SB 570, as amended, Jackson. Personal information: privacy: breach.
Existing law requires a person or business conducting business in California and any agency, as defined, that owns or licenses computerized data that includes personal information, as defined, to disclose a breach of the security of the system in the most expedient time possible and without unreasonable delay, as specified. Existing law requires a person, business, or agency that is required to issue a security breach notification to meet specific begin delete requirements. end delete begin insert requirements, including that the notification be written in plain language. end insert
This bill would additionally require begin delete that end delete the security breach notification begin delete include a one-page notice containing specified information. end delete begin insert to be titled “Notice of Data Breach,” to present the content under prescribed headings, and, in the case of written notices, to present the information on one page. The bill would prescribe a model security breach notification form. end insert
Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: no.
The people of the State of California do enact as follows:
Section 1798.29 of the Civil Code is amended to read:
(a) Any agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
(b) Any agency that maintains computerized data that includes personal information that the agency does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
(c) The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notification required by this section shall be made after the law enforcement agency determines that it will not compromise the investigation.
(d) Any agency that is required to issue a security breach notification pursuant to this section shall meet all of the following requirements:
(1) The security breach notification shall be written in plain begin delete language and shall include a one page notice end delete begin insert language, shall be end insert titled “Notice of Data Breach,” begin delete in which the content is presented end delete begin insert and shall present the content end insert under the following headings: “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information.” begin insert In the case of written notices, as specified in paragraph (1) of subdivision (i), the information shall be presented on one page. end insert Additional information may be provided as a supplement to the one page notice.
(A) The format of the one page notice shall be designed to call attention to the nature and significance of the information it contains.
(B) The title and headings in the one page notice shall be clearly and conspicuously displayed.
(C) The text of the one page notice and any other notice provided pursuant to this section shall be no smaller than 10-point type.
(D) Use of the model security breach notification form prescribed below shall constitute compliance with this paragraph, although use of the model security breach notification form is not required.
begin insert
[NAME OF INSTITUTION / LOGO]    Date: [insert date]

NOTICE OF DATA BREACH

What Happened?

What Information Was Involved?

What We Are Doing.

What You Can Do.

Other Important Information. [insert other important information]

For More Information. Call [telephone number] or go to [Web site]
end insert
(2) The security breach notification shall include, at a minimum, the following information:
(A) The name and contact information of the reporting agency subject to this section.
(B) A list of the types of personal information that were or are reasonably believed to have been the subject of a breach.
(C) If the information is possible to determine at the time the notice is provided, then any of the following: (i) the date of the breach, (ii) the estimated date of the breach, or (iii) the date range within which the breach occurred. The notification shall also include the date of the notice.
(D) Whether the notification was delayed as a result of a law enforcement investigation, if that information is possible to determine at the time the notice is provided.
(E) A general description of the breach incident, if that information is possible to determine at the time the notice is provided.
(F) The toll-free telephone numbers and addresses of the major credit reporting agencies, if the breach exposed a social security number or a driver’s license or California identification card number.
(3) At the discretion of the agency, the security breach notification may also include any of the following:
(A) Information about what the agency has done to protect individuals whose information has been breached.
(B) Advice on steps that the person whose information has been breached may take to protect himself or herself.
(4) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (g) for an online account, and no other personal information defined in paragraph (1) of subdivision (g), the agency may comply with this section by providing the security breach notification in electronic or other form that directs the person whose personal information has been breached to promptly change his or her password and security question or answer, as applicable, or to take other steps appropriate to protect the online account with the agency and all other online accounts for which the person uses the same user name or email address and password or security question or answer.
(5) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (g) for login credentials of an email account furnished by the agency, the agency shall not comply with this section by providing the security breach notification to that email address, but may, instead, comply with this section by providing notice by another method described in subdivision (i) or by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an Internet Protocol address or online location from which the agency knows the resident customarily accesses the account.
(e) Any agency that is required to issue a security breach notification pursuant to this section to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. A single sample copy of a security breach notification shall not be deemed to be within subdivision (f) of Section 6254 of the Government Code.
(f) For purposes of this section, “breach of the security of the system” means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the agency. Good faith acquisition of personal information by an employee or agent of the agency for the purposes of the agency is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.
(g) For purposes of this section, “personal information” means either of the following:
(1) An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
(A) Social security number.
(B) Driver’s license number or California identification card number.
(C) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
(D) Medical information.
(E) Health insurance information.
(2) A user name or email address, in combination with a password or security question and answer that would permit access to an online account.
(h) (1) For purposes of this section, “personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
(2) For purposes of this section, “medical information” means any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.
(3) For purposes of this section, “health insurance information” means an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.
(i) For purposes of this section, “notice” may be provided by one of the following methods:
(1) Written notice.
(2) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code.
(3) Substitute notice, if the agency demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000), or that the affected class of subject persons to be notified exceeds 500,000, or the agency does not have sufficient contact information. Substitute notice shall consist of all of the following:
(A) Email notice when the agency has an email address for the subject persons.
(B) Conspicuous posting, for a minimum of 30 days, of the notice on the agency’s Internet Web site page, if the agency maintains one. For purposes of this subparagraph, conspicuous posting on the agency’s Internet Web site means providing a link to the notice on the home page that is in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the link.
(C) Notification to major statewide media and the Office of Information Security within the Department of Technology.
(4) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (g) for an online account, and no other personal information defined in paragraph (1) of subdivision (g), the agency may comply with this section by providing the security breach notification in electronic or other form that directs the person whose personal information has been breached to promptly change his or her password and security question or answer, as applicable, or to take other steps appropriate to protect the online account with the agency and all other online accounts for which the person uses the same user name or email address and password or security question or answer.
(5) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (g) for login credentials of an email account furnished by the agency, the agency shall not comply with this section by providing the security breach notification to that email address, but may, instead, comply with this section by providing notice by another method described in this subdivision or by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an Internet Protocol address or online location from which the agency knows the resident customarily accesses the account.
(j) Notwithstanding subdivision (i), an agency that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this part shall be deemed to be in compliance with the notification requirements of this section if it notifies subject persons in accordance with its policies in the event of a breach of security of the system.
(k) Notwithstanding the exception specified in paragraph (4) of subdivision (b) of Section 1798.3, for purposes of this section, “agency” includes a local agency, as defined in subdivision (a) of Section 6252 of the Government Code.
Section 1798.82 of the Civil Code is amended to read:
(a) A person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose a breach of the security of the system following discovery or notification of the breach in the security of the data to a resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
(b) A person or business that maintains computerized data that includes personal information that the person or business does not own shall notify the owner or licensee of the information of the breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
(c) The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notification required by this section shall be made promptly after the law enforcement agency determines that it will not compromise the investigation.
(d) A person or business that is required to issue a security breach notification pursuant to this section shall meet all of the following requirements:
(1) The security breach notification shall be written in plain begin delete language and shall include a one page notice end delete begin insert language, shall be end insert titled “Notice of Data Breach,” begin delete in which the content is presented end delete begin insert and shall present the content end insert under the following headings: “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information.” begin insert In the case of written notices, as specified in paragraph (1) of subdivision (j), the information shall be presented on one page. end insert Additional information may be provided as a supplement to the one page notice.
(A) The format of the one page notice shall be designed to call attention to the nature and significance of the information it contains.
(B) The title and headings in the one page notice shall be clearly and conspicuously displayed.
(C) The text of the one page notice and any other notice provided pursuant to this section shall be no smaller than 10-point type.
(D) Use of the model security breach notification form prescribed below shall constitute compliance with this paragraph, although use of the model security breach notification form is not required.
begin insert
[NAME OF INSTITUTION / LOGO]    Date: [insert date]

NOTICE OF DATA BREACH

What Happened?

What Information Was Involved?

What We Are Doing.

What You Can Do.

Other Important Information. [insert other important information]

For More Information. Call [telephone number] or go to [Web site]
end insert
(2) The security breach notification shall include, at a minimum, the following information:
(A) The name and contact information of the reporting person or business subject to this section.
(B) A list of the types of personal information that were or are reasonably believed to have been the subject of a breach.
(C) If the information is possible to determine at the time the notice is provided, then any of the following: (i) the date of the breach, (ii) the estimated date of the breach, or (iii) the date range within which the breach occurred. The notification shall also include the date of the notice.
(D) Whether notification was delayed as a result of a law enforcement investigation, if that information is possible to determine at the time the notice is provided.
(E) A general description of the breach incident, if that information is possible to determine at the time the notice is provided.
(F) The toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed a social security number or a driver’s license or California identification card number.
(G) If the person or business providing the notification was the source of the breach, an offer to provide appropriate identity theft prevention and mitigation services shall be provided at no cost to the affected person for not less than 12 months along with all information necessary to take advantage of the offer to any person whose information was or may have been breached if the breach exposed or may have exposed personal information defined in subparagraphs (A) and (B) of paragraph (1) of subdivision (h).
(3) At the discretion of the person or business, the security breach notification may also include any of the following:
(A) Information about what the person or business has done to protect individuals whose information has been breached.
(B) Advice on steps that the person whose information has been breached may take to protect himself or herself.
(4) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (h) for an online account, and no other personal information defined in paragraph (1) of subdivision (h), the person or business may comply with this section by providing the security breach notification in electronic or other form that directs the person whose personal information has been breached promptly to change his or her password and security question or answer, as applicable, or to take other steps appropriate to protect the online account with the person or business and all other online accounts for which the person whose personal information has been breached uses the same user name or email address and password or security question or answer.
(5) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (h) for login credentials of an email account furnished by the person or business, the person or business shall not comply with this section by providing the security breach notification to that email address, but may, instead, comply with this section by providing notice by another method described in subdivision (j) or by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an Internet Protocol address or online location from which the person or business knows the resident customarily accesses the account.
(e) A covered entity under the federal Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Sec. 1320d et seq.) will be deemed to have complied with the notice requirements in subdivision (d) if it has complied completely with Section 13402(f) of the federal Health Information Technology for Economic and Clinical Health Act (Public Law 111-5). However, nothing in this subdivision shall be construed to exempt a covered entity from any other provision of this section.
(f) A person or business that is required to issue a security breach notification pursuant to this section to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. A single sample copy of a security breach notification shall not be deemed to be within subdivision (f) of Section 6254 of the Government Code.
(g) For purposes of this section, “breach of the security of the system” means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business. Good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.
(h) For purposes of this section, “personal information” means either of the following:
(1) An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
(A) Social security number.
(B) Driver’s license number or California identification card number.
(C) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
(D) Medical information.
(E) Health insurance information.
(2) A user name or email address, in combination with a password or security question and answer that would permit access to an online account.
(i) (1) For purposes of this section, “personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
(2) For purposes of this section, “medical information” means any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.
(3) For purposes of this section, “health insurance information” means an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.
(j) For purposes of this section, “notice” may be provided by one of the following methods:
(1) Written notice.
(2) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code.
(3) Substitute notice, if the person or business demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000), or that the affected class of subject persons to be notified exceeds 500,000, or the person or business does not have sufficient contact information. Substitute notice shall consist of all of the following:
(A) Email notice when the person or business has an email address for the subject persons.
(B) Conspicuous posting, for a minimum of 30 days, of the notice on the Internet Web site page of the person or business, if the person or business maintains one. For purposes of this subparagraph, conspicuous posting on the agency’s Internet Web site means providing a link to the notice on the home page that is in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the link.
(C) Notification to major statewide media.
begin insert
(4) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (h) for an online account, and no other personal information defined in paragraph (1) of subdivision (h), the person or business may comply with this section by providing the security breach notification in electronic or other form that directs the person whose personal information has been breached promptly to change his or her password and security question or answer, as applicable, or to take other steps appropriate to protect the online account with the person or business and all other online accounts for which the person whose personal information has been breached uses the same user name or email address and password or security question or answer.
(5) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (h) for login credentials of an email account furnished by the person or business, the person or business shall not comply with this section by providing the security breach notification to that email address, but may, instead, comply with this section by providing notice by another method described in this subdivision or by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an Internet Protocol address or online location from which the person or business knows the resident customarily accesses the account.
(k) Notwithstanding subdivision (j), a person or business that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this part, shall be deemed to be in compliance with the notification requirements of this section if the person or business notifies subject persons in accordance with its policies in the event of a breach of security of the system.