Assembly BillNo. 1710

3

1798.81.5.  

(a) (1) It is the intent of the Legislature to ensure
4that personal information about California residents is protected.
5To that end, the purpose of this section is to encourage businesses
6that own, license, or maintain personal information about
7Californians to provide reasonable security for that information.

8(2) For the purpose of this section, the terms “own” and
9“license” include personal information that a business retains as
10part of the business’ internal customer account or for the purpose
11of using that information in transactions with the person to whom
12the information relates. The term “maintain” includes personal
13information that a business maintains but does not own or license.

14(b) A business that owns, licenses, or maintains personal
15information about a California resident shall implement and
16maintain reasonable security procedures and practices appropriate
17to the nature of the information, to protect the personal information
18from unauthorized access, destruction, use, modification, or
19disclosure.

20(c) A business that discloses personal information about a
21California resident pursuant to a contract with a nonaffiliated third
22party that is not subject to subdivision (b) shall require by contract
23that the third party implement and maintain reasonable security
24procedures and practices appropriate to the nature of the
25information, to protect the personal information from unauthorized
26access, destruction, use, modification, or disclosure.

27(d) For purposes of this section, the following terms have the
28following meanings:

29(1) “Personal information” means an individual’s first name or
30first initial and his or her last name in combination with any one
P4    1or more of the following data elements, when either the name or
2the data elements are not encrypted or redacted:

3(A) Social security number.

4(B) Driver’s license number or California identification card
5number.

6(C) Account number, credit or debit card number, in
7combination with any required security code, access code, or
8password that would permit access to an individual’s financial
9account.

10(D) Medical information.

11(2) “Medical information” means any individually identifiable
12information, in electronic or physical form, regarding the
13individual’s medical history or medical treatment or diagnosis by
14a health care professional.

15(3) “Personal information” does not include publicly available
16information that is lawfully made available to the general public
17from federal, state, or local government records.

18(e) The provisions of this section do not apply to any of the
19following:

20(1) A provider of health care, health care service plan, or
21contractor regulated by the Confidentiality of Medical Information
22Act (Part 2.6 (commencing with Section 56) of Division 1).

23(2) A financial institution as defined in Section 4052 of the
24Financial Code and subject to the California Financial Information
25Privacy Act (Division 1.2 (commencing with Section 4050) of the
26Financial Code).

27(3) A covered entity governed by the medical privacy and
28security rules issued by the federal Department of Health and
29Human Services, Parts 160 and 164 of Title 45 of the Code of
30Federal Regulations, established pursuant to the Health Insurance
31Portability and Availability Act of 1996 (HIPAA).

32(4) An entity that obtains information under an agreement
33pursuant to Article 3 (commencing with Section 1800) of Chapter
341 of Division 2 of the Vehicle Code and is subject to the
35confidentiality requirements of the Vehicle Code.

36(5) A business that is regulated by state or federal law providing
37greater protection to personal information than that provided by
38this section in regard to the subjects addressed by this section.
39Compliance with that state or federal law shall be deemed
40compliance with this section with regard to those subjects. This
P5    1paragraph does not relieve a business from a duty to comply with
2any other requirements of other state and federal law regarding
3the protection and privacy of personal information.

5

1798.82.  

(a) A person or business that conducts business in
6California, and that owns or licenses computerized data that
7includes personal information, shall disclose a breach of the
8security of the system following discovery or notification of the
9breach in the security of the data to a resident of California whose
10begin insert unencryptedend insert personal information was, or is reasonably believed
11to have been, acquired by an unauthorizedbegin delete person unless the data
12was encrypted in conformance with the Advanced Encryption
13Standard of the National Institute of Standards and Technology,
14Federal Information Processing Standards Publication 197, as
15amended from time to time.end deletebegin insert person.end insert The disclosure shall be made
16in the most expedient time possible and without unreasonable
17delay, consistent with the legitimate needs of law enforcement, as
18provided in subdivision (c), or any measures necessary to determine
19the scope of the breach and restore the reasonable integrity of the
20data system.

21(b) (1) A person or business that maintains computerized data
22that includes personal information that the person or business does
23not own shall notify the owner or licensee of the information of
24the breach of the security of the data immediately following
25discovery, if the personal information was, or is reasonably
26believed to have been, acquired by an unauthorized person.

27(2) begin deleteIn addition to notifying the owner or licensee of the data,
28the person or business that maintains the data shall notify persons
29affected by the breachend deletebegin insert Except as provided in paragraph (3), if 500
30or more subject persons are affected, a person or business that
31maintains computerized data that includes personal information
32shall notify those subject persons of the breach of the security
33when a credit or debit card number was, or is reasonably believed
34to have been, acquired by an unauthorized person end insertat the same time
35thatbegin insert theend insert notice is given to the owner or licensee by United States
36mail if the person or business has a mailing address for the subject
37persons or email notice if the person or business has an email
38address for the subject persons. If the subject persons cannot be
39notified by mail or email, the person or business shall provide
40notice by the following methods:

P6    1(A) Conspicuous posting of the notice on the Internet Web site
2page of the person or business, if the person or business maintains
3an Internet Web site page, for at least 30 days.

4(B) Notification to major statewide media.

begin insert

5(3) Notwithstanding paragraph (2), the owner or licensee of
6computerized data that includes personal information and a person
7or business that maintains computerized data that includes
8personal information may agree, based on a written contractual
9agreement, to make the owner or licensee responsible for the
10requirement in paragraph (2).

end insert

11(c) The notification required by this section may be delayed if
12a law enforcement agency determines that the notification will
13impede a criminal investigation. The notification required by this
14section shall be made promptly after the law enforcement agency
15determines that it will not compromise the investigation.

16(d) A person or business that is required to issue a security
17breach notification pursuant to this section shall meet all of the
18following requirements:

19(1) The security breach notification shall be written in plain
20language.

21(2) The security breach notification shall include, at a minimum,
22the following information:

23(A) The name and contact information of the reporting person
24or business subject to this section.

25(B) A list of the types of personal information that were or are
26reasonably believed to have been the subject of a breach.

27(C) If the information is possible to determine at the time the
28notice is provided, then any of the following: (i) the date of the
29breach, (ii) the estimated date of the breach, or (iii) the date range
30within which the breach occurred. The notification shall also
31include the date of the notice.

32(D) Whether notification was delayed as a result of a law
33enforcement investigation, if that information is possible to
34determine at the time the notice is provided.

35(E) A general description of the breach incident, if that
36information is possible to determine at the time the notice is
37provided.

38(F) The toll-free telephone numbers and addresses of the major
39credit reporting agencies if the breach exposed a social security
P7    1number or a driver’s license or California identification card
2number.

3(G) If the person or business providing the notification was the
4source of the breach, an offer to provide appropriate identity theft
5prevention and mitigation services, if any, shall be provided at no
6cost to the affected person for not less thanbegin delete 24end deletebegin insert 12end insert months, along
7with all information necessary to take advantage of the offer to
8any person whose information was or may have been breached if
9the breach exposed or may have exposed personal information
10defined in subparagraphs (A) and (B) of paragraph (1) of
11subdivision (h).

12(3) At the discretion of the person or business, the security
13breach notification may also include any of the following:

14(A) Information about what the person or business has done to
15protect individuals whose information has been breached.

16(B) Advice on steps that the person whose information has been
17breached may take to protect himself or herself.

18(4) In the case of a breach of the security of the system involving
19personal information defined in paragraph (2) of subdivision (h)
20for an online account, and no other personal information defined
21in paragraph (1) of subdivision (h), the person or business may
22comply with this section by providing the security breach
23notification in electronic or other form that directs the person whose
24personal information has been breached promptly to change his
25or her password and security question or answer, as applicable, or
26to take other steps appropriate to protect the online account with
27the person or business and all other online accounts for which the
28person whose personal information has been breached uses the
29same user name or email address and password or security question
30or answer.

31(5) In the case of a breach of the security of the system involving
32personal information defined in paragraph (2) of subdivision (h)
33for login credentials of an email account furnished by the person
34or business, the person or business shall not comply with this
35section by providing the security breach notification to that email
36address, but may, instead, comply with this section by providing
37notice by another method described in subdivision (j) or by clear
38and conspicuous notice delivered to the resident online when the
39resident is connected to the online account from an Internet
P8    1Protocol address or online location from which the person or
2business knows the resident customarily accesses the account.

3(e) A covered entity under the federal Health Insurance
4Portability and Accountability Act of 1996 (42 U.S.C. Sec. 1320d
5et seq.) will be deemed to have complied with the notice
6requirements in subdivision (d) if it has complied completely with
7Section 13402(f) of the federal Health Information Technology
8for Economic and Clinical Health Act (Public Law 111-5).
9However, nothing in this subdivision shall be construed to exempt
10a covered entity from any other provision of this section.

11(f) A person or business that is required to issue a security breach
12notification pursuant to this section to more than 500 California
13residents as a result of a single breach of the security system shall
14electronically submit a single sample copy of that security breach
15notification, excluding any personally identifiable information, to
16the Attorney General. A single sample copy of a security breach
17notification shall not be deemed to be within subdivision (f) of
18Section 6254 of the Government Code.

19(g) For purposes of this section, “breach of the security of the
20system” means unauthorized acquisition of computerized data that
21compromises the security, confidentiality, or integrity of personal
22information maintained by the person or business. Good faith
23acquisition of personal information by an employee or agent of
24the person or business for the purposes of the person or business
25is not a breach of the security of the system, provided that the
26personal information is not used or subject to further unauthorized
27disclosure.

28(h) For purposes of this section, “personal information” means
29either of the following:

30(1) An individual’s first name or first initial and last name in
31combination with any one or more of the following data elements,
32when either the name or the data elements are notbegin delete encrypted in
33conformance with the Advanced Encryption Standard of the
34National Institute of Standards and Technology, Federal
35Information Processing Standards Publication 197, as amended
36from time to time:end deletebegin insert encrypted:end insert

37(A) Social security number.

38(B) Driver’s license number or California identification card
39number.

P9    1(C) Account number, credit or debit card number, in
2combination with any required security code, access code, or
3password that would permit access to an individual’s financial
4account.

5(D) Medical information.

6(E) Health insurance information.

7(2) A user name or email address, in combination with a
8password or security question and answer that would permit access
9to an online account.

10(i) (1) For purposes of this section, “personal information” does
11not include publicly available information that is lawfully made
12available to the general public from federal, state, or local
13government records.

14(2) For purposes of this section, “medical information” means
15any information regarding an individual’s medical history, mental
16or physical condition, or medical treatment or diagnosis by a health
17care professional.

18(3) For purposes of this section, “health insurance information”
19means an individual’s health insurance policy number or subscriber
20identification number, any unique identifier used by a health insurer
21to identify the individual, or any information in an individual’s
22application and claims history, including any appeals records.

23(j) For purposes of this section, “notice” may be provided by
24one of the following methods:

25(1) Written notice.

26(2) Electronic notice, if the notice provided is consistent with
27the provisions regarding electronic records and signatures set forth
28in Section 7001 of Title 15 of the United States Code.

29(3) Substitute notice, if the person or business demonstrates that
30the cost of providing notice would exceed two hundred fifty
31thousand dollars ($250,000), or that the affected class of subject
32persons to be notified exceeds 500,000, or the person or business
33does not have sufficient contact information. Substitute notice
34 shall consist of all of the following:

35(A) Email notice when the person or business has an email
36address for the subject persons.

37(B) Conspicuous posting of the notice on the Internet Web site
38page of the person or business, if the person or business maintains
39one.

40(C) Notification to major statewide media.

P10   1(k) Notwithstanding subdivision (j), a person or business that
2maintains its own notification procedures as part of an information
3security policy for the treatment of personal information and is
4otherwise consistent with the timing requirements of this part, shall
5be deemed to be in compliance with the notification requirements
6of this section if the person or business notifies subject persons in
7accordance with its policies in the event of a breach of security of
8the system.

10

1798.85.  

(a) Except as provided in this section, a person or
11entity may not do any of the following:

12(1) Publicly post or publicly display in any manner an
13individual’s social security number. “Publicly post” or “publicly
14display” means to intentionally communicate or otherwise make
15available to the general public.

16(2) Print an individual’s social security number on any card
17required for the individual to access products or services provided
18by the person or entity.

19(3) Require an individual to transmit his or her social security
20number over the Internet, unless the connection is secure or the
21social security number is encrypted.

22(4) Require an individual to use his or her social security number
23to access an Internet Web site, unless a password or unique
24personal identification number or other authentication device is
25also required to access the Internet Web site.

26(5) Print an individual’s social security number on any materials
27that are mailed to the individual, unless state or federal law requires
28the social security number to be on the document to be mailed.
29Notwithstanding this paragraph, social security numbers may be
30included in applications and forms sent by mail, including
31documents sent as part of an application or enrollment process, or
32to establish, amend or terminate an account, contract or policy, or
33to confirm the accuracy of the social security number. A social
34security number that is permitted to be mailed under this section
35may not be printed, in whole or in part, on a postcard or other
36 mailer not requiring an envelope, or visible on the envelope or
37without the envelope having been opened.

38(6) Sell, advertise for sale, or offer to sell an individual’s social
39security number. For purposes of this paragraph, the following
40apply:

P11   1 (A) “Sell” shall not include the release of an individual’s social
2security number if the release of the social security number is
3incidental to a larger transaction and is necessary to identify the
4individual in order to accomplish a legitimate business purpose.

5(B) The release of a social security number for the purpose of
6marketing is not a legitimate business purpose.

7(C) “Sell” shall not include the release of an individual’s social
8security number for a purpose specifically authorized or specifically
9allowed by federal or state law.

10(b) This section does not prevent the collection, use, or release
11of a social security number as required by state or federal law or
12the use of a social security number for internal verification or
13administrative purposes.

14(c) This section does not prevent an adult state correctional
15facility, an adult city jail, or an adult county jail from releasing an
16inmate’s social security number, with the inmate’s consent and
17upon request by the county veterans service officer or the United
18States Department of Veterans Affairs, for the purposes of
19determining the inmate’s status as a military veteran and his or her
20eligibility for federal, state, or local veterans’ benefits or services.

21(d) This section does not apply to documents that are recorded
22or required to be open to the public pursuant to Chapter 3.5
23(commencing with Section 6250), Chapter 14 (commencing with
24Section 7150) or Chapter 14.5 (commencing with Section 7220)
25of Division 7 of Title 1 of, Article 9 (commencing with Section
2611120) of Chapter 1 of Part 1 of Division 3 of Title 2 of, or Chapter
279 (commencing with Section 54950) of Part 1 of Division 2 of
28Title 5 of, the Government Code. This section does not apply to
29records that are required by statute, case law, or California Rule
30of Court, to be made available to the public by entities provided
31for in Article VI of the California Constitution.

32(e) (1) In the case of a health care service plan, a provider of
33health care, an insurer or a pharmacy benefits manager, a contractor
34as defined in Section 56.05, or the provision by any person or
35entity of administrative or other services relative to health care or
36insurance products or services, including third-party administration
37or administrative services only, this section shall become operative
38in the following manner:

39(A) On or before January 1, 2003, the entities listed in paragraph
40(1) shall comply with paragraphs (1), (3), (4), and (5) of subdivision
P12   1(a) as these requirements pertain to individual policyholders or
2individual contractholders.

3(B) On or before January 1, 2004, the entities listed in paragraph
4(1) shall comply with paragraphs (1) to (5), inclusive, of
5subdivision (a) as these requirements pertain to new individual
6policyholders or new individual contractholders and new groups,
7including new groups administered or issued on or after January
81, 2004.

9(C) On or before July 1, 2004, the entities listed in paragraph
10(1) shall comply with paragraphs (1) to (5), inclusive, of
11subdivision (a) for all individual policyholders and individual
12contractholders, for all groups, and for all enrollees of the Healthy
13Families and Medi-Cal programs, except that for individual
14policyholders, individual contractholders and groups in existence
15prior to January 1, 2004, the entities listed in paragraph (1) shall
16comply upon the renewal date of the policy, contract, or group on
17or after July 1, 2004, but no later than July 1, 2005.

18(2) A health care service plan, a provider of health care, an
19insurer or a pharmacy benefits manager, a contractor, or another
20person or entity as described in paragraph (1) shall make reasonable
21efforts to cooperate, through systems testing and other means, to
22ensure that the requirements of this article are implemented on or
23before the dates specified in this section.

24(3) Notwithstanding paragraph (2), the Director of the
25Department of Managed Health Care, pursuant to the authority
26granted under Section 1346 of the Health and Safety Code, or the
27Insurance Commissioner, pursuant to the authority granted under
28Section 12921 of the Insurance Code, and upon a determination
29of good cause, may grant extensions not to exceed six months for
30compliance by health care service plans and insurers with the
31requirements of this section when requested by the health care
32service plan or insurer. Any extension granted shall apply to the
33health care service plan or insurer’s affected providers, pharmacy
34benefits manager, and contractors.

35(f) If a federal law takes effect requiring the United States
36Department of Health and Human Services to establish a national
37unique patient health identifier program, a provider of health care,
38a health care service plan, a licensed health care professional, or
39a contractor, as those terms are defined in Section 56.05, that
P13   1complies with the federal law shall be deemed in compliance with
2this section.

3(g) A person or entity may not encode or embed a social security
4number in or on a card or document, including, but not limited to,
5using a barcode, chip, magnetic strip, or other technology, in place
6of removing the social security number, as required by this section.

7(h) This section shall become operative, with respect to the
8University of California, in the following manner:

9(1) On or before January 1, 2004, the University of California
10shall comply with paragraphs (1), (2), and (3) of subdivision (a).

11(2) On or before January 1, 2005, the University of California
12shall comply with paragraphs (4) and (5) of subdivision (a).

13(i) This section shall become operative with respect to the
14Franchise Tax Board on January 1, 2007.

15(j) This section shall become operative with respect to the
16California community college districts on January 1, 2007.

17(k) This section shall become operative with respect to the
18California State University system on July 1, 2005.

19(l) This section shall become operative, with respect to the
20California Student Aid Commission and its auxiliary organization,
21in the following manner:

22(1) On or before January 1, 2004, the commission and its
23auxiliary organization shall comply with paragraphs (1), (2), and
24(3) of subdivision (a).

25(2) On or before January 1, 2005, the commission and its
26auxiliary organization shall comply with paragraphs (4) and (5)
27of subdivision (a).