BILL ANALYSIS
AB 2455
Page 1
Date of Hearing: April 17, 2012
ASSEMBLY COMMITTEE ON JUDICIARY
Mike Feuer, Chair
AB 2455 (Campos) - As Amended: March 21, 2012
SUBJECT : Data Security Breach Notices: Local Agencies
KEY ISSUE : Should the existing law that requires state agencies
to notify affected persons in the event of a data security
breach be extended to impose the same requirement on local
agencies?
FISCAL EFFECT : As currently in print this bill is keyed
fiscal.
SYNOPSIS
This bill would extend to local agencies the same data breach
notification requirements to which state agencies are already
subject. Enacted in 2002 as an effort to better combat identity
theft in a digital age, California's landmark security breach
notification law requires both state agencies and private
businesses that own or maintain personal information (in
computerized form) to notify any person whose personal
information is compromised as a result of a data breach.
However, because the data breach notification statute falls
within the state's 1977 Information Practices Act (IPA), it does
not apply to local agencies - which were expressly exempted from
the IPA. This bill would provide that, notwithstanding that
exemption, local agencies will henceforth be subject to the same
notification requirements that presently apply to state
agencies. According to the author, local agencies often hold
the same kinds of sensitive information that are held by state
agencies and private businesses and, therefore, should be held
to the same notification requirements. The author cites a
number of incidents in which personal data held by local
agencies have been compromised in one manner or another in the
past few years. There is no known opposition to this bill.
SUMMARY : Extends to local agencies an existing statute that
requires state agencies that own or license computerized
personal data to notify any person whose personal data is
subject to a data security breach.
EXISTING LAW :
1) Requires any state agency that owns or licenses computerized
data that includes personal information to disclose any breach
of the data to any resident of California whose unencrypted
personal information was, or is reasonably believed to have
been, acquired by an unauthorized person. Requires any state
agency that maintains, but does not own, personal information
to notify the owner or licensor of the data of any breach.
Provides further that disclosure shall be made in the most
expedient time possible and without unreasonable delay.
(Civil Code Section 1798.29.)
2) Requires any person or business that conducts business in
California, and that owns or licenses computerized data that
includes personal information to disclose any breach of the
data to any resident of California whose unencrypted personal
information was, or is reasonably believed to have been,
acquired by an unauthorized person. Requires any person or
business that maintains, but does not own, personal
information to notify the owner or licensor of the data of any
breach. Provides further that disclosure shall be made in the
most expedient time possible and without unreasonable delay.
(Civil Code Section 1798.82.)
3) Provides that notice required under the above provisions may
be made by written notice or electronic notice, if the latter
is consistent with federal electronic signature standards.
Provides, however, that substitute notice, as specified, may
be used if the person, business, or agency determines that the
cost of providing notice would exceed $250,000 or that the
affected class of subject persons exceeds 500,000, or the
person, business, or agency does not have sufficient contact
information. (Civil Code Sections 1798.29 (g) and 1798.82
(g).)
4) Provides that when an agency, person, or business is required
to issue a data security breach notification pursuant to the
above provisions, that notification must be written in plain
language and provide specified information, including the name
and contact information of the reporting agency, person, or
business; information about the timing and nature of the
breach; and contact information for the major credit reporting
bureaus. Specifies that the agency, person, or business may
include additional information that would be useful to the
person in taking steps to mitigate potential damages caused by
the breach. (Civil Code Sections 1798.29 (d) and 1798.82
(d).)
5) Notwithstanding the above notice requirements, a person,
business, or agency that maintains its own notification
procedures as part of an information security policy that is
consistent with existing law shall be deemed to be in
compliance with the notification requirements of state law if the agency,
person, or business notifies subject persons in accordance
with its own policies. (Civil Code Sections 1798.29 (h) and
1798.82 (h).)
6) Exempts local agencies from the state Information Practices
Act, of which the above provisions are a part. (Civil Code
Section 1798.3(b)(4).)
COMMENTS : Under California's data security breach notification
law, a person, business, or state agency that keeps, maintains,
or leases computerized data that contains personal information
must provide appropriate notices if personal information is
compromised as a result of a data breach. The purpose for these
notice requirements is obvious enough: when a person's personal
information is compromised there are steps that he or she can
take to mitigate the possibility that the personal information
will be misused, but a person cannot take those steps unless he
or she is first aware that the personal information has been
compromised.
Over the past few years, this Committee has heard several bills
that have expanded or fine-tuned existing law. For example,
last year this Committee heard SB 24 (Chapter 197, Statutes of
2011), which prescribed the contents of the required security
notices so that such notices will provide more useful
information to the victims of a security breach and be uniform
throughout the state. The existing breach notification law
consists of two parallel sections in the Civil Code: one section
applies to state agencies and another, nearly identical, section
applies to persons and businesses. However, because the section
relating to state agencies is located within the state's
Information Practices Act (IPA) of 1977, it does not apply to
local government agencies - which were expressly exempted from
the original IPA in 1985. It is not clear from extant
legislative history why local agencies were carved out of the
IPA at that time. This bill would specify that, for purposes of
the security breach notification provisions only, a covered
"agency" includes a local agency as well as a state agency.
Local agencies, therefore, would continue to be exempted from
other provisions of the IPA, except where otherwise provided.
For purposes of this bill, "local agency" is given the standard
definition that currently exists in Section 6252 of the
Government Code: a city; county, city and county; school
district; municipal corporation; district; political
subdivision; or any board, commission or agency thereof; other
local public agency; or entities that are legislative bodies of
a local agency.
Scope of the Problem : Partly because local agencies are not
currently subject to the breach notification law, it is
difficult to ascertain the exact scope of the problem among
local agencies. The author provided the Committee with a list
identifying a handful of breaches that have occurred at local
agencies in the past few years, ranging from at least one
hacking incident to a few law enforcement and social service
agencies that misplaced laptops containing files with personal
information. Had these breaches occurred at state agencies,
those agencies would have been required to notify all affected
persons or, if this had not been possible, then to provide
"substitute notice" by posting the information on a website and
notifying major statewide media and the statewide Office of
Information Security. This bill is premised on the reasonable
assumption that the consequences of a data breach - and the need
for the affected person to have knowledge of the breach and take
appropriate protective steps - are the same whether the data is
held by a state agency or by a local agency. What's good for
the goose, in other words, is good for the gosling.
ARGUMENTS IN SUPPORT : According to the author, whatever the
original reason for exempting local agencies from the IPA, in
the 21st century the state's breach notification law should "no
longer [be] considered optional for any type of employer or any
level of government." The author claims that "in the past five
years, there have been numerous incidents of data breaches
throughout state and local government." The author concedes
that some governments may already be providing notices when a
breach occurs, but at best this only results in "a patchwork of
disclosure requirements" that provide no certainty to the
consumer, taxpayer, or citizen whose personal information has
been breached.
The Privacy Rights Clearinghouse argues that "a great deal of
highly sensitive personal information is collected and held by
local governments," yet "local governments are not required to
provide any notifications to individuals who may be the victim
of a data breach . . . The end result of this failure to notify
can be identity theft, as individuals have no other mechanism
for discovering the existence of the information." PRC believes
that this bill will fill a "major gap" in California's existing
breach notification law. Consumers Union supports this bill for
substantially the same reason, noting that "[p]rompt notice to
all consumers after each security breach gives consumers a
chance to take steps to discover an actual or attempted identity
theft as early as possible."
REGISTERED SUPPORT / OPPOSITION :
Support
ACLU
AFSCME
California School Employees Association
California Teachers Association
Consumer Federation of California
Consumers Union
Privacy Rights Clearinghouse
Opposition
None on file
Analysis Prepared by : Thomas Clark / JUD. / (916) 319-2334