BILL NUMBER: AB 2455	AMENDED
	BILL TEXT

	AMENDED IN ASSEMBLY  MARCH 21, 2012

INTRODUCED BY   Assembly Member Campos

                        FEBRUARY 24, 2012

   An act to  add Section 1798.98 to   amend
Section 1798.29 of  the Civil Code, relating to identity theft.


	LEGISLATIVE COUNSEL'S DIGEST


   AB 2455, as amended, Campos. Identity theft: local agencies.
   Existing law requires any state  office, officer, or 
executive agency that owns or licenses computerized data that
includes personal information to disclose any breach of the security
of the system following discovery or notification of the breach in
the security of the data to any resident of California whose
unencrypted personal information was, or is reasonably believed to
have been, acquired by an unauthorized person.  Existing law
also permits a person to bring an action against a claimant to
establish that the person is a victim of identify theft in connection
with the claimant's claim against that person for money or an
interest in property in connection with a transaction procured
through identity theft. 
   This bill would  require any local agency in possession or
control of personal identifying information that is known, or
reasonably suspected, to have been the target of identity theft, to
notify the person who is the subject of the personal identifying
information that an unauthorized access of that information has
occurred, and that the person may be the victim of identity theft
  expand this disclosure requirement to apply to a
breach of computerized data that is owned or licensed by a local
agency  . The bill would create a state-mandated local program
by imposing new duties on local agencies.
   The California Constitution requires the state to reimburse local
agencies and school districts for certain costs mandated by the
state. Statutory provisions establish procedures for making that
reimbursement.
   This bill would provide that, if the Commission on State Mandates
determines that the bill contains costs mandated by the state,
reimbursement for those costs shall be made pursuant to these
statutory provisions.
   Vote: majority. Appropriation: no. Fiscal committee: yes.
State-mandated local program: yes.


THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:
   
  SECTION 1.    Section 1798.98 is added to the
Civil Code, to read:
   1798.98.  Any local agency, as defined in subdivision (a) of
Section 6252 of the Government Code, in possession or control of
personal identifying information that is known, or reasonably
suspected, to have been the target of identity theft, shall notify
the person who is the subject of the personal identifying information
that an unauthorized access of that information has occurred, and
that the person may be the victim of identity theft. 
   SECTION 1.    Section 1798.29 of the   Civil
Code   is amended to read: 
   1798.29.  (a) Any agency that owns or licenses computerized data
that includes personal information shall disclose any breach of the
security of the system following discovery or notification of the
breach in the security of the data to any resident of California
whose unencrypted personal information was, or is reasonably believed
to have been, acquired by an unauthorized person. The disclosure
shall be made in the most expedient time possible and without
unreasonable delay, consistent with the legitimate needs of law
enforcement, as provided in subdivision (c), or any measures
necessary to determine the scope of the breach and restore the
reasonable integrity of the data system.
   (b) Any agency that maintains computerized data that includes
personal information that the agency does not own shall notify the
owner or licensee of the information of any breach of the security of
the data immediately following discovery, if the personal
information was, or is reasonably believed to have been, acquired by
an unauthorized person.
   (c) The notification required by this section may be delayed if a
law enforcement agency determines that the notification will impede a
criminal investigation. The notification required by this section
shall be made after the law enforcement agency determines that it
will not compromise the investigation.
   (d) Any agency that is required to issue a security breach
notification pursuant to this section shall meet all of the following
requirements:
   (1) The security breach notification shall be written in plain
language.
   (2) The security breach notification shall include, at a minimum,
the following information:
   (A) The name and contact information of the reporting agency
subject to this section.
   (B) A list of the types of personal information that were or are
reasonably believed to have been the subject of a breach.
   (C) If the information is possible to determine at the time the
notice is provided, then any of the following: (i) the date of the
breach, (ii) the estimated date of the breach, or (iii) the date
range within which the breach occurred. The notification shall also
include the date of the notice.
   (D) Whether the notification was delayed as a result of a law
enforcement investigation, if that information is possible to
determine at the time the notice is provided.
   (E) A general description of the breach incident, if that
information is possible to determine at the time the notice is
provided.
   (F) The toll-free telephone numbers and addresses of the major
credit reporting agencies, if the breach exposed a social security
number or a driver's license or California identification card
number.
   (3) At the discretion of the agency, the security breach
notification may also include any of the following:
   (A) Information about what the agency has done to protect
individuals whose information has been breached.
   (B) Advice on steps that the person whose information has been
breached may take to protect himself or herself.
   (e) Any agency that is required to issue a security breach
notification pursuant to this section to more than 500 California
residents as a result of a single breach of the security system shall
electronically submit a single sample copy of that security breach
notification, excluding any personally identifiable information, to
the Attorney General. A single sample copy of a security breach
notification shall not be deemed to be within subdivision (f) of
Section 6254 of the Government Code.
   (f) For purposes of this section, "breach of the security of the
system" means unauthorized acquisition of computerized data that
compromises the security, confidentiality, or integrity of personal
information maintained by the agency. Good faith acquisition of
personal information by an employee or agent of the agency for the
purposes of the agency is not a breach of the security of the system,
provided that the personal information is not used or subject to
further unauthorized disclosure.
   (g) For purposes of this section, "personal information" means an
individual's first name or first initial and last name in combination
with any one or more of the following data elements, when either the
name or the data elements are not encrypted:
   (1) Social security number.
   (2) Driver's license number or California  Identification
Card   identification card  number.
   (3) Account number, credit or debit card number, in combination
with any required security code, access code, or password that would
permit access to an individual's financial account.
   (4) Medical information.
   (5) Health insurance information.
   (h) (1) For purposes of this section, "personal information" does
not include publicly available information that is lawfully made
available to the general public from federal, state, or local
government records.
   (2) For purposes of this section, "medical information" means any
information regarding an individual's medical history, mental or
physical condition, or medical treatment or diagnosis by a health
care professional.
   (3) For purposes of this section, "health insurance information"
means an individual's health insurance policy number or subscriber
identification number, any unique identifier used by a health insurer
to identify the individual, or any information in an individual's
application and claims history, including any appeals records.
   (i) For purposes of this section, "notice" may be provided by one
of the following methods:
   (1) Written notice.
   (2) Electronic notice, if the notice provided is consistent with
the provisions regarding electronic records and signatures set forth
in Section 7001 of Title 15 of the United States Code.
   (3) Substitute notice, if the agency demonstrates that the cost of
providing notice would exceed two hundred fifty thousand dollars
($250,000), or that the affected class of subject persons to be
notified exceeds 500,000, or the agency does not have sufficient
contact information. Substitute notice shall consist of all of the
following:
   (A) E-mail notice when the agency has an e-mail address for the
subject persons.
   (B) Conspicuous posting of the notice on the agency's Internet Web
site page, if the agency maintains one.
   (C) Notification to major statewide media and the Office of
Information Security within the California Technology Agency.
   (j) Notwithstanding subdivision (i), an agency that maintains its
own notification procedures as part of an information security policy
for the treatment of personal information and is otherwise
consistent with the timing requirements of this part shall be deemed
to be in compliance with the notification requirements of this
section if it notifies subject persons in accordance with its
policies in the event of a breach of security of the system. 
   (k) Notwithstanding the exception specified in paragraph (4) of
subdivision (b) of Section 1798.3, for purposes of this section,
"agency" includes a local agency, as defined in subdivision (a) of
Section 6252 of the Government Code. 
  SEC. 2.  If the Commission on State Mandates determines that this
act contains costs mandated by the state, reimbursement to local
agencies and school districts for those costs shall be made pursuant
to Part 7 (commencing with Section 17500) of Division 4 of Title 2 of
the Government Code.