AB 1710, as amended, Dickinson. Personal information: privacy.
Existing law requires a person or business conducting business in California that owns or licenses computerized data that includes personal information, as defined, to disclose, as specified, a breach of the security of the system or data following discovery or notification of the security breach to any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
This bill would instead require a person or business conducting business in California that owns or licenses computerized data that contains personal information to disclose, as specified, a breach of the security of the system or data following discovery or notification of the security breach to any California resident whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person unless the data was encrypted, as specified. If the person or business was the source of the breach, the bill would require the person or business to offer to provide appropriate identity theft prevention and mitigation services, if any, to the affected person at no cost for not less than 24 months if the breach exposed or may have exposed specified personal information. The bill would also require a person or business that maintains but does not own the data to notify the persons affected at the same time that notice is given to the owner or licensee, as specified.
This bill would prohibit a person or business that sells goods or services to any resident of California and accepts as payment a credit card, debit card, or other payment device, from storing, retaining, sending, or failing to limit access to payment-related data, as defined, retaining a primary account number, or storing sensitive authentication data subsequent to an authorization, as specified, unless a specified exception applies. The bill would make a person or business liable for the reimbursement of all reasonable and actual costs of providing notice of a breach of the security of a system or data following discovery or notification of the security breach to any California resident whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person unless the data was encrypted, as specified, and for the reasonable and actual cost of card replacement as a result of a breach, to the owner or licensee of the information. The bill would authorize this liability to be excused, in whole or in part, if the person or business, can demonstrate compliance with specified provisions at the time of the breach.
end deleteExisting law requires a business that owns or licenses personal information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
This bill would expand these provisions to businesses that own, license, or maintain personal information about a California resident, as specified.
Existing law prohibits a person or entity, with specified exceptions, from publicly posting or displaying an individual’s social security number or doing certain other acts that might compromise the security of an individual’s social security number, unless otherwise required by federal or state law.
This bill would also, except as specified, prohibit the sale, advertisement for sale, or offer to sell of an individual’s social security number.begin delete The bill would, in addition to any other available remedies for a violation of these provisions, authorize a public prosecutor to bring an action to recover a civil penalty not exceeding $500 per violation.end delete
Vote: majority. Appropriation: no. Fiscal committee: no. State-mandated local program: no.
The people of the State of California do enact as follows:
Section 1724.4 is added to the Civil Code, to
2read:
(a) In addition to being subject to the provisions of
4Title 1.81 (commencing with Section 1798.80) of Part 4, a person
5or business that sells goods or services to any resident of California
6and accepts as payment a credit card, debit card, or other payment
7device shall not do any of the following:
8(1) Store payment-related data, unless the person or business
9complies with both of the following:
10(A) The person or business has a payment data retention and
11disposal policy that limits the amount of payment-related data and
12the time that data is retained to only the amount and time required
13for business, legal, or
regulatory purposes as explicitly documented
14in the policy.
15(B) The person or business retains payment-related data only
16for a time period and in a manner explicitly permitted by the policy.
17(2) Store sensitive authentication data subsequent to an
18authorization, even if that data is encrypted. Sensitive
19authentication data includes all of the following:
20(A) The full contents of any data track from a payment card or
21other payment device.
22(B) The card verification code or any value used to verify
23transactions when the payment device is not present.
24(C) The personal identification number (PIN) or the
encrypted
25PIN block.
26(3) Store any payment-related data that is not needed for
27business, legal, or regulatory purposes.
28(4) Store any of the following data elements:
29(A) Payment verification code.
30(B) Payment verification value.
31(C) PIN verification value.
32(5) Retain the primary account number unless retained in a
33manner consistent with the other requirements of this subdivision
P4 1and in a form that is unreadable and unusable by unauthorized
2persons anywhere it is stored.
3(6) Send payment-related data over open, public networks unless
4the data is encrypted using strong cryptography and security
5protocols or otherwise rendered indecipherable.
6(7) Fail to limit access to payment-related data to only those
7individuals whose job requires that access.
8(b) (1) This section shall not apply to any person or business
9subject to Sections 6801 to 6809, inclusive, of Title 15 of the
10United States Code and state
or federal statutes or regulations
11implementing those sections, if the person or business is subject
12to compliance oversight by a state or federal regulatory agency
13with respect to those sections.
14(2) Nothing in this section shall prohibit a person or business
15that sells goods or services to any California resident and accepts
16as payment a credit card, debit card, or other payment device from
17storing payment-related data for the sole purpose of processing
18ongoing or recurring payments, provided that the payment-related
19data is maintained in accordance with this section.
20(c) For purposes of this section, “payment-related data” means
21any computerized information described in subdivision (h) of
22Section 1798.82, whether individually or in combination with any
23other information
described in that paragraph.
Section 1724.6 is added to the Civil Code, to read:
(a) A person or business subject to Section 1724.4
26shall be liable for the reimbursement of all reasonable and actual
27costs of providing notice pursuant to subdivision (a) of Section
281798.82 and for the reasonable and actual cost of card replacement
29as a result of a breach described in that section, to the owner or
30licensee of the information.
31(b) The liability of a person or business subject to Section 1724.4
32to reimburse the owner or licensee may be excused, in whole or
33in part, if the person or business can demonstrate compliance with
34all provisions of Section 1724.4 at the time of the breach of security
35of the
system.
Section 1798.81.5 of the Civil Code is amended
38to read:
(a) (1) It is the intent of the Legislature to ensure
40that personal information about California residents is protected.
P5 1To that end, the purpose of this section is to encourage businesses
2that own, license, or maintain personal information about
3Californians to provide reasonable security for that information.
4(2) For the purpose of this section, the terms “own” and
5“license” include personal information that a business retains as
6part of the business’ internal customer account or for the purpose
7of using that information in transactions with the person to whom
8the information relates. The term “maintain” includes personal
9information
that a business maintains but does not own or license.
10(b) A business that owns, licenses, or maintains personal
11information about a California resident shall implement and
12maintain reasonable security procedures and practices appropriate
13to the nature of the information, to protect the personal information
14from unauthorized access, destruction, use, modification, or
15disclosure.
16(c) A business that discloses personal information about a
17California resident pursuant to a contract with a nonaffiliated third
18party that is not subject to subdivision (b) shall require by contract
19that the third party implement and maintain reasonable security
20procedures and practices appropriate to the nature of the
21information, to protect the personal information from unauthorized
22access,
destruction, use, modification, or disclosure.
23(d) For purposes of this section, the following terms have the
24following meanings:
25(1) “Personal information” means an individual’s first name or
26first initial and his or her last name in combination with any one
27or more of the following data elements, when either the name or
28the data elements are not encrypted or redacted:
29(A) Social security number.
30(B) Driver’s license number or California identification card
31number.
32(C) Account number, credit or debit card number, in
33combination with any required security code, access code, or
34password that
would permit access to an individual’s financial
35account.
36(D) Medical information.
37(2) “Medical information” means any individually identifiable
38information, in electronic or physical form, regarding the
39individual’s medical history or medical treatment or diagnosis by
40a health care professional.
P6 1(3) “Personal information” does not include publicly available
2information that is lawfully made available to the general public
3from federal, state, or local government records.
4(e) The provisions of this section do not apply to any of the
5following:
6(1) A provider of health care, health care service plan,
or
7contractor regulated by the Confidentiality of Medical Information
8Act (Part 2.6 (commencing with Section 56) of Division 1).
9(2) A financial institution as defined in Section 4052 of the
10Financial Code and subject to the California Financial Information
11Privacy Act (Division 1.2 (commencing with Section 4050) of the
12Financialbegin delete Code.end deletebegin insert Code).end insert
13(3) A covered entity governed by the medical privacy and
14security rules issued by the federal Department of Health and
15Human Services, Parts 160 and 164 of Title 45 of the Code of
16Federal Regulations, established pursuant to the Health Insurance
17Portability and
Availability Act of 1996 (HIPAA).
18(4) An entity that obtains information under an agreement
19pursuant to Article 3 (commencing with Section 1800) of Chapter
201 of Division 2 of the Vehicle Code and is subject to the
21confidentiality requirements of the Vehicle Code.
22(5) A business that is regulated by state or federal law providing
23greater protection to personal information than that provided by
24this section in regard to the subjects addressed by this section.
25Compliance with that state or federal law shall be deemed
26compliance with this section with regard to those subjects. This
27paragraph does not relieve a business from a duty to comply with
28any other requirements of other state and federal law regarding
29the protection and privacy of personal
information.
Section 1798.82 of the Civil Code is amended to read:
(a) A person or business that conducts business in
33California, and that owns or licenses computerized data that
34includes personal information, shall disclose a breach of the
35security of the system following discovery or notification of the
36breach in the security of the data to a resident of California whose
37personal information was, or is reasonably believed to have been,
38acquired by an unauthorized person unless the data was encrypted
39in conformance with the Advanced Encryption Standard of the
40National Institute of Standards and Technology, Federal
P7 1Information Processing Standards Publication 197, as amended
2from time to time. The disclosure shall be made in the most
3expedient time possible and without unreasonable delay, consistent
4
with the legitimate needs of law enforcement, as provided in
5subdivision (c), or any measures necessary to determine the scope
6of the breach and restore the reasonable integrity of the data system.
7(b) (1) A person or business that maintains computerized data
8that includes personal information that the person or business does
9not own shall notify the owner or licensee of the information of
10the breach of the security of the data immediately following
11discovery, if the personal information was, or is reasonably
12believed to have been, acquired by an unauthorized person.
13(2) In addition to notifying the owner or licensee of the data,
14the person or business that maintains the data shall notify persons
15affected by the breach at the same time that notice
is given to the
16owner or licensee by
17
United States mail if the person or business has a mailing address
18for the subject persons or email notice if the person or business
19has an email address for the subject persons. If the subject persons
20cannot be notified by mail or email, the person or business shall
21provide notice by the following methods:
22(A) Conspicuous posting of the notice on the Internet Web site
23page of the person or business, if the person or business maintains
24an Internet Web site page, for at least 30 days.
25(B) Notification to major statewide media.
26(c) The notification required by this section may be delayed if
27a law enforcement agency determines that the notification will
28impede a criminal investigation. The notification required
by this
29section shall be made promptly after the law enforcement agency
30determines that it will not compromise the investigation.
31(d) A person or business that is required to issue a security
32breach notification pursuant to this section shall meet all of the
33following requirements:
34(1) The security breach notification shall be written in plain
35language.
36(2) The security breach notification shall include, at a minimum,
37the following information:
38(A) The name and contact information of the reporting person
39or business subject to this section.
P8 1(B) A list of the types of personal information that were or
are
2reasonably believed to have been the subject of a breach.
3(C) If the information is possible to determine at the time the
4notice is provided, then any of the following: (i) the date of the
5breach, (ii) the estimated date of the breach, or (iii) the date range
6within which the breach occurred. The notification shall also
7include the date of the notice.
8(D) Whether notification was delayed as a result of a law
9enforcement investigation, if that information is possible to
10determine at the time the notice is provided.
11(E) A general description of the breach incident, if that
12information is possible to determine at the time the notice is
13provided.
14(F) The toll-free telephone numbers and addresses of the major
15credit reporting agencies if the breach exposed a social security
16number or a driver’s license or California identification card
17number.
18(G) If the person or business providing the notification was the
19source of the breach, an offer to provide appropriate identity theft
20prevention and mitigation services, if any, shall be provided at no
21cost to the affected person for not less than 24 months, along with
22all information necessary to take advantage of the offer to any
23person whose information was or may have been breached if the
24breach exposed or may have exposed personal information defined
25in subparagraphs (A) and (B) of paragraph (1) of subdivision (h).
26(3) At the discretion of the person or
business, the security
27breach notification may also include any of the following:
28(A) Information about what the person or business has done to
29protect individuals whose information has been breached.
30(B) Advice on steps that the person whose information has been
31breached may take to protect himself or herself.
32(4) In the case of a breach of the security of the system involving
33personal information defined in paragraph (2) of subdivision (h)
34for an online account, and no other personal information defined
35in paragraph (1) of subdivision (h), the person or business may
36comply with this section by providing the security breach
37notification in electronic or other form that directs the person whose
38personal information has been
breached promptly to change his
39or her password and security question or answer, as applicable, or
40to take other steps appropriate to protect the online account with
P9 1the person or business and all other online accounts for which the
2person whose personal information has been breached uses the
3same user name or email address and password or security question
4or answer.
5(5) In the case of a breach of the security of the system involving
6personal information defined in paragraph (2) of subdivision (h)
7for login credentials of an email account furnished by the person
8or business, the person or business shall not comply with this
9section by providing the security breach notification to that email
10address, but may, instead, comply with this section by providing
11notice by another method described in subdivision (j) or by clear
12and
conspicuous notice delivered to the resident online when the
13resident is connected to the online account from an Internet
14Protocol address or online location from which the person or
15business knows the resident customarily accesses the account.
16(e) A covered entity under the federal Health Insurance
17Portability and Accountability Act of 1996 (42 U.S.C. Sec. 1320d
18et seq.) will be deemed to have complied with the notice
19requirements in subdivision (d) if it has complied completely with
20Section 13402(f) of the federal Health Information Technology
21for Economic and Clinical Health Act (Public Law 111-5).
22However, nothing in this subdivision shall be construed to exempt
23a covered entity from any other provision of this section.
24(f) A person or business that is required to issue a security
breach
25
notification pursuant to this section to more than 500 California
26residents as a result of a single breach of the security system shall
27electronically submit a single sample copy of that security breach
28notification, excluding any personally identifiable information, to
29the Attorney General. A single sample copy of a security breach
30notification shall not be deemed to be within subdivision (f) of
31Section 6254 of the Government Code.
32(g) For purposes of this section, “breach of the security of the
33system” means unauthorized acquisition of computerized data that
34compromises the security, confidentiality, or integrity of personal
35information maintained by the person or business. Good faith
36acquisition of personal information by an employee or agent of
37the person or business for the purposes of the person or business
38is not a
breach of the security of the system, provided that the
39personal information is not used or subject to further unauthorized
40disclosure.
P10 1(h) For purposes of this section, “personal information” means
2either of the following:
3(1) An individual’s first name or first initial and last name in
4combination with any one or more of the following data elements,
5when either the name or the data elements are not encrypted in
6conformance with the Advanced Encryption Standard of the
7National Institute of Standards and Technology, Federal
8
Information Processing Standards Publication 197, as amended
9from time to time:
10(A) Social security number.
11(B) Driver’s license number or California identification card
12number.
13(C) Account number, credit or debit card number, in
14combination with any required security code, access code, or
15password that would permit access to an individual’s financial
16account.
17(D) Medical information.
18(E) Health insurance information.
19(2) A user name or email address, in combination with a
20password or security question and answer
that would permit access
21to an online account.
22(i) (1) For purposes of this section, “personal information” does
23not include publicly available information that is lawfully made
24available to the general public from federal, state, or local
25government records.
26(2) For purposes of this section, “medical information” means
27any information regarding an individual’s medical history, mental
28or physical condition, or medical treatment or diagnosis by a health
29care professional.
30(3) For purposes of this section, “health insurance information”
31means an individual’s health insurance policy number or subscriber
32identification number, any unique identifier used by a health insurer
33to identify the
individual, or any information in an individual’s
34application and claims history, including any appeals records.
35(j) For purposes of this section, “notice” may be provided by
36one of the following methods:
37(1) Written notice.
38(2) Electronic notice, if the notice provided is consistent with
39the provisions regarding electronic records and signatures set forth
40in Section 7001 of Title 15 of the United States Code.
P11 1(3) Substitute notice, if the person or business demonstrates that
2the cost of providing notice would exceed two hundred fifty
3thousand dollars ($250,000), or that the affected class of subject
4persons to be notified exceeds 500,000, or the person or business
5does
not have sufficient contact information. Substitute notice
6shall consist of all of the following:
7(A) Email notice when the person or business has an email
8address for the subject persons.
9(B) Conspicuous posting of the notice on the Internet Web site
10page of the person or business, if the person or business maintains
11one.
12(C) Notification to major statewide media.
13(k) Notwithstanding subdivision (j), a person or business that
14maintains its own notification procedures as part of an information
15security policy for the treatment of personal information and is
16otherwise consistent with the timing requirements of this part, shall
17be deemed to be in compliance
with the notification requirements
18of this section if the person or business notifies subject persons in
19accordance with its policies in the event of a breach of security of
20the system.
Section 1798.84 of the Civil Code is amended to read:
(a) Any waiver of a provision of this title is contrary
23to public policy and is void and unenforceable.
24(b) Any customer injured by a violation of this title may institute
25a civil action to recover damages.
26(c) In addition, for a willful, intentional, or reckless violation
27of Section 1798.83, a customer may recover a civil penalty not to
28exceed three thousand dollars ($3,000) per violation; otherwise,
29the customer may recover a civil penalty of up to five hundred
30dollars ($500) per violation for a violation of Section 1798.83.
31(d) Unless the violation is
willful, intentional, or reckless, a
32business that is alleged to have not provided all the information
33required by subdivision (a) of Section 1798.83, to have provided
34inaccurate information, failed to provide any of the information
35required by subdivision (a) of Section 1798.83, or failed to provide
36information in the time period required by subdivision (b) of
37Section 1798.83, may assert as a complete defense in any action
38in law or equity that it thereafter provided regarding the information
39that was alleged to be untimely, all the information, or accurate
40information, to all customers who were provided incomplete or
P12 1inaccurate information, respectively, within 90 days of the date
2the business knew that it had failed to provide the information,
3timely information, all the information, or the accurate information,
4respectively.
5(e) Any business that violates, proposes to violate, or has
6violated this title may be enjoined.
7(f) (1) A cause of action shall not lie against a business for
8disposing of abandoned records containing personal information
9by shredding, erasing, or otherwise modifying the personal
10
information in the records to make it unreadable or undecipherable
11through any means.
12(2) The Legislature finds and declares that when records
13containing personal information are abandoned by a business, they
14often end up in the possession of a storage company or commercial
15landlord. It is the intent of the Legislature in paragraph (1) to create
16a safe harbor for such a record custodian who properly disposes
17of the records in accordance with paragraph (1).
18(g) A prevailing plaintiff in any action commenced under
19Section 1798.83 shall also be entitled to recover his or her
20reasonable attorney’s fees and costs.
21(h) The rights and remedies available under this section are
22cumulative to each other and to any
other rights and remedies
23available under law.
Section 1798.85 of the Civil Code is amended to read:
(a) Except as provided in this section, a person or
27entity may not do any of the following:
28(1) Publicly post or publicly display in any manner an
29individual’s social security number. “Publicly post” or “publicly
30display” means to intentionally communicate or otherwise make
31available to the general public.
32(2) Print an individual’s social security number on any card
33required for the individual to access products or services provided
34by the person or entity.
35(3) Require an individual to transmit his or her social security
36number over the Internet, unless the
connection is secure or the
37social security number is encrypted.
38(4) Require an individual to use his or her social security number
39to access an Internet Web site, unless a password or unique
P13 1personal identification number or other authentication device is
2also required to access the Internet Web site.
3(5) Print an individual’s social security number on any materials
4that are mailed to the individual, unless state or federal law requires
5the social security number to be on the document to be mailed.
6Notwithstanding this paragraph, social security numbers may be
7included in applications and forms sent by mail, including
8documents sent as part of an application or enrollment process, or
9to establish, amend or terminate an account, contract or policy, or
10to confirm the accuracy of
the social security number. A social
11security number that is permitted to be mailed under this section
12may not be printed, in whole or in part, on a postcard or other
13
mailer not requiring an envelope, or visible on the envelope or
14without the envelope having been opened.
15(6) Sell, advertise for sale, or offer to sell an individual’s social
16security numberbegin delete except where the social security number is .begin insert For purposes of this paragraph, the
17incidental to the transactionend delete
18following apply:end insert
19 (A) “Sell” shall not include the release of an individual’s social
20security number if the release of the social security number is
21incidental to a larger transaction and is necessary to identify the
22individual in order to accomplish a legitimate
business purpose.
23(B) The release of a social security number for the purpose of
24marketing is not a legitimate business purpose.
25(b) This section does not prevent the collection, use, or release
26of a social security number as required by state or federal law or
27the use of a social security number for internal verification or
28administrative purposes.
29(c) This section does not prevent an adult state correctional
30facility, an adult city jail, or an adult county jail from releasing an
31inmate’s social security number, with the inmate’s consent and
32upon request by the county veterans service officer or the United
33States Department of Veterans Affairs, for the purposes of
34determining the inmate’s status as a military veteran
and his or her
35eligibility for federal, state, or local veterans’ benefits or services.
36(d) This section does not apply to documents that are recorded
37or required to be open to the public pursuant to Chapter 3.5
38(commencing with Section 6250), Chapter 14 (commencing with
39Section 7150) or Chapter 14.5 (commencing with Section 7220)
40of Division 7 of Title 1 of, Article 9 (commencing with Section
P14 111120) of Chapter 1 of Part 1 of Division 3 of Title 2 of, or Chapter
29 (commencing with Section 54950) of Part 1 of Division 2 of
3Title 5 of, the Government Code. This section does not apply to
4records that are required by statute, case law, or California Rule
5of Court, to be made available to the public by entities provided
6for in Article VI of the California Constitution.
7(e) (1) In the case of a health care service plan, a provider of
8health care, an insurer or a pharmacy benefits manager, a contractor
9as defined in Section 56.05, or the provision by any person or
10entity of administrative or other services relative to health care or
11insurance products or services, including third-party administration
12or administrative services only, this section shall become operative
13in the following manner:
14(A) On or before January 1, 2003, the entities listed in paragraph
15(1) shall comply with paragraphs (1), (3), (4), and (5) of subdivision
16(a) as these requirements pertain to individual policyholders or
17individual contractholders.
18(B) On or before January 1, 2004, the entities listed in paragraph
19(1) shall comply with paragraphs (1) to (5), inclusive, of
20subdivision
(a) as these requirements pertain to new individual
21policyholders or new individual contractholders and new groups,
22
including new groups administered or issued on or after January
231, 2004.
24(C) On or before July 1, 2004, the entities listed in paragraph
25(1) shall comply with paragraphs (1) to (5), inclusive, of
26subdivision (a) for all individual policyholders and individual
27contractholders, for all groups, and for all enrollees of the Healthy
28Families and Medi-Cal programs, except that for individual
29policyholders, individual contractholders and groups in existence
30prior to January 1, 2004, the entities listed in paragraph (1) shall
31comply upon the renewal date of the policy, contract, or group on
32or after July 1, 2004, but no later than July 1, 2005.
33(2) A health care service plan, a provider of health care, an
34insurer or a pharmacy benefits manager, a contractor, or another
35person
or entity as described in paragraph (1) shall make reasonable
36efforts to cooperate, through systems testing and other means, to
37ensure that the requirements of this article are implemented on or
38before the dates specified in this section.
39(3) Notwithstanding paragraph (2), the Director of the
40Department of Managed Health Care, pursuant to the authority
P15 1granted under Section 1346 of the Health and Safety Code, or the
2Insurance Commissioner, pursuant to the authority granted under
3Section 12921 of the Insurance Code, and upon a determination
4of good cause, may grant extensions not to exceed six months for
5compliance by health care service plans and insurers with the
6requirements of this section when requested by the health care
7service plan or insurer. Any extension granted shall apply to the
8health care service plan or insurer’s affected
providers, pharmacy
9benefits manager, and contractors.
10(f) If a federal law takes effect requiring the United States
11Department of Health and Human Services to establish a national
12unique patient health identifier program, a provider of health care,
13a health care service plan, a licensed health care professional, or
14a contractor, as those terms are defined in Section 56.05, that
15complies with the federal law shall be deemed in compliance with
16this section.
17(g) A person or entity may not encode or embed a social security
18number in or on a card or document, including, but not limited to,
19using a barcode, chip, magnetic strip, or other technology, in place
20of removing the social security number, as required by this section.
21(h) This section shall become operative, with respect to the
22University of California, in the following manner:
23(1) On or before January 1, 2004, the University of California
24shall comply with paragraphs (1), (2), and (3) of subdivision (a).
25(2) On or before January 1, 2005, the University of California
26shall comply with paragraphs (4) and (5) of subdivision (a).
27(i) This section shall become operative with respect to the
28Franchise Tax Board on January 1, 2007.
29(j) This section shall become operative with respect to the
30California community college districts on January 1, 2007.
31(k) This section shall
become operative with respect to the
32California State University system on July 1, 2005.
33(l) This section shall become operative, with respect to the
34California Student Aid Commission and its auxiliary organization,
35in the following manner:
36(1) On or before January 1, 2004, the commission and its
37auxiliary organization shall comply with paragraphs (1), (2), and
38(3) of subdivision (a).
P16 1(2) On or before January 1, 2005, the commission and its
2auxiliary organization shall comply with paragraphs (4) and (5)
3of subdivision (a).
4(m) In addition to any other available remedies for a violation
5of this title, a public prosecutor authorized pursuant to
Section
617204 of the Business and Professions Code may bring an action
7to recover a civil penalty not exceeding five hundred dollars ($500)
8per violation.
O
96