AB 1710, as amended, Dickinson. Personal information: privacy.
Existing law requires a person or business conducting business in California that owns or licenses computerized data that includes personal information, as defined, to disclose, as specified, a breach of the security of the system or data following discovery or notification of the security breach to any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Existing law also requires a person or business that maintains computerized data that includes personal information that the person or business does not own to notify the owner or licensee of the information of any breach of the security of the data immediately following [deleted: discovery] [inserted: discovery,] as specified. Existing law requires a person or business required to issue a security breach notification pursuant to these provisions to meet various requirements, including that the security breach notification provide specified information.
This bill would require, [deleted: if 500 or more persons are affected by the breach, that a person or business that maintains computerized data that includes personal information notify those persons of the breach of the security when a credit or debit card number was, or is reasonably believed to have been, acquired by an unauthorized person at the same time that the notice is given to the owner or licensee, as specified. The bill would authorize the owner or licensee of computerized data that includes personal information and a person or business that maintains computerized data that includes personal information to agree, pursuant to a written contractual agreement, to make the owner or licensee responsible for carrying out the notice requirement described above. With] [inserted: with] respect to the information required to be included in the notification, [deleted: the bill would require,] if the person or business providing the notification was the source of the breach, that [inserted: the] person or business [deleted: to] offer to provide appropriate identity theft prevention and mitigation services, if any, to the affected person at no cost for not less than 12 months if the breach exposed or may have exposed specified personal information.
Existing law requires a business that owns or licenses personal information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
This bill would expand these provisions to businesses that own, license, or maintain personal information about a California resident, as specified.
Existing law prohibits a person or entity, with specified exceptions, from publicly posting or displaying an individual’s social security number or doing certain other acts that might compromise the security of an individual’s social security number, unless otherwise required by federal or state law.
This bill would also, except as specified, prohibit the sale, advertisement for sale, or offer to sell of an individual’s social security number.
Vote: majority. Appropriation: no. Fiscal committee: no. State-mandated local program: no.
The people of the State of California do enact as follows:
Section 1798.81.5 of the Civil Code is amended to read:
(a) (1) It is the intent of the Legislature to ensure that personal information about California residents is protected. To that end, the purpose of this section is to encourage businesses that own, license, or maintain personal information about Californians to provide reasonable security for that information.
(2) For the purpose of this section, the terms “own” and “license” include personal information that a business retains as part of the business’ internal customer account or for the purpose of using that information in transactions with the person to whom the information relates. The term “maintain” includes personal information that a business maintains but does not own or license.
(b) A business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
(c) A business that discloses personal information about a California resident pursuant to a contract with a nonaffiliated third party that is not subject to subdivision (b) shall require by contract that the third party implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
(d) For purposes of this section, the following terms have the following meanings:
(1) “Personal information” means an individual’s first name or first initial and his or her last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:
(A) Social security number.
(B) Driver’s license number or California identification card number.
(C) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
(D) Medical information.
(2) “Medical information” means any individually identifiable information, in electronic or physical form, regarding the individual’s medical history or medical treatment or diagnosis by a health care professional.
(3) “Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
(e) The provisions of this section do not apply to any of the following:
(1) A provider of health care, health care service plan, or contractor regulated by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1).
(2) A financial institution as defined in Section 4052 of the Financial Code and subject to the California Financial Information Privacy Act (Division 1.2 (commencing with Section 4050) of the Financial Code).
(3) A covered entity governed by the medical privacy and security rules issued by the federal Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Availability Act of 1996 (HIPAA).
(4) An entity that obtains information under an agreement pursuant to Article 3 (commencing with Section 1800) of Chapter 1 of Division 2 of the Vehicle Code and is subject to the confidentiality requirements of the Vehicle Code.
(5) A business that is regulated by state or federal law providing greater protection to personal information than that provided by this section in regard to the subjects addressed by this section. Compliance with that state or federal law shall be deemed compliance with this section with regard to those subjects. This paragraph does not relieve a business from a duty to comply with any other requirements of other state and federal law regarding the protection and privacy of personal information.
Section 1798.82 of the Civil Code is amended to read:
(a) A person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose a breach of the security of the system following discovery or notification of the breach in the security of the data to a resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
(b) [deleted: (1)] A person or business that maintains computerized data that includes personal information that the person or business does not own shall notify the owner or licensee of the information of the breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
(2) Except as provided in paragraph (3), if 500 or more subject persons are affected, a person or business that maintains computerized data that includes personal information shall notify those subject persons of the breach of the security when a credit or debit card number was, or is reasonably believed to have been, acquired by an unauthorized person at the same time that the notice is given to the owner or licensee by United States mail if the person or business has a mailing address for the subject persons or email notice if the person or business has an email address for the subject persons. If the subject persons cannot be notified by mail or email, the person or business shall provide notice by the following methods:
(A) Conspicuous posting of the notice on the Internet Web site page of the person or business, if the person or business maintains an Internet Web site page, for at least 30 days.
(B) Notification to major statewide media.
(3) Notwithstanding paragraph (2), the owner or licensee of computerized data that includes personal information and a person or business that maintains computerized data that includes personal information may agree, based on a written contractual agreement, to make the owner or licensee responsible for the requirement in paragraph (2).
(c) The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notification required by this section shall be made promptly after the law enforcement agency determines that it will not compromise the investigation.
(d) A person or business that is required to issue a security breach notification pursuant to this section shall meet all of the following requirements:
(1) The security breach notification shall be written in plain language.
(2) The security breach notification shall include, at a minimum, the following information:
(A) The name and contact information of the reporting person or business subject to this section.
(B) A list of the types of personal information that were or are reasonably believed to have been the subject of a breach.
(C) If the information is possible to determine at the time the notice is provided, then any of the following: (i) the date of the breach, (ii) the estimated date of the breach, or (iii) the date range within which the breach occurred. The notification shall also include the date of the notice.
(D) Whether notification was delayed as a result of a law enforcement investigation, if that information is possible to determine at the time the notice is provided.
(E) A general description of the breach incident, if that information is possible to determine at the time the notice is provided.
(F) The toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed a social security number or a driver’s license or California identification card number.
(G) If the person or business providing the notification was the source of the breach, an offer to provide appropriate identity theft prevention and mitigation services, if any, shall be provided at no cost to the affected person for not less than 12 months, along with all information necessary to take advantage of the offer to any person whose information was or may have been breached if the breach exposed or may have exposed personal information defined in subparagraphs (A) and (B) of paragraph (1) of subdivision (h).
(3) At the discretion of the person or business, the security breach notification may also include any of the following:
(A) Information about what the person or business has done to protect individuals whose information has been breached.
(B) Advice on steps that the person whose information has been breached may take to protect himself or herself.
(4) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (h) for an online account, and no other personal information defined in paragraph (1) of subdivision (h), the person or business may comply with this section by providing the security breach notification in electronic or other form that directs the person whose personal information has been breached promptly to change his or her password and security question or answer, as applicable, or to take other steps appropriate to protect the online account with the person or business and all other online accounts for which the person whose personal information has been breached uses the same user name or email address and password or security question or answer.
(5) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (h) for login credentials of an email account furnished by the person or business, the person or business shall not comply with this section by providing the security breach notification to that email address, but may, instead, comply with this section by providing notice by another method described in subdivision (j) or by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an Internet Protocol address or online location from which the person or business knows the resident customarily accesses the account.
(e) A covered entity under the federal Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Sec. 1320d et seq.) will be deemed to have complied with the notice requirements in subdivision (d) if it has complied completely with Section 13402(f) of the federal Health Information Technology for Economic and Clinical Health Act (Public Law 111-5). However, nothing in this subdivision shall be construed to exempt a covered entity from any other provision of this section.
(f) A person or business that is required to issue a security breach notification pursuant to this section to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. A single sample copy of a security breach notification shall not be deemed to be within subdivision (f) of Section 6254 of the Government Code.
(g) For purposes of this section, “breach of the security of the system” means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business. Good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.
(h) For purposes of this section, “personal information” means either of the following:
(1) An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
(A) Social security number.
(B) Driver’s license number or California identification card number.
(C) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
(D) Medical information.
(E) Health insurance information.
(2) A user name or email address, in combination with a password or security question and answer that would permit access to an online account.
(i) (1) For purposes of this section, “personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
(2) For purposes of this section, “medical information” means any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.
(3) For purposes of this section, “health insurance information” means an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.
(j) For purposes of this section, “notice” may be provided by one of the following methods:
(1) Written notice.
(2) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code.
(3) Substitute notice, if the person or business demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000), or that the affected class of subject persons to be notified exceeds 500,000, or the person or business does not have sufficient contact information. Substitute notice shall consist of all of the following:
(A) Email notice when the person or business has an email address for the subject persons.
(B) Conspicuous posting of the notice on the Internet Web site page of the person or business, if the person or business maintains one.
(C) Notification to major statewide media.
(k) Notwithstanding subdivision (j), a person or business that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this part, shall be deemed to be in compliance with the notification requirements of this section if the person or business notifies subject persons in accordance with its policies in the event of a breach of security of the system.
Section 1798.85 of the Civil Code is amended to read:
(a) Except as provided in this section, a person or entity may not do any of the following:
(1) Publicly post or publicly display in any manner an individual’s social security number. “Publicly post” or “publicly display” means to intentionally communicate or otherwise make available to the general public.
(2) Print an individual’s social security number on any card required for the individual to access products or services provided by the person or entity.
(3) Require an individual to transmit his or her social security number over the Internet, unless the connection is secure or the social security number is encrypted.
(4) Require an individual to use his or her social security number to access an Internet Web site, unless a password or unique personal identification number or other authentication device is also required to access the Internet Web site.
(5) Print an individual’s social security number on any materials that are mailed to the individual, unless state or federal law requires the social security number to be on the document to be mailed. Notwithstanding this paragraph, social security numbers may be included in applications and forms sent by mail, including documents sent as part of an application or enrollment process, or to establish, amend or terminate an account, contract or policy, or to confirm the accuracy of the social security number. A social security number that is permitted to be mailed under this section may not be printed, in whole or in part, on a postcard or other mailer not requiring an envelope, or visible on the envelope or without the envelope having been opened.
(6) Sell, advertise for sale, or offer to sell an individual’s social security number. For purposes of this paragraph, the following apply:
(A) “Sell” shall not include the release of an individual’s social security number if the release of the social security number is incidental to a larger transaction and is necessary to identify the individual in order to accomplish a legitimate business purpose. [inserted: Release of an individual’s social security number for marketing purposes is not permitted.]
[deleted: (B) The release of a social security number for the purpose of marketing is not a legitimate business purpose. (C)] [inserted: (B)] “Sell” shall not include the release of an individual’s social security number for a purpose specifically authorized or specifically allowed by federal or state law.
(b) This section does not prevent the collection, use, or release of a social security number as required by state or federal law or the use of a social security number for internal verification or administrative purposes.
(c) This section does not prevent an adult state correctional facility, an adult city jail, or an adult county jail from releasing an inmate’s social security number, with the inmate’s consent and upon request by the county veterans service officer or the United States Department of Veterans Affairs, for the purposes of determining the inmate’s status as a military veteran and his or her eligibility for federal, state, or local veterans’ benefits or services.
(d) This section does not apply to documents that are recorded or required to be open to the public pursuant to Chapter 3.5 (commencing with Section 6250), Chapter 14 (commencing with Section 7150) or Chapter 14.5 (commencing with Section 7220) of Division 7 of Title 1 of, Article 9 (commencing with Section 11120) of Chapter 1 of Part 1 of Division 3 of Title 2 of, or Chapter 9 (commencing with Section 54950) of Part 1 of Division 2 of Title 5 of, the Government Code. This section does not apply to records that are required by statute, case law, or California Rule of Court, to be made available to the public by entities provided for in Article VI of the California Constitution.
(e) (1) In the case of a health care service plan, a provider of health care, an insurer or a pharmacy benefits manager, a contractor as defined in Section 56.05, or the provision by any person or entity of administrative or other services relative to health care or insurance products or services, including third-party administration or administrative services only, this section shall become operative in the following manner:
(A) On or before January 1, 2003, the entities listed in paragraph (1) shall comply with paragraphs (1), (3), (4), and (5) of subdivision (a) as these requirements pertain to individual policyholders or individual contractholders.
(B) On or before January 1, 2004, the entities listed in paragraph (1) shall comply with paragraphs (1) to (5), inclusive, of subdivision (a) as these requirements pertain to new individual policyholders or new individual contractholders and new groups, including new groups administered or issued on or after January 1, 2004.
(C) On or before July 1, 2004, the entities listed in paragraph (1) shall comply with paragraphs (1) to (5), inclusive, of subdivision (a) for all individual policyholders and individual contractholders, for all groups, and for all enrollees of the Healthy Families and Medi-Cal programs, except that for individual policyholders, individual contractholders and groups in existence prior to January 1, 2004, the entities listed in paragraph (1) shall comply upon the renewal date of the policy, contract, or group on or after July 1, 2004, but no later than July 1, 2005.
(2) A health care service plan, a provider of health care, an insurer or a pharmacy benefits manager, a contractor, or another person or entity as described in paragraph (1) shall make reasonable efforts to cooperate, through systems testing and other means, to ensure that the requirements of this article are implemented on or before the dates specified in this section.
(3) Notwithstanding paragraph (2), the Director of the Department of Managed Health Care, pursuant to the authority granted under Section 1346 of the Health and Safety Code, or the Insurance Commissioner, pursuant to the authority granted under Section 12921 of the Insurance Code, and upon a determination of good cause, may grant extensions not to exceed six months for compliance by health care service plans and insurers with the requirements of this section when requested by the health care service plan or insurer. Any extension granted shall apply to the health care service plan or insurer’s affected providers, pharmacy benefits manager, and contractors.
(f) If a federal law takes effect requiring the United States Department of Health and Human Services to establish a national unique patient health identifier program, a provider of health care, a health care service plan, a licensed health care professional, or a contractor, as those terms are defined in Section 56.05, that complies with the federal law shall be deemed in compliance with this section.
(g) A person or entity may not encode or embed a social security number in or on a card or document, including, but not limited to, using a barcode, chip, magnetic strip, or other technology, in place of removing the social security number, as required by this section.
(h) This section shall become operative, with respect to the University of California, in the following manner:
(1) On or before January 1, 2004, the University of California shall comply with paragraphs (1), (2), and (3) of subdivision (a).
(2) On or before January 1, 2005, the University of California shall comply with paragraphs (4) and (5) of subdivision (a).
(i) This section shall become operative with respect to the Franchise Tax Board on January 1, 2007.
(j) This section shall become operative with respect to the California community college districts on January 1, 2007.
(k) This section shall become operative with respect to the California State University system on July 1, 2005.
(l) This section shall become operative, with respect to the California Student Aid Commission and its auxiliary organization, in the following manner:
(1) On or before January 1, 2004, the commission and its auxiliary organization shall comply with paragraphs (1), (2), and (3) of subdivision (a).
(2) On or before January 1, 2005, the commission and its auxiliary organization shall comply with paragraphs (4) and (5) of subdivision (a).