Assembly BillNo. 83

3

1798.81.5.  

(a) (1) It is the intent of the Legislature to ensure
4that personal information about California residents is protected.
5To that end, the purpose of this section is to encourage businesses
6that own, license, or maintain personal information about
7Californians to provide reasonable security for that information.

8(2) For the purpose of this section, the terms “own” and
9“license” include personal information that a business retains as
10part of the business’ internal customer account or for the purpose
11of using that information in transactions with the person to whom
12the information relates. The term “maintain” includes personal
13information that a business maintains but does not own or license.

14(b) A business that owns, licenses, or maintains personal
15information about a California resident shall implement and
16maintain reasonable security procedures and practices appropriate
17to the nature of the information, to protect the personal information
18from unauthorized access, destruction, use, modification, or
19disclosure.

20(c) A business that discloses personal information about a
21California resident pursuant to a contract with a nonaffiliated third
22party that is not subject to subdivision (b) shall require by contract
23that the third party implement and maintain reasonable security
24procedures and practices appropriate to the nature of the
25information, to protect the personal information from unauthorized
26access, destruction, use, modification, or disclosure.

27(d) For purposes of this section, the following terms have the
28 following meanings:

29(1) “Personal information” means an individual’s first name or
30first initial and his or her last name in combination with any one
31or more of the following data elements, when either the name or
32the data elements are not encrypted or redacted:

33(A) Social security number.

34(B) Driver’s license number or California identification card
35number.

P3    1(C) Account number, credit or debit card number, in
2combination with any required security code, access code, or
3password that would permit access to an individual’s financial
4account.

5(D) Medical information.

begin insert

6(E) Geophysical location information.

end insertbegin insert

7(2) “Geophysical location information” means any personally
8identifiable information describing or concerning the duration of
9a transportation service provided to an individual, the location
10and route of a transportation service provided to an individual,
11or, if applicable, the monetary exchange associated with a
12transportation service provided to an individual.

end insertbegin delete

4 13(2)

end delete

14begin insert(3)end insert “Medical information” means any individually identifiable
15 information, in electronic or physical form, regarding the
16individual’s medical history or medical treatment or diagnosis by
17a health care professional.

begin delete

8 18(3)

end delete

19begin insert(4)end insert “Personal information” does not include publicly available
20information that is lawfully made available to the general public
21from federal, state, or local government records.

begin delete

22(4) “Private data” means any of the following information:

23(A) Medical information.

24(B) Personally identifiable financial information, as that term
25is defined in subdivision (b) of Section 4052 of the Financial Code.

26(C) Geophysical location information.

27(D) The combination of an individual’s first name or first initial
28and his or her last name, with any of the following:

29(i) Mother’s maiden name.

30(ii) Social Security Number.

31(iii) Date of birth.

end delete

32(e) The provisions of this section do not apply to any of the
33following:

34(1) A provider of health care, health care service plan, or
35contractor regulated by the Confidentiality of Medical Information
36Act (Part 2.6 (commencing with Section 56) of Division 1).

37(2) A financial institution as defined in Section 4052 of the
38Financial Code and subject to the California Financial Information
39Privacy Act (Division 1.2 (commencing with Section 4050) of the
40Financial Code).

P4    1(3) A covered entity governed by the medical privacy and
2security rules issued by the federal Department of Health and
3Human Services, Parts 160 and 164 of Title 45 of the Code of
4Federal Regulations, established pursuant to the Health Insurance
5Portability and Availability Act of 1996 (HIPAA).

6(4) An entity that obtains information under an agreement
7pursuant to Article 3 (commencing with Section 1800) of Chapter
81 of Division 2 of the Vehicle Code and is subject to the
9confidentiality requirements of the Vehicle Code.

10(5) A business that is regulated by state or federal law providing
11greater protection to personal information than that provided by
12this section in regard to the subjects addressed by this section.
13Compliance with that state or federal law shall be deemed
14compliance with this section with regard to those subjects. This
15paragraph does not relieve a business from a duty to comply with
16any other requirements of other state and federal law regarding
17the protection and privacy of personal information.

18(f) For purposes of this section, “reasonable security procedures
19and practices” as they pertain to the storage and transmission of
20begin delete private dataend deletebegin insert personal informationend insert shall require, at a minimum, the
21begin delete encryptionend deletebegin insert securityend insert of that information to the degree that any
22reasonably prudent business wouldbegin delete provide, taking into account
23factors, including, but not limited to, the business’ size, available
24technology, publically available threat information, generally
25accepted standards, and the customs and practices of the specific
26industry within which the business operates, to the extent
27commercially reasonable.end deletebegin insert provide. All of the following shall also
28apply:end insert

begin insert

29(1) At a minimum, the business shall:

end insertbegin insert

30(A) Identify reasonably foreseeable internal and external risks
31to the privacy and security of personal information that could
32result in the unauthorized disclosure, misuse, alteration,
33destruction, or other compromise of the information.

end insertbegin insert

34(B) Establish, implement, and maintain safeguards reasonably
35designed to ensure the security of the personal information,
36including, but not limited to, protecting against unauthorized loss,
37misuse, alteration, destruction, access to, or use of the information.

end insertbegin insert

38(C) Regularly assess the sufficiency of any safeguards in place
39to control reasonably foreseeable internal and external risks, and
40evaluate and adjust those safeguards in light of the assessment.

end insertbegin insert

P5    1(D) Evaluate and adjust any material changes in the operations
2or business arrangements of the business, or any other
3circumstances, that create a material impact on the privacy or
4security of personal information under control of the business.

end insertbegin insert

5(2) The reasonableness of the security procedures and practices
6shall be determined in light of all of the following:

end insertbegin insert

7(A) The degree of the privacy risk associated with the personal
8information under the business’s control.

end insertbegin insert

9(B) The foreseeability of threats to the security of the
10information.

end insertbegin insert

11(C) The existence of widely accepted practices in administrative,
12technical, and physical safeguards for protecting personal
13information.

end insertbegin insert

14(D) The cost of implementing and regularly reviewing the
15safeguards.

end insert begin delete

16(g) The Department of Justice may, at its discretion, specify
17security procedures and practices, including related technical
18standards, that it deems to be presumptively reasonable within a
19particular industry.

end delete