SB-468
CA · State · USA
Status: Failed
Effective Date: 2026-01-01
California SB 468 — High-risk artificial intelligence systems: duty to protect personal information
Summary

SB 468 would impose a duty on covered deployers — businesses that deploy high-risk AI systems processing personal information — to develop, implement, and maintain a comprehensive written information security program with administrative, technical, and physical safeguards scaled to the deployer's size, resources, and data holdings. The program must include detailed requirements covering employee designation, risk assessment, training, access controls, encryption, third-party service provider oversight, breach response documentation, and at least annual review. Violations constitute per se deceptive trade acts under the Unfair Competition Law, enforceable by the Attorney General and through existing UCL private enforcement mechanisms. The California Privacy Protection Agency is authorized to adopt implementing regulations. The bill died pursuant to Joint Rule 56 and did not advance.

Enforcement & Penalties
Enforcement Authority
The California Privacy Protection Agency (CPPA) is authorized to adopt implementing regulations. Violations constitute deceptive trade acts or practices under the Unfair Competition Law (Bus. & Prof. Code § 17200 et seq.), which is enforceable by the Attorney General, district attorneys, county counsel, and city attorneys. The UCL also permits private suits by individuals who have suffered injury in fact and lost money or property as a result of the unfair competition. No standalone private right of action is created by this bill; private enforcement is available only through the existing UCL framework.
Penalties
Violations are per se deceptive trade acts under the UCL (Bus. & Prof. Code § 17200). UCL remedies include injunctive relief and restitution. Civil penalties up to $2,500 per violation are available in government enforcement actions under the UCL. The UCL does not provide for actual damages or attorney fees for private plaintiffs; private UCL plaintiffs may obtain injunctive relief and restitution but must demonstrate injury in fact and loss of money or property.
Who Is Covered
"Covered deployer" means a business that deploys a high-risk artificial intelligence system that processes personal information.
What Is Covered
"High-risk artificial intelligence system" has the same meaning as "high-risk automated decision system," as that term is defined in Section 11546.45.5 of the Government Code.
Compliance Obligations (6 obligations)
G-01 AI Governance Program & Documentation · G-01.1 · G-01.2 · G-01.6 · Deployer · Automated Decisionmaking
Civ. Code § 1798.91.3(a)-(c)(1)-(2)(10)
Plain Language
Covered deployers must develop, implement, and maintain a comprehensive written information security program containing administrative, technical, and physical safeguards scaled to their size, resources, data volume, and confidentiality needs. The program must be consistent with existing state and federal data protection requirements, designate one or more employees to maintain it, and be reviewed at least annually and whenever there is a material change in business practices affecting personal information security. This is a continuing obligation — the program must be maintained, not merely created.
Statutory Text
(a) A covered deployer conducting business in this state shall have a duty to protect personal information held by the covered deployer as provided by this section.
(b) A covered deployer whose high-risk artificial intelligence systems process personal information shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate for all of the following:
(1) The covered deployer's size, scope, and type of business.
(2) The amount of resources available to the covered deployer.
(3) The amount of data stored by the covered deployer.
(4) The need for security and confidentiality of personal information stored by the covered deployer.
(c) The comprehensive information security program required by subdivision (a) shall meet all of the following requirements:
(1) The program shall incorporate safeguards that are consistent with the safeguards for the protection of personal information and information of a similar character under state or federal laws and regulations applicable to the covered deployer.
(2) The program shall include the designation of one or more employees of the covered deployer to maintain the program.
(10) The program shall require the regular review of the scope of the program's security measures that must occur subject to both of the following timeframes:
(A) At least annually.
(B) Whenever there is a material change in the covered deployer's business practices that may reasonably affect the security or integrity of records containing personal information.
G-01 AI Governance Program & Documentation · G-01.3 · Deployer · Automated Decisionmaking
Civ. Code § 1798.91.3(c)(3)-(6)(8)(9)(11)
Plain Language
The information security program must include detailed operational components: risk identification and assessment for internal and external threats to personal information; ongoing employee and contractor training on security procedures; mandatory compliance with program policies with disciplinary measures for violations; policies governing off-premises storage, access, and transportation of personal information records; measures to revoke terminated employees' access; physical access restrictions including locked storage; regular monitoring to prevent unauthorized access; and documented breach response including mandatory post-incident review. These are the operational elements that give the program practical effect beyond the structural requirements in § 1798.91.3(a)-(b).
Statutory Text
(3) The program shall require the identification and assessment of reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of any electronic, paper, or other record containing personal information, and the establishment of a process for evaluating and improving, as necessary, the effectiveness of the current safeguards for limiting those risks, including by all of the following:
(A) Requiring ongoing employee and contractor education and training, including education and training for temporary employees and contractors of the covered deployer, on the proper use of security procedures and protocols and the importance of personal information security.
(B) Mandating employee compliance with policies and procedures established under the program.
(C) Providing a means for detecting and preventing security system failures.
(4) The program shall include security policies for the covered deployer's employees relating to the storage, access, and transportation of records containing personal information outside of the covered deployer's physical business premises.
(5) The program shall provide disciplinary measures for violations of a policy or procedure established under the program.
(6) The program shall include measures for preventing a terminated employee from accessing records containing personal information.
(8) The program shall provide reasonable restrictions on physical access to records containing personal information, including by requiring the records containing the data to be stored in a locked facility, storage area, or container.
(9) The program shall include regular monitoring to ensure that the program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information and, as necessary, upgrading information safeguards to limit the risk of unauthorized access to or unauthorized use of personal information.
(11) The program shall require the documentation of responsive actions taken in connection with any incident involving a breach of security, including a mandatory postincident review of each event and the actions taken, if any, in response to that event to make changes in business practices relating to protection of personal information.
G-01 AI Governance Program & Documentation · Deployer · Automated Decisionmaking
Civ. Code § 1798.91.3(c)(7)
Plain Language
Covered deployers must include in their information security program policies for overseeing third-party service providers that handle personal information. This includes conducting reasonable due diligence in selecting and retaining providers capable of maintaining appropriate security, and contractually requiring those providers to implement and maintain security measures for personal information. This is a supply-chain security obligation — deployers cannot outsource data processing without ensuring downstream protections.
Statutory Text
(7) The program shall provide policies for the supervision of third-party service providers that include both of the following: (A) Taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect personal information consistent with applicable law. (B) Requiring third-party service providers by contract to implement and maintain appropriate security measures for personal information.
G-01 AI Governance Program & Documentation · Deployer · Automated Decisionmaking
Civ. Code § 1798.91.3(c)(12)
Plain Language
To the extent feasible, the information security program must include specific technical security controls: secure user authentication (credential management, password security, account lockout); role-based access controls limiting personal information access to employees and contractors who need it; encryption for data in transit over public or wireless networks and at rest on portable devices; system monitoring for unauthorized access; current firewall protection and OS patches for internet-connected systems; and current malware protection software with regular updates. These are prescriptive technical minimums — deployers may implement higher-security alternatives. The 'to the extent feasible' qualifier provides some flexibility for smaller organizations.
Statutory Text
(12) The program shall, to the extent feasible, include all of the following procedures and protocols with respect to computer system security requirements or procedures and protocols providing a higher degree of security, for the protection of personal information:
(A) The use of secure user authentication protocols that include all of the following features:
(i) The control of user login credentials and other identifiers.
(ii) The use of a reasonably secure method of assigning and selecting passwords or using unique identifier technologies, which may include biometrics or token devices.
(iii) The control of data security passwords to ensure that the passwords are kept in a location and a format that do not compromise the security of the data the passwords protect.
(iv) The restriction of access to only active users and active user accounts.
(v) The blocking of access to user credentials or identification after multiple unsuccessful attempts to gain access.
(B) The use of secure access control measures that include both of the following:
(i) The restriction of access to records and files containing personal information to only employees or contractors who need access to that personal information to perform the job duties of the employees or contractors.
(ii) The assignment of a unique identification and a password to each employee or contractor with access to a computer containing personal information, that may not be a vendor-supplied default password, or the use of another protocol reasonably designed to maintain the integrity of the security of the access controls to personal information.
(C) The encryption of both of the following:
(i) Transmitted records and files containing personal information that will travel across public networks.
(ii) Data containing personal information that is transmitted wirelessly.
(D) The use of reasonable monitoring of systems for unauthorized use of or access to personal information.
(E) The encryption of all personal information stored on laptop computers or other portable devices.
(F) For files containing personal information on a system that is connected to the internet, the use of reasonably current firewall protection and operating system security patches that are reasonably designed to maintain the integrity of the personal information.
(G) The use of both of the following:
(i) A reasonably current version of system security agent software that shall include malware protection and reasonably current patches and virus definitions.
(ii) A version of a system security agent software that is supportable with current patches and virus definitions, and is set to receive the most current security updates on a regular basis.
Other · Automated Decisionmaking
Civ. Code § 1798.91.3(d)
Plain Language
Violations of the information security program requirements are per se deceptive trade acts under California's Unfair Competition Law (Bus. & Prof. Code § 17200). This activates the UCL's existing enforcement framework — including Attorney General enforcement, district attorney enforcement, and private UCL suits by persons who have suffered injury in fact — but creates no new affirmative compliance obligation beyond those already imposed by the substantive provisions of § 1798.91.3(a)-(c).
Statutory Text
(d) A violation of this section by a covered deployer constitutes a deceptive trade act or practice under the Unfair Competition Law (Chapter 5 (commencing with Section 17200) of Part 2 of Division 7 of the Business and Professions Code).
Other · Automated Decisionmaking
Civ. Code § 1798.91.4(a)-(b)
Plain Language
The California Privacy Protection Agency is authorized to adopt implementing regulations under the Administrative Procedure Act, except that fee-related regulations are exempt from APA requirements. This grants the CPPA rulemaking power to flesh out the information security program requirements but imposes no direct compliance obligation on covered deployers. Future CPPA regulations could create additional obligations not yet specified in the statute.
Statutory Text
(a) Except as provided in subdivision (b), the California Privacy Protection Agency may adopt regulations pursuant to the Administrative Procedure Act (Chapter 3.5 (commencing with Section 11340) of Part 1 of Division 3 of Title 2 of the Government Code) to implement and administer this title. (b) Notwithstanding subdivision (a), any regulation adopted by the California Privacy Protection Agency to establish fees authorized by this title shall be exempt from the Administrative Procedure Act (Chapter 3.5 (commencing with Section 11340) of Part 1 of Division 3 of Title 2 of the Government Code).