SB 364 Senate Bill - INTRODUCED

BILL NUMBER: SB 364	INTRODUCED
	BILL TEXT


INTRODUCED BY   Senator Simitian

                        FEBRUARY 20, 2007

   An act to repeal and amend Section 1798.29 of the Civil Code,
relating to personal information.


	LEGISLATIVE COUNSEL'S DIGEST


   SB 364, as introduced, Simitian. Personal information: privacy.
   Existing law requires any agency that owns or licenses
computerized data that includes personal information, as defined, to
disclose in specified ways, any breach of the security of the data,
as defined, to any California resident whose unencrypted personal
information was, or is reasonably believed to have been, acquired by
an unauthorized person. Existing law allows an agency to provide that
disclosure by substitute notice, as specified, if the agency
demonstrates that the cost of disclosure would exceed $250,000, or
that the affected class exceeds 500,000 persons, or that the agency
does not have sufficient contact information.
   In addition to the other substitute notice provisions, this bill
would instead allow for substitute notice if the agency demonstrates
that the cost of disclosure would exceed $100,000. The bill would
also repeal a duplicative provision of law.
   Vote: majority. Appropriation: no. Fiscal committee: no.
State-mandated local program: no.


THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:

  SECTION 1.  Section 1798.29 of the Civil Code, as added by Section
2 of Chapter 915 of the Statutes of 2002, is repealed. 
   1798.29.  (a) Any agency that owns or licenses computerized data
that includes personal information shall disclose any breach of the
security of the system following discovery or notification of the
breach in the security of the data to any resident of California
whose unencrypted personal information was, or is reasonably believed
to have been, acquired by an unauthorized person. The disclosure
shall be made in the most expedient time possible and without
unreasonable delay, consistent with the legitimate needs of law
enforcement, as provided in subdivision (c), or any measures
necessary to determine the scope of the breach and restore the
reasonable integrity of the data system.
   (b) Any agency that maintains computerized data that includes
personal information that the agency does not own shall notify the
owner or licensee of the information of any breach of the security of
the data immediately following discovery, if the personal
information was, or is reasonably believed to have been, acquired by
an unauthorized person.
   (c) The notification required by this section may be delayed if a
law enforcement agency determines that the notification will impede a
criminal investigation. The notification required by this section
shall be made after the law enforcement agency determines that it
will not compromise the investigation.
   (d) For purposes of this section, "breach of the security of the
system" means unauthorized aquisition of computerized data that
compromises the security, confidentiality, or integrity of personal
information maintained by the agency. Good faith acquisition of
personal information by an employee or agent of the agency for the
purposes of the agency is not a breach of the security of the system,
provided that the personal information is not used or subject to
further unauthorized disclosure.
   (e) For purposes of this section, "personal information" means an
individual's first name or first initial and last name in combination
with any one or more of the following data elements, when either the
name or the data elements are not encrypted:
   (1) Social security number.
   (2) Driver's license number or California Identification Card
number.
   (3) Account number, credit or debit card number, in combination
with any required security code, access code, or password that would
permit access to an individual's financial account.
   (f) For purposes of this section, "personal information" does not
include publicly available information that is lawfully made
available to the general public from federal, state, or local
government records.
   (g) For purposes of this section, "notice" may be provided by one
of the following methods:
   (1) Written notice.
   (2) Electronic notice, if the notice provided is consistent with
the provisions regarding electronic records and signatures set forth
in Section 7001 of Title 15 of the United States Code.
   (3) Substitute notice, if the agency demonstrates that the cost of
providing notice would exceed two hundred fifty thousand dollars
($250,000), or that the affected class of subject persons to be
notified exceeds 500,000, or the agency does not have sufficient
contact information. Substitute notice shall consist of all of the
following:
   (A) E-mail notice when the agency has an e-mail address for the
subject persons.
   (B) Conspicuous posting of the notice on the agency's Web site
page, if the agency maintains one.
   (C) Notification to major statewide media.
   (h) Notwithstanding subdivision (g), an agency that maintains its
own notification procedures as part of an information security policy
for the treatment of personal information and is otherwise
consistent with the timing requirements of this part shall be deemed
to be in compliance with the notification requirements of this
section if it notifies subject persons in accordance with its
policies in the event of a breach of security of the system.

  SEC. 2.  Section 1798.29 of the Civil Code, as added by Section 2
of Chapter 1054 of the Statutes of 2002, is amended to read:
   1798.29.  (a) Any agency that owns or licenses computerized data
that includes personal information shall disclose any breach of the
security of the system following discovery or notification of the
breach in the security of the data to any resident of California
whose unencrypted personal information was, or is reasonably believed
to have been, acquired by an unauthorized person. The disclosure
shall be made in the most expedient time possible and without
unreasonable delay, consistent with the legitimate needs of law
enforcement, as provided in subdivision (c), or any measures
necessary to determine the scope of the breach and restore the
reasonable integrity of the data system.
   (b) Any agency that maintains computerized data that includes
personal information that the agency does not own shall notify the
owner or licensee of the information of any breach of the security of
the data immediately following discovery, if the personal
information was, or is reasonably believed to have been, acquired by
an unauthorized person.
   (c) The notification required by this section may be delayed if a
law enforcement agency determines that the notification will impede a
criminal investigation. The notification required by this section
shall be made after the law enforcement agency determines that it
will not compromise the investigation.
   (d) For purposes of this section, "breach of the security of the
system" means unauthorized acquisition of computerized data that
compromises the security, confidentiality, or integrity of personal
information maintained by the agency. Good faith acquisition of
personal information by an employee or agent of the agency for the
purposes of the agency is not a breach of the security of the system,
provided that the personal information is not used or subject to
further unauthorized disclosure.
   (e) For purposes of this section, "personal information" means an
individual's first name or first initial and last name in combination
with any one or more of the following data elements, when either the
name or the data elements are not encrypted:
   (1) Social security number.
   (2) Driver's license number or California Identification Card
number.
   (3) Account number, credit or debit card number, in combination
with any required security code, access code, or password that would
permit access to an individual's financial account.
   (f) For purposes of this section, "personal information" does not
include publicly available information that is lawfully made
available to the general public from federal, state, or local
government records.
   (g) For purposes of this section, "notice" may be provided by one
of the following methods:
   (1) Written notice.
   (2) Electronic notice, if the notice provided is consistent with
the provisions regarding electronic records and signatures set forth
in Section 7001 of Title 15 of the United States Code.
   (3) Substitute notice, if the agency demonstrates that the cost of
providing notice would exceed  two   one 
hundred  fifty  thousand dollars  ($250,000)
  ($100,000)  , or that the affected class of
subject persons to be notified exceeds 500,000, or the agency does
not have sufficient contact information. Substitute notice shall
consist of all of the following:
   (A) E-mail notice when the agency has an e-mail address for the
subject persons.
   (B) Conspicuous posting of the notice on the agency's Web site
page, if the agency maintains one.
   (C) Notification to major statewide media.
   (h) Notwithstanding subdivision (g), an agency that maintains its
own notification procedures as part of an information security policy
for the treatment of personal information and is otherwise
consistent with the timing requirements of this part shall be deemed
to be in compliance with the notification requirements of this
section if it notifies subject persons in accordance with its
policies in the event of a breach of security of the system.