Bloomberg Law

California Bill Would Add Security Standards to Data Breach Law

Aug. 22, 2016, 9:34 PM

By Laura Mahoney, Bloomberg BNA

A California lawmaker has revived a bill to set a “reasonably prudent” standard for businesses to protect personal consumer data, including geolocation and biometric information, in the final two weeks of the legislative session.

Assemblyman Mike Gatto (D) amended A.B. 83, a bill that has been dormant for a year, setting new standards for businesses to use reasonable security procedures and practices if they hold or maintain personal information.

The amendments became public Aug. 20, and the session ends Aug. 31. The bill passed the Assembly in 2015, so it now needs approval in the Senate and agreement from the Assembly on the amendments to reach the desk of Gov. Jerry Brown (D).

Although the bill hasn’t moved since July 2015 and has been considered inactive since September 2015, Gatto told Bloomberg BNA Aug. 22 that the new amendments reflect a compromise he negotiated for two years with business and privacy groups, and that it still accomplishes his intent to set standards for protecting personal data where none now exist.

“The next frontier is to use facial recognition to track you when you walk into a mall,” he said. “People who store this information should have strong encryption and consumer protections.”

Foreseeable Risks

Under the bill, businesses that hold personal consumer information would be required to identify foreseeable internal and external risks that could compromise the information, and maintain reasonable safeguards.

The bill would expand the definition of personal information in California law beyond social security numbers, driver’s license numbers and medical information to include geolocation and biometric data, tax identification numbers, passport numbers, military identification numbers, and employment identification numbers.

Gatto said crafting the geolocation data provisions to cover consumer data without going too far has been tricky. For example, the bill would apply to data gathered by transportation network companies such as Uber Technologies Inc. and Lyft Inc., exercise trackers from Fitbit Inc., and the Internet of Things. It wouldn’t apply to data from key card readers for entering office buildings, or electronic receipts that indicate a person’s location.

“We’re not trying to subsume key card readers at different entrances on different floors at law firms,” he said.

Reasonably Prudent

The bill would require businesses to use reasonable security procedures and practices for the storage and transmission of data, which means “security of that information to the degree that any reasonably prudent business would provide.”

Businesses would regularly assess the sufficiency of their safeguards, which would be based on the type of information under their control, foreseeable threats, the existence of widely accepted practices, costs, and the size of the businesses.

Health care providers and plans, financial institutions, and entities covered by the Health Insurance Portability and Accountability Act would be exempt from the bill.

The bill doesn’t contain specific penalties, but Gatto said enforcement would happen in one of three ways: through the California Attorney General, through civil suits under Business and Professions Code section 17200, which applies to unfair competition, and through civil suits for negligence.

Gatto said he is expecting that the Senate Judiciary Committee, which approved the earlier version of the bill in July 2015, will consider the bill again this week because of the substantial amendments. If it passes the committee, it will need approval on the Senate floor and a final vote from the Assembly to concur in the Senate amendments before it can reach the governor’s desk.

To contact the reporter on this story: Laura Mahoney in Sacramento, Calif. at
