California Legislature—2015–16 Regular Session

Assembly Bill No. 2828


Introduced by Assembly Member Chau

February 19, 2016


An act to amend Sections 1798.29 and 1798.82 of the Civil Code, relating to personal information.

LEGISLATIVE COUNSEL’S DIGEST

AB 2828, as introduced, Chau. Personal information: privacy: breach.

Existing law requires a person or business conducting business in California and any agency, as defined, that owns or licenses computerized data that includes personal information, as defined, to disclose a breach in the security of the data to a resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person in the most expedient time possible and without unreasonable delay, as specified.

This bill would also require a person or business conducting business in California, and any agency, that owns or licenses computerized data that includes personal information to disclose a breach of the security of the data to a resident of California whose encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person if the encryption key or security credential, as defined, has, or is reasonably believed to have been, acquired by an unauthorized person at any time before or after the breach of security of the data.

Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: no.

The people of the State of California do enact as follows:

SECTION 1. Section 1798.29 of the Civil Code is amended to read:

1798.29. (a) Any agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized begin delete person. end delete begin insert person, or, if the encryption key or security credential has, or is reasonably believed to have been, acquired by an unauthorized person at any time before or after the breach of security of the data, to a resident of California whose encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. end insert The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

(b) Any agency that maintains computerized data that includes personal information that the agency does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

(c) The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notification required by this section shall be made after the law enforcement agency determines that it will not compromise the investigation.

(d) Any agency that is required to issue a security breach notification pursuant to this section shall meet all of the following requirements:

(1) The security breach notification shall be written in plain language, shall be titled “Notice of Data Breach,” and shall present the information described in paragraph (2) under the following headings: “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information.” Additional information may be provided as a supplement to the notice.

(A) The format of the notice shall be designed to call attention to the nature and significance of the information it contains.

(B) The title and headings in the notice shall be clearly and conspicuously displayed.

(C) The text of the notice and any other notice provided pursuant to this section shall be no smaller than 10-point type.

(D) For a written notice described in paragraph (1) of subdivision (i), use of the model security breach notification form prescribed below or use of the headings described in this paragraph with the information described in paragraph (2), written in plain language, shall be deemed to be in compliance with this subdivision.


[NAME OF INSTITUTION / LOGO]     Date: [insert date]

NOTICE OF DATA BREACH

What Happened?

What Information Was Involved?

What We Are Doing.

What You Can Do.

Other Important Information.
[insert other important information]

For More Information.
Call [telephone number] or go to [Internet Web site]

(E) For an electronic notice described in paragraph (2) of subdivision (i), use of the headings described in this paragraph with the information described in paragraph (2), written in plain language, shall be deemed to be in compliance with this subdivision.

(2) The security breach notification described in paragraph (1) shall include, at a minimum, the following information:

(A) The name and contact information of the reporting agency subject to this section.

(B) A list of the types of personal information that were or are reasonably believed to have been the subject of a breach.

(C) If the information is possible to determine at the time the notice is provided, then any of the following: (i) the date of the breach, (ii) the estimated date of the breach, or (iii) the date range within which the breach occurred. The notification shall also include the date of the notice.

(D) Whether the notification was delayed as a result of a law enforcement investigation, if that information is possible to determine at the time the notice is provided.

(E) A general description of the breach incident, if that information is possible to determine at the time the notice is provided.

(F) The toll-free telephone numbers and addresses of the major credit reporting agencies, if the breach exposed a social security number or a driver’s license or California identification card number.

(3) At the discretion of the agency, the security breach notification may also include any of the following:

(A) Information about what the agency has done to protect individuals whose information has been breached.

(B) Advice on steps that the person whose information has been breached may take to protect himself or herself.

(e) Any agency that is required to issue a security breach notification pursuant to this section to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. A single sample copy of a security breach notification shall not be deemed to be within subdivision (f) of Section 6254 of the Government Code.

(f) For purposes of this section, “breach of the security of the system” means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the agency. Good faith acquisition of personal information by an employee or agent of the agency for the purposes of the agency is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.

(g) For purposes of this section, “personal information” means either of the following:

(1) An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

(A) Social security number.

(B) Driver’s license number or California identification card number.

(C) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

(D) Medical information.

(E) Health insurance information.

(F) Information or data collected through the use or operation of an automated license plate recognition system, as defined in Section 1798.90.5.

(2) A user name or email address, in combination with a password or security question and answer that would permit access to an online account.

(h) (1) For purposes of this section, “personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

(2) For purposes of this section, “medical information” means any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.

(3) For purposes of this section, “health insurance information” means an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.

(4) For purposes of this section, “encrypted” means rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.

(i) For purposes of this section, “notice” may be provided by one of the following methods:

(1) Written notice.

(2) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code.

(3) Substitute notice, if the agency demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000), or that the affected class of subject persons to be notified exceeds 500,000, or the agency does not have sufficient contact information. Substitute notice shall consist of all of the following:

(A) Email notice when the agency has an email address for the subject persons.

(B) Conspicuous posting, for a minimum of 30 days, of the notice on the agency’s Internet Web site page, if the agency maintains one. For purposes of this subparagraph, conspicuous posting on the agency’s Internet Web site means providing a link to the notice on the home page or first significant page after entering the Internet Web site that is in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the link.

(C) Notification to major statewide media and the Office of Information Security within the Department of Technology.

(4) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (g) for an online account, and no other personal information defined in paragraph (1) of subdivision (g), the agency may comply with this section by providing the security breach notification in electronic or other form that directs the person whose personal information has been breached to promptly change his or her password and security question or answer, as applicable, or to take other steps appropriate to protect the online account with the agency and all other online accounts for which the person uses the same user name or email address and password or security question or answer.

(5) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (g) for login credentials of an email account furnished by the agency, the agency shall not comply with this section by providing the security breach notification to that email address, but may, instead, comply with this section by providing notice by another method described in this subdivision or by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an Internet Protocol address or online location from which the agency knows the resident customarily accesses the account.

(j) Notwithstanding subdivision (i), an agency that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this part shall be deemed to be in compliance with the notification requirements of this section if it notifies subject persons in accordance with its policies in the event of a breach of security of the system.

(k) Notwithstanding the exception specified in paragraph (4) of subdivision (b) of Section 1798.3, for purposes of this section, “agency” includes a local agency, as defined in subdivision (a) of Section 6252 of the Government Code.

begin insert

(l) For purposes of this section, “encryption key” and “security credential” mean any information that could be used by an unauthorized person to access or decrypt encrypted personal information contained in a data system.

end insert

SEC. 2. Section 1798.82 of the Civil Code is amended to read:

1798.82. (a) A person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose a breach of the security of the system following discovery or notification of the breach in the security of the data to a resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized begin delete person. end delete begin insert person, or, if the encryption key or security credential has, or is reasonably believed to have been, acquired by an unauthorized person at any time before or after the breach of security of the data, to a resident of California whose encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. end insert The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

(b) A person or business that maintains computerized data that includes personal information that the person or business does not own shall notify the owner or licensee of the information of the breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

(c) The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notification required by this section shall be made promptly after the law enforcement agency determines that it will not compromise the investigation.

(d) A person or business that is required to issue a security breach notification pursuant to this section shall meet all of the following requirements:

(1) The security breach notification shall be written in plain language, shall be titled “Notice of Data Breach,” and shall present the information described in paragraph (2) under the following headings: “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information.” Additional information may be provided as a supplement to the notice.

(A) The format of the notice shall be designed to call attention to the nature and significance of the information it contains.

(B) The title and headings in the notice shall be clearly and conspicuously displayed.

(C) The text of the notice and any other notice provided pursuant to this section shall be no smaller than 10-point type.

(D) For a written notice described in paragraph (1) of subdivision (j), use of the model security breach notification form prescribed below or use of the headings described in this paragraph with the information described in paragraph (2), written in plain language, shall be deemed to be in compliance with this subdivision.


[NAME OF INSTITUTION / LOGO]     Date: [insert date]

NOTICE OF DATA BREACH

What Happened?

What Information Was Involved?

What We Are Doing.

What You Can Do.

Other Important Information.
[insert other important information]

For More Information.
Call [telephone number] or go to [Internet Web site]

(E) For an electronic notice described in paragraph (2) of subdivision (j), use of the headings described in this paragraph with the information described in paragraph (2), written in plain language, shall be deemed to be in compliance with this subdivision.

(2) The security breach notification described in paragraph (1) shall include, at a minimum, the following information:

(A) The name and contact information of the reporting person or business subject to this section.

(B) A list of the types of personal information that were or are reasonably believed to have been the subject of a breach.

(C) If the information is possible to determine at the time the notice is provided, then any of the following: (i) the date of the breach, (ii) the estimated date of the breach, or (iii) the date range within which the breach occurred. The notification shall also include the date of the notice.

(D) Whether notification was delayed as a result of a law enforcement investigation, if that information is possible to determine at the time the notice is provided.

(E) A general description of the breach incident, if that information is possible to determine at the time the notice is provided.

(F) The toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed a social security number or a driver’s license or California identification card number.

(G) If the person or business providing the notification was the source of the breach, an offer to provide appropriate identity theft prevention and mitigation services, if any, shall be provided at no cost to the affected person for not less than 12 months along with all information necessary to take advantage of the offer to any person whose information was or may have been breached if the breach exposed or may have exposed personal information defined in subparagraphs (A) and (B) of paragraph (1) of subdivision (h).

(3) At the discretion of the person or business, the security breach notification may also include any of the following:

(A) Information about what the person or business has done to protect individuals whose information has been breached.

(B) Advice on steps that the person whose information has been breached may take to protect himself or herself.

(e) A covered entity under the federal Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Sec. 1320d et seq.) will be deemed to have complied with the notice requirements in subdivision (d) if it has complied completely with Section 13402(f) of the federal Health Information Technology for Economic and Clinical Health Act (Public Law 111-5). However, nothing in this subdivision shall be construed to exempt a covered entity from any other provision of this section.

(f) A person or business that is required to issue a security breach notification pursuant to this section to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. A single sample copy of a security breach notification shall not be deemed to be within subdivision (f) of Section 6254 of the Government Code.

(g) For purposes of this section, “breach of the security of the system” means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business. Good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.

(h) For purposes of this section, “personal information” means either of the following:

(1) An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

(A) Social security number.

(B) Driver’s license number or California identification card number.

(C) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

(D) Medical information.

(E) Health insurance information.

(F) Information or data collected through the use or operation of an automated license plate recognition system, as defined in Section 1798.90.5.

(2) A user name or email address, in combination with a password or security question and answer that would permit access to an online account.

(i) (1) For purposes of this section, “personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

(2) For purposes of this section, “medical information” means any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.

(3) For purposes of this section, “health insurance information” means an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.

(4) For purposes of this section, “encrypted” means rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.

(j) For purposes of this section, “notice” may be provided by one of the following methods:

(1) Written notice.

(2) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code.

(3) Substitute notice, if the person or business demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000), or that the affected class of subject persons to be notified exceeds 500,000, or the person or business does not have sufficient contact information. Substitute notice shall consist of all of the following:

(A) Email notice when the person or business has an email address for the subject persons.

(B) Conspicuous posting, for a minimum of 30 days, of the notice on the Internet Web site page of the person or business, if the person or business maintains one. For purposes of this subparagraph, conspicuous posting on the person’s or business’s Internet Web site means providing a link to the notice on the home page or first significant page after entering the Internet Web site that is in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the link.

(C) Notification to major statewide media.

(4) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (h) for an online account, and no other personal information defined in paragraph (1) of subdivision (h), the person or business may comply with this section by providing the security breach notification in electronic or other form that directs the person whose personal information has been breached promptly to change his or her password and security question or answer, as applicable, or to take other steps appropriate to protect the online account with the person or business and all other online accounts for which the person whose personal information has been breached uses the same user name or email address and password or security question or answer.

(5) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (h) for login credentials of an email account furnished by the person or business, the person or business shall not comply with this section by providing the security breach notification to that email address, but may, instead, comply with this section by providing notice by another method described in this subdivision or by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an Internet Protocol address or online location from which the person or business knows the resident customarily accesses the account.

begin insert

(k) For purposes of this section, “encryption key” and “security credential” mean any information that could be used by an unauthorized person to access or decrypt encrypted personal information contained in a data system.

end insert

begin delete (k) end delete begin insert (l) end insert Notwithstanding subdivision (j), a person or business that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this part, shall be deemed to be in compliance with the notification requirements of this section if the person or business notifies subject persons in accordance with its policies in the event of a breach of security of the system.


