Choose Site


Tech & Sourcing @ Morgan Lewis


A recent bill passed in the California Assembly would provide companies with new standards to follow when complying with California law relating to personal information safeguards.

Assembly Bill No. 83 (A.B. 83) would amend California’s Information Practices Act of 1977 by defining “reasonable security procedures and practices” as requiring companies to provide, at a minimum, a level of security for personal information “to the degree that any reasonably prudent business would provide.” If passed, the new law would also add “geophysical location information” to the definition of personal information.

The Specifics of the “Reasonably Prudent Business” Standard

Existing California law requires businesses that own, license, or maintain personal information to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.” A.B. 83 is an effort to expand on the meaning of “reasonable security procedures and practices” in this context.

Fortunately, in clarifying the meaning of “reasonable security procedures and practices,” the bill goes beyond simply stating that a company must act like a “reasonably prudent business” when securing personal information. Instead, the proposed law lists a set of proactive measures that businesses must take, including:

  1. Identifying reasonably foreseeable internal and external risks that may result in unauthorized access, disclosure, or other compromise
  2. Establishing, implementing, and maintaining safeguards reasonably designed to ensure the security of the personal information
  3. Assessing, on a regular basis, the sufficiency of any safeguards that are in place to control reasonably foreseeable internal and external risks, and as a result of the assessments, evaluating and adjusting the safeguards as necessary
  4. Evaluating and adjusting any material changes in the business operations or arrangements of the company that create a material impact on the security or privacy of the personal information under the control of the business

If the bill passes, these four measures would provide valuable guidance to businesses that must comply with California’s Information Practices Act.

Addition of Geophysical Location Information to Definition of Personal Information

Another key aspect of the bill is the addition of “geophysical location information” to the definition of personal information. The current law defines personal information as an individual’s first name (or first initial) and last name when used in combination with any of four data elements and where either the person’s name or the data elements are not encrypted or redacted. The existing four data elements are an individual’s (1) social security number, (2) driver’s license or California identification number, (3) financial account numbers and codes or passwords that would provide access to such accounts, and (4) medical information.

Under the proposed bill, a person’s “geophysical location information” would be added as a fifth data element. The bill defines this as “any personally identifiable information describing or concerning the duration of a transportation service provided to an individual, the location and route of a transportation service provided to an individual, or, if applicable, the monetary exchange associated with a transportation service provided to an individual.”

This bill is certainly one to watch as the summer progresses. If it passes through the California Senate and is signed into law, California could become the first (or one of the first) jurisdictions (state or federal) to specifically lay out how companies are judged in their personal information security practices. We will keep our readers updated on the progress of the bill in the coming months.