BILL ANALYSIS
AB 259
Page 1
Date of Hearing: March 25, 2015
ASSEMBLY COMMITTEE ON APPROPRIATIONS
Jimmy Gomez, Chair
AB 259 (Dababneh) - As Introduced February 9, 2015
-----------------------------------------------------------------
Policy Committee: Privacy and Consumer Protection      Vote: 11-0
-----------------------------------------------------------------
Urgency: No    State Mandated Local Program: No    Reimbursable: No
SUMMARY:
This bill requires a public agency that is the source of a data
breach and is required to give affected persons notice of the
breach to offer to provide at least 12 months of appropriate
identity theft prevention and mitigation services at no cost to
the affected persons if the breach exposed unencrypted social
security, driver's license, or California identification card
numbers.
FISCAL EFFECT:
Potentially significant, unabsorbable General Fund costs (in
excess of $150,000) if a security breach of sufficient magnitude
were to occur at an agency that holds substantial personal data.
COMMENTS:
1) Purpose. According to the author, this bill is intended to
provide persons affected by a state or local agency data
breach with at least 12 months of free identity theft
protection and mitigation services. Nearly identical identity
theft protection and mitigation service standards were enacted
last year in AB 1710 (Dickinson) with respect to private
businesses. The author contends extending those standards to
cover data breaches from state and local agencies would
enhance consumer protections.
2) Background. There have been several high-profile data
breaches in recent years, including several breaches at major
retailers, and more recently the February 2015 breach at
health insurer Anthem. These data breaches are increasing
both in frequency and scope, with the California Attorney
General reporting a record number of incidents in 2014, and
the Anthem breach alone having compromised 80 million records.
Several state and local agencies also suffered data breaches
in recent years, including at least 10 significant incidents
of data breach among state agencies during 2012-2014. AB 259
is intended to extend the identity theft protection and
mitigation service requirements currently in place for private
businesses to data breaches by state and local agencies.
3) Appropriate services, if any. The operative requirement in AB
259 has been duplicated from AB 1710, which requires an
offending agency to "...offer to provide appropriate identity
theft prevention and mitigation services, if any..." Following
the passage of AB 1710, this language gave rise to the
following questions of interpretation: (i) must an offer
always be made, and (ii) what constitutes "appropriate"
identity theft prevention and mitigation services?
The first question stems from whether the qualification "if
any" is intended to modify the services being offered, or
qualify whether an offer must be made in every circumstance.
Presumably, the intent behind AB 1710 was that an offer must
be made to provide appropriate remedial services if any such
services exist. Some legal commentators have suggested,
however, that the "if any" addition could be read to qualify
the offer requirement, meaning an offending business would
have discretion in deciding whether to offer remedial services
following a breach.
The second question relates to the undefined standard of
"appropriate" remedial services, and what type or amount of
services would be deemed appropriate in different
circumstances. Services offered voluntarily by private
businesses often include credit report monitoring services,
"freezing" a person's credit report to prevent unauthorized
credit applications, and identity theft insurance. However,
it remains unresolved whether these measures are always
appropriate under the new legal requirement, whether they
would be appropriate in every circumstance, and, in this case,
whether they would be appropriate for a government agency.
Though these are open questions, there remains some value in
patterning AB 259 after AB 1710, as the two provisions will
hopefully be resolved together. However, it seems likely the
first major breach for which enforcement is sought under
either provision will require a court to settle the above
questions of statutory interpretation.
Analysis Prepared by: Joel Tashjian / APPR. / (916) 319-2081