BILL ANALYSIS
SB 272 Page 1
Date of Hearing: June 30, 2015
ASSEMBLY COMMITTEE ON JUDICIARY
Mark Stone, Chair
SB 272 (Hertzberg) - As Amended June 25, 2015
SENATE VOTE: 37-0
SUBJECT: The California Public Records Act: local agencies: inventory
KEY ISSUES:
1) Should a local agency, other than a school district, be required to create, post online, and annually update a catalog of the systems that it uses to collect and manage data?
2) Do the benefits of this bill justify the potential costs to local agencies and the risk, however small, that posting vendor and product details could expose system vulnerabilities?
3) Given that the purpose of the Public Records Act is to promote access to existing documents, as opposed to requiring the creation of new documents, should this bill be codified somewhere other than in the Public Records Act?
SYNOPSIS
The bill, according to the author, is intended to be a "first step" in a more ambitious effort to bring the data management practices of local governments into the digital age and provide government, business, and private citizens with open access to a growing body of government-collected information. Specifically, this bill would require a local agency, other than a school district, to create a "catalog" of all information technology systems that it uses to manage data. The bill does not require the disclosure of particular records or data sets; rather, it requires a local agency to essentially make an inventory and, based on this inventory, create and post online a catalog of its data management systems, hardware, and software applications. The catalog would include specified pieces of information, including the identity of the system vendor and system product. The author hopes that this catalog will provide the state with an inventory of the systems currently used by local agencies, so as to better plan and facilitate the development of more open, accessible, integrated, and modern data management systems.
The bill is supported by a broad coalition of business and labor groups who believe that easily accessible and open data will spur economic growth and improve government services. The bill is opposed by the local agencies that would be required by the bill to create these catalogs. Opponents argue that the costs of creating these catalogs will exceed the benefits; that the bill is vague about what "systems" local agencies must include in the catalog; that revealing vendors, products, and custodians of data in the catalog could expose system vulnerabilities and increase security threats; and that the measure imposes a mandate on local government but avoids state reimbursement by inserting the requirement in the Public Records Act. As noted in the analysis, many areas of concern about the bill remain, but may be resolvable. However, because the author and stakeholders have been unable to reach agreement on these concerns, the Committee encourages the author to continue working with the opposition. The bill will be heard in the Assembly Local Government Committee should it pass out of this Committee.
SUMMARY: Requires a local agency to create a catalog of information technology systems, as defined, and to make the catalog publicly accessible, as specified. Specifically, this bill:
1) Makes legislative findings and declarations relating to the changing manner in which government data is gathered and maintained; the greater use and volume of electronic data; and the need to make this data accessible in a manner consistent with the California Public Records Act.
2) Requires a local agency to create a catalog of its information technology systems, as defined, and to make that catalog publicly available upon request in the office of the clerk of the agency's legislative body. Requires the local agency to post the catalog in a prominent location on its Internet Web site, if the agency has a Website.
3) Requires the catalog to disclose a list of the information technology systems used by the agency and, for each system, disclose all of the following:
a) Current system vendor.
b) Current system product.
c) A brief statement of the system's purpose.
d) A general description of categories and types of system data.
e) The department that serves as the primary custodian of system data.
f) How frequently system data is collected and updated.
4) Defines "information technology systems" to mean hardware and software that collect, store, exchange, and analyze information that the agency uses. However, "information technology system" shall not include any of the following:
a) Information technology security systems, including firewalls and other cybersecurity systems.
b) Systems that would be restricted from disclosure under Government Code Section 6254.19, which generally exempts from disclosure any record that would expose the vulnerabilities of an information technology system of a public agency.
c) The specific records that the information technology system collects, stores, exchanges, or analyzes.
5) Requires local agencies to complete the catalog required by this bill, and post it online, no later than July 1, 2016; thereafter, the agency shall update the catalog annually.
EXISTING LAW:
1) Provides, under the Public Records Act, that all public agency records are open to public inspection upon request, unless the records are otherwise exempt from public disclosure. (Government Code Section 6250 et seq. All further statutory references are to this code, unless otherwise indicated.)
2) Requires a public agency to make non-exempt electronic public records available to the public in any electronic format in which it holds the information or, if requested, in an electronic format used by the agency to create copies for its own or other agency's use. However, a public agency is not required to release an electronic record in an electronic form if its release would jeopardize or compromise the security or integrity of the original record or of any proprietary software in which it is maintained. (Section 6253.9.)
3) Provides that nothing in the Public Records Act shall be construed to require the disclosure of an information security record of a public agency, if, on the facts of the particular case, disclosure of that record would reveal vulnerabilities to, or otherwise increase the potential for an attack on, an information technology system of a public agency. (Section 6254.19.)
FISCAL EFFECT: As currently in print this bill is keyed fiscal.
COMMENTS: California's Public Records Act (PRA) requires that the documents and "writings" of a public agency be open and available for public inspection, unless they are exempt from disclosure. (Sections 6250-6270.) The PRA is premised on the principle that "access to information concerning the conduct of the people's business is a fundamental and necessary right of every person in this state." A "public record" is defined to mean "any writing containing information relating to the conduct of the public's business prepared, owned, used, or retained by any state or local agency regardless of physical form or characteristics." A "writing" is defined, in turn, to include any "handwriting, typewriting, printing, photostating, photographing, photocopying, transmitting by electronic mail or facsimile, and every other means of recording upon any tangible thing any form of communication or representation, including letters, words, pictures, sounds, or symbols, or combinations thereof, and any record thereby created, regardless of the manner in which the record has been stored." (Sections 6250-6252.)
Public Record Access in the Digital Age.
Since the PRA was enacted in 1968, public agencies have increasingly created and maintained records in electronic formats that can be searched, indexed, copied, downloaded, and analyzed in countless and creative ways. Reflecting this new reality, AB 2799 (Chapter 982, Statutes of 2000) required local agencies to disclose non-exempt electronic records, where they existed, in an electronic format, so long as doing so would not compromise the integrity of the record. Importantly, AB 2799 clarified that "Nothing in this section shall be construed to require the public agency to reconstruct a record in an electronic format if the agency no longer has the record available in an electronic format." (Section 6253.9(c).)
Similar efforts to promote disclosure of electronic records have occurred at the federal level. For example, in 2012 President Obama signed a U.S. Office of Management and Budget memorandum directing federal agencies to publish information online and in formats that can be easily accessed, searched, and downloaded online using common browsers and search engines. The executive memorandum declares that "by December 31, 2019, all permanent electronic records in Federal agencies will be managed electronically to the fullest extent possible for eventual transfer [to the National Archives and Records Administration] in an electronic format." (See OMB, Memorandum M-12-18, August 24, 2012, https://www.whitehouse.gov/sites/default/files/omb/memoranda/2012/m-12-18.pdf.)
California has made similar efforts in recent years, albeit with limited success. For example, SB 1002 (Yee, 2012) originally set out to establish a statewide, integrated, open data portal. In its final version, however, the bill more modestly required the state's Chief Information Officer to conduct a study in order to evaluate how the state might go about providing the public with access to electronic records in an open, standardized, and readily accessible format.
This measure was vetoed by Governor Brown, who noted in his veto message that he believed a legislatively-mandated study was not necessary to achieve this objective.
In the current legislative session, four bills have been introduced that seek to foster "open data" by one means or another. Two of these bills apply to state agencies: SB 573 (Pan) would have the Governor appoint a Chief Data Officer to, among other things, create a statewide "open data portal," thereby creating a single point of entry to access data from several state agencies. This bill is currently in the Assembly Accountability and Administrative Review Committee. Similarly, AB 1215 (Ting) would have created the California Open Data Act to require state agencies to make public data available on an Internet Web portal. That bill, however, was held in the Assembly Appropriations Committee.
One other bill, in addition to the one which is the subject of this analysis, applies to local agencies. AB 169 (Maienschein) requires any local agency (other than a school district) that posts an electronic public record on its Internet Web site to post the record in a format that allows the record to be retrieved, downloaded, indexed, and searched by a commonly used Internet search application. That bill is awaiting hearing in the Senate Judiciary Committee.
Purpose of this Bill.
The bill presently before this Committee, SB 272, is the other bill this session that applies to local agencies. The bill's legislative findings and declarations indicate the measure seeks to move government toward "a more effective digital future" by assisting access to government data through "online portals." However, unlike the bills discussed above, the substantive provisions of SB 272 do not actually require (or even encourage) local agencies to make existing records more accessible (i.e. in an electronic format), much less create open data portals.
Instead, the author states that SB 272 constitutes a first step toward that larger "open data" goal. Specifically, SB 272 would require a local agency (other than a school district) to create a "catalog" of its "information technology systems" - that is, the various hardware and software programs that it uses for data management purposes. The bill also requires the catalog to be posted on the agency's Internet Website, if it has one. The catalog would identify the system used by the agency and include the following information: (1) the current system vendor; (2) the current system product; (3) a brief statement of the system's purpose; (4) a general description of the categories and types of data used in the system; (5) the department that serves as the custodian of the system data; (6) how frequently system data is collected; and (7) how frequently system data is updated.
Definition of "Information Technology System" A Work In Progress.
A prior version of this bill required a local agency to create a catalog of the "enterprise systems" that it uses. However, many stakeholders representing local agencies reasonably expressed that the definition of "enterprise system" in the bill was vague and uncertain. The Committee's search of the Internet and other sources turned up no consistent definition of the term "enterprise systems," although several definitions collectively suggested an "integrated" information technology system that an "enterprise" (a private or public sector entity) uses to manage data across its several departments or divisions. The term "enterprise system" is not used elsewhere in statute. A more common and familiar term, "information technology system," is used in the PRA. As most recently amended, this bill uses the term "information technology system," rather than "enterprise system."
It defines "information technology system" to mean the hardware and software that the agency uses to collect, store, exchange, and analyze the information that it collects. Perhaps more significantly, the bill excludes certain items from the definition of "information technology system," specifically information technology security systems, including firewalls and other cybersecurity systems; records that would reveal vulnerabilities to, or otherwise increase the potential for an attack on, an information technology system of a public agency; and the specific records that the information technology system collects, stores, exchanges, or analyzes.
Although the definition of "information technology system" in this bill remains too open-ended, according to the opponents of this bill, the overall purpose of the catalog is to create an inventory of the computer systems, including especially data management hardware and software, that a local agency uses to handle the data it collects. Opponents fear the existing definition is still "overly broad and would require that agencies list systems that are for internal purposes" that would not be of use to persons seeking access to public records. As noted below, the author and stakeholders may wish to continue refining the definition of "information technology system" if the bill passes out of this Committee and is referred to the Assembly Local Government Committee.
Outstanding Issues and Concerns.
This bill has been the subject of numerous discussions between the author's office, Committee staff, and associations representing local government entities throughout the state. Although the most recent amendments address many of the concerns of local agency representatives, significant issues remain unresolved.
The most important concerns and sources of opposition relate to determining which "information technology systems" must be included in the catalog; whether vendor name and system product must be included in the catalog; which local government office should be in charge of creating and maintaining the catalog; and whether or not the bill is properly placed in the Public Records Act. More generally, opponents question whether the uncertain benefits of the legislation are worth the time and money that will be necessary for local agencies to comply with the bill's provisions. The remainder of this analysis takes up these issues in turn and recommends that the author commit to working with stakeholders to address these concerns if the bill moves out of this Committee and to the Assembly Local Government Committee.
Limiting Scope of "Information Technology Systems" to the Agency's "Core Services."
Opponents argue that the catalog should be restricted to those "information technology systems" that serve the "core functions" or "core services" of the local agency. They argue that without such a limitation the catalog could become unwieldy, as the agency would be required to include every piece of hardware and every software application that has been downloaded onto every one of the agency's computers. For example, an Excel spreadsheet for routine internal office operations could be construed as an "information technology system" under this bill. The problem with this proposal, however, is that "core services" and "core functions" can be just as vague and uncertain as "information technology system" or "enterprise system." The Urban Counties Caucus has suggested to Committee staff that "core services" could be defined as those which are "essential to the public's health and safety." For a county, this could include roads, jail, law enforcement, public mental health and other social services.
However, because different agencies provide different services, it would be difficult to develop a definition of what constitutes "core services" for all agencies. Nonetheless, opponents are probably correct that the existing definition is too broad and would need to be limited in some way. The Committee urges the author to continue working with stakeholders to develop a more circumscribed definition of "information technology systems" if the bill moves forward.
Inclusion of System Vendor and System Product.
Another major issue concerns whether an agency should be required to include the system vendor and product in the catalog it creates and posts on its Website. Several of the letters of opposition contend that including this information will create a cybersecurity risk. Opponents claim that providing this information will make it easier for hackers and malware distributors, who are familiar with the vulnerabilities unique to certain brands of software or hardware, to breach or otherwise compromise agency systems and databases. The author correctly points out, however, that contracts with service providers are already subject to public records requests, and therefore hackers who wanted to get this information could do so under existing law. Opponents reasonably counter that the catalog will make it considerably easier for hackers by obviating the need for multiple and often time-consuming requests for public records and giving hackers the information that they need in a single location. In addition, hackers may be reluctant to make public record requests that will leave a trail of their activity. Finally, opponents contend that contracts do not always contain the most up-to-date information, as updates and new products may be uploaded to the system without a change in the contract.
However, even if the security risk is small, the Committee may wish to inquire how knowing vendor and product information will help the public better access public records. Members of the public generally want access to public records, not the name of the vendor that operates the system managing those records.
Who is Responsible for the Catalog?
This bill requires that the catalog be available upon request "in the office of the clerk of the agency's legislative body." If the clerk is responsible for making the catalog available upon request, then presumably the clerk is also responsible for maintaining the catalog in its office and, presumably, keeping the catalog up to date. The California Association of Clerks and Elections Officials (CACEO) opposes this bill, unless it is amended, and one of the association's requested amendments is for the bill to leave it up to the legislative body to determine which public entity or official shall have responsibility for maintaining and updating the catalog and responding to requests. In some cases, the legislative body may choose to assign responsibility to the clerks. In other cases, it may opt to assign responsibility to a Chief Information Office, or an IT specialist. At any rate, it seems reasonable for the legislative body to assign the responsibility for maintaining the catalog and making it available upon request to the party it chooses, who may or may not be the clerk of the legislative body.
Should this bill be placed in the Public Records Act?
Although the intent language in this bill proclaims that it serves the purposes of the Public Records Act and Section 3 of Article 1 of the California Constitution, this claim may be open to debate. As an opponent of this bill concisely states, "SB 272 deals with a listing of data systems. CPRA deals with records." The purpose of the PRA is to ensure that people have the right to access "the writings of public officials and agencies."
Although the PRA does not say so expressly, it is clear from the legislative history of the PRA, case law interpreting the PRA, and the overall statutory scheme that the purpose of the PRA is to give people access to existing documents that are created and maintained by a public agency in the normal course of its business. (As discussed in Rogers v. Superior Court (1993) 19 Cal.App.4th 469, agencies are not required to recreate documents that have been destroyed or discarded, and thus it would seem to follow that agencies cannot be required to create documents that do not already exist.) To be sure, this case law has focused on the agency's obligation to the demands of a requester, not to the demands of the Legislature. But since the PRA was enacted in 1968, it has hewed to this purpose by addressing required disclosures and exemptions for the existing documents created and maintained by public agencies; the Legislature has not, under the PRA, required an agency to create new documents.
This proposal appears to expand the purpose of the PRA by requiring the creation of new documents. The Committee could not find any other provision of the PRA that requires an agency to create a document in this manner. More revealingly, provisions of the Government Code that do require the creation of documents are not included within the sections that constitute the Public Records Act (Sections 6250-6270, which constitute Chapter 3.5 of Title 1, Division 7 of the Government Code), even though those provisions may be tangentially related to public records and information practices. For example, Government Code Section 11015.5 requires every state agency that collects personal information electronically on the Internet, as specified, to prominently display specified information about the types of personal information it collects and the purpose for which the information is collected.
The section that would be created by this bill appears to have more in common with this provision than it does with the provisions of the Public Records Act dealing with existing records.
The placement of this bill's language in the PRA is likely an attempt to avoid the creation of a reimbursable local mandate. The California Constitution provides that whenever the Legislature or any state agency mandates a new program or higher level of service on a local government, the state shall reimburse the local government for the costs of that program or increased level of service. (Cal. Const. art. XIII B, Section 6 [Also see Section 17514, which codifies this principle].) However, Proposition 42 amended the state constitution to eliminate the state's responsibility to pay local governments for the costs that they incur in complying with the Public Records Act. Historically those costs have included the relatively modest burden of locating and physically retrieving existing documents if and when a public record request is made. Copying costs may be offset by modest fees collected from the requester, so long as the fees do not exceed the actual costs of copying documents.
Since Proposition 42 was approved by the voters in 2014, there is more at stake for local governments when it comes to legislative proposals for amending the PRA. Most notably, in its official analysis of Proposition 42, the Legislative Analyst's Office warned of the possibility that the state legislature might be tempted to place new mandates in the Public Records Act in order to avoid reimbursing local governments. Specifically, the LAO summary wrote the following when estimating the potential costs to local governments:
Potential Effect on Local Costs: The measure could also change the future behavior of state officials. This is because under Proposition 42, the state could make changes to the Public Records Act and it would not have to pay local governments for their costs. Thus, state officials might make more changes to this law than they would have otherwise. In this case, local governments could incur additional costs - potentially in the tens of millions of dollars annually in the future. [Emphasis added.]
Unlike past amendments to the Public Records Act, this bill does not exempt a category of public records from disclosure, remove an existing exemption, or require the disclosure of an existing document. Indeed, the bill says nothing about what records should or should not be disclosed, which is the primary purpose of the Public Records Act. Rather, this bill would require local agencies to conduct an inventory of their information technology systems and put it in the form of a new catalog that must contain specified information without reimbursing the agencies for the cost of doing so.
Conclusion: If this bill moves forward, the Committee encourages the author, opponents, and concerned stakeholders to consider the following before the bill is heard in the Local Government Committee:
1) Whether to place further parameters around the definition of "information technology systems."
2) Whether it is necessary to include the system vendor and system product in the catalog.
3) Whether the legislative body should be free to identify an appropriate custodian of the catalog.
4) Whether the exemption for a "school district" should be changed to the broader, but more commonly used, "local educational agency."
ARGUMENTS IN SUPPORT: According to the author, "Local government agencies throughout California possess a potentially powerful tool for improving the lives of Californians: data. In too many cases, however, local agencies - and the constituents they serve - do not know what data they have collected or how to access it. SB 272 will identify what information is being kept by local agencies, how it is maintained, and who is responsible.
Publishing a catalog of this information will reveal how accessible and usable the information is for public review and analysis, and immediately empower Californians to utilize this information." The author believes that harnessing the power of this data "could help spur economic growth, tackle major infrastructure issues and set millions of Californians on a path toward upward mobility. Properly gathered and clearly understood data would also help empower state and local agencies to collaborate more effectively and improve service delivery."
A broad coalition of business groups and trade associations, led by the California Manufacturers & Technology Association, supports SB 272 because they say it will promote "open and accessible local government practices." The coalition believes that SB 272 is "a critical first step in the process of providing uniformity in understanding where we are today with regard to data collection systems. SB 272 moves California forward in modernizing open government in California."
California Forward Action Fund (CFAF) believes that "this bill will modernize California's approach to the California Public Records Act and allow local governments to embrace open data in a smart, measured way." CFAF contends that Proposition 42 "paved the way for more innovation in local government record disclosure and created energy to have cities, counties, special districts to embrace open data principles. However, policy makers must be careful and deliberate about local government data as to not burden systems and staff with new state requirements. SB 272 finds that balance."
Several other groups, from organized labor to the high-technology business sector, support this bill because they believe that requiring local agencies to create catalogs of their data management systems will somehow lead to an integrated and open data system, spur economic growth, and "empower" local agencies to "work together more effectively and to intelligently allocate resources to better deliver public services."
ARGUMENTS IN OPPOSITION: Several associations representing cities, counties, special districts, and an array of other local agencies oppose this bill. All but one of the groups or associations that originally only submitted letters of "concern" have changed their position to "oppose unless amended."
The California Association of Clerks and Elections Officials (CACEO) opposes this bill unless amended to address a number of its concerns. First, the clerks oppose automatically designating the "clerk of the agency's legislative body" as the custodian of the agency's catalog. CACEO argues that, depending upon the locality, the clerks, who may or may not be knowledgeable about information systems, may not be the most appropriate agency official to be responsible for the catalog. CACEO therefore recommends that SB 272 be amended to authorize the legislative body to designate the official that it deems most appropriate. This "could be the IT director, chief information officer or other appropriate official" to "act as custodian of the completed catalog, and make the catalog available to the public."
CACEO is also "deeply concerned", especially in light of Proposition 42, "that SB 272 would create yet another unfunded mandate on local agencies" by placing its provisions in the PRA. CACEO "sees no nexus between the subject of SB 272 and the subject dealt with in the California Public Records Act. SB 272 merely deals with listing of data systems. The CPRA deals with records . . . Amending the CPRA in the manner that SB 272 proposes would create confusion and a measure of conflict with the CPRA as to what constitutes an identifiable record." Therefore, CACEO believes that "SB 272 should be added to the Government Code as a body of law separate from the CPRA."
The Urban Counties Caucus (UCC), the Rural County Representatives of California (RCRC), and the California State Sheriffs Association (CSAA), who originally wrote a joint letter of "concern," now oppose this bill unless amended to, among other things, narrow the definition of "information technology systems" to include only the systems used to perform "core services." They also ask the author to remove the "system vendor" and "system product" from the catalog requirements. In support of this proposed amendment, they write that "County IT experts have raised a concern with asking for the name of the vendor and the product version. Many of our modern county software applications are connected to the Internet to provide on-line services to residents and therefore could be vulnerable to malicious hacking. It is unclear what the public benefit would be in providing the name of the vendor and the product version. We have also heard from an FBI cyber security expert that providing this type of information should be a concern for municipalities."
UCC, RCRC, and CSAA, like many other local government stakeholders, also oppose placing the provisions of this bill in the PRA. They write: "Since the passage of Proposition 42, local agencies cannot receive reimbursement for the costs to comply with the California Public Records Act. Therefore, the new requirements in SB 272 would be unfunded and could be costly for counties to comply. To provide a catalogue of all these systems could be time-consuming and it is unclear what benefit much of this information would provide to the general public."
Finally, SB 272 was opposed by many school districts and other local educational agencies, for many of the same reasons articulated by other opponents. However, given that the most recent amendments exempt school districts from the bill, they will apparently remove their opposition to the bill, although at the time of this writing only one entity - the California Association of School Administrators - has formally removed its opposition.
REGISTERED SUPPORT / OPPOSITION:
Support
AFSCME
Associated Builders and Contractors of California
Building Owners and Contractors of California
California Asian Pacific Chamber of Commerce
California Broadcasters Association
California Business Properties Association
California Business Roundtable
California Forward Action Fund
California League of Food Processors
California Manufacturers & Technology Association
California Professional Firefighters
California Retailers Association
Commercial Real Estate Development Association
Family Business Association
Firearms Policy Coalition
International Council of Shopping Centers
Los Angeles Business Federation
National Federation of Independent Businesses
San Diego Regional Data Library
San Francisco Technology Democrats
Sunlight Foundation
Urban Strategies Council
Concern
City of Roseville
Opposition
Association of California Water Agencies
California Association of Clerks and Election Officials
California Association of School Business Officials
California County Superintendents Educational Services Association
California Municipal Utilities Association
California Police Chiefs Association
California State Association of Counties
California State Sheriffs Association
City of Camarillo
City of Diamond Bar
Desert Water Agency
El Dorado Irrigation District
League of California Cities
Los Angeles Unified School District
Madera County Board of Supervisors
Municipal Information Systems Association of California
Newhall County Water District
Orange County Department of Education
Rowland Water District
Rural County Representatives of California
San Diego Unified School District
Urban County Caucuses
Analysis Prepared by: Thomas Clark / JUD. / (916) 319-2334