California, the U.S. state with some of the strictest data breach notification laws, has promised to make its existing data breach notification laws even stricter by closing several loopholes related to passport and biometric data.
On Thursday 21 February, California’s attorney general, Xavier Becerra, announced a new bill that will expand the requirements for companies to notify their users and/or customers if their passport and government ID numbers, along with biometric data (examples of which include fingerprints, and iris and facial recognition scans), have been stolen.
This comes after a recent amendment to the California Consumer Privacy Act (CaCPA) from attorney general Becerra which stated that the CaCPA will not be enforced until 6 months after the issuing of implementation guidelines on 20 January 2020.
Becerra and Democratic state assembly member Marc Levine introduced the new bill on Thursday, and said the stricter laws and the closing of the existing loopholes were in response to the hack of the Marriott-owned hotel chain Starwood, in which some 383 million unique guests had personal data stolen. This included names, postal addresses, gender, email addresses, encrypted payment data, and passport numbers.
Of the bill, Becerra said: “We have an opportunity today to make our data breach law stronger and that’s why we’re moving today to make it more difficult for hackers and cybercriminals to get your private information,” adding that “AB 1130 closes a gap in California law and ensures that our state remains the nation’s leader in data privacy and protection.”