BILL ANALYSIS
AB 1149
Page 1
Date of Hearing: May 15, 2013
ASSEMBLY COMMITTEE ON APPROPRIATIONS
Mike Gatto, Chair
AB 1149 (Campos) - As Introduced: February 22, 2013
Policy Committee: Judiciary (Vote: 10-0); Local Government (Vote: 9-0)
Urgency: No
State Mandated Local Program: Yes
Reimbursable: Yes
SUMMARY
This bill extends the provisions of the state's existing
information privacy breach notice law to local public agencies.
FISCAL EFFECT
Legislative Counsel has opined this bill constitutes a state
mandate that is subject to reimbursement of local costs by the
state. The specific mandate is the required notification of a
breach, as specified.
Estimated costs to the state for reimbursements could exceed
$150,000. The estimates depend on the number of breaches, which
is difficult to forecast. However, there are about 550 cities
and counties and about 1,000 school districts. Among the
thousands of special districts only hundreds may be eligible for
reimbursement under the state mandate program.
COMMENTS
1) Purpose. The author notes local government agencies have some
of our most personal information, such as date of birth,
social security number, driver's license number and medical
information. This is the type of personal information
identity thieves thrive upon. According to the author,
identity theft was responsible for more than $13.3 billion in
financial losses in 2010. AB 1149 applies the same notification
requirements to local governments that have existed for state
government since 1977. The author argues these requirements
are reasonable and overdue.
2) Support. Supporters, including The Privacy Rights
Clearinghouse, believe this bill will fill a gap in
California's existing breach notification law. Supporters
argue a great deal of highly sensitive personal information is
collected and held by local governments, yet local governments
are not required to provide any notifications to individuals
who may be the victim of a data breach. They contend the end
result of this failure to notify can be identity theft, as
individuals have no other mechanism for discovering the
existence of the breach.
3) Concerns. The California State Association of Counties, the
Urban Counties Caucus, the League of California Cities and the
California Special Districts Association have expressed
concerns about the fiscal and operational impacts of this
bill. They note local agencies must comply with federal
requirements under HIPAA regarding the privacy of health
information. They believe this bill's provisions could impact
many departments within their agencies, particularly counties,
and are concerned with the potentially costly new
responsibilities on local agencies at a time when we are
challenged to deliver core public services given difficult
fiscal conditions.
4) Background. The California Information Privacy Act of 1977
(Act) implements the state constitutional guarantee of privacy
by limiting the collection, management and dissemination of
personal information by state agencies. The Act includes
provisions requiring state agencies and private businesses to
notify California residents if the agency or business believes
an unauthorized person has accessed personalized data it
holds.
5) Previous legislation. This bill is substantially similar to
AB 2455 (Campos, 2012), which was held on this committee's
Suspense File.
Analysis Prepared by: Roger Dunstan / APPR. / (916) 319-2081