By Maria Dinzeo
SAN FRANCISCO – California Attorney General Xavier Becerra and Assemblymember Marc Levine, D-San Rafael, are seeking to bolster California’s consumer privacy laws with new legislation requiring businesses to notify customers when their passport numbers and biometric information have been compromised.
“We’ve learned some things over the years. We’ve seen what’s happened with some of these breaches and we have more information now to help guide us,” Becerra said Thursday at a press conference at the Justice Department’s San Francisco office.
Assembly Bill 1130 would expand on California’s 2003 Data Protection Act, the first data breach notification statute in the nation. The Data Protection Act requires companies to inform consumers about disclosure of their health information and their Social Security, credit card and driver’s license numbers.
AB 1130 adds passport numbers, green card numbers, fingerprint and retina scan data to the list of protected personal information covered by the law.
Becerra and Levine introduced the bill in response to a 2018 attack on Marriott’s Starwood Hotels’ guest reservation database that exposed guests’ names and addresses along with more than 5 million unencrypted passport numbers.
“If it had only been passport information, Starwood Hotels would not have had to report that data breach information to those 5 million customers who had their passport numbers disclosed,” Becerra said.
“There is a real danger when our personal information is not protected by those we trust,” Levine said. He added that passport numbers are especially valuable to hackers as they are “unique, government-issued, static identifiers of a person, which makes them valuable to criminals seeking to build fake profiles and commit sophisticated identity theft, consumer fraud or immigration fraud.”
Levine and Becerra said the law would apply to any company that obtains information from a California consumer, and should also cover facial recognition databases like those controlled by Google and Facebook.
“The intention is pretty clear that biometric information is going to be covered. We will be working to define that as we move forward and capture as much of that information as we can to protect Californians, and that will likely include facial recognition,” Levine said.
Becerra has promised to crack down on companies that try to hide data breaches from the public.
Last September, Becerra’s office obtained a $148 million settlement with Uber over its coverup of a 2016 breach that resulted in hackers stealing personal information from 57 million riders and drivers.
“Uber not only failed to report to Californians that breach in a timely way – it actually tried to pay the hackers to cover up the breach. That’s where you end up having to pay $148 million for what you did,” Becerra said Thursday. “We have an opportunity today to make that data breach law stronger. And that’s why we’re moving today to make [sure] those hackers and those cyber criminals do not win this game of getting your private information.”
Since 2005, 9,071 data breaches have been reported in the U.S. alone, affecting more than 11.5 billion records, according to Privacy Rights Clearinghouse’s online chronology.
“Recognize you’re asking people to turn over to you as a company some very precious, valuable information. If you were to lose someone’s jewels or safe deposit box stashed with cash, you have a responsibility to make that person whole. Personal data is no different; maybe even more precious,” Becerra said. “We hope the message to companies is use every tool at your disposal to protect this very precious information. You do that and you’re less likely to face financial consequences if a breach does occur.”
Levine said that customers have come to rely on companies to keep their data safe, even while hackers find more advanced ways of acquiring the personal information casually relinquished for the convenience of online shopping.
“You would think in 2019 that people would understand the value of their personal data,” Levine said. “Customers should feel as though when they’re working with a business that their information will be secure.”