Amended IN Senate August 17, 2018 Amended IN Assembly May 03, 2018 Amended IN Assembly April 19, 2018 CALIFORNIA LEGISLATURE 20172018 REGULAR SESSION Assembly Bill No. 1859Introduced by Assembly Member ChauJanuary 10, 2018 An act to amend Section 1798.84 of, and to add Section 1798.81.6 to, to the Civil Code, relating to information privacy. LEGISLATIVE COUNSEL'S DIGESTAB 1859, as amended, Chau. Customer records.Existing law regulating consumer credit reporting agencies provides as its purpose to require, among other things, that these agencies adopt reasonable procedures for meeting the needs of commerce for consumer credit in a manner that is fair and equitable to the consumer with regard to the confidentiality of such information and in a manner that will best protect the interests of the people of the state. Existing law requires a person or business that owns or licenses computerized data that includes personal information to disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person, or, whose encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person and the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person and the agency that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information readable or useable. Existing law requires the disclosure to be made in the most expedient time possible and without unreasonable delay, as specified. Existing law authorizes any customer who is injured by a violation of these provisions to institute a civil action to recover damages.This bill would require a consumer credit reporting agency that owns, licenses, or maintains personal information about a California resident, or an entity that has a contract with a consumer credit reporting agency and a 3rd party that maintains personal information about a California resident on behalf of the for a consumer credit reporting agency, that knows, or reasonably should know, that a computer system it owns, operates, or maintains maintains, and for which it controls the security protocols, is subject to a security vulnerability that poses a significant risk to the security of computerized data within the system that contains personal information, to take certain measures to protect that data, including implementing software updates, if it knows or reasonably should know that a software update is available to address the security vulnerability, and employing reasonable mitigation measures compensating controls to reduce the risk of a breach caused by computer system vulnerability until the software update is complete, as specified. The bill would authorize a resident of California whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person, as specified, as a result of a breach of the security of the system caused, in whole or in part, by a security vulnerability that was not addressed as required, to institute a civil action to recover damages, civil penalties, and reasonable attorneys fees and costs for that injury. The bill would also authorize specified civil penalties to be recovered for a willful, intentional, or reckless violation of these provisions.Digest Key Vote: MAJORITY Appropriation: NO Fiscal Committee: NOYES Local Program: NO Bill TextThe people of the State of California do enact as follows:SECTION 1. Section 1798.81.6 is added to the Civil Code, to read:1798.81.6. (a) A consumer credit reporting agency agency, as defined in 15 U.S.C. Sec. 1681a(p), that owns, licenses, or maintains personal information about a California resident, or an entity that has a contract with a consumer credit reporting agency and maintains personal information about a California resident on behalf of the consumer credit reporting agency, a third party that maintains personal information about a California resident for a consumer credit reporting agency, that knows, or reasonably should know, that a computer system it owns, operates, or maintains maintains, and for which it controls the security protocols, is subject to a security vulnerability that poses a significant risk to the security of computerized data within the system data, as defined in subdivision(d), that contains personal information, as defined in subdivision (h) of Section 1798.82, shall do all of the following:(1) If a consumer credit reporting agency knows or reasonably should know that a software update is available to address the vulnerability as described in subdivision (a), the agency shall begin to implement the necessary testing, planning, and assessment of its systems for implementation of that software update in the most expedient time possible and without unreasonable delay, in keeping with industry best practices, but in any case no later than three business days after becoming aware aware, or after the point at which it reasonably should have become aware, of the vulnerability and the available software update. The software update shall be completed in the most expedient time possible and without unreasonable delay, in keeping with industry best practices, but in any case no later than 30 90 days after becoming aware aware, or after the point at which it reasonably should have become aware, of the vulnerability and the available software update.(2) Until the software update described in paragraph (1) is complete, the consumer credit reporting agency shall, in keeping with industry best practices, employ reasonable mitigation measures compensating controls to reduce the risk of a breach caused by computer system vulnerability as described in subdivision (a).(3)(b) Notwithstanding whether a software update is available, the consumer credit reporting agency, in keeping with industry best practices, shall do both all of the following:(A)(1) Identify, prioritize, and address the highest-risk highest risk security vulnerabilities most quickly in order to reduce the likelihood that the vulnerabilities that pose the greatest security risk will be exploited.(B)(2) Test the impact of mitigation measures and software updates on its computer system and how they effect and evaluate the impact of compensating controls and software updates and how they affect the vulnerability of the system to threats to the security of computerized data.(3) Require, by contract, that the third party implement and maintain appropriate security measures for personal information. Contracting with a third party to maintain personal information about California residents shall not relieve the consumer credit agency of the requirements of this section.(c) A third party shall notify the consumer credit reporting agency of any known vulnerabilities as expeditiously as possible, but in any event, within two days.(b)A resident of California whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person, as described in subdivision (a) of Section 1798.82, as a result of a breach of the security of the system caused, in whole or in part, by a security vulnerability that was not addressed, as required, by subdivision (a) is deemed to have suffered an injury in fact, and, therefore, may recover a civil penalty for each breach of the security of the system, damages, and reasonable attorneys fees and costs pursuant to Section 1798.84 in addition to any other rights or remedies provided by law.(c)(d) As used in this section, significant risk means a vulnerability score, calculated using a standard measurement system used by industry, organization, and government information technology systems that is accepted as a best practice for the industry, to determine that the risk is elevated above the lowest level of risk. could reasonably result in a breach of the security of the system, as defined in subdivision (g) of Section 1798.82, of personal information, as defined in subdivision (h) of Section 1798.82.(e) As used in this section, compensating controls means controls that the agency reasonably believes will prevent the computer system vulnerability as described in subdivision (a) from being exploited while the software update is being tested, assessed, and a plan for implementation is being developed, and have been adequately tested and confirmed to sufficiently offset the risk of breach caused by computer system vulnerability as described in subdivision (a).(f) Nothing in this section shall reduce the responsibilities and obligations of a consumer credit reporting agency or third party under this title, including, but not limited to, Section 1798.81.5.(g) The Attorney General has exclusive authority to enforce this section.SEC. 2.Section 1798.84 of the Civil Code is amended to read:1798.84.(a)Any waiver of a provision of this title is contrary to public policy and is void and unenforceable.(b)A customer or a resident, as described in subdivision (b) of Section 1798.81.6, injured by a violation of this title may institute a civil action to recover damages.(c)In addition, for a willful, intentional, or reckless violation of Section 1798.81.6 or 1798.83, a customer or resident may recover a civil penalty not to exceed three thousand dollars ($3,000) per violation; otherwise, the customer or resident may recover a civil penalty of up to five hundred dollars ($500) per violation for a violation of Section 1798.81.6 or 1798.83.(d)Unless the violation is willful, intentional, or reckless, a business that is alleged to have not provided all the information required by subdivision (a) of Section 1798.83, to have provided inaccurate information, failed to provide any of the information required by subdivision (a) of Section 1798.83, or failed to provide information in the time period required by subdivision (b) of Section 1798.83, may assert as a complete defense in any action in law or equity that it thereafter provided regarding the information that was alleged to be untimely, all the information, or accurate information, to all customers who were provided incomplete or inaccurate information, respectively, within 90 days of the date the business knew that it had failed to provide the information, timely information, all the information, or the accurate information, respectively.(e)Any business that violates, proposes to violate, or has violated this title may be enjoined.(f)(1)A cause of action shall not lie against a business for disposing of abandoned records containing personal information by shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means.(2)The Legislature finds and declares that when records containing personal information are abandoned by a business, they often end up in the possession of a storage company or commercial landlord. It is the intent of the Legislature in paragraph (1) to create a safe harbor for such a record custodian who properly disposes of the records in accordance with paragraph (1).(g)A prevailing plaintiff in any action commenced under Section 1798.81.6 or 1798.83 shall also be entitled to recover his or her reasonable attorneys fees and costs.(h)The rights and remedies available under this section are cumulative to each other and to any other rights and remedies available under law.
Amended IN Senate August 17, 2018 Amended IN Assembly May 03, 2018 Amended IN Assembly April 19, 2018 CALIFORNIA LEGISLATURE 20172018 REGULAR SESSION Assembly Bill No. 1859Introduced by Assembly Member ChauJanuary 10, 2018 An act to amend Section 1798.84 of, and to add Section 1798.81.6 to, to the Civil Code, relating to information privacy. LEGISLATIVE COUNSEL'S DIGESTAB 1859, as amended, Chau. Customer records.Existing law regulating consumer credit reporting agencies provides as its purpose to require, among other things, that these agencies adopt reasonable procedures for meeting the needs of commerce for consumer credit in a manner that is fair and equitable to the consumer with regard to the confidentiality of such information and in a manner that will best protect the interests of the people of the state. Existing law requires a person or business that owns or licenses computerized data that includes personal information to disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person, or, whose encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person and the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person and the agency that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information readable or useable. Existing law requires the disclosure to be made in the most expedient time possible and without unreasonable delay, as specified. Existing law authorizes any customer who is injured by a violation of these provisions to institute a civil action to recover damages.This bill would require a consumer credit reporting agency that owns, licenses, or maintains personal information about a California resident, or an entity that has a contract with a consumer credit reporting agency and a 3rd party that maintains personal information about a California resident on behalf of the for a consumer credit reporting agency, that knows, or reasonably should know, that a computer system it owns, operates, or maintains maintains, and for which it controls the security protocols, is subject to a security vulnerability that poses a significant risk to the security of computerized data within the system that contains personal information, to take certain measures to protect that data, including implementing software updates, if it knows or reasonably should know that a software update is available to address the security vulnerability, and employing reasonable mitigation measures compensating controls to reduce the risk of a breach caused by computer system vulnerability until the software update is complete, as specified. The bill would authorize a resident of California whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person, as specified, as a result of a breach of the security of the system caused, in whole or in part, by a security vulnerability that was not addressed as required, to institute a civil action to recover damages, civil penalties, and reasonable attorneys fees and costs for that injury. The bill would also authorize specified civil penalties to be recovered for a willful, intentional, or reckless violation of these provisions.Digest Key Vote: MAJORITY Appropriation: NO Fiscal Committee: NOYES Local Program: NO
Amended IN Senate August 17, 2018 Amended IN Assembly May 03, 2018 Amended IN Assembly April 19, 2018
Amended IN Senate August 17, 2018
Amended IN Assembly May 03, 2018
Amended IN Assembly April 19, 2018
CALIFORNIA LEGISLATURE 20172018 REGULAR SESSION
Assembly Bill No. 1859
Introduced by Assembly Member ChauJanuary 10, 2018
Introduced by Assembly Member Chau
January 10, 2018
An act to amend Section 1798.84 of, and to add Section 1798.81.6 to, to the Civil Code, relating to information privacy.
LEGISLATIVE COUNSEL'S DIGEST
## LEGISLATIVE COUNSEL'S DIGEST
AB 1859, as amended, Chau. Customer records.
Existing law regulating consumer credit reporting agencies provides as its purpose to require, among other things, that these agencies adopt reasonable procedures for meeting the needs of commerce for consumer credit in a manner that is fair and equitable to the consumer with regard to the confidentiality of such information and in a manner that will best protect the interests of the people of the state. Existing law requires a person or business that owns or licenses computerized data that includes personal information to disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person, or, whose encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person and the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person and the agency that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information readable or useable. Existing law requires the disclosure to be made in the most expedient time possible and without unreasonable delay, as specified. Existing law authorizes any customer who is injured by a violation of these provisions to institute a civil action to recover damages.This bill would require a consumer credit reporting agency that owns, licenses, or maintains personal information about a California resident, or an entity that has a contract with a consumer credit reporting agency and a 3rd party that maintains personal information about a California resident on behalf of the for a consumer credit reporting agency, that knows, or reasonably should know, that a computer system it owns, operates, or maintains maintains, and for which it controls the security protocols, is subject to a security vulnerability that poses a significant risk to the security of computerized data within the system that contains personal information, to take certain measures to protect that data, including implementing software updates, if it knows or reasonably should know that a software update is available to address the security vulnerability, and employing reasonable mitigation measures compensating controls to reduce the risk of a breach caused by computer system vulnerability until the software update is complete, as specified. The bill would authorize a resident of California whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person, as specified, as a result of a breach of the security of the system caused, in whole or in part, by a security vulnerability that was not addressed as required, to institute a civil action to recover damages, civil penalties, and reasonable attorneys fees and costs for that injury. The bill would also authorize specified civil penalties to be recovered for a willful, intentional, or reckless violation of these provisions.
Existing law regulating consumer credit reporting agencies provides as its purpose to require, among other things, that these agencies adopt reasonable procedures for meeting the needs of commerce for consumer credit in a manner that is fair and equitable to the consumer with regard to the confidentiality of such information and in a manner that will best protect the interests of the people of the state. Existing law requires a person or business that owns or licenses computerized data that includes personal information to disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person, or, whose encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person and the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person and the agency that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information readable or useable. Existing law requires the disclosure to be made in the most expedient time possible and without unreasonable delay, as specified. Existing law authorizes any customer who is injured by a violation of these provisions to institute a civil action to recover damages.
This bill would require a consumer credit reporting agency that owns, licenses, or maintains personal information about a California resident, or an entity that has a contract with a consumer credit reporting agency and a 3rd party that maintains personal information about a California resident on behalf of the for a consumer credit reporting agency, that knows, or reasonably should know, that a computer system it owns, operates, or maintains maintains, and for which it controls the security protocols, is subject to a security vulnerability that poses a significant risk to the security of computerized data within the system that contains personal information, to take certain measures to protect that data, including implementing software updates, if it knows or reasonably should know that a software update is available to address the security vulnerability, and employing reasonable mitigation measures compensating controls to reduce the risk of a breach caused by computer system vulnerability until the software update is complete, as specified. The bill would authorize a resident of California whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person, as specified, as a result of a breach of the security of the system caused, in whole or in part, by a security vulnerability that was not addressed as required, to institute a civil action to recover damages, civil penalties, and reasonable attorneys fees and costs for that injury. The bill would also authorize specified civil penalties to be recovered for a willful, intentional, or reckless violation of these provisions.
## Digest Key
## Bill Text
The people of the State of California do enact as follows:SECTION 1. Section 1798.81.6 is added to the Civil Code, to read:1798.81.6. (a) A consumer credit reporting agency agency, as defined in 15 U.S.C. Sec. 1681a(p), that owns, licenses, or maintains personal information about a California resident, or an entity that has a contract with a consumer credit reporting agency and maintains personal information about a California resident on behalf of the consumer credit reporting agency, a third party that maintains personal information about a California resident for a consumer credit reporting agency, that knows, or reasonably should know, that a computer system it owns, operates, or maintains maintains, and for which it controls the security protocols, is subject to a security vulnerability that poses a significant risk to the security of computerized data within the system data, as defined in subdivision(d), that contains personal information, as defined in subdivision (h) of Section 1798.82, shall do all of the following:(1) If a consumer credit reporting agency knows or reasonably should know that a software update is available to address the vulnerability as described in subdivision (a), the agency shall begin to implement the necessary testing, planning, and assessment of its systems for implementation of that software update in the most expedient time possible and without unreasonable delay, in keeping with industry best practices, but in any case no later than three business days after becoming aware aware, or after the point at which it reasonably should have become aware, of the vulnerability and the available software update. The software update shall be completed in the most expedient time possible and without unreasonable delay, in keeping with industry best practices, but in any case no later than 30 90 days after becoming aware aware, or after the point at which it reasonably should have become aware, of the vulnerability and the available software update.(2) Until the software update described in paragraph (1) is complete, the consumer credit reporting agency shall, in keeping with industry best practices, employ reasonable mitigation measures compensating controls to reduce the risk of a breach caused by computer system vulnerability as described in subdivision (a).(3)(b) Notwithstanding whether a software update is available, the consumer credit reporting agency, in keeping with industry best practices, shall do both all of the following:(A)(1) Identify, prioritize, and address the highest-risk highest risk security vulnerabilities most quickly in order to reduce the likelihood that the vulnerabilities that pose the greatest security risk will be exploited.(B)(2) Test the impact of mitigation measures and software updates on its computer system and how they effect and evaluate the impact of compensating controls and software updates and how they affect the vulnerability of the system to threats to the security of computerized data.(3) Require, by contract, that the third party implement and maintain appropriate security measures for personal information. Contracting with a third party to maintain personal information about California residents shall not relieve the consumer credit agency of the requirements of this section.(c) A third party shall notify the consumer credit reporting agency of any known vulnerabilities as expeditiously as possible, but in any event, within two days.(b)A resident of California whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person, as described in subdivision (a) of Section 1798.82, as a result of a breach of the security of the system caused, in whole or in part, by a security vulnerability that was not addressed, as required, by subdivision (a) is deemed to have suffered an injury in fact, and, therefore, may recover a civil penalty for each breach of the security of the system, damages, and reasonable attorneys fees and costs pursuant to Section 1798.84 in addition to any other rights or remedies provided by law.(c)(d) As used in this section, significant risk means a vulnerability score, calculated using a standard measurement system used by industry, organization, and government information technology systems that is accepted as a best practice for the industry, to determine that the risk is elevated above the lowest level of risk. could reasonably result in a breach of the security of the system, as defined in subdivision (g) of Section 1798.82, of personal information, as defined in subdivision (h) of Section 1798.82.(e) As used in this section, compensating controls means controls that the agency reasonably believes will prevent the computer system vulnerability as described in subdivision (a) from being exploited while the software update is being tested, assessed, and a plan for implementation is being developed, and have been adequately tested and confirmed to sufficiently offset the risk of breach caused by computer system vulnerability as described in subdivision (a).(f) Nothing in this section shall reduce the responsibilities and obligations of a consumer credit reporting agency or third party under this title, including, but not limited to, Section 1798.81.5.(g) The Attorney General has exclusive authority to enforce this section.SEC. 2.Section 1798.84 of the Civil Code is amended to read:1798.84.(a)Any waiver of a provision of this title is contrary to public policy and is void and unenforceable.(b)A customer or a resident, as described in subdivision (b) of Section 1798.81.6, injured by a violation of this title may institute a civil action to recover damages.(c)In addition, for a willful, intentional, or reckless violation of Section 1798.81.6 or 1798.83, a customer or resident may recover a civil penalty not to exceed three thousand dollars ($3,000) per violation; otherwise, the customer or resident may recover a civil penalty of up to five hundred dollars ($500) per violation for a violation of Section 1798.81.6 or 1798.83.(d)Unless the violation is willful, intentional, or reckless, a business that is alleged to have not provided all the information required by subdivision (a) of Section 1798.83, to have provided inaccurate information, failed to provide any of the information required by subdivision (a) of Section 1798.83, or failed to provide information in the time period required by subdivision (b) of Section 1798.83, may assert as a complete defense in any action in law or equity that it thereafter provided regarding the information that was alleged to be untimely, all the information, or accurate information, to all customers who were provided incomplete or inaccurate information, respectively, within 90 days of the date the business knew that it had failed to provide the information, timely information, all the information, or the accurate information, respectively.(e)Any business that violates, proposes to violate, or has violated this title may be enjoined.(f)(1)A cause of action shall not lie against a business for disposing of abandoned records containing personal information by shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means.(2)The Legislature finds and declares that when records containing personal information are abandoned by a business, they often end up in the possession of a storage company or commercial landlord. It is the intent of the Legislature in paragraph (1) to create a safe harbor for such a record custodian who properly disposes of the records in accordance with paragraph (1).(g)A prevailing plaintiff in any action commenced under Section 1798.81.6 or 1798.83 shall also be entitled to recover his or her reasonable attorneys fees and costs.(h)The rights and remedies available under this section are cumulative to each other and to any other rights and remedies available under law.
The people of the State of California do enact as follows:
## The people of the State of California do enact as follows:
SECTION 1. Section 1798.81.6 is added to the Civil Code, to read:1798.81.6. (a) A consumer credit reporting agency agency, as defined in 15 U.S.C. Sec. 1681a(p), that owns, licenses, or maintains personal information about a California resident, or an entity that has a contract with a consumer credit reporting agency and maintains personal information about a California resident on behalf of the consumer credit reporting agency, a third party that maintains personal information about a California resident for a consumer credit reporting agency, that knows, or reasonably should know, that a computer system it owns, operates, or maintains maintains, and for which it controls the security protocols, is subject to a security vulnerability that poses a significant risk to the security of computerized data within the system data, as defined in subdivision(d), that contains personal information, as defined in subdivision (h) of Section 1798.82, shall do all of the following:(1) If a consumer credit reporting agency knows or reasonably should know that a software update is available to address the vulnerability as described in subdivision (a), the agency shall begin to implement the necessary testing, planning, and assessment of its systems for implementation of that software update in the most expedient time possible and without unreasonable delay, in keeping with industry best practices, but in any case no later than three business days after becoming aware aware, or after the point at which it reasonably should have become aware, of the vulnerability and the available software update. The software update shall be completed in the most expedient time possible and without unreasonable delay, in keeping with industry best practices, but in any case no later than 30 90 days after becoming aware aware, or after the point at which it reasonably should have become aware, of the vulnerability and the available software update.(2) Until the software update described in paragraph (1) is complete, the consumer credit reporting agency shall, in keeping with industry best practices, employ reasonable mitigation measures compensating controls to reduce the risk of a breach caused by computer system vulnerability as described in subdivision (a).(3)(b) Notwithstanding whether a software update is available, the consumer credit reporting agency, in keeping with industry best practices, shall do both all of the following:(A)(1) Identify, prioritize, and address the highest-risk highest risk security vulnerabilities most quickly in order to reduce the likelihood that the vulnerabilities that pose the greatest security risk will be exploited.(B)(2) Test the impact of mitigation measures and software updates on its computer system and how they effect and evaluate the impact of compensating controls and software updates and how they affect the vulnerability of the system to threats to the security of computerized data.(3) Require, by contract, that the third party implement and maintain appropriate security measures for personal information. Contracting with a third party to maintain personal information about California residents shall not relieve the consumer credit agency of the requirements of this section.(c) A third party shall notify the consumer credit reporting agency of any known vulnerabilities as expeditiously as possible, but in any event, within two days.(b)A resident of California whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person, as described in subdivision (a) of Section 1798.82, as a result of a breach of the security of the system caused, in whole or in part, by a security vulnerability that was not addressed, as required, by subdivision (a) is deemed to have suffered an injury in fact, and, therefore, may recover a civil penalty for each breach of the security of the system, damages, and reasonable attorneys fees and costs pursuant to Section 1798.84 in addition to any other rights or remedies provided by law.(c)(d) As used in this section, significant risk means a vulnerability score, calculated using a standard measurement system used by industry, organization, and government information technology systems that is accepted as a best practice for the industry, to determine that the risk is elevated above the lowest level of risk. could reasonably result in a breach of the security of the system, as defined in subdivision (g) of Section 1798.82, of personal information, as defined in subdivision (h) of Section 1798.82.(e) As used in this section, compensating controls means controls that the agency reasonably believes will prevent the computer system vulnerability as described in subdivision (a) from being exploited while the software update is being tested, assessed, and a plan for implementation is being developed, and have been adequately tested and confirmed to sufficiently offset the risk of breach caused by computer system vulnerability as described in subdivision (a).(f) Nothing in this section shall reduce the responsibilities and obligations of a consumer credit reporting agency or third party under this title, including, but not limited to, Section 1798.81.5.(g) The Attorney General has exclusive authority to enforce this section.
SECTION 1. Section 1798.81.6 is added to the Civil Code, to read:
### SECTION 1.
1798.81.6. (a) A consumer credit reporting agency agency, as defined in 15 U.S.C. Sec. 1681a(p), that owns, licenses, or maintains personal information about a California resident, or an entity that has a contract with a consumer credit reporting agency and maintains personal information about a California resident on behalf of the consumer credit reporting agency, a third party that maintains personal information about a California resident for a consumer credit reporting agency, that knows, or reasonably should know, that a computer system it owns, operates, or maintains maintains, and for which it controls the security protocols, is subject to a security vulnerability that poses a significant risk to the security of computerized data within the system data, as defined in subdivision(d), that contains personal information, as defined in subdivision (h) of Section 1798.82, shall do all of the following:(1) If a consumer credit reporting agency knows or reasonably should know that a software update is available to address the vulnerability as described in subdivision (a), the agency shall begin to implement the necessary testing, planning, and assessment of its systems for implementation of that software update in the most expedient time possible and without unreasonable delay, in keeping with industry best practices, but in any case no later than three business days after becoming aware aware, or after the point at which it reasonably should have become aware, of the vulnerability and the available software update. The software update shall be completed in the most expedient time possible and without unreasonable delay, in keeping with industry best practices, but in any case no later than 30 90 days after becoming aware aware, or after the point at which it reasonably should have become aware, of the vulnerability and the available software update.(2) Until the software update described in paragraph (1) is complete, the consumer credit reporting agency shall, in keeping with industry best practices, employ reasonable mitigation measures compensating controls to reduce the risk of a breach caused by computer system vulnerability as described in subdivision (a).(3)(b) Notwithstanding whether a software update is available, the consumer credit reporting agency, in keeping with industry best practices, shall do both all of the following:(A)(1) Identify, prioritize, and address the highest-risk highest risk security vulnerabilities most quickly in order to reduce the likelihood that the vulnerabilities that pose the greatest security risk will be exploited.(B)(2) Test the impact of mitigation measures and software updates on its computer system and how they effect and evaluate the impact of compensating controls and software updates and how they affect the vulnerability of the system to threats to the security of computerized data.(3) Require, by contract, that the third party implement and maintain appropriate security measures for personal information. Contracting with a third party to maintain personal information about California residents shall not relieve the consumer credit agency of the requirements of this section.(c) A third party shall notify the consumer credit reporting agency of any known vulnerabilities as expeditiously as possible, but in any event, within two days.(b)A resident of California whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person, as described in subdivision (a) of Section 1798.82, as a result of a breach of the security of the system caused, in whole or in part, by a security vulnerability that was not addressed, as required, by subdivision (a) is deemed to have suffered an injury in fact, and, therefore, may recover a civil penalty for each breach of the security of the system, damages, and reasonable attorneys fees and costs pursuant to Section 1798.84 in addition to any other rights or remedies provided by law.(c)(d) As used in this section, significant risk means a vulnerability score, calculated using a standard measurement system used by industry, organization, and government information technology systems that is accepted as a best practice for the industry, to determine that the risk is elevated above the lowest level of risk. could reasonably result in a breach of the security of the system, as defined in subdivision (g) of Section 1798.82, of personal information, as defined in subdivision (h) of Section 1798.82.(e) As used in this section, compensating controls means controls that the agency reasonably believes will prevent the computer system vulnerability as described in subdivision (a) from being exploited while the software update is being tested, assessed, and a plan for implementation is being developed, and have been adequately tested and confirmed to sufficiently offset the risk of breach caused by computer system vulnerability as described in subdivision (a).(f) Nothing in this section shall reduce the responsibilities and obligations of a consumer credit reporting agency or third party under this title, including, but not limited to, Section 1798.81.5.(g) The Attorney General has exclusive authority to enforce this section.
1798.81.6. (a) A consumer credit reporting agency agency, as defined in 15 U.S.C. Sec. 1681a(p), that owns, licenses, or maintains personal information about a California resident, or an entity that has a contract with a consumer credit reporting agency and maintains personal information about a California resident on behalf of the consumer credit reporting agency, a third party that maintains personal information about a California resident for a consumer credit reporting agency, that knows, or reasonably should know, that a computer system it owns, operates, or maintains maintains, and for which it controls the security protocols, is subject to a security vulnerability that poses a significant risk to the security of computerized data within the system data, as defined in subdivision(d), that contains personal information, as defined in subdivision (h) of Section 1798.82, shall do all of the following:(1) If a consumer credit reporting agency knows or reasonably should know that a software update is available to address the vulnerability as described in subdivision (a), the agency shall begin to implement the necessary testing, planning, and assessment of its systems for implementation of that software update in the most expedient time possible and without unreasonable delay, in keeping with industry best practices, but in any case no later than three business days after becoming aware aware, or after the point at which it reasonably should have become aware, of the vulnerability and the available software update. The software update shall be completed in the most expedient time possible and without unreasonable delay, in keeping with industry best practices, but in any case no later than 30 90 days after becoming aware aware, or after the point at which it reasonably should have become aware, of the vulnerability and the available software update.(2) Until the software update described in paragraph (1) is complete, the consumer credit reporting agency shall, in keeping with industry best practices, employ reasonable mitigation measures compensating controls to reduce the risk of a breach caused by computer system vulnerability as described in subdivision (a).(3)(b) Notwithstanding whether a software update is available, the consumer credit reporting agency, in keeping with industry best practices, shall do both all of the following:(A)(1) Identify, prioritize, and address the highest-risk highest risk security vulnerabilities most quickly in order to reduce the likelihood that the vulnerabilities that pose the greatest security risk will be exploited.(B)(2) Test the impact of mitigation measures and software updates on its computer system and how they effect and evaluate the impact of compensating controls and software updates and how they affect the vulnerability of the system to threats to the security of computerized data.(3) Require, by contract, that the third party implement and maintain appropriate security measures for personal information. Contracting with a third party to maintain personal information about California residents shall not relieve the consumer credit agency of the requirements of this section.(c) A third party shall notify the consumer credit reporting agency of any known vulnerabilities as expeditiously as possible, but in any event, within two days.(b)A resident of California whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person, as described in subdivision (a) of Section 1798.82, as a result of a breach of the security of the system caused, in whole or in part, by a security vulnerability that was not addressed, as required, by subdivision (a) is deemed to have suffered an injury in fact, and, therefore, may recover a civil penalty for each breach of the security of the system, damages, and reasonable attorneys fees and costs pursuant to Section 1798.84 in addition to any other rights or remedies provided by law.(c)(d) As used in this section, significant risk means a vulnerability score, calculated using a standard measurement system used by industry, organization, and government information technology systems that is accepted as a best practice for the industry, to determine that the risk is elevated above the lowest level of risk. could reasonably result in a breach of the security of the system, as defined in subdivision (g) of Section 1798.82, of personal information, as defined in subdivision (h) of Section 1798.82.(e) As used in this section, compensating controls means controls that the agency reasonably believes will prevent the computer system vulnerability as described in subdivision (a) from being exploited while the software update is being tested, assessed, and a plan for implementation is being developed, and have been adequately tested and confirmed to sufficiently offset the risk of breach caused by computer system vulnerability as described in subdivision (a).(f) Nothing in this section shall reduce the responsibilities and obligations of a consumer credit reporting agency or third party under this title, including, but not limited to, Section 1798.81.5.(g) The Attorney General has exclusive authority to enforce this section.
1798.81.6. (a) A consumer credit reporting agency agency, as defined in 15 U.S.C. Sec. 1681a(p), that owns, licenses, or maintains personal information about a California resident, or an entity that has a contract with a consumer credit reporting agency and maintains personal information about a California resident on behalf of the consumer credit reporting agency, a third party that maintains personal information about a California resident for a consumer credit reporting agency, that knows, or reasonably should know, that a computer system it owns, operates, or maintains maintains, and for which it controls the security protocols, is subject to a security vulnerability that poses a significant risk to the security of computerized data within the system data, as defined in subdivision(d), that contains personal information, as defined in subdivision (h) of Section 1798.82, shall do all of the following:(1) If a consumer credit reporting agency knows or reasonably should know that a software update is available to address the vulnerability as described in subdivision (a), the agency shall begin to implement the necessary testing, planning, and assessment of its systems for implementation of that software update in the most expedient time possible and without unreasonable delay, in keeping with industry best practices, but in any case no later than three business days after becoming aware aware, or after the point at which it reasonably should have become aware, of the vulnerability and the available software update. The software update shall be completed in the most expedient time possible and without unreasonable delay, in keeping with industry best practices, but in any case no later than 30 90 days after becoming aware aware, or after the point at which it reasonably should have become aware, of the vulnerability and the available software update.(2) Until the software update described in paragraph (1) is complete, the consumer credit reporting agency shall, in keeping with industry best practices, employ reasonable mitigation measures compensating controls to reduce the risk of a breach caused by computer system vulnerability as described in subdivision (a).(3)(b) Notwithstanding whether a software update is available, the consumer credit reporting agency, in keeping with industry best practices, shall do both all of the following:(A)(1) Identify, prioritize, and address the highest-risk highest risk security vulnerabilities most quickly in order to reduce the likelihood that the vulnerabilities that pose the greatest security risk will be exploited.(B)(2) Test the impact of mitigation measures and software updates on its computer system and how they effect and evaluate the impact of compensating controls and software updates and how they affect the vulnerability of the system to threats to the security of computerized data.(3) Require, by contract, that the third party implement and maintain appropriate security measures for personal information. Contracting with a third party to maintain personal information about California residents shall not relieve the consumer credit agency of the requirements of this section.(c) A third party shall notify the consumer credit reporting agency of any known vulnerabilities as expeditiously as possible, but in any event, within two days.(b)A resident of California whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person, as described in subdivision (a) of Section 1798.82, as a result of a breach of the security of the system caused, in whole or in part, by a security vulnerability that was not addressed, as required, by subdivision (a) is deemed to have suffered an injury in fact, and, therefore, may recover a civil penalty for each breach of the security of the system, damages, and reasonable attorneys fees and costs pursuant to Section 1798.84 in addition to any other rights or remedies provided by law.(c)(d) As used in this section, significant risk means a vulnerability score, calculated using a standard measurement system used by industry, organization, and government information technology systems that is accepted as a best practice for the industry, to determine that the risk is elevated above the lowest level of risk. could reasonably result in a breach of the security of the system, as defined in subdivision (g) of Section 1798.82, of personal information, as defined in subdivision (h) of Section 1798.82.(e) As used in this section, compensating controls means controls that the agency reasonably believes will prevent the computer system vulnerability as described in subdivision (a) from being exploited while the software update is being tested, assessed, and a plan for implementation is being developed, and have been adequately tested and confirmed to sufficiently offset the risk of breach caused by computer system vulnerability as described in subdivision (a).(f) Nothing in this section shall reduce the responsibilities and obligations of a consumer credit reporting agency or third party under this title, including, but not limited to, Section 1798.81.5.(g) The Attorney General has exclusive authority to enforce this section.
1798.81.6. (a) A consumer credit reporting agency agency, as defined in 15 U.S.C. Sec. 1681a(p), that owns, licenses, or maintains personal information about a California resident, or an entity that has a contract with a consumer credit reporting agency and maintains personal information about a California resident on behalf of the consumer credit reporting agency, a third party that maintains personal information about a California resident for a consumer credit reporting agency, that knows, or reasonably should know, that a computer system it owns, operates, or maintains maintains, and for which it controls the security protocols, is subject to a security vulnerability that poses a significant risk to the security of computerized data within the system data, as defined in subdivision(d), that contains personal information, as defined in subdivision (h) of Section 1798.82, shall do all of the following:
(1) If a consumer credit reporting agency knows or reasonably should know that a software update is available to address the vulnerability as described in subdivision (a), the agency shall begin to implement the necessary testing, planning, and assessment of its systems for implementation of that software update in the most expedient time possible and without unreasonable delay, in keeping with industry best practices, but in any case no later than three business days after becoming aware aware, or after the point at which it reasonably should have become aware, of the vulnerability and the available software update. The software update shall be completed in the most expedient time possible and without unreasonable delay, in keeping with industry best practices, but in any case no later than 30 90 days after becoming aware aware, or after the point at which it reasonably should have become aware, of the vulnerability and the available software update.
(2) Until the software update described in paragraph (1) is complete, the consumer credit reporting agency shall, in keeping with industry best practices, employ reasonable mitigation measures compensating controls to reduce the risk of a breach caused by computer system vulnerability as described in subdivision (a).
(3)
(b) Notwithstanding whether a software update is available, the consumer credit reporting agency, in keeping with industry best practices, shall do both all of the following:
(A)
(1) Identify, prioritize, and address the highest-risk highest risk security vulnerabilities most quickly in order to reduce the likelihood that the vulnerabilities that pose the greatest security risk will be exploited.
(B)
(2) Test the impact of mitigation measures and software updates on its computer system and how they effect and evaluate the impact of compensating controls and software updates and how they affect the vulnerability of the system to threats to the security of computerized data.
(3) Require, by contract, that the third party implement and maintain appropriate security measures for personal information. Contracting with a third party to maintain personal information about California residents shall not relieve the consumer credit agency of the requirements of this section.
(c) A third party shall notify the consumer credit reporting agency of any known vulnerabilities as expeditiously as possible, but in any event, within two days.
(b)A resident of California whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person, as described in subdivision (a) of Section 1798.82, as a result of a breach of the security of the system caused, in whole or in part, by a security vulnerability that was not addressed, as required, by subdivision (a) is deemed to have suffered an injury in fact, and, therefore, may recover a civil penalty for each breach of the security of the system, damages, and reasonable attorneys fees and costs pursuant to Section 1798.84 in addition to any other rights or remedies provided by law.
(c)
(d) As used in this section, significant risk means a vulnerability score, calculated using a standard measurement system used by industry, organization, and government information technology systems that is accepted as a best practice for the industry, to determine that the risk is elevated above the lowest level of risk. could reasonably result in a breach of the security of the system, as defined in subdivision (g) of Section 1798.82, of personal information, as defined in subdivision (h) of Section 1798.82.
(e) As used in this section, compensating controls means controls that the agency reasonably believes will prevent the computer system vulnerability as described in subdivision (a) from being exploited while the software update is being tested, assessed, and a plan for implementation is being developed, and have been adequately tested and confirmed to sufficiently offset the risk of breach caused by computer system vulnerability as described in subdivision (a).
(f) Nothing in this section shall reduce the responsibilities and obligations of a consumer credit reporting agency or third party under this title, including, but not limited to, Section 1798.81.5.
(g) The Attorney General has exclusive authority to enforce this section.
(a)Any waiver of a provision of this title is contrary to public policy and is void and unenforceable.
(b)A customer or a resident, as described in subdivision (b) of Section 1798.81.6, injured by a violation of this title may institute a civil action to recover damages.
(c)In addition, for a willful, intentional, or reckless violation of Section 1798.81.6 or 1798.83, a customer or resident may recover a civil penalty not to exceed three thousand dollars ($3,000) per violation; otherwise, the customer or resident may recover a civil penalty of up to five hundred dollars ($500) per violation for a violation of Section 1798.81.6 or 1798.83.
(d)Unless the violation is willful, intentional, or reckless, a business that is alleged to have not provided all the information required by subdivision (a) of Section 1798.83, to have provided inaccurate information, failed to provide any of the information required by subdivision (a) of Section 1798.83, or failed to provide information in the time period required by subdivision (b) of Section 1798.83, may assert as a complete defense in any action in law or equity that it thereafter provided regarding the information that was alleged to be untimely, all the information, or accurate information, to all customers who were provided incomplete or inaccurate information, respectively, within 90 days of the date the business knew that it had failed to provide the information, timely information, all the information, or the accurate information, respectively.
(e)Any business that violates, proposes to violate, or has violated this title may be enjoined.
(f)(1)A cause of action shall not lie against a business for disposing of abandoned records containing personal information by shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means.
(2)The Legislature finds and declares that when records containing personal information are abandoned by a business, they often end up in the possession of a storage company or commercial landlord. It is the intent of the Legislature in paragraph (1) to create a safe harbor for such a record custodian who properly disposes of the records in accordance with paragraph (1).
(g)A prevailing plaintiff in any action commenced under Section 1798.81.6 or 1798.83 shall also be entitled to recover his or her reasonable attorneys fees and costs.
(h)The rights and remedies available under this section are cumulative to each other and to any other rights and remedies available under law.