California Bill Would Further Amend Data Breach Notification Law


By Joseph J. Lazzarotti © Jackson Lewis March 6, 2019

California Attorney General Xavier Becerra and Assemblymember Marc Levine, D-San Rafael, recently announced AB 1130, which is intended to strengthen California's existing data-breach notification law. In short, AB 1130 would amend the existing law to include passport numbers and biometric information (e.g., fingerprint and retina scan data) in the definition of personal information, so that, if breached under the law, notification to consumers would be required.

Currently, similar to most breach notification laws in other states, California's data breach notification law defines personal information to include a covered person's first name (or first initial) and last name coupled with sensitive information such as Social Security numbers, driver's license numbers, financial account numbers and health information.

The changes under AB 1130 would keep California out in front of other states, although a number of other states, such as Illinois, already include data such as biometric information as personal information under their breach notification laws. As many have observed, these state-by-state changes only add to the complexity businesses face when they experience a data breach affecting individuals in multiple states.

News reports concerning the announcement of AB 1130 note that Becerra "has promised to crack down on companies that try to hide data breaches from the public." And soon individuals in California affected by a data breach likely will have expanded rights to sue under the California Consumer Privacy Act (CCPA).

The CCPA authorizes a private cause of action against a covered business for damages resulting from a failure to implement appropriate security safeguards that results in a data breach. The CCPA incorporates much of the definition of personal information under the California breach notification law. What should be troubling for covered businesses is that, if successful, a plaintiff can recover damages in an amount not less than $100 and not greater than $750 per incident or actual damages, whichever is greater, as well as injunctive or declaratory relief and any other relief the court deems proper.

Thus, in addition to the costs of notifications a covered business may have to incur under the state's breach notification law, which could include providing identity theft and credit monitoring services, class-action lawsuits brought pursuant to this provision of the CCPA could be very costly. The expansion of the definition of personal information to include passport and biometric data only increases these risks.

Joseph J. Lazzarotti is an attorney with Jackson Lewis in Morristown, N.J. © 2019 Jackson Lewis. All rights reserved. Reposted with permission. 

