BILL NUMBER: SB 1386	AMENDED
	BILL TEXT

	AMENDED IN ASSEMBLY  JUNE 6, 2002
	AMENDED IN SENATE  MARCH 20, 2002

INTRODUCED BY   Senator Peace

                        FEBRUARY 12, 2002

   An act to amend  Section 11019.9 of the Government Code,
relating to privacy.   , renumber, and add Section
1798.82 of, and to add Section 1798.29 to, the Civil Code, relating
to personal information. 



	LEGISLATIVE COUNSEL'S DIGEST


   SB 1386, as amended, Peace.   Public records 
 Personal information  : privacy. 
   Existing law regulates the maintenance and dissemination of
personal information by state agencies, as defined, and requires each
agency to keep an accurate account of disclosures made pursuant to
specified provisions.  Existing law also requires a business, as
defined, to take all reasonable steps to destroy a customer's records
that contain personal information when the business will no longer
retain those records.  Existing law provides civil remedies for
violations of these provisions.
   This bill would require state agencies and businesses that
maintain computer data systems that contain personal information to
disclose, as specified, any breach of the security of the systems, as
defined, to any person whose personal information was, or may have
been, accessed by an unauthorized person.  This bill would also make
a statement of legislative findings and declarations regarding
privacy and financial security.  
   The California Public Records Act requires state and local
agencies to make public records available upon receipt of a request
that reasonably describes an identifiable record not otherwise exempt
from disclosure by express provisions of law, and upon payment of
fees to cover costs.
   Existing law also requires a state department or agency to enact
and maintain a permanent privacy policy consistent with specified
principles.
   This bill would provide that information withheld pursuant to this
privacy policy is not subject to disclosure under the California
Public Records Act. 
   Vote:  majority.  Appropriation:  no.  Fiscal committee:  
no   yes  . State-mandated local program:  no.


THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:

  
  SECTION 1.  Section 11019.9 of the Government Code is amended to
read:
   11019.9.  (a) Each state department and state agency shall enact
and maintain a permanent privacy policy, in adherence with the
Information Practices Act of 1977 (Title 1.8 (commencing with Section
1798) of Part 4 of Division 3 of the Civil Code), that includes, but
is not limited to, the following principles:
   (1) Personally identifiable information is only obtained through
lawful means.
   (2) The purposes for which personally identifiable data are
collected are specified at or prior to the time of collection, and
any subsequent use is limited to the fulfillment of purposes not
inconsistent with those purposes previously specified.
   (3) Personal data shall not be disclosed, made available, or
otherwise used for purposes other than those specified, except with
the consent of the subject of the data, or as authorized by law or
regulation.
   (4) Personal data collected must be relevant to the purpose for
which it is collected.
   (5) The general means by which personal data is protected against
loss, unauthorized access, use, modification or disclosure shall be
posted, unless that disclosure of general means would compromise
legitimate state department or state agency objectives or law
enforcement purposes.
   (b) Each state department or state agency shall designate a
position within the department or agency, the duties of which shall
include, but not be limited to, responsibility for the privacy policy
within that department or agency.
   (c) Information withheld pursuant to this section is not subject
to disclosure under the California Public Records Act (Chapter 3.5
(commencing with Section 6250) of Division 7 of Title 1).  

  SECTION 1.  (a) The privacy and financial security of individuals
is increasingly at risk due to the ever more widespread collection of
personal information by both the private and public sector.
   (b) Credit card transactions, magazine subscriptions, telephone
numbers, real estate records, automobile registrations, consumer
surveys, warranty registrations, credit reports, and Internet sites
are all sources of personal information and form the source material
for identity thieves.
   (c) Identity theft is one of the fastest growing crimes committed
in California.  Criminals who steal personal information such as
social security numbers use the information to open credit card
accounts, write bad checks, buy cars, and commit other financial
crimes with other people's identities. The Los Angeles County
Sheriff's Department reports that the 1,932 identity theft cases it received
in the year 2000 represented a 108 percent increase over the previous
year's caseload.
   (d) Identity theft is costly, to the marketplace and to consumers.
  The Secret Service estimated the cost of identity theft at seven
hundred forty-five million dollars ($745,000,000) in the year 1997.
According to a May 2000 survey by CalPIRG and the Privacy Rights
Clearinghouse, the average consumer victim spends 175 hours and eight
hundred dollars ($800) resolving identity theft problems.  During
this time, consumers often have trouble establishing new credit,
renting apartments, and finding employment, since many applications
require a credit check as part of the approval process.
   (e) According to the Attorney General, victims of identity theft
must act quickly to minimize the damage; therefore expeditious
notification of possible misuse of a person's personal information is
imperative.
  SEC. 2.  Section 1798.29 is added to the Civil Code, to read:
   1798.29.  (a) Any agency that maintains a computerized data system
that contains personal information shall disclose any breach of the
security of the system immediately, or as soon as is practicable
thereafter, following discovery of the breach in the security of the
data to any person whose personal information was, or may have been,
accessed by an unauthorized person.
   (b) For purposes of this section, "breach of the security of the
system" means unauthorized access to personal information contained
in a database that could be used to violate Section 530.5 of the
Penal Code.
  SEC. 3.  Section 1798.82 of the Civil Code is amended and
renumbered to read:  
   1798.82.  
   1798.83.   (a) Any customer injured by a violation of this
title may institute a civil action to recover damages.
   (b) Any business that violates, proposes to violate, or has
violated this title may be enjoined.
   (c) The rights and remedies available under this section are
cumulative to each other and to any other rights and remedies
available under law.   
  SEC. 4.  Section 1798.82 is added to the Civil Code, to read:
   1798.82.  (a) Any person or business that maintains a computerized
data system that contains personal information shall disclose any
breach of the security of the system immediately, or as soon as is
practicable thereafter, following discovery of the breach in the
security of the data to any person whose personal information was, or
may have been, accessed by an unauthorized person.
   (b) For purposes of this section, "breach of the security of the
system" means unauthorized access to personal information contained
in a database that could be used to violate Section 530.5 of the
Penal Code.