BILL ANALYSIS
SENATE COMMITTEE ON APPROPRIATIONS
Senator Ricardo Lara, Chair
2015 - 2016 Regular Session
AB 259 (Dababneh) - Personal information: privacy
Version: February 9, 2015          Policy Vote: JUD. 6 - 0
Urgency: No                        Mandate: No
Hearing Date: August 17, 2015      Consultant: Jolie Onodera
This bill meets the criteria for referral to the Suspense File.
Bill Summary: AB 259 would require a state or local agency, if the
agency was the source of a data breach that compromised
specified personal information of a person, to offer to provide
appropriate identity theft prevention and mitigation services at
no cost to the affected person for not less than 12 months, as
specified.
Fiscal Impact:
Potential major costs in the tens to hundreds of millions of
dollars (General Fund), depending on the scope of a data
breach to any of various state agencies, including but not
limited to the Department of Motor Vehicles (DMV), Employment
Development Department (EDD), and the Department of Consumer
Affairs (DCA), for the provision of credit monitoring services
in the event of a data breach. Even one event affecting
100,000 individuals could result in potential costs of $12
million to $36 million (General Fund) to provide credit
monitoring services for one year. For context, the DMV has
indicated custody of over 27 million records containing
personal identifying information.
Potential major non-reimbursable costs in the tens of millions
of dollars (Local Funds) to local agencies to provide credit
monitoring services to individuals impacted by data breaches.
Costs would be dependent on the frequency of data breaches,
the number of individuals impacted, and the time period for
which services are provided.
Background: Under existing law, any state or local agency, person, or
business that conducts business in the state, and that owns,
licenses, or maintains computerized data that includes personal
information, is required to disclose any breach of the security
of the system, following discovery or notification of the breach
in the security of the data, to any resident of California whose
unencrypted personal information was, or is reasonably believed to
have been, acquired by an unauthorized person. Existing law specifies
the timing and manner in which the disclosure is required to be
made, as well as the specific information to be included in the
security breach notification.
Under recently enacted legislation, AB 1710 (Dickinson) Chapter
855/2014, upon a data breach that compromises a person's first
name or first initial and last name, along with his or her
social security number, driver's license number, or California
identification card number, a person or business is required to
offer to provide appropriate identity theft prevention and
mitigation services to an affected person at no cost for at
least 12 months if the person or business was the source of the
data breach.
This bill seeks to extend the same requirement on state and
local agencies that are the source of a data breach.
Proposed Law:
This bill would require a state or local agency that was the
source of a data breach to offer to provide appropriate identity
theft prevention and mitigation services, if any, at no cost to
the affected person for not less than 12 months, along with all
information necessary to take advantage of the offer, to any
person whose information was or may have been breached, if the
breach exposed an individual's first name or first initial and
last name along with his or her social security number, driver's
license number, or California identification card number.
Related Legislation: AB 1710 (Dickinson) Chapter 855/2014 requires a
person or business to offer appropriate identity theft
prevention and mitigation services to an affected person at no
cost for not less than 12 months if the person or business was
the source of the data breach, as specified.
Staff Comments: To the extent a data breach of specified personal
information occurs, the provisions of this bill could result in
substantial costs to various state and local agencies that
retain the specified personal data of individuals potentially
subject to data breach notification and the provision of
identity theft prevention services as required.
Based on information surveyed from credit monitoring services,
bulk enrollment costs for credit monitoring services in which
the vendor is provided with a complete list of individuals at
once from the breached entity generally range from $10 to $30
per month per person ($120 to $360 per year per person),
depending on the type of monitoring package offered by the
vendor.
For context, numerous state departments retain personal
information potentially subject to the provisions of this bill
including, but not limited to the Department of Motor Vehicles
(27 million records), the Employment Development Department (14
million records), the Department of Veterans Affairs (over 1.6
million records), and the Department of Consumer Affairs (over 3
million records). The number of individuals potentially impacted
by this bill is in excess of the tens of millions. To the extent
even one data breach occurs, significant costs would likely be
incurred by these agencies, the magnitude of which would be
dependent on the number of records impacted, the number of
individuals affected who accept the offered services, and the
duration of services provided.
For every 100,000 individuals whose personal data is
compromised, annual costs could range from $12 million to $36
million (General Fund) to provide services for 12 months.
Moreover, coordinating the administration of the provisions of
this bill would likely require additional resources for the
development of an implementation plan and guidelines, as well as
ongoing workload to respond to inquiries.
-- END --