Assembly BillNo. 1710

3

1798.81.5.  

(a) (1) It is the intent of the Legislature to ensure
4that personal information about California residents is protected.
5To that end, the purpose of this section is to encourage businesses
6that own, license, or maintain personal information about
7Californians to provide reasonable security for that information.

8(2) For the purpose of this section, the terms “own” and
9“license” include personal information that a business retains as
10part of the business’ internal customer account or for the purpose
11of using that information in transactions with the person to whom
P3    1the information relates. The term “maintain” includes personal
2information that a business maintains but does not own or license.

3(b) A business that owns, licenses, or maintains personal
4information about a California resident shall implement and
5maintain reasonable security procedures and practices appropriate
6to the nature of the information, to protect the personal information
7from unauthorized access, destruction, use, modification, or
8disclosure.

9(c) A business that discloses personal information about a
10California resident pursuant to a contract with a nonaffiliated third
11party that is not subject to subdivision (b) shall require by contract
12that the third party implement and maintain reasonable security
13procedures and practices appropriate to the nature of the
14information, to protect the personal information from unauthorized
15access, destruction, use, modification, or disclosure.

16(d) For purposes of this section, the following terms have the
17following meanings:

18(1) “Personal information” means an individual’s first name or
19first initial and his or her last name in combination with any one
20or more of the following data elements, when either the name or
21the data elements are not encrypted or redacted:

22(A) Social security number.

23(B) Driver’s license number or California identification card
24number.

25(C) Account number, credit or debit card number, in
26combination with any required security code, access code, or
27password that would permit access to an individual’s financial
28account.

29(D) Medical information.

30(2) “Medical information” means any individually identifiable
31information, in electronic or physical form, regarding the
32individual’s medical history or medical treatment or diagnosis by
33a health care professional.

34(3) “Personal information” does not include publicly available
35information that is lawfully made available to the general public
36from federal, state, or local government records.

37(e) The provisions of this section do not apply to any of the
38following:

P4    1(1) A provider of health care, health care service plan, or
2contractor regulated by the Confidentiality of Medical Information
3Act (Part 2.6 (commencing with Section 56) of Division 1).

4(2) A financial institution as defined in Section 4052 of the
5Financial Code and subject to the California Financial Information
6Privacy Act (Division 1.2 (commencing with Section 4050) of the
7Financial Code).

8(3) A covered entity governed by the medical privacy and
9security rules issued by the federal Department of Health and
10Human Services, Parts 160 and 164 of Title 45 of the Code of
11Federal Regulations, established pursuant to the Health Insurance
12Portability and Availability Act of 1996 (HIPAA).

13(4) An entity that obtains information under an agreement
14pursuant to Article 3 (commencing with Section 1800) of Chapter
151 of Division 2 of the Vehicle Code and is subject to the
16confidentiality requirements of the Vehicle Code.

17(5) A business that is regulated by state or federal law providing
18greater protection to personal information than that provided by
19this section in regard to the subjects addressed by this section.
20Compliance with that state or federal law shall be deemed
21compliance with this section with regard to those subjects. This
22paragraph does not relieve a business from a duty to comply with
23any other requirements of other state and federal law regarding
24the protection and privacy of personal information.

26

1798.82.  

(a) A person or business that conducts business in
27California, and that owns or licenses computerized data that
28includes personal information, shall disclose a breach of the
29security of the system following discovery or notification of the
30breach in the security of the data to a resident of California whose
31personal information was, or is reasonably believed to have been,
32acquired by an unauthorized person unless the data was encrypted
33in conformance with the Advanced Encryption Standard of the
34National Institute of Standards and Technology, Federal
35Information Processing Standards Publication 197, as amended
36from time to time. The disclosure shall be made in the most
37expedient time possible and without unreasonable delay, consistent
38with the legitimate needs of law enforcement, as provided in
39subdivision (c), or any measures necessary to determine the scope
40of the breach and restore the reasonable integrity of the data system.

P5    1(b) (1) A person or business that maintains computerized data
2that includes personal information that the person or business does
3not own shall notify the owner or licensee of the information of
4the breach of the security of the data immediately following
5discovery, if the personal information was, or is reasonably
6believed to have been, acquired by an unauthorized person.

7(2) In addition to notifying the owner or licensee of the data,
8the person or business that maintains the data shall notify persons
9affected by the breach at the same time that notice is given to the
10owner or licensee by United States mail if the person or business
11has a mailing address for the subject persons or email notice if the
12person or business has an email address for the subject persons. If
13the subject persons cannot be notified by mail or email, the person
14or business shall provide notice by the following methods:

15(A) Conspicuous posting of the notice on the Internet Web site
16page of the person or business, if the person or business maintains
17an Internet Web site page, for at least 30 days.

18(B) Notification to major statewide media.

19(c) The notification required by this section may be delayed if
20a law enforcement agency determines that the notification will
21impede a criminal investigation. The notification required by this
22section shall be made promptly after the law enforcement agency
23determines that it will not compromise the investigation.

24(d) A person or business that is required to issue a security
25breach notification pursuant to this section shall meet all of the
26following requirements:

27(1) The security breach notification shall be written in plain
28language.

29(2) The security breach notification shall include, at a minimum,
30the following information:

31(A) The name and contact information of the reporting person
32or business subject to this section.

33(B) A list of the types of personal information that were or are
34reasonably believed to have been the subject of a breach.

35(C) If the information is possible to determine at the time the
36notice is provided, then any of the following: (i) the date of the
37breach, (ii) the estimated date of the breach, or (iii) the date range
38within which the breach occurred. The notification shall also
39include the date of the notice.

P6    1(D) Whether notification was delayed as a result of a law
2enforcement investigation, if that information is possible to
3determine at the time the notice is provided.

4(E) A general description of the breach incident, if that
5information is possible to determine at the time the notice is
6provided.

7(F) The toll-free telephone numbers and addresses of the major
8credit reporting agencies if the breach exposed a social security
9number or a driver’s license or California identification card
10number.

11(G) If the person or business providing the notification was the
12source of the breach, an offer to provide appropriate identity theft
13prevention and mitigation services, if any, shall be provided at no
14cost to the affected person for not less than 24 months, along with
15all information necessary to take advantage of the offer to any
16person whose information was or may have been breached if the
17breach exposed or may have exposed personal information defined
18in subparagraphs (A) and (B) of paragraph (1) of subdivision (h).

19(3) At the discretion of the person or business, the security
20breach notification may also include any of the following:

21(A) Information about what the person or business has done to
22protect individuals whose information has been breached.

23(B) Advice on steps that the person whose information has been
24breached may take to protect himself or herself.

25(4) In the case of a breach of the security of the system involving
26personal information defined in paragraph (2) of subdivision (h)
27for an online account, and no other personal information defined
28in paragraph (1) of subdivision (h), the person or business may
29comply with this section by providing the security breach
30notification in electronic or other form that directs the person whose
31personal information has been breached promptly to change his
32or her password and security question or answer, as applicable, or
33to take other steps appropriate to protect the online account with
34the person or business and all other online accounts for which the
35person whose personal information has been breached uses the
36same user name or email address and password or security question
37or answer.

38(5) In the case of a breach of the security of the system involving
39personal information defined in paragraph (2) of subdivision (h)
40for login credentials of an email account furnished by the person
P7    1or business, the person or business shall not comply with this
2section by providing the security breach notification to that email
3address, but may, instead, comply with this section by providing
4notice by another method described in subdivision (j) or by clear
5and conspicuous notice delivered to the resident online when the
6resident is connected to the online account from an Internet
7Protocol address or online location from which the person or
8business knows the resident customarily accesses the account.

9(e) A covered entity under the federal Health Insurance
10Portability and Accountability Act of 1996 (42 U.S.C. Sec. 1320d
11et seq.) will be deemed to have complied with the notice
12requirements in subdivision (d) if it has complied completely with
13Section 13402(f) of the federal Health Information Technology
14for Economic and Clinical Health Act (Public Law 111-5).
15However, nothing in this subdivision shall be construed to exempt
16a covered entity from any other provision of this section.

17(f) A person or business that is required to issue a security breach
18notification pursuant to this section to more than 500 California
19residents as a result of a single breach of the security system shall
20electronically submit a single sample copy of that security breach
21notification, excluding any personally identifiable information, to
22the Attorney General. A single sample copy of a security breach
23notification shall not be deemed to be within subdivision (f) of
24Section 6254 of the Government Code.

25(g) For purposes of this section, “breach of the security of the
26system” means unauthorized acquisition of computerized data that
27compromises the security, confidentiality, or integrity of personal
28information maintained by the person or business. Good faith
29acquisition of personal information by an employee or agent of
30the person or business for the purposes of the person or business
31is not a breach of the security of the system, provided that the
32personal information is not used or subject to further unauthorized
33disclosure.

34(h) For purposes of this section, “personal information” means
35either of the following:

36(1) An individual’s first name or first initial and last name in
37combination with any one or more of the following data elements,
38when either the name or the data elements are not encrypted in
39conformance with the Advanced Encryption Standard of the
40National Institute of Standards and Technology, Federal
P8    1Information Processing Standards Publication 197, as amended
2from time to time:

3(A) Social security number.

4(B) Driver’s license number or California identification card
5number.

6(C) Account number, credit or debit card number, in
7combination with any required security code, access code, or
8password that would permit access to an individual’s financial
9account.

10(D) Medical information.

11(E) Health insurance information.

12(2) A user name or email address, in combination with a
13password or security question and answer that would permit access
14to an online account.

15(i) (1) For purposes of this section, “personal information” does
16not include publicly available information that is lawfully made
17available to the general public from federal, state, or local
18government records.

19(2) For purposes of this section, “medical information” means
20any information regarding an individual’s medical history, mental
21or physical condition, or medical treatment or diagnosis by a health
22care professional.

23(3) For purposes of this section, “health insurance information”
24means an individual’s health insurance policy number or subscriber
25identification number, any unique identifier used by a health insurer
26to identify the individual, or any information in an individual’s
27application and claims history, including any appeals records.

28(j) For purposes of this section, “notice” may be provided by
29one of the following methods:

30(1) Written notice.

31(2) Electronic notice, if the notice provided is consistent with
32the provisions regarding electronic records and signatures set forth
33in Section 7001 of Title 15 of the United States Code.

34(3) Substitute notice, if the person or business demonstrates that
35the cost of providing notice would exceed two hundred fifty
36thousand dollars ($250,000), or that the affected class of subject
37persons to be notified exceeds 500,000, or the person or business
38does not have sufficient contact information. Substitute notice
39shall consist of all of the following:

P9    1(A) Email notice when the person or business has an email
2address for the subject persons.

3(B) Conspicuous posting of the notice on the Internet Web site
4page of the person or business, if the person or business maintains
5one.

6(C) Notification to major statewide media.

7(k) Notwithstanding subdivision (j), a person or business that
8maintains its own notification procedures as part of an information
9security policy for the treatment of personal information and is
10otherwise consistent with the timing requirements of this part, shall
11be deemed to be in compliance with the notification requirements
12of this section if the person or business notifies subject persons in
13accordance with its policies in the event of a breach of security of
14the system.

16

1798.85.  

(a) Except as provided in this section, a person or
17entity may not do any of the following:

18(1) Publicly post or publicly display in any manner an
19individual’s social security number. “Publicly post” or “publicly
20display” means to intentionally communicate or otherwise make
21available to the general public.

22(2) Print an individual’s social security number on any card
23required for the individual to access products or services provided
24by the person or entity.

25(3) Require an individual to transmit his or her social security
26number over the Internet, unless the connection is secure or the
27social security number is encrypted.

28(4) Require an individual to use his or her social security number
29to access an Internet Web site, unless a password or unique
30personal identification number or other authentication device is
31also required to access the Internet Web site.

32(5) Print an individual’s social security number on any materials
33that are mailed to the individual, unless state or federal law requires
34the social security number to be on the document to be mailed.
35Notwithstanding this paragraph, social security numbers may be
36included in applications and forms sent by mail, including
37documents sent as part of an application or enrollment process, or
38to establish, amend or terminate an account, contract or policy, or
39to confirm the accuracy of the social security number. A social
40security number that is permitted to be mailed under this section
P10   1may not be printed, in whole or in part, on a postcard or other
2 mailer not requiring an envelope, or visible on the envelope or
3without the envelope having been opened.

4(6) Sell, advertise for sale, or offer to sell an individual’s social
5security number. For purposes of this paragraph, the following
6apply:

7 (A) “Sell” shall not include the release of an individual’s social
8security number if the release of the social security number is
9incidental to a larger transaction and is necessary to identify the
10individual in order to accomplish a legitimate business purpose.

11(B) The release of a social security number for the purpose of
12marketing is not a legitimate business purpose.

begin insert

13(C) “Sell” shall not include the release of an individual’s social
14security number for a purpose specifically authorized or
15specifically allowed by federal or state law.

end insert

16(b) This section does not prevent the collection, use, or release
17of a social security number as required by state or federal law or
18the use of a social security number for internal verification or
19administrative purposes.

20(c) This section does not prevent an adult state correctional
21facility, an adult city jail, or an adult county jail from releasing an
22inmate’s social security number, with the inmate’s consent and
23upon request by the county veterans service officer or the United
24States Department of Veterans Affairs, for the purposes of
25determining the inmate’s status as a military veteran and his or her
26eligibility for federal, state, or local veterans’ benefits or services.

27(d) This section does not apply to documents that are recorded
28or required to be open to the public pursuant to Chapter 3.5
29(commencing with Section 6250), Chapter 14 (commencing with
30Section 7150) or Chapter 14.5 (commencing with Section 7220)
31of Division 7 of Title 1 of, Article 9 (commencing with Section
3211120) of Chapter 1 of Part 1 of Division 3 of Title 2 of, or Chapter
339 (commencing with Section 54950) of Part 1 of Division 2 of
34Title 5 of, the Government Code. This section does not apply to
35records that are required by statute, case law, or California Rule
36of Court, to be made available to the public by entities provided
37for in Article VI of the California Constitution.

38(e) (1) In the case of a health care service plan, a provider of
39health care, an insurer or a pharmacy benefits manager, a contractor
40as defined in Section 56.05, or the provision by any person or
P11   1entity of administrative or other services relative to health care or
2insurance products or services, including third-party administration
3or administrative services only, this section shall become operative
4in the following manner:

5(A) On or before January 1, 2003, the entities listed in paragraph
6(1) shall comply with paragraphs (1), (3), (4), and (5) of subdivision
7(a) as these requirements pertain to individual policyholders or
8individual contractholders.

9(B) On or before January 1, 2004, the entities listed in paragraph
10(1) shall comply with paragraphs (1) to (5), inclusive, of
11subdivision (a) as these requirements pertain to new individual
12policyholders or new individual contractholders and new groups,
13including new groups administered or issued on or after January
141, 2004.

15(C) On or before July 1, 2004, the entities listed in paragraph
16(1) shall comply with paragraphs (1) to (5), inclusive, of
17subdivision (a) for all individual policyholders and individual
18contractholders, for all groups, and for all enrollees of the Healthy
19Families and Medi-Cal programs, except that for individual
20policyholders, individual contractholders and groups in existence
21prior to January 1, 2004, the entities listed in paragraph (1) shall
22comply upon the renewal date of the policy, contract, or group on
23or after July 1, 2004, but no later than July 1, 2005.

24(2) A health care service plan, a provider of health care, an
25insurer or a pharmacy benefits manager, a contractor, or another
26person or entity as described in paragraph (1) shall make reasonable
27efforts to cooperate, through systems testing and other means, to
28ensure that the requirements of this article are implemented on or
29before the dates specified in this section.

30(3) Notwithstanding paragraph (2), the Director of the
31Department of Managed Health Care, pursuant to the authority
32granted under Section 1346 of the Health and Safety Code, or the
33Insurance Commissioner, pursuant to the authority granted under
34Section 12921 of the Insurance Code, and upon a determination
35of good cause, may grant extensions not to exceed six months for
36compliance by health care service plans and insurers with the
37requirements of this section when requested by the health care
38service plan or insurer. Any extension granted shall apply to the
39health care service plan or insurer’s affected providers, pharmacy
40benefits manager, and contractors.

P12   1(f) If a federal law takes effect requiring the United States
2Department of Health and Human Services to establish a national
3unique patient health identifier program, a provider of health care,
4a health care service plan, a licensed health care professional, or
5a contractor, as those terms are defined in Section 56.05, that
6complies with the federal law shall be deemed in compliance with
7this section.

8(g) A person or entity may not encode or embed a social security
9number in or on a card or document, including, but not limited to,
10using a barcode, chip, magnetic strip, or other technology, in place
11of removing the social security number, as required by this section.

12(h) This section shall become operative, with respect to the
13University of California, in the following manner:

14(1) On or before January 1, 2004, the University of California
15shall comply with paragraphs (1), (2), and (3) of subdivision (a).

16(2) On or before January 1, 2005, the University of California
17shall comply with paragraphs (4) and (5) of subdivision (a).

18(i) This section shall become operative with respect to the
19Franchise Tax Board on January 1, 2007.

20(j) This section shall become operative with respect to the
21California community college districts on January 1, 2007.

22(k) This section shall become operative with respect to the
23California State University system on July 1, 2005.

24(l) This section shall become operative, with respect to the
25California Student Aid Commission and its auxiliary organization,
26in the following manner:

27(1) On or before January 1, 2004, the commission and its
28auxiliary organization shall comply with paragraphs (1), (2), and
29(3) of subdivision (a).

30(2) On or before January 1, 2005, the commission and its
31auxiliary organization shall comply with paragraphs (4) and (5)
32of subdivision (a).