BILL NUMBER: AB 1710 ENROLLED
BILL TEXT
PASSED THE SENATE AUGUST 21, 2014
PASSED THE ASSEMBLY AUGUST 25, 2014
AMENDED IN SENATE AUGUST 19, 2014
AMENDED IN SENATE JULY 1, 2014
AMENDED IN SENATE JUNE 5, 2014
AMENDED IN ASSEMBLY MAY 8, 2014
AMENDED IN ASSEMBLY APRIL 24, 2014
AMENDED IN ASSEMBLY MARCH 28, 2014
INTRODUCED BY Assembly Members Dickinson and Wieckowski
FEBRUARY 13, 2014
An act to amend Sections 1798.81.5, 1798.82, and 1798.85 of the
Civil Code, relating to personal information privacy.
LEGISLATIVE COUNSEL'S DIGEST
AB 1710, Dickinson. Personal information: privacy.
Existing law requires a person or business conducting business in
California that owns or licenses computerized data that includes
personal information, as defined, to disclose, as specified, a breach
of the security of the system or data following discovery or
notification of the security breach to any California resident whose
unencrypted personal information was, or is reasonably believed to
have been, acquired by an unauthorized person. Existing law also
requires a person or business that maintains computerized data that
includes personal information that the person or business does not
own to notify the owner or licensee of the information of any breach
of the security of the data immediately following discovery, as
specified. Existing law requires a person or business required to
issue a security breach notification pursuant to these provisions to
meet various requirements, including that the security breach
notification provide specified information.
This bill would require, with respect to the information required
to be included in the notification, if the person or business
providing the notification was the source of the breach, that the
person or business offer to provide appropriate identity theft
prevention and mitigation services, if any, to the affected person at
no cost for not less than 12 months if the breach exposed or may
have exposed specified personal information.
Existing law requires a business that owns or licenses personal
information about a California resident to implement and maintain
reasonable security procedures and practices appropriate to the
nature of the information, to protect the personal information from
unauthorized access, destruction, use, modification, or disclosure.
This bill would expand these provisions to businesses that own,
license, or maintain personal information about a California
resident, as specified.
Existing law prohibits a person or entity, with specified
exceptions, from publicly posting or displaying an individual's
social security number or doing certain other acts that might
compromise the security of an individual's social security number,
unless otherwise required by federal or state law.
This bill would also, except as specified, prohibit the sale,
advertisement for sale, or offer to sell of an individual's social
security number.
THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:
SECTION 1. Section 1798.81.5 of the Civil Code is amended to read:
1798.81.5. (a) (1) It is the intent of the Legislature to ensure
that personal information about California residents is protected. To
that end, the purpose of this section is to encourage businesses
that own, license, or maintain personal information about
Californians to provide reasonable security for that information.
(2) For the purpose of this section, the terms "own" and "license"
include personal information that a business retains as part of the
business' internal customer account or for the purpose of using that
information in transactions with the person to whom the information
relates. The term "maintain" includes personal information that a
business maintains but does not own or license.
(b) A business that owns, licenses, or maintains personal
information about a California resident shall implement and maintain
reasonable security procedures and practices appropriate to the
nature of the information, to protect the personal information from
unauthorized access, destruction, use, modification, or disclosure.
(c) A business that discloses personal information about a
California resident pursuant to a contract with a nonaffiliated third
party that is not subject to subdivision (b) shall require by
contract that the third party implement and maintain reasonable
security procedures and practices appropriate to the nature of the
information, to protect the personal information from unauthorized
access, destruction, use, modification, or disclosure.
(d) For purposes of this section, the following terms have the
following meanings:
(1) "Personal information" means an individual's first name or
first initial and his or her last name in combination with any one or
more of the following data elements, when either the name or the
data elements are not encrypted or redacted:
(A) Social security number.
(B) Driver's license number or California identification card
number.
(C) Account number, credit or debit card number, in combination
with any required security code, access code, or password that would
permit access to an individual's financial account.
(D) Medical information.
(2) "Medical information" means any individually identifiable
information, in electronic or physical form, regarding the individual'
s medical history or medical treatment or diagnosis by a health care
professional.
(3) "Personal information" does not include publicly available
information that is lawfully made available to the general public
from federal, state, or local government records.
(e) The provisions of this section do not apply to any of the
following:
(1) A provider of health care, health care service plan, or
contractor regulated by the Confidentiality of Medical Information
Act (Part 2.6 (commencing with Section 56) of Division 1).
(2) A financial institution as defined in Section 4052 of the
Financial Code and subject to the California Financial Information
Privacy Act (Division 1.2 (commencing with Section 4050) of the
Financial Code).
(3) A covered entity governed by the medical privacy and security
rules issued by the federal Department of Health and Human Services,
Parts 160 and 164 of Title 45 of the Code of Federal Regulations,
established pursuant to the Health Insurance Portability and
Availability Act of 1996 (HIPAA).
(4) An entity that obtains information under an agreement pursuant
to Article 3 (commencing with Section 1800) of Chapter 1 of Division
2 of the Vehicle Code and is subject to the confidentiality
requirements of the Vehicle Code.
(5) A business that is regulated by state or federal law providing
greater protection to personal information than that provided by
this section in regard to the subjects addressed by this section.
Compliance with that state or federal law shall be deemed compliance
with this section with regard to those subjects. This paragraph does
not relieve a business from a duty to comply with any other
requirements of other state and federal law regarding the protection
and privacy of personal information.
SEC. 2. Section 1798.82 of the Civil Code is amended to read:
1798.82. (a) A person or business that conducts business in
California, and that owns or licenses computerized data that includes
personal information, shall disclose a breach of the security of the
system following discovery or notification of the breach in the
security of the data to a resident of California whose unencrypted
personal information was, or is reasonably believed to have been,
acquired by an unauthorized person. The disclosure shall be made in
the most expedient time possible and without unreasonable delay,
consistent with the legitimate needs of law enforcement, as provided
in subdivision (c), or any measures necessary to determine the scope
of the breach and restore the reasonable integrity of the data
system.
(b) A person or business that maintains computerized data that
includes personal information that the person or business does not
own shall notify the owner or licensee of the information of the
breach of the security of the data immediately following discovery,
if the personal information was, or is reasonably believed to have
been, acquired by an unauthorized person.
(c) The notification required by this section may be delayed if a
law enforcement agency determines that the notification will impede a
criminal investigation. The notification required by this section
shall be made promptly after the law enforcement agency determines
that it will not compromise the investigation.
(d) A person or business that is required to issue a security
breach notification pursuant to this section shall meet all of the
following requirements:
(1) The security breach notification shall be written in plain
language.
(2) The security breach notification shall include, at a minimum,
the following information:
(A) The name and contact information of the reporting person or
business subject to this section.
(B) A list of the types of personal information that were or are
reasonably believed to have been the subject of a breach.
(C) If the information is possible to determine at the time the
notice is provided, then any of the following: (i) the date of the
breach, (ii) the estimated date of the breach, or (iii) the date
range within which the breach occurred. The notification shall also
include the date of the notice.
(D) Whether notification was delayed as a result of a law
enforcement investigation, if that information is possible to
determine at the time the notice is provided.
(E) A general description of the breach incident, if that
information is possible to determine at the time the notice is
provided.
(F) The toll-free telephone numbers and addresses of the major
credit reporting agencies if the breach exposed a social security
number or a driver's license or California identification card
number.
(G) If the person or business providing the notification was the
source of the breach, an offer to provide appropriate identity theft
prevention and mitigation services, if any, shall be provided at no
cost to the affected person for not less than 12 months, along with
all information necessary to take advantage of the offer to any
person whose information was or may have been breached if the breach
exposed or may have exposed personal information defined in
subparagraphs (A) and (B) of paragraph (1) of subdivision (h).
(3) At the discretion of the person or business, the security
breach notification may also include any of the following:
(A) Information about what the person or business has done to
protect individuals whose information has been breached.
(B) Advice on steps that the person whose information has been
breached may take to protect himself or herself.
(4) In the case of a breach of the security of the system
involving personal information defined in paragraph (2) of
subdivision (h) for an online account, and no other personal
information defined in paragraph (1) of subdivision (h), the person
or business may comply with this section by providing the security
breach notification in electronic or other form that directs the
person whose personal information has been breached promptly to
change his or her password and security question or answer, as
applicable, or to take other steps appropriate to protect the online
account with the person or business and all other online accounts for
which the person whose personal information has been breached uses
the same user name or email address and password or security question
or answer.
(5) In the case of a breach of the security of the system
involving personal information defined in paragraph (2) of
subdivision (h) for login credentials of an email account furnished
by the person or business, the person or business shall not comply
with this section by providing the security breach notification to
that email address, but may, instead, comply with this section by
providing notice by another method described in subdivision (j) or by
clear and conspicuous notice delivered to the resident online when
the resident is connected to the online account from an Internet
Protocol address or online location from which the person or business
knows the resident customarily accesses the account.
(e) A covered entity under the federal Health Insurance
Portability and Accountability Act of 1996 (42 U.S.C. Sec. 1320d et
seq.) will be deemed to have complied with the notice requirements in
subdivision (d) if it has complied completely with Section 13402(f)
of the federal Health Information Technology for Economic and
Clinical Health Act (Public Law 111-5). However, nothing in this
subdivision shall be construed to exempt a covered entity from any
other provision of this section.
(f) A person or business that is required to issue a security
breach notification pursuant to this section to more than 500
California residents as a result of a single breach of the security
system shall electronically submit a single sample copy of that
security breach notification, excluding any personally identifiable
information, to the Attorney General. A single sample copy of a
security breach notification shall not be deemed to be within
subdivision (f) of Section 6254 of the Government Code.
(g) For purposes of this section, "breach of the security of the
system" means unauthorized acquisition of computerized data that
compromises the security, confidentiality, or integrity of personal
information maintained by the person or business. Good faith
acquisition of personal information by an employee or agent of the
person or business for the purposes of the person or business is not
a breach of the security of the system, provided that the personal
information is not used or subject to further unauthorized
disclosure.
(h) For purposes of this section, "personal information" means
either of the following:
(1) An individual's first name or first initial and last name in
combination with any one or more of the following data elements, when
either the name or the data elements are not encrypted:
(A) Social security number.
(B) Driver's license number or California identification card
number.
(C) Account number, credit or debit card number, in combination
with any required security code, access code, or password that would
permit access to an individual's financial account.
(D) Medical information.
(E) Health insurance information.
(2) A user name or email address, in combination with a password
or security question and answer that would permit access to an online
account.
(i) (1) For purposes of this section, "personal information" does
not include publicly available information that is lawfully made
available to the general public from federal, state, or local
government records.
(2) For purposes of this section, "medical information" means any
information regarding an individual's medical history, mental or
physical condition, or medical treatment or diagnosis by a health
care professional.
(3) For purposes of this section, "health insurance information"
means an individual's health insurance policy number or subscriber
identification number, any unique identifier used by a health insurer
to identify the individual, or any information in an individual's
application and claims history, including any appeals records.
(j) For purposes of this section, "notice" may be provided by one
of the following methods:
(1) Written notice.
(2) Electronic notice, if the notice provided is consistent with
the provisions regarding electronic records and signatures set forth
in Section 7001 of Title 15 of the United States Code.
(3) Substitute notice, if the person or business demonstrates that
the cost of providing notice would exceed two hundred fifty thousand
dollars ($250,000), or that the affected class of subject persons to
be notified exceeds 500,000, or the person or business does not have
sufficient contact information. Substitute notice shall consist of
all of the following:
(A) Email notice when the person or business has an email address
for the subject persons.
(B) Conspicuous posting of the notice on the Internet Web site
page of the person or business, if the person or business maintains
one.
(C) Notification to major statewide media.
(k) Notwithstanding subdivision (j), a person or business that
maintains its own notification procedures as part of an information
security policy for the treatment of personal information and is
otherwise consistent with the timing requirements of this part, shall
be deemed to be in compliance with the notification requirements of
this section if the person or business notifies subject persons in
accordance with its policies in the event of a breach of security of
the system.
SEC. 3. Section 1798.85 of the Civil Code is amended to read:
1798.85. (a) Except as provided in this section, a person or
entity may not do any of the following:
(1) Publicly post or publicly display in any manner an individual'
s social security number. "Publicly post" or "publicly display" means
to intentionally communicate or otherwise make available to the
general public.
(2) Print an individual's social security number on any card
required for the individual to access products or services provided
by the person or entity.
(3) Require an individual to transmit his or her social security
number over the Internet, unless the connection is secure or the
social security number is encrypted.
(4) Require an individual to use his or her social security number
to access an Internet Web site, unless a password or unique personal
identification number or other authentication device is also
required to access the Internet Web site.
(5) Print an individual's social security number on any materials
that are mailed to the individual, unless state or federal law
requires the social security number to be on the document to be
mailed. Notwithstanding this paragraph, social security numbers may
be included in applications and forms sent by mail, including
documents sent as part of an application or enrollment process, or to
establish, amend or terminate an account, contract or policy, or to
confirm the accuracy of the social security number. A social security
number that is permitted to be mailed under this section may not be
printed, in whole or in part, on a postcard or other mailer not
requiring an envelope, or visible on the envelope or without the
envelope having been opened.
(6) Sell, advertise for sale, or offer to sell an individual's
social security number. For purposes of this paragraph, the following
apply:
(A) "Sell" shall not include the release of an individual's
social security number if the release of the social security number
is incidental to a larger transaction and is necessary to identify
the individual in order to accomplish a legitimate business purpose.
Release of an individual's social security number for marketing
purposes is not permitted.
(B) "Sell" shall not include the release of an individual's social
security number for a purpose specifically authorized or
specifically allowed by federal or state law.
(b) This section does not prevent the collection, use, or release
of a social security number as required by state or federal law or
the use of a social security number for internal verification or
administrative purposes.
(c) This section does not prevent an adult state correctional
facility, an adult city jail, or an adult county jail from releasing
an inmate's social security number, with the inmate's consent and
upon request by the county veterans service officer or the United
States Department of Veterans Affairs, for the purposes of
determining the inmate's status as a military veteran and his or her
eligibility for federal, state, or local veterans' benefits or
services.
(d) This section does not apply to documents that are recorded or
required to be open to the public pursuant to Chapter 3.5 (commencing
with Section 6250), Chapter 14 (commencing with Section 7150) or
Chapter 14.5 (commencing with Section 7220) of Division 7 of Title 1
of, Article 9 (commencing with Section 11120) of Chapter 1 of Part 1
of Division 3 of Title 2 of, or Chapter 9 (commencing with Section
54950) of Part 1 of Division 2 of Title 5 of, the Government Code.
This section does not apply to records that are required by statute,
case law, or California Rule of Court, to be made available to the
public by entities provided for in Article VI of the California
Constitution.
(e) (1) In the case of a health care service plan, a provider of
health care, an insurer or a pharmacy benefits manager, a contractor
as defined in Section 56.05, or the provision by any person or entity
of administrative or other services relative to health care or
insurance products or services, including third-party administration
or administrative services only, this section shall become operative
in the following manner:
(A) On or before January 1, 2003, the entities listed in paragraph
(1) shall comply with paragraphs (1), (3), (4), and (5) of
subdivision (a) as these requirements pertain to individual
policyholders or individual contractholders.
(B) On or before January 1, 2004, the entities listed in paragraph
(1) shall comply with paragraphs (1) to (5), inclusive, of
subdivision (a) as these requirements pertain to new individual
policyholders or new individual contractholders and new groups,
including new groups administered or issued on or after January 1,
2004.
(C) On or before July 1, 2004, the entities listed in paragraph
(1) shall comply with paragraphs (1) to (5), inclusive, of
subdivision (a) for all individual policyholders and individual
contractholders, for all groups, and for all enrollees of the Healthy
Families and Medi-Cal programs, except that for individual
policyholders, individual contractholders and groups in existence
prior to January 1, 2004, the entities listed in paragraph (1) shall
comply upon the renewal date of the policy, contract, or group on or
after July 1, 2004, but no later than July 1, 2005.
(2) A health care service plan, a provider of health care, an
insurer or a pharmacy benefits manager, a contractor, or another
person or entity as described in paragraph (1) shall make reasonable
efforts to cooperate, through systems testing and other means, to
ensure that the requirements of this article are implemented on or
before the dates specified in this section.
(3) Notwithstanding paragraph (2), the Director of the Department
of Managed Health Care, pursuant to the authority granted under
Section 1346 of the Health and Safety Code, or the Insurance
Commissioner, pursuant to the authority granted under Section 12921
of the Insurance Code, and upon a determination of good cause, may
grant extensions not to exceed six months for compliance by health
care service plans and insurers with the requirements of this section
when requested by the health care service plan or insurer. Any
extension granted shall apply to the health care service plan or
insurer's affected providers, pharmacy benefits manager, and
contractors.
(f) If a federal law takes effect requiring the United States
Department of Health and Human Services to establish a national
unique patient health identifier program, a provider of health care,
a health care service plan, a licensed health care professional, or a
contractor, as those terms are defined in Section 56.05, that
complies with the federal law shall be deemed in compliance with this
section.
(g) A person or entity may not encode or embed a social security
number in or on a card or document, including, but not limited to,
using a barcode, chip, magnetic strip, or other technology, in place
of removing the social security number, as required by this section.
(h) This section shall become operative, with respect to the
University of California, in the following manner:
(1) On or before January 1, 2004, the University of California
shall comply with paragraphs (1), (2), and (3) of subdivision (a).
(2) On or before January 1, 2005, the University of California
shall comply with paragraphs (4) and (5) of subdivision (a).
(i) This section shall become operative with respect to the
Franchise Tax Board on January 1, 2007.
(j) This section shall become operative with respect to the
California community college districts on January 1, 2007.
(k) This section shall become operative with respect to the
California State University system on July 1, 2005.
( l ) This section shall become operative, with respect
to the California Student Aid Commission and its auxiliary
organization, in the following manner:
(1) On or before January 1, 2004, the commission and its auxiliary
organization shall comply with paragraphs (1), (2), and (3) of
subdivision (a).
(2) On or before January 1, 2005, the commission and its auxiliary
organization shall comply with paragraphs (4) and (5) of subdivision
(a).