Security & Fraud

California To Strengthen Data Breach Laws, Close Loopholes

California To Strengthen Data Breach Laws

Lawmakers in California have proposed a new bill that would close some loopholes in data breach notification laws, according to reports.

Attorney General Xavier Becerra said the bill would increase the requirements where companies would have to notify people about stolen information, like their government ID numbers, passports and even biometric data like facial and iris recognition scans, or fingerprints.

The timing of the proposed bill comes after one of the biggest data breaches in history, by the Marriott-owned Starwood hotel chain. Becerra said that breach was the catalyst for the bill.

In September, Starwood revealed that 338 million guests’ data was stolen, including names, addresses, birth dates, email addresses, genders, phone numbers and even credit card info. Five million passport numbers were stolen, too.

By law, Starwood was not required to reveal that passport numbers or biometric data were stolen. California law only requires the disclosure of drivers’ license numbers, Social Security numbers, bank info, passwords, medical info and data collected through plate recognition software.

However, all of that would change under assembly bill 1130, Becerra said.

“We have an opportunity today to make our data breach law stronger, and that’s why we’re moving today to make it more difficult for hackers and cybercriminals to get your private information,” Becerra said. “AB 1130 closes a gap in California law and ensures that our state remains the nation’s leader in data privacy and protection.”

Other states, but not all, require notification of data breaches, including Florida, Oregon and Alabama. Iowa and Nebraska are two of the few states that have biometric data as a requirement for disclosure.

The new bill follows the California Privacy Act by less than a year. That law gave consumers more privacy rights, and parallels the General Data Protection Regulation in Europe. It was passed in June and will go into effect in 2020. The law was met with fierce resistance by tech companies in California, and many lobbied against it, asking for a weaker federal law.


Featured PYMNTS Study:

More than 63 percent of merchant service providers (MSPs) want to overhaul their core payment processing systems so they can up their value-added services (VAS) game. It’s tough, though, since many of these systems date back to the pre-digital era. In the January 2020 Optimizing Merchant Services Playbook, PYMNTS unpacks what 200 MSPs say is key to delivering the VAS agenda that is critical to their success.