BILL ANALYSIS
AB 259
Page 1
ASSEMBLY THIRD READING
AB 259 (Dababneh)
As Introduced February 9, 2015
Majority vote
-------------------------------------------------------------------
|Committee |Votes |Ayes |Noes |
|----------------+------+--------------------+----------------------|
|Privacy |11-0 |Gatto, Wilk, Baker, Calderon, Chang, Chau, Cooper, Dababneh, Dahle, Gordon, Low | |
|----------------+------+--------------------+----------------------|
|Appropriations |17-0 |Gomez, Bigelow, Bonta, Calderon, Chang, Daly, Eggman, Gallagher, Eduardo Garcia, Gordon, Holden, Jones, Quirk, Rendon, Wagner, Weber, Wood | |
-------------------------------------------------------------------
SUMMARY: Requires a public agency that is the source of a data
breach to offer at least 12 months of identity theft prevention
and mitigation services at no cost to affected consumers.
Specifically, this bill:
1)Requires a public agency that is the source of a data breach and
is required to provide affected persons with notice of the
breach to provide at least 12 months of appropriate identity
theft prevention and mitigation services at no cost to the
affected persons.
2)Requires a public agency to give affected persons all
information necessary to take advantage of the offer for
identity theft prevention and mitigation services.
3)Requires a public agency to offer identity theft prevention and
mitigation services only if the breach exposed, or may have
exposed, a person's name in combination with a Social Security
number or a driver's license number.
4)Requires a public agency that delays the specified notification
at the direction of law enforcement to make the notification
promptly after a law enforcement agency determines that
notification will not compromise any criminal investigation.
5)Makes other technical and nonsubstantive amendments.
FISCAL EFFECT: According to the Assembly Appropriations
Committee, potentially significant, unabsorbable General Fund
costs, likely in the millions of dollars, if a security breach of
sufficient magnitude were to occur at an agency that holds
substantial personal data.
COMMENTS:
1)Purpose of this bill. This bill is intended to provide
individuals affected by a state or local agency data breach with
at least 12 months of identity theft protection for free. While
existing law already requires any private business responsible
for a significant breach to offer at least 12 months of identity
theft prevention and mitigation services, no such requirement exists
for public agencies. This bill would extend these protections
to include state and local agencies. This measure is
author-sponsored.
2)Author's statement. According to the author's office, "Whether
a data breach occurs at a state agency or a business, the same
standards should be in place to protect consumers. A breach
resulting in the release of Social Security or driver license
numbers can lead to identity theft, forcing consumers to monitor
their personal information for years to come."
3)Recent data breaches. More than 80 million people in the United
States were impacted by the February 2015 data breach at health
insurer Anthem. Information stolen in the breach included
current and former customers' names, birth dates, medical
identification numbers, Social Security numbers, home addresses,
email addresses, and employment and income data.
4)During 2012 to 2014, the following California public agencies
reported breaches: California State University, Department of
Corrections and Rehabilitation, Department of Public Health,
Department of State Hospitals, Correctional Health Care
Services, Department of Social Services, Department of Justice,
Department of Child Support Services, Employment Development
Department, and the Department of Motor Vehicles.
Analysis Prepared by:
Jennie Bretschneider / P. & C.P. / (916) 319-2200
FN: 0000586