CALIFORNIA LEGISLATURE    2021   2022 REGULAR SESSION

Assembly Bill
No. 825


Introduced by Assembly Member Levine

February  16,  2021


An act to amend Sections 1798.81.5 and 1798.82 of the Civil Code, relating to information privacy.


LEGISLATIVE COUNSEL'S DIGEST


AB 825, as introduced, Levine. Personal information: data breaches: genetic information.
Existing law requires a business that owns, licenses, or maintains personal information about a California resident to implement and maintain reasonable security procedures and practices. Existing law requires a person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, to disclose a breach of the security of the system following discovery or notification of the breach.
This bill would specify that personal information for these purposes includes genetic information, and would define genetic information to mean an individual   s genetic tests, the genetic tests of family members of an individual, or the manifestation of a disease or disorder in family members of the individual.
Vote: MAJORITY     Appropriation: NO     Fiscal Committee: NO     Local Program: NO    

The people of the State of California do enact as follows:


SECTION 1.

 Section 1798.81.5 of the Civil Code is amended to read:

1798.81.5.
 (a)  (1)  It is the intent of the Legislature to ensure that personal information about California residents is protected. To that end, the purpose of this section is to encourage businesses that own, license, or maintain personal information about Californians to provide reasonable security for that information.
(2)  For the purpose of this section, the terms    own    and    license    include personal information that a business retains as part of the business    internal customer account or for the purpose of using that information in transactions with the person to whom the information relates. The term    maintain    includes personal information that a business maintains but does not own or license.
(b)  A business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
(c)  A business that discloses personal information about a California resident pursuant to a contract with a nonaffiliated third party that is not subject to subdivision (b) shall require by contract that the third party implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
(d)  For purposes of this section, the following terms have the following meanings:
(1)     Personal information    means either of the following:
(A)   An individual   s first name or first initial and the individual   s last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:
(i)  Social security number.
(ii)  Driver   s license number, California identification card number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual.
(iii)  Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual   s financial account.
(iv)  Medical information.
(v)  Health insurance information.
(vi)  Unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, used to authenticate a specific individual. Unique biometric data does not include a physical or digital photograph, unless used or stored for facial recognition purposes.
(vii)  Genetic information.
(B)  A username or email address in combination with a password or security question and answer that would permit access to an online account.
(2)     Medical information    means any individually identifiable information, in electronic or physical form, regarding the individual   s medical history or medical treatment or diagnosis by a health care professional.
(3)     Health insurance information    means an individual   s insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual   s application and claims history, including any appeals records.
(4)     Personal information    does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
(5)  (A)     Genetic information    means information about any of the following:
(i)  The individual   s genetic tests.
(ii)  The genetic tests of family members of the individual.
(iii)  The manifestation of a disease or disorder in family members of the individual.
(B)     Genetic information    includes any request for, or receipt of, genetic services, or participation in clinical research that includes genetic services, by the individual or any family member of the individual.
(C)     Genetic information    does not include information about the sex or age of the individual.
(e)  The provisions of this section do not apply to any of the following:
(1)  A provider of health care, health care service plan, or contractor regulated by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1).
(2)  A financial institution as defined in Section 4052 of the Financial Code and subject to the California Financial Information Privacy Act (Division 1.2 1.4 (commencing with Section 4050) of the Financial Code).
(3)  A covered entity governed by the medical privacy and security rules issued by the federal Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Availability Act of 1996 (HIPAA).
(4)  An entity that obtains information under an agreement pursuant to Article 3 (commencing with Section 1800) of Chapter 1 of Division 2 of the Vehicle Code and is subject to the confidentiality requirements of the Vehicle Code.
(5)  A business that is regulated by state or federal law providing greater protection to personal information than that provided by this section in regard to the subjects addressed by this section. Compliance with that state or federal law shall be deemed compliance with this section with regard to those subjects. This paragraph does not relieve a business from a duty to comply with any other requirements of other state and federal law regarding the protection and privacy of personal information.

SEC. 2.

 Section 1798.82 of the Civil Code is amended to read:

1798.82.
 (a)  A person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose a breach of the security of the system following discovery or notification of the breach in the security of the data to a resident of California (1) whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person, or, (2) whose encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person and the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person and the person or business that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information readable or usable. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
(b)  A person or business that maintains computerized data that includes personal information that the person or business does not own shall notify the owner or licensee of the information of the breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
(c)  The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notification required by this section shall be made promptly after the law enforcement agency determines that it will not compromise the investigation.
(d)  A person or business that is required to issue a security breach notification pursuant to this section shall meet all of the following requirements:
(1)  The security breach notification shall be written in plain language, shall be titled    Notice of Data Breach,    and shall present the information described in paragraph (2) under the following headings:    What Happened,       What Information Was Involved,       What We Are Doing,       What You Can Do,    and    For More Information.    Additional information may be provided as a supplement to the notice.
(A)  The format of the notice shall be designed to call attention to the nature and significance of the information it contains.
(B)  The title and headings in the notice shall be clearly and conspicuously displayed.
(C)  The text of the notice and any other notice provided pursuant to this section shall be no smaller than 10-point type.
(D)  For a written notice described in paragraph (1) of subdivision (j), use of the model security breach notification form prescribed below or use of the headings described in this paragraph with the information described in paragraph (2), written in plain language, shall be deemed to be in compliance with this subdivision.
   
[NAME  OF  INSTITUTION  /  LOGO]     _____ _____    Date:  [insert  date]
   
   
NOTICE OF DATA BREACH
   


What Happened?



 


What Information Was Involved?





What We Are Doing.





What You Can Do.



 
Other Important Information.
[insert other important information]









For More Information.


Call  [telephone  number]  or  go  to [internet website]

(E)  For an electronic notice described in paragraph (2) of subdivision (j), use of the headings described in this paragraph with the information described in paragraph (2), written in plain language, shall be deemed to be in compliance with this subdivision.
(2)  The security breach notification described in paragraph (1) shall include, at a minimum, the following information:
(A)  The name and contact information of the reporting person or business subject to this section.
(B)  A list of the types of personal information that were or are reasonably believed to have been the subject of a breach.
(C)  If the information is possible to determine at the time the notice is provided, then any of the following: (i) the date of the breach, (ii) the estimated date of the breach, or (iii) the date range within which the breach occurred. The notification shall also include the date of the notice.
(D)  Whether notification was delayed as a result of a law enforcement investigation, if that information is possible to determine at the time the notice is provided.
(E)  A general description of the breach incident, if that information is possible to determine at the time the notice is provided.
(F)  The toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed a social security number or a driver   s license or California identification card number.
(G)  If the person or business providing the notification was the source of the breach, an offer to provide appropriate identity theft prevention and mitigation services, if any, shall be provided at no cost to the affected person for not less than 12 months along with all information necessary to take advantage of the offer to any person whose information was or may have been breached if the breach exposed or may have exposed personal information defined in subparagraphs (A) and (B) of paragraph (1) of subdivision (h).
(3)  At the discretion of the person or business, the security breach notification may also include any of the following:
(A)  Information about what the person or business has done to protect individuals whose information has been breached.
(B)  Advice on steps that people whose information has been breached may take to protect themselves.
(C)  In breaches involving biometric data, instructions on how to notify other entities that used the same type of biometric data as an authenticator to no longer rely on data for authentication purposes.
(e)  A covered entity under the federal Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Sec. 1320d et seq.) will be deemed to have complied with the notice requirements in subdivision (d) if it has complied completely with Section 13402(f) of the federal Health Information Technology for Economic and Clinical Health Act (Public Law 111-5). However, nothing in this subdivision shall be construed to exempt a covered entity from any other provision of this section.
(f)  A person or business that is required to issue a security breach notification pursuant to this section to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. A single sample copy of a security breach notification shall not be deemed to be within subdivision (f) of Section 6254 of the Government Code.
(g)  For purposes of this section,    breach of the security of the system    means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business. Good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.
(h)  For purposes of this section,    personal information    means either of the f