CSAC has taken an opposition position on Assembly Bill 259, by Assembly Member Matthew Dababneh. 

Current law requires an agency that owns or licenses computerized data that includes personal information to provide notification of any breach in the security of that data to any California resident whose personal information may have been compromised by the breach. AB 259 would additionally require an agency, if the agency was the source of the breach and the breach compromised a person’s social security number, driver’s license number, or California identification card number, to offer to provide the person with identity theft prevention and mitigation services at no cost for not less than 12 months.

CSAC opposes AB 259 for the following reasons:

Interconnectedness with State and Federal Agencies
State and federal agencies and their associated data centers (such as the Department of Justice and Department of Veterans’ Affairs) now require more interconnection with local governments. An example of a major connection is with the California Department of Motor Vehicles (DMV), which requires local agencies to renew our DMV network access agreements on an annual basis. This interconnection begs the question of which agency would be liable in certain breaches if a hacker accesses DMV driver’s license information by utilizing the county’s connection to the DMV, which agency must cover the costs associated with the provisions of AB 259. If it were a local government employee who perpetuated the breach, would the local agency cover the $100/person cost for credit monitoring for possibly millions of Californians affected? Would the same liability apply had the breach occurred through the county’s connection to a state or federal agency but not by someone within the county? To avoid such lack of clarity in these situations, AB 259 should at least be amended to ensure local agencies are only liable for systems and data that are fully within their control – shared systems with the state or federal government should be limited to the residents within the local jurisdiction.

What is “Appropriate”?
AB 259 contains an undefined standard of “appropriate” remedial services. Our coalition is troubled that a lack of specificity could lead to an expansive opinion of what measures must be taken by local governments to remedy a data breach for those affected.

Cost Concerns
The requirements in AB 259 add to existing requirements that local agencies notify residents and consumers of any identity theft (Ca. Civil Code §1798.29). The additional requirement to provide the free services outlined in AB 259 could pose crippling costs to our agencies. The average cost of annual credit monitoring is $100 per year; a large enough data breach could result in millions of dollars in costs to local governments already struggling to provide basic services to their residents. AB 259 should be amended with a funding mechanism to provide the initial and ongoing resources for local governments to meet the requirements of this bill.

Additional feedback from counties is appreciated.

Governor Brown Signs Paid Sick Leave Clean-Up Bill

The Governor this week signed AB 304 (Chapter No. 67, Statues of 2015) by Assembly Member Lorena Gonzalez. CSAC and the California Chamber of Commerce worked diligently since the beginning of this year with the author’s office and labor interests to include as much clarification and flexibility language in the bill as possible; while not all of our requests and concerns were met, it remains a bill that will ensure far smoother implementation of last year’s Healthy Workplaces, Healthy Families Act of 2014 (the Act).

CSAC included an in-depth analysis of the provisions of both the initial Act and the newly-signed AB 304 in our CSAC Bulletin lead article on July 2. We would note the following highlights included in the clean-up measure:

Exempts from the provisions of the Act both 1937 Act and CalPERS’ retired annuitants.

1. Alternative accrual methods. Employers will now have an additional method of accrual for paid sick leave: the employee can accrue the leave on a regular basis via an accrual rate other than hours worked (i.e., per week, per pay period or per month).
2. Frontloading. AB 304 adds a provision for employers to provide 24 hours or three days of paid sick leave to new employees for use by the completion of 120 days of employment.
3. The bill specifies that the 30-day eligibility period before an employee is entitled to the paid sick leave must be with the same employer.
4. Full amount of leave defined. For those employers utilizing the method of frontloading the full amount of leave to an employee at the beginning of each year, AB 304 provides that “full amount of leave” means three days or 24 hours and “beginning of the year” means at the beginning of each calendar year, 12-month basis or year of employment.
5. Grandfathered policies. AB 304 will allow employers that have existing paid sick leave policies for a class of employees that was in effect before January 1, 2015 and provides at least one day or eight hours of paid sick leave/PTO within three months of employment and the employee was eligible to earn at least three days or 24 hours of paid sick leave/PTO within nine months of employment to continue moving forward with that policy for new and existing employees.
6. Calculating rate of pay. Clean-up language clarifies how to calculate the rate of pay for sick leave, and provides two calculation methods for nonexempt employees: a) regular rate of pay for a workweek, and b) dividing the employee’s total wages by total hours worked during the full pay periods of the prior 90 days of employment.
7. Reinstatement of leave. AB 304 will provide that the amount of sick leave reinstated to an employee rehired within 12 months of separation is only that up to the six days or 48 hours of unused accrued sick leave.

AB 304 contains an urgency clause, which means the bill will go into effect immediately upon signing by the Governor. The bill is currently enduring the committee process in the Senate with a goal of getting to the Governor prior to the legislative summer recess (July 17).