California Introduces New Bill to Enhance Data Breach Notification Laws

California already has some of the strongest data breach laws in the U.S., but thinks it can do better.

• By Sydny Shepard
• Feb 25, 2019

California's attorney general Xavier Becerra announced a new bill last week that aims to close loopholes in its existing data breach notification laws by expanding the requirements for companies to notify users or customers if their passport and government ID numbers, along with biometric data, such as fingerprints, and iris and facial recognition scans, have been stolen.

The updated draft legislation lands just a few months after the Marriott-owned hotel chain Starwood said data on sewer than 383 million unique guests was stolen in a data breach revealed last September. The hack prompted Becarra and Democratic state assembly member Marc Levine to introduce the change to engage stricter data breach laws.

Although Starwood came clean and revealed the data breach, companies are not currently legally obligated to disclose that passport numbers or biometric data have been stolen. Under California state law, only Social Security numbers, driver's license numbers, banking information, passwords, medical and health insurance information and data collected through automatic license plate recognition systems must be reported.

That is set to change under the new California assembly bill 1130.

“We have an opportunity today to make our data breach law stronger and that’s why we’re moving today to make it more difficult for hackers and cybercriminals to get your private information,” said Becerra at a press conference in San Francisco. “AB 1130 closes a gap in California law and ensures that our state remains the nation’s leader in data privacy and protection."