BILL NUMBER: AB 739 AMENDED
BILL TEXT
AMENDED IN ASSEMBLY APRIL 16, 2015
AMENDED IN ASSEMBLY APRIL 9, 2015
AMENDED IN ASSEMBLY MARCH 26, 2015
INTRODUCED BY Assembly Member Irwin
FEBRUARY 25, 2015
An act to add and repeal Section 43.99.1 to the Civil
Code, relating to civil law.
LEGISLATIVE COUNSEL'S DIGEST
AB 739, as amended, Irwin. Civil law: liability: communication of
cyber security: threat information.
Existing law requires a business that owns, licenses, or maintains
personal information about a California resident to implement and
maintain reasonable security procedures and practices appropriate to
the nature of the information to protect the personal information
from unauthorized access, destruction, use, modification, or
disclosure. Existing law requires a person or business conducting
business in California that owns or licenses computerized data that
includes personal information, as defined, to disclose, as specified,
a breach of the security of the system or data following discovery
or notification of the security breach to any California resident
whose personal information was, or is reasonably believed to have
been, acquired by an unauthorized person, unless the information was
encrypted. Existing law also requires a person or business that
maintains computerized data that includes personal information that
the person or business does not own to notify the owner or licensee
of the information of any breach of the security of the data
immediately following discovery, as specified.
This bill would require the Attorney General to create a
registry of private entities that intend to engage in communication
of cyber security-threat information, as defined. The bill would also
would, until January 1, 2020, provide that
there shall be no civil or criminal liability for, and no cause of
action shall arise against, a registered an
entity based upon its communication of cyber security-threat
information to another private entity, or to a state entity.
law enforcement agency. The immunity from
liability would only apply if the communication is made without the
intent to injure, defraud, or to otherwise endanger any individual or
public or private entity and is made to address a vulnerability in,
or to prevent a threat to the integrity, confidentiality, or
availability of, a system, network, or critical infrastructure
component of a public or private entity, to provide support for cyber
security crime investigation, or to protect individuals
individuals, entities, or the state from harm,
as specified. The bill would also prohibit a private entity that
communicates cyber security-threat information from using that
information to gain an unfair competitive advantage and require that
it it, in good faith, make reasonable
efforts to safeguard communications, comply with any lawful
restriction placed on the communication, and
transfer the cyber security-threat information as expediently as
possible while upholding reasonable protections, and ensure that
appropriate anonymization and minimization of the information
contained in the communication, as specified.
The bill would also require the Attorney General to submit an
annual report to the Legislature regarding the operation of these
provisions that includes an assessment of the impact of these
provisions on the privacy of the personal information of California
residents.
This bill would specify that a communication of cyber
security-threat information made in compliance with this section and
shared with a public agency is confidential and shall not be
disclosed under the California Public Records Act.
Existing constitutional provisions require that a statute that
limits the right of access to the meetings of public bodies or the
writings of public officials and agencies be adopted with findings
demonstrating the interest protected by the limitation and the need
for protecting that interest.
This bill would make legislative findings to that effect.
Vote: majority. Appropriation: no. Fiscal committee: yes.
State-mandated local program: no.
THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:
SECTION 1. Section 43.99.1 is added to the Civil Code, to read:
43.99.1. (a) There shall be no civil or criminal liability for,
and no cause of action shall arise against, a private entity whose
actions comply with subdivision (b), and that has registered
with the Attorney General pursuant to subdivision (c),
(b) based upon its communication of cyber security-threat
information to another private entity, or to a state entity
identified by the Attorney General. law enforcement
agency. The immunity from liability granted by this section
shall only apply if the communication is made without the intent to
injure, defraud, or to otherwise endanger any individual or public or
private entity and is made for one of the following purposes:
(1) To address a vulnerability of a system, network, or critical
infrastructure component of a public or private entity.
(2) To prevent a threat to the integrity, confidentiality, or
availability of a system, network, or critical infrastructure
component of a public or private entity.
(3) To provide support for cyber security crime investigation.
(4) To protect individuals and entities from personal
or economic harm.
(5) To protect the state's economic interests, including, but not
limited to, networks, assets, and personal information.
(b) A private entity that communicates cyber security-threat
information shall not use that information to gain an unfair
competitive advantage and shall shall, in
good faith, do all of the following:
(1) Make reasonable efforts to safeguard communications that can
be used to identify specific persons from unauthorized access or
acquisition.
(2) Comply with any lawful restriction placed on the
communication, including the removal of information that can be used
to identify specific persons.
(3) Transfer the cyber security-threat information as expediently
as possible while upholding reasonable protections.
(c) The Attorney General shall create a registry of private
entities that intend to engage in communication of cyber
security-threat information.
(d) The Attorney General shall submit an annual report to the
Legislature regarding the operation of these provisions that includes
an assessment of the impact of these provisions on the privacy of
the personal information of California residents.
(4) Ensure, at a minimum, appropriate anonymization and
minimization of the information contained in the communication.
(e)
(c) For purposes of this section, "cyber
security-threat information" means information pertaining directly to
one of the following:
(1) A vulnerability of a system, network, or critical
infrastructure component of a public or private entity.
(2) A threat to the integrity, confidentiality, or availability of
a system, network, or critical infrastructure component of a public
or private entity.
(3) Efforts to deny access to, or to cause the degradation,
disruption, or destruction of a system, network, or critical
infrastructure component of a public or private entity.
(4) Efforts to gain unauthorized access to a system, network, or
critical infrastructure component of a public or private entity,
including efforts to gain unauthorized access for the purpose of
exfiltrating information stored on, processed on, or transitioning
through, a system, network, or critical infrastructure component of a
public or private entity.
(f) (1) The requirement for submitting a report imposed under
subdivision (d) is inoperative on January 1, 2020, pursuant to
Section 10231.5 of the Government Code.
(2) A report to be submitted pursuant to subdivision (d) shall be
submitted in compliance with Section 9795 of the Government Code.
(d) A communication of cyber security-threat information made in
compliance with this section and shared with a public agency is
confidential and shall not be disclosed under the California Public
Records Act (Chapter 3.5 (commencing with Section 6250) of Division 7
of Title 1 of the Government Code).
(e) This section shall become inoperative on January 1, 2020, and
as of that date is repealed.
SEC. 2. The Legislature finds and declares that
Section 1 of this act, which adds Section 6254.32 to the Government
Code, imposes a limitation on the public's right of access to the
meetings of public bodies or the writings of public officials and
agencies within the meaning of Section 3 of Article I of the
California Constitution. Pursuant to that constitutional provision,
the Legislature makes the following findings to demonstrate the
interest protected by this limitation and the need for protecting
that interest:
The need to protect information regarding the specific
vulnerabilities of and threats to information technology systems to
preclude use of that information to facilitate attacks on those
systems outweighs the interest in the public disclosure of that
information.