California Attorney General Xavier Becerra and Assemblymember Marc Levine (D-San Rafael) unveiled AB 1130, legislation to strengthen California’s data breach notification law to protect consumers. The bill closes a loophole in the state’s existing data breach notification law by requiring businesses to notify consumers of compromised passport numbers and biometric information.

“Knowledge is power, and all Californians deserve the power to take action if their passport numbers or biometric data have been accessed without authorization,” said Attorney General Becerra. “We are grateful to Assemblymember Levine for introducing this bill to improve our state’s data breach notification law and better protect the personal data of California consumers. AB 1130 closes a gap in California law and ensures that our state remains the nation’s leader in data privacy and protection.”

“There is a real danger when our personal information is not protected by those we trust,” said Assemblymember Levine. “Businesses must do more to protect personal data, and I am proud to stand with Attorney General Becerra in demanding greater disclosure by a company when a data breach has occurred. AB 1130 will increase our efforts to protect consumers from fraud and affirms our commitment to demand the strongest consumer protections in the nation.”

In 2003, California became the first state to pass a data breach notification law requiring companies to disclose breaches of personal information to California consumers whose personal information was, or was reasonably believed to have been, acquired by an unauthorized person. This personal information includes identifiers such as a person’s social security number, driver’s license number, credit card number, and medical and health insurance information. This bill would update that law to include passport numbers as personal information protected under the statute. Passport numbers are unique, government-issued, static identifiers of a person, which makes them valuable to criminals seeking to create or build fake profiles and commit sophisticated identity theft and fraud. AB 1130 would also update the statute to include protection for a person’s unique biometric information, such as a fingerprint, or image of a retina or iris. 

The legislation was prompted by the massive data breach of the guest database at Starwood Hotels — recently acquired by Marriott — in 2018. Marriott revealed that the massive breach exposed more than 327 million records containing guests’ names, addresses, and more than 25 million passport numbers, among other things. Though the company did notify consumers of the breach, current law does not require companies to report breaches if only consumers’ passport numbers have been improperly accessed.