AB 739, as amended, Irwin. Civil law: liability: communication of cyber [deleted: security: threat] [inserted: security-threat] information.
Existing law requires a business that owns, licenses, or maintains personal information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. Existing law requires a person or business conducting business in California that owns or licenses computerized data that includes personal information, as defined, to disclose, as specified, a breach of the security of the system or data following discovery or notification of the security breach to any California resident whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person, unless the information was encrypted. Existing law also requires a person or business that maintains computerized data that includes personal information that the person or business does not own to notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, as specified.
This bill would, until January 1, 2020, provide that there shall be no civil or criminal liability for, and no cause of action shall [deleted: arise against, an] [inserted: lie or be maintained against any private] entity [deleted: based upon its communication of cyber security-threat information to another private entity, or to a state law enforcement agency.] [inserted: for the sharing or receiving of cyber security-threat information if the sharing or receiving is conducted, as specified.] The immunity from liability would only apply if the communication is made without [deleted: the intent to injure, defraud, or to otherwise endanger any individual or public or private entity and is made to address a vulnerability in, or to prevent a threat to the integrity, confidentiality, or availability of, a system, network, or critical infrastructure component of a public or private entity, to provide support for cyber security crime investigation, or to protect individuals, entities, or the state from harm,] [inserted: gross negligence,] as specified. The bill would also prohibit a private entity that [deleted: communicates] [inserted: is engaged in sharing or receiving] cyber security-threat information from using that information to gain an unfair competitive advantage and require that it, in good faith, make reasonable efforts to safeguard communications, comply with any lawful restriction placed on the communication, transfer the cyber security-threat information as expediently as possible while upholding reasonable protections, and ensure appropriate anonymization and minimization of the information contained in the communication, as specified.
[deleted: This bill would specify that a communication of cyber security-threat information made in compliance with this section and shared with a public agency is confidential and shall not be disclosed under the California Public Records Act.]
[deleted: Existing constitutional provisions require that a statute that limits the right of access to the meetings of public bodies or the writings of public officials and agencies be adopted with findings demonstrating the interest protected by the limitation and the need for protecting that interest.]
[deleted: This bill would make legislative findings to that effect.]
Vote: majority.
Appropriation: no.
Fiscal committee: [deleted: yes] [inserted: no].
State-mandated local program: no.
The people of the State of California do enact as follows:
Section 43.99.1 is added to the Civil Code, to read:
(a) [deleted: There shall be no civil or criminal liability for, and no] [inserted: (1) No] cause of action shall [deleted: arise] [inserted: lie, or be maintained] against, [deleted: a] [inserted: any] private entity [deleted: whose actions comply] [inserted: for the sharing or receiving of cyber security-threat information if the sharing or receiving is conducted in accordance] with subdivision (b) based upon its communication of cyber security-threat information to another private [deleted: entity, or to a state law enforcement agency.] [inserted: public entity.] The immunity from liability granted by this section shall only apply if the communication is made without [deleted: the intent to injure, defraud, or to otherwise endanger any individual or public or private entity and is made for one of the following purposes:] [inserted: gross negligence.]
[deleted: (1) To address a vulnerability of a system, network, or critical infrastructure component of a public or private entity.
(2) To prevent a threat to the integrity, confidentiality, or availability of a system, network, or critical infrastructure component of a public or private entity.
(3) To provide support for cyber security crime investigation.
(4) To protect individuals and entities from personal or economic harm.
(5) To protect the state’s economic interests, including, but not limited to, networks, assets, and personal information.]
[inserted: (2) Nothing in this subdivision shall be construed to require dismissal of a cause of action against a private entity that has engaged in gross negligence in the course of sharing or receiving cyber security-threat information, or to undermine or limit the availability of otherwise applicable common law or statutory defenses.
(3) In any action claiming that the immunity from liability described in paragraph (1) does not apply due to the defendant acting with gross negligence, the plaintiff shall have the burden of proving by substantial evidence the gross negligence and that the gross negligence caused injury to the plaintiff.
(4) For purposes of this section, “gross negligence” includes actions that include all of the following elements engaged in:
(A) To intentionally injure, defraud, or otherwise endanger any individual or public or private entity.
(B) Knowingly without legal or factual justification.
(C) Without regard for a foreseeable risk that is so great as to make it highly probable that the harm will outweigh the benefit.
(D) Involving information that serves as criminal evidence for matters unrelated to a cyber security-threat or the otherwise known business of the private entity.]
(b) A private entity that [deleted: communicates] [inserted: is engaged in sharing or receiving] cyber security-threat information shall not use that information to gain an unfair competitive advantage and shall, in good faith, do all of the following:
(1) Make reasonable efforts to safeguard communications that can be used to identify specific persons from unauthorized access or acquisition.
(2) Comply with any lawful restriction placed on the communication, including the removal of information that can be used to identify specific persons.
(3) Transfer the cyber security-threat information as expediently as possible while upholding reasonable protections.
(4) Ensure, at a minimum, appropriate anonymization and minimization of the information contained in the communication.
(c) For purposes of this section, “cyber security-threat information” means information pertaining directly to one of the following:
(1) A vulnerability of a system, network, or critical infrastructure component of a public or private entity.
(2) A threat to the integrity, confidentiality, or availability of a system, network, or critical infrastructure component of a public or private entity.
(3) Efforts to deny access to, or to cause the degradation, disruption, or destruction of a system, network, or critical infrastructure component of a public or private entity.
(4) Efforts to gain unauthorized access to a system, network, or critical infrastructure component of a public or private entity, including efforts to gain unauthorized access for the purpose of exfiltrating information stored on, processed on, or transitioning through, a system, network, or critical infrastructure component of a public or private entity.
[deleted: (d) A communication of cyber security-threat information made in compliance with this section and shared with a public agency is confidential and shall not be disclosed under the California Public Records Act (Chapter 3.5 (commencing with Section 6250) of Division 7 of Title 1 of the Government Code).
(e)] [inserted: (d)] This section shall become inoperative on January 1, 2020, and as of that date is repealed.
The Legislature finds and declares that Section 1 of this act, which adds Section 6254.32 to the Government Code, imposes a limitation on the public’s right of access to the meetings of public bodies or the writings of public officials and agencies within the meaning of Section 3 of Article I of the California Constitution. Pursuant to that constitutional provision, the Legislature makes the following findings to demonstrate the interest protected by this limitation and the need for protecting that interest:
The need to protect information regarding the specific vulnerabilities of and threats to information technology systems to preclude use of that information to facilitate attacks on those systems outweighs the interest in the public disclosure of that information.