Senate Bill No. 46


Introduced by Senator Corbett

December 14, 2012


An act to amend Sections 1798.29 and 1798.82 of the Civil Code, relating to personal information.

LEGISLATIVE COUNSEL’S DIGEST

SB 46, as introduced, Corbett. Personal information: privacy.

Existing law requires any agency, and any person or business conducting business in California, that owns or licenses computerized data that includes personal information, as defined, to disclose in specified ways, any breach of the security of the system or data, as defined, following discovery or notification of the security breach, to any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Existing law defines “personal information” for these purposes, to include an individual’s first name and last name, or first initial and last name, in combination with one or more designated data elements relating to, among other things, social security numbers, driver’s license numbers, financial accounts, and medical information.

This bill would revise certain data elements included within the definition of personal information, by adding certain information relating to an account other than a financial account.

Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: no.

The people of the State of California do enact as follows:

SECTION 1. Section 1798.29 of the Civil Code is amended to read:

1798.29. (a) Any agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

(b) Any agency that maintains computerized data that includes personal information that the agency does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

(c) The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notification required by this section shall be made after the law enforcement agency determines that it will not compromise the investigation.

(d) Any agency that is required to issue a security breach notification pursuant to this section shall meet all of the following requirements:

(1) The security breach notification shall be written in plain language.

(2) The security breach notification shall include, at a minimum, the following information:

(A) The name and contact information of the reporting agency subject to this section.

(B) A list of the types of personal information that were or are reasonably believed to have been the subject of a breach.

(C) If the information is possible to determine at the time the notice is provided, then any of the following: (i) the date of the breach, (ii) the estimated date of the breach, or (iii) the date range within which the breach occurred. The notification shall also include the date of the notice.

(D) Whether the notification was delayed as a result of a law enforcement investigation, if that information is possible to determine at the time the notice is provided.

(E) A general description of the breach incident, if that information is possible to determine at the time the notice is provided.

(F) The toll-free telephone numbers and addresses of the major credit reporting agencies, if the breach exposed a social security number or a driver’s license or California identification card number.

(3) At the discretion of the agency, the security breach notification may also include any of the following:

(A) Information about what the agency has done to protect individuals whose information has been breached.

(B) Advice on steps that the person whose information has been breached may take to protect himself or herself.

(e) Any agency that is required to issue a security breach notification pursuant to this section to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. A single sample copy of a security breach notification shall not be deemed to be within subdivision (f) of Section 6254 of the Government Code.

(f) For purposes of this section, “breach of the security of the system” means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the agency. Good faith acquisition of personal information by an employee or agent of the agency for the purposes of the agency is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.

(g) For purposes of this section, “personal information” means an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

(1) Social security number.

(2) Driver’s license number or California Identification Card number.

(3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

(4) Medical information.

(5) Health insurance information.

begin insert

(6) Password, user name, or security question and answer for an account other than a financial account.

end insert

(h) (1) For purposes of this section, “personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

(2) For purposes of this section, “medical information” means any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.

(3) For purposes of this section, “health insurance information” means an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.

(i) For purposes of this section, “notice” may be provided by one of the following methods:

(1) Written notice.

(2) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code.

(3) Substitute notice, if the agency demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000), or that the affected class of subject persons to be notified exceeds 500,000, or the agency does not have sufficient contact information. Substitute notice shall consist of all of the following:

(A) E-mail notice when the agency has an e-mail address for the subject persons.

(B) Conspicuous posting of the notice on the agency’s Internet Web site page, if the agency maintains one.

(C) Notification to major statewide media and the Office of Information Security within the California Technology Agency.

(j) Notwithstanding subdivision (i), an agency that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this part shall be deemed to be in compliance with the notification requirements of this section if it notifies subject persons in accordance with its policies in the event of a breach of security of the system.

SEC. 2. Section 1798.82 of the Civil Code is amended to read:

1798.82. (a) Any person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

(b) Any person or business that maintains computerized data that includes personal information that the person or business does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

(c) The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notification required by this section shall be made after the law enforcement agency determines that it will not compromise the investigation.

(d) Any person or business that is required to issue a security breach notification pursuant to this section shall meet all of the following requirements:

(1) The security breach notification shall be written in plain language.

(2) The security breach notification shall include, at a minimum, the following information:

(A) The name and contact information of the reporting person or business subject to this section.

(B) A list of the types of personal information that were or are reasonably believed to have been the subject of a breach.

(C) If the information is possible to determine at the time the notice is provided, then any of the following: (i) the date of the breach, (ii) the estimated date of the breach, or (iii) the date range within which the breach occurred. The notification shall also include the date of the notice.

(D) Whether notification was delayed as a result of a law enforcement investigation, if that information is possible to determine at the time the notice is provided.

(E) A general description of the breach incident, if that information is possible to determine at the time the notice is provided.

(F) The toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed a social security number or a driver’s license or California identification card number.

(3) At the discretion of the person or business, the security breach notification may also include any of the following:

(A) Information about what the person or business has done to protect individuals whose information has been breached.

(B) Advice on steps that the person whose information has been breached may take to protect himself or herself.

(e) A covered entity under the federal Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Sec. 1320d et seq.) will be deemed to have complied with the notice requirements in subdivision (d) if it has complied completely with Section 13402(f) of the federal Health Information Technology for Economic and Clinical Health Act (Public Law 111-5). However, nothing in this subdivision shall be construed to exempt a covered entity from any other provision of this section.

(f) Any person or business that is required to issue a security breach notification pursuant to this section to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. A single sample copy of a security breach notification shall not be deemed to be within subdivision (f) of Section 6254 of the Government Code.

(g) For purposes of this section, “breach of the security of the system” means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business. Good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.

(h) For purposes of this section, “personal information” means an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

(1) Social security number.

(2) Driver’s license number or California Identification Card number.

(3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

(4) Medical information.

(5) Health insurance information.

begin insert

(6) Password, user name or security question and answer for an account other than a financial account.

end insert

(i) (1) For purposes of this section, “personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

(2) For purposes of this section, “medical information” means any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.

(3) For purposes of this section, “health insurance information” means an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.

(j) For purposes of this section, “notice” may be provided by one of the following methods:

(1) Written notice.

(2) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code.

(3) Substitute notice, if the person or business demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000), or that the affected class of subject persons to be notified exceeds 500,000, or the person or business does not have sufficient contact information. Substitute notice shall consist of all of the following:

(A) E-mail notice when the person or business has an e-mail address for the subject persons.

(B) Conspicuous posting of the notice on the Internet Web site page of the person or business, if the person or business maintains one.

(C) Notification to major statewide media and the Office of Privacy Protection within the State and Consumer Services Agency.

(k) Notwithstanding subdivision (j), a person or business that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this part, shall be deemed to be in compliance with the notification requirements of this section if the person or business notifies subject persons in accordance with its policies in the event of a breach of security of the system.
