BILL ANALYSIS

SB 441 Page 1

Date of Hearing: June 28, 2016

ASSEMBLY COMMITTEE ON JUDICIARY
Mark Stone, Chair

SB 441 (Wolk) - As Amended June 22, 2016

SENATE VOTE: Not Relevant

SUBJECT: California Public Records Act: exemptions

KEY ISSUE: Should the public records act be amended to exempt identification numbers or other unique codes that a public agency uses to identify a vendor or contractor, so as to protect against fraudulent uses of those numbers or codes?

SYNOPSIS

This bill would amend the California Public Records Act (CPRA) to exempt from disclosure the unique identification numbers or alphanumeric codes that a public agency uses to identify a public contractor or vendor for billing, payment, or other internal administrative purposes. The bill, as amended in the Assembly, is a response to an e-mail scam perpetrated against the City of Dixon. That scam resulted in the diversion of city payments of up to $1.3 million from the intended contractor's bank account into an account established in another bank by the scammers.

According to an investigation of the incident, the city received an email containing the logo of the contractor that had performed work. The e-mail purported to provide the city with new payment instructions. A subsequent investigation showed that the message was sent from an e-mail address that was quite similar to an e-mail address of the actual contractor. The city assumed the message was legitimate and directed its next payment as instructed, only to discover that the contractor never received payment and had never sent an e-mail with instructions to change the payment method. The city assumed the e-mail was legitimate, in part, because it contained the unique identification code that the city used to identify the contractor for remitting and tracking payments. It is unclear whether or not the scammers obtained the identification number from a public records request, but that was surely a possibility.

This bill, therefore, would amend the CPRA to specify that a public agency is not required to disclose any identification number, alphanumeric character, or other unique code that the agency uses to identify a vendor or contractor. Recent amendments, taken by the author to address concerns raised by the California Newspaper Publishers Association, would specify that the exemption would not apply if the code is used in a public bidding or an audit involving the public agency. This seems a very reasonable compromise that balances the competing interests of public access to government records with the need to protect public agencies against fraud. While the public certainly has an interest in knowing the identity of vendors and contractors that receive public funds, and the amount of those contracts, there is no significant interest in knowing the otherwise random numbers or alphanumeric codes that the agency uses for internal administrative purposes.

Because this bill was amended in the Assembly to address a different topic, the Senate votes are irrelevant. The bill is sponsored by the City of Dixon and supported by the League of California Cities. There is no opposition to this bill.

SUMMARY: Exempts from disclosure under the CPRA any unique identification number or code that a public agency uses to identify a vendor or contractor, except as specified. Specifically, this bill:

1) Provides that nothing in the CPRA requires the disclosure of an identification number, alphanumeric character, or other unique identifying code that a public agency uses to identify a vendor or contractor, or an affiliate of a vendor or contractor, unless the identification number, alphanumeric character, or other unique identifying code is used in a public bidding or an audit involving the public agency.

2) Finds and declares, as required by the California Constitution, that this limitation on the public's right of access to public records is necessary to protect the public interest by balancing the right of the public to access relevant information about contractors, vendors, and their affiliates used by public agencies, while at the same time preventing the misuse of identification information that may be used to defraud local agencies.

EXISTING LAW provides, under the California Public Records Act (CPRA), that all public records shall be open to inspection at all times during the business hours of any state or local public agency and that every person has a right to inspect or copy any public record, unless the public record is expressly exempted from disclosure or the public interest in disclosing the public record is clearly outweighed by the public interest in not disclosing the public record. (Government Code Section 6250 et seq.)

FISCAL EFFECT: As currently in print this bill is keyed fiscal.

COMMENTS: According to the author, this bill, as amended in the Assembly, is a response to an e-mail scam perpetrated against the City of Dixon. That incident resulted in payments of up to $1.3 million in public funds being diverted from an intended contractor's bank account into an account established in a different bank by the scammers.

Like most people and entities, public or private, the City of Dixon increasingly pays its bills electronically through an "Automated Clearing House" (ACH). According to an independent investigation, the city received an email containing the logo of the contractor that had performed work for the city. The e-mail purported to inform the city that ACH payments should go to another account maintained by the contractor and provided the city with new payment instructions and account numbers.

A subsequent investigation showed that the message was sent from an e-mail address that was quite similar to the e-mail address of the actual contractor. The city assumed that the message was legitimate and directed its next ACH payment as instructed, only to discover that the contractor never received payment and had never sent an e-mail with instructions to change the payment method. The city assumed the e-mail was legitimate, in part, because it contained the unique identification code that the city used to identify the contractor for billing and other internal administrative purposes. It is unclear whether or not the scammers obtained the identification number from a public records request, but that was surely a possibility. The author hopes that this bill will reduce the opportunity for such fraudulent diversions.

According to the author and supporters, the use of such identification numbers in conjunction with an ACH payment system allows public agencies to quickly identify and effectively track and remit payments. Unfortunately, these numbers are found in the enumeration of claims published in a city council agenda packet. These packets are in turn available upon request, yet there is no exemption in the CPRA that would permit withholding or redacting these numbers from a public records request. This bill, therefore, would amend the CPRA to specify that a public agency is not required to disclose any identification number, alphanumeric character, or other unique code that the agency uses to identify a vendor or contractor.

Recent amendments, taken by the author to address concerns raised by the California Newspaper Publishers Association, would specify that the exemption would not apply if the code is used in a public bidding or an audit involving the public agency. That is, the number would only be withheld from a public records request where the number is otherwise only created by the public agency and used for strictly internal purposes.

This seems to be a reasonable compromise that balances the competing interests of public access to government records and information, while at the same time protecting public agencies against fraud. While the public certainly has an interest in knowing the identity of vendors and contractors that receive public funds, there is no significant interest in knowing the otherwise random numbers or alphanumeric codes that the agency uses for internal administrative purposes.

Arguments in Support: According to the sponsor, the City of Dixon, vendor identification numbers are "unique identifiers created and used by public agencies statewide to provide a uniform system to quickly identify vendors and effectively track and remit payments. [Yet currently] there is no specific exemption in the [CPRA] to prevent the disclosure of vendor identification numbers." The City of Dixon believes that SB 441 appropriately "seeks to reduce the risk of a public agency falling victim to the type of fraud that the City faced earlier this year. The fraud attempt underscores how easy it is for criminals to obtain information meant for internal use and utilize it to carry out similar scams against public entities." The City of Dixon concludes that "SB 441 balances the public's right to government transparency with the duty to protect public funds."

The League of California Cities writes that "this measure addresses concerns arising from documented attempts to defraud local agencies and appropriately considers the public interest served by not disclosing unique vendor identification numbers. Unique vendor numbers serve only to allow city staff to correctly and efficiently issue and track payments. Under this measure, public disclosure of vendors and amounts paid will still be available," but at the same time "the measure will help deter and prevent attempts to defraud local agencies."

REGISTERED SUPPORT / OPPOSITION:

Support

City of Dixon (sponsor)
League of California Cities

Opposition

None on file

Analysis Prepared by: Thomas Clark / JUD. / (916) 319-2334