AB 1859: Customer records.
- Session Year: 2017-2018
- House: Assembly
- Latest Version Date: 2018-09-19
Existing law regulating consumer credit reporting agencies provides as its purpose to require, among other things, that these agencies adopt reasonable procedures for meeting the needs of commerce for consumer credit in a manner that is fair and equitable to the consumer with regard to the confidentiality of such information and in a manner that will best protect the interests of the people of the state. Existing law requires a person or business that owns or licenses computerized data that includes personal information to disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person, or, whose encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person and the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person and the agency that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information readable or useable. Existing law requires the disclosure to be made in the most expedient time possible and without unreasonable delay, as specified. Existing law authorizes any customer who is injured by a violation of these provisions to institute a civil action to recover damages.
This bill would require a consumer credit reporting agency that owns, licenses, or maintains personal information about a California resident, or a 3rd party that maintains personal information about a California resident on behalf of a consumer credit reporting agency, that knows, or reasonably should know, that a computer system it owns, operates, or maintains, and for which it controls the security protocols, is subject to a security vulnerability that poses a significant risk to the security of computerized data within the system that contains personal information, to take certain measures to protect that data, including implementing software updates, if it knows or reasonably should know that a software update is available to address the security vulnerability, and employing reasonable compensating controls to reduce the risk of a breach caused by computer system vulnerability until the software update is complete, as specified.