(a) A consumer credit reporting agency, as defined in 15 U.S.C. Sec. 1681a(p), that owns, licenses, or maintains personal information about a California resident, or a third party that maintains personal information about a California resident on behalf of a consumer credit reporting agency, that knows, or reasonably should know, that a computer system it owns, operates, or maintains, and for which it controls the security protocols, is subject to a security vulnerability that poses a significant risk, as defined in subdivision (c), to the security of computerized data that contains personal information, as defined in subdivision (h) of Section 1798.82, shall do all of the following:
(1) If a consumer credit reporting agency knows or reasonably should know that a software update is available to address the vulnerability as described in subdivision (a), the agency shall begin the necessary testing, planning, and assessment of its systems for implementation of that software update in the most expedient time possible and without unreasonable delay, in keeping with industry best practices, but in any case no later than three business days after becoming aware, or after the point at which it reasonably should have become aware, of the vulnerability and the available software update. The software update shall be completed in the most expedient time possible and without unreasonable delay, in keeping with industry best practices, but in any case no later than 90 days after becoming aware, or after the point at which it reasonably should have become aware, of the vulnerability and the available software update.
(2) Until the software update described in paragraph (1) is complete, the consumer credit reporting agency shall, in keeping with industry best practices, employ reasonable compensating controls to reduce the risk of a breach caused by computer system vulnerability as described in subdivision (a).
(b) Notwithstanding whether a software update is available, the consumer credit reporting agency, in keeping with industry best practices, shall do all of the following:
(1) Identify, prioritize, and address the highest risk security vulnerabilities most quickly in order to reduce the likelihood that the vulnerabilities that pose the greatest security risk will be exploited.
(2) Test and evaluate the impact of compensating controls and software updates and how they affect the vulnerability of the system to threats to the security of computerized data.
(3) Require, by contract, that the third party implement and maintain appropriate security measures for personal information. Contracting with a third party to maintain personal information about California residents shall not relieve the consumer credit agency of the requirements of this section.
(c) As used in this section, “significant risk” means a vulnerability score, calculated using a standard measurement system that is accepted as a best practice for the industry, to determine that the risk could reasonably result in a breach of the security of the system, as defined in subdivision (g) of Section 1798.82, of personal information, as defined in subdivision (h) of Section 1798.82.
(d) As used in this section, “compensating controls” means controls that the agency reasonably believes will prevent the computer system vulnerability as described in subdivision (a) from being exploited while the software update is being tested, assessed, and a plan for implementation is being developed, and have been adequately tested and confirmed to sufficiently offset the risk of breach caused by computer system vulnerability as described in subdivision (a).
(e) Nothing in this section shall reduce the responsibilities and obligations of a consumer credit reporting agency or third party under this title, including, but not limited to, Section 1798.81.5.
(f) The Attorney General has exclusive authority to enforce this section.
(Added by Stats. 2018, Ch. 532, Sec. 1. (AB 1859) Effective January 1, 2019.)