AB 83, as amended, Gatto. Personal data.
Existing law requires a person or business that owns, licenses, or maintains personal information, as defined, about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
This bill would expand the definition of “personal information” for purposes of these provisions to include [begin delete] any unique [end delete] [begin insert] an individual tax identification number, passport number, military identification number, [end insert] government-issued [begin insert] employment [end insert] identification number, an individual’s [begin delete] geophysical location, health insurance, [end delete] [begin insert] geolocation information, [end insert] or biometric [begin delete] information, or an individual’s signature. [end delete] [begin insert] information. [end insert] The bill would also define “reasonable security procedures and practices” for purposes of these provisions as [begin delete] requiring, at a minimum, [end delete] [begin insert] requiring [end insert] security of personal information to the degree that any reasonably prudent business would provide, as specified.
Vote: majority. Appropriation: no. Fiscal committee: no. State-mandated local program: no.
The people of the State of California do enact as follows:
[begin insert] Section 1798.81.5 of the Civil Code is amended to read: [end insert]
(a) (1) It is the intent of the Legislature to ensure that personal information about California residents is protected. To that end, the purpose of this section is to encourage businesses that own, license, or maintain personal information about Californians to provide reasonable security for that information.
(2) For the purpose of this section, the terms “own” and “license” include personal information that a business retains as part of the business’ internal customer account or for the purpose of using that information in transactions with the person to whom the information relates. The term “maintain” includes personal information that a business maintains but does not own or license.
(b) A business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
(c) A business that discloses personal information about a California resident pursuant to a contract with a nonaffiliated third party that is not subject to subdivision (b) shall require by contract that the third party implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
(d) For purposes of this section, the following terms have the following meanings:
(1) “Personal information” means either of the following:
(A) An individual’s first name or first initial and his or her last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:
(i) Social security [begin delete] number. [end delete] [begin insert] number, individual tax identification number, passport number, military identification number, or government issued employment identification number. [end insert]
(ii) Driver’s license number or California identification card number.
(iii) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
(iv) Medical information.
(v) Health insurance information.
[begin insert]
(vi) Geolocation information.
(vii) Biometric information.
(B) A username or email address in combination with a password or security question and answer that would permit access to an online account.
(2) “Geolocation information” means location data generated by a consumer device capable of connecting to the Internet that directly identifies the precise physical location of the identified individual at particular times and that is compiled and retained. “Geolocation information” does not include the contents of a communication or information used solely for 911 emergency purposes.
(3) “Biometric information” means data generated by automatic measurements of an individual’s fingerprint, voice print, eye retinas or irises, identifying DNA information, or unique facial characteristics, which are used by the owner or licensee to uniquely authenticate an individual’s identity.
[end insert]
[begin delete] (2) [end delete] [begin insert] (4) [end insert] “Medical information” means any individually identifiable information, in electronic or physical form, regarding the individual’s medical history or medical treatment or diagnosis by a health care professional.
[begin delete] (3) [end delete] [begin insert] (5) [end insert] “Health insurance information” means an individual’s [begin insert] health [end insert] insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any [begin insert] medical [end insert] information in an individual’s [begin insert] insurance [end insert] application and claims history, including any appeals records.
[begin delete] (4) [end delete] [begin insert] (6) [end insert] “Personal information” does not include publicly available information that is lawfully made available to the general [begin delete] public from federal, state, or local government records. [end delete] [begin insert] public. [end insert]
(e) The provisions of this section do not apply to any of the following:
(1) A provider of health care, health care service plan, or contractor regulated by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1).
(2) A financial institution as defined in Section 4052 of the Financial Code and subject to the California Financial Information Privacy Act (Division 1.2 (commencing with Section 4050) of the Financial Code).
(3) A covered entity governed by the medical privacy and security rules issued by the federal Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Availability Act of 1996 (HIPAA).
(4) An entity that obtains information under an agreement pursuant to Article 3 (commencing with Section 1800) of Chapter 1 of Division 2 of the Vehicle Code and is subject to the confidentiality requirements of the Vehicle Code.
(5) A business that is regulated by state or federal law providing greater protection to personal information than that provided by this section in regard to the subjects addressed by this section. Compliance with that state or federal law shall be deemed compliance with this section with regard to those subjects. This paragraph does not relieve a business from a duty to comply with any other requirements of other state and federal law regarding the protection and privacy of personal information.
(f) For purposes of this section, “reasonable security procedures and practices” as they pertain to the storage and transmission of personal information shall require the security of that information to the degree that any reasonably prudent business would provide. All of the following shall also apply:
(1) The business shall undertake reasonable efforts, appropriate to the nature of the information, to do the following:
(A) Identify reasonably foreseeable internal and external risks to the security of personal information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of the information.
(B) Establish, implement, and maintain safeguards reasonably designed to secure the personal information, including, but not limited to, protecting against unauthorized access, acquisition, destruction, use, modification, or disclosure of the information.
(C) Regularly assess the sufficiency of the safeguards required pursuant to subparagraph (B) to control reasonably foreseeable internal and external risks, and evaluate and adjust those safeguards in light of the assessment.
(2) The reasonableness of the security procedures and practices appropriate to the nature of the information shall be determined in light of all of the following:
(A) The type of personal information under the business’s control.
(B) The foreseeability of threats to the security of the information.
(C) The existence of widely accepted practices in administrative, technical, and physical safeguards for protecting personal information.
(D) The cost of implementing and regularly assessing the safeguards.
(E) The size of the business.
Section 1798.81.5 of the Civil Code is amended to read:
(a) (1) It is the intent of the Legislature to ensure that personal information about California residents is protected. To that end, the purpose of this section is to encourage businesses that own, license, or maintain personal information about Californians to provide reasonable security for that information.
(2) For the purpose of this section, the terms “own” and “license” include personal information that a business retains as part of the business’ internal customer account or for the purpose of using that information in transactions with the person to whom the information relates. The term “maintain” includes personal information that a business maintains but does not own or license.
(b) A business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
(c) A business that discloses personal information about a California resident pursuant to a contract with a nonaffiliated third party that is not subject to subdivision (b) shall require by contract that the third party implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
(d) For purposes of this section, the following terms have the following meanings:
(1) “Personal information” means either of the following:
(A) An individual’s first name or first initial and his or her last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:
(i) Social security number, tax identification number, passport number, or any other unique government-issued identification number.
(ii) Driver’s license number or California identification card number.
(iii) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
(iv) Medical information.
(v) Health insurance information.
(vi) Geophysical location information.
(vii) Biometric information.
(viii) Signature.
(B) Username or email address in combination with a password or security question and answer that would permit access to an online account.
(2) “Geophysical location information” means any location data generated to assess the past or current location of, or travel by, an individual, including, but not limited to, geographic coordinates, street address, or WiFi positioning system.
(3) “Biometric information” means data generated by automatic measurements of an individual’s biological characteristics that are used by the owner or licensee to authenticate an individual’s identity, such as a fingerprint, voice print, eye retinas or irises, or other unique biological characteristic.
(4) “Medical information” means any individually identifiable information, in electronic or physical form, regarding the individual’s medical history or medical treatment or diagnosis by a health care professional.
(5) “Health insurance information” means an individual’s insurance policy number or subscribed identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.
(6) “Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
(e) The provisions of this section do not apply to any of the following:
(1) A provider of health care, health care service plan, or contractor regulated by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1).
(2) A financial institution as defined in Section 4052 of the Financial Code and subject to the California Financial Information Privacy Act (Division 1.2 (commencing with Section 4050) of the Financial Code).
(3) A covered entity governed by the medical privacy and security rules issued by the federal Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Availability Act of 1996 (HIPAA).
(4) An entity that obtains information under an agreement pursuant to Article 3 (commencing with Section 1800) of Chapter 1 of Division 2 of the Vehicle Code and is subject to the confidentiality requirements of the Vehicle Code.
(5) A business that is regulated by state or federal law providing greater protection to personal information than that provided by this section in regard to the subjects addressed by this section. Compliance with that state or federal law shall be deemed compliance with this section with regard to those subjects. This paragraph does not relieve a business from a duty to comply with any other requirements of other state and federal law regarding the protection and privacy of personal information.
(f) For purposes of this section, “reasonable security procedures and practices” as they pertain to the storage and transmission of personal information shall require, at a minimum, the security of that information to the degree that any reasonably prudent business would provide. All of the following shall also apply:
(1) At a minimum, the business shall:
(A) Identify reasonably foreseeable internal and external risks to the privacy and security of personal information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of the information.
(B) Establish, implement, and maintain safeguards reasonably designed to ensure the security of the personal information, including, but not limited to, protecting against unauthorized loss, misuse, alteration, destruction, access to, or use of the information.
(C) Regularly assess the sufficiency of any safeguards in place to control reasonably foreseeable internal and external risks, and evaluate and adjust those safeguards in light of the assessment.
(D) Evaluate and adjust any material changes in the operations or business arrangements of the business, or any other circumstances, that create a material impact on the privacy or security of personal information under control of the business.
(2) The reasonableness of the security procedures and practices shall be determined in light of all of the following:
(A) The type of personal information under the business’s control.
(B) The foreseeability of threats to the security of the information.
(C) The existence of widely accepted practices in administrative, technical, and physical safeguards for protecting personal information.
(D) The cost of implementing and regularly reviewing the safeguards.