BILL NUMBER: AB 83	AMENDED
	BILL TEXT

	AMENDED IN SENATE  AUGUST 19, 2016
	AMENDED IN SENATE  JULY 15, 2015
	AMENDED IN SENATE  JUNE 25, 2015
	AMENDED IN ASSEMBLY  APRIL 27, 2015
	AMENDED IN ASSEMBLY  MARCH 26, 2015

INTRODUCED BY   Assembly Member Gatto

                        JANUARY 6, 2015

   An act to amend Section 1798.81.5 of the Civil Code, relating to
personal data.


	LEGISLATIVE COUNSEL'S DIGEST


   AB 83, as amended, Gatto. Personal data.
   Existing law requires a person or business that owns, licenses, or
maintains personal information, as defined, about a California
resident to implement and maintain reasonable security procedures and
practices appropriate to the nature of the information, to protect
the personal information from unauthorized access, destruction, use,
modification, or disclosure.
   This bill would expand the definition of "personal information"
for purposes of these provisions to include an individual tax
identification number, passport number, military identification
number, government-issued employment identification number, health
insurance, geolocation information, or biometric information. The bill
would also define "reasonable security procedures and practices" for
purposes of these provisions as requiring security of personal
information to the degree that any reasonably prudent business would
provide, as specified.
   Vote: majority. Appropriation: no. Fiscal committee: no.
State-mandated local program: no.


THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:

   SECTION 1.  Section 1798.81.5 of the Civil Code is amended to read:
   1798.81.5.  (a) (1) It is the intent of the Legislature to ensure
that personal information about California residents is protected. To
that end, the purpose of this section is to encourage businesses
that own, license, or maintain personal information about
Californians to provide reasonable security for that information.
   (2) For the purpose of this section, the terms "own" and "license"
include personal information that a business retains as part of the
business' internal customer account or for the purpose of using that
information in transactions with the person to whom the information
relates. The term "maintain" includes personal information that a
business maintains but does not own or license.
   (b) A business that owns, licenses, or maintains personal
information about a California resident shall implement and maintain
reasonable security procedures and practices appropriate to the
nature of the information, to protect the personal information from
unauthorized access, destruction, use, modification, or disclosure.
   (c) A business that discloses personal information about a
California resident pursuant to a contract with a nonaffiliated third
party that is not subject to subdivision (b) shall require by
contract that the third party implement and maintain reasonable
security procedures and practices appropriate to the nature of the
information, to protect the personal information from unauthorized
access, destruction, use, modification, or disclosure.
   (d) For purposes of this section, the following terms have the
following meanings:
   (1) "Personal information" means either of the following:
   (A)  An individual's first name or first initial and his or her
last name in combination with any one or more of the following data
elements, when either the name or the data elements are not encrypted
or redacted:
   (i) Social security number, individual tax identification number,
passport number, military identification number, or government issued
employment identification number.
   (ii) Driver's license number or California identification card
number.
   (iii) Account number, credit or debit card number, in combination
with any required security code, access code, or password that would
permit access to an individual's financial account.
   (iv) Medical information.
   (v) Health insurance information. 
   (vi) Geolocation information.  
   (vii) Biometric information. 
   (B) A username or email address in combination with a password or
security question and answer that would permit access to an online
account. 
   (2) "Geolocation information" means location data generated by a
consumer device capable of connecting to the Internet that directly
identifies the precise physical location of the identified individual
at particular times and that is compiled and retained. "Geolocation
information" does not include the contents of a communication or
information used solely for 911 emergency purposes.  
   (3) "Biometric information" means data generated by automatic
measurements of an individual's fingerprint, voice print, eye retinas
or irises, identifying DNA information, or unique facial
characteristics, which are used by the owner or licensee to uniquely
authenticate an individual's identity.  
   (4) "Medical information" means any individually identifiable
information, in electronic or physical form, regarding the individual's
medical history or medical treatment or diagnosis by a health care
professional.
   (5) "Health insurance information" means an individual's health
insurance policy number or subscriber identification number, any
unique identifier used by a health insurer to identify the individual,
or any medical information in an individual's insurance application
and claims history, including any appeals records.
   (6) "Personal information" does not include publicly available
information that is lawfully made available to the general public.
   (e) The provisions of this section do not apply to any of the
following:
   (1) A provider of health care, health care service plan, or
contractor regulated by the Confidentiality of Medical Information
Act (Part 2.6 (commencing with Section 56) of Division 1).
   (2) A financial institution as defined in Section 4052 of the
Financial Code and subject to the California Financial Information
Privacy Act (Division 1.2 (commencing with Section 4050) of the
Financial Code).
   (3) A covered entity governed by the medical privacy and security
rules issued by the federal Department of Health and Human Services,
Parts 160 and 164 of Title 45 of the Code of Federal Regulations,
established pursuant to the Health Insurance Portability and
Availability Act of 1996 (HIPAA).
   (4) An entity that obtains information under an agreement pursuant
to Article 3 (commencing with Section 1800) of Chapter 1 of Division
2 of the Vehicle Code and is subject to the confidentiality
requirements of the Vehicle Code.
   (5) A business that is regulated by state or federal law providing
greater protection to personal information than that provided by
this section in regard to the subjects addressed by this section.
Compliance with that state or federal law shall be deemed compliance
with this section with regard to those subjects. This paragraph does
not relieve a business from a duty to comply with any other
requirements of other state and federal law regarding the protection
and privacy of personal information. 
   (f) For purposes of this section, "reasonable security procedures
and practices" as they pertain to the storage and transmission of
personal information shall require the security of that information
to the degree that any reasonably prudent business would provide. All
of the following shall also apply:  
   (1) The business shall undertake reasonable efforts, appropriate
to the nature of the information, to do the following:  
   (A) Identify reasonably foreseeable internal and external risks to
the security of personal information that could result in the
unauthorized disclosure, misuse, alteration, destruction, or other
compromise of the information.  
   (B) Establish, implement, and maintain safeguards reasonably
designed to secure the personal information, including, but not
limited to, protecting against unauthorized access, acquisition,
destruction, use, modification, or disclosure of the information.
   (C) Regularly assess the sufficiency of the safeguards required
pursuant to subparagraph (B) to control reasonably foreseeable
internal and external risks, and evaluate and adjust those safeguards
in light of the assessment.  
   (2) The reasonableness of the security procedures and practices
appropriate to the nature of the information shall be determined in
light of all of the following:  
   (A) The type of personal information under the business's control.
   (B) The foreseeability of threats to the security of the
information.  
   (C) The existence of widely accepted practices in administrative,
technical, and physical safeguards for protecting personal
information.  
   (D) The cost of implementing and regularly assessing the
safeguards.  
   (E) The size of the business.  
  SECTION 1.    Section 1798.81.5 of the Civil Code
is amended to read:
   1798.81.5.  (a) (1) It is the intent of the Legislature to ensure
that personal information about California residents is protected. To
that end, the purpose of this section is to encourage businesses
that own, license, or maintain personal information about
Californians to provide reasonable security for that information.
   (2) For the purpose of this section, the terms "own" and "license"
include personal information that a business retains as part of the
business' internal customer account or for the purpose of using that
information in transactions with the person to whom the information
relates. The term "maintain" includes personal information that a
business maintains but does not own or license.
   (b) A business that owns, licenses, or maintains personal
information about a California resident shall implement and maintain
reasonable security procedures and practices appropriate to the
nature of the information, to protect the personal information from
unauthorized access, destruction, use, modification, or disclosure.
   (c) A business that discloses personal information about a
California resident pursuant to a contract with a nonaffiliated third
party that is not subject to subdivision (b) shall require by
contract that the third party implement and maintain reasonable
security procedures and practices appropriate to the nature of the
information, to protect the personal information from unauthorized
access, destruction, use, modification, or disclosure.
   (d) For purposes of this section, the following terms have the
following meanings:
   (1) "Personal information" means either of the following:
   (A)  An individual's first name or first initial and his or her
last name in combination with any one or more of the following data
elements, when either the name or the data elements are not encrypted
or redacted:
   (i) Social security number, tax identification number, passport
number, or any other unique government-issued identification number.
   (ii) Driver's license number or California identification card
number.
   (iii) Account number, credit or debit card number, in combination
with any required security code, access code, or password that would
permit access to an individual's financial account.
   (iv) Medical information.
   (v) Health insurance information.
   (vi) Geophysical location information.
   (vii) Biometric information.
   (viii) Signature.
   (B) Username or email address in combination with a password or
security question and answer that would permit access to an online
account.
   (2) "Geophysical location information" means any location data
generated to assess the past or current location of, or travel by, an
individual, including, but not limited to, geographic coordinates,
street address, or WiFi positioning system.
   (3) "Biometric information" means data generated by automatic
measurements of an individual's biological characteristics that are
used by the owner or licensee to authenticate an individual's
identity, such as a fingerprint, voice print, eye retinas or irises,
or other unique biological characteristic.
   (4) "Medical information" means any individually identifiable
information, in electronic or physical form, regarding the individual'
s medical history or medical treatment or diagnosis by a health care
professional.
   (5) "Health insurance information" means an individual's insurance
policy number or subscribed identification number, any unique
identifier used by a health insurer to identify the individual, or
any information in an individual's application and claims history,
including any appeals records.
   (6) "Personal information" does not include publicly available
information that is lawfully made available to the general public
from federal, state, or local government records.
   (e) The provisions of this section do not apply to any of the
following:
   (1) A provider of health care, health care service plan, or
contractor regulated by the Confidentiality of Medical Information
Act (Part 2.6 (commencing with Section 56) of Division 1).
   (2) A financial institution as defined in Section 4052 of the
Financial Code and subject to the California Financial Information
Privacy Act (Division 1.2 (commencing with Section 4050) of the
Financial Code).
   (3) A covered entity governed by the medical privacy and security
rules issued by the federal Department of Health and Human Services,
Parts 160 and 164 of Title 45 of the Code of Federal Regulations,
established pursuant to the Health Insurance Portability and
Availability Act of 1996 (HIPAA).
   (4) An entity that obtains information under an agreement pursuant
to Article 3 (commencing with Section 1800) of Chapter 1 of Division
2 of the Vehicle Code and is subject to the confidentiality
requirements of the Vehicle Code.
   (5) A business that is regulated by state or federal law providing
greater protection to personal information than that provided by
this section in regard to the subjects addressed by this section.
Compliance with that state or federal law shall be deemed compliance
with this section with regard to those subjects. This paragraph does
not relieve a business from a duty to comply with any other
requirements of other state and federal law regarding the protection
and privacy of personal information.
   (f) For purposes of this section, "reasonable security procedures
and practices" as they pertain to the storage and transmission of
personal information shall require, at a minimum, the security of
that information to the degree that any reasonably prudent business
would provide. All of the following shall also apply:
   (1) At a minimum, the business shall:
   (A) Identify reasonably foreseeable internal and external risks to
the privacy and security of personal information that could result
in the unauthorized disclosure, misuse, alteration, destruction, or
other compromise of the information.
   (B) Establish, implement, and maintain safeguards reasonably
designed to ensure the security of the personal information,
including, but not limited to, protecting against unauthorized loss,
misuse, alteration, destruction, access to, or use of the
information.
   (C) Regularly assess the sufficiency of any safeguards in place to
control reasonably foreseeable internal and external risks, and
evaluate and adjust those safeguards in light of the assessment.
   (D) Evaluate and adjust any material changes in the operations or
business arrangements of the business, or any other circumstances,
that create a material impact on the privacy or security of personal
information under control of the business.
   (2) The reasonableness of the security procedures and practices
shall be determined in light of all of the following:
   (A) The type of personal information under the business's control.
   (B) The foreseeability of threats to the security of the
information.
   (C) The existence of widely accepted practices in administrative,
technical, and physical safeguards for protecting personal
information.
   (D) The cost of implementing and regularly reviewing the
safeguards.