Bill Text


AB-1859 Customer records.(2017-2018)

Date Published: 01/10/2018 09:00 PM


CALIFORNIA LEGISLATURE— 2017–2018 REGULAR SESSION

Assembly Bill No. 1859


Introduced by Assembly Member Chau

January 10, 2018


An act to amend Section 1798.84 of, and to add Section 1798.81.6 to, the Civil Code, relating to information privacy.


LEGISLATIVE COUNSEL'S DIGEST


AB 1859, as introduced, Chau. Customer records.
Existing law regulating consumer credit reporting agencies provides as its purpose to require, among other things, that these agencies adopt reasonable procedures for meeting the needs of commerce for consumer credit in a manner that is fair and equitable to the consumer with regard to the confidentiality of such information and in a manner that will best protect the interests of the people of the state. Existing law requires a person or business that owns or licenses computerized data that includes personal information to disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person, or, whose encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person and the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person and the agency that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information readable or useable. Existing law requires the disclosure to be made in the most expedient time possible and without unreasonable delay, as specified. Existing law authorizes any customer who is injured by a violation of these provisions to institute a civil action to recover damages.
This bill would require a consumer credit reporting agency that conducts business in California, that owns, licenses, or maintains personal information about a California resident, that knows or reasonably should know, that a computer system it owns, operates, or maintains is subject to a vulnerability that could compromise the security of computerized data that contains personal information, and that also knows or reasonably should know that a software update is available to address that vulnerability, to apply that software update in the most expedient time possible and without unreasonable delay, in keeping with industry best practices, but in any case within 10 days after becoming aware of the vulnerability and the available software update. The bill would authorize a resident of California whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person, as specified, as a result of a breach of the security of the system caused, in whole or in part, by an unaddressed computer system vulnerability to institute a civil action to recover damages, a civil penalty, and reasonable attorney’s fees and costs for that injury. The bill would also authorize specified civil penalties to be recovered for a willful, intentional, or reckless violation of these provisions.
Vote: MAJORITY   Appropriation: NO   Fiscal Committee: NO   Local Program: NO  

The people of the State of California do enact as follows:


SECTION 1.

 Section 1798.81.6 is added to the Civil Code, to read:

1798.81.6.
 (a) A consumer credit reporting agency that conducts business in California, that owns, licenses, or maintains personal information about a California resident, that knows or reasonably should know, that a computer system it owns, operates, or maintains is subject to a vulnerability that could compromise the security of computerized data that contains personal information, as defined in subdivision (h) of Section 1798.82, and that also knows or reasonably should know that a software update is available to address that vulnerability, shall apply that software update in the most expedient time possible and without unreasonable delay, in keeping with industry best practices, but in any case within 10 days after becoming aware of the vulnerability and the available software update.
(b) A resident of California whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person, as described in subdivision (a) of Section 1798.82, as a result of a breach of the security of the system caused, in whole or in part, by an unaddressed computer system vulnerability in violation of subdivision (a) has suffered an injury in fact, and may recover a civil penalty and reasonable attorney’s fees and costs pursuant to Section 1798.84 in addition to any other rights or remedies provided by law.

SEC. 2.

 Section 1798.84 of the Civil Code is amended to read:

1798.84.
 (a) Any waiver of a provision of this title is contrary to public policy and is void and unenforceable.
(b) A customer or a resident, as described in subdivision (b) of Section 1798.81.6, injured by a violation of this title may institute a civil action to recover damages.
(c) In addition, for a willful, intentional, or reckless violation of Section 1798.81.6 or 1798.83, a customer may recover a civil penalty not to exceed three thousand dollars ($3,000) per violation; otherwise, the customer may recover a civil penalty of up to five hundred dollars ($500) per violation for a violation of Section 1798.81.6 or 1798.83.
(d) Unless the violation is willful, intentional, or reckless, a business that is alleged to have not provided all the information required by subdivision (a) of Section 1798.83, to have provided inaccurate information, failed to provide any of the information required by subdivision (a) of Section 1798.83, or failed to provide information in the time period required by subdivision (b) of Section 1798.83, may assert as a complete defense in any action in law or equity that it thereafter provided regarding the information that was alleged to be untimely, all the information, or accurate information, to all customers who were provided incomplete or inaccurate information, respectively, within 90 days of the date the business knew that it had failed to provide the information, timely information, all the information, or the accurate information, respectively.
(e) Any business that violates, proposes to violate, or has violated this title may be enjoined.
(f) (1) A cause of action shall not lie against a business for disposing of abandoned records containing personal information by shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means.
(2) The Legislature finds and declares that when records containing personal information are abandoned by a business, they often end up in the possession of a storage company or commercial landlord. It is the intent of the Legislature in paragraph (1) to create a safe harbor for such a record custodian who properly disposes of the records in accordance with paragraph (1).
(g) A prevailing plaintiff in any action commenced under Section 1798.83 shall also be entitled to recover his or her reasonable attorney’s fees and costs.
(h) The rights and remedies available under this section are cumulative to each other and to any other rights and remedies available under law.