Amended in Senate June 25, 2015

Amended in Assembly April 27, 2015

Amended in Assembly March 26, 2015

California Legislature—2015–16 Regular Session

Assembly Bill No. 83


Introduced by Assembly Member Gatto

January 6, 2015


An act to amend Section 1798.81.5 of the Civil Code, relating to personal data.

LEGISLATIVE COUNSEL’S DIGEST

AB 83, as amended, Gatto. Information Practices Act of 1977.

Existing law requires a person or business that owns, licenses, or maintains personal information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

This bill would define “reasonable security procedures and practices” for purposes of these provisions as requiring, at a minimum, security of personal information, including geophysical location [inserted: information and biometric] information, to the degree that any reasonably prudent business would provide, as specified.

Vote: majority. Appropriation: no. Fiscal committee: no. State-mandated local program: no.

The people of the State of California do enact as follows:

SECTION 1. Section 1798.81.5 of the Civil Code is amended to read:

1798.81.5. (a) (1) It is the intent of the Legislature to ensure that personal information about California residents is protected. To that end, the purpose of this section is to encourage businesses that own, license, or maintain personal information about Californians to provide reasonable security for that information.

(2) For the purpose of this section, the terms “own” and “license” include personal information that a business retains as part of the business’ internal customer account or for the purpose of using that information in transactions with the person to whom the information relates. The term “maintain” includes personal information that a business maintains but does not own or license.

(b) A business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

(c) A business that discloses personal information about a California resident pursuant to a contract with a nonaffiliated third party that is not subject to subdivision (b) shall require by contract that the third party implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

(d) For purposes of this section, the following terms have the following meanings:

(1) “Personal information” means [deleted: an] [inserted: either of the following:]

[inserted: (A) An] individual’s first name or first initial and his or her last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:

[deleted: (A)] [inserted: (i)] Social security [deleted: number.] [inserted: number, tax identification number, passport number, or any other unique government-issued identification number.]

[deleted: (B)] [inserted: (ii)] Driver’s license number or California identification card number.

[deleted: (C)] [inserted: (iii)] Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

[deleted: (D)] [inserted: (iv)] Medical information.

[deleted: (E)] [inserted: (v)] Geophysical location information.

[inserted: (vi) Biometric information.]

[inserted: (vii) Signature.]

[inserted: (B) Username or email address in combination with a password or security question and answer that would permit access to an online account.]

(2) “Geophysical location information” means any [deleted: personally identifiable information describing or concerning the duration of a transportation service provided to an individual, the location and route of a transportation service provided to an individual, or, if applicable, the monetary exchange associated with a transportation service provided to an individual.] [inserted: location data generated to assess the past or current location of, or travel by, an individual, including, but not limited to, geographic coordinates, street address, or WiFi positioning system.]

[inserted: (3) “Biometric information” means data generated by automatic measurements of an individual’s biological characteristics that are used by the owner or licensee to authenticate an individual’s identity, such as a fingerprint, voice print, eye retinas or irises, or other unique biological characteristic.]

[deleted: (3)] [inserted: (4)] “Medical information” means any individually identifiable information, in electronic or physical form, regarding the individual’s medical history or medical treatment or diagnosis by a health care professional.

[inserted: (5) “Health insurance information” means an individual’s insurance policy number or subscribed identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.]

[deleted: (4)] [inserted: (6)] “Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

(e) The provisions of this section do not apply to any of the following:

(1) A provider of health care, health care service plan, or contractor regulated by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1).

(2) A financial institution as defined in Section 4052 of the Financial Code and subject to the California Financial Information Privacy Act (Division 1.2 (commencing with Section 4050) of the Financial Code).

(3) A covered entity governed by the medical privacy and security rules issued by the federal Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

(4) An entity that obtains information under an agreement pursuant to Article 3 (commencing with Section 1800) of Chapter 1 of Division 2 of the Vehicle Code and is subject to the confidentiality requirements of the Vehicle Code.

(5) A business that is regulated by state or federal law providing greater protection to personal information than that provided by this section in regard to the subjects addressed by this section. Compliance with that state or federal law shall be deemed compliance with this section with regard to those subjects. This paragraph does not relieve a business from a duty to comply with any other requirements of other state and federal law regarding the protection and privacy of personal information.

(f) For purposes of this section, “reasonable security procedures and practices” as they pertain to the storage and transmission of personal information shall require, at a minimum, the security of that information to the degree that any reasonably prudent business would provide. All of the following shall also apply:

(1) At a minimum, the business shall:

(A) Identify reasonably foreseeable internal and external risks to the privacy and security of personal information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of the information.

(B) Establish, implement, and maintain safeguards reasonably designed to ensure the security of the personal information, including, but not limited to, protecting against unauthorized loss, misuse, alteration, destruction, access to, or use of the information.

(C) Regularly assess the sufficiency of any safeguards in place to control reasonably foreseeable internal and external risks, and evaluate and adjust those safeguards in light of the assessment.

(D) Evaluate and adjust any material changes in the operations or business arrangements of the business, or any other circumstances, that create a material impact on the privacy or security of personal information under control of the business.

(2) The reasonableness of the security procedures and practices shall be determined in light of all of the following:

(A) The [deleted: degree of the privacy risk associated with the] [inserted: type of] personal information under the business’s control.

(B) The foreseeability of threats to the security of the information.

(C) The existence of widely accepted practices in administrative, technical, and physical safeguards for protecting personal information.

(D) The cost of implementing and regularly reviewing the safeguards.
