BILL ANALYSIS �Ó
SB 441
Page 1
Date of Hearing: August 3, 2016
ASSEMBLY COMMITTEE ON APPROPRIATIONS
Lorena Gonzalez, Chair
SB 441
(Wolk) - As Amended June 22, 2016
-----------------------------------------------------------------
|Policy |Judiciary |Vote:|10-0 |
|Committee: | | | |
| | | | |
| | | | |
|-------------+-------------------------------+-----+-------------|
| | | | |
| | | | |
| | | | |
|-------------+-------------------------------+-----+-------------|
| | | | |
| | | | |
| | | | |
-----------------------------------------------------------------
Urgency: No State Mandated Local Program: NoReimbursable: No
SUMMARY:
This bill exempts from disclosure under the California Public
Records Act (CPRA) any unique identifying code used by the
public agency to identify a contractor or vendor, unless the
identifier is used in a public bidding or an audit involving the
�
SB 441
Page 2
public agency.
FISCAL EFFECT:
Any costs for state and local agencies to comply with this
requirement should be minor and absorbable.
COMMENTS:
Purpose. This bill is in response to an email scam perpetrated
against the City of Dixon, which resulted in the diversion of
city payments of up to $1.3 million from the intended
contractor's bank account into an account established in another
bank by the scammers. According to an investigation of the
incident, the city received an email containing the logo of the
contractor that had performed work that purported to provide the
city with new payment instructions. A subsequent investigation
showed that the message was sent from an email address that was
quite similar to an email address of the actual contractor. The
city assumed the message was legitimate and directed its next
payment as instructed, only to discover that the contractor
never received payment and had never sent an email with
instructions to change the payment method. The city assumed the
email was legitimate, in part, because it contained the unique
identification code used by the city to identify the contractor
for remitting and tracking payments.
It is unclear whether or not the scammers obtained the
identification number from a public records request, but that
was surely a possibility. SB 441, therefore, amends the CPRA to
specify that a public agency is not required to disclose any
identification number, alphanumeric character, or other unique
code that the agency uses to identify a vendor or contractor.
The most recent amendments, which addressed concerns raised by
�
SB 441
Page 3
the California Newspaper Publishers Association, specify that
this exemption would not apply when the code is used in a public
bidding or an audit involving the public agency.
Analysis Prepared by:Chuck Nicol / APPR. / (916)
319-2081