Amended in Assembly March 28, 2014

California Legislature—2013–14 Regular Session

Assembly Bill No. 1710


Introduced by Assembly Members Dickinson and Wieckowski

February 13, 2014


An act to amend begin delete Section end delete begin insert Sections 1798.81.5, end insert 1798.82 begin insert, 1798.84, and 1798.85 end insert of begin insert, and to add Sections 1724.4 and 1724.6 to, end insert the Civil Code, relating to personal information privacy.

LEGISLATIVE COUNSEL’S DIGEST

AB 1710, as amended, Dickinson. Personal information: privacy.

Existing law requires a person or business conducting business in California that owns or licenses computerized data that includes personal information, as defined, to disclose, as specified, a breach of the security of the system or data following discovery or notification of the security breach to any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

begin delete

This bill would make nonsubstantive, technical changes to these provisions.

end delete
begin insert

This bill would instead require a person or business conducting business in California that owns or licenses computerized or noncomputerized data that contains personal information to disclose, as specified, a breach of the security of the system or data following discovery or notification of the security breach to any California resident whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person. If the person or business was the source of the breach, the bill would require the person or business to offer to provide appropriate identity theft prevention and mitigation services to the affected person at no cost for not less than 24 months if the breach exposed or may have exposed specified personal information. The bill would also require a person or business that maintains but does not own the data to notify the persons affected within 15 days of the breach using specified methods.

end insert
begin insert

This bill would prohibit a person or business that sells goods or services to any resident of California and accepts as payment a credit card, debit card, or other payment device, from storing, retaining, sending, or failing to limit access to payment-related data, as defined, retaining a primary account number, or storing sensitive authentication data subsequent to an authorization, as specified, unless a specified exception applies. The bill would make a person or business liable for the reimbursement of all reasonable and actual costs of providing notice of a breach of the security of a system or data following discovery or notification of the security breach to any California resident whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person, and for the reasonable and actual cost of card replacement as a result of a breach, to the owner or licensee of the information. The bill would authorize this liability to be excused, in whole or in part, if the person or business, can demonstrate compliance with specified provisions at the time of the breach.

end insert
begin insert

Existing law requires a business that owns or licenses personal information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

end insert
begin insert

This bill would expand these provisions to businesses that own, license, or maintain personal information about a California resident, as specified.

end insert
begin insert

Existing law authorizes any customer injured by a violation of specified provisions relating to customer records to institute a civil action to recover damages and penalties, as specified.

end insert
begin insert

This bill would, in addition to any other available remedies, authorize a public prosecutor to bring an action to recover a civil penalty not exceeding $500, or for a willful, intentional, or reckless violation not exceeding $3,000, per violation.

end insert
begin insert

Existing law prohibits a person or entity, with specified exceptions, from publicly posting or displaying an individual’s social security number or doing certain other acts that might compromise the security of an individual’s social security number, unless otherwise required by federal or state law.

end insert
begin insert

This bill would also prohibit the sale, advertisement for sale, or offer to sell of an individual’s social security number. The bill would, in addition to any other available remedies for a violation of these provisions, authorize a public prosecutor to bring an action to recover a civil penalty not exceeding $500 per violation.

end insert

Vote: majority. Appropriation: no. Fiscal committee: no. State-mandated local program: no.

The people of the State of California do enact as follows:

begin insert SECTION 1. Section 1724.4 is added to the Civil Code, to read: end insert

begin insert

1724.4. (a) In addition to being subject to the provisions of Title 1.81 (commencing with Section 1798.80) of Part 4, a person or business that sells goods or services to any resident of California and accepts as payment a credit card, debit card, or other payment device shall not do any of the following:

(1) Store payment-related data, unless the person or business complies with both of the following:

(A) The person or business has a payment data retention and disposal policy that limits the amount of payment-related data and the time that data is retained to only the amount and time required for business, legal, or regulatory purposes as explicitly documented in the policy.

(B) The person or business retains payment-related data only for a time period and in a manner explicitly permitted by the policy.

(2) Store sensitive authentication data subsequent to an authorization, even if that data is encrypted. Sensitive authentication data includes all of the following:

(A) The full contents of any data track from a payment card or other payment device.

(B) The card verification code or any value used to verify transactions when the payment device is not present.

(C) The personal identification number (PIN) or the encrypted PIN block.

(3) Store any payment-related data that is not needed for business, legal, or regulatory purposes.

(4) Store any of the following data elements:

(A) Payment verification code.

(B) Payment verification value.

(C) PIN verification value.

(D) Social security number.

(E) Driver’s license number.

(5) Retain the primary account number unless retained in a manner consistent with the other requirements of this subdivision and in a form that is unreadable and unusable by unauthorized persons anywhere it is stored.

(6) Send payment-related data over open, public networks unless the data is encrypted using strong cryptography and security protocols or otherwise rendered indecipherable.

(7) Fail to limit access to payment-related data to only those individuals whose job requires that access.

(b) (1) This section shall not apply to any person or business subject to Sections 6801 to 6809, inclusive, of Title 15 of the United States Code and state or federal statutes or regulations implementing those sections, if the person or business is subject to compliance oversight by a state or federal regulatory agency with respect to those sections.

(2) Nothing in this section shall prohibit a person or business that sells goods or services to any California resident and accepts as payment a credit card, debit card, or other payment device from storing payment-related data for the sole purpose of processing ongoing or recurring payments, provided that the payment-related data is maintained in accordance with this section.

(c) For purposes of this section, “payment-related data” means any computerized information described in subdivision (h) of Section 1798.82, whether individually or in combination with any other information described in that paragraph.

end insert
begin insert SEC. 2. Section 1724.6 is added to the Civil Code, to read: end insert

begin insert

1724.6. (a) A person or business subject to Section 1724.4 shall be liable for the reimbursement of all reasonable and actual costs of providing notice pursuant to subdivision (a) of Section 1798.82 and for the reasonable and actual cost of card replacement as a result of a breach described in that section, to the owner or licensee of the information.

(b) The liability of a person or business subject to Section 1724.4 to reimburse the owner or licensee may be excused, in whole or in part, if the person or business can demonstrate compliance with all provisions of Section 1724.4 at the time of the breach of security of the system.

end insert
begin insert SEC. 3. Section 1798.81.5 of the Civil Code is amended to read: end insert

1798.81.5. (a) begin insert (1) end insert It is the intent of the Legislature to ensure that personal information about California residents is protected. To that end, the purpose of this section is to encourage businesses that begin delete own or license end delete begin insert own, license, or maintain end insert personal information about Californians to provide reasonable security for that information. begin delete For end delete

begin insert (2) For end insert the purpose of this section, the begin delete phrase “owns or licenses” is intended to include, but is not limited to, end delete begin insert terms “own” and “license” include end insert personal information that a business retains as part of the business’ internal customer account or for the purpose of using that information in transactions with the person to whom the information relates. begin insert The term “maintain” includes personal information that a business maintains but does not own or license. end insert

(b) A business that begin delete owns or licenses end delete begin insert owns, licenses, or maintains end insert personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

(c) A business that discloses personal information about a California resident pursuant to a contract with a nonaffiliated third party begin insert that is not subject to subdivision (b) end insert shall require by contract that the third party implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

(d) For purposes of this section, the following terms have the following meanings:

(1) “Personal information” means an individual’s first name or first initial and his or her last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:

(A) Social security number.

(B) Driver’s license number or California identification card number.

(C) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

(D) Medical information.

(2) “Medical information” means any individually identifiable information, in electronic or physical form, regarding the individual’s medical history or medical treatment or diagnosis by a health care professional.

(3) “Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

(e) The provisions of this section do not apply to any of the following:

(1) A provider of health care, health care service plan, or contractor regulated by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1).

(2) A financial institution as defined in Section 4052 of the Financial Code and subject to the California Financial Information Privacy Act (Division 1.2 (commencing with Section 4050) of the Financial Code).

(3) A covered entity governed by the medical privacy and security rules issued by the federal Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Availability Act of 1996 (HIPAA).

(4) An entity that obtains information under an agreement pursuant to Article 3 (commencing with Section 1800) of Chapter 1 of Division 2 of the Vehicle Code and is subject to the confidentiality requirements of the Vehicle Code.

(5) A business that is regulated by state or federal law providing greater protection to personal information than that provided by this section in regard to the subjects addressed by this section. Compliance with that state or federal law shall be deemed compliance with this section with regard to those subjects. This paragraph does not relieve a business from a duty to comply with any other requirements of other state and federal law regarding the protection and privacy of personal information.

begin delete SECTION 1. end delete begin insert SEC. 4. end insert Section 1798.82 of the Civil Code is amended to read:

1798.82. (a) A person or business that conducts business in California, and that owns or licenses computerized begin insert or noncomputerized end insert data that includes personal information, shall disclose a breach of the security of the system following discovery or notification of the breach in the security of the data to a resident of California whose begin delete unencrypted end delete personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

(b) begin insert (1) end insert A person or business that maintains computerized begin insert or noncomputerized end insert data that includes personal information that the person or business does not own shall notify the owner or licensee of the information of the breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

begin insert

(2) In addition to notifying the owner of the data, the person or business that maintains the data shall notify persons affected by the breach within 15 days of the breach using the following methods:

(A) Email notice if the person or business has an email address for the subject persons.

(B) Conspicuous posting of the notice on the Internet Web site page of the person or business, if the person or business maintains an Internet Web site page, for at least 30 days.

(C) Notification to major statewide media.

end insert

(c) The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notification required by this section shall be made begin insert promptly end insert after the law enforcement agency determines that it will not compromise the investigation.

(d) A person or business that is required to issue a security breach notification pursuant to this section shall meet all of the following requirements:

(1) The security breach notification shall be written in plain language.

(2) The security breach notification shall include, at a minimum, the following information:

(A) The name and contact information of the reporting person or business subject to this section.

(B) A list of the types of personal information that were or are reasonably believed to have been the subject of a breach.

(C) If the information is possible to determine at the time the notice is provided, then any of the following: (i) the date of the breach, (ii) the estimated date of the breach, or (iii) the date range within which the breach occurred. The notification shall also include the date of the notice.

(D) Whether notification was delayed as a result of a law enforcement investigation, if that information is possible to determine at the time the notice is provided.

(E) A general description of the breach incident, if that information is possible to determine at the time the notice is provided.

(F) The toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed a social security number or a driver’s license or California identification card number.

begin insert

(G) If the person or business providing the notification was the source of the breach, an offer to provide appropriate identity theft prevention and mitigation services, such as credit monitoring, shall be provided at no cost to the affected person for not less than 24 months, along with all information necessary to take advantage of the offer to any person whose information was or may have been breached if the breach exposed or may have exposed personal information defined in paragraph (1) of subdivision (h).

end insert

(3) At the discretion of the person or business, the security breach notification may also include any of the following:

(A) Information about what the person or business has done to protect individuals whose information has been breached.

(B) Advice on steps that the person whose information has been breached may take to protect himself or herself.

(4) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (h) for an online account, and no other personal information defined in paragraph (1) of subdivision (h), the person or business may comply with this section by providing the security breach notification in electronic or other form that directs the person whose personal information has been breached promptly to change his or her password and security question or answer, as applicable, or to take other steps appropriate to protect the online account with the person or business and all other online accounts for which the person whose personal information has been breached uses the same user name or email address and password or security question or answer.

(5) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (h) for login credentials of an email account furnished by the person or business, the person or business shall not comply with this section by providing the security breach notification to that email address, but may, instead, comply with this section by providing notice by another method described in subdivision (j) or by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an Internet Protocol address or online location from which the person or business knows the resident customarily accesses the account.

(e) A covered entity under the federal Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Sec. 1320d et seq.) will be deemed to have complied with the notice requirements in subdivision (d) if it has complied completely with Section 13402(f) of the federal Health Information Technology for Economic and Clinical Health Act (Public Law 111-5). However, nothing in this subdivision shall be construed to exempt a covered entity from any other provision of this section.

(f) A person or business that is required to issue a security breach notification pursuant to this section to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. A single sample copy of a security breach notification shall not be deemed to be within subdivision (f) of Section 6254 of the Government Code.

(g) For purposes of this section, “breach of the security of the system” means unauthorized acquisition of computerized begin insert or noncomputerized end insert data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business. Good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.

(h) For purposes of this section, “personal information” means either of the following:

(1) An individual’s first name or first initial and last name in combination with any one or more of the following data begin delete elements, when either the name or the data elements are not encrypted: end delete begin insert elements: end insert

(A) Social security number.

(B) Driver’s license number or California identification card number.

(C) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

(D) Medical information.

(E) Health insurance information.

(2) A user name or email address, in combination with a password or security question and answer that would permit access to an online account.

(i) (1) For purposes of this section, “personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

(2) For purposes of this section, “medical information” means any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.

(3) For purposes of this section, “health insurance information” means an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.

(j) For purposes of this section, “notice” may be provided by one of the following methods:

(1) Written notice.

(2) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code.

(3) Substitute notice, if the person or business demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000), or that the affected class of subject persons to be notified exceeds 500,000, or the person or business does not have sufficient contact information. Substitute notice shall consist of all of the following:

(A) Email notice when the person or business has an email address for the subject persons.

(B) Conspicuous posting of the notice on the Internet Web site page of the person or business, if the person or business maintains one.

(C) Notification to major statewide media.

(k) Notwithstanding subdivision (j), a person or business that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this part, shall be deemed to be in compliance with the notification requirements of this section if the person or business notifies subject persons in accordance with its policies in the event of a breach of security of the system.

begin insert SEC. 5. Section 1798.84 of the Civil Code is amended to read: end insert

1798.84. (a) Any waiver of a provision of this title is contrary to public policy and is void and unenforceable.

begin insert

(b) In addition to any other available remedies for a violation of this title, a public prosecutor authorized pursuant to Section 17204 of the Business and Professions Code may bring an action to recover a civil penalty not exceeding five hundred dollars ($500) per violation, or, in the case of a willful, intentional, or reckless violation, a penalty not exceeding three thousand dollars ($3,000) per violation.

end insert

begin delete (b) end delete begin insert (c) end insert Any customer injured by a violation of this title may institute a civil action to recover damages.

begin delete (c) end delete begin insert (d) end insert In addition, for a willful, intentional, or reckless violation of Section 1798.83, a customer may recover a civil penalty not to exceed three thousand dollars ($3,000) per violation; otherwise, the customer may recover a civil penalty of up to five hundred dollars ($500) per violation for a violation of Section 1798.83.

begin delete (d) end delete begin insert (e) end insert Unless the violation is willful, intentional, or reckless, a business that is alleged to have not provided all the information required by subdivision (a) of Section 1798.83, to have provided inaccurate information, failed to provide any of the information required by subdivision (a) of Section 1798.83, or failed to provide information in the time period required by subdivision (b) of Section 1798.83, may assert as a complete defense in any action in law or equity that it thereafter provided regarding the information that was alleged to be untimely, all the information, or accurate information, to all customers who were provided incomplete or inaccurate information, respectively, within 90 days of the date the business knew that it had failed to provide the information, timely information, all the information, or the accurate information, respectively.

begin delete (e) end delete begin insert (f) end insert Any business that violates, proposes to violate, or has violated this title may be enjoined.

begin delete (f) end delete begin insert (g) end insert (1) A cause of action shall not lie against a business for disposing of abandoned records containing personal information by shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means.

(2) The Legislature finds and declares that when records containing personal information are abandoned by a business, they often end up in the possession of a storage company or commercial landlord. It is the intent of the Legislature in paragraph (1) to create a safe harbor for such a record custodian who properly disposes of the records in accordance with paragraph (1).

begin delete (g) end delete begin insert (h) end insert A prevailing plaintiff in any action commenced under Section 1798.83 shall also be entitled to recover his or her reasonable attorney’s fees and costs.

begin delete (h) end delete begin insert (i) end insert The rights and remedies available under this section are cumulative to each other and to any other rights and remedies available under law.

begin insert SEC. 6. Section 1798.85 of the Civil Code is amended to read: end insert

2

1798.85.  

(a) Except as provided in this section, a person or
3entity may not do any of the following:

4(1) Publicly post or publicly display in any manner an
5individual’s social security number. “Publicly post” or “publicly
6display” means to intentionally communicate or otherwise make
7available to the general public.

8(2) Print an individual’s social security number on any card
9required for the individual to access products or services provided
10by the person or entity.

11(3) Require an individual to transmit his or her social security
12number over the Internet, unless the connection is secure or the
13social security number is encrypted.

14(4) Require an individual to use his or her social security number
15to access an Internet Web site, unless a password or unique
16personal identification number or other authentication device is
17also required to access the Internet Web site.

18(5) Print an individual’s social security number on any materials
19that are mailed to the individual, unless state or federal law requires
20the social security number to be on the document to be mailed.
21Notwithstanding this paragraph, social security numbers may be
22included in applications and forms sent by mail, including
23documents sent as part of an application or enrollment process, or
24to establish, amend or terminate an account, contract or policy, or
25to confirm the accuracy of the social security number. A social
26security number that is permitted to be mailed under this section
27may not be printed, in whole or in part, on a postcard or other
28 mailer not requiring an envelope, or visible on the envelope or
29without the envelope having been opened.

begin insert

30(6) Sell, advertise for sale, or offer to sell an individual’s social
31security number.

end insert

32(b) This section does not prevent the collection, use, or release
33of a social security number as required by state or federal law or
34the use of a social security number for internal verification or
35administrative purposes.

36(c) This section does not prevent an adult state correctional
37facility, an adult city jail, or an adult county jail from releasing an
38inmate’s social security number, with the inmate’s consent and
39upon request by the county veterans service officer or the United
40States Department of Veterans Affairs, for the purposes of
P14   1determining the inmate’s status as a military veteran and his or her
2eligibility for federal, state, or local veterans’ benefits or services.

(d) This section does not apply to documents that are recorded or required to be open to the public pursuant to Chapter 3.5 (commencing with Section 6250), Chapter 14 (commencing with Section 7150) or Chapter 14.5 (commencing with Section 7220) of Division 7 of Title 1 of, Article 9 (commencing with Section 11120) of Chapter 1 of Part 1 of Division 3 of Title 2 of, or Chapter 9 (commencing with Section 54950) of Part 1 of Division 2 of Title 5 of, the Government Code. This section does not apply to records that are required by statute, case law, or California Rule of Court, to be made available to the public by entities provided for in Article VI of the California Constitution.

(e) (1) In the case of a health care service plan, a provider of health care, an insurer or a pharmacy benefits manager, a contractor as defined in Section 56.05, or the provision by any person or entity of administrative or other services relative to health care or insurance products or services, including third-party administration or administrative services only, this section shall become operative in the following manner:

(A) On or before January 1, 2003, the entities listed in paragraph (1) shall comply with paragraphs (1), (3), (4), and (5) of subdivision (a) as these requirements pertain to individual policyholders or individual contractholders.

(B) On or before January 1, 2004, the entities listed in paragraph (1) shall comply with paragraphs (1) to (5), inclusive, of subdivision (a) as these requirements pertain to new individual policyholders or new individual contractholders and new groups, including new groups administered or issued on or after January 1, 2004.

(C) On or before July 1, 2004, the entities listed in paragraph (1) shall comply with paragraphs (1) to (5), inclusive, of subdivision (a) for all individual policyholders and individual contractholders, for all groups, and for all enrollees of the Healthy Families and Medi-Cal programs, except that for individual policyholders, individual contractholders and groups in existence prior to January 1, 2004, the entities listed in paragraph (1) shall comply upon the renewal date of the policy, contract, or group on or after July 1, 2004, but no later than July 1, 2005.

(2) A health care service plan, a provider of health care, an insurer or a pharmacy benefits manager, a contractor, or another person or entity as described in paragraph (1) shall make reasonable efforts to cooperate, through systems testing and other means, to ensure that the requirements of this article are implemented on or before the dates specified in this section.

(3) Notwithstanding paragraph (2), the Director of the Department of Managed Health Care, pursuant to the authority granted under Section 1346 of the Health and Safety Code, or the Insurance Commissioner, pursuant to the authority granted under Section 12921 of the Insurance Code, and upon a determination of good cause, may grant extensions not to exceed six months for compliance by health care service plans and insurers with the requirements of this section when requested by the health care service plan or insurer. Any extension granted shall apply to the health care service plan or insurer’s affected providers, pharmacy benefits manager, and contractors.

(f) If a federal law takes effect requiring the United States Department of Health and Human Services to establish a national unique patient health identifier program, a provider of health care, a health care service plan, a licensed health care professional, or a contractor, as those terms are defined in Section 56.05, that complies with the federal law shall be deemed in compliance with this section.

(g) A person or entity may not encode or embed a social security number in or on a card or document, including, but not limited to, using a barcode, chip, magnetic strip, or other technology, in place of removing the social security number, as required by this section.

(h) This section shall become operative, with respect to the University of California, in the following manner:

(1) On or before January 1, 2004, the University of California shall comply with paragraphs (1), (2), and (3) of subdivision (a).

(2) On or before January 1, 2005, the University of California shall comply with paragraphs (4) and (5) of subdivision (a).

(i) This section shall become operative with respect to the Franchise Tax Board on January 1, 2007.

(j) This section shall become operative with respect to the California community college districts on January 1, 2007.

(k) This section shall become operative with respect to the California State University system on July 1, 2005.

(l) This section shall become operative, with respect to the California Student Aid Commission and its auxiliary organization, in the following manner:

(1) On or before January 1, 2004, the commission and its auxiliary organization shall comply with paragraphs (1), (2), and (3) of subdivision (a).

(2) On or before January 1, 2005, the commission and its auxiliary organization shall comply with paragraphs (4) and (5) of subdivision (a).

begin insert

(m) In addition to any other available remedies for a violation of this title, a public prosecutor authorized pursuant to Section 17204 of the Business and Professions Code may bring an action to recover a civil penalty not exceeding five hundred dollars ($500) per violation.

end insert

