Attorney General Becerra and Assemblymember Levine’s Data Breach Notification Bill Signed into Law

SACRAMENTO – California Attorney General Xavier Becerra and Assemblymember Marc Levine (D-San Rafael) today applauded Governor Gavin Newsom for signing into law AB 1130, a bill that protects consumers by strengthening California’s data security laws. Effective January 1, 2020, AB 1130 will update the state’s existing data breach notification law by requiring businesses to maintain reasonable security measures to protect government-issued identification numbers and biometric information from breach, and to notify consumers when such information is compromised.

“With the passage of AB 1130, California has once again proven it deserves its reputation as the nation’s leader in data privacy and protection,” said Attorney General Becerra. “Consumers have a right to know if their personal data is compromised by an unauthorized source. Now, California law will require companies to treat consumers’ passport numbers and unique biometric data with the same security that they would a credit card or Social Security number — if you collect it, you must protect it.” 

“There is a real danger when our personal information is not protected by those we trust,” said Assemblymember Levine. “Businesses must do more to protect personal data and I am proud to stand with Attorney General Becerra in demanding greater disclosure by a company when a data breach has occurred. AB 1130 will increase our efforts to protect consumers from fraud and affirms our commitment to demand the strongest consumer protections in the nation.”

In 2003, California became the first state to pass a data breach notification law requiring companies to protect against the unauthorized access of consumers’ personal information, including identifiers such as a person’s Social Security number, driver’s license number, credit card number, and medical and health insurance information. AB 1130 will now update that law to include tax identification numbers, passport numbers, military identification numbers, A-numbers, or other unique identification numbers issued on a government document commonly used to verify the identity of a specific individual.  Because these numbers are unique, static identifiers of a person, they are valuable to criminals seeking to create or build fake profiles and commit sophisticated identity theft and fraud. AB 1130 also updates the statute to include protection for a person’s unique biometric information, such as a fingerprint, or image of a retina or iris. 

Assemblymember Levine introduced AB 1130 on February 21, 2019. The legislation was prompted by the massive data breach of the guest database at Starwood Hotels — recently acquired by Marriott — in 2018. Marriott revealed that the massive breach exposed more than 327 million records containing guests’ names, addresses, and more than 25 million passport numbers, among other things. Though the company did notify consumers of the breach, there was not previously any law requiring companies to protect such information or report breaches if only consumers’ passport numbers had been improperly accessed.

Attorney General Becerra is committed to protecting consumer and individual privacy. Since taking office in January 2017, he has announced a $600 million settlement with Equifax for improperly exposing the personal information of 147 million consumers; a $148 million settlement with Uber for failing to notify regulators and users of a data breach; an $18.5 million settlement with Target for failing to provide reasonable data security; a $9.8 million settlement with Walgreens for failing to adhere fully to requirements imposed by California law for the dispensing of certain prescriptions drugs under Medi‑Cal; and a $3.5 million settlement with Lenovo for illegally preinstalling software that compromised the security of its computers.