  
          limiting the collection, management and dissemination of  
          personal information by state agencies.  That Act includes  
          provisions requiring state agencies and private businesses to  
          notify California residents if the agency or business believes  
          an unauthorized person has accessed personalized data it holds.

          California's data breach notification statute was based on the  
          premise that individuals have a right to know when a data breach  
          has occurred and affected them.  If consumers are made aware  
          that their personal information may have been compromised, they  
          are able to take steps to protect themselves from fraud or  
          identity theft.  This requirement applies to state agencies.   
          Local public agencies are exempt from these data-breach  
          notification requirements.

          The law requires state agencies that own or license electronic  
          data that includes personal information to disclose to  
          California residents when unencrypted data is believed to have  
          been acquired by an unauthorized person.  The agency must make  
          the disclosure expediently and without unreasonable delay,  
          subject to the needs of law enforcement.  The notice must be  
          written in plain language and include the name and contact  
          information of the agency, a list of the types of personal  
          information compromised, time and date of the breach, length of  
          any delays, a general description of the incident, and contact  


                                                                  AB 1149
                                                                  Page  3

          information for credit reporting agencies.  The agency may also  
          include information about the agency's response and advice on  
          preventing fraud and identity theft after a breach. 

          Notices going to more than 500 California residents must also be  
          shared with the Office of the Attorney General.  Notice may take  
          the form of a written notice, an electronic notice (as specified  
          in federal law), or a substitute notice if the notification  
          would cost more than $250,000, include more than 500,000 people,  
          or if the agency does not have adequate contact information.   
          The substitute notice must include email notice where possible,  
          conspicuous posting on the agency's Internet Web site, and  
          notification to major statewide media and the state Office of  
          Information Security.  Agencies that maintain their own breach  
          notification procedures for personal information, provide notice  
          in compliance with those procedures, and otherwise comply with  
          the timing requirements of current law are deemed to be in  
          compliance with the law. 

          This bill would apply these same provisions to all local public  
          agencies, which the bill defines to include the following:   
          counties; cities (both general law and charter cities); cities  
          and counties; school districts; municipal corporations;  
          districts; political subdivisions; any board, commission or  
          agency of the above-named entities; other local public agencies;  
          and, specified entities that are legislative bodies of a local  

          The extent of data breaches of local agency information is not  
          definitively documented.  According to a list provided by the  
          Privacy Rights Clearinghouse, about a dozen local agency data  
          breaches have occurred since 2006.

          The California State Association of Counties, the Urban Counties  
          Caucus, the League of California Cities, and the California  
          Special Districts Association have expressed concerns about the  
          fiscal and operational impacts of this bill.  They note that  
          local agencies must comply with federal requirements under  
          Health Insurance Portability and Accountability Act of 1996  
          (HIPAA) regarding the privacy of health information.  They  
          believe this bill's provisions could impact many departments  
          within their agencies, particularly counties, and are concerned  
          with the "potentially costly new responsibilities on local  
          agencies at a time when we are challenged to deliver core public  
          services given difficult fiscal conditions."


                                                                  AB 1149
                                                                  Page  4

          This bill is substantially similar to AB 2455 (Campos) of 2012,  
          which was held in the Assembly Appropriations Committee.
          Support arguments:  Supporters argue that this bill "strengthens  
          the state's consumer protections and ensures that consumers can  
          continue entrusting their personal information to California's  
          local agencies."

          Opposition arguments:  Opponents could argue that the need for  
          this bill has not adequately been demonstrated and that more  
          information regarding data breaches of local agency information  
          should be gathered and documented before legislating in this  

          Analysis Prepared by  :    Angela Mapp / L. GOV. / (916) 319-3958 

                                                               FN: 0002456