AB 83, as amended, Gatto. Information Practices Act of 1977.
Existing law requires a person or business that owns, licenses, or maintains personal information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
This bill would define “reasonable security procedures and practices” for purposes of these provisions as requiring, at a minimum, the encryption of private data to the degree that any reasonably prudent business would provide, as specified. The bill would define “private data” to include specified types of personally identifying medical, financial, and geophysical information. The bill would also authorize the Department of Justice to specify security procedures, practices, and technical standards that it deems to be presumptively reasonable within a particular industry.
[Deleted by amendment: Existing law, the Information Practices Act of 1977, defines specified terms for its purposes. This bill would make nonsubstantive changes to those provisions.]
end deleteVote: majority.
Appropriation: no.
Fiscal committee: [deleted by amendment: no] yes.
State-mandated local program: no.
The people of the State of California do enact as follows:
Section 1798.81.5 of the Civil Code is amended to read:
(a) (1) It is the intent of the Legislature to ensure that personal information about California residents is protected. To that end, the purpose of this section is to encourage businesses that own, license, or maintain personal information about Californians to provide reasonable security for that information.
(2) For the purpose of this section, the terms “own” and “license” include personal information that a business retains as part of the business’ internal customer account or for the purpose of using that information in transactions with the person to whom the information relates. The term “maintain” includes personal information that a business maintains but does not own or license.
(b) A business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
(c) A business that discloses personal information about a California resident pursuant to a contract with a nonaffiliated third party that is not subject to subdivision (b) shall require by contract that the third party implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
(d) For purposes of this section, the following terms have the following meanings:
(1) “Personal information” means an individual’s first name or first initial and his or her last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:
(A) Social security number.
(B) Driver’s license number or California identification card number.
(C) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
(D) Medical information.
(2) “Medical information” means any individually identifiable information, in electronic or physical form, regarding the individual’s medical history or medical treatment or diagnosis by a health care professional.
(3) “Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
(4) “Private data” means any of the following information:
(A) Medical information.
(B) Personally identifiable financial information, as that term is defined in subdivision (b) of Section 4052 of the Financial Code.
(C) Geophysical location information.
(D) The combination of an individual’s first name or first initial and his or her last name, with any of the following:
(i) Mother’s maiden name.
(ii) Social Security Number.
(iii) Date of birth.
(e) The provisions of this section do not apply to any of the following:
(1) A provider of health care, health care service plan, or contractor regulated by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1).
(2) A financial institution as defined in Section 4052 of the Financial Code and subject to the California Financial Information Privacy Act (Division 1.2 (commencing with Section 4050) of the Financial Code).
(3) A covered entity governed by the medical privacy and security rules issued by the federal Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Availability Act of 1996 (HIPAA).
(4) An entity that obtains information under an agreement pursuant to Article 3 (commencing with Section 1800) of Chapter 1 of Division 2 of the Vehicle Code and is subject to the confidentiality requirements of the Vehicle Code.
(5) A business that is regulated by state or federal law providing greater protection to personal information than that provided by this section in regard to the subjects addressed by this section. Compliance with that state or federal law shall be deemed compliance with this section with regard to those subjects. This paragraph does not relieve a business from a duty to comply with any other requirements of other state and federal law regarding the protection and privacy of personal information.
(f) For purposes of this section, “reasonable security procedures and practices” as they pertain to the storage and transmission of private data shall require, at a minimum, the encryption of that information to the degree that any reasonably prudent business would provide, taking into account factors, including, but not limited to, the business’ size, available technology, publicly available threat information, generally accepted standards, and the customs and practices of the specific industry within which the business operates, to the extent commercially reasonable.
(g) The Department of Justice may, at its discretion, specify security procedures and practices, including related technical standards, that it deems to be presumptively reasonable within a particular industry.
Section 1798.3 of the Civil Code is amended to read:
As used in this chapter:
(a) “Personal information” means any information that is maintained by an agency that identifies or describes an individual, including, but not limited to, his or her name, social security number, physical description, home address, home telephone number, education, financial matters, and medical or employment history. It includes statements made by, or attributed to, the individual.
(b) “Agency” means a state office, officer, department, division, bureau, board, commission, or other state agency, except that agency shall not include:
(1) The California Legislature.
(2) An agency established under Article VI of the California Constitution.
(3) The State Compensation Insurance Fund, except as to any records which contain personal information about the employees of the State Compensation Insurance Fund.
(4) A local agency, as defined in subdivision (a) of Section 6252 of the Government Code.
(c) “Disclose” means to disclose, release, transfer, disseminate, or otherwise communicate all or any part of any record orally, in writing, or by electronic or any other means to any person or entity.
(d) “Individual” means a natural person.
(e) “Maintain” includes maintain, acquire, use, or disclose.
(f) “Person” means any natural person, corporation, partnership, limited liability company, firm, or association.
(g) “Record” means any file or grouping of information about an individual that is maintained by an agency by reference to an identifying particular such as the individual’s name, photograph, finger or voice print, or a number or symbol assigned to the individual.
(h) “System of records” means one or more records, which pertain to one or more individuals, which is maintained by any agency, from which information is retrieved by the name of an individual or by some identifying number, symbol or other identifying particular assigned to the individual.
(i) “Governmental entity” except as used in Section 1798.26, means any branch of the federal government or of the local government.
(j) “Commercial purpose” means any purpose which has financial gain as a major objective. It does not include the gathering or dissemination of newsworthy facts by a publisher or broadcaster.
(k) “Regulatory agency” means the Department of Business Oversight, the Department of Insurance, the Bureau of Real Estate, and agencies of the United States or of any other state responsible for regulating financial institutions.