AB 83, as amended, Gatto. Personal data. (As introduced, the title read: Information Practices Act of 1977.)
Existing law requires a person or business that owns, licenses, or maintains personal information, as defined, about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
This bill would expand the definition of “personal information” for purposes of these provisions to include any unique government-issued identification number, an individual’s geophysical location, health insurance, or biometric information, or an individual’s signature. The bill would also define “reasonable security procedures and practices” for purposes of these provisions as requiring, at a minimum, security of personal information to the degree that any reasonably prudent business would provide, as specified. (As introduced, this paragraph read: This bill would define “reasonable security procedures and practices” for purposes of these provisions as requiring, at a minimum, security of personal information, including geophysical location information and biometric information, to the degree that any reasonably prudent business would provide, as specified.)
Vote: majority. Appropriation: no. Fiscal committee: no. State-mandated local program: no.
The people of the State of California do enact as follows:
Section 1798.81.5 of the Civil Code is amended to read:
(a) (1) It is the intent of the Legislature to ensure that personal information about California residents is protected. To that end, the purpose of this section is to encourage businesses that own, license, or maintain personal information about Californians to provide reasonable security for that information.
(2) For the purpose of this section, the terms “own” and “license” include personal information that a business retains as part of the business’ internal customer account or for the purpose of using that information in transactions with the person to whom the information relates. The term “maintain” includes personal information that a business maintains but does not own or license.
(b) A business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
(c) A business that discloses personal information about a California resident pursuant to a contract with a nonaffiliated third party that is not subject to subdivision (b) shall require by contract that the third party implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
(d) For purposes of this section, the following terms have the following meanings:
(1) “Personal information” means either of the following:
(A) An individual’s first name or first initial and his or her last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:
(i) Social security number, tax identification number, passport number, or any other unique government-issued identification number.
(ii) Driver’s license number or California identification card number.
(iii) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
(iv) Medical information.
(v) Health insurance information.
(vi) Geophysical location information.
(vii) Biometric information.
(viii) Signature.
(B) Username or email address in combination with a password or security question and answer that would permit access to an online account.
(2) “Geophysical location information” means any location data generated to assess the past or current location of, or travel by, an individual, including, but not limited to, geographic coordinates, street address, or WiFi positioning system.
(3) “Biometric information” means data generated by automatic measurements of an individual’s biological characteristics that are used by the owner or licensee to authenticate an individual’s identity, such as a fingerprint, voice print, eye retinas or irises, or other unique biological characteristic.
(4) “Medical information” means any individually identifiable information, in electronic or physical form, regarding the individual’s medical history or medical treatment or diagnosis by a health care professional.
(5) “Health insurance information” means an individual’s insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.
(6) “Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
(e) The provisions of this section do not apply to any of the following:
(1) A provider of health care, health care service plan, or contractor regulated by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1).
(2) A financial institution as defined in Section 4052 of the Financial Code and subject to the California Financial Information Privacy Act (Division 1.2 (commencing with Section 4050) of the Financial Code).
(3) A covered entity governed by the medical privacy and security rules issued by the federal Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
(4) An entity that obtains information under an agreement pursuant to Article 3 (commencing with Section 1800) of Chapter 1 of Division 2 of the Vehicle Code and is subject to the confidentiality requirements of the Vehicle Code.
(5) A business that is regulated by state or federal law providing greater protection to personal information than that provided by this section in regard to the subjects addressed by this section. Compliance with that state or federal law shall be deemed compliance with this section with regard to those subjects. This paragraph does not relieve a business from a duty to comply with any other requirements of other state and federal law regarding the protection and privacy of personal information.
(f) For purposes of this section, “reasonable security procedures and practices” as they pertain to the storage and transmission of personal information shall require, at a minimum, the security of that information to the degree that any reasonably prudent business would provide. All of the following shall also apply:
(1) At a minimum, the business shall:
(A) Identify reasonably foreseeable internal and external risks to the privacy and security of personal information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of the information.
(B) Establish, implement, and maintain safeguards reasonably designed to ensure the security of the personal information, including, but not limited to, protecting against unauthorized loss, misuse, alteration, destruction, access to, or use of the information.
(C) Regularly assess the sufficiency of any safeguards in place to control reasonably foreseeable internal and external risks, and evaluate and adjust those safeguards in light of the assessment.
(D) Evaluate and adjust any material changes in the operations or business arrangements of the business, or any other circumstances, that create a material impact on the privacy or security of personal information under control of the business.
(2) The reasonableness of the security procedures and practices shall be determined in light of all of the following:
(A) The type of personal information under the business’s control.
(B) The foreseeability of threats to the security of the information.
(C) The existence of widely accepted practices in administrative, technical, and physical safeguards for protecting personal information.
(D) The cost of implementing and regularly reviewing the safeguards.