BILL ANALYSIS
AB 2455
Page 1
Date of Hearing: May 9, 2012
ASSEMBLY COMMITTEE ON APPROPRIATIONS
Felipe Fuentes, Chair
AB 2455 (Campos) - As Amended: March 21, 2012
Policy Committee: Judiciary            Vote: 10-0
                  Local Government           9-0
Urgency: No
State Mandated Local Program: Yes
Reimbursable: Yes
SUMMARY
This bill requires local agencies to comply with the state's
information privacy breach notification law, which requires an
agency that owns or licenses a computer data system including
personal information to provide notification to impacted persons
following any breach of the data whereby personal information
was, or is believed to have been, acquired.
The notification requirement includes providing specified
information to those impacted, either by written notice or
electronically. If the cost of notification would exceed
$250,000 or the number of persons to be notified exceeds
500,000, a substitute notice can be provided, consisting of an
email notice to persons for whom the agency has an email
address, a posting about the breach on the agency's website, and
notification to major statewide media and the Office of
Information Security within the California Technology Agency. If
a local agency has its own notification procedures consistent
with the state's notification requirements, it is deemed in
compliance with the state requirements.
FISCAL EFFECT
Any costs for counties to comply with the state notification
requirements would be state reimbursable. These costs, which are
unknown and would depend on the number and size of any breaches,
could exceed $150,000 in any fiscal year.
COMMENTS
1) Background. The existing breach notification law consists of
two parallel sections in the Civil Code: one section applying
to state agencies and another, nearly identical, section
applying to persons and businesses. The section relating to
state agencies is located within the state's Information
Practices Act (IPA) of 1977, and does not apply to local
government agencies - which were expressly exempted from the
original IPA in 1985. It is not clear why local agencies were
carved out of the IPA, but one possible reason is a concern
over potential costs to the state of imposing a local mandate.
2) Purpose. According to the author, the state's breach
notification law should "no longer [be] considered optional
for any type of employer or any level of government." The
author concedes that some governments may already be providing
notices when a breach occurs, but contends this results in "a
patchwork of disclosure requirements" that provides no
certainty to the consumer, taxpayer, or citizen whose personal
information has been breached.
Based on information provided by the author's office, at least
12 instances of local government data breaches have been
identified between 2006 and 2012. The numbers of individuals
affected range from eight to 445,000 people, and the reasons
for breach include lost disks, stolen computers, and hacking.
Analysis Prepared by: Chuck Nicol / APPR. / (916) 319-2081