California might have more comprehensive data breach notification rules if a new bill becomes law. The Golden State's Attorney General, Xavier Becerra, and Assemblymember Marc Levine want to require companies to notify customers if their passport numbers and biometric information have been compromised. According to Becerra's announcement, the massive Starwood Hotels data breach in 2018 prompted them to draft the proposal. That security breach affected as many as 500 million guests, with the hackers managing to steal around 327 million personal records, including passport numbers.
As Becerra noted, California was the first state to pass a data breach notification law back in 2003, requiring businesses to disclose if consumers' personal information had been stolen. However, only Social Security numbers, driver's license numbers, credit card numbers and medical and health insurance data are considered "personal information" under its rules.
While Starwood Hotels disclosed the security breach, other companies might not be as forthcoming when they're not legally required to divulge a hack based on what was stolen. That's why this bill aims to update the law in order to add passport numbers and biometric information, such as fingerprints and iris scans, to the list of recognized personal information. Passport numbers are government-issued identifiers, after all, and a bad actor could use them to steal a person's identity via social engineering or to commit fraud.
The Attorney General said in a statement:
"Knowledge is power, and all Californians deserve the power to take action if their passport numbers or biometric data have been accessed without authorization. We are grateful to Assemblymember Levine for introducing this bill to improve our state's data breach notification law and better protect the personal data of California consumers. AB 1130 closes a gap in California law and ensures that our state remains the nation's leader in data privacy and protection."