BILL ANALYSIS                                                                                                                                                                                                    



                                                                  AB 1677
                                                                  Page  1


          CORRECTED - MAY 22, 2007
          
          ASSEMBLY THIRD READING
          AB 1677 (Charles Calderon)
          As Amended May 15, 2007
          Majority vote 

           JUDICIARY           7-3                                         
           
           ----------------------------------------------------------------- 
          |Ayes:|Jones, Evans, Feuer,      |     |                          |
          |     |Krekorian, Laird, Levine, |     |                          |
          |     |Lieber                    |     |                          |
          |     |                          |     |                          |
          |-----+--------------------------+-----+--------------------------|
          |Nays:|Tran, Adams, Keene        |     |                          |
          |     |                          |     |                          |
           ----------------------------------------------------------------- 
           SUMMARY:  Requires a business that provides banking and other  
          financial services over the Internet to implement policies and  
          procedures for authenticating the legitimacy of Internet  
          transactions.  Specifically, this bill:  

          1)Requires a business that provides banking or other financial  
            services over the Internet to implement and maintain  
            reasonable policies and procedures for authenticating and  
            verifying the legitimacy of a consumer transaction over the  
            Internet.  Specifies that, at a minimum, policies and  
            procedures must be consistent with best industry practices,  
            including, but not limited to, those recommended by the  
            Federal Financial Institutions Examination Council or the  
            relevant Recommended Practices of the California Office of  
            Privacy Protection. 

          2)Provides that a business that fails to conduct an Internet  
            transaction with a consumer in compliance with its required  
            policies and procedures may be subject to a civil penalty in  
            the amount of $3,000.  

          3)Provides that any customer injured by a violation of this bill  
            may institute a civil action to recover damages. 

           EXISTING LAW: 

          1)Makes it unlawful to knowingly access and, without permission,  
            alter, damage, delete, destroy, or otherwise use any data,  
            computer, computer system, or computer network to:  a) devise  
            or execute a scheme to defraud or extort; or b) wrongfully  
            control or obtain money, property, or data.  

          2)Makes it unlawful to willfully use someone else's personal  
            identifying information for an unlawful purpose, including to  
            obtain or attempt to obtain credit, goods, services, or  
            medical information in the name of the other person without  
            that person's consent.  

          3)Requires a business that owns or licenses personal information  
            about a California resident to implement and maintain  
            reasonable security procedures and practices in order to  
            protect the personal information from unauthorized access,  
            use, modification, or disclosure.  

          4)Requires commercial Web site operators and online services  
            that collect personally identifiable information about  
            California residents to conspicuously post their privacy  
            policy on their Web site, or in the case of an online service,  
            to make that policy available to the public.  

          5)Requires banks, savings associations, and credit unions to  
            verify the identity of customers opening new accounts.  

          6)Requires banks and savings associations to safeguard the  
            information of persons who obtain or have obtained a financial  
            product or service to be used primarily for personal, family,  
            or household purposes, with whom the institution has a  
            continuing relationship.  

           FISCAL EFFECT:  None

           COMMENTS:  According to the author, this bill will impose  
          penalties and liability on businesses that provide banking and  
          financial services on the Internet if they fail to take  
          reasonable steps to prevent criminal activity, "particularly in  
          high value Internet [financial] transactions."  This bill is  
          roughly modeled after existing state laws that require  
          businesses to implement reasonable security procedures to  
          safeguard their customers' personal information.  Similarly,  
          this bill would require a business that provides on-line banking  
          or financial services to implement policies and procedures to  
          verify the legitimacy of certain consumer transactions on the  
          Internet.  In addition, this bill would provide that a civil  
          penalty of $3,000 may be imposed on a business that fails to  
          conduct an Internet transaction in compliance with its  
          verification policies.  Finally, this bill also states that any  
          customer injured by a fraudulent transaction, where the business  
          had failed to act in compliance with its policy, could bring a  
          civil action to recover damages.  

          This bill, as amended, seeks to ensure that policies and  
          procedures will be consistent with best industry practices,  
          including but not limited to those practices recommended by the  
          Federal Financial Institutions Examination Council (FFIEC) or  
          the Recommended Practices of the California Office of Privacy  
          Protection.  FFIEC is an inter-agency council made up of members  
          from the Federal Reserve Board, the Federal Deposit Insurance  
          Corporation (FDIC), the National Credit Union Administration  
          (NCUA), and the Office of the Comptroller of the Currency (OCC).  
          The FFIEC guidelines recommend a variety of customer  
          verification techniques, including passwords, security  
          questions, smart cards, biometrics, and "out-of-band"  
          authentication (i.e., verification through some means other  
          than an Internet transmission, such as a follow-up phone call).  

          It is important to note that the bill does not appear to impose  
          very stringent requirements on a business that provides Internet  
          banking or financial services.  It requires businesses to  
          implement their own policies and procedures, offering rough  
          guidelines, but does not specify what those policies and  
          procedures must be.  On the other hand, this lack of specificity  
          is not unprecedented.  Civil Code Section 1798.81.5 similarly  
          requires certain businesses to implement and maintain reasonable  
          security procedures and practices in order to protect any  
          personal information contained in customer records.  Like this  
          bill, it imposes a civil penalty if the business fails to comply  
          with those procedures.  This bill tracks that statute and  
          applies it to authentication of Internet consumer transactions. 

          The bill is opposed by a number of business, banking, insurance,  
          and Internet business associations.  Opponents, who wrote in  
          opposition to a "safe harbor" provision that has since been  
          deleted from this bill, continue to oppose certain features of  
          the bill.  In particular, they "question whether civil penalties  
          are appropriate when the bill lacks any recognition of the  
          obligation for consumers to protect sensitive information in  
          their own possession," and that the bill therefore "fails to  
          recognize the shared responsibility of the consumer in  
          conducting online financial transaction."  Second, during the  
          Committee hearings, a witness questioned the wisdom of linking  
          policies and procedures to guidelines recommended by FFIEC or  
          the California Office of Privacy Protection.  However, it should  
          be noted that the bill does not require a business to adopt  
          these particular recommendations, but only references them as  
          examples of what might constitute best industry practices. 


           Analysis Prepared by:    Thomas Clark / JUD. / (916) 319-2334 


                                                                FN: 0000699