AB 739: Civil law: liability: communication of cyber security-threat information.

Existing law requires a business that owns, licenses, or maintains personal information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. Existing law requires a person or business conducting business in California that owns or licenses computerized data that includes personal information, as defined, to disclose, as specified, a breach of the security of the system or data following discovery or notification of the security breach to any California resident whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person, unless the information was encrypted. Existing law also requires a person or business that maintains computerized data that includes personal information that the person or business does not own to notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, as specified.

This bill would, until January 1, 2020, provide that there shall be no civil or criminal liability for, and no cause of action shall arise against, an lie or be maintained against any private entity based upon its communication of cyber security-threat information to another private entity, or to a state law enforcement agency. for the sharing or receiving of cyber security-threat information if the sharing or receiving is conducted, as specified. The immunity from liability would only apply if the communication is made without the intent to injure, defraud, or to otherwise endanger any individual or public or private entity and is made to address a vulnerability in, or to prevent a threat to the integrity, confidentiality, or availability of, a system, network, or critical infrastructure component of a public or private entity, to provide support for cyber security crime investigation, or to protect individuals, entities, or the state from harm, gross negligence, as specified. The bill would also prohibit a private entity that communicates is engaged in sharing or receiving cyber security-threat information from using that information to gain an unfair competitive advantage and require that it, in good faith, make reasonable efforts to safeguard communications, comply with any lawful restriction placed on the communication, transfer the cyber security-threat information as expediently as possible while upholding reasonable protections, and ensure that appropriate anonymization and minimization of the information contained in the communication, as specified.