We have talked about data breaches at length on Saintel Daily. Why? Because they’re bad for business. And because we want you to be aware of the dangers that are lurking on the internet. Some companies are attempting to get ahead of any possible breaches, but there are still some who attempt to cover up the breaches. The European Union has started to introduce laws that would penalize the company who is responsible for a data breach, usually by way of leveraging a fine. The big question is whether or not that will be enough? I think the short answer there is yes, because who wants to part with money? Both Facebook and Google have been accused of data breaches and are facing GDPR violation fines.
The other big question that we’ve been discussing is when or if these kinds of rules will ever come to the United States. We have seen lawmakers talking about it, and thinking about introducing legislation that would put them in the GDPR orbit, but nothing has come to fruition. While the fine system seems to be working in the EU, the United States is a bit different in terms of whether or not governments should oversee certain aspects of “private” life. Conservative governments are usually the first to say that less government oversight is necessary. GDPR style rules would mean that the government would be handing out such fines, and whether or not that would sit well with many conservative lawmakers remains to be seen.
That said, California is looking at introducing comprehensive data breach notification rules by way of a law. Attorney general, Xavier Becerra, and Assembly member Marc Levine want to require companies to notify customers if their passport numbers and biometric identification information have been compromised. This is in response to the massive Starwood Hotel data breach that took place in 2018. That particular security breach affected as many as 500 million guests. The hackers were able to steal around 327 million personal records – which included passport numbers.
California was the first state to pass a data breach notification law back in 2003. It required businesses to disclose if consumers’ personal information had been stolen. However, it only referred to social security numbers, drivers’ license numbers, credit card numbers and medical/health insurance data. All of this is very interesting. My question is – does the law apply to companies who are operating out of California? Thus requiring those companies to disclose these breaches to all their customers? Or does it only apply to people living in the state of California, who have been affected by a breach?
While Starwood Hotels disclosed the security breach, other companies might not be as forthcoming when they’re not legally required to divulge a hack based on what was stolen. That’s why this bill aims to update the law in order to add passport numbers and biometric information, such as fingerprints and iris scans, to the list of recognized personal information. Passport numbers are government-issued identifiers, after all, and a bad actor could use them to steal a person’s identity via social engineering or to commit fraud.
“Knowledge is power, and all Californians deserve the power to take action if their passport numbers or biometric data have been accessed without authorization. We are grateful to Assemblymember Levine for introducing this bill to improve our state’s data breach notification law and better protect the personal data of California consumers. AB 1130 closes a gap in California law and ensures that our state remains the nation’s leader in data privacy and protection.”Xavier Becerra, California Attorney General