Move may soon be echoed by more US states

Lawmakers in California have approved new legislation that serves to expand the state’s data breach notification law by requiring businesses to notify consumers of compromised passport numbers and biometric information.

Championed by State Assembly member Marc Levine, the bill (AB 1130) is said to have been promoted by the Starwood Hotels data breach in 2018, in which more than 25 million passport numbers were taken over a four-year period.

Although the hotelier notified customers of the breach in this instance, Levine said the incident revealed a potential “loophole” in the legislation, where companies would not be required to report a breach if only passport numbers had been accessed.

In addition to requiring organizations to report a passport data breach, the bill also brings California’s breach notification law up-to-date with modern authentication technology, which makes increasing use of biometric data.

Under AB 1130, organizations will also be required to notify consumers if their unique biometric information – such as fingerprint, retina, or iris image – has been compromised.

“Knowledge is power, and all Californians deserve the power to take action if their passport numbers or biometric data have been accessed,” said California Attorney General Xavier Becerra, who sponsored the bill.

RELATED GDPR vs. CCPA: Which goes further to protect personal data?

For David Oberly, associate at US law firm Blank Rome, the amendment better aligns California’s data breach notification law with modern approaches to identity verification.

“At the time that many states’ original data breach notification laws were passed, biometric data was largely a thing of science fiction,” Oberly told The Daily Swig.

“However, as time and technology has progressed, biometric technologies have become mainstream today, with biometric data being commonly utilized across a broad range of different, diverse industries.”

Oberly noted that several other US states have also amended their breach notification laws this year to include biometric data, including Arkansas, New York, and Washington.

“Moving forward it is clear that state legislatures across the US will continue to look for ways to force companies to tighten up their biometric data practices, leading to greater regulation over the use of biometric data in the coming months and years.

“Ultimately, with more and more states seeking to enact biometric privacy laws of their own, it is imperative that all companies that utilize biometric data in the course of their business activities devote the necessary time, effort, and resources so that they can be ready to respond to the rapidly evolving legal landscape of biometric privacy law.”

AB 1130 takes effect on January 1, 2020 – the same day that a separate piece of legislation, the California Consumer Privacy Act, is scheduled to come into play.

YOU MIGHT ALSO LIKE The race for the right to privacy in the US