SB1447

   This includes the full text of legislation that was introduced Feb. 10th
in the California State Senate by a senior member of that body, the Chair of
the Senate Judiciary Committee, Senator Bill Lockyer of Southern Alameda
County.  This copy of the bill plus staff background comments is being
uploaded within days of its availability in Senate offices.

SB1447 TOPICS
   Sec.1:  "Privacy Act of 1992", Senate Bill 1447 (Lockyer, Privacy)
   Sec.2:  Driver's licenses: Use of human-readable and magstripe information
   Sec.3:  Privacy: Rights of employees and prospective employees
   Sec.4:  Computer crime laws: Modifications
   Sec.5:  Automatic vehicle identification [AVI] systems: Control of uses

CONTENTS OF THIS MESSAGE                                      [words/chars]
   Introductory comments and details of notation conventions     [757/5191]
   Reformatted verbatim text of the Feb. 10th bill             [3227/21285]
   Background notes prepared by Sen. Lockyer's assistant       [2465/15546]
If printed, this would take approximately 12 pages.

REPORTEDLY A LEGISLATIVE "FIRST"

   This effort in "electronic democracy" may be the first time that state
legislation has been distributed online, for access by the general public,
at the same time it becomes available to legislators and their staff.

   A senior member of the Senate computer system's technical staff reportedly
said they have never-before down-loaded a machine-readable copy of initial
legislation onto a personal computer for redistribution on public computer
networks.

  Furthermore, Sen. Lockyer's Legislative Assistant responsible for the bill
said he knows of no prior instance where legislative staff have gone online
on public nets to seek citizen input and discussion about new legislation.

SOURCES OF ORIGINAL DOCUMENTS & INFORMATION

   Mr. Ben Firschein is the Legislative Assistant to Sen. Lockyer who is
handling this bill:
      Office of Senator Bill Lockyer
      Room 2032, State Capitol
      Sacramento CA 95814
      Mr. Firschein/916-445-6671, main number/916-445-5957, email/**

   Formatted, binary, machine-readable versions of this text will be
available on the WELL, the Whole Earth 'Lectronic Link.  The WELL is a public
teleconferencing system located in Sausalito, California, accessible via the
Internet; voice/415-332-4335, 2400-baud data/7-E-1/415-332-6106.  For read-
only access instructions, SEND A REQUEST TO:  jwarren@well.sf.ca.us.
** -- Mr. Firscheitn will be online on the WELL within a week or so.  You may
request his email address, also, from  jwarren@well.sf.ca.us.

There will be four read-only files:

   A.  The original file that was down-loaded from the Senate's legislative
computer system in WordPerfect format on a PC-compatible diskette.

   B.  The above file, converted to a Word-5.0 Macintosh format, with
pagination approximating the printed copies of the bill available from the
legislative offices.

   C.  Background inftormation, explanations and mention of some alternatives,
prepared by Mr. Firschein, in original WordPerfect format for PC-compatibles.

   D.  That backgrounder file, converted to Word-5.0 Macintosh format.

REPRESENTING LEGISLATION-IN-PROGRESS: A NOTATION PROBLEM

   In the California Senate, printed legislation-in-progress uses the
following conventions:

  When stating new legislation, *plain-text* states PROPOSED law.

  When *amending* current law, *plain-text* states the CURRENT law, and
*strike-thru text* indicates current law to be deleted while *underscored* or
*italicized* text represents wording to be added to those current statutes. 
Deletions and additions represented by strike-thru and underlining or italics
*amend* current law.

  But, the basic ASCII character-set -- and a great many older terminals and
computer printers -- have no strike-thru, italics or underlining.  So, here
is how that unavailable notation is represented in this document:

    [[ annotation ]] -- explanatory comments by "uploader" Jim Warren

       all capitals  -- originally bold-face text; no legislative meaning

  Unless stated as amending current law:

       plain-text    -- text of new legislation, proposed to be new law

  When stated as amending current law:

       plain-text    -- text of current law to remain unchanged

    << strikethru >> -- text in current law, proposed for deletion

    {{ underscore }} -- text proposed to be added to current law.

THE BEGINNING ...

  The introduction of this legislation in the Senate is the beginning of
a lengthy process or review and revision by amendment, prior to its possible
passage into law.

  Please send your comments and suggestions about the legislation -- and
about the Senate staff's active cooperation in making it publicly available,
online -- to Mr. Firschein and Sen. Lockyer.

--Jim Warren, 345 Swett Rd., Woodside CA 94062; voice/415-851-7075,
  fax/415-851-2814, email/jwarren@well.sf.Eca.us -or- jwarren@autodesk.com
  [ for identification purposes, only: contributing editor, MicroTimes;
    Chair, First Conference on Computers, Freedom & Privacy (March, 1991);
    and member, Board of Directors, Autodesk, Inc.; blah blah blah ]

===================== verbatim text of the legislation =====================

    "THE PRIVACY ACT OF 1992"  --  CALIFORNIA STATE SENATE BILL No. 1447
                        Introduced by Senator Lockyer
                              February 10E, 1992


   An act to add Section 1799.4 to the Civil Code, to add Section 2805 to the
Labor Code, to amend Section 502 of the Penal Code, and to amend Section
27565 of the Streets and Highways Code, relating to privacy.



                      LEGISLATIVE COUNSEL'S DIGEST
[[**** The Legislative Counsel's Digest is NOT part of the bill.  It is
  only a summary prepared by the legislature's legal counsel. ****]]

   SB 1447, as introduced, Lockyer.  Privacy.

   (1) Existing law prohibits the disclosure of specified information by
business entities which perform bookkeeping services and by persons providing
video cassette sales or rental services.

   This bill would provide that a business entity that obtains information
from a consumer's driver's license or identification card shall not sell the
information or use it to advertise goods or services, without consent.

   (2) Existing law prohibits employers from making or enforcing rules or
policies forbidding or preventing employees from engaging or participating in
politics, and from controlling the political activities or affiliations of
employees.

   This bill would provide that any employer shall be liable to an employee
or prospective employee for damages caused by subjecting the employee to
discipline or discharge, or denying employment to a prospective employee, on
account of the exercise by that person of privacy rights guaranteed by the
California Constitution.

   (3) Existing law sets forth definitions and penalties for specified
computer-related crimes.

   This bill would require the owner or lessee of any computer, computer
system, computer network, computer program, or data, as specified, to report
to a local law enforcement agency any known violations of the provisions
described above.  The bill would also provide that any person who recklessly
stores or maintains data in a manner which enables a person to commit acts
leading to a felony conviction under the provisions described above, shall be
liable to each injured party for a specified civil penalty.  The bill would
make related changes.

   (4) Existing law requires the Department of Transportation to develop and
adopt functional specifications and standards for an automatic vehicle
identification system to be used in toll facilities, as specified.

   This bill would provide that a vehicle owner shall have the choice of
being billed after using the facility, or of prepaying tolls, in which case
the department or any privately owned entity operating a toll facility shall
issue an account number to the vehicle owner which is not derived from the
vehicle owner's name, address, social security number, or specified other
sources, and would prohibit the keeping of any record of this information.

   Vote:  majority.    Appropriation:  no.    Fiscal committee:  yes. 
State-mandated local program:  no.



 THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:

  SECTION 1. This act shall be known and may be cited as the Privacy Act of
1992.

  SEC. 2. Section 1799.4 is added to the Civil Code, to read:

   1799.4.  A business entity that obtains information from a consumer's
driver's license or identification card for its business records or for other
purposes shall not sell the information or use it to advertise goods or
services, without the written consent of the consumer.

  SEC. 3. Section 2805 is added to the Labor Code, to read:

   2805.  (a) Any employer, including any state or local governmental entity
or instrumentality thereof, shall be liable to an employee or prospective
employee for damages caused by either of the following:

   (1) Subjecting the employee to discipline or discharge on account of the
exercise by the employee of privacy rights guaranteed by Section 1 of Article
I of the California Constitution, provided the activity does not
substantially interfere with the employee's bona fide job performance or
working relationship with the employer.

   (2) Denying employment to a prospective employee on account of the
prospective employee's exercise of privacy rights guaranteed by Section 1 of
Article I of the California Constitution.

   (b) Damages awarded pursuant to this section may include punitive damages,
and reasonable attorney's fees as part of the costs of the action. If the
court decides that an action for damages was brought without substantial
justification, the court may award costs and reasonable attorney's fees to
the employer.

  SEC. 4. Section 502 of the Penal Code is amended to read:

[[**** Note that this would AMEND current law. ****]]

   502.  (a) It is the intent of the Legislature in enacting this section to
expand the degree of protection afforded to individuals, businesses, and
governmental agencies from tampering, interference, damage, and unauthorized
access to lawfully created computer data and computer systems.  The
Legislature finds and declares that the proliferation of computer technology
has resulted in a concomitant proliferation of computer crime and other forms
of unauthorized access to computers, computer systems, and computer data.

   The Legislature further finds and declares that protection of the
integrity of all types and forms of lawfully created computers, computer
systems, and computer data is vital to the protection of the privacy of
individuals as well as to the well-being of financial institutions, business
concerns, governmental agencies, and others within this state that lawfully
utilize those computers, computer systems, and data.

   (b) For the purposes of this section, the following terms have the
following meanings:

   (1) "Access" means to gain entry to, instruct, or communicate with the
logical, arithmetical, or memory function resources of a computer, computer
system, or computer network.

   (2) "Computer network" means any system which provides communications
between one or more computer systems and input/output devices including, but
not limited to, display terminals and printers connected by telecommunication
facilities.

   (3) "Computer program or software" means a set of instructions or
statements, and related data, that when executed in actual or modified form,
cause a computer, computer system, or computer network to perform specified
functions.

   (4) "Computer services" includes, but is not limited to, computer time,
data processing, or storage functions, or other uses of a computer, computer
system, or computer network.

   (5) "Computer system" means a device or collection of devices, including
support devices and excluding calculators which are not programmable and
capable of being used in conjunction with external files, one or more of
which contain computer programs, electronic instructions, input data, and
output data, that performs functions including, but not limited to, logic,
arithmetic, data storage and retrieval, communication, and control.

   (6) "Data" means a representation of information, knowledge, facts,
concepts, computer software, computer programs or instructions.  Data may be
in any form, in storage media, or as stored in the memory of the computer or
in transit or presented on a display device.

   (7) "Supporting documentation" includes, but is not limited to, all
information, in any form, pertaining to the design, construction,
classification, implementation, use, or modification of a computer, computer
system, computer network, computer program, or computer software, which
information is not generally available to the public and is necessary for the
operation of a computer, computer system, computer network, computer program,
or computer software.

   (8) "Injury" means any alteration, deletion, damage, or destruction of a
computer system, computer network, computer program, or data caused by the
access.

   (9) "Victim expenditure" means any expenditure reasonably and necessarily
incurred by the owner or lessee to verify that a computer system, computer
network, computer program, or data was or was not altered, deleted, damaged,
or destroyed by the access.

   (10) "Computer contaminant" means any set of computer instructions that
are designed to modify, damage, destroy, record, or transmit information
within a computer, computer system, or computer network without the intent or
permission of the owner of the information.  They include, but are not
limited to, a group of computer instructions commonly called viruses or
worms, which are self-replicating or self-propagating and are designed to
contaminate other computer programs or computer data, consume computer
resources, modify, destroy, record, or transmit data, or in some other
fashion usurp the normal operation of the computer, computer system, or
computer network.

   (c) Except as provided in subdivision (h), any person who commits any of
the following acts is guilty of a public offense:

   (1) Knowingly accesses and without permission alters, damages, deletes,
destroys, or otherwise uses any data, computer, computer system, or computer
network in order to either (A) devise or execute any scheme or artifice to
defraud, deceive, or extort, or (B) wrongfully control or obtain money,
property, or data.

   (2) Knowingly accesses and without permission takes, copies, or makes use
of any data from a computer, computer system, or computer network, or takes
or copies any supporting documentation, whether existing or residing internal
or external to a computer, computer system, or computer network.

   (3) Knowingly and without permission uses or causes to be used computer
services.

   (4) Knowingly accesses and without permission adds, alters, damages,
deletes, or destroys any data, computer software, or computer programs which
reside or exist internal or external to a computer, computer system, or
computer network.

   (5) Knowingly and without permission disrupts or causes the disruption of
computer services or denies or causes the denial of computer services to an
authorized user of a computer, computer system, or computer network.

   (6) Knowingly and without permission provides or assists in providing a
means of accessing a computer, computer system, or computer network in
violation of this section.

   (7) Knowingly and without permission accesses or causes to be accessed any
computer, computer system, or computer network.

   (8) Knowingly introduces any computer contaminant into any computer,
computer system, or computer network.

   (d) (1) Any person who violates any of the provisions of paragraph (1),
(2), (4), or (5) of subdivision (c) is punishable by a fine not exceeding ten
thousand dollars ($10,000), or by imprisonment in the state prison for 16
months, or two or three years, or by both that fine and imprisonment, or by a
fine not exceeding five thousand dollars ($5,000), or by imprisonment in the
county jail not exceeding one year, or by both that fine and imprisonment.

   (2) Any person who violates paragraph (3) of subdivision (c) is punishable
as follows:

   (A) For the first violation which does not result in injury, and where the
value of the computer services used does not exceed four hundred dollars
($400), by a fine not exceeding five thousand dollars ($5,000), or by
imprisonment in the county jail not exceeding one year, or by both that fine
and imprisonment.

   (B) For any violation which results in a victim expenditure in an amount
greater than five thousand dollars ($5,000) or in an injury, or if the value
of the computer services used exceeds four hundred dollars ($400), or for any
second or subsequent violation, by a fine not exceeding ten thousand dollars
($10,000), or by imprisonment in the state prison for 16 months, or two or
three years, or by both that fine and imprisonment, or by a fine not
exceeding five thousand dollars ($5,000), or by imprisonment in the county
jail not exceeding one year, or by both that fine and imprisonment.

   (3) Any person who violates paragraph (6), (7), or (8) of subdivision (c)
is punishable as follows:

   (A) For a first violation which does not result in injury, an infraction
punishable by a fine not exceeding two hundred fifty dollars ($250).

   (B) For any violation which results in a victim expenditure in an amount
not greater than five thousand dollars ($5,000), or for a second or
subsequent violation, by a fine not exceeding five thousand dollars ($5,000),
or by imprisonment in the county jail not exceeding one year, or by both that
fine and imprisonment.

   (C) For any violation which results in a victim expenditure in an amount
greater than five thousand dollars ($5,000), by a fine not exceeding ten
thousand dollars ($10,000), or by imprisonment in the state prison for 16
months, or two or three years, or by both that fine and imprisonment, or by a
fine not exceeding five thousand dollars ($5,000), or by imprisonment in the
county jail not exceeding one year, or by both that fine and imprisonment.

[[**** Use of << STRIKETHRU >> and {{ UNDERSCORE }} begins, hereafter. ****]]

   (e) (1) In addition to any other civil remedy available, {{ any injured
party, including but not limited to }} the owner or lessee of the
computer, computer system, computer network, computer program, or data may
bring a civil action against any person convicted under this section for
compensatory damages, including {{ consequential or incidental damages.  In
the case of the owner or lessee of the computer, computer system, computer
network, computer program, or data, damages may include, but are not limited
to,}} any expenditure reasonably and necessarily incurred by the owner or
lessee to verify that a computer system, computer network, computer program,
or data was or was not altered, damaged, or deleted by the access.  << For >>
[[**** Yes, that was a struck-thru "For" ending that paragraph. ****]]

   {{ (2) Any person who recklessly stores or maintains data in a manner
which enables a person to commit acts leading to a felony conviction under
this section shall be liable to each injured party for a civil penalty of ten
thousand dollars ($10,000), up to a maximum of fifty thousand dollars
($50,000).  Failure to report a previous violation of this section to a local
law enforcement agency pursuant to subdivision (f) may constitute evidence of
recklessness }}

   {{ (3) For }} the purposes of actions authorized by this subdivision, the
conduct of an unemancipated minor shall be imputed to the parent or legal
guardian having control or custody of the minor, pursuant to the provisions
of Section 1714.1 of the Civil Code.

   << (2) >>

   {{ (4) }} In any action brought pursuant to this subdivision the court may
award reasonable attorney's fees to a prevailing party.

   << (3) >>

   {{ (5) }} A community college, state university, or academic institution
accredited in this state is required to include computer-related crimes as a
specific violation of college or university student conduct policies and
regulations that may subject a student to disciplinary sanctions up to and
including dismissal from the academic institution.  This paragraph shall not
apply to the University of California unless the Board of Regents adopts a
resolution to that effect.

   (f) {{ The owner or lessee of any computer, computer system, computer
network, computer program, or data shall report to a local law enforcement
agency, including the police, sheriff, or district attorney, any known
violations of this section involving the owner or lessee's computer, computer
system, computer network, computer program, or data.  The reports shall be
made within 60 days after the violations become known to the owner or
lessee. }}

   {{ (g) }} This section shall not be construed to preclude the
applicability of any other provision of the criminal law of this state which
applies or may apply to any transaction, nor shall it make illegal any
employee labor relations activities that are within the scope and protection
of state or federal labor laws.

   << (g) >>

   {{ (h) }} Any computer, computer system, computer network, or any software
or data, owned by the defendant, which is used during the commission of any
public offense described in subdivision (c) or any computer, owned by the
defendant, which is used as a repository for the storage of software or data
illegally obtained in violation of subdivision (c) shall be subject to
forfeiture, as specified in Section 502.01.

   << (h) >>

   {{ (i) }} (1) Subdivision (c) does not apply to any person who accesses
his or her employer's computer system, computer network, computer program, or
data when acting within the scope of his or her lawful employment.

   (2) Paragraph (3) of subdivision (c) does not apply to any employee who
accesses or uses his or her employer's computer system, computer network,
computer program, or data when acting outside the scope of his or her lawful
employment, so long as the employee's activities do not cause an injury, as
defined in paragraph (8) of subdivision (b), to the employer or another, or
so long as the value of  supplies and computer services, as defined in
paragraph (4) of subdivision (b), which are used do not exceed an accumulated
total of one hundred dollars ($100).

   << (i) >>

   {{ (j) }} No activity exempted from prosecution under paragraph (2) of
subdivision << (h) >> {{ (i) }} which incidentally violates paragraph (2),
(4), or (7) of subdivision (c) shall be prosecuted under those paragraphs.

   << (j) >>

   {{ (k) }} For purposes of bringing a civil or a criminal action under this
section, a person who causes, by any means, the access of a computer,
computer system, or computer network in one jurisdiction from another
jurisdiction is deemed to have personally accessed the computer, computer
system, or computer network in each jurisdiction.

   << (k) >>

   {{ (l) }} In determining the terms and conditions applicable to a person
convicted of a violation of this section the court shall consider the
following:

   (1) The court shall consider prohibitions on access to and use of
computers.

   (2) Except as otherwise required by law, the court shall consider
alternate sentencing, including community service, if the defendant shows
remorse and recognition of the wrongdoing, and an inclination not to repeat
the offense.

  SEC. 5. Section 27565 of the Streets and Highways Code is amended to read:

[[** NOTE: This is another amendment, with strikethrus and underscores. **]]

   27565.  (a) The Department of Transportation, in cooperation with the
district and all known entities planning to implement a toll facility in this
state, shall develop and adopt functional specifications and standards for an
automatic vehicle identification system, in compliance with the following
objectives:

   (1) In order to be detected, the driver shall not be required to reduce
speed below the applicable speed for the type of facility being used.

   (2) The vehicle owner shall not be required to purchase or install more
than one device to use on all toll facilities, but may be required to have a
separate account or financial arrangement for the use of these facilities.

   (3) The facility operators shall have the ability to select from different
manufacturers and vendors.   The specifications and standards shall encourage
multiple bidders, and shall not have the effect of limiting the facility
operators to choosing a system which is able to be supplied by only one
manufacturer or vendor.

   (b) {{ The vehicle owner shall have the choice of prepaying tolls, or
being billed after using the facility.  If the vehicle owner prepays tolls:

   (1) The department or any privately owned entity operating a toll facility
shall issue an account number to the vehicle owner. The account number shall
not be derived from the vehicle owner's name, address, social security
number, or driver's license number, or the vehicle's license number, vehicle
identification number, or registration.

   (2) Once an account has been established and an account number has been
given to the vehicle owner, neither the department nor the privately owned
facility shall keep any record of the vehicle owner's name, address, social
security number, or driver's license number, or the vehicle's license number,
vehicle identification number, or registration.

   (3) The vehicle owner may make additional prepayments by specifying the
account number and furnishing payment. }}

   {{ (c) }} Any automatic vehicle identification system purchased or
installed after January 1, 1991, shall comply with the specifications and
standards adopted pursuant to subdivision (a).

   {{ (d) Any automatic vehicle identification system purchased or installed
after January 1, 1993, shall comply with the specifications and standards
adopted pursuant to subdivisions (a) and (b). }}

           [[**** END OF SB 1447, DATED FEBRUARY 10, 1992 ****]]

=============== background comments by legislative assistant ===============


[[**** In this section, since underlining is for emphasis, only, and has no
legal meaning, I changed Mr. Firschein's underlined text to all-caps. ****]]

                       California State Senate
                            Bill Lockyer
                      Tenth Senatorial District
                       Southern Alameda County
                           State Capitol
                    Sacramento, California 95814
                           (916)445-6671

TO: Interested parties
FROM: Ben Firschein, Senator Lockyer's Office
DATE: February 14, 1992

RE: BACKGROUND INFORMATION ON SB 1447 (LOCKYER, PRIVACY)

   You should have received a copy of SB 1447 (Lockyer, Privacy) in the mail
recently.  Senator Lockyer introduced the bill in an effort to address some
of the concerns raised at the privacy hearing on December 10, 1991.

   This memorandum is intended to explain the intent of the various sections
of the bill, but it is not a committee analysis.

   (A committee analysis will be forthcoming at a later date, when the bill
is set for a hearing).  We welcome suggestions as to how to clarify the
language of the bill, or otherwise improve the bill.


SECTION 1: CITATION

   The bill may be cited as the "Privacy Act of 1992"

SECTION 2: INFORMATION OBTAINED FROM DRIVER'S LICENSES

   This section requires the written consent of a consumer for a business
entity to (1) sell information obtained from the consumer's driver's license
or (2) use such information to advertise goods or services.

   The section is intended to cover instances where a consumer presents a
driver's license or identification card for identification purposes during a
business transaction.  The section is not intended to prevent businesses from
using driver's license information for business record-keeping, or for other
purposes related to the transaction (i.e. authorizing a transaction).

   The section is not intended to change existing law with respect to the
ability of businesses to obtain driver's license information from other
sources (such as DMV records).

   The need for this section is heightened by the new "magstripe" drivers
license developed by the Department of Motor Vehicles.  This license has a
magnetic stripe on the back which contains much of the information on the
front of the license.  The stripe will enable a business entity to store
information contained on a driver's license simply by scanning the card
through a reader.

   A publication by the Department of Motor Vehicles dated May 1991
("Department of Motor Vehicles Magnetic Stripe Drivers License/Identification
Card") states that "using point of sale (POS) readers and printers, the
business community can electronically record the DL [driver's license] /ID
number on receipts and business records."  The publication notes that
"magnetic stripe readers are readily available, relatively low in cost, and
are already available in many retail outlets." 

   However, a merchant might access much more than the driver's license/ID
number; the publication notes that "readers have been produced, and market
available readers can be modified that will read the three tracks of
information contained on the California card."  According to the publication,
the tracks contain information such as license type, name, address, sex,
hair-color, eye-color, height, weight, restrictions, issue date.

SECTION 3:
DEPRIVATION OF THE RIGHT TO PRIVACY OF EMPLOYEES OR PROSPECTIVE EMPLOYEES

   This section provides that an employer shall be liable to an employee or
prospective employee for damages caused by subjecting an employee to
discipline or discharge or denying employment to a prospective employee, on
account of the exercise by that person of privacy rights guaranteed by the
California Constitution.

   This section is modeled after Connecticut Labor Code Section 31-51q.  The
Lockyer bill goes further than the Connecticut statute in that it applies to
prospective as well as current employees.

   The bill would allow punitive damages and reasonable attorney's fees to be
awarded pursuant to Section 3 (page 3 lines 10-12).

   The bill would specify that if the court decides that an action for
damages was brought by an employee or a prospective employee without
"substantial justification," the court may award costs and reasonable
attorney's fees to the employer (page 3, lines 12-15).

   As with the Connecticut statute, an employee's cause of action would only
exist if the activity for which the employee was disciplined or discharged
did not "substantially interfere with the employee's bona fide job
performance or working relationship with the employer." (Page 3, lines 4-5).

   POSSIBLE AMENDMENT: The language in the bill covering prospective
employees (page 3, lines 6-9) omits the "substantial interference" language
contained in the section covering existing employees.  Perhaps the bill
should specify that a prospective employee lacks a cause of action if the
prospective employer has a compelling business interest in rejecting someone
because they engaged in certain acts (even though those acts were protected
by the constitutional right to privacy).

   Such an amendment would be consistent with cases such SOROKA V. DAYTON
HUDSON CORPORATION, 91 Daily Journal D.A.R. 13204 (1st Appellate District). 
The court in SOROKA found that a psychological screening test administered to
Target Store security officer applicants violated the applicants' state
constitutional right to privacy when it inquired about their religious
beliefs and sexual orientation, because there was no compelling need for the
test.

   POSSIBLE AMENDMENT # 2: One of the participants in the privacy hearing
suggests language making it clear that the rights and remedies set forth in
the section are not exclusive and do not pre-empt or limit any other
available remedy.

   POTENTIAL ARGUMENTS AGAINST THIS SECTION: Some may argue that in light of
cases such as Soroka, this statute is unnecessary, because these rights are
already set forth in existing case law.

   They may also point out that the California Supreme Court held in WHITE V.
DAVIS that the right to privacy is self-executing, meaning that every
Californian has standing to sue directly under Article I, Section I of the
California Constitution for a privacy violation.  WHITE V. DAVIS (1975) 13
Cal.3d 757, 775.  Given that the right to privacy is self-executing, why is a
statute needed?

   The answer is that case law is in a state of flux, and there is no
guarantee that future courts will construe Article I in such a liberal
fashion.  Also, the bill is an improvement over existing case law in that it
specifically lists the types of damages that may be awarded, including
punitive damages, and reasonable attorney's fees.

SECTION 4. COMPUTER CRIMES

   Jim Warren (one of the witnesses at the hearing) posted the Leg Counsel
draft of the bill on one of the networks and showed me some of the responses.
This section generated most of the comments, some of which were quite vocal.

   First a word of caution to those uninitiated in the ways of the
Legislature: MOST OF THE LANGUAGE IN THIS SECTION IS EXISTING LAW.  Our
proposed additions are contained in language that is in italics or
underlined.  IF IT IS NOT IN ITALICS OR UNDERLINES, IT IS EXISTING LAW.

   PROPOSED ADDITION #1 (page 7, line 25): Extend the existing computer crime
statute [Penal Code Section 502] to allow civil recovery by any injured party
against someone convicted under Section 502 of breaking into a computer. (The
existing law just allows recovery by the owner or lessee of a computer
system). For example, if someone is convicted under Section 502 of breaking
into TRW's computers and altering credit records, the existing statute would
allow TRW to recover against the hacker in a civil suit, but the statute
would not allow someone whose credit history was injured by the hacker to sue
the hacker under statute.

   PROPOSED ADDITION #2 (page 7, lines 30-33): Extend Penal Code Section 502
to allow civil recovery against a convicted hacker for more than just the
cost of expenditures necessary to verify that a computer system was or was
not altered, damaged, or deleted by the access.  The proposed language would
allow civil recovery for ALL CONSEQUENTIAL OR INCIDENTAL DAMAGES resulting
from the intrusion.

   PROPOSED ADDITION #3 (page 7, lines 38-40 & page 8, lines 1-6): Create a
cause of action against those who "recklessly store or maintain data in a
manner which enables a person to commit acts leading to a felony conviction
under this section."

   The section is intended to address the situation where someone stores
information (e.g. credit data) in a manner which easily allows unauthorized
access, and the person who is able to access the information as a result of
the lack of safeguards injures a third party (e.g. a creditor, or a person
whose credit history is altered).

   The source of the section is the case of PEOPLE V. GENTRY 234 Cal.App.3d
131 (1991).  In that case, a hacker figured out that if he queried the credit
databases of TRW, CBI, or Trans Union, about a nonexistent person, each
system would create a new file for that non-existent person.  The non-
existent person would have an exemplary credit history, because there was no
negative credit information in the new file.  The hacker in the GENTRY case
went into the business of rehabilitating people's credit history by having
them change their name, and then creating credit files on these "new" people.

   The court stated in a footnote "we do not address the potential liability
to innocent third parties who might be harmed by this feature of the software
program.  Although Gentry found a weakness in the program and exploited it,
responsibility should not rest solely with the felon. Credit reporting
companies should recognize that this flaw is needlessly risky and remedy it."
(GENTRY, page 135, footnote 3).

   POTENTIAL CONCERNS:  some people who have seen the bill worry that section
4 would apply to someone (e.g. a computer bulletin board operator) who stores
information on a computer about how to commit a crime (e.g. information about
how to break into a computer, or how to build a bomb)

   The section is intended to be limited to reckless storage of data in a
manner which enables a person to commit acts LEADING TO A FELONY CONVICTION
UNDER SECTION 503 (not other types of criminal acts).  "Reckless storage" is
intended to mean maintaining a system that lacks appropriate security
safeguards; it is not intended to include storing information about how to
commit crimes. Hopefully any potential ambiguities can be clarified through
amendments.

   PROPOSED ADDITION #4: The bill requires the reporting to local law
enforcement of violations of the computer crime statute (Penal Code Section
503) within 60 days after such violations become known to the owner or lessee
of a computer system (page 8, lines 26-34).  The bill states that "failure to
report a previous violation of this section to a local law enforcement
agency...may constitute evidence of [reckless storage of data]."

   This is intended to ensure that people report such crimes to law
enforcement.  There are anecdotal reports that some of these crimes are not
being reported because people are concerned about bad publicity resulting
from reports that their systems were broken into.

   POSSIBLE AMENDMENT: it has been suggested that the reporting requirement
be limited to certain types of systems, or to a certain level of monetary
loss.  Objections have been raised that the bill would apply equally to
someone who operates a home computer and to a business that operates a large
mainframe.  One could argue that the reporting requirement is more essential
where a computer owner has a fiduciary or quasi-fiduciary duty to the people
whose records are stored on the system (e.g. accounting or credit records). 
An accountant's or a credit company's failure to report a computer break-in
is more serious than a computer game bulletin board operator's failure to
report a break in.

   One possible objection to restricting the reporting requirement to a
certain level of financial loss is that financial loss is hard to quantify.

   However, Section 503 already uses amount of financial loss to determine
the type of criminal penalty to apply, so one could argue that amount of
monetary loss could similarily be used as an indication of the need to
report.

SECTION 5. AUTOMATIC VEHICLE IDENTIFICATION SYSTEMS

   Existing law directs Caltrans to develop specifications for automatic
vehicle tracking systems for toll facilities, such as those on bridges
(Streets and Highways Code 27565).  People will soon be able have a device
installed in their car which allows them to drive through a toll facility
without stopping.  The device will send a signal to a computer,  which will
keep track of their use of the facility.  At the end of the month, they will
get a bill. Presumably there will continue to be booths that people can drive
through and pay cash.

   At the December 10 privacy hearing, concern was expressed that the device
offers potential for abuse.  For example, if you know a particular vehicle is
driving through the facility, why not program the system to:

   1.  Stop all people with outstanding warrants

   2.  Stop all people who have not paid their vehicle registration

   3.  Compile lists of all people who drove through the facility during a
given month and sell the lists to the private sector.

   One could argue that uses 1 and 2 are legitimate uses of this technology,
because people who have broken the law should expect to come into contact
with the police when they drive on public roads and highways.  But one could
also argue that people have an expectation of privacy when they drive and are
not breaking the law at the time they are stopped (e.g. they are not
speeding, driving under the influence, or otherwise doing anything to attract
the attention of the police).

   Use # 3 is harder to justify.  Why should people have to reveal their
personal lives to the private sector in order to use a device that will speed
up their commute?

   WHAT THE BILL DOES: The bill allows people the option of prepaying their
tolls, and then using the facility anonymously. People would continue to have
the option of being billed, rather than prepaying tolls. 

   Under the bill, people who prepaid their tolls would be given an
identification number unrelated to the vehicle owner's name, address, social
security number, or driver's license number, or the vehicle's license number,
vehicle identification number, or registration (page 10, lines 34-40).  When
they drive through the facility, the facility would look at their account,
and let them through if there was still money in the account.

   The bill provides that once a numbered account has been established,
neither Caltrans nor a private facility shall keep any record of the vehicle
owner's name, address, social security number, or driver's license number, or
the vehicle's license number, vehicle identification number, or registration
(Page 11, lines 1-7).

   The user could make additional prepayments under the bill by specifying
the account number and furnishing payment (Page 11, lines 8-10).

[[**** END OF MR. FIRSCHEIN'S BACKGROUNDER ON SB 1447 OF FEB. 14, 1992 ****]]

                  ==================================

[[**** Both of these documents were edited by word-processor, rather than
by retyping most of the text.  I believe it is faithful to the original.
Any errors are mine; not those of Mr. Firschein nor Sen. Lockyer. 
  --Jim Warren ****]]

Comments

Popular posts from this blog

BOTTOM LIVE script

Evidence supporting quantum information processing in animals

ARMIES OF CHAOS