BILL NUMBER: AB 779	AMENDED
	BILL TEXT

	AMENDED IN ASSEMBLY  MAY 14, 2007
	AMENDED IN ASSEMBLY  MAY 1, 2007
	AMENDED IN ASSEMBLY  APRIL 10, 2007

INTRODUCED BY   Assembly Member Jones
   (Coauthors: Assembly Members DeSaulnier and Huffman)
   (Coauthor: Senator Migden)

                        FEBRUARY 22, 2007

   An act to add Section 1724 to, and to repeal and amend Sections
1798.29 and 1798.82 of, the Civil Code, relating to personal
information.



	LEGISLATIVE COUNSEL'S DIGEST


   AB 779, as amended, Jones. Personal information: state agencies
and businesses.
   (1) Existing law imposes specified duties upon certain persons or
businesses that conduct business in California to, among other
things, take reasonable steps to destroy customer records, implement
and maintain reasonable security measures, disclose a breach of
computerized data, and, upon request, provide specified information
to a customer in relation to the disclosure of personal information
to 3rd parties. For a violation of any of the above-described
provisions, existing law allows an injured customer to institute a
civil action to recover damages or for injunctive relief. 
   This bill would subject a retail seller to the above-described
provisions. The bill would also prohibit a retail seller from
retaining personal information for longer than 90 days after the date
of an original transaction or as specified.  
   This bill would prohibit a person, business, or public agency that
sells goods or services to any resident of California and accepts as
payment a credit card, debit card, or other payment device, from
storing, retaining, sending, or failing to limit access to payment
related data, as defined, retaining a primary account number, or
storing sensitive authentication data subsequent to the
authorization, as specified and unless a specified exception applies.

   (2) Existing law requires any state agency, or a person or
business that conducts business in California, that owns or licenses
computerized data that includes personal information, as defined, to
disclose any breach of the security of that data to any resident of
California whose unencrypted personal information was, or is
reasonably believed to have been, acquired by an unauthorized person.

   This bill would require that notification to include, among other
things, a description of the categories of personal information that
was, or may have been, acquired, a toll-free telephone number or
electronic mail address an individual may use to contact the agency
or person or business, and the telephone numbers and addresses of the
major credit reporting agencies, and would require a copy of the
notice to be provided to the Office of Privacy Protection.
The bill would also allow a person or business subject to the
above-described provisions to, if applicable, be reimbursed by
whomever maintains the personal information for all reasonable costs
of providing notice regarding a breach. The bill would also repeal
duplicative provisions of law.
   Vote: majority. Appropriation: no. Fiscal committee: yes.
State-mandated local program: no.


THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:
   
  SECTION 1.  Section 1724 is added to the Civil Code, to read:
   1724.  (a) For purposes of this section, "personal information"
has the same meaning as in subdivision (e) of Section 1798.80.
   (b) Any retail seller that sells goods or services to any resident
of California that collects or maintains personal information for
any purpose shall be subject to the provisions of Title 1.81
(commencing with Section 1798.80) of Part 4.
   (c) A retail seller that sells goods or services to any resident
of California shall not retain personal information for longer than
90 days after the date of the original transaction, or the period of
time during which goods may be returned for a refund or exchange,
whichever is shorter. 
  SECTION 1.  Section 1724 is added to the Civil Code, to read:
   1724.  (a) For purposes of this section, "payment related data"
means any information described in paragraph (3) of subdivision (e)
of Section 1798.82, whether individually or in combination with any
other information described in paragraph (3) of subdivision (e) of
Section 1798.82.
   (b) In addition to being subject to the provisions of Title 1.81
(commencing with Section 1798.80) of Part 4, a person, business, or
public agency that sells goods or services to any resident of
California and accepts as payment a credit card, debit card, or other
payment device shall not do any of the following:
   (1) Store payment related data, except when the person, business,
or public agency has a payment data retention and disposal policy,
which limits the amount of payment related data and the time that
data is retained to the amount and time that is required for
business, legal, or regulatory purposes as documented in the payment
data retention policy, and payment related data is stored only for a
time period and in a manner that is permitted by the policy.
   (2) Store sensitive authentication data subsequent to
authorization, even if that data is encrypted. Sensitive
authentication data includes, but is not limited to, all of the
following:
   (A) The full contents of any data track from a payment card or
other payment device.
   (B) The card verification code or any value used to verify
transactions when the payment device is not present.
   (C) The personal identification number (PIN) or the encrypted PIN
block.
   (3) Store any payment related data that is not needed for business
purposes.
   (4) Store any of the following data elements:
   (A) Payment verification code.
   (B) Payment verification value.
   (C) PIN verification value.
   (5) Retain the primary account number unless retained in a manner
consistent with the other requirements of this subdivision and in a
form that is expected to be indecipherable by unauthorized persons.
   (6) Send payment related data across any network unless the data
is encrypted using strong cryptography and security protocols.
   (7) Fail to limit access to payment related data only to those
individuals whose job requires that access.
   (c) This section shall not apply to any person or business who is
in compliance with Sections 6801 to 6809, inclusive, of Title 15 of
the United States Code and who is subject to compliance oversight by
a state or federal regulatory agency with respect to those sections.

  SEC. 2.  Section 1798.29 of the Civil Code, as added by Section 2
of Chapter 915 of the Statutes of 2002, is repealed.
  SEC. 3.  Section 1798.29 of the Civil Code, as added by Section 2
of Chapter 1054 of the Statutes of 2002, is amended to read:
   1798.29.  (a) (1) Any agency that owns or
licenses computerized data that includes personal information shall
disclose any breach of the security of the system following discovery
or notification of the breach in the security of the data to any
resident of California whose unencrypted personal information was, or
is reasonably believed to have been, acquired by an unauthorized
person. The disclosure shall be made in the most expedient time
possible and without unreasonable delay, consistent with the
legitimate needs of law enforcement, as provided in subdivision (c),
or any measures necessary to determine the scope of the breach and
restore the reasonable integrity of the data system. 
   (2) Notification to California residents pursuant to this
subdivision shall be written in plain language and shall include, at
a minimum, all of the following information if that information is
available at the time the notice is provided:  
   (A) The date of the notice.  
   (B) The name of the agency that maintained the computerized data
at the time of the breach.  
   (C) The date, or estimated date, that the breach occurred, if the
breach is possible to determine.  
   (D) A description of the categories of personal information that
was, or is reasonably believed to have been, acquired by an
unauthorized person.  
   (E) A toll-free telephone number for the agency subject to the
breach of the security of that agency's system or, if the primary
method used by that agency to communicate with the individual is by
electronic means, an electronic mail address that the individual may
use to contact the agency so that the individual may learn what types
of personal information that agency maintained about the individual
was subject to the security breach. If the agency that experienced
the breach does not have a toll-free telephone number, a local
telephone number may be provided to the California resident to
contact the agency.  
   (F) The toll-free telephone numbers and addresses for the major
credit reporting agencies.
   (3) A copy of the notice sent to California residents pursuant to
this section shall be provided to the Office of Privacy Protection.

   (b) (1) Any agency that maintains computerized data that includes
personal information that the agency does not own shall notify the
owner or licensee of the information of any breach of the security of
the data immediately following discovery, if the personal
information was, or is reasonably believed to have been, acquired by
an unauthorized person. 
   (2) A copy of the notice sent pursuant to this section shall be
provided to the Office of Privacy Protection. Notification pursuant
to this section shall be written in plain English and shall include,
at a minimum, all of the following:  
   (A) The date of the notice.  
   (B) The name of the agency that maintained the computerized data
at the time of the breach.  
   (C) The date on which the breach occurred, if it is possible to
determine.
   (D) A description of the categories of personal information that
was, or is reasonably believed to have been, acquired by an
unauthorized person.  
   (E) A toll-free telephone number or, if the primary method used by
the agency to communicate with the individual is by electronic
means, an electronic mail address that the individual may use to
contact the agency, so that the individual may learn what types of
personal information the agency maintained about that individual that
was subject to the security breach.  
   (F) The toll-free telephone numbers and addresses for the major
credit reporting agencies.  
   (2) Notification pursuant to this subdivision shall include, at a
minimum, all of the information described in subparagraphs (B) to
(E), inclusive, of paragraph (2) of subdivision (a), and information
sufficient to identify the person or persons whose encrypted personal
information was, or may have been, acquired by an unauthorized
person. 
   (c) The notification required by this section may be delayed if a
law enforcement agency determines that the notification will impede a
criminal investigation. The notification required by this section
shall be made after the law enforcement agency determines that it
will not compromise the investigation.
   (d) For purposes of this section, "breach of the security of the
system" means unauthorized acquisition of computerized data that
compromises the security, confidentiality, or integrity of personal
information maintained by the agency. Good faith acquisition of
personal information by an employee or agent of the agency for the
purposes of the agency is not a breach of the security of the system,
provided that the personal information is not used or subject to
further unauthorized disclosure.
   (e) For purposes of this section, "personal information" means an
individual's first name or first initial and last name in combination
with any one or more of the following data elements, when either the
name or the data elements are not encrypted:
   (1) Social security number.
   (2) Driver's license number or California identification card
number.
   (3) Account number, credit or debit card number, in combination
with any required security code, access code, or password that would
permit access to an individual's financial account.
   (f) For purposes of this section, "personal information" does not
include publicly available information that is lawfully made
available to the general public from federal, state, or local
government records.
   (g) For purposes of this section, "notice" may be provided by one
of the following methods:
   (1) Written notice.
   (2) Electronic notice, if the notice provided is consistent with
the provisions regarding electronic records and signatures set forth
in Section 7001 of Title 15 of the United States Code.
   (3) Substitute notice, if the agency demonstrates that the cost of
providing notice would exceed two hundred fifty thousand dollars
($250,000), or that the affected class of subject persons to be
notified exceeds 500,000, or the agency does not have sufficient
contact information. Substitute notice shall consist of all of the
following:
   (A) E-mail notice when the agency has an e-mail address for the
subject persons.
   (B) Conspicuous posting of the notice on the agency's Internet Web
site page, if the agency maintains one.
   (C) Notification to major statewide media.
   (h) Notwithstanding subdivision (g), an agency that maintains its
own notification procedures as part of an information security policy
for the treatment of personal information and is otherwise
consistent with the timing requirements of this part shall be deemed
to be in compliance with the notification requirements of this
section if it notifies subject persons in accordance with its
policies in the event of a breach of security of the system. 
   (i) If notice is required to be provided pursuant to this section,
the owner or licensee of the personal information shall be entitled
to reimbursement from the agency that maintains the computerized data
for all reasonable and actual costs of providing notice to consumers
regarding the breach of the security of the system as required by
this section. Reasonable and actual costs shall include, but are not
limited to, the cost of card replacement as a result of the breach of
the security of the system. 
  SEC. 4.  Section 1798.82 of the Civil Code, as added by Section 4
of Chapter 915 of the Statutes of 2002, is repealed.
  SEC. 5.  Section 1798.82 of the Civil Code, as added by Section 4
of Chapter 1054 of the Statutes of 2002, is amended to read:
   1798.82.  (a) (1) Any person or business
that conducts business in California, and that owns or licenses
computerized data that includes personal information, shall disclose
any breach of the security of the system following discovery or
notification of the breach in the security of the data to any
resident of California whose unencrypted personal information was, or
is reasonably believed to have been, acquired by an unauthorized
person. The disclosure shall be made in the most expedient time
possible and without unreasonable delay, consistent with the
legitimate needs of law enforcement, as provided in subdivision (c),
or any measures necessary to determine the scope of the breach and
restore the reasonable integrity of the data system. 
   (2) Notification to California residents pursuant to this
subdivision shall be written in plain language and shall include, at
a minimum, all of the following information if that information is
available at the time the notice is provided:  
   (A) The date of the notice.  
   (B) The name of the person or business that maintained the
computerized data at the time of the breach.  
   (C) The date, or estimated date, that the breach occurred, if the
breach is possible to determine.  
   (D) A description of the categories of personal information that
was, or is reasonably believed to have been, acquired by an
unauthorized person.  
   (E) A toll-free telephone number for the person or business
subject to the breach of the security of the system of that person or
business or, if the primary method used by that person or business
to communicate with the individual is by electronic means, an
electronic mail address that the individual may use to contact the
person or business so that the individual may learn what types of
personal information that person or business maintained about the
individual was subject to the security breach. If the person or
business that experienced the breach does not have a toll-free
telephone number, a local telephone number may be provided to the
California resident to contact the person or business.  
   (F) The toll-free telephone numbers and addresses for the major
credit reporting agencies.  
   (3) A copy of the notice sent to California residents pursuant to
this section shall be provided to the Office of Privacy Protection.

   (b) (1) Any person or business that maintains computerized data
that includes personal information that the person or business does
not own shall notify the owner or licensee of the information of any
breach of the security of the data immediately following discovery,
if the personal information was, or is reasonably believed to have
been, acquired by an unauthorized person. 
   (2) A copy of the notice sent pursuant to this section shall be
provided to the Office of Privacy Protection. Notification pursuant
to this section shall be written in plain English and shall include,
at a minimum, all of the following:  
   (A) The date of the notice.  
   (B) The name of the person or business that maintained the
computerized data at the time of the breach. 
   (C) The date on which the breach occurred, if it is possible to
determine.  
   (D) A description of the categories of personal information that
was, or is reasonably believed to have been, acquired by an
unauthorized person.  
   (E) A toll-free telephone number or, if the primary method used by
the person or business to communicate with the individual is by
electronic means, an electronic mail address that the individual may
use to contact the person or business or their agent, so that the
individual may learn what types of personal information the person or
business maintained about that individual that was subject to the
security breach.  
   (F) The toll-free telephone numbers and addresses for the major
credit reporting agencies.  
   (2) Notification pursuant to this subdivision shall include, at a
minimum, all of the information described in subparagraphs (B) to
(E), inclusive, of paragraph (2) of subdivision (a), and information
sufficient to identify the person or persons whose encrypted personal
information was, or may have been, acquired by an unauthorized
person. 
   (c) The notification required by this section may be delayed if a
law enforcement agency determines that the notification will impede a
criminal investigation. The notification required by this section
shall be made after the law enforcement agency determines that it
will not compromise the investigation.
   (d) For purposes of this section, "breach of the security of the
system" means unauthorized acquisition of computerized data that
compromises the security, confidentiality, or integrity of personal
information maintained by the person or business. Good faith
acquisition of personal information by an employee or agent of the
person or business for the purposes of the person or business is not
a breach of the security of the system, provided that the personal
information is not used or subject to further unauthorized
disclosure.
   (e) For purposes of this section, "personal information" means an
individual's first name or first initial and last name in combination
with one or more of the following data elements, when either the
name or the data elements are not encrypted:
   (1) Social security number.
   (2) Driver's license number or California identification card
number.
   (3) Account number, credit or debit card number, in combination
with any required security code, access code, or password that would
permit access to an individual's financial account.
   (f) For purposes of this section, "personal information" does not
include publicly available information that is lawfully made
available to the general public from federal, state, or local
government records.
   (g) For purposes of this section, "notice" may be provided by one
of the following methods:
   (1) Written notice.
   (2) Electronic notice, if the notice provided is consistent with
the provisions regarding electronic records and signatures set forth
in Section 7001 of Title 15 of the United States Code.
   (3) Substitute notice, if the person or business demonstrates that
the cost of providing notice would exceed two hundred fifty thousand
dollars ($250,000), or that the affected class of subject persons to
be notified exceeds 500,000, or the person or business does not have
sufficient contact information. Substitute notice shall consist of
all of the following:
   (A) E-mail notice when the person or business has an e-mail
address for the subject persons.
   (B) Conspicuous posting of the notice on the Internet Web site
page of the person or business, if the person or business maintains
one.
   (C) Notification to major statewide media.
   (h) Notwithstanding subdivision (g), a person or business that
maintains its own notification procedures as part of an information
security policy for the treatment of personal information and is
otherwise consistent with the timing requirements of this part, shall
be deemed to be in compliance with the notification requirements of
this section if the person or business notifies subject persons in
accordance with its policies in the event of a breach of security of
the system.
   (i) If notice is required to be provided pursuant to this section,
the owner or licensee of the personal information shall be entitled
to reimbursement from the person or business that maintains the
computerized data for all reasonable and actual costs of providing
notice to consumers regarding the breach of the security of the
system as required by this section. Reasonable and actual costs
shall include, but are not limited to, the cost of card replacement
as a result of the breach of the security of the system.