Security & Fraud

California To Strengthen Data Breach Laws, Close Loopholes

California To Strengthen Data Breach Laws

Lawmakers in California have proposed a new bill that would close some loopholes in data breach notification laws, according to reports.

Attorney General Xavier Becerra said the bill would increase the requirements where companies would have to notify people about stolen information, like their government ID numbers, passports and even biometric data like facial and iris recognition scans, or fingerprints.

The timing of the proposed bill comes after one of the biggest data breaches in history, by the Marriott-owned Starwood hotel chain. Becerra said that breach was the catalyst for the bill.

In September, Starwood revealed that 338 million guests’ data was stolen, including names, addresses, birth dates, email addresses, genders, phone numbers and even credit card info. Five million passport numbers were stolen, too.

By law, Starwood was not required to reveal that passport numbers or biometric data were stolen. California law only requires the disclosure of drivers’ license numbers, Social Security numbers, bank info, passwords, medical info and data collected through plate recognition software.

However, all of that would change under assembly bill 1130, Becerra said.

“We have an opportunity today to make our data breach law stronger, and that’s why we’re moving today to make it more difficult for hackers and cybercriminals to get your private information,” Becerra said. “AB 1130 closes a gap in California law and ensures that our state remains the nation’s leader in data privacy and protection.”

Other states, but not all, require notification of data breaches, including Florida, Oregon and Alabama. Iowa and Nebraska are two of the few states that have biometric data as a requirement for disclosure.

The new bill follows the California Privacy Act by less than a year. That law gave consumers more privacy rights, and parallels the General Data Protection Regulation in Europe. It was passed in June and will go into effect in 2020. The law was met with fierce resistance by tech companies in California, and many lobbied against it, asking for a weaker federal law.



B2B APIs aren’t just for large enterprises anymore — middle-market firms and SMBs now realize their potential for enabling low-cost access to real-time payments and account data. But those capabilities are only the tip of the API iceberg, says HSBC global head of liquidity and cash management Diane Reyes. In this month’s B2B API Tracker, Reyes explains how the next wave of banking APIs could fight payments fraud and proactively alert middle-market treasurers to investment opportunities.