BILL ANALYSIS

SB 272 Page 1

SENATE THIRD READING

SB 272 (Hertzberg)
As Amended September 2, 2015
Majority vote

SENATE VOTE: 37-0

|Committee       |Votes|Ayes                                               |Noes|
|----------------+-----+---------------------------------------------------+----|
|Judiciary       |10-0 |Mark Stone, Wagner, Alejo, Chau, Chiu, Gallagher,  |    |
|                |     |Cristina Garcia, Holden, Maienschein, O'Donnell    |    |
|----------------+-----+---------------------------------------------------+----|
|Local Government|9-0  |Maienschein, Gonzalez, Alejo, Chiu, Cooley, Linder,|    |
|                |     |Low, Mullin, Waldron                               |    |
|----------------+-----+---------------------------------------------------+----|
|Appropriations  |17-0 |Gomez, Bigelow, Bloom, Bonta, Calderon, Chang,     |    |
|                |     |Daly, Eggman, Gallagher, Eduardo Garcia, Holden,   |    |
|                |     |Jones, Quirk, Rendon, Wagner, Weber, Wood          |    |

SUMMARY: Requires cities, counties, special districts, and joint powers authorities, by July 2016, to create a catalogue of their enterprise systems and make the catalog available to the public, including on the agency's Web site. Specifically, this bill:

1)Defines "enterprise system" as a software application or computer system that collects, stores, exchanges, and analyzes information used by the public agency that is: a) a multi-departmental system or a system that contains information collected about the public; and b) a "system of record," i.e. serving as an original source of data within an agency.
2)Stipulates that an enterprise system does not include:
   a) Information technology security systems, including firewalls and other cybersecurity systems;
   b) Physical access control systems, employee identification management systems, video monitoring, and other physical control systems;
   c) Infrastructure and mechanical control systems, including those that control or manage street lights, electrical, natural gas, or water or sewer functions;
   d) Systems related to 911 dispatch and operation or emergency services;
   e) Systems that would be restricted from disclosure pursuant to existing law, as specified, which exempts from the California Public Records Act (PRA) the disclosure of information security records that would reveal vulnerabilities of an information technology system or increase the potential for cyber-attacks, as specified; and,
   f) The specific records that the information technology system collects, stores, exchanges, or analyzes.

3)Requires that the catalog, for each system, disclose:
   a) Current system vendor;
   b) Current system product;
   c) A brief statement of the system's purpose;
   d) A general description of categories or types of data;
   e) The department that serves as the system's primary custodian;
   f) How frequently system data is collected; and,
   g) How frequently system data is updated.

4)Specifies that if, on the facts of the particular case, the public interest served by not disclosing specified information on enterprise systems clearly outweighs the public interest served by disclosure of the record, the local agency may instead provide a system name, brief title, or identifier of the system.

EXISTING LAW:

1)Provides, under the PRA, that all public agency records are open to public inspection upon request, unless the records are otherwise exempt from public disclosure.
2)Requires a public agency to make non-exempt electronic public records available to the public in any electronic format in which it holds the information or, if requested, in an electronic format used by the agency to create copies for its own or other agency's use. However, a public agency is not required to release an electronic record in an electronic form if its release would jeopardize or compromise the security or integrity of the original record or of any proprietary software in which it is maintained.

3)Provides that nothing in the PRA shall be construed to require the disclosure of an information security record of a public agency, if, on the facts of the particular case, disclosure of that record would reveal vulnerabilities to, or otherwise increase the potential for an attack on, an information technology system of a public agency.

FISCAL EFFECT: According to the Assembly Appropriations Committee, Proposition 42 was passed by voters on June 3, 2014, and requires all local governments to comply with the PRA and the Ralph M. Brown Act (Brown Act) and with any subsequent changes to those Acts. Proposition 42 also eliminated reimbursements to local agencies for costs of complying with the PRA and the Brown Act. As the bill furthers the purpose of the PRA, local agencies' costs to create catalogues of their respective enterprise systems would be nonreimbursable.

COMMENTS: According to the author, this measure seeks to move government toward "a more effective digital future" by assisting access to government data through "online portals." However, the substantive provisions of this bill do not actually require (or even encourage) local agencies to make existing records more accessible (i.e. in an electronic format), much less create open data portals. Instead, the author states that this bill constitutes a first step toward that larger "open data" goal.
Specifically, this bill would require a local agency (other than a school district) to create a catalogue of their "enterprise systems" and make the catalog available to the public, including on the agency's Web site. This bill defines "enterprise system" as a software application or computer system that collects, stores, exchanges, and analyzes information used by the public agency that is: a) a multi-departmental system or a system that contains information collected about the public; and b) a "system of record," i.e. serving as an original source of data within an agency. The bill also specifies what an "enterprise system" does not include, such as information security systems, physical access control systems, or systems related to 911 dispatch and operation services.

In addition to providing a catalog of "enterprise systems," this bill would also require the catalog to include additional information, including the system vendor and product and information about how often information is collected and updated. Although those either opposed to or expressing concerns about the bill contend that providing vendor and product information about their data collection systems could create security breaches, the author notes that the California PRA already permits a public agency to withhold any information that could reveal system vulnerabilities.

While the opposition's security concerns may be overstated and possibly already addressed by existing law, there is nonetheless a legitimate question as to whether this measure is appropriately placed in the PRA. Although the intent language in this bill proclaims that it serves the purposes of the PRA and California Constitution Article 1, Section 3, this claim is debatable. The purpose of the PRA is to ensure that people have the right to access "the writings of public officials and agencies."
Although the PRA does not say so expressly, it is clear from the legislative history of the PRA, case law interpreting the PRA, and the overall statutory scheme that the purpose of the PRA is to give people access to existing documents that are created and maintained by a public agency in the normal course of its business. This proposal appears to expand the purpose of the PRA by requiring the creation of new documents.

The placement of this bill's language in the PRA is likely an attempt to avoid the creation of a reimbursable local mandate. The California Constitution provides that whenever the Legislature or any state agency mandates a new program or higher level of service on a local government, the state shall reimburse the local government for the costs of that program or increased level of service. (California Constitution Article XIII B, Section 6.) However, Proposition 42 amended the state constitution to eliminate the state's responsibility to pay local governments for the costs that they incur in complying with the PRA. Historically those costs have included the relatively modest burden of locating and physically retrieving existing documents if and when a public record request is made. Copying costs may be offset by modest fees collected from the requester, so long as the fees do not exceed the actual costs of copying documents.

Since Proposition 42 was approved by the voters in 2014, there is more at stake for local governments when it comes to legislative proposals for amending the PRA. Most notably, in its official analysis of Proposition 42, the Legislative Analyst's Office (LAO) warned of the possibility that the state legislature might be tempted to place new mandates in the PRA in order to avoid reimbursing local governments. Specifically, the LAO summary concluded that Proposition 42 could "change the future behavior of state officials.
This is because under Proposition 42, the state could make changes to the Public Records Act and it would not have to pay local governments for their costs. Thus, state officials might make more changes to this law than they would have otherwise. In this case, local governments could incur additional costs - potentially in the tens of millions of dollars annually in the future." [Emphasis added.]

Unlike past amendments to the PRA, this bill does not exempt a category of public records from disclosure, remove an existing exemption, or require the disclosure of an existing document. Indeed, the bill says nothing about what records should or should not be disclosed, which is the primary purpose of the PRA. Rather, this bill would require local agencies to conduct an inventory of their "enterprise systems" and put it in the form of a new catalog that must contain specified information without reimbursing the agencies for the cost of doing so.

Analysis Prepared by: Thomas Clark / JUD. / (916) 319-2334

FN: 0001980