BILL ANALYSIS
SENATE COMMITTEE ON APPROPRIATIONS
Senator Ricardo Lara, Chair
2015 - 2016 Regular Session

AB 259 (Dababneh) - Personal information: privacy

Version: February 9, 2015          Policy Vote: JUD. 6 - 0
Urgency: No                        Mandate: No
Hearing Date: August 17, 2015      Consultant: Jolie Onodera

This bill meets the criteria for referral to the Suspense File.

Bill Summary: AB 259 would require a state or local agency, if the agency was the source of a data breach that compromised specified personal information of a person, to offer to provide appropriate identity theft prevention and mitigation services at no cost to the affected person for not less than 12 months, as specified.

Fiscal Impact: Potential major costs in the tens to hundreds of millions of dollars (General Fund), depending on the scope of a data breach to any of various state agencies, including but not limited to the Department of Motor Vehicles (DMV), Employment Development Department (EDD), and the Department of Consumer Affairs (DCA), for the provision of credit monitoring services in the event of a data breach. Even one event affecting 100,000 individuals could result in potential costs of $12 million to $36 million (General Fund) to provide credit monitoring services for one year. For context, the DMV has indicated custody of over 27 million records containing personal identifying information.

AB 259 (Dababneh) Page 1 of ?
Potential major non-reimbursable costs in the tens of millions of dollars (Local Funds) to local agencies to provide credit monitoring services to individuals impacted by data breaches. Costs would be dependent on the frequency of data breaches, the number of individuals impacted, and the time period for which services are provided.

Background: Under existing law, any state or local agency, person, or business that conducts business in the state, and that owns, licenses, or maintains computerized data that includes personal information, is required to disclose any breach of the security of the system following discovery or notification of the breach in the security to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Existing law specifies the timing and manner in which the disclosure is required to be made, as well as the specific information to be included in the security breach notification.

Under recently enacted legislation, AB 1710 (Dickinson) Chapter 855/2014, upon a data breach that compromises a person's first name or first initial and last name, along with his or her social security number, driver's license number, or California identification card number, a person or business is required to offer to provide appropriate identity theft prevention and mitigation services to an affected person at no cost for at least 12 months if the person or business was the source of the data breach. This bill seeks to extend the same requirement to state and local agencies that are the source of a data breach.

Proposed Law: This bill would require a state or local agency that was the source of a data breach, if the breach exposed an individual's first name or first initial and last name along with their social security number, driver's license number, or California identification card number, to offer to provide appropriate identity theft prevention and mitigation services, if any, at no cost to the affected person for not less than 12 months, along with all information necessary to take advantage of the offer, to any person whose information was or may have been breached, as specified.

Related Legislation: AB 1710 (Dickinson) Chapter 855/2014 requires a person or business to offer appropriate identity theft prevention and mitigation services to an affected person at no cost for not less than 12 months if the person or business was the source of the data breach, as specified.

Staff Comments: To the extent a data breach of specified personal information occurs, the provisions of this bill could result in substantial costs to various state and local agencies that retain the specified personal data of individuals potentially subject to data breach notification and the provision of identity theft prevention services as required. Based on information surveyed from credit monitoring services, bulk enrollment costs for credit monitoring services, in which the vendor is provided with a complete list of individuals at once from the breached entity, generally range from $10 to $30 per month per person ($120 to $360 per year per person), depending on the type of monitoring package offered by the vendor.
For context, numerous state departments retain personal information potentially subject to the provisions of this bill including, but not limited to, the Department of Motor Vehicles (27 million records), the Employment Development Department (14 million records), the Department of Veterans Affairs (over 1.6 million records), and the Department of Consumer Affairs (over 3 million records). The number of individuals potentially impacted by this bill is in excess of the tens of millions. To the extent even one data breach occurs, significant costs would likely be incurred by these agencies, the magnitude of which would be dependent on the number of records impacted, the number of individuals affected who accept the offered services, and the duration of services provided. For every 100,000 individuals whose personal data is compromised, annual costs could range from $12 million to $36 million (General Fund) to provide services for 12 months.

Moreover, coordinating the administration of the provisions of this bill would likely require additional resources for development of an implementation plan and guidelines, as well as ongoing workload to respond to inquiries.

-- END --