Bill Text: CA AB2677 | 2021-2022 | Regular Session | Introduced

NOTE: There are more recent revisions of this legislation.
Bill Title: Information Practices Act of 1977.

Spectrum: Bipartisan Bill

Status: (Vetoed) 2022-09-19 - Vetoed by Governor. [AB2677 Detail]



CALIFORNIA LEGISLATURE— 2021–2022 REGULAR SESSION

Assembly Bill No. 2677

Introduced by Assembly Member Gabriel

February 18, 2022

An act to amend Sections 1798.3, 1798.16, 1798.17, 1798.19, 1798.20, 1798.24, 1798.24b, 1798.25, 1798.26, 1798.27, 1798.29, 1798.44, 1798.55, 1798.57, and 1798.68 of the Civil Code, relating to information privacy.

LEGISLATIVE COUNSEL'S DIGEST

AB 2677, as introduced, Gabriel. Information Practices Act of 1977.
Existing law, the Information Practices Act of 1977, prescribes a set of requirements, prohibitions, and remedies applicable to agencies, as defined, with regard to their collection, storage, and disclosure of personal information, as defined. Existing law exempts from the provisions of the act counties, cities, any city and county, school districts, municipal corporations, districts, political subdivisions, and other local public agencies, as specified.
This bill would recast those provisions to remove that exemption for local agencies and include, among other things, genetic information, IP address, online browsing history, and location information within the definition of “personal information” for the act’s purposes. The bill would make other technical, nonsubstantive, and conforming changes. Because the bill would expand the duties of local officials, this bill would impose a state-mandated local program.
Existing law requires an agency to establish rules of conduct for persons involved in the design, development, operation, disclosure, or maintenance of records containing personal information and instruct those persons with respect to specified rules relevant to the act.
This bill would require that those rules established by the agency be consistent with applicable provisions of the State Administrative Manual and the State Information Management Manual. The bill would prohibit an agency from using records containing personal information for any purpose or purposes other than the purpose or purposes for which that personal information was collected, except as required by state or federal law.
Existing law prohibits an agency from disclosing any personal information in a manner that would link the information disclosed to the individual to whom it pertains, except under specified circumstances.
This bill would revise the circumstances that may allow the disclosure of personal information in a manner that could link the information disclosed to the individual to whom it pertains, and would make conforming changes.
Existing law makes an intentional violation of any provision of the act, or of any rules or regulations adopted under the act, by an officer or employee of any agency a cause for discipline, including termination of employment.
This bill would also make a negligent violation of the act a cause for discipline.
Existing law provides that the intentional disclosure of medical, psychiatric, or psychological information in violation of the disclosure provisions of the act, that is not otherwise permitted by law, is punishable as a misdemeanor if the wrongful disclosure results in economic loss or personal injury to the individual to whom the information pertains.
This bill would remove the requirement that the wrongful disclosure result in economic loss or personal injury. Because the bill would expand the scope of an existing crime by deleting this condition, the bill would impose a state-mandated local program.
Existing constitutional provisions require that a statute that limits the right of access to the meetings of public bodies or the writings of public officials and agencies be adopted with findings demonstrating the interest protected by the limitation and the need for protecting that interest.
This bill would make legislative findings to that effect.
The California Constitution requires the state to reimburse local agencies and school districts for certain costs mandated by the state. Statutory provisions establish procedures for making that reimbursement.
This bill would provide that with regard to certain mandates no reimbursement is required by this act for a specified reason.
With regard to any other mandates, this bill would provide that, if the Commission on State Mandates determines that the bill contains costs so mandated by the state, reimbursement for those costs shall be made pursuant to the statutory provisions noted above.
Vote: MAJORITY   Appropriation: NO   Fiscal Committee: YES   Local Program: YES

The people of the State of California do enact as follows:

SECTION 1. Section 1798.3 of the Civil Code is amended to read:

1798.3. As used in this chapter:
(a) The term “personal information” means any information that is maintained by an agency that identifies or describes is reasonably capable of identifying or describing an individual, including, but not limited to, his or her the individual’s name, social security number, physical description, home genetic information, address, home telephone number, IP address, online browsing history, location information, education, financial matters, and medical or employment history. It includes statements made by, or attributed to, the individual.
(b) The term “agency” means every state and local office, officer, department, division, bureau, board, commission, or other state agency, except that the term agency shall not include:
(1) The California Legislature.
(2) Any agency established under Article VI of the California Constitution.
(3) The State Compensation Insurance Fund, except as to any records which contain personal information about the employees of the State Compensation Insurance Fund.

(4) A local agency, as defined in subdivision (a) of Section 6252 of the Government Code.

(c) The term “disclose” means to disclose, release, transfer, disseminate, or otherwise communicate all or any part of any record orally, in writing, or by electronic or any other means to any person or entity.
(d) The term “individual” means a natural person.
(e) The term “maintain” includes maintain, acquire, use, or disclose.
(f) The term “person” means any natural person, corporation, partnership, limited liability company, firm, or association.
(g) The term “record” means any file or grouping of personal information about an individual that is maintained by an agency by reference to an identifying particular such as the individual’s name, photograph, finger or voice print, or a number or symbol assigned to the individual. agency.

(h) The term “system of records” means one or more records, which pertain to one or more individuals, which is maintained by any agency, from which information is retrieved by the name of an individual or by some identifying number, symbol or other identifying particular assigned to the individual.
(i) The term “governmental entity,” except as used in Section 1798.26, means any branch of the federal government or of the local government.
(j) (h) The term “commercial purpose” means any purpose which has financial gain as a major objective. It does not include the gathering or dissemination of newsworthy facts by a publisher or broadcaster.
(k) (i) The term “regulatory agency” means the Department of Business Oversight, Department of Financial Protection and Innovation, the Department of Insurance, the Bureau of Real Estate, and agencies of the United States or of any other state responsible for regulating financial institutions.

SEC. 2. Section 1798.3 of the Civil Code, as amended by Section 43 of Chapter 615 of the Statutes of 2021, is amended to read:

1798.3. As used in this chapter:
(a) The term “personal information” means any information that is maintained by an agency that identifies or describes is reasonably capable of identifying or describing an individual, including, but not limited to, the individual’s name, social security number, physical description, home genetic information, address, home telephone number, IP address, online browsing history, location information, education, financial matters, and medical or employment history. It includes statements made by, or attributed to, the individual.
(b) The term “agency” means every state and local office, officer, department, division, bureau, board, commission, or other state agency, except that the term agency shall not include:
(1) The California Legislature.
(2) Any agency established under Article VI of the California Constitution.
(3) The State Compensation Insurance Fund, except as to any records that contain personal information about the employees of the State Compensation Insurance Fund.

(4) A local agency, as defined in Section 7920.510 of the Government Code.

(c) The term “disclose” means to disclose, release, transfer, disseminate, or otherwise communicate all or any part of any record orally, in writing, or by electronic or any other means to any person or entity.
(d) The term “individual” means a natural person.
(e) The term “maintain” includes maintain, acquire, use, or disclose.
(f) The term “person” means any natural person, corporation, partnership, limited liability company, firm, or association.
(g) The term “record” means any file or grouping of personal information about an individual that is maintained by an agency by reference to an identifying particular such as the individual’s name, photograph, finger or voice print, or a number or symbol assigned to the individual. agency.

(h) The term “system of records” means one or more records, which pertain to one or more individuals, which is maintained by any agency, from which information is retrieved by the name of an individual or by some identifying number, symbol, or other identifying particular assigned to the individual.
(i) The term “governmental entity,” except as used in Section 1798.26, means any branch of the federal government or of the local government.
(j) (h) The term “commercial purpose” means any purpose that has financial gain as a major objective. It does not include the gathering or dissemination of newsworthy facts by a publisher or broadcaster.
(k) (i) The term “regulatory agency” means the Department of Business Oversight, Financial Protection and Innovation, the Department of Insurance, the Bureau of Real Estate, and agencies of the United States or of any other state responsible for regulating financial institutions.

SEC. 3. Section 1798.16 of the Civil Code is amended to read:

1798.16. (a) Whenever an agency collects personal information, the agency shall maintain the source or sources of the information, unless the source is the data subject or he or she has received a copy of the source document, including, but not limited to, the name of any source who is an individual acting in his or her their own private or individual capacity. If the source is an agency, governmental entity branch of the federal government, or other organization, such as a corporation or association, this requirement can be met by maintaining the name of the agency, governmental entity, branch of the federal government, or organization, as long as the smallest reasonably identifiable unit of that agency, governmental entity, branch of the federal government, or organization is named.
(b) On or after July 1, 2001, unless otherwise authorized by the Department of Information Technology pursuant to Executive Order D-3-99, whenever an agency electronically collects personal information, as defined by Section 11015.5 of the Government Code, the agency shall retain the source or sources or any intermediate form of the information, if either are created or possessed by the agency, unless the source is the data subject that has requested that the information be discarded or the data subject has received a copy of the source document.
(c) The agency shall maintain the source or sources of the information in a readily accessible form so as to be able to provide it to the data subject when they inspect any record pursuant to Section 1798.34. This section shall not apply if the source or sources are exempt from disclosure under the provisions of this chapter.

SEC. 4. Section 1798.17 of the Civil Code is amended to read:

1798.17. Each agency shall provide on or with any form used to collect personal information from individuals the notice specified in this section. When contact with the individual is of a regularly recurring nature, an initial notice followed by a periodic notice of not more than one-year intervals shall satisfy this requirement. This requirement is also satisfied by notification to individuals of the availability of the notice in annual tax-related pamphlets or booklets provided for them. The notice shall include all of the following:
(a) The name of the agency and the division within the agency that is requesting the information.
(b) The title, business address, and telephone number of the agency official who is responsible for the system of records and who shall, upon request, inform an individual regarding the location of his or her the individual’s records and the categories of any persons who use the information in those records.
(c) The authority, whether granted by statute, regulation, or executive order which authorizes the maintenance of the information.
(d) With respect to each item of information, whether submission of such information is mandatory or voluntary.
(e) The consequences, if any, of not providing all or any part of the requested information.
(f) The principal purpose or purposes within the agency for which the information is to be used.
(g) Any known or foreseeable disclosures which may be made of the information pursuant to subdivision (e) or (f) of Section 1798.24.
(h) The individual’s right of access to records containing personal information which are maintained by the agency.
This section does not apply to any enforcement document issued by an employee of a law enforcement agency in the performance of his or her the employee’s duties wherein the violator is provided an exact copy of the document, or to accident reports whereby the parties of interest may obtain a copy of the report pursuant to Section 20012 of the Vehicle Code.
The notice required by this section does not apply to agency requirements for an individual to provide his or her the individual’s name, identifying number, photograph, address, or similar identifying information, if this information is used only for the purpose of identification and communication with the individual by the agency, except that requirements for an individual’s social security number shall conform with the provisions of the Federal Privacy Act of 1974 (Public Law 93-579).

SEC. 5. Section 1798.19 of the Civil Code is amended to read:

1798.19. Each agency when it provides by contract for the operation or maintenance of records containing personal information to accomplish an agency function, shall cause, consistent with its authority, the requirements of this chapter to be applied to those records. For purposes of Article 10 (commencing with Section 1798.55), any contractor and any employee of the contractor, if the contract is agreed to on or after July 1, 1978, shall be considered to be an employee of an agency. Local government functions mandated by the state are not deemed agency functions within the meaning of this section.

SEC. 6. Section 1798.20 of the Civil Code is amended to read:

1798.20. Each (a) Consistent with applicable provisions of the State Administrative Manual and the State Information Management Manual, each agency shall establish rules of conduct for persons involved in the design, development, operation, disclosure, or maintenance of records containing personal information and instruct each such person with respect to such rules and the requirements of this chapter, including any other rules and procedures adopted pursuant to this chapter and the remedies and penalties for noncompliance.
(b) An agency shall not use records containing personal information for any purpose or purposes other than the purpose or purposes for which that personal information was collected, except as required by federal law, or as authorized or required by state law.

SEC. 7. Section 1798.24 of the Civil Code is amended to read:

1798.24. An agency shall not disclose any personal information in a manner that would could link the information disclosed to the individual to whom it pertains unless the information is disclosed, as follows:
(a) To the individual to whom the information pertains.
(b) With the prior written voluntary consent of the individual to whom the information pertains, but only if that consent has been obtained not more than 30 days before the disclosure, or in the time limit agreed to by the individual in the written consent.
(c) To the duly appointed guardian or conservator of the individual or a person representing the individual if it can be proven with reasonable certainty through the possession of agency forms, documents, or correspondence that this person is the authorized representative of the individual to whom the information pertains.
(d) To those officers, employees, attorneys, agents, or volunteers of the agency that has custody of the information if the disclosure is relevant and necessary in the ordinary course of the performance of their official duties and is related to furthers the purpose for which the information was acquired.
(e) To a person, or to another agency if the transfer is necessary for the transferee agency to perform its constitutional or statutory duties, and the use is compatible with a furthers the purpose for which the information was collected and the use or transfer is in accordance with Section 1798.25. With respect to information transferred from a law enforcement or regulatory agency, or information transferred to another law enforcement or regulatory agency, a use is compatible if the use of the information requested is needed in an investigation of unlawful activity under the jurisdiction of the requesting agency or for licensing, certification, or regulatory purposes by that agency.
(f) To a governmental entity branch of the federal government if required by state or federal law.
(g) Pursuant to the California Public Records Act (Chapter 3.5 (commencing with Section 6250) of Division 7 of Title 1 of the Government Code).
(h) To a person who has provided the agency with advance, adequate written assurance that the information will be used solely for statistical research or reporting purposes, but only if the information to be disclosed is in a form that will not cannot identify any individual. individual, and the written assurance includes a statement that the person will not attempt to reidentify the information.
(i) Pursuant to a determination by the agency that maintains information that compelling circumstances exist that affect the health or safety of an individual, if upon the disclosure notification is transmitted to the individual to whom the information pertains at the individual’s last known address. Disclosure shall not be made if it is in conflict with other state or federal laws.
(j) To the State Archives as a record that has sufficient historical or other value to warrant its continued preservation by the California state government, or for evaluation by the Director of General Services or the director’s designee to determine whether the record has further administrative, legal, or fiscal value.
(k) To any person pursuant to a subpoena, court order, or other compulsory legal process if, before the disclosure, the agency reasonably attempts to notify the individual to whom the record pertains, and if the notification is not prohibited by law.

(l) To any person pursuant to a search warrant.
(m) (l) Pursuant to Article 3 (commencing with Section 1800) of Chapter 1 of Division 2 of the Vehicle Code.
(n) (m) For the sole purpose of verifying and paying government health care service claims made pursuant to Division 9 (commencing with Section 10000) of the Welfare and Institutions Code.
(o) To a law enforcement or regulatory agency when required for an investigation of unlawful activity or for licensing, certification, or regulatory purposes, unless the disclosure is otherwise prohibited by law.
(p) (n) To another person or governmental organization to the extent necessary to obtain information from the person or governmental organization for an investigation by the agency of a failure to comply with a specific state law that the agency is responsible for enforcing.

(q) (o) To an adopted person and disclosure is limited to general background information pertaining to the adopted person’s biological parents, if the information does not include or reveal the identity of the biological parents.

(r) (p) To a child or a grandchild of an adopted person and disclosure is limited to medically necessary information pertaining to the adopted person’s biological parents. However, the information, or the process for obtaining the information, shall not include or reveal the identity of the biological parents. The State Department of Social Services shall adopt regulations governing the release of information pursuant to this subdivision. The regulations shall require licensed adoption agencies to provide the same services provided by the department as established by this subdivision.

(s) (q) To a committee of the Legislature or to a Member of the Legislature, or the member’s staff if authorized in writing by the member, if the member has permission to obtain the information from the individual to whom it pertains or if the member provides reasonable assurance that the member is acting on behalf of the individual.

(t) (r) (1) To the University of California, a nonprofit educational institution, an established nonprofit research institution performing health or social services research, the Cradle-to-Career Data System, for purposes consistent with the creation and execution of the Cradle-to-Career Data System Act pursuant to Article 2 (commencing with Section 10860) of Chapter 8.5 of Part 7 of Division 1 of Title 1 of the Education Code, or, in the case of education-related data, another nonprofit entity, conducting scientific research, if the request for information is approved by the Committee for the Protection of Human Subjects (CPHS) for the California Health and Human Services Agency (CHHSA) or an institutional review board, as authorized in paragraphs (5) and (6). The approval shall include a review and determination that all the following criteria have been satisfied:
(A) The researcher has provided a plan sufficient to protect personal information from improper use and disclosures, including sufficient administrative, physical, and technical safeguards to protect personal information from reasonable reasonably anticipated threats to the security or confidentiality of the information.
(B) The researcher has provided a sufficient plan to destroy or return all personal information as soon as it is no longer needed for the research project, unless the researcher has demonstrated an ongoing need for the personal information for the research project and has provided a long-term plan sufficient to protect the confidentiality of that information.
(C) The researcher has provided sufficient written assurances that the personal information will not be reused or disclosed to any other person or entity, or used in any manner, not approved in the research protocol, except as required by law or for authorized oversight of the research project.
(2) The CPHS shall enter into a written agreement with the Office of Cradle-to-Career Data, as defined in Section 10862 of the Education Code, to assist the managing entity of that office in its role as the institutional review board for the Cradle-to-Career Data System.
(3) The CPHS or institutional review board shall, at a minimum, accomplish all of the following as part of its review and approval of the research project for the purpose of protecting personal information held in agency databases:
(A) Determine whether the requested personal information is needed to conduct the research.
(B) Permit access to personal information only if it is needed for the research project.
(C) Permit access only to the minimum necessary personal information needed for the research project.
(D) Require the assignment of unique subject codes that are not derived from personal information in lieu of social security numbers if the research can still be conducted without social security numbers.
(E) If feasible, and if cost, time, and technical expertise permit, require the agency to conduct a portion of the data processing for the researcher to minimize the release of personal information.
(4) Reasonable costs to the agency associated with the agency’s process of protecting personal information under the conditions of CPHS approval may be billed to the researcher, including, but not limited to, the agency’s costs for conducting a portion of the data processing for the researcher, removing personal information, encrypting or otherwise securing personal information, or assigning subject codes.
(5) The CPHS may enter into written agreements to enable other institutional review boards to provide the data security approvals required by this subdivision, if the data security requirements set forth in this subdivision are satisfied.
(6) Pursuant to paragraph (5), the CPHS shall enter into a written agreement with the institutional review board established pursuant to former Section 49079.6 of the Education Code. The agreement shall authorize, commencing July 1, 2010, or the date upon which the written agreement is executed, whichever is later, that board to provide the data security approvals required by this subdivision, if the data security requirements set forth in this subdivision and the act specified in subdivision (a) of Section 49079.5 of the Education Code are satisfied.

(u) (s) To an insurer if authorized by Chapter 5 (commencing with Section 10900) of Division 4 of the Vehicle Code.

(v) (t) Pursuant to Section 450, 452, 8009, or 18396 of the Financial Code.

(w) (u) For the sole purpose of participation in interstate data sharing of prescription drug monitoring program information pursuant to the California Uniform Controlled Substances Act (Division 10 (commencing with Section 11000) of the Health and Safety Code), if disclosure is limited to prescription drug monitoring program information.
This article does not require the disclosure of personal information to the individual to whom the information pertains if that information may otherwise be withheld as set forth in Section 1798.40.
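Subdivisions (h) and (r)(3)(D) of Section 1798.24 both turn on whether a released dataset can be linked back to an individual: (h) requires a form that cannot identify any individual plus a written promise not to reidentify, and (r)(3)(D) requires subject codes that are not derived from personal information. The Python script below is an added example, not part of the bill or of any agency's code, showing why "derived" matters in practice: a subject code computed as a hash of the social security number can be reversed by hashing every candidate SSN and matching codes, whereas a random code whose only link to the SSN is a crosswalk table the agency keeps cannot be recovered from the released rows. The records, SSNs and function names are constructed for the demonstration.

```python
"""Added example: derived vs. non-derived subject codes under Civ. Code 1798.24.

Not part of AB 2677 or any agency's code. The records and SSNs below are
constructed and fictional (the 000 area number is never issued).
"""
import hashlib
import secrets

# Constructed agency records: an SSN plus one sensitive attribute.
RECORDS = [
    {"ssn": "000-12-0418", "diagnosis": "asthma"},
    {"ssn": "000-12-3456", "diagnosis": "diabetes"},
    {"ssn": "000-12-9901", "diagnosis": "hypertension"},
]


def derived_code(ssn: str) -> str:
    """Subject code DERIVED from personal information: truncated SHA-256 of the SSN.

    Deterministic, so anyone who can enumerate plausible SSNs can recompute it.
    This is the construction paragraph (r)(3)(D) is meant to exclude.
    """
    return hashlib.sha256(ssn.encode("ascii")).hexdigest()[:16]


def release_with_derived_codes(records):
    """Release whose subject column is derived_code(ssn)."""
    return [{"subject": derived_code(r["ssn"]), "diagnosis": r["diagnosis"]}
            for r in records]


def release_with_random_codes(records):
    """Release whose subject column is a random code. The mapping back to the SSN
    lives only in a crosswalk table that stays with the agency.

    Returns (released_rows, crosswalk); the researcher receives released_rows only.
    """
    crosswalk = {}  # code -> ssn, never disclosed
    released = []
    for r in records:
        code = secrets.token_hex(8)          # 64 random bits, independent of the SSN
        while code in crosswalk:             # codes must be unique per subject
            code = secrets.token_hex(8)
        crosswalk[code] = r["ssn"]
        released.append({"subject": code, "diagnosis": r["diagnosis"]})
    return released, crosswalk


def reidentify(released, candidate_ssns):
    """Reidentification attempt a reviewer can run against a proposed release.

    Hash every candidate SSN with the same derivation and look the result up in
    the released subject column. Returns {subject_code: ssn} for every hit.
    """
    lookup = {derived_code(s): s for s in candidate_ssns}
    return {row["subject"]: lookup[row["subject"]]
            for row in released if row["subject"] in lookup}


def candidate_ssns(area: str, group: str):
    """Enumerate one area/group block (10,000 serials). The whole SSN space is
    10**9 values; at millions of SHA-256 per second per core that is minutes."""
    return [f"{area}-{group}-{serial:04d}" for serial in range(10_000)]


if __name__ == "__main__":
    cands = candidate_ssns("000", "12")
    derived = release_with_derived_codes(RECORDS)
    print("derived codes reidentified:", reidentify(derived, cands))
    random_rows, _crosswalk = release_with_random_codes(RECORDS)
    print("random codes reidentified:", reidentify(random_rows, cands))
```

Run as a script, the first line lists every subject in the derived release with its SSN and the second line is empty. The same check applies to any transform the researcher could recompute from a candidate identifier (plain hash, encryption with a shared key, a keyed hash whose key the researcher can obtain): if the code can be recomputed outside the agency, it is derived. A keyed hash whose key never leaves the agency behaves like the crosswalk table above; the protection comes from the secret the agency keeps, not from the hash.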

SEC. 8. Section 1798.24b of the Civil Code is amended to read:

1798.24b. (a) Notwithstanding Section 1798.24, except subdivision (v) (t) thereof, information shall be disclosed to the protection and advocacy agency designated by the Governor in this state pursuant to federal law to protect and advocate for the rights of people with disabilities, as described in Division 4.7 (commencing with Section 4900) of the Welfare and Institutions Code.
(b) Information that shall be disclosed pursuant to this section includes all of the following information:
(1) Name.
(2) Address.
(3) Telephone number.
(4) Any other information necessary to identify that person whose consent is necessary for either of the following purposes:
(A) To enable the protection and advocacy agency to exercise its authority and investigate incidents of abuse or neglect of people with disabilities.
(B) To obtain access to records pursuant to Section 4903 of the Welfare and Institutions Code.

SEC. 9. Section 1798.25 of the Civil Code is amended to read:

1798.25. (a) Each agency shall keep an accurate accounting of the date, nature, and purpose of each disclosure of a record made pursuant to subdivision (i), (k), (l), (o), or (p) (n) of Section 1798.24. This accounting shall also be required for disclosures made pursuant to subdivision (e) or (f) of Section 1798.24 unless notice of the type of disclosure has been provided pursuant to Sections 1798.9 and 1798.10. The accounting shall also include the name, title, and business address of the person or agency to whom the disclosure was made. For the purpose of an accounting of a disclosure made under subdivision (o) of Section 1798.24, it shall be sufficient for a law enforcement or regulatory agency to record the date of disclosure, the law enforcement or regulatory agency requesting the disclosure, and whether the purpose of the disclosure is for an investigation of unlawful activity under the jurisdiction of the requesting agency, or for licensing, certification, or regulatory purposes by that agency.
(b) Routine disclosures of information pertaining to crimes, offenders, and suspected offenders to law enforcement or regulatory agencies of federal, state, and local government shall be deemed to be disclosures pursuant to subdivision (e) of Section 1798.24 for the purpose of meeting this requirement.

SEC. 10. Section 1798.26 of the Civil Code is amended to read:

1798.26. With respect to the sale of information concerning the registration of any vehicle or the sale of information from the files of drivers’ licenses, the Department of Motor Vehicles shall, by regulation, establish administrative procedures under which any person making a request for information shall be required to identify himself or herself themselves and state the reason for making the request. These procedures shall provide for the verification of the name and address of the person making a request for the information and the department may require the person to produce the information as it determines is necessary in order to ensure that the name and address of the person are his or her their true name and address. These procedures may provide for a 10-day delay in the release of the requested information. These procedures shall also provide for notification to the person to whom the information primarily relates, as to what information was provided and to whom it was provided. The department shall, by regulation, establish a reasonable period of time for which a record of all the foregoing shall be maintained.
The procedures required by this subdivision do not apply to any governmental entity, any person who has applied for and has been issued a requester code by the department, or any court of competent jurisdiction.

SEC. 11. Section 1798.27 of the Civil Code is amended to read:

1798.27. Each agency shall retain the accounting made pursuant to Section 1798.25 for at least three years after the disclosure for which the accounting is made, or until the record is destroyed, whichever is shorter. made.
Nothing in this section shall be construed to require retention of the original documents for a three-year period, providing that the agency can otherwise comply with the requirements of this section.

SEC. 12. Section 1798.29 of the Civil Code is amended to read:

1798.29. (a) Any agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California (1) whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person, or, (2) whose encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person and the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person and the agency that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information readable or usable. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
(b) Any agency that maintains computerized data that includes personal information that the agency does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
(c) The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notification required by this section shall be made after the law enforcement agency determines that it will not compromise the investigation.
(d) Any agency that is required to issue a security breach notification pursuant to this section shall meet all of the following requirements:
(1) The security breach notification shall be written in plain language, shall be titled “Notice of Data Breach,” and shall present the information described in paragraph (2) under the following headings: “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information.” Additional information may be provided as a supplement to the notice.
(A) The format of the notice shall be designed to call attention to the nature and significance of the information it contains.
(B) The title and headings in the notice shall be clearly and conspicuously displayed.
(C) The text of the notice and any other notice provided pursuant to this section shall be no smaller than 10-point type.
(D) For a written notice described in paragraph (1) of subdivision (i), use of the model security breach notification form prescribed below or use of the headings described in this paragraph with the information described in paragraph (2), written in plain language, shall be deemed to be in compliance with this subdivision.
[NAME OF INSTITUTION / LOGO]   Date: [insert date]
NOTICE OF DATA BREACH

What Happened?

What Information Was Involved?

What We Are Doing.

What You Can Do.

Other Important Information.
[insert other important information]

For More Information.
Call [telephone number] or go to [internet website]

(E) For an electronic notice described in paragraph (2) of subdivision (i), use of the headings described in this paragraph with the information described in paragraph (2), written in plain language, shall be deemed to be in compliance with this subdivision.
(2) The security breach notification described in paragraph (1) shall include, at a minimum, the following information:
(A) The name and contact information of the reporting agency subject to this section.
(B) A list of the types of personal information that were or are reasonably believed to have been the subject of a breach.
(C) If the information is possible to determine at the time the notice is provided, then any of the following: (i) the date of the breach, (ii) the estimated date of the breach, or (iii) the date range within which the breach occurred. The notification shall also include the date of the notice.
(D) Whether the notification was delayed as a result of a law enforcement investigation, if that information is possible to determine at the time the notice is provided.
(E) A general description of the breach incident, if that information is possible to determine at the time the notice is provided.
(F) The toll-free telephone numbers and addresses of the major credit reporting agencies, if the breach exposed a social security number or a driver’s license or California identification card number.
(3) At the discretion of the agency, the security breach notification may also include any of the following:
(A) Information about what the agency has done to protect individuals whose information has been breached.
(B) Advice on steps that people whose information has been breached may take to protect themselves.
(e) Any agency that is required to issue a security breach notification pursuant to this section to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. A single sample copy of a security breach notification shall not be deemed to be within subdivision (f) of Section 6254 of the Government Code.
(f) For purposes of this section, “breach of the security of the system” means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the agency. Good faith acquisition of personal information by an employee or agent of the agency for the purposes of the agency is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.
(g) For purposes of this section, “personal information” means either of the following:
(1) An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
(A) Social security number.
(B) Driver’s license number, California identification card number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual.
(C) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
(D) Medical information.
(E) Health insurance information.
(F) Unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, used to authenticate a specific individual. Unique biometric data does not include a physical or digital photograph, unless used or stored for facial recognition purposes.
(G) Information or data collected through the use or operation of an automated license plate recognition system, as defined in Section 1798.90.5.
(H) Genetic data.
(2) A username or email address, in combination with a password or security question and answer that would permit access to an online account.
(h) (1) For purposes of this section, “personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
(2) For purposes of this section, “medical information” means any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.
(3) For purposes of this section, “health insurance information” means an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.
(4) For purposes of this section, “encrypted” means rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.
(5) For purposes of this section, “genetic data” means any data, regardless of its format, that results from the analysis of a biological sample of an individual, or from another source enabling equivalent information to be obtained, and concerns genetic material. Genetic material includes, but is not limited to, deoxyribonucleic acids (DNA), ribonucleic acids (RNA), genes, chromosomes, alleles, genomes, alterations or modifications to DNA or RNA, single nucleotide polymorphisms (SNPs), uninterpreted data that results from analysis of the biological sample or other source, and any information extrapolated, derived, or inferred therefrom.
(i) For purposes of this section, “notice” may be provided by one of the following methods:
(1) Written notice.
(2) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code.
(3) Substitute notice, if the agency demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000), or that the affected class of subject persons to be notified exceeds 500,000, or the agency does not have sufficient contact information. Substitute notice shall consist of all of the following:
(A) Email notice when the agency has an email address for the subject persons.
(B) Conspicuous posting, for a minimum of 30 days, of the notice on the agency’s internet website page, if the agency maintains one. For purposes of this subparagraph, conspicuous posting on the agency’s internet website means providing a link to the notice on the home page or first significant page after entering the internet website that is in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the link.
(C) Notification to major statewide media and the Office of Information Security within the Department of Technology.
(4) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (g) for an online account, and no other personal information defined in paragraph (1) of subdivision (g), the agency may comply with this section by providing the security breach notification in electronic or other form that directs the person whose personal information has been breached to promptly change the person’s password and security question or answer, as applicable, or to take other steps appropriate to protect the online account with the agency and all other online accounts for which the person uses the same username or email address and password or security question or answer.
(5) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (g) for login credentials of an email account furnished by the agency, the agency shall not comply with this section by providing the security breach notification to that email address, but may, instead, comply with this section by providing notice by another method described in this subdivision or by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an Internet Protocol address or online location from which the agency knows the resident customarily accesses the account.
(j) Notwithstanding subdivision (i), an agency that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this part shall be deemed to be in compliance with the notification requirements of this section if it notifies subject persons in accordance with its policies in the event of a breach of security of the system.

[stricken: (k) Notwithstanding the exception specified in paragraph (4) of subdivision (b) of Section 1798.3, for purposes of this section, “agency” includes a local agency, as defined in subdivision (a) of Section 6252 of the Government Code.]

(k) [stricken: (l)] For purposes of this section, “encryption key” and “security credential” mean the confidential key or process designed to render the data usable, readable, and decipherable.

SEC. 13.

 Section 1798.44 of the Civil Code is amended to read:

1798.44.
 This article applies to the rights of an individual to whom personal information pertains and not to the authority or right of any other person, agency, other state governmental entity, agency of another state, or governmental entity branch of the federal government to obtain this information.

SEC. 14.

 Section 1798.55 of the Civil Code is amended to read:

1798.55.
 The intentional or negligent violation of any provision of this chapter or of any rules or regulations adopted thereunder, by an officer or employee of any agency shall constitute a cause for discipline, including termination of employment.

SEC. 15.

 Section 1798.57 of the Civil Code is amended to read:

1798.57.
Except for disclosures which are otherwise required or permitted by law, the intentional disclosure of medical, psychiatric, or psychological information in violation of the disclosure provisions of this chapter is punishable as a misdemeanor. [stricken: misdemeanor if the wrongful disclosure results in economic loss or personal injury to the individual to whom the information pertains.]

SEC. 16.

 Section 1798.68 of the Civil Code is amended to read:

1798.68.
(a) Information which is permitted to be disclosed under the provisions of subdivision (e) or (f) [stricken: (e), (f), or (o),] of Section 1798.24 shall be provided when requested by a district attorney.
A district attorney may petition a court of competent jurisdiction to require disclosure of information when an agency fails or refuses to provide the requested information within 10 working days of a request. The court may require the agency to permit inspection unless the public interest or good cause in withholding such records clearly outweighs the public interest in disclosure.
(b) Disclosure of information to a district attorney under the provisions of this chapter shall effect no change in the status of the records under any other provision of law.

SEC. 17.

The Legislature finds and declares that Sections 1, 2, and 7 of this act, which amend Sections 1798.3 and 1798.24 of the Civil Code, impose a limitation on the public’s right of access to the meetings of public bodies or the writings of public officials and agencies within the meaning of Section 3 of Article I of the California Constitution. Pursuant to that constitutional provision, the Legislature makes the following findings to demonstrate the interest protected by this limitation and the need for protecting that interest:
By modernizing provisions of the Information Practices Act of 1977 to address the effects of advances in information technology on the scope and sensitivity of personal information collected, maintained, and disseminated by state agencies, this act balances the right to access information concerning the conduct of the people’s business with the individual right to privacy.

SEC. 18.

 No reimbursement is required by this act pursuant to Section 6 of Article XIII B of the California Constitution for certain costs that may be incurred by a local agency or school district because, in that regard, this act creates a new crime or infraction, eliminates a crime or infraction, or changes the penalty for a crime or infraction, within the meaning of Section 17556 of the Government Code, or changes the definition of a crime within the meaning of Section 6 of Article XIII B of the California Constitution.
However, if the Commission on State Mandates determines that this act contains other costs mandated by the state, reimbursement to local agencies and school districts for those costs shall be made pursuant to Part 7 (commencing with Section 17500) of Division 4 of Title 2 of the Government Code.