BILL NUMBER: SB 1337	INTRODUCED
	BILL TEXT


INTRODUCED BY   Senator Speier

                        JANUARY 5, 2000

   An act to add Division 1.2 (commencing with Section 4050) to the
Financial Code, relating to financial privacy.


	LEGISLATIVE COUNSEL'S DIGEST


   SB 1337, as introduced, Speier.  Financial institutions:
confidential consumer information.
   Existing law provides for regulation of banks, savings
associations, credit unions, and industrial loan companies by the
Department of Financial Institutions and by certain federal agencies,
as specified.
   This bill would enact the Financial Information Privacy Act of
2000, which would require a financial institution to provide
specified notice to, and to obtain the consent of, a customer before
disclosing to or sharing confidential customer information, as
defined, with any 3rd party, subject to certain exceptions.  This
bill would also require a financial institution, prior to using
confidential customer information provided by certain 3rd parties, to
take reasonable steps to ensure that the party providing the
information had previously followed similar notice and consent
procedures.
   This bill would provide various civil and criminal remedies and
penalties for violations of these provisions.  Because of the
inclusion of criminal penalties, this bill would impose a
state-mandated local program by creating a new crime.
   The California Constitution requires the state to reimburse local
agencies and school districts for certain costs mandated by the
state. Statutory provisions establish procedures for making that
reimbursement.
   This bill would provide that no reimbursement is required by this
act for a specified reason.
   Vote:  majority.  Appropriation:  no.  Fiscal committee:  yes.
State-mandated local program:  yes.


THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:


  SECTION 1.  Division 1.2 (commencing with Section 4050) is added to
the Financial Code, to read:

      DIVISION 1.2.  FINANCIAL INFORMATION PRIVACY ACT

   4050.  This division shall be known and may be cited as the
Financial Information Privacy Act of 2000.
   4051.  The Legislature intends for financial institutions to
provide their customers notice and choice about how customers'
personally identifiable sensitive financial information is shared or
sold by their financial institutions.
   4052.  For the purposes of this division:
   (a) "Confidential customer information" means personally
identifiable data, including, but not limited to, names, addresses,
telephone numbers, social security account numbers, driver's license
numbers, account numbers, deposits, withdrawals, interest rates, fees
and other charges, transactions, account balances, maturity dates,
and payouts, with respect to the following:
   (1) Deposit and trust accounts.
   (2) Certificates of deposit.
   (3) Securities holdings.
   (4) Insurance policies.
   (5) Any other account maintained by a customer at a financial
institution.
   (b) "Financial institution" means a commercial bank, trust
company, savings association, industrial loan company, or credit
union doing business in this state.
   4053.  A financial institution shall not disclose to, or share a
customer's confidential customer information with, any third party,
including an affiliate or agent of that financial institution, or a
subsidiary, unless the financial institution has provided written
notice to the customer to whom the confidential customer information
relates and unless the financial institution has obtained a written
or electronic consent acknowledgement from the customer that
authorizes the financial institution to disclose or share the
confidential customer information.
   4054.  (a) A financial institution that proposes to disclose or
share a customer's confidential customer information shall provide a
written notice to the customer that describes (1) the specific types
of information that would be disclosed or shared, (2) the general
circumstances under which the information would be disclosed or
shared, (3) the specific types of persons or businesses that would
receive the information, and (4) the specific proposed types of uses
for the information.
   (b) A financial institution shall provide notices and consent
acknowledgments to customers as separate documents that are easily
identifiable and distinguishable from other documents that otherwise
may be provided to a customer.
   (c) A customer shall have access to his or her confidential
customer information that is proposed to be disclosed or shared in
order to have an opportunity to review that information for accuracy,
and to correct and supplement that information, if inaccurate.
   4055.  A financial institution that obtains confidential customer
information about one of its customers from a third party that is
engaged, directly or indirectly, in activities that are financial in
nature, shall, prior to using that confidential customer information,
take reasonable steps to ensure that the third party providing the
information, or an affiliate or agent of that third party, has
previously followed information privacy procedures that are
substantially similar to the procedures contained in this division.
   4056.  (a) This division shall not apply to information that is
not personally identifiable to a particular person.
   (b) This division shall not prohibit the release of confidential
customer information under any of the following circumstances:
   (1) If the information is essential to processing a specific
financial transaction that a customer has authorized.
   (2) To a governmental or regulatory agency or to a self-regulatory
entity, with jurisdiction over the financial institution for
examination, compliance, or other authorized purposes.
   (3) To a court of competent jurisdiction.
   (4) To a consumer reporting agency, as defined in Section 603 of
the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681a), for
inclusion in a consumer report that may be released to a third party
only for a purpose permissible under Section 604 of that act (15
U.S.C. Sec. 1681b).
   (5) To a state or local agency for purposes of child support
enforcement.
   4057.  (a) Any violation of this division that results in an
economic loss to a customer is punishable as a misdemeanor.
   (b) In addition to any other remedies available at law, any
customer may bring an action against any financial institution that
negligently discloses or shares confidential customer information
concerning him or her in violation of this division, for either or
both of the following:
   (1) Nominal damages of one thousand dollars ($1,000).  In order to
recover under this paragraph, it shall not be necessary that the
plaintiff suffered or was threatened with actual damages.
   (2) The amount of actual damages, if any, sustained by the
customer.
   (c) (1) In addition, any financial institution that negligently
discloses or shares confidential customer information in violation of
this division shall be liable, irrespective of the amount of damages
suffered by the customer as a result of that violation, for an
administrative fine or civil penalty not to exceed two thousand five
hundred dollars ($2,500) per violation.
   (2) (A) Any financial institution that knowingly and willfully
obtains, discloses, or uses confidential customer information in
violation of this division shall be liable for an administrative fine
or civil penalty not to exceed twenty-five thousand dollars
($25,000) per violation.
   (B) Any financial institution that knowingly and willfully
obtains, discloses, or uses confidential customer information in
violation of this division shall be liable upon a first violation,
for an administrative fine or civil penalty not to exceed two
thousand five hundred dollars ($2,500) per violation, or upon a
second violation for an administrative fine or civil penalty not to
exceed ten thousand dollars ($10,000) per violation, or upon a third
or subsequent violation for an administrative fine or civil penalty
not to exceed twenty-five thousand dollars ($25,000) per violation.
   (3) (A) Any financial institution that knowingly or willfully
obtains or uses confidential customer information in violation of
this division for the purpose of financial gain shall be liable for
an administrative fine or civil penalty not to exceed two hundred
fifty thousand dollars ($250,000) per violation and shall be subject
to disgorgement of any proceeds or other consideration obtained as a
result of the violation.
   (B) Any financial institution that knowingly and willfully
obtains, discloses, or uses confidential customer information in
violation of this division for financial gain shall be liable upon a
first violation for an administrative fine or civil penalty not to
exceed five thousand dollars ($5,000) per violation, or upon a second
violation for an administrative fine or civil penalty not to exceed
twenty-five thousand dollars ($25,000) per violation, or upon a third
or subsequent violation for an administrative fine or civil penalty
not to exceed two hundred fifty thousand dollars ($250,000) per
violation and shall be subject to disgorgement of any proceeds or
other consideration obtained as a result of the violation.
   (4) Nothing in this subdivision shall be construed as authorizing
an administrative fine or civil penalty under both paragraphs (2) and
(3) for the same violation.
   4058.  This division shall not be construed in a manner that is
inconsistent with the federal Fair Credit Reporting Act (15 U.S.C.
Sec. 1681 et seq.).
  SEC. 2.  No reimbursement is required by this act pursuant to
Section 6 of Article XIIIB of the California Constitution because the
only costs that may be incurred by a local agency or school district
will be incurred because this act creates a new crime or infraction,
eliminates a crime or infraction, or changes the penalty for a crime
or infraction, within the meaning of Section 17556 of the Government
Code, or changes the definition of a crime within the meaning of
Section 6 of Article XIIIB of the California Constitution.