In brief: California is introducing new legislation that expands on current data breach notification requirements. The state's attorney general announced the proposal yesterday. It looks to add passports and biometric data to the list of "personal information" that is protected under current California law.
Drafted by Becerra and Assemblyman Marc Levine, the law will require companies to notify customers if their biometric data or passport numbers have been compromised. Existing legislation, passed in 2003, treats only health insurance information, medical data, and credit card, driver’s license, and social security card numbers as “personal information.”
Becerra says the bill would expand the current protections. The proposal was prompted by the Marriott/Starwood breach last November, in which hackers stole over 500 million customer records, including 25 million passport numbers.
AB 1130 will increase our efforts to protect consumers from fraud and affirms our commitment to demand the strongest consumer protections in the nation.
“Knowledge is power, and all Californians deserve the power to take action if their passport numbers or biometric data have been accessed without authorization,” said the California AG. “We are grateful to Assemblymember Levine for introducing this bill to improve our state’s data breach notification law and better protect the personal data of California consumers. AB 1130 closes a gap in California law and ensures that our state remains the nation’s leader in data privacy and protection.”
Becerra notes that while Marriott did notify customers of the Starwood breach as required by law, he is not so sure that would have been the case if only the 25 million passport numbers, which are not currently required to be reported, had gone missing.
Identity theft and fraud are on the rise, with millions of records being sold on the dark web every day. With so many companies controlling consumers' digital fingerprints, both figuratively and literally, lawmakers view the disclosure of breaches of that information as being of the most vital importance. The public must be allowed to know there are real or potential bad actors accessing their data so they can take immediate action.