California Introduces New Data Breach Notification Law

California Attorney General Xavier Becerra and Assemblymember Marc Levine last week introduced a new piece of legislation that would require organizations to notify consumers if their passport or biometric information has been compromised in a data breach.

In 2003, California passed a data breach notification law requiring businesses to inform consumers if their personal data was or may have been stolen as a result of security breach. This data includes social security numbers, credit card numbers, driver’s license numbers, and medical and health insurance information.

Officials have now unveiled a new bill, AB 1130, which adds biometric information and passport numbers to that list in an effort to close what they have described as a “loophole” in existing legislation.

“There is a real danger when our personal information is not protected by those we trust,” said Assemblymember Levine. “Businesses must do more to protect personal data, and I am proud to stand with Attorney General Becerra in demanding greater disclosure by a company when a data breach has occurred. AB 1130 will increase our efforts to protect consumers from fraud and affirms our commitment to demand the strongest consumer protections in the nation.”

The new bill comes in response to the massive data breach suffered recently by Marriott, which impacted hundreds of millions of individuals. Attackers reportedly accessed more than 25 million passport numbers, including over 5 million that had not been encrypted.

There have also been some security incidents in recent years that resulted in biometric data getting compromised. One example is the breach suffered in 2017 by micro markets solutions provider Avanti Markets, which revealed that a piece of malware had helped cybercriminals steal, among other types of information, biometric data associated with a fingerprint scanner.

When introducing the new bill, authorities in California mentioned not only fingerprints, but also retina or iris images.

“While the risk of hackers actually recreating your passport with just your number is relatively low, be aware hackers can use your passport number, combined with other information they might have acquired, like your name, date of birth, etc., to 'verify' your identity and attempt to access financial accounts or create new ones -- that’s why it’s vitally important for breaches like this to be disclosed as soon as possible, so users can take protective measures, like changing passwords, setting up two-factor authentication and keeping a close eye on financial records,” Francis Dinha, CEO of OpenVPN, told SecurityWeek.

Drew Lydecker, president and co-founder of AVANT Communications, commented, “Regardless of size or industry, all companies own some kind of intellectual property -- and they need to believe there’s someone out there trying to get a hold of this information. In the case of Marriott, a massive organization with thousands of properties and high transaction volume, it’s difficult to respond quickly to threats, especially as the cybersecurity talent crisis continues to intensify. Recent estimates indicate that there could be as many as 3.5 million unfilled cybersecurity positions by 2021.”

Related: California IoT Cybersecurity Bill Signed into Law

Related: California to Ban Weak Passwords

Related: Face Recognition Nabs Fake Passport User at US Airport

Related: Schumer Says Marriott Should Pay to Replace Hacked Passports

Original author: Eduard Kovacs