Amended in Assembly April 9, 2015

Amended in Assembly March 26, 2015

California Legislature—2015–16 Regular Session

Assembly Bill No. 739


Introduced by Assembly Member Irwin

February 25, 2015


An act to add Section 43.99.1 to the Civil Code, relating to civil law.

LEGISLATIVE COUNSEL’S DIGEST

AB 739, as amended, Irwin. Civil law: liability: communication of cyber security: threat information.

Existing law requires a business that owns, licenses, or maintains personal information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. Existing law requires a person or business conducting business in California that owns or licenses computerized data that includes personal information, as defined, to disclose, as specified, a breach of the security of the system or data following discovery or notification of the security breach to any California resident whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person, unless the information was encrypted. Existing law also requires a person or business that maintains computerized data that includes personal information that the person or business does not own to notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, as specified.

This bill would require the Attorney General to create a registry of private entities that intend to engage in communication of cyber security-threat information, as defined. The bill would also provide that there shall be no civil or criminal liability for, and no cause of action shall arise against, a registered entity based upon its communication of cyber security-threat information to another private entity, or to a state entity. The immunity from liability would only apply if the communication is made without the intent to injure, defraud, or to otherwise endanger any individual or public or private entity and is made to address a vulnerability in, or to prevent a threat to the integrity, confidentiality, or availability of, a system, network, or critical infrastructure component of a public or private entity, to provide support for cyber security crime investigation, or to protect individuals or the state from harm, as specified. begin insert The bill would also prohibit a private entity that communicates cyber security-threat information from using that information to gain an unfair competitive advantage and require that it make reasonable efforts to safeguard communications, comply with any lawful restriction placed on the communication, and transfer the cyber security-threat information as expediently as possible while upholding reasonable protections, as specified. end insert

begin insert

The bill would also require the Attorney General to submit an annual report to the Legislature regarding the operation of these provisions that includes an assessment of the impact of these provisions on the privacy of the personal information of California residents.

end insert

Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: no.

The people of the State of California do enact as follows:

SECTION 1. Section 43.99.1 is added to the Civil Code, to read:

43.99.1. (a) There shall be no civil or criminal liability for, and no cause of action shall arise against, a private entity begin insert whose actions comply with subdivision (b), and end insert that has registered with the Attorney General pursuant to subdivision begin delete (b), end delete begin insert (c), end insert based upon its communication of cyber security-threat information to another private entity, or to a state entity identified by the Attorney General. The immunity from liability granted by this section shall only apply if the communication is made without the intent to injure, defraud, or to otherwise endanger any individual or public or private entity and is made for one of the following purposes:

(1) To address a vulnerability of a system, network, or critical infrastructure component of a public or private entity.

(2) To prevent a threat to the integrity, confidentiality, or availability of a system, network, or critical infrastructure component of a public or private entity.

(3) To provide support for cyber security crime investigation.

(4) To protect individuals from personal or economic harm.

(5) To protect the state’s economic interests, including, but not limited to, networks, assets, and personal information.

begin insert

(b) A private entity that communicates cyber security-threat information shall not use that information to gain an unfair competitive advantage and shall do all of the following:

end insert
begin insert

(1) Make reasonable efforts to safeguard communications that can be used to identify specific persons from unauthorized access or acquisition.

end insert
begin insert

(2) Comply with any lawful restriction placed on the communication, including the removal of information that can be used to identify specific persons.

end insert
begin insert

(3) Transfer the cyber security-threat information as expediently as possible while upholding reasonable protections.

end insert
begin delete

(b)

end delete

begin insert (c) end insert The Attorney General shall create a registry of private entities that intend to engage in communication of cyber security-threat information.

begin insert

(d) The Attorney General shall submit an annual report to the Legislature regarding the operation of these provisions that includes an assessment of the impact of these provisions on the privacy of the personal information of California residents.

end insert
begin delete

(c)

end delete

begin insert (e) end insert For purposes of this section, “cyber security-threat information” means information pertaining directly to one of the following:

(1) A vulnerability of a system, network, or critical infrastructure component of a public or private entity.

(2) A threat to the integrity, confidentiality, or availability of a system, network, or critical infrastructure component of a public or private entity.

(3) Efforts to deny access to, or to cause the degradation, disruption, or destruction of a system, network, or critical infrastructure component of a public or private entity.

(4) Efforts to gain unauthorized access to a system, network, or critical infrastructure component of a public or private entity, including efforts to gain unauthorized access for the purpose of exfiltrating information stored on, processed on, or transitioning through, a system, network, or critical infrastructure component of a public or private entity.

begin insert

(f) (1) The requirement for submitting a report imposed under subdivision (d) is inoperative on January 1, 2020, pursuant to Section 10231.5 of the Government Code.

end insert
begin insert

(2) A report to be submitted pursuant to subdivision (d) shall be submitted in compliance with Section 9795 of the Government Code.

end insert

