A state bill sought to require public agencies to offer identity theft prevention or mitigation services at no cost to consumers if there was a breach of personal information, including a Social Security number or drivers license number. (Justin Sullivan / Getty Images)
News of stores and hospitals hit hard by major cyberattacks has mobilized California lawmakers to increase safeguards against identity theft in the private sector. But strengthening laws to protect personal information in the event of a government data breach has proved much harder.
Legislation to require state and local agencies to provide 12 months of identity theft protection for anyone affected by a government data breach — similar to what’s required of businesses — stalled in a fiscal committee in the Legislature amid concerns over the costs it would impose on cash-strapped state and local budgets.
The bill by Assemblyman Matt Dababneh (D-Woodland Hills) was meant to motivate government agencies to better secure sensitive information, a strategy that its supporters said worked when major retailers, such as Home Depot and Target, were failing to protect their customers.
But opponents argued that as state and federal agencies increasingly share data centers, it would be difficult to discern which agency was liable for a breach. The real burden, security experts said, would instead fall on taxpayers — many of whom will not only have lost their data but would end up having to foot the bill too.
“Once you have a Social Security number stolen, once you have your credit card information stolen, you can never be made whole again,” said Chester Wisniewski, principal research scientist at Sophos, a security software and hardware company. “You can’t put the genie back in the bottle.”
Long before cybersecurity became a national focus amid a contentious election, California lawmakers were grappling with the growing threat of security breaches across the state. A 2016 report from then-Atty. Gen. Kamala Harris found that though the number of attacks nationwide remained relatively flat in 2015, the actual records compromised had drastically increased, from 4.3 million in 2014 to more than 24 million the following year.
In that time, just six breaches were responsible for 70% of nearly 50 million records stolen in California. The hardest hit was health insurance provider Anthem, which had 10.4 million records breached in 2015. Just below it were retail giants Target and Living Social, each which compromised 7.5 million of the stolen records in 2013.
The attacks spurred lawmakers to pass a 2014 state law that required any person or business responsible for a breach of Social Security or driver’s license numbers to offer an identity theft protection or mitigation service to those affected at no cost, for at least 12 months.
Dababneh has since sought to extend the measure to state agencies responsible for transferring, storing and destroying the kinds of personal data that are often more valuable to hackers. In recent years, according to a state legislative analysis, security breaches have been reported in at least 10 California public agencies, including the California State University system, the Departments of Motor Vehicles, Social Services and Employment Development.
As major retailers and private companies have moved to fortify their cybersecurity teams, Dababneh said, “what we have seen is the technology that our public agencies and even state and federal agencies are using, compared to the private market, is falling farther and farther behind.”
But security experts say private companies have been more motivated by negative publicity than state law to boost their information security teams.
And Dababneh’s bill, similar to another that was blocked last year, has faced a larger hurdle: its cost. His latest proposal was rejected by the Assembly Appropriations Committee, which found it could cost hundreds of millions — even billions — of dollars for state and local agencies. If an attack on the Department of Motor Vehicles were to compromise one quarter of its 26 million driver’s license records, the committee’s analysis said, the expense for providing identity theft prevention to the affected residents would be more than $1 billion, assuming a cost of $15 monthly per person.
If 6,000 people were affected, the cost was estimated at roughly $1 million.
In an opposition letter, the California State Assn. of Counties, the Urban Counties of California, and the League of California Cities said “a large enough data breach could result in millions of dollars in costs to local governments already struggling to provide basic services to their residents.”
Dababneh said his goal is to look into the possibilities of creating an insurance market through which state agencies could pool together their resources to fund the identity theft protection or mitigations services. Security experts doubt those services would be beneficial to residents after their information has been stolen, saying the pooled money would be better spent on prevention services.
For now, prevention is the major focus of the most significant cybersecurity bill sailing through the legislative process with bipartisan support. The bill by Assemblyman Jay Obernolte (R-Big Bear Lake) would establish the California Cybersecurity Integration Center to develop a cybersecurity strategy. It would require the director of the state’s Office of Emergency Services to administer $193 million in federal grant money for cybersecurity prevention measures.
Assemblyman Ed Chau (D-Arcadia), chairman of his chamber’s privacy and consumer protection committee, said multiple reasons have kept lawmakers from figuring out how to deal with the complex and evolving threat of security breaches to public and private networks, including costs, the intangible nature of the threat and differences of opinion between the public and private sectors on information security.
“It is not an exaggeration to say that cybersecurity may well be the single biggest challenge that the public sector will face over the next decade or more,” he said in a statement. “We don’t necessarily need legislation for every new technology that comes along, or in response to every data breach, but we should certainly be thinking and talking about it.”