Subject: draft Calif. "Privacy [& Computer Crime] Act of 1992"
Date: Sun, 19 Jan 92 10:55:40 PST
Hi all,
The Chair of the California State Senate, Bill Lockyer, is about to
introduce what he calls "The Privacy Act of 1992." It addresses computer
*crime* in a robust manner, but appears to be less concerned with many
of the privacy issues posed during public testimony in December. I
scanned it in, OCRed it, proofed it, and believe this is an accurate
copy of the original cover letter and content. The latter has already
been sent to Legislative Counsel (on 1/8/92). Please upload it and
circulate it to all others who might be interested. Note: Many consider
that computer legislation at the state level in major, "bellwether"
states may/can/will provide models for other states and for eventual
federal legislation. Thus, this deserves *early* and widespread
circulation, review and *public comment*.
--jim warren [chair, First Conference on Computers, Freedom & Privacy, 1991]
====== TEXT OF LETTER & DRAFT LEGISLATION RECEIVED JAN. 17, 1992 =====
California State Senate
Bill Lockyer, Tenth [California] Senatorial District [Chairman, California
State Senate Judiciary Committee]
Southern Alameda County
January 15, 1992
TO: Interested Parties
FROM: Ben Firschein, Senator Lockyer's Office
RE: Privacy legislation emerging from the interim hearing
We have drafted language reflecting some of the suggestions made at the
privacy hearing on December 10 [1991] and have sent it to Legislative Counsel.
It is likely that Senator Lockyer will introduce the language as a bill
when it comes back from Legislative Counsel. We welcome and encourage
your suggestions, comments and proposed amendments. This language should
be viewed as an initial proposal, and it is likely that it will be
amended as it proceeds through the legislature.
The bill as submitted to Legislative Counsel does the following:
1. Information obtained from driver's licenses: prohibit businesses from
selling or using for advertising purposes information obtained from
driver's licenses without the written consent of the consumer.
2. Automatic vehicle identification [AVI]: Require Caltrans to provide
an opportunity to pre-pay tolls and use the facility anonymously.
3. Violation of privacy of employees: language has been drafted based on
the Connecticut statute that Justice Grodin discussed at the hearing.
The proposed language goes further than the Connecticut statute in that
it also extends to prospective employees.
a) Extend existing law to allow recovery by any injured party, not just
the owner or lessee of the computer.
b) Allow recovery for any consequential or incidental damages, not just
for expenditures necessary to verify that a computer system was or was
not damaged.
c) Create civil penalty of $10,000 per injured party up to a maximum of
fifty thousand dollars for recklessly storing data in a manner which
enables a person to commit acts leading to a felony conviction. Failure
to report to law enforcement a previous violation under the statute
would be deemed to be possible evidence of recklessness.
d) Require that owner or lessee of computer report to law enforcement
any known violations of the statute involving his/her system. Such
reports required within 60 days after they become known to owner or
lessee.
Warrants for electronically stored materials: We are interested
in working with interested parties on some of the proposals made at the
hearing, for possible inclusion in the bill as amendments.
Please direct your comments to:
Ben Firschein
Administrative Assistant
Office of Senator Lockyer
Room 2032 State Capitol
Sacramento, CA 95814
(916) 445-6671
[hand-written] The people of the State of California do enact as follows:
[hand-written] Section 1. This Act may be cited as the Privacy Act of 1992.
[hand-written] Section 2. Section 1799.4 is added to the Civil Code to
read:
1799.4. A business entity that obtains information from a consumer's
driver's license or identification card for its business records or for
other purposes shall not sell the information or use it to advertise
goods or services, without the written consent of the consumer.
[hand-written] Sent to Leg Counsel 1/8
[hand-written] Section 3. Section 502 of the Penal Code is amended to read:
502. (a) It is the intent of the Legislature in enacting this section to
expand the degree of protection afforded to individuals, businesses, and
governmental agencies from tampering, interference, damage, and
unauthorized access to lawfully created computer data and computer
systems. The Legislature finds and declares that the proliferation of
computer technology has resulted in a concomitant proliferation of
computer crime and other forms of unauthorized access to computers,
computer systems, and computer data.
The Legislature further finds and declares that protection of the
integrity of all types and forms of lawfully created computers, computer
systems, and computer data is vital to the protection of the privacy of
individuals as well as to the well-being of financial institutions,
business concerns, governmental agencies, and others within this state
that lawfully utilize those computers, computer systems, and data.
(b) For the purposes of this section, the following terms have the
following meanings:
(1) "Access" means to gain entry to, instruct, or communicate with the
logical, arithmetical, or memory function resources of a computer,
computer system, or computer network.
(2) "Computer network" means any system which provides communications
between one or more computer systems and input/output devices including,
but not limited to, display terminals and printers connected by
telecommunication facilities.
(3) "Computer program or software" means a set of instructions or
statements, and related data, that when executed in actual or modified
form, cause a computer, computer system, or computer network to perform
specified functions.
(4) "Computer services" includes, but is not limited to, computer time,
data processing, or storage functions, or other uses of a computer,
computer system, or computer network.
(5) "Computer system" means a device or collection of devices, including
support devices and excluding calculators which are not programmable and
capable of being used in conjunction with external files, one or more of
which contain computer programs, electronic instructions, input data,
and output data, that performs functions including, but not limited to,
logic, arithmetic, data storage and retrieval, communication, and
control.
(6) "Data" means a representation of information, knowledge, facts,
concepts, computer software, computer programs or instructions. Data may
be in any form, in storage media, or as stored in the memory of the
computer or in transit or presented on a display device.
(7) "Supporting documentation" includes, but is not limited to, all
information, in any form, pertaining to the design, construction,
classification, implementation, use, or modification of a computer,
computer system, computer network, computer program, or computer
software, which information is not generally available to the public and
is necessary for the operation of a computer, computer system, computer
network, computer program, or computer software.
(8) "Injury" means any alteration, deletion, damage, or destruction of a
computer system, computer network, computer program, or data caused by
the access.
(9) "Victim expenditure" means any expenditure reasonably and
necessarily incurred by the owner or lessee to verify that a computer
system, computer network, computer program, or data was or was not
altered, deleted, damaged, or destroyed by the access.
(10) "Computer contaminant" means any set of computer instructions that
are designed to modify, damage, destroy, record, or transmit information
within a computer, computer system, or computer network without the
intent or permission of the owner of the information. They include, but
are not limited to, a group of computer instructions commonly called
viruses or worms, which are self-replicating or self-propagating and are
designed to contaminate other computer programs or computer data,
consume computer resources, modify, destroy, record, or transmit data,
or in some other fashion usurp the normal operation of the computer,
computer system, or computer network.
(c) Except as provided in subdivision (h), any person who commits any of
the following acts is guilty of a public offense:
(1) Knowingly accesses and without permission alters, damages, deletes,
destroys, or otherwise uses any data, computer, computer system, or
computer network in order to either (A) devise or execute any scheme or
artifice to defraud, deceive, or extort, or (B) wrongfully control or
obtain money, property, or data.
(2) Knowingly accesses and without permission takes, copies, or makes
use of any data from a computer, computer system, or computer network,
or takes or copies any supporting documentation, whether existing or
residing internal or external to a computer, computer system, or
computer network.
(3) Knowingly and without permission uses or causes to be used computer
services.
(4) Knowingly accesses and without permission adds, alters, damages,
deletes, or destroys any data, computer software, or computer programs
which reside or exist internal or external to a computer, computer
system, or computer network.
(5) Knowingly and without permission disrupts or causes the disruption
of computer services or denies or causes the denial of computer services
to an authorized user of a computer, computer system, or computer
network.
(6) Knowingly and without permission provides or assists in providing a
means of accessing a computer, computer system, or computer network in
violation of this section.
(7) Knowingly and without permission accesses or causes to be accessed
any computer, computer system, or computer network.
(8) Knowingly introduces any computer contaminant into any computer,
computer system, or computer network.
(d) (1) Any person who violates any of the provisions of paragraph (1),
(2), (4), or (5) of subdivision (c) is punishable by a fine not
exceeding ten thousand dollars ($10,000), or by imprisonment in the
state prison for 16 months, or two or three years, or by both that fine
and imprisonment, or by a fine not exceeding five thousand dollars
($5,000), or by imprisonment in the county jail not exceeding one year,
or by both that fine and imprisonment.
(2) Any person who violates paragraph (3) of subdivision (c) is
punishable as follows:
(A) For the first violation which does not result in injury, and where
the value of the computer services used does not exceed four hundred
dollars ($400), by a fine not exceeding five thousand dollars ($5,000),
or by imprisonment in the county jail not exceeding one year, or by both
that fine and imprisonment.
(B) For any violation which results in a victim expenditure in an amount
greater than five thousand dollars ($5,000) or in an injury, or if the
value of the computer services used exceeds four hundred dollars ($400),
or for any second or subsequent violation, by a fine not exceeding ten
thousand dollars ($10,000), or by imprisonment in the state prison for
16 months, or two or three years, or by both that fine and imprisonment,
or by a fine not exceeding five thousand dollars ($5,000), or by
imprisonment in the county jail not exceeding one year, or by both that
fine and imprisonment.
(3) Any person who violates paragraph (6), (7), or (8) of subdivision
(c) is punishable as follows:
(A) For a first violation which does not result in injury an infraction
punishable by a fine not exceeding two hundred fifty dollars ($250).
(B) For any violation which results in a victim expenditure in an amount
not greater than five thousand dollars ($5,000), or for a second or
subsequent violation, by a fine not exceeding five thousand dollars
($5,000), or by imprisonment in the county jail not exceeding one year,
or by both that fine and imprisonment.
(C) For any violation which results in a victim expenditure in an amount
greater than five thousand dollars ($5,000), by a fine not exceeding ten
thousand dollars ($10,000), or by imprisonment in the state prison for
16 months, or two or three years, or by both that fine and imprisonment,
or by a fine not exceeding five thousand dollars ($5,000), or by
imprisonment in the county jail not exceeding one year, or by both that
fine and imprisonment.
(e) (1) In addition to any other civil remedy available, any injured
party, including but not limited to the owner or lessee of the computer,
computer system, computer network, computer program, or data, may bring
a civil action against any person convicted under this section for
compensatory damages, including any consequential or incidental damages.
In the case of the owner or lessee of the computer, computer system,
computer network, computer program, or data, such damages may include,
but are not limited to, any expenditure reasonably and necessarily
incurred by the owner or lessee to verify that a computer system,
computer network, computer program, or data was or was not altered,
damaged, or deleted by the access.
(2) Whoever recklessly stores or maintains data in a manner which
enables a person to commit acts leading to a felony ["a felony"
hand-written] conviction under this section shall be liable for a civil
penalty of ten thousand dollars ($10,000) per injured party, up to a
maximum of fifty thousand dollars ($50,000). Failure to report to law
enforcement a previous violation under subsection (f) may constitute
evidence of recklessness.
(3) For the purposes of actions authorized by this subdivision, the
conduct of an unemancipated minor shall be imputed to the parent or
legal guardian having control or custody of the minor, pursuant to the
provisions of Section 1714.1 of the Civil Code.
(4) In any action brought pursuant to this subdivision the court may
award reasonable attorney's fees to a prevailing party.
(5) A community college, state university, or academic institution
accredited in this state is required to include computer-related crimes
as a specific violation of college or university student conduct
policies and regulations that may subject a student to disciplinary
sanctions up to and including dismissal from the academic institution.
This paragraph shall not apply to the University of California unless
the Board of Regents adopts a resolution to that effect.
(f) The owner or lessee of any computer, computer system, computer
network, computer program, or data shall report to law enforcement any
known violations of this section involving the owner or lessee's
computer, computer system, computer network, computer program, or data.
Such reports shall be made within 60 days after they become known to the
owner or lessee.
(g) This section shall not be construed to preclude the applicability of
any other provision of the criminal law of this state which applies or
may apply to any transaction, nor shall it make illegal any employee
labor relations activities that are within the scope and protection of
state or federal labor laws.
(h) Any computer, computer system, computer network, or any software or
data, owned by the defendant, which is used during the commission of any
public offense described in subdivision (c) or any computer, owned by
the defendant, which is used as a repository for the storage of software
or data illegally obtained in violation of subdivision (c) shall be
subject to forfeiture, as specified in Section 502.01.
(i) (1) Subdivision (c) does not apply to any person who accesses his or
her employer's computer system, computer network, computer program, or
data when acting within the scope of his or her lawful employment.
(2) Paragraph (3) of subdivision (c) does not apply to any employee who
accesses or uses his or her employer's computer system, computer
network, computer program, or data when acting outside the scope of his
or her lawful employment, so long as the employee's activities do not
cause an injury, as defined in paragraph (8) of subdivision (b), to
the employer or another, or so long as the value of supplies and
computer services, as defined in paragraph (4) of subdivision (b), which
are used do not exceed an accumulated total of one hundred dollars
($100).
(j) No activity exempted from prosecution under paragraph (2) of
subdivision (h) which incidentally violates paragraph (2), (4), or (7)
of subdivision (c) shall be prosecuted under those paragraphs.
(k) For purposes of bringing a civil or a criminal action under this
section, a person who causes, by any means, the access of a computer,
computer system, or computer network in one jurisdiction from another
jurisdiction is deemed to have personally accessed the computer,
computer system, or computer network in each jurisdiction.
(l) In determining the terms and conditions applicable to a person
convicted of a violation of this section the court shall consider the
following:
(1) The court shall consider prohibitions on access to and use of
computers.
(2) Except as otherwise required by law, the court shall consider
alternate sentencing, including community service, if the defendant
shows remorse and recognition of the wrongdoing, and an inclination not
to repeat the offense.
[hand-written] Section 4. Section 12940.3 is added to the Government Code
to read:
(a) Any employer, including the state and any instrumentality or
political subdivision thereof, shall be liable to an employee or
prospective employee for damages caused by either of the following:
(1) Subjecting the employee to discipline or discharge on account of the
exercise by such employee of rights guaranteed by Section 1 of Article I
of the California Constitution, provided such activity does not
substantially interfere with the employee's bona fide job performance or
working relationship with the employer.
(2) Denying employment to a prospective employee on account of the
prospective employee's exercise of rights guaranteed by Section 1 of
Article I of the California Constitution.
(b) The damages awarded under this Section may include punitive damages,
and reasonable attorney's fees as part of the costs of any such action
for damages. If the court decides that such action for damages was
brought without substantial justification, the court may award costs and
reasonable attorney's fees to the employer.
[hand-written] Section 5. Section 27565 of the Streets and Highways Code
is amended to read:
27565. Automatic vehicle identification systems for toll collection
(a) The Department of Transportation in cooperation with the district and
all known entities planning to implement a toll facility in this state
shall develop and adopt functional specifications and standards for an
automatic vehicle identification system, in compliance with the
following objectives:
(1) In order to be detected, the driver shall not be required to reduce
speed below the applicable speed for the type of facility being used.
(2) The vehicle owner shall not be required to purchase or install more
than one device to use on all toll facilities, but may be required to
have a separate account or financial arrangement for the use of these
facilities.
(3) The facility operators shall have the ability to select from
different manufacturers and vendors. The specifications and standards
shall encourage multiple bidders and shall not have the effect of
limiting the facility operators to choosing a system which is able to be
supplied by only one manufacturer or vendor.
(b) The vehicle owner shall have the choice of pre-paying tolls, or
being billed after using the facility. If the vehicle owner pre-pays
tolls:
(1) The facility or the Department shall issue an account number to the
vehicle owner. The account number shall not be derived from the vehicle
owner's name, address, social security number, or driver's license
number, or the vehicle's license number, vehicle identification number,
or registration.
(2) Once an account has been established and an account number has been
given to the vehicle owner, neither the facility nor the Department
shall keep any record of the vehicle owner's name, address, social
security number or driver's license number, or the vehicle's license
number, vehicle identification number, or registration.
(3) The vehicle owner may make additional pre-payments by specifying the
account number and furnishing payment.
(c) Any automatic vehicle identification system purchased or installed
after January 1, 1991, shall comply with the specifications and standards
adopted pursuant to subdivision (a).
(d) Any automatic vehicle identification system purchased or installed
after January 1, 1993, shall comply with the specifications and standards
adopted pursuant to subdivisions (a) and (b).
====== END ======