Senate BillNo. 570

3

1798.29.  

(a) Any agency that owns or licenses computerized
4data that includes personal information shall disclose any breach
5of the security of the system following discovery or notification
P2    1of the breach in the security of the data to any resident of California
2whose unencrypted personal information was, or is reasonably
3believed to have been, acquired by an unauthorized person. The
4disclosure shall be made in the most expedient time possible and
5without unreasonable delay, consistent with the legitimate needs
6of law enforcement, as provided in subdivision (c), or any measures
7necessary to determine the scope of the breach and restore the
8reasonable integrity of the data system.

9(b) Any agency that maintains computerized data that includes
10personal information that the agency does not own shall notify the
11owner or licensee of the information of any breach of the security
12of the data immediately following discovery, if the personal
13information was, or is reasonably believed to have been, acquired
14by an unauthorized person.

15(c) The notification required by this section may be delayed if
16a law enforcement agency determines that the notification will
17impede a criminal investigation. The notification required by this
18section shall be made after the law enforcement agency determines
19that it will not compromise the investigation.

20(d) Any agency that is required to issue a security breach
21notification pursuant to this section shall meet all of the following
22requirements:

23(1) The security breach notification shall be written in plain
24begin delete language.end deletebegin insert language and shall include a one page notice titled
25“Notice of Data Breach,” in which the content is presented under
26the following headings: “What Happened,” “What Information
27Was Involved,” “What We Are Doing,” “What You Can Do,” and
28“For More Information.” Additional information may be provided
29as a supplement to the one page notice.end insert

begin insert

30(A) The format of the one page notice shall be designed to call
31attention to the nature and significance of the information it
32contains.

end insertbegin insert

33(B) The title and headings in the one page notice shall be clearly
34and conspicuously displayed.

end insertbegin insert

35(C) The text of the one page notice and any other notice provided
36pursuant to this section shall be no smaller than 10-point type.

end insert

37(2) The security breach notification shall include, at a minimum,
38the following information:

39(A) The name and contact information of the reporting agency
40subject to this section.

P3    1(B) A list of the types of personal information that were or are
2reasonably believed to have been the subject of a breach.

3(C) If the information is possible to determine at the time the
4notice is provided, then any of the following: (i) the date of the
5breach, (ii) the estimated date of the breach, or (iii) the date range
6within which the breach occurred. The notification shall also
7include the date of the notice.

8(D) Whether the notification was delayed as a result of a law
9enforcement investigation, if that information is possible to
10determine at the time the notice is provided.

11(E) A general description of the breach incident, if that
12information is possible to determine at the time the notice is
13provided.

14(F) The toll-free telephone numbers and addresses of the major
15credit reporting agencies, if the breach exposed a social security
16number or a driver’s license or California identification card
17number.

18(3) At the discretion of the agency, the security breach
19notification may also include any of the following:

20(A) Information about what the agency has done to protect
21individuals whose information has been breached.

22(B) Advice on steps that the person whose information has been
23breached may take to protect himself or herself.

24(4) In the case of a breach of the security of the system involving
25personal information defined in paragraph (2) of subdivision (g)
26for an online account, and no other personal information defined
27in paragraph (1) of subdivision (g), the agency may comply with
28this section by providing the security breach notification in
29electronic or other form that directs the person whose personal
30information has been breached to promptly change his or her
31password and security question or answer, as applicable, or to take
32other steps appropriate to protect the online account with the
33 agency and all other online accounts for which the person uses the
34same user name or email address and password or security question
35or answer.

36(5) In the case of a breach of the security of the system involving
37personal information defined in paragraph (2) of subdivision (g)
38for login credentials of an email account furnished by the agency,
39the agency shall not comply with this section by providing the
40security breach notification to that email address, but may, instead,
P4    1comply with this section by providing notice by another method
2described in subdivision (i) or by clear and conspicuous notice
3delivered to the resident online when the resident is connected to
4the online account from an Internet Protocol address or online
5location from which the agency knows the resident customarily
6accesses the account.

7(e) Any agency that is required to issue a security breach
8notification pursuant to this section to more than 500 California
9residents as a result of a single breach of the security system shall
10 electronically submit a single sample copy of that security breach
11notification, excluding any personally identifiable information, to
12the Attorney General. A single sample copy of a security breach
13notification shall not be deemed to be within subdivision (f) of
14Section 6254 of the Government Code.

15(f) For purposes of this section, “breach of the security of the
16system” means unauthorized acquisition of computerized data that
17compromises the security, confidentiality, or integrity of personal
18information maintained by the agency. Good faith acquisition of
19personal information by an employee or agent of the agency for
20the purposes of the agency is not a breach of the security of the
21system, provided that the personal information is not used or
22subject to further unauthorized disclosure.

23(g) For purposes of this section, “personal information” means
24either of the following:

25(1) An individual’s first name or first initial and last name in
26combination with any one or more of the following data elements,
27when either the name or the data elements are not encrypted:

28(A) Social security number.

29(B) Driver’s license number or California identification card
30number.

31(C) Account number, credit or debit card number, in
32combination with any required security code, access code, or
33password that would permit access to an individual’s financial
34account.

35(D) Medical information.

36(E) Health insurance information.

37(2) A user name or email address, in combination with a
38password or security question and answer that would permit access
39to an online account.

P5    1(h) (1) For purposes of this section, “personal information”
2does not include publicly available information that is lawfully
3made available to the general public from federal, state, or local
4government records.

5(2) For purposes of this section, “medical information” means
6any information regarding an individual’s medical history, mental
7or physical condition, or medical treatment or diagnosis by a health
8care professional.

9(3) For purposes of this section, “health insurance information”
10means an individual’s health insurance policy number or subscriber
11identification number, any unique identifier used by a health insurer
12to identify the individual, or any information in an individual’s
13 application and claims history, including any appeals records.

14(i) For purposes of this section, “notice” may be provided by
15one of the following methods:

16(1) Written notice.

17(2) Electronic notice, if the notice provided is consistent with
18the provisions regarding electronic records and signatures set forth
19in Section 7001 of Title 15 of the United States Code.

20(3) Substitute notice, if the agency demonstrates that the cost
21of providing notice would exceed two hundred fifty thousand
22dollars ($250,000), or that the affected class of subject persons to
23be notified exceeds 500,000, or the agency does not have sufficient
24contact information. Substitute notice shall consist of all of the
25following:

26(A) Email notice when the agency has an email address for the
27subject persons.

28(B) Conspicuousbegin delete postingend deletebegin insert posting, for a minimum of 30 days,end insert of
29the notice on the agency’s Internet Web site page, if the agency
30maintains one.begin insert For purposes of this subparagraph, conspicuous
31posting on the agency’s Internet Web site means providing a link
32to the notice on the home page that is in larger type than the
33surrounding text, or in contrasting type, font, or color to the
34surrounding text of the same size, or set off from the surrounding
35text of the same size by symbols or other marks that call attention
36to the link.end insert

37(C) Notification to major statewide media and the Office of
38Information Security within the Department of Technology.

39(j) Notwithstanding subdivision (i), an agency that maintains
40its own notification procedures as part of an information security
P6    1policy for the treatment of personal information and is otherwise
2consistent with the timing requirements of this part shall be deemed
3to be in compliance with the notification requirements of this
4section if it notifies subject persons in accordance with its policies
5in the event of a breach of security of the system.

6(k) Notwithstanding the exception specified in paragraph (4) of
7subdivision (b) of Section 1798.3, for purposes of this section,
8“agency” includes a local agency, as defined in subdivision (a) of
9Section 6252 of the Government Code.

12

1798.82.  

(a) A person or business that conducts business in
13California, and that owns or licenses computerized data that
14includes personal information, shall disclose a breach of the
15security of the system following discovery or notification of the
16breach in the security of the data to a resident of California whose
17unencrypted personal information was, or is reasonably believed
18to have been, acquired by an unauthorized person. The disclosure
19shall be made in the most expedient time possible and without
20unreasonable delay, consistent with the legitimate needs of law
21enforcement, as provided in subdivision (c), or any measures
22necessary to determine the scope of the breach and restore the
23reasonable integrity of the data system.

24(b) A person or business that maintains computerized data that
25includes personal information that the person or business does not
26own shall notify the owner or licensee of the information of the
27breach of the security of the data immediately following discovery,
28if the personal information was, or is reasonably believed to have
29been, acquired by an unauthorized person.

30(c) The notification required by this section may be delayed if
31a law enforcement agency determines that the notification will
32impede a criminal investigation. The notification required by this
33section shall be made promptly after the law enforcement agency
34determines that it will not compromise the investigation.

35(d) A person or business that is required to issue a security
36breach notification pursuant to this section shall meet all of the
37following requirements:

38(1) The security breach notification shall be written in plain
39begin delete language.end deletebegin insert language and shall include a one page notice titled
40“Notice of Data Breach,” in which the content is presented under
P7    1the following headings: “What Happened,” “What Information
2Was Involved,” “What We Are Doing,” “What You Can Do,” and
3“For More Information.” Additional information may be provided
4as a supplement to the one page notice.end insert

begin insert

5(A) The format of the one page notice shall be designed to call
6 attention to the nature and significance of the information it
7contains.

end insertbegin insert

8(B) The title and headings in the one page notice shall be clearly
9and conspicuously displayed.

end insertbegin insert

10(C) The text of the one page notice and any other notice provided
11pursuant to this section shall be no smaller than 10-point type.

end insert

12(2) The security breach notification shall include, at a minimum,
13the following information:

14(A) The name and contact information of the reporting person
15or business subject to this section.

16(B) A list of the types of personal information that were or are
17reasonably believed to have been the subject of a breach.

18(C) If the information is possible to determine at the time the
19notice is provided, then any of the following: (i) the date of the
20breach, (ii) the estimated date of the breach, or (iii) the date range
21within which the breach occurred. The notification shall also
22include the date of the notice.

23(D) Whether notification was delayed as a result of a law
24enforcement investigation, if that information is possible to
25determine at the time the notice is provided.

26(E) A general description of the breach incident, if that
27information is possible to determine at the time the notice is
28provided.

29(F) The toll-free telephone numbers and addresses of the major
30credit reporting agencies if the breach exposed a social security
31number or a driver’s license or California identification card
32number.

33(G) If the person or business providing the notification was the
34source of the breach, an offer to provide appropriate identity theft
35prevention and mitigationbegin delete services, if any,end deletebegin insert servicesend insert shall be
36provided at no cost to the affected person for not less thanbegin delete one
37year,end deletebegin insert 12 monthsend insert along with all information necessary to take
38advantage of the offer to any person whose information was or
39may have been breached if the breach exposed or may have
P8    1exposed personal information defined in subparagraphs (A) and
2(B) of paragraph (1) of subdivision (h).

3(3) At the discretion of the person or business, the security
4breach notification may also include any of the following:

5(A) Information about what the person or business has done to
6protect individuals whose information has been breached.

7(B) Advice on steps that the person whose information has been
8breached may take to protect himself or herself.

9(4) In the case of a breach of the security of the system involving
10personal information defined in paragraph (2) of subdivision (h)
11for an online account, and no other personal information defined
12in paragraph (1) of subdivision (h), the person or business may
13comply with this section by providing the security breach
14notification in electronic or other form that directs the person whose
15personal information has been breached promptly to change his
16or her password and security question or answer, as applicable, or
17to take other steps appropriate to protect the online account with
18the person or business and all other online accounts for which the
19person whose personal information has been breached uses the
20same user name or email address and password or security question
21or answer.

22(5) In the case of a breach of the security of the system involving
23personal information defined in paragraph (2) of subdivision (h)
24for login credentials of an email account furnished by the person
25or business, the person or business shall not comply with this
26section by providing the security breach notification to that email
27address, but may, instead, comply with this section by providing
28notice by another method described in subdivision (j) or by clear
29and conspicuous notice delivered to the resident online when the
30resident is connected to the online account from an Internet
31Protocol address or online location from which the person or
32business knows the resident customarily accesses the account.

33(e) A covered entity under the federal Health Insurance
34Portability and Accountability Act of 1996 (42 U.S.C. Sec. 1320d
35et seq.) will be deemed to have complied with the notice
36requirements in subdivision (d) if it has complied completely with
37Section 13402(f) of the federal Health Information Technology
38for Economic and Clinical Health Act (Public Law 111-5).
39However, nothing in this subdivision shall be construed to exempt
40a covered entity from any other provision of this section.

P9    1(f) A person or business that is required to issue a security breach
2notification pursuant to this section to more than 500 California
3residents as a result of a single breach of the security system shall
4electronically submit a single sample copy of that security breach
5notification, excluding any personally identifiable information, to
6the Attorney General. A single sample copy of a security breach
7notification shall not be deemed to be within subdivision (f) of
8Section 6254 of the Government Code.

9(g) For purposes of this section, “breach of the security of the
10system” means unauthorized acquisition of computerized data that
11compromises the security, confidentiality, or integrity of personal
12information maintained by the person or business. Good faith
13acquisition of personal information by an employee or agent of
14the person or business for the purposes of the person or business
15is not a breach of the security of the system, provided that the
16personal information is not used or subject to further unauthorized
17disclosure.

18(h) For purposes of this section, “personal information” means
19either of the following:

20(1) An individual’s first name or first initial and last name in
21combination with any one or more of the following data elements,
22when either the name or the data elements are not encrypted:

23(A) Social security number.

24(B) Driver’s license number or California identification card
25number.

26(C) Account number, credit or debit card number, in
27combination with any required security code, access code, or
28password that would permit access to an individual’s financial
29 account.

30(D) Medical information.

31(E) Health insurance information.

32(2) A user name or email address, in combination with a
33password or security question and answer that would permit access
34to an online account.

35(i) (1) For purposes of this section, “personal information” does
36not include publicly available information that is lawfully made
37available to the general public from federal, state, or local
38government records.

39(2) For purposes of this section, “medical information” means
40any information regarding an individual’s medical history, mental
P10   1or physical condition, or medical treatment or diagnosis by a health
2care professional.

3(3) For purposes of this section, “health insurance information”
4means an individual’s health insurance policy number or subscriber
5identification number, any unique identifier used by a health insurer
6to identify the individual, or any information in an individual’s
7application and claims history, including any appeals records.

8(j) For purposes of this section, “notice” may be provided by
9one of the following methods:

10(1) Written notice.

11(2) Electronic notice, if the notice provided is consistent with
12the provisions regarding electronic records and signatures set forth
13in Section 7001 of Title 15 of the United States Code.

14(3) Substitute notice, if the person or business demonstrates that
15 the cost of providing notice would exceed two hundred fifty
16thousand dollars ($250,000), or that the affected class of subject
17persons to be notified exceeds 500,000, or the person or business
18does not have sufficient contact information. Substitute notice
19shall consist of all of the following:

20(A) Email notice when the person or business has an email
21address for the subject persons.

22(B) Conspicuousbegin delete postingend deletebegin insert posting, for a minimum of 30 days,end insert of
23the notice on the Internet Web site page of the person or business,
24if the person or business maintains one.begin insert For purposes of this
25subparagraph, conspicuous posting on the agency’s Internet Web
26site means providing a link to the notice on the home page that is
27in larger type than the surrounding text, or in contrasting type,
28font, or color to the surrounding text of the same size, or set off
29from the surrounding text of the same size by symbols or other
30marks that call attention to the link.end insert

31(C) Notification to major statewide media.

32(k) Notwithstanding subdivision (j), a person or business that
33maintains its own notification procedures as part of an information
34security policy for the treatment of personal information and is
35 otherwise consistent with the timing requirements of this part, shall
36be deemed to be in compliance with the notification requirements
37of this section if the person or business notifies subject persons in
P11   1accordance with its policies in the event of a breach of security of
2the system.