California to close data breach notification loopholes under new law

NelsonG · February 21, 2019

California, which has some of the strongest data breach notification laws in the U.S., thinks it can do even better.

The golden state’s attorney general Xavier Becerra announced a new bill Thursday that aims to close loopholes in its existing data breach notification laws by expanding the requirements for companies to notify users or customers if their passport and government ID numbers, along with biometric data, such as fingerprints, and iris and facial recognition scans, have been stolen.

The updated draft legislation lands a few months after the Starwood hack, which Becerra and Democratic state assembly member Marc Levine, who introduced the bill, said prompted the law change.

Marriott-owned hotel chain Starwood said data on fewer than 383 million unique guests was stolen in the data breach, revealed in September, including guest names, postal addresses, phone numbers, dates of birth, genders, email addresses, some encrypted payment card data and other reservation information. Starwood also disclosed that five million passport numbers were stolen.

Although Starwood came clean and revealed the data breach, companies are not currently legally obligated to disclose that passport numbers or biometric data have been stolen. Under California state law, only Social Security numbers, driver’s license numbers, banking information, passwords, medical and health insurance information and data collected through automatic license plate recognition systems must be reported.

That’s set to change, under the new California assembly bill 1130, the state attorney general said.

“We have an opportunity today to make our data breach law stronger and that’s why we’re moving today to make it more difficult for hackers and cybercriminals to get your private information,” said Becerra at a press conference in San Francisco. “AB 1130 closes a gap in California law and ensures that our state remains the nation’s leader in data privacy and protection,” he said.

Several other states, like Alabama, Florida and Oregon, already require data breach notifications in the event of passport number breaches, and also biometric data in the case of Iowa and Nebraska, among others.

California remains, however, one of only a handful of states that require the provision of credit monitoring or identity theft protection after certain kinds of breaches.

Thursday’s bill comes less than a year after state lawmakers passed the California Privacy Act into law, greatly expanding privacy rights for consumers — similar to provisions provided to Europeans under the newly instituted General Data Protection Regulation. The state privacy law, passed in June and set to go into effect in 2020, was met with hostility by tech companies headquartered in the state, prompting a lobbying effort to push for a superseding but weaker federal privacy law.