California Breach Law

California Seeks to Plug Data Breach Law Loopholes

California’s AG is proposing expanding the state’s Data Breach notification law to require businesses to notify consumers when their passport or biometric data such as fingerprint or retina information is exposed. This extends the list of protected data beyond SSN, driver’s license, medical and other personal records.

California AB 1130 a Response to Marriott Hotel Data Breach

California Attorney General Xavier Becerra and Assembly Member Marc Levine proposed bill AB 1130 which would require businesses to notify consumers of data breaches involving the government-issued identification such as social security numbers and biometric data. The expanded list of personal information is being covered in the wake of the last year’s Marriott Hotels data breach. The massive data breach MyProfyle wrote about in December 2018 affected half a billion consumers and exposed their passports and other personal information not covered by the current California data breach law.

The 2018 data breach affected guests at Starwood hotels and appeared to expose the identities of hundreds of millions of consumers as well as the passport information of 25 million hotel guests. Under current regulations, guests whose passports were exposed would not be subject to notification under existing data breach law unless other covered data such as social security numbers or driver’s licenses were also exposed.

California Launched the First State Data Breach Law

California enacted the first data breach law in 2003 and has led the way in many privacy initiatives. The state has passed additional legislation to protect consumers and businesses alike and has demonstrated foresight and a superior understanding of how technology is shaping society and the dangers it poses. In 2018, the State passed AB 375 (the, “California Consumer Privacy Act of 2018”). That same year, the State passed SB-327 (the, “Security of Connected Devices” law) which required manufactures of connected devices to equip their products with “reasonable” security features.

As is often the case, what is initiated in California is often duplicated in other States and at the Federal level of government. Many states follow California’s lead and mimic their legislation and many manufactures and services providers who are forced to comply with California regulations end up complying with those regulations across the entire country. For example, a company that needs to respond to this proposed data breach law by notifying California residents of exposed passports would undoubtedly notify the residents of other states as well lest they face a backlash from their residents for providing inferior notification or protection.

Expanded Private Right of Action

In addition to expanding the data covered by the new data breach regulation, California is proposing expanding the protections afforded consumers when businesses fail to protect their data. A new bill (SB 561) would amend key sections of CCPA to allow government to take immediate action against businesses that have violated the law.  Consumers would have the right to sue for damages not less than $100 and up to $750 per consumer per incident or actual damages, whichever is greater.

Under current regulations, consumers have limited rights to sue companies that fail to maintain reasonable security measures to protect personal information and must provide 30 days written notice of the provisions of the California Consumer Privacy Act (CCPA) being violated. No 30-day notification period would be required under these changes. It would also require that the Attorney General publish general guidance about how to comply with the law.

Next Steps

At MyProfyle, we believe this threat is further proof that everyone’s information is at risk from many different sources and that we are all exposed multiple times per year. The solution to identity fraud is not to try to lock your identity or seek unobtainable privacy but to control your identity – not just your credit – by putting yourself in the position know of, approve or decline activity conducted in your name. That’s MyProfyle Free For Life ™ Identity Protection.


Trip Wire
Insurance Journal
Privacy Law

Did You Find This Post Interesting?

Join our email list to get the latest blog posts sent to you