HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

California Bill Seeks to Expand State Data Breach Notification Law

The data breach notification laws in California are already some of the toughest in the United States, although they could soon become even tougher if a new bill is signed into law.

Currently, California law requires data breach notifications to be issued to consumers when there has been a breach of financial/banking information, Social Security numbers, health insurance information, medical information, driver’s license numbers, passwords, and data collected through automated license plate recognition systems. The new bill seeks to expand that list to include passport numbers and biometric data such as fingerprints, iris/retina scans, and facial recognition data.

The bill – AB 1130 – was introduced by Assemblymember Marc Levine (D-San Rafael) and seeks to close a loophole in the current data breach notification law which could see breaches of highly sensitive information go unreported.

The massive data breach at Marriott in 2018 prompted the bill. A database containing the sensitive information of guests of the Starwood Hotels chain was stolen, resulting in the theft of guests’ names, addresses, and more than 25 million passport numbers. In total, the personal information of 327 million guests was stolen by cybercriminals.

Current data breach notification laws in California would have allowed such a breach of passport numbers to go unreported and consumers would not have needed to be notified. While Marriott did issue notifications, other companies may not have been so forthcoming about such a breach.

“Knowledge is power, and all Californians deserve the power to take action if their passport numbers or biometric data have been accessed without authorization,” said Attorney General Xavier Becerra. “AB 1130 closes a gap in California law and ensures that our state remains the nation’s leader in data privacy and protection.”

If the bill is passed, California will join Alabama, Florida, and Oregon in requiring breach notifications to be issued for breaches of passport numbers, and will join states such as Iowa and Nebraska, which already require breach notifications to be issued for the exposure of biometric data.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.