3220 M Street Telephone: (916) 492-6555 Facsimile: (916) 492-6556 www.theisonlawgroup.com
Appendix 7 Civil Code §§ 1798.81.5 and 1798.84
CIVIL CODE
SECTIONS 1798.81.5 AND 1798.84
1798.81.5 (a) It is the intent of the Legislature to ensure that personal information about
(b) A business that owns or licenses personal information about a
(c) A business that discloses personal information about a California resident pursuant to a contract with a nonaffiliated third party shall require by contract that the third party implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
(d) For purposes of this section, the following terms have the following meanings:
(1) "Personal information" means an individual's first name or first initial and his or her last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:
(A) Social security number.
(B) Driver's license number or
(C) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
(D) Medical information.
(2) "Medical information" means any individually identifiable information, in electronic or physical form, regarding the individual's medical history or medical treatment or diagnosis by a health care professional.
(3) "Personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
(e) The provisions of this section do not apply to any of the following:
(1) A provider of health care, health care service plan, or contractor regulated by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1).
(2) A financial institution as defined in Section 4052 of the Financial Code and subject to the California Financial Information Privacy Act (Division 1.2 (commencing with Section 4050) of the Financial Code).
(3) A covered entity governed by the medical privacy and security rules issued by the federal Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Availability Act of 1996 (HIPAA).
(4) An entity that obtains information under an agreement pursuant to Article 3 (commencing with Section 1800) of Chapter 1 of Division 2 of the Vehicle Code and is subject to the confidentiality requirements of the Vehicle Code.
(5) A business that is regulated by state or federal law providing greater protection to personal information than that provided by this section in regard to the subjects addressed by this section. Compliance with that state or federal law shall be deemed compliance with this section with regard to those subjects. This paragraph does not relieve a business from a duty to comply with any other requirements of other state and federal law regarding the protection and privacy of personal information.
1798.84 (a) Any waiver of a provision of this title is contrary to public policy and is void and unenforceable.
(b) Any customer injured by a violation of this title may institute a civil action to recover damages.
(c) In addition, for a willful, intentional, or reckless violation of Section 1798.83, a customer may recover a civil penalty not to exceed three thousand dollars ($3,000) per violation; otherwise, the customer may recover a civil penalty of up to five hundred dollars ($500) per violation for a violation of Section 1798.83.
(d) Unless the violation is willful, intentional, or reckless, a business that is alleged to have not provided all the information required by subdivision (a) of Section 1798.83, to have provided inaccurate information, failed to provide any of the information required by subdivision (a) of Section 1798.83, or failed to provide information in the time period required by subdivision (b) of Section 1798.83, may assert as a complete defense in any action in law or equity that it thereafter provided regarding the information that was alleged to be untimely, all the information, or accurate information, to all customers who were provided incomplete or inaccurate information, respectively, within 90 days of the date the business knew that it had failed to provide the information, timely information, all the information, or the accurate information, respectively.
(e) Any business that violates, proposes to violate, or has violated this title may be enjoined.
(f) A prevailing plaintiff in any action commenced under Section 1798.83 shall also be entitled to recover his or her reasonable attorney's fees and costs.
(g) The rights and remedies available under this section are cumulative to each other and to any other rights and remedies available under law.