New Bill Seeks to Expand the Data Breach Notification Law in California

California already has tough data breach notification laws, but there is a loophole which could soon be closed.

At this time, California law calls for data breach notifications to be sent to consumers whenever a breach has occurred involving financial/banking data, Social Security numbers, medical insurance data, health data, driver’s license numbers, passwords, and information collected via automated license plate recognition systems. This list will be expanded to include biometric data (i.e. iris/retina scans, fingerprints and facial recognition information) and passport numbers if a recently introduced bill is passed.

Assembly member Marc Levine (D-San Rafael) introduced bill AB 1130, which will address the loophole in the existing data breach notification legislation that could allow major breaches of highly sensitive data to go unreported.

The bill was prompted by the huge 2018 data breach at Marriott. The theft of a database containing the sensitive data of Starwood Hotels guests saw hackers obtain guests’ names and addresses and more than 25 million passport numbers. The total number of guests affected by the breach was 327 million.

Present California data breach notification rules would have permitted the non-reporting of such a massive breach of passport numbers, and customers may not have received notification letters. Marriott did issue breach notification letters, but some companies may not be as forthcoming about such a breach.

Attorney General Xavier Becerra said that all Californians are entitled to know if their passport number or biometric information has been accessed by unauthorized persons. He explained that AB 1130 will help to ensure that California remains a leader in protecting privacy.


If AB 1130 is passed, California will join Alabama, Oregon and Florida in mandating the issuance of breach notifications for breaches of passport numbers. Iowa and Nebraska already require notifications for breaches of biometric data.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: