BILL ANALYSIS

AB 259
Page 1

ASSEMBLY THIRD READING
AB 259 (Dababneh)
As Introduced February 9, 2015
Majority vote

 -------------------------------------------------------------------
|Committee       |Votes |Ayes                |Noes                  |
|----------------+------+--------------------+----------------------|
|Privacy         |11-0  |Gatto, Wilk, Baker, |                      |
|                |      |Calderon, Chang,    |                      |
|                |      |Chau, Cooper,       |                      |
|                |      |Dababneh, Dahle,    |                      |
|                |      |Gordon, Low         |                      |
|----------------+------+--------------------+----------------------|
|Appropriations  |17-0  |Gomez, Bigelow,     |                      |
|                |      |Bonta, Calderon,    |                      |
|                |      |Chang, Daly,        |                      |
|                |      |Eggman, Gallagher,  |                      |
|                |      |Eduardo Garcia,     |                      |
|                |      |Gordon, Holden,     |                      |
|                |      |Jones, Quirk,       |                      |
|                |      |Rendon, Wagner,     |                      |
|                |      |Weber, Wood         |                      |
 -------------------------------------------------------------------

SUMMARY: Requires a public agency that is the source of a data breach to offer at least 12 months of identity theft prevention and mitigation services at no cost to affected consumers. Specifically, this bill:

1) Requires a public agency that is the source of a data breach and is required to provide affected persons with notice of the breach to provide at least 12 months of appropriate identity theft prevention and mitigation services at no cost to the affected persons.

2) Requires a public agency to give affected persons all information necessary to take advantage of the offer for identity theft prevention and mitigation services.

3) Requires a public agency to offer identity theft prevention and mitigation services only if the breach exposed, or may have exposed, a person's name in combination with a Social Security number or a driver's license number.

4) Requires a public agency that delays the specified notification at the direction of law enforcement to make the notification promptly after a law enforcement agency determines that notification will not compromise any criminal investigation.

5) Makes other technical and nonsubstantive amendments.

FISCAL EFFECT: According to the Assembly Appropriations Committee, potentially significant, unabsorbable General Fund costs, likely in the millions of dollars, if a security breach of sufficient magnitude were to occur at an agency that holds substantial personal data.

COMMENTS:

1) Purpose of this bill. This bill is intended to provide individuals affected by a state or local agency data breach with at least 12 months of identity theft protection for free. While existing law already requires any private business responsible for a significant breach to offer at least 12 months of identity theft prevention and mitigation services, no such requirement exists for public agencies. This bill would extend these protections to include state and local agencies. This measure is author-sponsored.

2) Author's statement. According to the author's office, "Whether a data breach occurs at a state agency or a business, the same standards should be in place to protect consumers. A breach resulting in the release of Social Security or driver license numbers can lead to identity theft, forcing consumers to monitor their personal information for years to come."

3) Recent data breaches. More than 80 million people in the United States were impacted by the February 2015 data breach at health insurer Anthem. Information stolen in the breach included current and former customers' names, birth dates, medical identification numbers, Social Security numbers, home addresses, email addresses, and employment and income data.

4) During 2012 to 2014, the following California public agencies reported breaches: California State University, Department of Corrections and Rehabilitation, Department of Public Health, Department of State Hospitals, Correctional Health Care Services, Department of Social Services, Department of Justice, Department of Child Support Services, Employment Development Department, and the Department of Motor Vehicles.

Analysis Prepared by: Jennie Bretschneider / P. & C.P. / (916) 319-2200

FN: 0000586