CA AB1859

Requires consumer credit reporting agencies and third parties maintaining personal information on their behalf to identify and address security vulnerabilities that pose significant risk to computerized data containing personal information.

Mandates agencies begin testing and planning for software updates within 3 business days of becoming aware of a vulnerability and available update, with completion required within 90 days, following industry best practices.

Requires agencies to implement reasonable compensating controls to reduce breach risk while software updates are being completed.

Obligates agencies to identify and prioritize the highest-risk security vulnerabilities for fastest remediation and to require third-party contractors to implement appropriate security measures by contract.

Grants the California Attorney General exclusive authority to enforce the requirements under this section.