California Legislature—2015–16 Regular Session

Assembly Bill No. 259


Introduced by Assembly Member Dababneh

February 9, 2015


An act to amend Section 1798.29 of the Civil Code, relating to personal information privacy.

LEGISLATIVE COUNSEL’S DIGEST

AB 259, as introduced, Dababneh. Personal information: privacy.

Existing law requires an agency that owns or licenses computerized data that includes personal information, as defined, to provide notification of any breach in the security of that data to any California resident whose personal information may have been compromised by the breach, as specified. Existing law requires the notification to be written in plain language and contain specified information, including, but not limited to, the agency’s contact information and a list of the types of personal information that were or are reasonably believed to have been the subject of the breach.

This bill would additionally require an agency, if the agency was the source of the breach and the breach compromised a person’s social security number, driver’s license number, or California identification card number, to offer to provide the person with identity theft prevention and mitigation services at no cost for not less than 12 months, as specified.

Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: no.

The people of the State of California do enact as follows:

SECTION 1. Section 1798.29 of the Civil Code is amended to read:

1798.29. (a) [begin delete]Any[end delete] [begin insert]An[end insert] agency that owns or licenses computerized data that includes personal information shall disclose [begin delete]any[end delete] [begin insert]a[end insert] breach of the security of the system following discovery or notification of the breach in the security of the data to [begin delete]any[end delete] [begin insert]a[end insert] resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

(b) [begin delete]Any[end delete] [begin insert]An[end insert] agency that maintains computerized data that includes personal information that the agency does not own shall notify the owner or licensee of the information of [begin delete]any[end delete] [begin insert]the[end insert] breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

(c) The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notification required by this section shall be made [begin insert]promptly[end insert] after the law enforcement agency determines that it will not compromise the investigation.

(d) [begin delete]Any[end delete] [begin insert]An[end insert] agency that is required to issue a security breach notification pursuant to this section shall meet all of the following requirements:

(1) The security breach notification shall be written in plain language.

(2) The security breach notification shall include, at a minimum, the following information:

(A) The name and contact information of the reporting agency subject to this section.

(B) A list of the types of personal information that were or are reasonably believed to have been the subject of a breach.

(C) If the information is possible to determine at the time the notice is provided, then any of the following: (i) the date of the breach, (ii) the estimated date of the breach, or (iii) the date range within which the breach occurred. The notification shall also include the date of the notice.

(D) Whether the notification was delayed as a result of a law enforcement investigation, if that information is possible to determine at the time the notice is provided.

(E) A general description of the breach incident, if that information is possible to determine at the time the notice is provided.

(F) The toll-free telephone numbers and addresses of the major credit reporting agencies, if the breach exposed a social security number or a driver’s license or California identification card number.

begin insert

(G) If the agency providing the notification was the source of the breach, an offer to provide appropriate identity theft prevention and mitigation services, if any, shall be provided at no cost to the affected person for not less than 12 months, along with all information necessary to take advantage of the offer to any person whose information was or may have been breached if the breach exposed or may have exposed personal information defined in subparagraphs (A) and (B) of paragraph (1) of subdivision (g).

end insert

(3) At the discretion of the agency, the security breach notification may also include any of the following:

(A) Information about what the agency has done to protect individuals whose information has been breached.

(B) Advice on steps that the person whose information has been breached may take to protect himself or herself.

(4) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (g) for an online account, and no other personal information defined in paragraph (1) of subdivision (g), the agency may comply with this section by providing the security breach notification in electronic or other form that directs the person whose personal information has been breached to promptly change his or her password and security question or answer, as applicable, or to take other steps appropriate to protect the online account with the agency and all other online accounts for which the person uses the same user name or email address and password or security question or answer.

(5) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (g) for login credentials of an email account furnished by the agency, the agency shall not comply with this section by providing the security breach notification to that email address, but may, instead, comply with this section by providing notice by another method described in subdivision (i) or by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an Internet Protocol address or online location from which the agency knows the resident customarily accesses the account.

(e) [begin delete]Any[end delete] [begin insert]An[end insert] agency that is required to issue a security breach notification pursuant to this section to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. A single sample copy of a security breach notification shall not be deemed to be within subdivision (f) of Section 6254 of the Government Code.

(f) For purposes of this section, “breach of the security of the system” means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the agency. Good faith acquisition of personal information by an employee or agent of the agency for the purposes of the agency is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.

(g) For purposes of this section, “personal information” means either of the following:

(1) An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

(A) Social security number.

(B) Driver’s license number or California identification card number.

(C) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

(D) Medical information.

(E) Health insurance information.

(2) A user name or email address, in combination with a password or security question and answer that would permit access to an online account.

(h) (1) For purposes of this section, “personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

(2) For purposes of this section, “medical information” means any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.

(3) For purposes of this section, “health insurance information” means an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.

(i) For purposes of this section, “notice” may be provided by one of the following methods:

(1) Written notice.

(2) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code.

(3) Substitute notice, if the agency demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000), or that the affected class of subject persons to be notified exceeds 500,000, or the agency does not have sufficient contact information. Substitute notice shall consist of all of the following:

(A) Email notice when the agency has an email address for the subject persons.

(B) Conspicuous posting of the notice on the agency’s Internet Web site page, if the agency maintains one.

(C) Notification to major statewide media and the Office of Information Security within the Department of Technology.

(j) Notwithstanding subdivision (i), an agency that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this part shall be deemed to be in compliance with the notification requirements of this section if it notifies subject persons in accordance with its policies in the event of a breach of security of the system.

(k) Notwithstanding the exception specified in paragraph (4) of subdivision (b) of Section 1798.3, for purposes of this section, “agency” includes a local agency, as defined in subdivision (a) of Section 6252 of the Government Code.
