Amended in Assembly April 24, 2014

Amended in Assembly March 28, 2014

California Legislature—2013–14 Regular Session

Assembly Bill No. 1710


Introduced by Assembly Members Dickinson and Wieckowski

February 13, 2014


An act to amend Sections 1798.81.5, 1798.82, 1798.84, and 1798.85 of, and to add Sections 1724.4 and 1724.6 to, the Civil Code, relating to personal information privacy.

LEGISLATIVE COUNSEL’S DIGEST

AB 1710, as amended, Dickinson. Personal information: privacy.

Existing law requires a person or business conducting business in California that owns or licenses computerized data that includes personal information, as defined, to disclose, as specified, a breach of the security of the system or data following discovery or notification of the security breach to any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

This bill would instead require a person or business conducting business in California that owns or licenses computerized [deleted: or noncomputerized] data that contains personal information to disclose, as specified, a breach of the security of the system or data following discovery or notification of the security breach to any California resident whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person [inserted: unless the data was encrypted, as specified]. If the person or business was the source of the breach, the bill would require the person or business to offer to provide appropriate identity theft prevention and mitigation services[inserted: , if any,] to the affected person at no cost for not less than 24 months if the breach exposed or may have exposed specified personal information. The bill would also require a person or business that maintains but does not own the data to notify the persons affected [deleted: within 15 days of the breach using specified methods] [inserted: at the same time that notice is given to the owner or licensee, as specified].

This bill would prohibit a person or business that sells goods or services to any resident of California and accepts as payment a credit card, debit card, or other payment device, from storing, retaining, sending, or failing to limit access to payment-related data, as defined, retaining a primary account number, or storing sensitive authentication data subsequent to an authorization, as specified, unless a specified exception applies. The bill would make a person or business liable for the reimbursement of all reasonable and actual costs of providing notice of a breach of the security of a system or data following discovery or notification of the security breach to any California resident whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person [inserted: unless the data was encrypted, as specified], and for the reasonable and actual cost of card replacement as a result of a breach, to the owner or licensee of the information. The bill would authorize this liability to be excused, in whole or in part, if the person or business can demonstrate compliance with specified provisions at the time of the breach.

Existing law requires a business that owns or licenses personal information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

This bill would expand these provisions to businesses that own, license, or maintain personal information about a California resident, as specified.

[deleted: Existing law authorizes any customer injured by a violation of specified provisions relating to customer records to institute a civil action to recover damages and penalties, as specified.]

[deleted: This bill would, in addition to any other available remedies, authorize a public prosecutor to bring an action to recover a civil penalty not exceeding $500, or for a willful, intentional, or reckless violation not exceeding $3,000, per violation.]

Existing law prohibits a person or entity, with specified exceptions, from publicly posting or displaying an individual’s social security number or doing certain other acts that might compromise the security of an individual’s social security number, unless otherwise required by federal or state law.

This bill would also[inserted: , except as specified,] prohibit the sale, advertisement for sale, or offer to sell of an individual’s social security number. The bill would, in addition to any other available remedies for a violation of these provisions, authorize a public prosecutor to bring an action to recover a civil penalty not exceeding $500 per violation.

Vote: majority. Appropriation: no. Fiscal committee: no. State-mandated local program: no.

The people of the State of California do enact as follows:

SECTION 1. Section 1724.4 is added to the Civil Code, to read:

1724.4. (a) In addition to being subject to the provisions of Title 1.81 (commencing with Section 1798.80) of Part 4, a person or business that sells goods or services to any resident of California and accepts as payment a credit card, debit card, or other payment device shall not do any of the following:

(1) Store payment-related data, unless the person or business complies with both of the following:

(A) The person or business has a payment data retention and disposal policy that limits the amount of payment-related data and the time that data is retained to only the amount and time required for business, legal, or regulatory purposes as explicitly documented in the policy.

(B) The person or business retains payment-related data only for a time period and in a manner explicitly permitted by the policy.

(2) Store sensitive authentication data subsequent to an authorization, even if that data is encrypted. Sensitive authentication data includes all of the following:

(A) The full contents of any data track from a payment card or other payment device.

(B) The card verification code or any value used to verify transactions when the payment device is not present.

(C) The personal identification number (PIN) or the encrypted PIN block.

(3) Store any payment-related data that is not needed for business, legal, or regulatory purposes.

(4) Store any of the following data elements:

(A) Payment verification code.

(B) Payment verification value.

(C) PIN verification value.

[deleted: (D) Social security number.]

[deleted: (E) Driver’s license number.]

(5) Retain the primary account number unless retained in a manner consistent with the other requirements of this subdivision and in a form that is unreadable and unusable by unauthorized persons anywhere it is stored.

(6) Send payment-related data over open, public networks unless the data is encrypted using strong cryptography and security protocols or otherwise rendered indecipherable.

(7) Fail to limit access to payment-related data to only those individuals whose job requires that access.

(b) (1) This section shall not apply to any person or business subject to Sections 6801 to 6809, inclusive, of Title 15 of the United States Code and state or federal statutes or regulations implementing those sections, if the person or business is subject to compliance oversight by a state or federal regulatory agency with respect to those sections.

(2) Nothing in this section shall prohibit a person or business that sells goods or services to any California resident and accepts as payment a credit card, debit card, or other payment device from storing payment-related data for the sole purpose of processing ongoing or recurring payments, provided that the payment-related data is maintained in accordance with this section.

(c) For purposes of this section, “payment-related data” means any computerized information described in subdivision (h) of Section 1798.82, whether individually or in combination with any other information described in that paragraph.

SEC. 2. Section 1724.6 is added to the Civil Code, to read:

1724.6. (a) A person or business subject to Section 1724.4 shall be liable for the reimbursement of all reasonable and actual costs of providing notice pursuant to subdivision (a) of Section 1798.82 and for the reasonable and actual cost of card replacement as a result of a breach described in that section, to the owner or licensee of the information.

(b) The liability of a person or business subject to Section 1724.4 to reimburse the owner or licensee may be excused, in whole or in part, if the person or business can demonstrate compliance with all provisions of Section 1724.4 at the time of the breach of security of the system.

SEC. 3. Section 1798.81.5 of the Civil Code is amended to read:

1798.81.5. (a) (1) It is the intent of the Legislature to ensure that personal information about California residents is protected. To that end, the purpose of this section is to encourage businesses that own, license, or maintain personal information about Californians to provide reasonable security for that information.

(2) For the purpose of this section, the terms “own” and “license” include personal information that a business retains as part of the business’ internal customer account or for the purpose of using that information in transactions with the person to whom the information relates. The term “maintain” includes personal information that a business maintains but does not own or license.

(b) A business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

(c) A business that discloses personal information about a California resident pursuant to a contract with a nonaffiliated third party that is not subject to subdivision (b) shall require by contract that the third party implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

(d) For purposes of this section, the following terms have the following meanings:

(1) “Personal information” means an individual’s first name or first initial and his or her last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:

(A) Social security number.

(B) Driver’s license number or California identification card number.

(C) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

(D) Medical information.

(2) “Medical information” means any individually identifiable information, in electronic or physical form, regarding the individual’s medical history or medical treatment or diagnosis by a health care professional.

(3) “Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

(e) The provisions of this section do not apply to any of the following:

(1) A provider of health care, health care service plan, or contractor regulated by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1).

(2) A financial institution as defined in Section 4052 of the Financial Code and subject to the California Financial Information Privacy Act (Division 1.2 (commencing with Section 4050) of the Financial Code).

(3) A covered entity governed by the medical privacy and security rules issued by the federal Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Availability Act of 1996 (HIPAA).

(4) An entity that obtains information under an agreement pursuant to Article 3 (commencing with Section 1800) of Chapter 1 of Division 2 of the Vehicle Code and is subject to the confidentiality requirements of the Vehicle Code.

(5) A business that is regulated by state or federal law providing greater protection to personal information than that provided by this section in regard to the subjects addressed by this section. Compliance with that state or federal law shall be deemed compliance with this section with regard to those subjects. This paragraph does not relieve a business from a duty to comply with any other requirements of other state and federal law regarding the protection and privacy of personal information.

SEC. 4. Section 1798.82 of the Civil Code is amended to read:

1798.82. (a) A person or business that conducts business in California, and that owns or licenses computerized [deleted: or noncomputerized] data that includes personal information, shall disclose a breach of the security of the system following discovery or notification of the breach in the security of the data to a resident of California whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person [inserted: unless the data was encrypted in conformance with the Advanced Encryption Standard of the National Institute of Standards and Technology, Federal Information Processing Standards Publication 197, as amended from time to time]. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

(b) (1) A person or business that maintains computerized [deleted: or noncomputerized] data that includes personal information that the person or business does not own shall notify the owner or licensee of the information of the breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

(2) In addition to notifying the owner [inserted: or licensee] of the data, the person or business that maintains the data shall notify persons affected by the breach [deleted: within 15 days of the breach using the following methods:] [inserted: at the same time that notice is given to the owner or licensee by]

[deleted: (A) Email] [inserted: United States mail if the person or business has a mailing address for the subject persons or email] notice if the person or business has an email address for the subject persons. [inserted: If the subject persons cannot be notified by mail or email, the person or business shall provide notice by the following methods:]

[deleted: (B)] [inserted: (A)] Conspicuous posting of the notice on the Internet Web site page of the person or business, if the person or business maintains an Internet Web site page, for at least 30 days.

[deleted: (C)] [inserted: (B)] Notification to major statewide media.

(c) The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notification required by this section shall be made promptly after the law enforcement agency determines that it will not compromise the investigation.

(d) A person or business that is required to issue a security breach notification pursuant to this section shall meet all of the following requirements:

(1) The security breach notification shall be written in plain language.

(2) The security breach notification shall include, at a minimum, the following information:

(A) The name and contact information of the reporting person or business subject to this section.

(B) A list of the types of personal information that were or are reasonably believed to have been the subject of a breach.

(C) If the information is possible to determine at the time the notice is provided, then any of the following: (i) the date of the breach, (ii) the estimated date of the breach, or (iii) the date range within which the breach occurred. The notification shall also include the date of the notice.

(D) Whether notification was delayed as a result of a law enforcement investigation, if that information is possible to determine at the time the notice is provided.

(E) A general description of the breach incident, if that information is possible to determine at the time the notice is provided.

(F) The toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed a social security number or a driver’s license or California identification card number.

(G) If the person or business providing the notification was the source of the breach, an offer to provide appropriate identity theft prevention and mitigation services, [deleted: such as credit monitoring,] [inserted: if any,] shall be provided at no cost to the affected person for not less than 24 months, along with all information necessary to take advantage of the offer to any person whose information was or may have been breached if the breach exposed or may have exposed personal information defined in [inserted: subparagraphs (A) and (B) of] paragraph (1) of subdivision (h).

(3) At the discretion of the person or business, the security breach notification may also include any of the following:

(A) Information about what the person or business has done to protect individuals whose information has been breached.

(B) Advice on steps that the person whose information has been breached may take to protect himself or herself.

(4) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (h) for an online account, and no other personal information defined in paragraph (1) of subdivision (h), the person or business may comply with this section by providing the security breach notification in electronic or other form that directs the person whose personal information has been breached promptly to change his or her password and security question or answer, as applicable, or to take other steps appropriate to protect the online account with the person or business and all other online accounts for which the person whose personal information has been breached uses the same user name or email address and password or security question or answer.

(5) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (h) for login credentials of an email account furnished by the person or business, the person or business shall not comply with this section by providing the security breach notification to that email address, but may, instead, comply with this section by providing notice by another method described in subdivision (j) or by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an Internet Protocol address or online location from which the person or business knows the resident customarily accesses the account.

(e) A covered entity under the federal Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Sec. 1320d et seq.) will be deemed to have complied with the notice requirements in subdivision (d) if it has complied completely with Section 13402(f) of the federal Health Information Technology for Economic and Clinical Health Act (Public Law 111-5). However, nothing in this subdivision shall be construed to exempt a covered entity from any other provision of this section.

(f) A person or business that is required to issue a security breach notification pursuant to this section to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. A single sample copy of a security breach notification shall not be deemed to be within subdivision (f) of Section 6254 of the Government Code.

(g) For purposes of this section, “breach of the security of the system” means unauthorized acquisition of computerized [deleted: or noncomputerized] data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business. Good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.

(h) For purposes of this section, “personal information” means either of the following:

(1) An individual’s first name or first initial and last name in combination with any one or more of the following data elements[inserted: , when either the name or the data elements are not encrypted in conformance with the Advanced Encryption Standard of the National Institute of Standards and Technology, Federal Information Processing Standards Publication 197, as amended from time to time]:

(A) Social security number.

(B) Driver’s license number or California identification card number.

(C) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

(D) Medical information.

(E) Health insurance information.

(2) A user name or email address, in combination with a password or security question and answer that would permit access to an online account.

(i) (1) For purposes of this section, “personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

(2) For purposes of this section, “medical information” means any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.

(3) For purposes of this section, “health insurance information” means an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.

(j) For purposes of this section, “notice” may be provided by one of the following methods:

(1) Written notice.

(2) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code.

(3) Substitute notice, if the person or business demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000), or that the affected class of subject persons to be notified exceeds 500,000, or the person or business does not have sufficient contact information. Substitute notice shall consist of all of the following:

(A) Email notice when the person or business has an email address for the subject persons.

(B) Conspicuous posting of the notice on the Internet Web site page of the person or business, if the person or business maintains one.

(C) Notification to major statewide media.

(k) Notwithstanding subdivision (j), a person or business that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this part, shall be deemed to be in compliance with the notification requirements of this section if the person or business notifies subject persons in accordance with its policies in the event of a breach of security of the system.

SEC. 5. Section 1798.84 of the Civil Code is amended to read:

1798.84. (a) Any waiver of a provision of this title is contrary to public policy and is void and unenforceable.

[deleted: (b) In addition to any other available remedies for a violation of this title, a public prosecutor authorized pursuant to Section 17204 of the Business and Professions Code may bring an action to recover a civil penalty not exceeding five hundred dollars ($500) per violation, or, in the case of a willful, intentional, or reckless violation, a penalty not exceeding three thousand dollars ($3,000) per violation.]

[deleted: (c)] [inserted: (b)] Any customer injured by a violation of this title may institute a civil action to recover damages.

[deleted: (d)] [inserted: (c)] In addition, for a willful, intentional, or reckless violation of Section 1798.83, a customer may recover a civil penalty not to exceed three thousand dollars ($3,000) per violation; otherwise, the customer may recover a civil penalty of up to five hundred dollars ($500) per violation for a violation of Section 1798.83.

[deleted: (e)] [inserted: (d)] Unless the violation is willful, intentional, or reckless, a business that is alleged to have not provided all the information required by subdivision (a) of Section 1798.83, to have provided inaccurate information, failed to provide any of the information required by subdivision (a) of Section 1798.83, or failed to provide information in the time period required by subdivision (b) of Section 1798.83, may assert as a complete defense in any action in law or equity that it thereafter provided regarding the information that was alleged to be untimely, all the information, or accurate information, to all customers who were provided incomplete or inaccurate information, respectively, within 90 days of the date the business knew that it had failed to provide the information, timely information, all the information, or the accurate information, respectively.

[deleted: (f)] [inserted: (e)] Any business that violates, proposes to violate, or has violated this title may be enjoined.

[deleted: (g)] [inserted: (f)] (1) A cause of action shall not lie against a business for disposing of abandoned records containing personal information by shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means.

(2) The Legislature finds and declares that when records containing personal information are abandoned by a business, they often end up in the possession of a storage company or commercial landlord. It is the intent of the Legislature in paragraph (1) to create a safe harbor for such a record custodian who properly disposes of the records in accordance with paragraph (1).

[deleted: (h)] [inserted: (g)] A prevailing plaintiff in any action commenced under Section 1798.83 shall also be entitled to recover his or her reasonable attorney’s fees and costs.

[deleted: (i)] [inserted: (h)] The rights and remedies available under this section are cumulative to each other and to any other rights and remedies available under law.

SEC. 6.  

Section 1798.85 of the Civil Code is amended to read:

14

1798.85.  

(a) Except as provided in this section, a person or
15entity may not do any of the following:

16(1) Publicly post or publicly display in any manner an
17individual’s social security number. “Publicly post” or “publicly
18display” means to intentionally communicate or otherwise make
19available to the general public.

20(2) Print an individual’s social security number on any card
21required for the individual to access products or services provided
22by the person or entity.

23(3) Require an individual to transmit his or her social security
24number over the Internet, unless the connection is secure or the
25social security number is encrypted.

26(4) Require an individual to use his or her social security number
27to access an Internet Web site, unless a password or unique
28personal identification number or other authentication device is
29also required to access the Internet Web site.

30(5) Print an individual’s social security number on any materials
31that are mailed to the individual, unless state or federal law requires
32the social security number to be on the document to be mailed.
33Notwithstanding this paragraph, social security numbers may be
34included in applications and forms sent by mail, including
35documents sent as part of an application or enrollment process, or
36to establish, amend or terminate an account, contract or policy, or
37to confirm the accuracy of the social security number. A social
38security number that is permitted to be mailed under this section
39may not be printed, in whole or in part, on a postcard or other
P14   1 mailer not requiring an envelope, or visible on the envelope or
2without the envelope having been opened.

3(6) Sell, advertise for sale, or offer to sell an individual’s social
4security numberbegin insert except where the social security number is
5incidental to the transactionend insert
.

6(b) This section does not prevent the collection, use, or release
7of a social security number as required by state or federal law or
8the use of a social security number for internal verification or
9administrative purposes.

10(c) This section does not prevent an adult state correctional
11facility, an adult city jail, or an adult county jail from releasing an
12inmate’s social security number, with the inmate’s consent and
13upon request by the county veterans service officer or the United
14States Department of Veterans Affairs, for the purposes of
15determining the inmate’s status as a military veteran and his or her
16eligibility for federal, state, or local veterans’ benefits or services.

(d) This section does not apply to documents that are recorded or required to be open to the public pursuant to Chapter 3.5 (commencing with Section 6250), Chapter 14 (commencing with Section 7150) or Chapter 14.5 (commencing with Section 7220) of Division 7 of Title 1 of, Article 9 (commencing with Section 11120) of Chapter 1 of Part 1 of Division 3 of Title 2 of, or Chapter 9 (commencing with Section 54950) of Part 1 of Division 2 of Title 5 of, the Government Code. This section does not apply to records that are required by statute, case law, or California Rule of Court, to be made available to the public by entities provided for in Article VI of the California Constitution.

(e) (1) In the case of a health care service plan, a provider of health care, an insurer or a pharmacy benefits manager, a contractor as defined in Section 56.05, or the provision by any person or entity of administrative or other services relative to health care or insurance products or services, including third-party administration or administrative services only, this section shall become operative in the following manner:

(A) On or before January 1, 2003, the entities listed in paragraph (1) shall comply with paragraphs (1), (3), (4), and (5) of subdivision (a) as these requirements pertain to individual policyholders or individual contractholders.

(B) On or before January 1, 2004, the entities listed in paragraph (1) shall comply with paragraphs (1) to (5), inclusive, of subdivision (a) as these requirements pertain to new individual policyholders or new individual contractholders and new groups, including new groups administered or issued on or after January 1, 2004.

(C) On or before July 1, 2004, the entities listed in paragraph (1) shall comply with paragraphs (1) to (5), inclusive, of subdivision (a) for all individual policyholders and individual contractholders, for all groups, and for all enrollees of the Healthy Families and Medi-Cal programs, except that for individual policyholders, individual contractholders and groups in existence prior to January 1, 2004, the entities listed in paragraph (1) shall comply upon the renewal date of the policy, contract, or group on or after July 1, 2004, but no later than July 1, 2005.

(2) A health care service plan, a provider of health care, an insurer or a pharmacy benefits manager, a contractor, or another person or entity as described in paragraph (1) shall make reasonable efforts to cooperate, through systems testing and other means, to ensure that the requirements of this article are implemented on or before the dates specified in this section.

(3) Notwithstanding paragraph (2), the Director of the Department of Managed Health Care, pursuant to the authority granted under Section 1346 of the Health and Safety Code, or the Insurance Commissioner, pursuant to the authority granted under Section 12921 of the Insurance Code, and upon a determination of good cause, may grant extensions not to exceed six months for compliance by health care service plans and insurers with the requirements of this section when requested by the health care service plan or insurer. Any extension granted shall apply to the health care service plan or insurer’s affected providers, pharmacy benefits manager, and contractors.

(f) If a federal law takes effect requiring the United States Department of Health and Human Services to establish a national unique patient health identifier program, a provider of health care, a health care service plan, a licensed health care professional, or a contractor, as those terms are defined in Section 56.05, that complies with the federal law shall be deemed in compliance with this section.

(g) A person or entity may not encode or embed a social security number in or on a card or document, including, but not limited to, using a barcode, chip, magnetic strip, or other technology, in place of removing the social security number, as required by this section.

(h) This section shall become operative, with respect to the University of California, in the following manner:

(1) On or before January 1, 2004, the University of California shall comply with paragraphs (1), (2), and (3) of subdivision (a).

(2) On or before January 1, 2005, the University of California shall comply with paragraphs (4) and (5) of subdivision (a).

(i) This section shall become operative with respect to the Franchise Tax Board on January 1, 2007.

(j) This section shall become operative with respect to the California community college districts on January 1, 2007.

(k) This section shall become operative with respect to the California State University system on July 1, 2005.

(l) This section shall become operative, with respect to the California Student Aid Commission and its auxiliary organization, in the following manner:

(1) On or before January 1, 2004, the commission and its auxiliary organization shall comply with paragraphs (1), (2), and (3) of subdivision (a).

(2) On or before January 1, 2005, the commission and its auxiliary organization shall comply with paragraphs (4) and (5) of subdivision (a).

(m) In addition to any other available remedies for a violation of this title, a public prosecutor authorized pursuant to Section 17204 of the Business and Professions Code may bring an action to recover a civil penalty not exceeding five hundred dollars ($500) per violation.
