On February 21, 2019, California Assembly Bill 1130 came before the legislature. The bill would amend the state’s data breach notification law, which requires organizations to alert individuals after certain categories of data fall victim to a breach. Currently, the law applies to several categories of personal information, such as social security numbers, driver’s license numbers, and health data. If enacted, the bill would add other government-issued identification numbers (like passports) and biometric data (like fingerprints) to this list. Advocates of the bill have outlined the following benefits:
 

Current Consumer Data Breach Notification Protection

• All states have a data breach notification statute with varying degrees of protection. The amendment would place California among the top states regarding consumer data breach notification protection.

• Including other forms of IDs, like passports, helps ensure consumer notification when important personal information is compromised. Many people use their passports in addition to, or in lieu of, driver’s licenses/state ID cards in situations that require identification. The same goes for biometrics. Organizations are using biometric data more frequently as technology continues to evolve.

• Expanding the definition of personal information will stop organizations from avoiding disclosure of data breaches and penalize anyone that tries to do so.

Concerns for the Pending Amendment

On May 8, the Assembly appropriations committee released a report projecting costs around $359,000 each year to account for increased workload and prosecutions requiring additional staff. On May 29, the California Assembly passed the bill and sent it to the Senate for review. The Senate judiciary committee subsequently passed the bill on July 3 and referred it to the appropriations committee for a hearing on August 12. Throughout this process, some legislators have addressed the following concerns:

• The committee should narrow the definition of “government-issued identification numbers” since this could encompass several forms of IDs that carry little or no risk value. During review, the Assembly already addressed this concern and amended the bill to specify: “tax identification numbers, passport numbers, military identification numbers, unique identification number issued on a government document commonly used to verify the identity of a specific individual.”

• The reference to biometric data is too broad which makes it difficult to understand when notification is necessary. The Assembly amended the bill to remediate this concern. The original definition in the bill was “unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, or other unique physical representation or digital representation of biometric data.” Some argued that the “other” category could include many different things that are irrelevant to data breaches. Lawmakers amended the bill to reflect the following definition: “Unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, used to authenticate a specific individual. Unique biometric data does not include a physical or digital photograph, unless used or stored for facial recognition purposes.”

  • The Assembly also added a section that states where there is a biometric data breach; the notifying organization may include instructions on how to notify other entities that used the same type of biometric data as an authenticator cease using that data for authentication purposes.

How Will the Amendment Affect the CCPA?

• The amendment could affect the California Consumer Privacy Act (“CCPA”) in several ways. The CCPA is a privacy law slated to take effect in 2020 and grants California residents significant control over their data. However, the CCPA was met with opposition from both sides and lawmakers have been working vigorously to clean up the language. Some examples of how the data breach amendment could affect the CCPA include the following:

  • The CCPA gives residents the right to sue after a data breach if an organization failed to implement appropriate security measures. By expanding the definition of personal information under the data breach notification law, consumer litigation could potentially increase under the CCPA.

  • The combined costs under the data breach notification law and CCPA can add up. Organizations that fail to safeguard data and experience a breach will face costs associated with data breach notification, litigation under the CCPA, and improving security to successfully achieve future compliance.

  • The definition of biometric data conflicts with the CCPA’s definition, which includes both physical characteristics and behavior. The amendment to the data breach notification statue does not explicitly reference behavior biometrics.

Conclusion

Legal professionals and organizations subject to the data breach notification statute should monitor the bill as it continues through the legislative process. As noted above, lawmakers have already addressed major concerns surrounding the bill and made changes to help provide clarification. Additionally, monitoring any changes to the CCPA and how it will inevitably interact with the data breach notification statute is important. One sure thing is that both the notification amendment and the CCPA will definitely have the greatest effect on organizations handling private consumer data by expanding their obligations and potential liability.

To Learn more about the CCPA download our latest whitepaper: An Overview of CCPA 2019

If you found this blog informative, you may enjoy reading CCPA Big Data Update Version 2.0 – Almost Ready to Install or The Epiq Blog.