BILL ANALYSIS                                                                                                                                                                                                    



                                                                     SB 272


                                                                    Page  1





          SENATE THIRD READING


          SB  
          272 (Hertzberg)


          As Amended  September 2, 2015


          Majority vote


          SENATE VOTE:  37-0


           -------------------------------------------------------------------- 
          |Committee       |Votes|Ayes                   |Noes                 |
          |                |     |                       |                     |
          |                |     |                       |                     |
          |                |     |                       |                     |
          |----------------+-----+-----------------------+---------------------|
          |Judiciary       |10-0 |Mark Stone, Wagner,    |                     |
          |                |     |Alejo, Chau, Chiu,     |                     |
          |                |     |Gallagher, Cristina    |                     |
          |                |     |Garcia, Holden,        |                     |
          |                |     |Maienschein, O'Donnell |                     |
          |                |     |                       |                     |
          |----------------+-----+-----------------------+---------------------|
          |Local           |9-0  |Maienschein, Gonzalez, |                     |
          |Government      |     |Alejo, Chiu, Cooley,   |                     |
          |                |     |Linder, Low, Mullin,   |                     |
          |                |     |Waldron                |                     |
          |                |     |                       |                     |
          |----------------+-----+-----------------------+---------------------|
          |Appropriations  |17-0 |Gomez, Bigelow, Bloom, |                     |
          |                |     |Bonta, Calderon,       |                     |
          |                |     |Chang, Daly, Eggman,   |                     |
          |                |     |Gallagher, Eduardo     |                     |








                                                                     SB 272


                                                                    Page  2





          |                |     |Garcia, Holden, Jones, |                     |
          |                |     |Quirk, Rendon, Wagner, |                     |
          |                |     |Weber, Wood            |                     |
          |                |     |                       |                     |
           -------------------------------------------------------------------- 


          SUMMARY:  Requires cities, counties, special districts, and  
          joint powers authorities, by July 2016, to create a catalogue of  
          their enterprise systems and make the catalog available to the  
          public, including on the agency's Web site.  Specifically, this  
          bill: 


          1)Defines "enterprise system" as a software application or  
            computer system that collects, stores, exchanges, and analyzes  
            information used by the public agency that is:  a) a  
            multi-departmental system or a system that contains  
            information collected about the public; and b) a "system of  
            record," i.e. serving as an original source of data within an  
            agency.


          2)Stipulates that an enterprise system does not include:


             a)   Information technology security systems, including  
               firewalls and other cybersecurity systems;


             b)   Physical access control systems, employee identification  
               management systems, video monitoring, and other physical  
               control systems;


             c)   Infrastructure and mechanical control systems, including  
               those that control or manage street lights, electrical,  
               natural gas, or water or sewer functions;









                                                                     SB 272


                                                                    Page  3






             d)   Systems related to 911 dispatch and operation or  
               emergency services;


             e)   Systems that would be restricted from disclosure  
               pursuant to existing law, as specified, which exempts from  
               the California Public Records Act (PRA) the disclosure of  
               information security records that would reveal  
               vulnerabilities of an information technology system or  
               increase the potential for cyber-attacks, as specified;  
               and,


             f)   The specific records that the information technology  
               system collects, stores, exchanges, or analyzes.


          3)Requires that the catalog, for each system, disclose:


             a)   Current system vendor;


             b)   Current system product;


             c)   A brief statement of the system's purpose;


             d)   A general description of categories or types of data;


             e)   The department that serves as the system's primary  
               custodian;


             f)   How frequently system data is collected; and,









                                                                     SB 272


                                                                    Page  4






             g)   How frequently system data is updated.


          4)Specifies that if, on the facts of the particular case, the  
            public interest served by not disclosing specified information  
            on enterprises systems clearly outweighs the public interest  
            served by disclosure of the record, the local agency may  
            instead provide a system name, brief title, or identifier of  
            the system.


          EXISTING LAW:  


          1)Provides, under the PRA, that all public agency records are  
            open to public inspection upon request, unless the records are  
            otherwise exempt from public disclosure.  


          2)Requires a public agency to make non-exempt electronic public  
            records available to the public in any electronic format in  
            which it holds the information or, if requested, in an  
            electronic format used by the agency to create copies for its  
            own or other agency's use.  However, a public agency is not  
            required to release an electronic record in an electronic form  
            if its release would jeopardize or compromise the security or  
            integrity of the original record or of any proprietary  
            software in which it is maintained.  


          3)Provides that nothing in the PRA shall be construed to require  
            the disclosure of an information security record of a public  
            agency, if, on the facts of the particular case, disclosure of  
            that record would reveal vulnerabilities to, or otherwise  
            increase the potential for an attack on, an information  
            technology system of a public agency.  










                                                                     SB 272


                                                                    Page  5





          FISCAL EFFECT:  According to the Assembly Appropriations  
          Committee, Proposition 42 was passed by voters on June 3, 2014,  
          and requires all local governments to comply with the PRA and  
          the Ralph M. Brown Act (Brown Act) and with any subsequent  
          changes to those Acts.  Proposition 42 also eliminated  
          reimbursements to local agencies for costs of complying with the  
          PRA and the Brown Act.  As the bill furthers the purpose of the  
          PRA, local agencies' costs to create catalogues of their  
          respective enterprise systems would be nonreimbursable.


          COMMENTS:  According to the author, this measure seeks to move  
          government toward "a more effective digital future" by assisting  
          access to government data through "online portals."  However,  
          the substantive provisions of this bill do not actually require  
          (or even encourage) local agencies to make existing records more  
          accessible (i.e. in an electronic format), much less create open  
          data portals.  Instead, the author states that this bill  
          constitutes a first step toward that a larger "open data" goal.   
          Specifically, this bill would require a local agency (other than  
          a school district) to create to a catalogue of their "enterprise  
          systems" and make the catalog available to the public, including  
          on the agency's Web site.  This bill defines "enterprise system"  
          as a software application or computer system that collects,  
          stores, exchanges, and analyzes information used by the public  
          agency that is:  a) a multi-departmental system or a system that  
          contains information collected about the public; and b) a  
          "system of record," i.e. serving as an original source of data  
          within an agency.  The bill also specifies what an "enterprise  
          system" does not include, such as information security systems,  
          physical access control systems, or systems related to 911  
          dispatch and operation services.  


          In addition to providing a catalog of "enterprise systems," this  
          bill would also require the catalog to include additional  
          information, including the system vendor and product and  
          information about how often information is collected and  
          updated.  Although those either opposed to or expressing  








                                                                     SB 272


                                                                    Page  6





          concerns about the bill contend that providing vendor and  
          product information about their data collection systems could  
          create security breaches, the author notes that the California  
          PRA already permits a public agency to withhold any information  
          that could reveal system vulnerabilities. 


          While the opposition's security concerns may be overstated and  
          possibly already addressed by existing law, there is nonetheless  
          a legitimate question as to whether this measure is  
          appropriately placed in the PRA.  Although the intent language  
          in this bill proclaims that it serves the purposes of the PRA  
          and California Constitution Article 1, Section 3, this claim is  
          debatable.  The purpose of the PRA is to ensure that people have  
          the right to access "the writings of public officials and  
          agencies."  Although the PRA does not say so expressly, it is  
          clear from the legislative history of the PRA, case law  
          interpreting the PRA, and the overall statutory scheme that the  
          purpose of the PRA is to give people access to existing  
          documents that are created and maintained by a public agency in  
          the normal course of its business.  This proposal appears to  
          expand the purpose of the PRA by requiring the creation of new  
          documents.  


          The placement of this bill's language in the PRA is likely an  
          attempt to avoid the creation of a reimbursable local mandate.   
          The California Constitution provides that whenever the  
          Legislature or any state agency mandates a new program or higher  
          level of service on a local government, the state shall  
          reimburse the local government for the costs of that program or  
          increased level of service.  (California Constitution Article  
          XIII B, Section 6.)  However, Proposition 42 amended the state  
          constitution to eliminate the state's responsibility to pay  
          local governments for the costs that they incur in complying  
          with the PRA.  Historically those costs have included the  
          relatively modest burden of locating and physically retrieving  
          existing documents if and when a public record request is made.   
          Copying costs may be offset by modest fees collected from the  








                                                                     SB 272


                                                                    Page  7





          requester, so long as the fees do not exceed the actual costs of  
          copying documents.   


          Since Proposition 42 was approved by the voters in 2014, there  
          is more at stake for local governments when it comes to  
          legislative proposals for amending the PRA.  Most notably, in  
          its official analysis of Proposition 42, the Legislative  
          Analyst's Office (LAO) warned of the possibility that the state  
          legislature might be tempted to place new mandates in the PRA in  
          order to avoid reimbursing local governments.  Specifically, the  
          LAO summary concluded that Proposition 42 could "change the  
          future behavior of state officials.  This is because under  
          Proposition 42, the state could make changes to the Public  
          Records Act and it would not have to pay local governments for  
          their costs.  Thus, state officials might make more changes to  
          this law than they would have otherwise.  In this case, local  
          governments could incur additional costs - potentially in the  
          tens of millions of dollars annually in the future."  [Emphasis  
          added.]


          Unlike past amendments to the PRA, this bill does not exempt  
          a category of public records from disclosure, remove an  
          existing exemption, or require the disclosure of an existing  
          document.  Indeed, the bill says nothing about what records  
          should or should not be disclosed, which is the primary  
          purpose of the PRA.  Rather, this bill would require local  
          agencies to conduct an inventory of their "enterprise  
          systems" and put it in the form of a new catalog that must  
          contain specified information without reimbursing the  
          agencies for the cost of doing so. 




          Analysis Prepared by:                                             
                          Thomas Clark / JUD. / (916) 319-2334  FN:  
          0001980








                                                                     SB 272


                                                                    Page  8