
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

California Bill Seeks to Expand State Data Breach Notification Law

The data breach notification laws in California are already some of the toughest in the United States, although they could soon become even tougher if a new bill is signed into law.

Currently, California law requires data breach notifications to be issued to consumers when there has been a breach of financial/banking information, Social Security numbers, health insurance information, medical information, driver’s license numbers, passwords, and data collected through automated license plate recognition systems. The new bill seeks to expand that list to include passport numbers and biometric data such as fingerprints, iris/retina scans, and facial recognition data.

The bill – AB 1130 – was introduced by Assemblymember Marc Levine (D-San Rafael) and seeks to close a loophole in the current data breach notification law which could see breaches of highly sensitive information go unreported.

The massive data breach at Marriott in 2018 prompted the bill. A database containing the sensitive information of guests of the Starwood Hotels chain was stolen, resulting in the theft of guests’ names, addresses, and more than 25 million passport numbers. In total, the personal information of 327 million guests was stolen by cybercriminals.


Current data breach notification laws in California would have allowed such a breach of passport numbers to go unreported and consumers would not have needed to be notified. While Marriott did issue notifications, other companies may not have been so forthcoming about such a breach.

“Knowledge is power, and all Californians deserve the power to take action if their passport numbers or biometric data have been accessed without authorization,” said Attorney General Xavier Becerra. “AB 1130 closes a gap in California law and ensures that our state remains the nation’s leader in data privacy and protection.”

If the bill is passed, California will join Alabama, Florida, and Oregon in requiring breach notifications to be issued for breaches of passport numbers, and will join states such as Iowa and Nebraska, which already require breach notifications to be issued for the exposure of biometric data.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
