BILL ANALYSIS                                                                                                                                                                                                    

                                                                     SB 272

                                                                    Page  1


          272 (Hertzberg)

          As Amended  August 17, 2015

          Majority vote

          SENATE VOTE:  37-0

          |Committee       |Votes|Ayes                  |Noes                |
          |                |     |                      |                    |
          |                |     |                      |                    |
          |                |     |                      |                    |
          |Judiciary       |10-0 |Mark Stone, Wagner,   |                    |
          |                |     |Alejo, Chau, Chiu,    |                    |
          |                |     |Gallagher,            |                    |
          |                |     |                      |                    |
          |                |     |                      |                    |
          |                |     |Cristina Garcia,      |                    |
          |                |     |Holden, Maienschein,  |                    |
          |                |     |O'Donnell             |                    |
          |                |     |                      |                    |
          |Local           |9-0  |Maienschein,          |                    |
          |Government      |     |Gonzalez, Alejo,      |                    |
          |                |     |Chiu, Cooley, Linder, |                    |
          |                |     |Low, Mullin, Waldron  |                    |
          |                |     |                      |                    |
          |Appropriations  |17-0 |Gomez, Bigelow,       |                    |


                                                                     SB 272

                                                                    Page  2

          |                |     |Bloom, Bonta,         |                    |
          |                |     |Calderon, Chang,      |                    |
          |                |     |Daly, Eggman,         |                    |
          |                |     |Gallagher,            |                    |
          |                |     |                      |                    |
          |                |     |                      |                    |
          |                |     |Eduardo Garcia,       |                    |
          |                |     |Holden, Jones, Quirk, |                    |
          |                |     |Rendon, Wagner,       |                    |
          |                |     |Weber, Wood           |                    |
          |                |     |                      |                    |
          |                |     |                      |                    |

          SUMMARY:  Requires cities, counties, special districts, and  
          joint powers authorities, by July 2016, to create a catalogue of  
          their enterprise systems and make the catalog available to the  
          public, including on the agency's Web site.  Specifically, this  

          1)Defines "enterprise system" as a software application or  
            computer system that collects, stores, exchanges, and analyzes  
            information used by the public agency that is:  a) a  
            multi-departmental system or a system that contains  
            information collected about the public; and b) a "system of  
            record," i.e. serving as an original source of data within an  

          2)Stipulates that an enterprise system does not include:

             a)   Information technology security systems, including  
               firewalls and other cybersecurity systems;

             b)   Physical access control systems, employee identification  


                                                                     SB 272

                                                                    Page  3

               management systems, video monitoring, and other physical  
               control systems;

             c)   Infrastructure and mechanical control systems, including  
               those that control or manage street lights, or water or  
               sewer functions;

             d)   Systems related to 911 dispatch and operation or  
               emergency services;

             e)   Systems that would be restricted from disclosure  
               pursuant to existing law, as specified, which exempts from  
               the California Public Records Act (PRA) the disclosure of  
               information security records that would reveal  
               vulnerabilities of an information technology system or  
               increase the potential for cyber-attacks, as specified;  

             f)   The specific records that the information technology  
               system collects, stores, exchanges, or analyzes.

          3)Requires that the catalog, for each system, disclose:

             a)   Current system vendor;

             b)   Current system product;

             c)   A brief statement of the system's purpose;

             d)   A general description of categories or types of data;


                                                                     SB 272

                                                                    Page  4

             e)   The department that serves as the system's primary  

             f)   How frequently system data is collected; and,

             g)   How frequently system data is updated.

          EXISTING LAW:  

          1)Provides, under the PRA, that all public agency records are  
            open to public inspection upon request, unless the records are  
            otherwise exempt from public disclosure.  

          2)Requires a public agency to make non-exempt electronic public  
            records available to the public in any electronic format in  
            which it holds the information or, if requested, in an  
            electronic format used by the agency to create copies for its  
            own or other agency's use.  However, a public agency is not  
            required to release an electronic record in an electronic form  
            if its release would jeopardize or compromise the security or  
            integrity of the original record or of any proprietary  
            software in which it is maintained.  

          3)Provides that nothing in the PRA shall be construed to require  
            the disclosure of an information security record of a public  
            agency, if, on the facts of the particular case, disclosure of  
            that record would reveal vulnerabilities to, or otherwise  
            increase the potential for an attack on, an information  
            technology system of a public agency.  


                                                                     SB 272

                                                                    Page  5

          FISCAL EFFECT:  According to the Assembly Appropriations  
          Committee, Proposition 42 was passed by voters on June 3, 2014,  
          and requires all local governments to comply with the PRA and  
          the Ralph M. Brown Act (Brown Act) and with any subsequent  
          changes to those Acts.  Proposition 42 also eliminated  
          reimbursements to local agencies for costs of complying with the  
          PRA and the Brown Act.  As the bill furthers the purpose of the  
          PRA, local agencies' costs to create catalogues of their  
          respective enterprise systems would be nonreimbursable.

          COMMENTS:  According to the author, this measure seeks to move  
          government toward "a more effective digital future" by assisting  
          access to government data through "online portals."  However,  
          the substantive provisions of this bill do not actually require  
          (or even encourage) local agencies to make existing records more  
          accessible (i.e. in an electronic format), much less create open  
          data portals.  Instead, the author states that this bill  
          constitutes a first step toward that a larger "open data" goal.   
          Specifically, this bill would require a local agency (other than  
          a school district) to create to a catalogue of their "enterprise  
          systems" and make the catalog available to the public, including  
          on the agency's Web site.  The bill defines "enterprise system"  
          as a software application or computer system that collects,  
          stores, exchanges, and analyzes information used by the public  
          agency that is:  a) a multi-departmental system or a system that  
          contains information collected about the public; and b) a  
          "system of record," i.e. serving as an original source of data  
          within an agency.  The bill also specifies what an "enterprise  
          system" does not include, such as information security systems,  
          physical access control systems, or systems related to 911  
          dispatch and operation services.  

          In addition to providing a catalog of "enterprise systems," this  
          bill would also require the catalog to include additional  
          information, including the system vendor and product and  
          information about how often information is collected and  
          updated.  Although those either opposed to or expressing  


                                                                     SB 272

                                                                    Page  6

          concerns about the bill contend that providing vendor and  
          product information about their data collection systems could  
          create security breaches, the author notes that the California  
          PRA already permits a public agency to withhold any information  
          that could reveal system vulnerabilities. 

          While the opposition's security concerns may be overstated and  
          possibly already addressed by existing law, there is nonetheless  
          a legitimate question as to whether this measure is  
          appropriately placed in the PRA.  Although the intent language  
          in this bill proclaims that it serves the purposes of the PRA  
          and California Constitution Article 1, Section 3, this claim is  
          debatable.  The purpose of the PRA is to ensure that people have  
          the right to access "the writings of public officials and  
          agencies."  Although the PRA does not say so expressly, it is  
          clear from the legislative history of the PRA, case law  
          interpreting the PRA, and the overall statutory scheme that the  
          purpose of the PRA is to give people access to existing  
          documents that are created and maintained by a public agency in  
          the normal course of its business.  This proposal appears to  
          expand the purpose of the PRA by requiring the creation of new  

          The placement of this bill's language in the PRA is likely an  
          attempt to avoid the creation of a reimbursable local mandate.   
          The California Constitution provides that whenever the  
          Legislature or any state agency mandates a new program or higher  
          level of service on a local government, the state shall  
          reimburse the local government for the costs of that program or  
          increased level of service.  (California Constitution Article  
          XIII B, Section 6.)  However, Proposition 42 amended the state  
          constitution to eliminate the state's responsibility to pay  
          local governments for the costs that they incur in complying  
          with the PRA.  Historically those costs have included the  
          relatively modest burden of locating and physically retrieving  
          existing documents if and when a public record request is made.   
          Copying costs may be offset by modest fees collected from the  


                                                                     SB 272

                                                                    Page  7

          requester, so long as the fees do not exceed the actual costs of  
          copying documents.   

          Since Proposition 42 was approved by the voters in 2014, there  
          is more at stake for local governments when it comes to  
          legislative proposals for amending the PRA.  Most notably, in  
          its official analysis of Proposition 42, the Legislative  
          Analyst's Office (LAO) warned of the possibility that the state  
          legislature might be tempted to place new mandates in the PRA in  
          order to avoid reimbursing local governments.  Specifically, the  
          LAO summary concluded that Proposition 42 could "change the  
          future behavior of state officials.  This is because under  
          Proposition 42, the state could make changes to the Public  
          Records Act and it would not have to pay local governments for  
          their costs.  Thus, state officials might make more changes to  
          this law than they would have otherwise.  In this case, local  
          governments could incur additional costs - potentially in the  
          tens of millions of dollars annually in the future."  [Emphasis  

          Unlike past amendments to the PRA, this bill does not exempt  
          a category of public records from disclosure, remove an  
          existing exemption, or require the disclosure of an existing  
          document.  Indeed, the bill says nothing about what records  
          should or should not be disclosed, which is the primary  
          purpose of the PRA.  Rather, this bill would require local  
          agencies to conduct an inventory of their "enterprise  
          systems" and put it in the form of a new catalog that must  
          contain specified information without reimbursing the  
          agencies for the cost of doing so. 

          Analysis Prepared by:                                             
                          Thomas Clark / JUD. / (916) 319-2334  FN:  


                                                                     SB 272

                                                                    Page  8