The proposed legislation would close a loophole in the state’s existing data breach notification law, requiring breached organizations to report compromised biometrics and passport numbers.
California Attorney General Xavier Becerra and Assembly member Marc Levine are seeking to strengthen the state’s data breach notification law with a bill that would close a loophole by expanding the law’s definition of personal information to include biometrics and passport numbers.
In effect since 2003, California’s law is currently one of the toughest data breach notification laws in the country. California was one of the first states to require companies to notify consumers when their personal information was reasonably believed to have been acquired by an unauthorized party.
California is also one of the few states that require breached organizations to offer affected individuals credit monitoring and/or identity theft protection after certain security incidents.
The personal information currently covered by those requirements includes health data, personal identifiers, credit card numbers, insurance details, and other personal information. The proposed legislation would add passport numbers to the list of protected personal information, along with biometrics such as fingerprints or retina images.
California’s effort joins those of Florida, Alabama, and Oregon, which already require organizations to report breached passport numbers. Nebraska and other states also include biometrics under their breach reporting requirements. Most recently, the Illinois Supreme Court ruled that plaintiffs suing under the state’s biometric privacy law need not show actual harm.
The proposal comes in response to the massive Marriott breach disclosed in 2018, which compromised over 327 million personal records, including more than 25 million passport numbers. Officials said that while the company notified consumers, the current law does not require businesses to do so if only passport numbers were improperly accessed.
“Knowledge is power, and all Californians deserve the power to take action if their passport numbers or biometric data have been accessed without authorization,” Becerra said in a statement. “AB 1130 closes a gap in California law and ensures that our state remains the nation’s leader in data privacy and protection.”
“There is a real danger when our personal information is not protected by those we trust,” said Levine, in a statement. “Businesses must do more to protect personal data… AB 1130 will increase our efforts to protect consumers from fraud and affirms our commitment to demand the strongest consumer protections in the nation.”
The bill comes a year after the state passed its highly publicized privacy law, which expanded consumer privacy rights and is often compared to the EU’s General Data Protection Regulation. California and other states have also stepped up audits and fines for organizations’ security failures, including the Aetna breach caused by a mailing error.
While Aetna already settled a class-action lawsuit with the 12,000 patients impacted by the breach, Pennsylvania, Connecticut, Washington, New York, and Washington, D.C. also settled with the insurer in 2017. California settled with Aetna in January.
Although California has one of the toughest breach notification laws, its bill is part of a larger movement among states attempting to bolster breach laws. Most recently, North Carolina reintroduced a bill to update its data breach notification law, which would give organizations just 30 days to report a breach, half the time HIPAA allows.