Amended in Assembly April 16, 2015

Amended in Assembly April 9, 2015

Amended in Assembly March 26, 2015

California Legislature—2015–16 Regular Session

Assembly Bill No. 739


Introduced by Assembly Member Irwin

February 25, 2015


An act to add [begin insert]and repeal[end insert] Section 43.99.1 to the Civil Code, relating to civil law.

LEGISLATIVE COUNSEL’S DIGEST

AB 739, as amended, Irwin. Civil law: liability: communication of cyber security: threat information.

Existing law requires a business that owns, licenses, or maintains personal information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. Existing law requires a person or business conducting business in California that owns or licenses computerized data that includes personal information, as defined, to disclose, as specified, a breach of the security of the system or data following discovery or notification of the security breach to any California resident whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person, unless the information was encrypted. Existing law also requires a person or business that maintains computerized data that includes personal information that the person or business does not own to notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, as specified.

This bill [begin delete]would require the Attorney General to create a registry of private entities that intend to engage in communication of cyber security-threat information, as defined. The bill would also[end delete] [begin insert]would, until January 1, 2020,[end insert] provide that there shall be no civil or criminal liability for, and no cause of action shall arise against, [begin delete]a registered[end delete] [begin insert]an[end insert] entity based upon its communication of cyber security-threat information to another private entity, or to a state [begin delete]entity.[end delete] [begin insert]law enforcement agency.[end insert] The immunity from liability would only apply if the communication is made without the intent to injure, defraud, or to otherwise endanger any individual or public or private entity and is made to address a vulnerability in, or to prevent a threat to the integrity, confidentiality, or availability of, a system, network, or critical infrastructure component of a public or private entity, to provide support for cyber security crime investigation, or to protect [begin delete]individuals[end delete] [begin insert]individuals, entities,[end insert] or the state from harm, as specified. The bill would also prohibit a private entity that communicates cyber security-threat information from using that information to gain an unfair competitive advantage and require that [begin delete]it[end delete] [begin insert]it, in good faith,[end insert] make reasonable efforts to safeguard communications, comply with any lawful restriction placed on the communication, [begin delete]and[end delete] transfer the cyber security-threat information as expediently as possible while upholding reasonable protections, [begin insert]and ensure that appropriate anonymization and minimization of the information contained in the communication,[end insert] as specified.

[begin delete]The bill would also require the Attorney General to submit an annual report to the Legislature regarding the operation of these provisions that includes an assessment of the impact of these provisions on the privacy of the personal information of California residents.[end delete]

[begin insert]This bill would specify that a communication of cyber security-threat information made in compliance with this section and shared with a public agency is confidential and shall not be disclosed under the California Public Records Act.[end insert]

[begin insert]Existing constitutional provisions require that a statute that limits the right of access to the meetings of public bodies or the writings of public officials and agencies be adopted with findings demonstrating the interest protected by the limitation and the need for protecting that interest.[end insert]

[begin insert]This bill would make legislative findings to that effect.[end insert]

Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: no.

The people of the State of California do enact as follows:

SECTION 1. Section 43.99.1 is added to the Civil Code, to read:

43.99.1. (a) There shall be no civil or criminal liability for, and no cause of action shall arise against, a private entity whose actions comply with subdivision [begin delete](b), and that has registered with the Attorney General pursuant to subdivision (c),[end delete] [begin insert](b)[end insert] based upon its communication of cyber security-threat information to another private entity, or to a state [begin delete]entity identified by the Attorney General.[end delete] [begin insert]law enforcement agency.[end insert] The immunity from liability granted by this section shall only apply if the communication is made without the intent to injure, defraud, or to otherwise endanger any individual or public or private entity and is made for one of the following purposes:

(1) To address a vulnerability of a system, network, or critical infrastructure component of a public or private entity.

(2) To prevent a threat to the integrity, confidentiality, or availability of a system, network, or critical infrastructure component of a public or private entity.

(3) To provide support for cyber security crime investigation.

(4) To protect individuals [begin insert]and entities[end insert] from personal or economic harm.

(5) To protect the state’s economic interests, including, but not limited to, networks, assets, and personal information.

(b) A private entity that communicates cyber security-threat information shall not use that information to gain an unfair competitive advantage and [begin delete]shall[end delete] [begin insert]shall, in good faith,[end insert] do all of the following:

(1) Make reasonable efforts to safeguard communications that can be used to identify specific persons from unauthorized access or acquisition.

(2) Comply with any lawful restriction placed on the communication, including the removal of information that can be used to identify specific persons.

(3) Transfer the cyber security-threat information as expediently as possible while upholding reasonable protections.

[begin delete](c) The Attorney General shall create a registry of private entities that intend to engage in communication of cyber security-threat information.[end delete]

[begin delete](d) The Attorney General shall submit an annual report to the Legislature regarding the operation of these provisions that includes an assessment of the impact of these provisions on the privacy of the personal information of California residents.[end delete]

[begin insert](4) Ensure, at a minimum, appropriate anonymization and minimization of the information contained in the communication.[end insert]
[begin delete](e)[end delete] [begin insert](c)[end insert] For purposes of this section, “cyber security-threat information” means information pertaining directly to one of the following:

(1) A vulnerability of a system, network, or critical infrastructure component of a public or private entity.

(2) A threat to the integrity, confidentiality, or availability of a system, network, or critical infrastructure component of a public or private entity.

(3) Efforts to deny access to, or to cause the degradation, disruption, or destruction of a system, network, or critical infrastructure component of a public or private entity.

(4) Efforts to gain unauthorized access to a system, network, or critical infrastructure component of a public or private entity, including efforts to gain unauthorized access for the purpose of exfiltrating information stored on, processed on, or transitioning through, a system, network, or critical infrastructure component of a public or private entity.

[begin delete](f) (1) The requirement for submitting a report imposed under subdivision (d) is inoperative on January 1, 2020, pursuant to Section 10231.5 of the Government Code.[end delete]

[begin delete](2) A report to be submitted pursuant to subdivision (d) shall be submitted in compliance with Section 9795 of the Government Code.[end delete]

[begin insert](d) A communication of cyber security-threat information made in compliance with this section and shared with a public agency is confidential and shall not be disclosed under the California Public Records Act (Chapter 3.5 (commencing with Section 6250) of Division 7 of Title 1 of the Government Code).[end insert]

[begin insert](e) This section shall become inoperative on January 1, 2020, and as of that date is repealed.[end insert]
[begin insert]SEC. 2.[end insert] [begin insert]The Legislature finds and declares that Section 1 of this act, which adds Section 6254.32 to the Government Code, imposes a limitation on the public’s right of access to the meetings of public bodies or the writings of public officials and agencies within the meaning of Section 3 of Article I of the California Constitution. Pursuant to that constitutional provision, the Legislature makes the following findings to demonstrate the interest protected by this limitation and the need for protecting that interest:[end insert]

[begin insert]The need to protect information regarding the specific vulnerabilities of and threats to information technology systems to preclude use of that information to facilitate attacks on those systems outweighs the interest in the public disclosure of that information.[end insert]

