(SACRAMENTO) – Legislation by Assemblymember Marc Levine (D – Marin County) to strengthen California’s data breach notification and consumer privacy protections has been signed into law by Governor Gavin Newsom. AB 1130 (Levine), sponsored by California Attorney General Xavier Becerra closes a loophole in the state’s existing data breach notification law by requiring businesses to notify consumers of compromised passport numbers and biometric information.
In 2003, California became the first state to pass a data breach notification law requiring companies to disclose breaches of personal information to California consumers whose personal information was, or was reasonably believed to have been, acquired by an unauthorized person. This personal information includes identifiers such as a person’s social security number, driver’s license number, credit card number, and medical and health insurance information. AB 1130 would update that law to include passport numbers as personal information protected under the statute. Passport numbers are unique, government-issued, static identifiers of a person, which makes them valuable to criminals seeking to create or build fake profiles and commit sophisticated identity theft and fraud. This bill would also update the statute to include for protection a person’s unique biometric information, such as a fingerprint, and retina or iris image.
“Knowledge is power, and all Californians deserve the power to take action if their passport numbers or biometric data have been accessed,” said Attorney General Becerra. “We are grateful to Assemblymember Levine for introducing this bill to expand our state’s data breach notification law and better protect the personal data of California consumers. This legislation will close a gap in California law, and ensure that our state remains a leader in data privacy and protection.”
AB 1130 was prompted after Starwood Hotels - recently acquired by Marriott - revealed in 2018 that it had suffered a massive data breach of its guest database, exposing more than 327 million records, containing guests’ names, addresses, and more than 25 million passport numbers, among other things. Though the company did notify consumers of the breach, current law does not require companies to report breaches if only consumers’ passport numbers have been accessed.
“There is a real danger when our personal information is not protected by those we trust,” said Assemblymember Levine. “Businesses must do more to protect personal data and I am proud to stand with Attorney General Becerra in demanding greater disclosure by a company when a data breach has occurred. AB 1130 will increase our efforts to protect consumers from fraud and affirms our commitment to demand the strongest consumer protections in the nation.”
AB 1130 takes effect on January 1, 2020.