Committee hears SB 468 to require written security programs for high‑risk AI using personal data
Summary
Senator Becker's SB 468 would require businesses that deploy high‑risk AI systems processing Californians' personal data to maintain a written information security program and make violations deceptive practices under the state's unfair competition law; the California Privacy Protection Agency would be empowered to adopt implementing regulations.
Senate Judiciary took testimony on SB 468, which aims to require businesses that use “high‑risk” artificial intelligence systems to process Californians’ personal data to maintain a written information security program based on established industry standards.
Senator Becker told the committee AI systems can present unique vulnerabilities — for example, data‑poisoning or model inversion attacks — and said current law’s “reasonable security” standard lacks specificity for AI. The bill would treat violations as deceptive practices under the Unfair Competition Law and give the California Privacy Protection Agency authority to write implementing rules.
Supporters included Steve Wimmer of the Transparency Coalition, who testified that existing standards such as HIPAA and SOC 2 should inform protections for AI systems and that tests and monitoring are needed to catch “hallucinations” and data exfiltration. Cleveland‑area and consumer privacy advocates also registered support.
No witnesses formally opposed the bill during the hearing. Committee members asked questions about carve‑outs for health care systems subject to HIPAA and whether a private right of action would remain; Senator Becker said exemptions and enforcement design remain open to negotiation and emphasized administrative enforcement through the state privacy agency as the primary mechanism.
The committee did not record a final vote on SB 468 in the transcript provided. The author indicated willingness to refine the approach with regulators and stakeholders.
