California already has tough data breach notification laws, but there is a loophole which could soon be closed.
At this time, California law calls for data breach notifications to be sent to consumers whenever a breach has occurred involving financial/banking data, Social Security numbers, medical insurance data, health data, driver’s license numbers, passwords, and information collected via automated license plate recognition systems. This list will be expanded to include biometric data (i.e. iris/retina scans, fingerprints and facial recognition information) and passport numbers if a recently introduced bill is passed.
Assembly member Marc Levine (D-San Rafael) introduced bill AB 1130, which will address the loophole in the existing data breach notification legislation that could allow major breaches of highly sensitive data to go unreported.
The bill was prompted by the huge 2018 data breach at Marriott. The theft of a database containing the sensitive data of Starwood Hotels guests saw hackers obtain guests’ names and addresses and more than 25 million passport numbers. The total number of guests affected by the breach was 327 million.
Present California data breach notification rules would have permitted the non-reporting of such a massive breach of passport numbers, and customers may not have received notification letters. Marriott did issue breach notification letters, but some companies may not be as forthcoming about such a breach.
Attorney General Xavier Becerra said that all Californians are entitled to know if their passport number or biometric information has been accessed by unauthorized persons. He explained that AB 1130 will help to ensure that California remains a leader in protecting privacy.
If AB 1130 is passed, California will join Alabama, Oregon and Florida in mandating the issuance of breach notifications for breaches of passport numbers. Iowa and Nebraska already require notifications for breaches of biometric data.