California officials proposed legislation that, if passed, would set stricter guidelines for when companies need to inform customers of a data breach.
The bill would require companies to notify California residents when their passport, passport card or green card numbers are compromised in data breaches. It would also require that customers be notified of compromised biometric information, such as fingerprints.
The legislation goes further than the state’s current consumer protections, which require companies to inform their customers of data breaches but provide an exception if only passport numbers were accessed.
Attorney General Xavier Becerra and State Assemblymember Marc Levine unveiled the new legislation at a press conference on Thursday.
“America doesn’t need a wall at our southern border,” Levine said. “What America needs is a firewall to protect American consumers from identity theft and fraud.”
The idea for the bill arose after Marriott revealed that it had suffered a breach exposing the personal information of roughly 500 million people. About 327 million of those people had information exposed, including their names, phone numbers, email addresses, passport numbers, dates of birth and arrival and departure information.
While Marriott informed customers of the breach, under current legislation it would not have had to alert people if only passport numbers had been exposed.
“We are the leaders, we are at the forefront of protecting the rights of the people of this country,” Becerra said during the media event. “This is an evolving area of law. Just as quickly as the industry and the sector continues to change, we’ll have to be prepared to make sure our policies and our laws adapt as well.”
In June, the state passed the California Consumer Privacy Act, which will give people more control over how their personal data is used when it takes effect in 2020. It will give people the right to know what data companies are collecting, why they’re doing so and with whom it’s being shared. People can request that companies not sell their information.
CCPA is the toughest data privacy law in the country, though still not as strict as the European Union’s General Data Protection Regulation. That law took effect in May and gives people more control over their personal information, and forces companies to make sure they’re collecting, processing and storing data safely.