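[Senate Bill No. 327]

Passed the Senate August 29, 2018

Passed the Assembly August 28, 2018

This bill adds Title 1.81.26 (commencing with Section 1798.91.04) to Part 4 of Division 3 of the Civil Code, relating to privacy.

Legislative Counsel’s Digest

SB 327, Jackson. Information privacy: connected devices.

Existing law requires a business to take all reasonable steps to dispose of customer records within its custody or control. When the business no longer retains those records, it must shred, erase, or otherwise modify the personal information in them to make it unreadable or undecipherable. Existing law also requires a business that owns, licenses, or maintains personal information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. Existing law authorizes a consumer injured by a violation of these provisions to bring a civil action for damages.

Beginning January 1, 2020, as specified, this bill would require a manufacturer of a connected device (as those terms are defined) to equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.

This bill would become operative only if Assembly Bill 1906 of the 2017–18 Regular Session is enacted and becomes effective.

The people of the State of California do enact as follows:

Section 1. Title 1.81.26 (commencing with Section 1798.91.04) is added to Part 4 of Division 3 of the Civil Code, to read: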

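Title 1.81.26. Security of Connected Devices

1798.91.04. (a) A manufacturer of a connected device shall equip the device with a reasonable security feature or features, including:

(1) Appropriate to the nature and function of the device.

(2) Appropriate to the information it may collect, contain, or transmit.

(3) Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.

(b) Subject to all of the requirements of subdivision (a), if a connected device is equipped with a means for authentication outside a local area network, it shall be deemed to meet the reasonable security feature requirement of subdivision (a) when either of the following is met:

(1) The preprogrammed password is unique to each device manufactured.

(2) The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.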

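1798.91.05. For the purposes of this title, the following terms are defined as follows:

(a) “Authentication” means a method of verifying the authority of a user, process, or device to access resources in an information system.

(b) “Connected device” means any device or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.

(c) “Manufacturer” means the person who manufactures connected devices, or contracts with another person to manufacture them on the person’s behalf, and who sells or offers those connected devices for sale in California. For the purposes of this subdivision, a contract with another person to manufacture on the person’s behalf does not include a contract only to purchase a connected device, or only to purchase and brand a connected device.

(d) “Security feature” means a feature designed to provide security for the device.

(e) “Unauthorized access, destruction, use, modification, or disclosure” means access, destruction, use, modification, or disclosure that is not authorized by the consumer.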

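1798.91.06. (a) This title shall not be construed to impose any duty upon the manufacturer of a connected device when a user chooses to add unaffiliated third-party software or applications to the connected device.

(b) This title shall not be construed to impose any duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications, to review or enforce compliance with this title.

(c) This title shall not be construed to impose any duty upon the manufacturer of a connected device to prevent a user from having full control over a connected device, including the ability to modify the software or firmware running on the device at the user’s discretion.

(d) This title shall not apply to any connected device the functionality of which is subject to security requirements under federal law, regulations, or guidance promulgated by a federal agency pursuant to its regulatory enforcement authority.

(e) This title shall not be construed to provide a basis for a private right of action. The Attorney General, a city attorney, a county counsel, or a district attorney shall have the exclusive authority to enforce this title.

(f) The duties and obligations imposed by this title are cumulative with any other duties or obligations imposed under other law, and shall not be construed to relieve any party from any duties or obligations imposed under other law.

(g) This title shall not be construed to limit the authority of a law enforcement agency to obtain connected device information from a manufacturer as authorized by law or pursuant to an order of a court of competent jurisdiction.

(h) A covered entity, provider of health care, business associate, health care service plan, contractor, employer, or any other person subject to the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Public Law 104-191) or the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) shall not be subject to this title with respect to any activity regulated by those acts.

(i) This title shall become operative on January 1, 2020.

Sec. 2. This act shall become operative only if Assembly Bill 1906 of the 2017–18 Regular Session is enacted and becomes effective.

(Translation and editing: Zhang Yundan; proofreading: Xie Yongjiang)

Appendix: English original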

Senate Bill No. 327

Passed the Senate August 29, 2018

Passed the Assembly August 28, 2018

An act to add Title 1.81.26 (commencing with Section 1798.91.04) to Part 4 of Division 3 of the Civil Code, relating to information privacy.

Legislative Counsel’s Digest

SB 327, Jackson. Information privacy: connected devices.

Existing law requires a business to take all reasonable steps to dispose of customer records within its custody or control containing personal information when the records are no longer to be retained by the business by shredding, erasing, or otherwise modifying the personal information in those records to make it unreadable or undecipherable. Existing law also requires a business that owns, licenses, or maintains personal information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. Existing law authorizes a customer injured by a violation of these provisions to institute a civil action to recover damages.

This bill, beginning on January 1, 2020, would require a manufacturer of a connected device, as those terms are defined, to equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified.

This bill would become operative only if AB 1906 of the 2017–18 Regular Session is enacted and becomes effective.

The people of the State of California do enact as follows:

SECTION 1. Title 1.81.26 (commencing with Section 1798.91.04) is added to Part 4 of Division 3 of the Civil Code, to read:

TITLE 1.81.26. SECURITY OF CONNECTED DEVICES

1798.91.04. (a) A manufacturer of a connected device shall equip the device with a reasonable security feature or features that are all of the following:

  (1)  Appropriate to the nature and function of the device.

  (2)  Appropriate to the information it may collect, contain, or transmit.

  (3)  Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.

(b) Subject to all of the requirements of subdivision (a), if a connected device is equipped with a means for authentication outside a local area network, it shall be deemed a reasonable security feature under subdivision (a) if either of the following requirements are met:

  (1)  The preprogrammed password is unique to each device manufactured.

  (2)  The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.

1798.91.05. For the purposes of this title, the following terms have the following meanings:

(a) “Authentication” means a method of verifying the authority of a user, process, or device to access resources in an information system.

(b) “Connected device” means any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.

(c) “Manufacturer” means the person who manufactures, or contracts with another person to manufacture on the person’s behalf, connected devices that are sold or offered for sale in California. For the purposes of this subdivision, a contract with another person to manufacture on the person’s behalf does not include a contract only to purchase a connected device, or only to purchase and brand a connected device.

(d) “Security feature” means a feature of a device designed to provide security for that device.

(e) “Unauthorized access, destruction, use, modification, or disclosure” means access, destruction, use, modification, or disclosure that is not authorized by the consumer.

1798.91.06. (a) This title shall not be construed to impose any duty upon the manufacturer of a connected device related to unaffiliated third-party software or applications that a user chooses to add to a connected device.

(b) This title shall not be construed to impose any duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications, to review or enforce compliance with this title.

(c) This title shall not be construed to impose any duty upon the manufacturer of a connected device to prevent a user from having full control over a connected device, including the ability to modify the software or firmware running on the device at the user’s discretion.

(d) This title shall not apply to any connected device the functionality of which is subject to security requirements under federal law, regulations, or guidance promulgated by a federal agency pursuant to its regulatory enforcement authority.

(e) This title shall not be construed to provide a basis for a private right of action. The Attorney General, a city attorney, a county counsel, or a district attorney shall have the exclusive authority to enforce this title.

(f) The duties and obligations imposed by this title are cumulative with any other duties or obligations imposed under other law, and shall not be construed to relieve any party from any duties or obligations imposed under other law.

(g) This title shall not be construed to limit the authority of a law enforcement agency to obtain connected device information from a manufacturer as authorized by law or pursuant to an order of a court of competent jurisdiction.

(h) A covered entity, provider of health care, business associate, health care service plan, contractor, employer, or any other person subject to the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Public Law 104-191) or the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) shall not be subject to this title with respect to any activity regulated by those acts.

(i) This title shall become operative on January 1, 2020.

SEC. 2. This act shall become operative only if Assembly Bill 1906 of the 2017–18 Regular Session is also enacted and becomes effective.

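Statement: This article comes from the Beijing University of Posts and Telecommunications (BUPT) Internet Governance and Law Research Center (北邮互联网治理与法律研究中心); copyright belongs to the author. The content represents only the author's independent views and does not represent the position of 安全内参; it is reposted in order to pass on more information. In case of infringement, please contact anquanneican@163.com.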