Data Breach Notification: California Targets 'Loopholes'Marriott's Starwood Mega-Breach Drives Data Protection Update
A proposed California law would expand the state's pioneering data breach notification requirements to include breaches of biometric data and passport numbers.
See Also: A Guide to Passwordless Anywhere
California Attorney General Xavier Becerra on Thursday announced the proposed law, AB 1130, saying it would close a loophole in the state's current breach notification law.
The state's current data breach law doesn't require organizations to notify individuals if their passport number has been exposed.
The bill was submitted by Assemblyman Marc Levine, D-San Rafael, who said it was driven by the recently announced mega-breach of Marriott's Starwood reservation database (see: Marriott Mega-Breach: Victim Count Drops to 383 Million).
"Businesses must do more to protect personal data," Levine says. "AB 1130 will increase our efforts to protect consumers from fraud and affirms our commitment to demand the strongest consumer protections in the nation."
In November 2018, Marriott said the breach had begun in 2014 and that hackers had stolen information pertaining to 327 million customers, including names and addresses. Other exposed information included 8.6 million encrypted payment cards as well as 25.6 million passport numbers, of which 5.25 million were unencrypted. Marriott acquired Starwood in September 2016 for $13 billion.
Although Marriott was not required to notify breach victims that their passport data had been exposed, it did do so.
Defined: 'Personal Information'
California's proposed data breach notification changes would add any government-issued identification number to the list of "personal information" that triggers a mandatory state data breach notification, beyond state driver's license or identification numbers, which are all that the current law explicitly mentions for IDs .
Also, for the first time, the bill would require a mandatory notification in the event that a breach exposed any unique biometric data, including fingerprint, retina, or iris images (see: Stolen OPM Fingerprints: What's the Risk?).
The bill would update California state's definition of personal information as constituting "an individual's first name or first initial and last name" in combination with any of the following, when either the name or these data elements have not been encrypted:
- Social Security number;
- Driver's license number, California identification card number or other government-issued identification number;
- Account number or credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual's financial account;
- Medical information;
- Health insurance information;
- Unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data;
- Information or data collected through the use or operation of an automated license plate recognition system.
California's data breach notification law already requires breached organizations to disclose specific details, "written in plain language," under the following headings:
- What happened;
- What information was involved;
- What we are doing;
- What you can do;
- For more information.
But the Identity Theft Resource Center, a nonprofit organization based in San Diego that assists breach victims for free, says that many organizations still fail to offer specifics about their breaches. "Companies need to be more transparent and granular with their disclosures," the ITRC said in an analysis of 2018 U.S. data breaches, released last month (see: Fewer Breaches in 2018, But More Sensitive Data Spilled).
"When breach notification letters simply list the compromised data as 'Employee records,' 'XXXX' or even just 'Other' - these examples have been taken from actual notifications we reviewed this year - we cannot provide the affected consumers the action plans they need and deserve because we cannot assess what their true risk is," the ITRC report said.
All 50 States Have Notification Laws
When California State Bill 1386 went into effect in 2003, it was country's first data breach notification legislation. California's data breach notification rules continue to be among the strongest in the U.S. And in 2020, a new California law will bring even greater privacy protections.
Last year, California passed AB 375, a privacy measure that requires businesses to disclose the purpose for collecting or selling personal data they collect as well as the identity of the third-party organizations receiving the data. Consumers can also request data be deleted and initiate civil action if they believe that an organization has failed to protect their personal data (see: California's New Privacy Law: It's Almost GDPR in the US).
California hasn't shied away from cracking down on organizations that violate privacy rights.
Becerra's office recently announced that it would fine Aetna nearly $1 million - subject to court approval - after the health insurer exposed that 12,000 individuals were using medication for HIV. The state attorney general's office was also instrumental in reaching a $148 million settlement agreement in September 2018 with Uber for inadequate information security practices and its failure to report a massive data breach in a timely manner.
All states now have some type of notification requirement in place.
"Each of the 50 states now has its own breach notification laws, with nearly one-half adopting data security and/or data disposal requirements to protect consumers' personally identifiable information from unauthorized disclosure," privacy attorney David Holtzman, vice president of compliance at security consultancy CynergisTek, recently told Information Security Media Group (see: Privacy: Several States Consider New Laws).
Congress, however, has so far failed to pass any national data breach notification legislation, in part because previous bipartisan proposals were weaker than laws already on the books in some states, including California and Massachusetts.
Privacy in the GDPR Age
From a privacy standpoint, however, state laws pale in comparison to the EU's General Data Protection Regulation, which requires any organization that handles Europeans' personal data to ensure that it remains secure, to clearly communicate how they're processing personal data and to secure permission from individuals before doing so.
Since GDPR went into full effect on May 25, 2018, organizations have also been required to report to regulators any breaches involving Europeans' personal data (see: Data Breach Reports in Europe Under GDPR Exceed 59,000).
Before collecting or using Europeans' biometric details, for example, organizations must also ensure they have a lawful basis for doing so, according to the U.K. Information Commissioner's Office, which enforces the country's privacy laws. Organizations must also gain an individual's explicit consent for doing so, except in some cases where a country's laws allow the government to collect biometric data for very specific purposes.
Some U.S. state lawmakers are looking at GDPR as a way to improve their own approach to safeguarding residents' privacy.
"The European Union recently updated its privacy law through the passage and implementation of the General Data Protection Regulation, affording its residents the strongest privacy protections in the world," reads the text of a personal data security bill introduced in Washington state last month. "Washington residents deserve to enjoy the same level of robust privacy safeguards."