Amended in Senate July 8, 2013

Amended in Senate June 25, 2013

Amended in Senate June 11, 2013

Amended in Assembly April 18, 2013

California Legislature—2013–14 Regular Session

Assembly BillNo. 1274


Introduced by Assembly Member Bradford

February 22, 2013


An act to add Title 1.81.4 (commencing with Section 1798.98) to Part 4 of Division 3 of the Civil Code, relating to privacy.

LEGISLATIVE COUNSEL’S DIGEST

AB 1274, as amended, Bradford. Privacy: customer electrical or natural gas usage data.

Existing law prohibits, except as specified, an electrical corporation or gas corporation, and a local publicly owned utility, from sharing, disclosing, or otherwise making accessible to a 3rd party a consumer’s electric or gas usage that is made available as a part of an advanced metering infrastructure, including the name, account number, and residence of the customer (data). Existing law requires the electrical corporation or gas corporation, and a local publicly owned utility, to use reasonable security procedures and practices to provide a consumer’s unencrypted data from unauthorized access, destruction, use, modification, or disclosure.

Existing law makes the willful obtaining of personal identifying information, as defined, and use of that information for any unlawful purpose, a felony or misdemeanor. Existing law authorizes a person that has been injured as a result of a violation of this prohibition to bring an action against a claimant, as defined, to establish that they are a victim of identity theft, in connection with the claimant’s claim against that person and to bring a cross-complaint if the claimant has brought an action to recover on a claim against the person. A person who proves that he or she is a victim of identity theft by a preponderance of evidence is entitled to a judgment providing for actual damages, attorney’s fees, and costs, and any equitable relief that the court deems appropriate.

This bill would prohibit a business from sharing, disclosing, or otherwise making accessible to any 3rd party a customer’s electrical or natural gas usagebegin insert dataend insert without obtaining the express consent of the customer and conspicuously disclosing to whom the disclosure will be made and how the data will be used. The bill would require a business and a nonaffiliated 3rd party, pursuant to a contract, to implement and maintain reasonable security procedures and practices to protect the data from unauthorized disclosure. The bill would prohibit a business from providing an incentive or discount to the customer for accessing the data without the prior consent of the customer. The bill would require a business to take reasonable stepsbegin delete with regard to the disposal ofend deletebegin insert to dispose thatend insert customer databegin delete no longer to be retainedend deletebegin insert within its custody or control when the data is no longer to be retained by the business, as specifiedend insert. The bill would authorize a customer to bring a civil action for actual damages not to exceed $500 for each willful violation of these provisions.

Vote: majority. Appropriation: no. Fiscal committee: no. State-mandated local program: no.

The people of the State of California do enact as follows:

P2    1

SECTION 1.  

Title 1.81.4 (commencing with Section 1798.98)
2is added to Part 4 of Division 3 of the Civil Code, to read:

3 

4Title 1.81.4.  PRIVACY OF CUSTOMER ELECTRICAL
5OR NATURAL GAS USAGE DATA

6

 

7

1798.98.  

(a) For the purposes of this title, the following
8definitions shall apply:

9(1) “Business” means a sole proprietorship, partnership,
10corporation, association, or other group, however organized and
11whether or not organized to operate at a profit, including a financial
P3    1institution organized, chartered, or holding a license or
2authorization certificate under the law of this state, any other state,
3the United States, or of any other country, or the parent or the
4subsidiary of a financial institution.

5(2) “Customer” means a customer of an electrical or gas
6corporation or a local publicly owned electric utility that permits
7a business to have access to data in association with purchasing
8or leasing a product or obtaining a service from the business.

9(3) “Data” means a customer’s electrical or natural gas usage
10that is made available to the business as part of an advanced
11metering infrastructure provided by an electrical corporation, a
12gas corporation, or a local publicly owned electric utility, and
13includes the name, account number, or physical address of the
14customer.

15(4) “Electrical corporation” has the same meaning as in Section
16218 of the Public Utilities Code.

17(5) “Gas corporation” has the same meaning as in Section 222
18of the Public Utilities Code.

19(6) “Local publicly owned electric utility” has the same meaning
20as in Section 224.3 of the Public Utilities Code.

21(b) Unless otherwise required or authorized by federal or state
22law, a business shall not share, disclose, or otherwise make
23accessible to any third party a customer’s data without obtaining
24the express consent of the customer and conspicuously disclosing
25to whom the disclosure will be made and how the data will be
26 used.

27(c) A business that discloses data, with the express consent of
28the customer, pursuant to a contract with a nonaffiliated third party,
29shall require by contract that the third party implement and
30maintain reasonable security procedures and practices appropriate
31to the nature of the information, to protect the data from
32unauthorized access, destruction, use, modification, or disclosure.

33(d) A business shall implement and maintain reasonable security
34procedures and practices appropriate to the nature of the
35information to protect the data from unauthorized access,
36destruction, use, modification, or disclosure.

37(e) A business shall not provide an incentive or discount to the
38customer for accessing the data without the prior consent of the
39customer.

P4    1(f) A business shall take all reasonable steps to dispose, or
2arrange for the disposal, of customer data within its custody or
3control when the records are no longer to be retained by the
4business by (1) shredding, (2) erasing, or (3) otherwise modifying
5the data in those records to make it unreadable or undecipherable
6through any means.

7(g) The provisions of this section do not apply to an electrical
8corporation, a gas corporation, or a local publicly owned electric
9utility or a business that secures the data as a result of a contract
10with an electrical or gas corporation or a local publicly owned
11electric utility under the provisionsbegin insert of subdivision (e)end insert of Section
128380 orbegin insert subdivision (e) ofend insert 8381 of the Public Utilities Code.

13

1798.99.  

begin insert(a)end insertbegin insertend insertA customer harmed by the releasebegin delete andend deletebegin insert orend insert
14 unauthorized use of his or her customer data, in violation of Section
151798.98, may bring a civil action to recover actual damages in an
16amount not to exceed five hundred dollars ($500) for each willful
17violation.

18(b) The rights, remedies, and penalties established by this title
19are in addition to the rights, remedies, or penalties established
20under any other law.

21(c) Nothing in this title shall abrogate any authority of the
22Attorney General to enforce existing law.



O

    95