Data Breaches Could Cost Considerably More for California Public Agencies with AB 241
Friday, April 14, 2017
Measure AB 241, creating new requirements for public agencies in the event of a data breach, continues to move through the legislative process. AB 241 (Dababneh – D) would amend Section 1798.29 of the Civil Code and require California state and local government agencies to provide at least 12 months of free identity theft protection and mitigation services to consumers affected by data breaches of government agencies.
Identity theft prevention and mitigation services would be required to be provided if names are exposed in combination with a Social Security number or a driver’s license number as part of the data breach. Services offered may include credit report monitoring and security freezes provided by credit reporting agencies which aid in the prevention of fraud and identity theft. The public agency must also provide all necessary information for affected consumers to take advantage of the offer. Existing law already requires private businesses to offer the same services to affected individuals following a data breach.
Organizations in support of Measure AB 241, including the Los Angeles County Professional Peace Officers Association, suggest that equalizing the standards for public agencies and private entities will strengthen confidence in public agencies to manage personal data. Other organizations, such as the California Chamber of Commerce and the Computing Technology Industry Association (CompTIA), support the measure because it ensures individuals affected by data breaches will receive the necessary level of protection regardless of the type of entity breached. Organizations registered in support of Measure AB 241 include the Association of California Life & Health Insurance Companies, California Bankers Association, California Business Properties Association, California Cable and Telecommunications Association, California Grocers Association, Organization of SMUD Employees, Personal Insurance Federation of California, San Diego Court Employees, and San Luis Obispo County Employees.
Organizations registered in opposition to the measure include the California State Association of Counties (CSAC), League of California Cities (LOCC), and Urban Counties of California (UCC). These entities are concerned with the potential ambiguity regarding what constitutes remedial services for data breaches and the cost associated with providing free services to affected individuals. In a letter of opposition authored by multiple organizations, entities including CSAC, LOCC, and UCC stated that “…AB 241 should at least be amended to ensure local agencies are only liable for systems and data that are fully within their control – shared systems with the state or federal government should be limited to the residents within local jurisdiction.”
The California Department of Justice’s “California Data Breach Report” from 2012 to 2015 states that 657 reports of data breaches were submitted to the Attorney General including reports from public agencies. The reported data breaches compromised the personal data of more than 500 California residents. In recent years, public institutions that have reported data breaches include California State University, Department of Corrections and Rehabilitation, Department of Public Health, Department of State Hospitals, Correctional Health Care Services, Department of Social Services, Department of Justice, Department of Child Support Services, Employment Development Department, and the Department of Motor Vehicles.
MISAC will continue to monitor AB 241 and update its membership on its status and, if adopted, on strategies for addressing the new financial risks for their public agencies.