Amended IN Assembly May 03, 2018 Amended IN Assembly April 19, 2018 CALIFORNIA LEGISLATURE 20172018 REGULAR SESSION Assembly Bill No. 1859Introduced by Assembly Member ChauJanuary 10, 2018 An act to amend Section 1798.84 of, and to add Section 1798.81.6 to, the Civil Code, relating to information privacy. LEGISLATIVE COUNSEL'S DIGESTAB 1859, as amended, Chau. Customer records.Existing law regulating consumer credit reporting agencies provides as its purpose to require, among other things, that these agencies adopt reasonable procedures for meeting the needs of commerce for consumer credit in a manner that is fair and equitable to the consumer with regard to the confidentiality of such information and in a manner that will best protect the interests of the people of the state. Existing law requires a person or business that owns or licenses computerized data that includes personal information to disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person, or, whose encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person and the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person and the agency that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information readable or useable. Existing law requires the disclosure to be made in the most expedient time possible and without unreasonable delay, as specified. Existing law authorizes any customer who is injured by a violation of these provisions to institute a civil action to recover damages.This bill would require a consumer credit reporting agency that owns, licenses, or maintains personal information about a California resident, or an entity that has a contract with a consumer credit reporting agency and maintains personal information about a California resident on behalf of the consumer credit reporting agency, that knows, or reasonably should know, that a computer system it owns, operates, or maintains is subject to a security vulnerability that could compromise poses a significant risk to the security of computerized data within the system that contains personal information, to take certain measures to protect that data, including implementing software updates, if it knows or reasonably should know that a software update is available to address a the security vulnerability, and employing reasonable mitigation measures to reduce the risk of a breach caused by computer system vulnerability until the software update is complete, as specified. The bill would authorize a resident of California whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person, as specified, as a result of a breach of the security of the system caused, in whole or in part, by an unaddressed computer system a security vulnerability that was not addressed as required, to institute a civil action to recover damages, a civil penalty, civil penalties, and reasonable attorneys fees and costs for that injury. The bill would also authorize specified civil penalties to be recovered for a willful, intentional, or reckless violation of these provisions.Digest Key Vote: MAJORITY Appropriation: NO Fiscal Committee: NO Local Program: NO Bill TextThe people of the State of California do enact as follows:SECTION 1. Section 1798.81.6 is added to the Civil Code, to read:1798.81.6. (a) A consumer credit reporting agency that owns, licenses, or maintains personal information about a California resident, or an entity that has a contract with a consumer credit reporting agency and maintains personal information about a California resident on behalf of the consumer credit reporting agency, that knows, or reasonably should know, that a computer system it owns, operates, or maintains is subject to a security vulnerability that could compromise poses a significant risk to the security of computerized data within the system that contains personal information, as defined in subdivision (h) of Section 1798.82, shall do both all of the following:(1) A If a consumer credit reporting agency that knows or reasonably should know that a software update is available to address a the vulnerability as described in subdivision (a), the agency shall begin to implement that software update in the most expedient time possible and without unreasonable delay, in keeping with industry best practices, but in any case within 3 no later than three business days after becoming aware of the vulnerability and the available software update. The installation software update shall be completed in the most expedient time possible and without unreasonable delay, in keeping with industry best practices, but in any case within no later than 30 days after becoming aware of the vulnerability and the available software update.(2) Until the software update described in paragraph (1) is complete, the consumer credit reporting agency shall, in keeping with industry best practices, employ reasonable mitigation measures to reduce the risk of a breach caused by computer system vulnerability as described in subdivision (a).(3) Notwithstanding whether a software update is available, the consumer credit reporting agency, in keeping with industry best practices, shall do both of the following:(A) Identify, prioritize, and address the highest-risk security vulnerabilities most quickly in order to reduce the likelihood that the vulnerabilities that pose the greatest security risk will be exploited.(B) Test the impact of mitigation measures and software updates on its computer system and how they effect the vulnerability of the system to threats to the security of computerized data.(b) A resident of California whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person, as described in subdivision (a) of Section 1798.82, as a result of a breach of the security of the system caused, in whole or in part, by an unaddressed computer system a security vulnerability in violation of that was not addressed, as required, by subdivision (a) is deemed to have suffered an injury in fact, and, therefore, may recover a civil penalty for each breach of the security of the system, damages, and reasonable attorneys fees and costs pursuant to Section 1798.84 in addition to any other rights or remedies provided by law.(c) As used in this section, significant risk means a vulnerability score, calculated using a standard measurement system used by industry, organization, and government information technology systems that is accepted as a best practice for the industry, to determine that the risk is elevated above the lowest level of risk.SEC. 2. Section 1798.84 of the Civil Code is amended to read:1798.84. (a) Any waiver of a provision of this title is contrary to public policy and is void and unenforceable.(b) A customer or a resident, as described in subdivision (b) of Section 1798.81.6, injured by a violation of this title may institute a civil action to recover damages.(c) In addition, for a willful, intentional, or reckless violation of Section 1798.81.6 or 1798.83, a customer or resident may recover a civil penalty not to exceed three thousand dollars ($3,000) per violation; otherwise, the customer or resident may recover a civil penalty of up to five hundred dollars ($500) per violation for a violation of Section 1798.81.6 or 1798.83.(d) Unless the violation is willful, intentional, or reckless, a business that is alleged to have not provided all the information required by subdivision (a) of Section 1798.83, to have provided inaccurate information, failed to provide any of the information required by subdivision (a) of Section 1798.83, or failed to provide information in the time period required by subdivision (b) of Section 1798.83, may assert as a complete defense in any action in law or equity that it thereafter provided regarding the information that was alleged to be untimely, all the information, or accurate information, to all customers who were provided incomplete or inaccurate information, respectively, within 90 days of the date the business knew that it had failed to provide the information, timely information, all the information, or the accurate information, respectively.(e) Any business that violates, proposes to violate, or has violated this title may be enjoined.(f) (1) A cause of action shall not lie against a business for disposing of abandoned records containing personal information by shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means.(2) The Legislature finds and declares that when records containing personal information are abandoned by a business, they often end up in the possession of a storage company or commercial landlord. It is the intent of the Legislature in paragraph (1) to create a safe harbor for such a record custodian who properly disposes of the records in accordance with paragraph (1).(g) A prevailing plaintiff in any action commenced under Section 1798.81.6 or 1798.83 shall also be entitled to recover his or her reasonable attorneys fees and costs.(h) The rights and remedies available under this section are cumulative to each other and to any other rights and remedies available under law.
Amended IN Assembly May 03, 2018 Amended IN Assembly April 19, 2018 CALIFORNIA LEGISLATURE 20172018 REGULAR SESSION Assembly Bill No. 1859Introduced by Assembly Member ChauJanuary 10, 2018 An act to amend Section 1798.84 of, and to add Section 1798.81.6 to, the Civil Code, relating to information privacy. LEGISLATIVE COUNSEL'S DIGESTAB 1859, as amended, Chau. Customer records.Existing law regulating consumer credit reporting agencies provides as its purpose to require, among other things, that these agencies adopt reasonable procedures for meeting the needs of commerce for consumer credit in a manner that is fair and equitable to the consumer with regard to the confidentiality of such information and in a manner that will best protect the interests of the people of the state. Existing law requires a person or business that owns or licenses computerized data that includes personal information to disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person, or, whose encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person and the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person and the agency that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information readable or useable. Existing law requires the disclosure to be made in the most expedient time possible and without unreasonable delay, as specified. Existing law authorizes any customer who is injured by a violation of these provisions to institute a civil action to recover damages.This bill would require a consumer credit reporting agency that owns, licenses, or maintains personal information about a California resident, or an entity that has a contract with a consumer credit reporting agency and maintains personal information about a California resident on behalf of the consumer credit reporting agency, that knows, or reasonably should know, that a computer system it owns, operates, or maintains is subject to a security vulnerability that could compromise poses a significant risk to the security of computerized data within the system that contains personal information, to take certain measures to protect that data, including implementing software updates, if it knows or reasonably should know that a software update is available to address a the security vulnerability, and employing reasonable mitigation measures to reduce the risk of a breach caused by computer system vulnerability until the software update is complete, as specified. The bill would authorize a resident of California whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person, as specified, as a result of a breach of the security of the system caused, in whole or in part, by an unaddressed computer system a security vulnerability that was not addressed as required, to institute a civil action to recover damages, a civil penalty, civil penalties, and reasonable attorneys fees and costs for that injury. The bill would also authorize specified civil penalties to be recovered for a willful, intentional, or reckless violation of these provisions.Digest Key Vote: MAJORITY Appropriation: NO Fiscal Committee: NO Local Program: NO
Amended IN Assembly May 03, 2018 Amended IN Assembly April 19, 2018
Amended IN Assembly May 03, 2018
Amended IN Assembly April 19, 2018
CALIFORNIA LEGISLATURE 20172018 REGULAR SESSION
Assembly Bill No. 1859
Introduced by Assembly Member ChauJanuary 10, 2018
Introduced by Assembly Member Chau
January 10, 2018
An act to amend Section 1798.84 of, and to add Section 1798.81.6 to, the Civil Code, relating to information privacy.
LEGISLATIVE COUNSEL'S DIGEST
## LEGISLATIVE COUNSEL'S DIGEST
AB 1859, as amended, Chau. Customer records.
Existing law regulating consumer credit reporting agencies provides as its purpose to require, among other things, that these agencies adopt reasonable procedures for meeting the needs of commerce for consumer credit in a manner that is fair and equitable to the consumer with regard to the confidentiality of such information and in a manner that will best protect the interests of the people of the state. Existing law requires a person or business that owns or licenses computerized data that includes personal information to disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person, or, whose encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person and the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person and the agency that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information readable or useable. Existing law requires the disclosure to be made in the most expedient time possible and without unreasonable delay, as specified. Existing law authorizes any customer who is injured by a violation of these provisions to institute a civil action to recover damages.This bill would require a consumer credit reporting agency that owns, licenses, or maintains personal information about a California resident, or an entity that has a contract with a consumer credit reporting agency and maintains personal information about a California resident on behalf of the consumer credit reporting agency, that knows, or reasonably should know, that a computer system it owns, operates, or maintains is subject to a security vulnerability that could compromise poses a significant risk to the security of computerized data within the system that contains personal information, to take certain measures to protect that data, including implementing software updates, if it knows or reasonably should know that a software update is available to address a the security vulnerability, and employing reasonable mitigation measures to reduce the risk of a breach caused by computer system vulnerability until the software update is complete, as specified. The bill would authorize a resident of California whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person, as specified, as a result of a breach of the security of the system caused, in whole or in part, by an unaddressed computer system a security vulnerability that was not addressed as required, to institute a civil action to recover damages, a civil penalty, civil penalties, and reasonable attorneys fees and costs for that injury. The bill would also authorize specified civil penalties to be recovered for a willful, intentional, or reckless violation of these provisions.
Existing law regulating consumer credit reporting agencies provides as its purpose to require, among other things, that these agencies adopt reasonable procedures for meeting the needs of commerce for consumer credit in a manner that is fair and equitable to the consumer with regard to the confidentiality of such information and in a manner that will best protect the interests of the people of the state. Existing law requires a person or business that owns or licenses computerized data that includes personal information to disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person, or, whose encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person and the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person and the agency that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information readable or useable. Existing law requires the disclosure to be made in the most expedient time possible and without unreasonable delay, as specified. Existing law authorizes any customer who is injured by a violation of these provisions to institute a civil action to recover damages.
This bill would require a consumer credit reporting agency that owns, licenses, or maintains personal information about a California resident, or an entity that has a contract with a consumer credit reporting agency and maintains personal information about a California resident on behalf of the consumer credit reporting agency, that knows, or reasonably should know, that a computer system it owns, operates, or maintains is subject to a security vulnerability that could compromise poses a significant risk to the security of computerized data within the system that contains personal information, to take certain measures to protect that data, including implementing software updates, if it knows or reasonably should know that a software update is available to address a the security vulnerability, and employing reasonable mitigation measures to reduce the risk of a breach caused by computer system vulnerability until the software update is complete, as specified. The bill would authorize a resident of California whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person, as specified, as a result of a breach of the security of the system caused, in whole or in part, by an unaddressed computer system a security vulnerability that was not addressed as required, to institute a civil action to recover damages, a civil penalty, civil penalties, and reasonable attorneys fees and costs for that injury. The bill would also authorize specified civil penalties to be recovered for a willful, intentional, or reckless violation of these provisions.
## Digest Key
## Bill Text
The people of the State of California do enact as follows:SECTION 1. Section 1798.81.6 is added to the Civil Code, to read:1798.81.6. (a) A consumer credit reporting agency that owns, licenses, or maintains personal information about a California resident, or an entity that has a contract with a consumer credit reporting agency and maintains personal information about a California resident on behalf of the consumer credit reporting agency, that knows, or reasonably should know, that a computer system it owns, operates, or maintains is subject to a security vulnerability that could compromise poses a significant risk to the security of computerized data within the system that contains personal information, as defined in subdivision (h) of Section 1798.82, shall do both all of the following:(1) A If a consumer credit reporting agency that knows or reasonably should know that a software update is available to address a the vulnerability as described in subdivision (a), the agency shall begin to implement that software update in the most expedient time possible and without unreasonable delay, in keeping with industry best practices, but in any case within 3 no later than three business days after becoming aware of the vulnerability and the available software update. The installation software update shall be completed in the most expedient time possible and without unreasonable delay, in keeping with industry best practices, but in any case within no later than 30 days after becoming aware of the vulnerability and the available software update.(2) Until the software update described in paragraph (1) is complete, the consumer credit reporting agency shall, in keeping with industry best practices, employ reasonable mitigation measures to reduce the risk of a breach caused by computer system vulnerability as described in subdivision (a).(3) Notwithstanding whether a software update is available, the consumer credit reporting agency, in keeping with industry best practices, shall do both of the following:(A) Identify, prioritize, and address the highest-risk security vulnerabilities most quickly in order to reduce the likelihood that the vulnerabilities that pose the greatest security risk will be exploited.(B) Test the impact of mitigation measures and software updates on its computer system and how they effect the vulnerability of the system to threats to the security of computerized data.(b) A resident of California whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person, as described in subdivision (a) of Section 1798.82, as a result of a breach of the security of the system caused, in whole or in part, by an unaddressed computer system a security vulnerability in violation of that was not addressed, as required, by subdivision (a) is deemed to have suffered an injury in fact, and, therefore, may recover a civil penalty for each breach of the security of the system, damages, and reasonable attorneys fees and costs pursuant to Section 1798.84 in addition to any other rights or remedies provided by law.(c) As used in this section, significant risk means a vulnerability score, calculated using a standard measurement system used by industry, organization, and government information technology systems that is accepted as a best practice for the industry, to determine that the risk is elevated above the lowest level of risk.SEC. 2. Section 1798.84 of the Civil Code is amended to read:1798.84. (a) Any waiver of a provision of this title is contrary to public policy and is void and unenforceable.(b) A customer or a resident, as described in subdivision (b) of Section 1798.81.6, injured by a violation of this title may institute a civil action to recover damages.(c) In addition, for a willful, intentional, or reckless violation of Section 1798.81.6 or 1798.83, a customer or resident may recover a civil penalty not to exceed three thousand dollars ($3,000) per violation; otherwise, the customer or resident may recover a civil penalty of up to five hundred dollars ($500) per violation for a violation of Section 1798.81.6 or 1798.83.(d) Unless the violation is willful, intentional, or reckless, a business that is alleged to have not provided all the information required by subdivision (a) of Section 1798.83, to have provided inaccurate information, failed to provide any of the information required by subdivision (a) of Section 1798.83, or failed to provide information in the time period required by subdivision (b) of Section 1798.83, may assert as a complete defense in any action in law or equity that it thereafter provided regarding the information that was alleged to be untimely, all the information, or accurate information, to all customers who were provided incomplete or inaccurate information, respectively, within 90 days of the date the business knew that it had failed to provide the information, timely information, all the information, or the accurate information, respectively.(e) Any business that violates, proposes to violate, or has violated this title may be enjoined.(f) (1) A cause of action shall not lie against a business for disposing of abandoned records containing personal information by shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means.(2) The Legislature finds and declares that when records containing personal information are abandoned by a business, they often end up in the possession of a storage company or commercial landlord. It is the intent of the Legislature in paragraph (1) to create a safe harbor for such a record custodian who properly disposes of the records in accordance with paragraph (1).(g) A prevailing plaintiff in any action commenced under Section 1798.81.6 or 1798.83 shall also be entitled to recover his or her reasonable attorneys fees and costs.(h) The rights and remedies available under this section are cumulative to each other and to any other rights and remedies available under law.
The people of the State of California do enact as follows:
## The people of the State of California do enact as follows:
SECTION 1. Section 1798.81.6 is added to the Civil Code, to read:1798.81.6. (a) A consumer credit reporting agency that owns, licenses, or maintains personal information about a California resident, or an entity that has a contract with a consumer credit reporting agency and maintains personal information about a California resident on behalf of the consumer credit reporting agency, that knows, or reasonably should know, that a computer system it owns, operates, or maintains is subject to a security vulnerability that could compromise poses a significant risk to the security of computerized data within the system that contains personal information, as defined in subdivision (h) of Section 1798.82, shall do both all of the following:(1) A If a consumer credit reporting agency that knows or reasonably should know that a software update is available to address a the vulnerability as described in subdivision (a), the agency shall begin to implement that software update in the most expedient time possible and without unreasonable delay, in keeping with industry best practices, but in any case within 3 no later than three business days after becoming aware of the vulnerability and the available software update. The installation software update shall be completed in the most expedient time possible and without unreasonable delay, in keeping with industry best practices, but in any case within no later than 30 days after becoming aware of the vulnerability and the available software update.(2) Until the software update described in paragraph (1) is complete, the consumer credit reporting agency shall, in keeping with industry best practices, employ reasonable mitigation measures to reduce the risk of a breach caused by computer system vulnerability as described in subdivision (a).(3) Notwithstanding whether a software update is available, the consumer credit reporting agency, in keeping with industry best practices, shall do both of the following:(A) Identify, prioritize, and address the highest-risk security vulnerabilities most quickly in order to reduce the likelihood that the vulnerabilities that pose the greatest security risk will be exploited.(B) Test the impact of mitigation measures and software updates on its computer system and how they effect the vulnerability of the system to threats to the security of computerized data.(b) A resident of California whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person, as described in subdivision (a) of Section 1798.82, as a result of a breach of the security of the system caused, in whole or in part, by an unaddressed computer system a security vulnerability in violation of that was not addressed, as required, by subdivision (a) is deemed to have suffered an injury in fact, and, therefore, may recover a civil penalty for each breach of the security of the system, damages, and reasonable attorneys fees and costs pursuant to Section 1798.84 in addition to any other rights or remedies provided by law.(c) As used in this section, significant risk means a vulnerability score, calculated using a standard measurement system used by industry, organization, and government information technology systems that is accepted as a best practice for the industry, to determine that the risk is elevated above the lowest level of risk.
SECTION 1. Section 1798.81.6 is added to the Civil Code, to read:
### SECTION 1.
1798.81.6. (a) A consumer credit reporting agency that owns, licenses, or maintains personal information about a California resident, or an entity that has a contract with a consumer credit reporting agency and maintains personal information about a California resident on behalf of the consumer credit reporting agency, that knows, or reasonably should know, that a computer system it owns, operates, or maintains is subject to a security vulnerability that could compromise poses a significant risk to the security of computerized data within the system that contains personal information, as defined in subdivision (h) of Section 1798.82, shall do both all of the following:(1) A If a consumer credit reporting agency that knows or reasonably should know that a software update is available to address a the vulnerability as described in subdivision (a), the agency shall begin to implement that software update in the most expedient time possible and without unreasonable delay, in keeping with industry best practices, but in any case within 3 no later than three business days after becoming aware of the vulnerability and the available software update. The installation software update shall be completed in the most expedient time possible and without unreasonable delay, in keeping with industry best practices, but in any case within no later than 30 days after becoming aware of the vulnerability and the available software update.(2) Until the software update described in paragraph (1) is complete, the consumer credit reporting agency shall, in keeping with industry best practices, employ reasonable mitigation measures to reduce the risk of a breach caused by computer system vulnerability as described in subdivision (a).(3) Notwithstanding whether a software update is available, the consumer credit reporting agency, in keeping with industry best practices, shall do both of the following:(A) Identify, prioritize, and address the highest-risk security vulnerabilities most quickly in order to reduce the likelihood that the vulnerabilities that pose the greatest security risk will be exploited.(B) Test the impact of mitigation measures and software updates on its computer system and how they effect the vulnerability of the system to threats to the security of computerized data.(b) A resident of California whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person, as described in subdivision (a) of Section 1798.82, as a result of a breach of the security of the system caused, in whole or in part, by an unaddressed computer system a security vulnerability in violation of that was not addressed, as required, by subdivision (a) is deemed to have suffered an injury in fact, and, therefore, may recover a civil penalty for each breach of the security of the system, damages, and reasonable attorneys fees and costs pursuant to Section 1798.84 in addition to any other rights or remedies provided by law.(c) As used in this section, significant risk means a vulnerability score, calculated using a standard measurement system used by industry, organization, and government information technology systems that is accepted as a best practice for the industry, to determine that the risk is elevated above the lowest level of risk.
1798.81.6. (a) A consumer credit reporting agency that owns, licenses, or maintains personal information about a California resident, or an entity that has a contract with a consumer credit reporting agency and maintains personal information about a California resident on behalf of the consumer credit reporting agency, that knows, or reasonably should know, that a computer system it owns, operates, or maintains is subject to a security vulnerability that could compromise poses a significant risk to the security of computerized data within the system that contains personal information, as defined in subdivision (h) of Section 1798.82, shall do both all of the following:(1) A If a consumer credit reporting agency that knows or reasonably should know that a software update is available to address a the vulnerability as described in subdivision (a), the agency shall begin to implement that software update in the most expedient time possible and without unreasonable delay, in keeping with industry best practices, but in any case within 3 no later than three business days after becoming aware of the vulnerability and the available software update. The installation software update shall be completed in the most expedient time possible and without unreasonable delay, in keeping with industry best practices, but in any case within no later than 30 days after becoming aware of the vulnerability and the available software update.(2) Until the software update described in paragraph (1) is complete, the consumer credit reporting agency shall, in keeping with industry best practices, employ reasonable mitigation measures to reduce the risk of a breach caused by computer system vulnerability as described in subdivision (a).(3) Notwithstanding whether a software update is available, the consumer credit reporting agency, in keeping with industry best practices, shall do both of the following:(A) Identify, prioritize, and address the highest-risk security vulnerabilities most quickly in order to reduce the likelihood that the vulnerabilities that pose the greatest security risk will be exploited.(B) Test the impact of mitigation measures and software updates on its computer system and how they effect the vulnerability of the system to threats to the security of computerized data.(b) A resident of California whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person, as described in subdivision (a) of Section 1798.82, as a result of a breach of the security of the system caused, in whole or in part, by an unaddressed computer system a security vulnerability in violation of that was not addressed, as required, by subdivision (a) is deemed to have suffered an injury in fact, and, therefore, may recover a civil penalty for each breach of the security of the system, damages, and reasonable attorneys fees and costs pursuant to Section 1798.84 in addition to any other rights or remedies provided by law.(c) As used in this section, significant risk means a vulnerability score, calculated using a standard measurement system used by industry, organization, and government information technology systems that is accepted as a best practice for the industry, to determine that the risk is elevated above the lowest level of risk.
1798.81.6. (a) A consumer credit reporting agency that owns, licenses, or maintains personal information about a California resident, or an entity that has a contract with a consumer credit reporting agency and maintains personal information about a California resident on behalf of the consumer credit reporting agency, that knows, or reasonably should know, that a computer system it owns, operates, or maintains is subject to a security vulnerability that could compromise poses a significant risk to the security of computerized data within the system that contains personal information, as defined in subdivision (h) of Section 1798.82, shall do both all of the following:(1) A If a consumer credit reporting agency that knows or reasonably should know that a software update is available to address a the vulnerability as described in subdivision (a), the agency shall begin to implement that software update in the most expedient time possible and without unreasonable delay, in keeping with industry best practices, but in any case within 3 no later than three business days after becoming aware of the vulnerability and the available software update. The installation software update shall be completed in the most expedient time possible and without unreasonable delay, in keeping with industry best practices, but in any case within no later than 30 days after becoming aware of the vulnerability and the available software update.(2) Until the software update described in paragraph (1) is complete, the consumer credit reporting agency shall, in keeping with industry best practices, employ reasonable mitigation measures to reduce the risk of a breach caused by computer system vulnerability as described in subdivision (a).(3) Notwithstanding whether a software update is available, the consumer credit reporting agency, in keeping with industry best practices, shall do both of the following:(A) Identify, prioritize, and address the highest-risk security vulnerabilities most quickly in order to reduce the likelihood that the vulnerabilities that pose the greatest security risk will be exploited.(B) Test the impact of mitigation measures and software updates on its computer system and how they effect the vulnerability of the system to threats to the security of computerized data.(b) A resident of California whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person, as described in subdivision (a) of Section 1798.82, as a result of a breach of the security of the system caused, in whole or in part, by an unaddressed computer system a security vulnerability in violation of that was not addressed, as required, by subdivision (a) is deemed to have suffered an injury in fact, and, therefore, may recover a civil penalty for each breach of the security of the system, damages, and reasonable attorneys fees and costs pursuant to Section 1798.84 in addition to any other rights or remedies provided by law.(c) As used in this section, significant risk means a vulnerability score, calculated using a standard measurement system used by industry, organization, and government information technology systems that is accepted as a best practice for the industry, to determine that the risk is elevated above the lowest level of risk.
1798.81.6. (a) A consumer credit reporting agency that owns, licenses, or maintains personal information about a California resident, or an entity that has a contract with a consumer credit reporting agency and maintains personal information about a California resident on behalf of the consumer credit reporting agency, that knows, or reasonably should know, that a computer system it owns, operates, or maintains is subject to a security vulnerability that could compromise poses a significant risk to the security of computerized data within the system that contains personal information, as defined in subdivision (h) of Section 1798.82, shall do both all of the following:
(1) A If a consumer credit reporting agency that knows or reasonably should know that a software update is available to address a the vulnerability as described in subdivision (a), the agency shall begin to implement that software update in the most expedient time possible and without unreasonable delay, in keeping with industry best practices, but in any case within 3 no later than three business days after becoming aware of the vulnerability and the available software update. The installation software update shall be completed in the most expedient time possible and without unreasonable delay, in keeping with industry best practices, but in any case within no later than 30 days after becoming aware of the vulnerability and the available software update.
(2) Until the software update described in paragraph (1) is complete, the consumer credit reporting agency shall, in keeping with industry best practices, employ reasonable mitigation measures to reduce the risk of a breach caused by computer system vulnerability as described in subdivision (a).
(3) Notwithstanding whether a software update is available, the consumer credit reporting agency, in keeping with industry best practices, shall do both of the following:
(A) Identify, prioritize, and address the highest-risk security vulnerabilities most quickly in order to reduce the likelihood that the vulnerabilities that pose the greatest security risk will be exploited.
(B) Test the impact of mitigation measures and software updates on its computer system and how they effect the vulnerability of the system to threats to the security of computerized data.
(b) A resident of California whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person, as described in subdivision (a) of Section 1798.82, as a result of a breach of the security of the system caused, in whole or in part, by an unaddressed computer system a security vulnerability in violation of that was not addressed, as required, by subdivision (a) is deemed to have suffered an injury in fact, and, therefore, may recover a civil penalty for each breach of the security of the system, damages, and reasonable attorneys fees and costs pursuant to Section 1798.84 in addition to any other rights or remedies provided by law.
(c) As used in this section, significant risk means a vulnerability score, calculated using a standard measurement system used by industry, organization, and government information technology systems that is accepted as a best practice for the industry, to determine that the risk is elevated above the lowest level of risk.
SEC. 2. Section 1798.84 of the Civil Code is amended to read:1798.84. (a) Any waiver of a provision of this title is contrary to public policy and is void and unenforceable.(b) A customer or a resident, as described in subdivision (b) of Section 1798.81.6, injured by a violation of this title may institute a civil action to recover damages.(c) In addition, for a willful, intentional, or reckless violation of Section 1798.81.6 or 1798.83, a customer or resident may recover a civil penalty not to exceed three thousand dollars ($3,000) per violation; otherwise, the customer or resident may recover a civil penalty of up to five hundred dollars ($500) per violation for a violation of Section 1798.81.6 or 1798.83.(d) Unless the violation is willful, intentional, or reckless, a business that is alleged to have not provided all the information required by subdivision (a) of Section 1798.83, to have provided inaccurate information, failed to provide any of the information required by subdivision (a) of Section 1798.83, or failed to provide information in the time period required by subdivision (b) of Section 1798.83, may assert as a complete defense in any action in law or equity that it thereafter provided regarding the information that was alleged to be untimely, all the information, or accurate information, to all customers who were provided incomplete or inaccurate information, respectively, within 90 days of the date the business knew that it had failed to provide the information, timely information, all the information, or the accurate information, respectively.(e) Any business that violates, proposes to violate, or has violated this title may be enjoined.(f) (1) A cause of action shall not lie against a business for disposing of abandoned records containing personal information by shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means.(2) The Legislature finds and declares that when records containing personal information are abandoned by a business, they often end up in the possession of a storage company or commercial landlord. It is the intent of the Legislature in paragraph (1) to create a safe harbor for such a record custodian who properly disposes of the records in accordance with paragraph (1).(g) A prevailing plaintiff in any action commenced under Section 1798.81.6 or 1798.83 shall also be entitled to recover his or her reasonable attorneys fees and costs.(h) The rights and remedies available under this section are cumulative to each other and to any other rights and remedies available under law.
SEC. 2. Section 1798.84 of the Civil Code is amended to read:
### SEC. 2.
1798.84. (a) Any waiver of a provision of this title is contrary to public policy and is void and unenforceable.(b) A customer or a resident, as described in subdivision (b) of Section 1798.81.6, injured by a violation of this title may institute a civil action to recover damages.(c) In addition, for a willful, intentional, or reckless violation of Section 1798.81.6 or 1798.83, a customer or resident may recover a civil penalty not to exceed three thousand dollars ($3,000) per violation; otherwise, the customer or resident may recover a civil penalty of up to five hundred dollars ($500) per violation for a violation of Section 1798.81.6 or 1798.83.(d) Unless the violation is willful, intentional, or reckless, a business that is alleged to have not provided all the information required by subdivision (a) of Section 1798.83, to have provided inaccurate information, failed to provide any of the information required by subdivision (a) of Section 1798.83, or failed to provide information in the time period required by subdivision (b) of Section 1798.83, may assert as a complete defense in any action in law or equity that it thereafter provided regarding the information that was alleged to be untimely, all the information, or accurate information, to all customers who were provided incomplete or inaccurate information, respectively, within 90 days of the date the business knew that it had failed to provide the information, timely information, all the information, or the accurate information, respectively.(e) Any business that violates, proposes to violate, or has violated this title may be enjoined.(f) (1) A cause of action shall not lie against a business for disposing of abandoned records containing personal information by shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means.(2) The Legislature finds and declares that when records containing personal information are abandoned by a business, they often end up in the possession of a storage company or commercial landlord. It is the intent of the Legislature in paragraph (1) to create a safe harbor for such a record custodian who properly disposes of the records in accordance with paragraph (1).(g) A prevailing plaintiff in any action commenced under Section 1798.81.6 or 1798.83 shall also be entitled to recover his or her reasonable attorneys fees and costs.(h) The rights and remedies available under this section are cumulative to each other and to any other rights and remedies available under law.
1798.84. (a) Any waiver of a provision of this title is contrary to public policy and is void and unenforceable.(b) A customer or a resident, as described in subdivision (b) of Section 1798.81.6, injured by a violation of this title may institute a civil action to recover damages.(c) In addition, for a willful, intentional, or reckless violation of Section 1798.81.6 or 1798.83, a customer or resident may recover a civil penalty not to exceed three thousand dollars ($3,000) per violation; otherwise, the customer or resident may recover a civil penalty of up to five hundred dollars ($500) per violation for a violation of Section 1798.81.6 or 1798.83.(d) Unless the violation is willful, intentional, or reckless, a business that is alleged to have not provided all the information required by subdivision (a) of Section 1798.83, to have provided inaccurate information, failed to provide any of the information required by subdivision (a) of Section 1798.83, or failed to provide information in the time period required by subdivision (b) of Section 1798.83, may assert as a complete defense in any action in law or equity that it thereafter provided regarding the information that was alleged to be untimely, all the information, or accurate information, to all customers who were provided incomplete or inaccurate information, respectively, within 90 days of the date the business knew that it had failed to provide the information, timely information, all the information, or the accurate information, respectively.(e) Any business that violates, proposes to violate, or has violated this title may be enjoined.(f) (1) A cause of action shall not lie against a business for disposing of abandoned records containing personal information by shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means.(2) The Legislature finds and declares that when records containing personal information are abandoned by a business, they often end up in the possession of a storage company or commercial landlord. It is the intent of the Legislature in paragraph (1) to create a safe harbor for such a record custodian who properly disposes of the records in accordance with paragraph (1).(g) A prevailing plaintiff in any action commenced under Section 1798.81.6 or 1798.83 shall also be entitled to recover his or her reasonable attorneys fees and costs.(h) The rights and remedies available under this section are cumulative to each other and to any other rights and remedies available under law.
1798.84. (a) Any waiver of a provision of this title is contrary to public policy and is void and unenforceable.(b) A customer or a resident, as described in subdivision (b) of Section 1798.81.6, injured by a violation of this title may institute a civil action to recover damages.(c) In addition, for a willful, intentional, or reckless violation of Section 1798.81.6 or 1798.83, a customer or resident may recover a civil penalty not to exceed three thousand dollars ($3,000) per violation; otherwise, the customer or resident may recover a civil penalty of up to five hundred dollars ($500) per violation for a violation of Section 1798.81.6 or 1798.83.(d) Unless the violation is willful, intentional, or reckless, a business that is alleged to have not provided all the information required by subdivision (a) of Section 1798.83, to have provided inaccurate information, failed to provide any of the information required by subdivision (a) of Section 1798.83, or failed to provide information in the time period required by subdivision (b) of Section 1798.83, may assert as a complete defense in any action in law or equity that it thereafter provided regarding the information that was alleged to be untimely, all the information, or accurate information, to all customers who were provided incomplete or inaccurate information, respectively, within 90 days of the date the business knew that it had failed to provide the information, timely information, all the information, or the accurate information, respectively.(e) Any business that violates, proposes to violate, or has violated this title may be enjoined.(f) (1) A cause of action shall not lie against a business for disposing of abandoned records containing personal information by shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means.(2) The Legislature finds and declares that when records containing personal information are abandoned by a business, they often end up in the possession of a storage company or commercial landlord. It is the intent of the Legislature in paragraph (1) to create a safe harbor for such a record custodian who properly disposes of the records in accordance with paragraph (1).(g) A prevailing plaintiff in any action commenced under Section 1798.81.6 or 1798.83 shall also be entitled to recover his or her reasonable attorneys fees and costs.(h) The rights and remedies available under this section are cumulative to each other and to any other rights and remedies available under law.
1798.84. (a) Any waiver of a provision of this title is contrary to public policy and is void and unenforceable.
(b) A customer or a resident, as described in subdivision (b) of Section 1798.81.6, injured by a violation of this title may institute a civil action to recover damages.
(c) In addition, for a willful, intentional, or reckless violation of Section 1798.81.6 or 1798.83, a customer or resident may recover a civil penalty not to exceed three thousand dollars ($3,000) per violation; otherwise, the customer or resident may recover a civil penalty of up to five hundred dollars ($500) per violation for a violation of Section 1798.81.6 or 1798.83.
(d) Unless the violation is willful, intentional, or reckless, a business that is alleged to have not provided all the information required by subdivision (a) of Section 1798.83, to have provided inaccurate information, failed to provide any of the information required by subdivision (a) of Section 1798.83, or failed to provide information in the time period required by subdivision (b) of Section 1798.83, may assert as a complete defense in any action in law or equity that it thereafter provided regarding the information that was alleged to be untimely, all the information, or accurate information, to all customers who were provided incomplete or inaccurate information, respectively, within 90 days of the date the business knew that it had failed to provide the information, timely information, all the information, or the accurate information, respectively.
(e) Any business that violates, proposes to violate, or has violated this title may be enjoined.
(f) (1) A cause of action shall not lie against a business for disposing of abandoned records containing personal information by shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means.
(2) The Legislature finds and declares that when records containing personal information are abandoned by a business, they often end up in the possession of a storage company or commercial landlord. It is the intent of the Legislature in paragraph (1) to create a safe harbor for such a record custodian who properly disposes of the records in accordance with paragraph (1).
(g) A prevailing plaintiff in any action commenced under Section 1798.81.6 or 1798.83 shall also be entitled to recover his or her reasonable attorneys fees and costs.
(h) The rights and remedies available under this section are cumulative to each other and to any other rights and remedies available under law.