BILL ANALYSIS
AB 2455
Page 1
Date of Hearing: April 25, 2012
ASSEMBLY COMMITTEE ON LOCAL GOVERNMENT
Cameron Smyth, Chair
AB 2455 (Campos) - As Amended: March 21, 2012
SUBJECT: Identity theft: local agencies.
SUMMARY: Applies the provisions of the state's existing
information privacy breach notice law to local public agencies.
Specifically, this bill:
1) Applies the provisions of the state's existing information
privacy breach notice law to local agencies.
2) Declares that if the Commission on State Mandates determines
that this act contains costs mandated by the state,
reimbursement to local agencies and school districts for those
costs shall be made pursuant to Part 7 (commencing with
Section 17500) of Division 4 of Title 2 of the Government
Code.
3) Makes a non-substantive technical correction.
EXISTING LAW:
1) Requires any state office, officer, or executive agency that
owns or licenses computerized data that includes personal
information to disclose any breach of the security of the
system following discovery or notification of the breach in
the security of the data to any resident of California whose
unencrypted personal information was, or is reasonably
believed to have been, acquired by an unauthorized person.
Provides further that disclosure shall be made in the most
expedient time possible and without unreasonable delay.
2) Notwithstanding the above notice requirements, a person,
business, or agency that maintains its own notification
procedures as part of an information security policy that is
consistent with the requirements of the security breach law,
shall be deemed to be in compliance with the notification of
state law if the agency, person, or business notifies subject
persons in accordance with its own policies.
3) Defines "breach of the security of the system" to mean
"unauthorized acquisition of computerized data that
compromises the security, confidentiality, or integrity of
personal information maintained by the agency. Good faith
acquisition of personal information by an employee or agent of
the agency for the purposes of the agency is not a breach of
the security of the system, provided that the personal
information is not used or subject to further unauthorized
disclosure."
4) Defines "personal information" to mean an individual's first
name or first initial and last name in combination with any
one or more of the following data elements, when either the
name or the data elements are not encrypted: social security
number, driver's license number or California identification
card number, account number, credit or debit card number, in
combination with any required security code, access code, or
password that would permit access to an individual's financial
account, medical information, or health insurance information.
"Personal information" does not include publicly available
information that is lawfully made available to the general
public from federal, state, or local government records.
5) Provides that notice required under the above provisions may
be made by written notice or electronic notice, if the latter
is consistent with federal electronic signature standards.
Provides, however, that substitute notice, as specified, may
be used if the person, business, or agency determines that the
cost of providing notice would exceed $250,000 or that the
affected class of subject persons exceeds 500,000, or the
person, business, or agency does not have sufficient contact
information.
6) Requires, under federal law, that any entity covered by the
Health Insurance Portability and Accountability Act (HIPAA),
to notify any person whose personal information is compromised
by a data security breach and specifies the required content
of the notice.
FISCAL EFFECT: Unknown. This bill is keyed fiscal and a state
mandate.
COMMENTS:
1) This bill would extend the provisions of California's existing
state data breach notification law to local public agencies.
This is an author-sponsored measure.
2) According to the author, "U.S. households experienced about
$13.3 billion in direct financial losses due to identity theft
in 2010. Among households with losses of at least one dollar,
the average loss was about $2,200. In the past five years,
there have been numerous incidences of data breaches
throughout the state and local governments. Fortunately, for
state data breaches, state agencies are required to comply
with the Information Practices Act of 1977. With local
governments, there may be a patchwork of disclosure
requirements; however, existing law provides no certainty that
a consumer, taxpayer, or citizen receives disclosure about
their personal information being breached."
3) The California Information Privacy Act of 1977 operationalizes
the state constitutional guarantee of privacy by providing
limits on the collection, management and dissemination of
personal information by state agencies. That Act includes
provisions requiring state agencies and private businesses to
notify California residents if the agency believes that
personalized data it holds was acquired by an unauthorized
person.
According to the author, California's first-in-the nation data
breach notification statute was based on the premise that
individuals have a right to know when a data breach has
occurred and affected them. If consumers are made aware that
their personal information may have been compromised, they are
able to take steps to protect themselves from fraud or
identity theft. This requirement applies to state agencies,
but local public agencies have heretofore been exempt.
Based on information provided by the author's office, at least
twelve instances of local government data breaches have been
identified between 2006 and 2012. The numbers of individuals
affected range from 8 to 445,000 people, and the reasons for
breach include lost disks, stolen computers, and hacking.
Because the unauthorized disclosure of personal information can
occur at both the state and local level, the author contends
that there is no logical reason for the law to require
notifications for breaches of the same kinds of information at
one level of government but not another.
4) California's data breach notification law currently requires
state agencies that own or license electronic data that
includes personal information to disclose to California
residents when unencrypted data is believed to have been
acquired by an unauthorized person. The agency must make the
disclosure expediently and without unreasonable delay, subject
to the needs of law enforcement.
The notice must be written in plain language and include the
name and contact information of the agency, a list of the
types of personal information compromised, time and date of
the breach, length of any delays, a general description of the
incident, contact information for credit reporting agencies.
At its discretion, the agency may also include information
about the agency's response and advice on preventing fraud and
identity theft after a breach.
Notices going to more than 500 California residents must also be
shared with the Office of the Attorney General. Notice may
take the form of a written notice, an electronic notice (as
specified in federal law), or a substitute notice if the
notification would cost more than $250,000, include more than
500,000 people, or if the agency does not have adequate
contact information. The substitute notice must include email
notice where possible, conspicuous posting on the agency's
Internet web site, and notification to major statewide media
and the state Office of Information Security.
Additionally, agencies that maintain their own breach
notification procedures for personal information, provide
notice in compliance with those procedures, and otherwise
comply with the timing requirements of the measure (disclosure
must be expedient and without unreasonable delay, subject to
specified exceptions) are deemed to be in compliance with the
law.
It is unclear how many local agencies already have notification
procedures, although Sacramento County is known to have
procedures for reporting unauthorized disclosures of protected
health information.
This bill would apply these same provisions to all local public
agencies.
5) The topic of information privacy has been heavily legislated
over the past decade. Major bills in the area include:
a) SB 24 (Simitian) Chapter 197, Statutes of 2011, amended
California's security breach notification law to provide
that any agency, person, or business required to issue a
notification under existing law must meet additional
requirements regarding that notification, such as a "plain
language" mandate, and must include contact information
regarding the breach, the types of information breached,
and, if possible to determine, the date, estimated date, or
date range of the breach.
b) SB 1166 (Simitian, 2010) contained provisions roughly
comparable to those contained in SB 24 of 2011 (see above).
The bill passed on the Assembly Floor on a 50-25 vote, but
was subsequently vetoed.
c) SB 20 (Simitian, 2009) contained provisions roughly
comparable to those contained in SB 24 of 2011 (see above).
The bill passed on the Assembly Floor on a 56-13 vote, but
was subsequently vetoed.
d) SB 364 (Simitian, 2008) would have required that breach
notifications be written in plain language and contain
specified information, such as the name of the entity that
maintained the computerized data at the time of the breach
and a description of the categories of personal information
that was breached. The bill passed on the Assembly Floor
on a 57-19 vote, but was subsequently vetoed.
e) AB 1656 (Jones, 2008) would have prohibited specified
entities that sell goods or services from storing or
failing to limit access to payment related information
unless a specified exception applies. The bill passed on
the Assembly Floor on a 79-0 vote, but was subsequently
vetoed.
f) AB 779 (Jones, 2007) contained provisions roughly
comparable to those contained in AB 1656 of 2008 (see
above). The bill passed on the Assembly Floor on a 58-2
vote, but was subsequently vetoed.
g) AB 786 (Ruskin, 2006) would have provided California
State University employees with four hours of time off with
pay to minimize damages stemming from a data breach. AB 786
was held in Assembly Appropriations.
h) AB 2505 (Nunez, 2006) would have created the California
Information Security Response Team consisting of specified
state government officials for the purpose of centralizing
the state response to information security breaches and
computer-related crimes. AB 2505 failed passage on the
Senate floor.
i) SB 852 (Bowen) would have triggered the data breach
notification provision irrespective of whether the data was
computerized or not. It also would have required the
Office of Privacy Protection to receive a copy of the
notice sent to the consumer. SB 852 failed in the Assembly
Business and Professions Committee.
j) SB 1512 (Machado), 2005-06 Session, would have increased
the dollar threshold for the "substitute notice" provision
from $250,000 to $500,000. SB 1512 was held in the Senate
Judiciary Committee.
aa) SB 1386 (Peace), Chapter 915, Statutes of 2002, requires
a state agency, a person or business that conducts business
in California and owns or licenses computerized data that
includes personal information, as defined, to disclose in
specified ways any breach of the security of the data, as
defined, to any resident of California whose unencrypted
personal information was or is reasonably believed to have
been acquired by an unauthorized person.
The California Office of Privacy states that there are
currently sixteen separate bills related to privacy and
personal information pending in the Legislature.
6) This bill was heard in the Judiciary Committee on April 17,
where it was approved on a 10-0 vote.
7) This bill is keyed a state mandate which means that if the
Commission on State Mandates deems this a reimbursable
mandate, then the state could be responsible for all of the
notice and other costs associated with this bill.
8) Support arguments: According to Consumers Union, AB 2455
"would provide consumers with more protection from identity
theft by requiring notice of a data breach from local agencies
when there is a breach of important personal information.
Consumers' personal identifying information is the key to a
consumer's financial life. This information can create serious
consequences for consumers if it is not kept secure... [I]dentity
theft continues to be a number one reported complaint.
Consumers can't protect themselves if they aren't even told
that files containing information about them have been
accessed by unauthorized persons."
Opposition arguments: The expansion of the state's data breach
notice law to all local agencies would arguably impose new
bureaucratic costs and delays in the operation of local
agencies. Furthermore, some local agencies will need time and
resources to learn how to implement the law properly, which
may initially mean an increase in unwarranted notices and a
concomitant increase in the time and effort spent by
individuals responding to phantom breaches.
REGISTERED SUPPORT / OPPOSITION:
Support
American Civil Liberties Union (ACLU)
American Federation of State, County and Municipal Employees
(AFSCME)
California School Employees Association (CSEA)
California Teachers Association
Consumer Federation of California
Consumers Union
Privacy Rights Clearinghouse
Opposition
None received.
Analysis Prepared by: Hank Dempsey / L. GOV. / (916) 319-3958