The data breach notification laws in California are already some of the toughest in the United States, although they could soon become even tougher if a new bill is signed into law.
Currently, California law requires data breach notifications to be issued to consumers when there has been a breach of financial/banking information, Social Security numbers, health insurance information, medical information, driver’s license numbers, passwords, and data collected through automated license plate recognition systems. The new bill seeks to expand that list to include passport numbers and biometric data such as fingerprints, iris/retina scans, and facial recognition data.
The bill – AB 1130 – was introduced by Assemblymember Marc Levine (D-San Rafael) and seeks to close a loophole in the current data breach notification law which could see breaches of highly sensitive information go unreported.
The bill was prompted by the massive Marriott data breach disclosed in 2018. Attackers gained access to the Starwood guest reservation database and exfiltrated guests’ names, addresses, and more than 25 million passport numbers. In total, the personal information of 327 million guests was compromised.
Under the current California law, a breach limited to passport numbers would not have triggered a notification requirement, so consumers would not have had to be told. Marriott did issue notifications voluntarily, but other companies might not be so forthcoming about such a breach.
“Knowledge is power, and all Californians deserve the power to take action if their passport numbers or biometric data have been accessed without authorization,” said Attorney General Xavier Becerra. “AB 1130 closes a gap in California law and ensures that our state remains the nation’s leader in data privacy and protection.”
If the bill is passed, California will join Alabama, Florida, and Oregon, which already require breach notifications for exposed passport numbers, and states such as Iowa and Nebraska, which already require breach notifications for exposed biometric data.