When a Data Breach Happens, Will California Pay for Protection?

The chairman of the Assembly's Banking and Finance Committee is proposing that in the event of a breach of government data, California state and local agencies would be required to provide identity theft protection or mitigation services at no cost to constituents whose personal data may have been compromised.

February 8, 2017

The idea is the central purpose of the reintroduced legislation (AB 241) put forward this week by Assemblyman Matt Dababneh, D-Encino. State law already extends the same requirements to businesses or individuals. Under Dababneh's bill, the free identity theft protection would be offered for a period of at least 12 months.

Analysis

The legislation would potentially impact hundreds of thousands of records and millions of Californians in future years. Between 2012 and 2015, the state Attorney General said it received reports of 657 data breaches, each involving the personal information of more than 500 California residents, according to the California Department of Justice's 2016 data breach report. Government accounted for 5 percent of those breaches and 2 percent of total records breached between 2012 and 2015, the report said.

For big breaches, offering identity theft protection is costly. In 2015, the federal government spent a reported $133 million to provide ID theft protection services to an estimated 21.5 million people whose personal information was stolen in the much-publicized hacking of the Office of Personnel Management. In a separate incident, Utah spent millions of dollars for two years' worth of ID protection when Social Security numbers were stolen from the state's health department.

Dababneh introduced legislation nearly identical to AB 241 in 2015. That bill (AB 259) stalled in Appropriations. A committee analysis found Dababneh's legislation in 2015 would incur "potential major costs in the tens to hundreds of millions of dollars, depending on the scope of a data breach to any of various state agencies." Further findings from that analysis:

Even one event affecting 100,000 individuals could result in potential costs of $12 million to $36 million (General Fund) to provide credit monitoring services for one year.

Based on information surveyed from credit monitoring services, bulk enrollment costs for credit monitoring services in which the vendor is provided with a complete list of individuals at once from the breached entity generally range from $10 to $30 per month per person ($120 to $360 per year per person), depending on the type of monitoring package offered by the vendor.

The five biggest breaches (by number of records) reported to the California Attorney General 2012-15:


Source: California Attorney General

The U.S. market for identity theft protection services is $3 billion to $4 billion, according to one research firm. "Identity theft protection firms use software to track unauthorized use of credit and other personal information," IBISWorld reported in 2013. "[By] 2018, this industry is forecast to increase at an annualized rate of 2.1 percent to $3.8 billion."

This article was originally published on Techwire.

Matt Williams, Contributing Writer

Matt Williams was previously the news editor of Govtech.com, and is now a contributor to Government Technology and Public CIO magazines. He also previously served as the managing editor of TechWire, a sister publication to Government Technology.