Security Experts:

Connect with us

Hi, what are you looking for?



California Introduces New Data Breach Notification Law

California Attorney General Xavier Becerra and Assemblymember Marc Levine last week introduced a new piece of legislation that would require organizations to notify consumers if their passport or biometric information has been compromised in a data breach.

California Attorney General Xavier Becerra and Assemblymember Marc Levine last week introduced a new piece of legislation that would require organizations to notify consumers if their passport or biometric information has been compromised in a data breach.

In 2003, California passed a data breach notification law requiring businesses to inform consumers if their personal data was or may have been stolen as a result of security breach. This data includes social security numbers, credit card numbers, driver’s license numbers, and medical and health insurance information.

Officials have now unveiled a new bill, AB 1130, which adds biometric information and passport numbers to that list in an effort to close what they have described as a “loophole” in existing legislation.

“There is a real danger when our personal information is not protected by those we trust,” said Assemblymember Levine. “Businesses must do more to protect personal data, and I am proud to stand with Attorney General Becerra in demanding greater disclosure by a company when a data breach has occurred. AB 1130 will increase our efforts to protect consumers from fraud and affirms our commitment to demand the strongest consumer protections in the nation.”

The new bill comes in response to the massive data breach suffered recently by Marriott, which impacted hundreds of millions of individuals. Attackers reportedly accessed more than 25 million passport numbers, including over 5 million that had not been encrypted.

There have also been some security incidents in recent years that resulted in biometric data getting compromised. One example is the breach suffered in 2017 by micro markets solutions provider Avanti Markets, which revealed that a piece of malware had helped cybercriminals steal, among other types of information, biometric data associated with a fingerprint scanner.

When introducing the new bill, authorities in California mentioned not only fingerprints, but also retina or iris images.

“While the risk of hackers actually recreating your passport with just your number is relatively low, be aware hackers can use your passport number, combined with other information they might have acquired, like your name, date of birth, etc., to ‘verify’ your identity and attempt to access financial accounts or create new ones — that’s why it’s vitally important for breaches like this to be disclosed as soon as possible, so users can take protective measures, like changing passwords, setting up two-factor authentication and keeping a close eye on financial records,” Francis Dinha, CEO of OpenVPN, told SecurityWeek.

Drew Lydecker, president and co-founder of AVANT Communications, commented, “Regardless of size or industry, all companies own some kind of intellectual property — and they need to believe there’s someone out there trying to get a hold of this information. In the case of Marriott, a massive organization with thousands of properties and high transaction volume, it’s difficult to respond quickly to threats, especially as the cybersecurity talent crisis continues to intensify. Recent estimates indicate that there could be as many as 3.5 million unfilled cybersecurity positions by 2021.”

Related: California IoT Cybersecurity Bill Signed into Law

Related: California to Ban Weak Passwords

Related: Face Recognition Nabs Fake Passport User at US Airport

Related: Schumer Says Marriott Should Pay to Replace Hacked Passports

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack