BILL NUMBER: SB 1386	AMENDED
	BILL TEXT

	AMENDED IN ASSEMBLY  JUNE 30, 2002
	AMENDED IN ASSEMBLY  JUNE 20, 2002
	AMENDED IN ASSEMBLY  JUNE 6, 2002
	AMENDED IN SENATE  MARCH 20, 2002

INTRODUCED BY   Senator Peace

                        FEBRUARY 12, 2002

   An act to amend, renumber, and add Section 1798.82 of, and to add
Section 1798.29 to, the Civil Code, relating to personal information,
and declaring the urgency thereof, to take effect immediately.



	LEGISLATIVE COUNSEL'S DIGEST


   SB 1386, as amended, Peace.  Personal information:  privacy.
    (1)  Existing law regulates the maintenance and
dissemination of personal information by state agencies, as defined,
and requires each agency to keep an accurate account of disclosures
made pursuant to specified provisions. Existing law also requires a
business, as defined, to take all reasonable steps to destroy a
customer's records that contain personal information when the
business will no longer retain those records.  Existing law provides
civil remedies for violations of these provisions.
   This bill would require state agencies and businesses that
maintain computer data systems that contain personal information to
disclose, as specified, any breach of the security of the systems, as
defined, to any person whose personal information was, or is
reasonably believed to have been, accessed by an unauthorized person.
  This bill would also make a statement of legislative findings and
declarations regarding privacy and financial security.  
   (2) This bill would declare that it is to take effect immediately
as an urgency statute. 
   Vote:   majority   2/3  .
Appropriation:  no.  Fiscal committee:  yes. State-mandated local
program:  no.


THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:


  SECTION 1.  (a) The privacy and financial security of individuals
is increasingly at risk due to the ever more widespread collection of
personal information by both the private and public sector.
   (b) Credit card transactions, magazine subscriptions, telephone
numbers, real estate records, automobile registrations, consumer
surveys, warranty registrations, credit reports, and Internet sites
are all sources of personal information and form the source material
for identity thieves.
   (c) Identity theft is one of the fastest growing crimes committed
in California.  Criminals who steal personal information such as
social security numbers use the information to open credit card
accounts, write bad checks, buy cars, and commit other financial
crimes with other people's identities. The Los Angeles County
Sheriff's Department reports that the 1,932 identity theft cases it received
in the year 2000 represented a 108 percent increase over the previous
year's caseload.
   (d) Identity theft is costly to the marketplace and to consumers.
The Secret Service estimated the cost of identity theft at seven
hundred forty-five million dollars ($745,000,000) in the year 1997.
According to a May 2000 survey by CalPIRG and the Privacy Rights
Clearinghouse, the average consumer victim spends 175 hours and eight
hundred dollars ($800) resolving identity theft problems.  During
this time, consumers often have trouble establishing new credit,
renting apartments, and finding employment, since many applications
require a credit check as part of the approval process.
   (e) According to the Attorney General, victims of identity theft
must act quickly to minimize the damage; therefore expeditious
notification of possible misuse of a person's personal information is
imperative.
  SEC. 2.  Section 1798.29 is added to the Civil Code, to read:
   1798.29.  (a) Any agency that maintains a computerized data system
that contains personal information shall disclose any breach of the
security of the system immediately following discovery of the breach
in the security of the data to any person whose personal information
was, or is reasonably believed to have been, accessed by an
unauthorized person.  The notification required by this subdivision
is not required if a law enforcement agency determines that the
notification will impede a criminal investigation.  The notification
required by this section shall be made after the law enforcement
agency determines that it would not compromise the investigation.
   (b) For purposes of this section, "breach of the security of the
system" means unauthorized access to personal information contained
in a data base that could be used to violate Section 530.5 of the
Penal Code, except that the disclosure of the name, address, or
telephone number, by itself, does not require the notification
specified in this section.
  SEC. 3.  Section 1798.82 of the Civil Code is amended and
renumbered to read:
   1798.83.  (a) Any customer injured by a violation of this title
may institute a civil action to recover damages.
   (b) Any business that violates, proposes to violate, or has
violated this title may be enjoined.
   (c) The rights and remedies available under this section are
cumulative to each other and to any other rights and remedies
available under law.
  SEC. 4.  Section 1798.82 is added to the Civil Code, to read:
   1798.82.  (a) Any person or business that maintains a computerized
data system that contains personal information shall disclose any
breach of the security of the system immediately following discovery
of the breach in the security of the data to any person whose
personal information was, or is reasonably believed to have been,
accessed by an unauthorized person.  The notification required by
this subdivision is not required if a law enforcement agency
determines that the notification will impede a criminal
investigation.  The notification required by this section shall be
made after the law enforcement agency determines that it would not
compromise the investigation.
   (b) For purposes of this section, "breach of the security of the
system" means unauthorized access to personal information contained
in a database that could be used to violate Section 530.5 of the
Penal Code, except that the disclosure of the name, address, or
telephone number, by itself, does not require the notification
specified in this section.  
  SEC. 5.  This act is an urgency statute necessary for the immediate
preservation of the public peace, health, or safety within the
meaning of Article IV of the Constitution and shall go into immediate
effect.  The facts constituting the necessity are:
   Because the recent incident at the Stephen P. Teale Data Center
has put the financial information of hundreds of thousands of state
workers at risk of identity theft, and because, currently, an entity
is not required to notify affected people when the security of its
computer data system is compromised, it is necessary that this act
take immediate effect.