BILL NUMBER: AB 1387 AMENDED
BILL TEXT
AMENDED IN ASSEMBLY MAY 13, 2003
AMENDED IN ASSEMBLY APRIL 30, 2003
AMENDED IN ASSEMBLY APRIL 21, 2003
INTRODUCED BY Assembly Member Yee
FEBRUARY 21, 2003
An act to add Sections 9174, 9926, 9927, 9928, and 9929 to the
Government Code, relating to the Legislature.
LEGISLATIVE COUNSEL'S DIGEST
AB 1387, as amended, Yee. Legislature.
Under existing law, each house of the Legislature appoints its own
employees.
This bill would require that each house of the Legislature use a
unique number other than an individual's social security number to
identify its employees, beginning January 1, 2005.
Under existing law, state agencies in the executive branch are
required to establish a permanent privacy policy that includes
certain provisions.
This bill would require that each house of the Legislature
establish and maintain a permanent privacy policy that includes the
principles set forth in existing law for state agencies. The bill
would also require each house to provide specified notice to persons
before collecting personal information, to establish rules for
persons using this personal information, to establish safeguards to
protect the confidentiality of the personal information, and to
provide notification of any breach in security.
The provisions of this bill would become operative on January 1,
2005.
Vote: majority. Appropriation: no. Fiscal committee: no.
State-mandated local program: no.
THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:
SECTION 1. Section 9174 is added to the Government Code, to read:
9174. On and after January 1, 2005, each house of the Legislature
shall use a unique identifying number other than an individual's
social security number to identify its employees.
SEC. 2. Section 9926 is added to the Government Code, to read:
9926. (a) Each house of the Legislature shall establish and
maintain a permanent privacy policy that includes, but is not limited
to, the following principles:
(1) Personally identifiable information is obtained only through
lawful means.
(2) The purposes for which personally identifiable data are
requested are specified at or prior to the time of collection, and
any subsequent use is limited to the fulfillment of purposes not
inconsistent with those purposes previously specified.
(3) Personal data is not disclosed, made available, or otherwise
used for purposes other than those specified, except with the consent
of the subject of the data, or as authorized by statute, regulation,
rule, or policy adopted by the Committee on Rules of the house.
(4) Personal data collected is relevant to the purpose for which
it is collected.
(5) The general means by which personal data is protected against
loss, unauthorized access, use, modification, or disclosure is posted,
unless that disclosure of general means would compromise legitimate
objectives of either house of the Legislature or law enforcement
purposes.
(b) Each house of the Legislature shall designate a position
within the house, the duties of which shall include, but not be
limited to, responsibility for the privacy policy within that house.
SEC. 3. Section 9927 is added to the Government Code, to read:
9927. Each house of the Legislature shall provide, on or with any
form used to collect personal information from individuals, the
notice specified in this section. When contact with the individual
is of a regularly recurring nature, an initial notice followed by a
periodic notice at least once per session satisfies this requirement.
This requirement is also satisfied by notification each session to
individuals of the availability of the notice. The notice shall
include all of the following:
(a) The title, business address, and telephone number of the
official who is responsible for the system of records.
(b) The authority, whether granted or required by
statute, regulation, rule, or policy adopted by the Committee on
Rules of the house, that authorizes or requires the
maintenance of the information.
(c) With respect to each item of information, whether submission
of the information is mandatory or voluntary.
(d) The consequences, if any, of not providing all or any part of
the requested information.
(e) The principal purpose or purposes within the Legislature for
which the information is to be used.
The notice required by this section does not apply to requirements
for an individual to provide his or her name, identifying number,
photograph, address, or similar identifying information if this
information is used only for the purpose of identification and
communication with the individual by the Legislature, except that
requirements for an individual's social security number shall conform
to the provisions of state and federal law. The notice required by
this section does not apply to the Legislature when it uses forms
adopted by another state agency.
SEC. 4. Section 9928 is added to the Government Code, to read:
9928. (a) Each house of the Legislature shall establish rules of
conduct for persons involved in the design, development, operation,
disclosure, or maintenance of records containing personal
information, and instruct each such person with respect to those
rules.
(b) Each house of the Legislature with the assistance of the
Legislative Counsel shall establish appropriate and reasonable
administrative, technical, and physical safeguards to ensure the
security and confidentiality of records consistent with existing law,
and to protect against anticipated threats or hazards to their
security or integrity that could result in any injury.
SEC. 5. Section 9929 is added to the Government Code, to read:
9929. (a) If a house of the Legislature owns or has license to
computerized data that includes personal information, following
discovery or notice of any breach in the security of its computerized
data system the house shall notify any person whose unencrypted
personal information was, or is reasonably believed to have been,
thereby acquired by an unauthorized person. The notification shall be
made in the most expedient time possible and without unreasonable
delay, consistent with subdivision (c) and any measures necessary to
determine the scope of the breach and restore the reasonable
integrity of the data system. Following discovery or notice of a
breach in the security of the Legislature's computerized data
systems, the Legislative Counsel shall notify the affected house of
the Legislature in the most expedient time possible and without
unnecessary delay. Unless the Legislature discovers or is notified
of a breach by other means, the Legislature shall not be required to
make the notification to persons whose unencrypted personal
information was, or is believed to have been, acquired by an
unauthorized person, until the Legislature receives notice of the
breach from the Legislative Counsel.
(b) If a house of the Legislature maintains computerized data that
includes personal information that the house does not own or have
license to, immediately following discovery or notice of any breach
in the security of its computerized data system the house shall
notify the owner or licensee of any personal information that was, or
is reasonably believed to have been, thereby acquired by an
unauthorized person.
(c) The notification required by this section may be delayed if a
law enforcement agency determines that the notification will impede a
criminal investigation.
(d) For purposes of this section, "breach in the security" of a
system means the unauthorized acquisition of computerized data that
compromises the security, confidentiality, or integrity of personal
information maintained by the house of the Legislature. Good faith
acquisition of personal information by an employee or agent of either
house of the Legislature for the purposes of the house is not a
breach of the security of the system, provided that the personal
information is not made subject to unauthorized disclosure.
(e) For purposes of this section, "personal information" means a
person's first name or first initial and last name in combination
with one or more of the following data elements, when either the name
or the data element or elements are not encrypted:
(1) The person's social security number.
(2) The person's driver's license number or California
identification card number.
(3) The person's account number, credit or debit card number, in
combination with any required security code, access code, or password
that would permit access to the person's financial account.
(f) For purposes of this section, "personal information" does not
include information that is lawfully made available to the general
public from federal, state, or local government records.
(g) For purposes of this section, notification may be provided by
one of the following methods:
(1) Written notice.
(2) E-mail.
(3) Electronic notice, if the notice provided is consistent with
the provisions regarding electronic records and signatures set forth
in Section 7001 of Title 15 of the United States Code.
(4) Substitute notice, if the cost of providing notice would
exceed two hundred fifty thousand dollars ($250,000), or the affected
class of subject persons to be notified exceeds 500,000, or the
house of the Legislature does not have sufficient contact
information. Substitute notice may be provided by performing both of
the following:
(A) Conspicuous posting of the notice on the Web site page of each
house of the Legislature.
(B) Notification to major statewide media.
(h) Notwithstanding subdivision (g), if a house of the Legislature
maintains its own notification procedures as part of an information
security policy for the treatment of personal information and its
procedures are consistent with the timing requirements of this
section, it shall be deemed to be in compliance with the notification
requirements of this section if it notifies subject persons in
accordance with its policies in the event of a breach in the security
of the system.
SEC. 6. The provisions of this act shall become operative on
January 1, 2005.