A new bill would strengthen California’s data breach notification law by expanding businesses’ obligations to inform their customers in the event of a security incident.
On 21 February, California Attorney General Xavier Becerra and Assembly Member Marc Levine (D-San Rafael) revealed AB 1130. This bill would require businesses to notify customers of a security incident that exposed their passport numbers and/or their biometric information such as a fingerprint or retina image.
This bill builds upon the State’s existing data breach notification law, which requires businesses to inform consumers of the acquisition of their Social Security Number, driver’s license number, credit card number, medical and health insurance information as well as other personal data by an unauthorized individual.
California enacted this original legislation in 2003, thereby becoming the first U.S. State to put a data breach notification law in place. Since then, it’s passed additional laws designed to uphold consumer privacy. For instance, California adopted data privacy protections and requirements similar to GDPR on 18 June 2018 when it passed AB 375 (the California Consumer Privacy Act of 2018). Just a few months later, the State enacted SB-327 (the “Security of Connected Devices” law), which requires manufacturers of connected devices to equip their products with “reasonable” security features.
According to a statement published by California’s Office of the Attorney General, a significant force behind the proposal of AB 1130 was the 2018 data breach at Starwood Hotels that compromised 25 million passport numbers along with 327 million records including guests’ names and addresses.
Attorney General Becerra is confident that AB 1130 would help better protect consumers going forward. As quoted in the statement:
“Knowledge is power, and all Californians deserve the power to take action if their passport numbers or biometric data have been accessed without authorization. We are grateful to Assemblymember Levine for introducing this bill to improve our state’s data breach notification law and better protect the personal data of California consumers. AB 1130 closes a gap in California law and ensures that our state remains the nation’s leader in data privacy and protection.”
While California’s Assembly considers AB 1130, the State as a whole continues its preparations for the newly passed Consumer Privacy Act of 2018 to take effect in 2020.