Yesterday, California Attorney General Xavier Becerra and Assemblymember Marc Levine (D-San Rafael) announced Assembly Bill 1130, which is intended to strengthen California’s existing data breach notification law. In short, AB 1130 would amend the existing law to add passport numbers and biometric information (e.g., fingerprint and retina scan data) to the definition of personal information, so that a breach of that data would trigger the law’s notification requirements to consumers.
Currently, similar to most breach notification laws in other states, California’s breach notification law defines personal information to include a covered person’s first name (or first initial) and last name coupled with sensitive information such as Social Security numbers, driver’s license numbers, financial account numbers and health information. The changes under AB 1130 would keep California among the states with the broadest definitions, although a number of other states, such as Illinois, already treat biometric information as personal information under their breach notification laws. As many have observed, these state-by-state differences only add to the complexity businesses face when they experience a data breach affecting individuals in multiple states.
News reports concerning the announcement of AB 1130 note that Attorney General Xavier Becerra “has promised to crack down on companies that try to hide data breaches from the public.” And soon individuals in California affected by a data breach likely will have expanded rights to sue under the California Consumer Privacy Act (CCPA). As we reported earlier, the CCPA authorizes a private cause of action against a covered business for damages resulting from a failure to implement and maintain reasonable security procedures and practices that results in a data breach. For that cause of action, the CCPA incorporates the definition of personal information under the California breach notification law, so any expansion of that definition flows through to the CCPA as well. What should be troubling for covered businesses is that, if successful, a plaintiff can recover statutory damages of not less than $100 and not greater than $750 per consumer per incident, or actual damages, whichever is greater, as well as injunctive or declaratory relief and any other relief the court deems proper. Because statutory damages are calculated per consumer, a breach affecting a large number of Californians can support a very large class claim without any showing of actual loss. Thus, in addition to the costs of notification a covered business may have to incur under the state’s breach notification law, which could include providing ID theft and credit monitoring services, class action lawsuits brought pursuant to this provision of the CCPA could be very costly. The expansion of the definition of personal information to include passport and biometric data only increases these risks.