BILL ANALYSIS



                                                                        AB 83


                                                                      Page  1





          ASSEMBLY THIRD READING


          AB 83 (Gatto)


          As Amended  April 27, 2015


          Majority vote


           ------------------------------------------------------------------- 
          |Committee       |Votes |Ayes                 |Noes                 |
          |----------------+------+---------------------+---------------------|
          |Privacy         |9-1   |Gatto, Baker,        |Wilk                 |
          |                |      |Calderon, Chang,     |                     |
          |                |      |Chau, Cooper,        |                     |
          |                |      |Dababneh, Gordon,    |                     |
          |                |      |Low                  |                     |
           ------------------------------------------------------------------- 


          SUMMARY:  Requires businesses that own or maintain personal  
          information to secure that data to the extent that any "reasonably  
          prudent business" would provide, adds "geophysical location  
          information" to the definition of personal information, and  
          specifies certain requirements and considerations that must be  
          part of any set of reasonable security procedures and practices.   
          Specifically, this bill:  


          1)Defines, for purposes of the existing requirement that  
            businesses implement and maintain reasonable security procedures  
            and practices to protect personal information, "reasonable  
            security procedures and practices" as they pertain to the  
            storage and transmission of personal information to require, at  
            a minimum, the security of that information to the degree that  
            any reasonably prudent business would provide.

          2)Requires, as part of "reasonable security procedures and  
            practices", a business to do, at a minimum, the following: 


             a)   Identify reasonably foreseeable internal and external  
               risks to the privacy and security of personal information  
               that could result in the unauthorized disclosure, misuse,  
               alteration, destruction, or other compromise of such  
               information;
             b)   Establish, implement, and maintain safeguards reasonably  
               designed to ensure the security of such personal information,  
               including but not limited to, protecting against unauthorized  
               loss, misuse, alteration, destruction, access to, or use of  
               such information;


             c)   Regularly assess the sufficiency of any safeguards in  
               place to control reasonably foreseeable internal and external  
               risks; and,


             d)   Evaluate and adjust such safeguards in response to regular  
               sufficiency assessments, any material changes in the  
               operations or business arrangements of the business, or any  
               other circumstances that create a material impact on the  
               privacy or security of personal information under control of  
               the business.


          3)Provides that the reasonableness of the security procedures and  
            practices shall be determined in light of:
             a)   The degree of the privacy risk associated with the  
               personal information under the business's control;
             b)   The foreseeability of threats to the security of such  
               information;


             c)   Widely accepted practices in administrative, technical,  
               and physical safeguards for protecting personal information;  
               and,


             d)   The cost of implementing and regularly reviewing such  
               safeguards.


          4)Adds "geophysical location information" to the definition of  
            "personal information" for purposes of existing data security  
            requirements for businesses that own, license or maintain such  
            personal information.  
          5)Defines "geophysical location information" to mean "any  
            personally identifiable information describing or concerning the  
            duration of the transportation service provided to an  
            individual, the location and route of a transportation service  
            provided to an individual, or, if applicable, the monetary  
            exchange associated with a transportation service provided to an  
            individual."


          FISCAL EFFECT:  None.  This bill is keyed non-fiscal by the  
          Legislative Counsel.


          COMMENTS:  


          1)Purpose of this bill.  This bill is intended to clarify the  
            existing standard for the security of personal information held  
            by businesses by explicitly imposing a "reasonably prudent  
            business" standard, and specifying certain practices and  
            procedures that are inherently reasonable.  This bill also adds  
            geophysical location information to the definition of personal  
            information as it applies to existing data security requirements  
            for businesses.  This bill is author-sponsored. 


          2)The "reasonably prudent business" standard.  The core concept of  
            this bill is that "reasonable security procedures and practices"  
            for the maintenance and transmission of personal information are  
            those that a "reasonably prudent business" would apply.  This  
            bill would import this standard and all relevant case law to  
            apply to the data protection efforts of businesses holding the  
            personal information of Californians, as well as specify certain  
            practices and considerations that must be part of any set of  
            "reasonable security practices and procedures."  


          3)Related legislation.  AB 964 (Chau), of the current legislative  
            session, would require data breach notifications made by  
            businesses and public agencies to include the date of discovery  
            of the breach in their notice to the Attorney General.  AB 964  
            is currently pending in the Assembly Appropriations Committee. 




          Analysis Prepared by:
                          Hank Dempsey / P. & C.P. / (916) 319-2200  FN: 0000266