In what appears to be a yearly tradition, the California State Senate has again amended its Data Breach Notification Law. [Civ. Code § 1798.29.] On Sept. 11, 2019, the California State Senate voted in favor of AB-1130 Personal information: data breaches, which expands the existing definition of “personal information” under California’s Data Breach Notification Law. Assuming the governor signs AB-1130 before the Oct. 13, 2019 deadline, personal information under California’s Data Breach Notification Law will now include (1) unique biometric data, and (2) government-issued identification numbers, such as passport numbers.
Closing a Gap
AB-1130 seeks to close openings within California’s Data Breach Notification Law. The current law requires any agency, person, or business that owns or licenses computerized data that includes personal information to disclose a breach of the security of the system to any California resident whose unencrypted personal information was or is reasonably believed to have been acquired by an unauthorized person. [Civ. Code §§ 1798.29(a), (c); 1798.82(a), (c).] The current definition of “personal information” does not extend to passport numbers or unique biometric data, a gap that was highlighted in the wake of several high-profile data breaches.
Under AB-1130, a “government-issued identification card” is now defined to include (1) tax identification number, (2) passport number, (3) military identification number, or (4) other unique identification number issued on a government document commonly used to verify the identity of a specific individual. And “unique biometric data” is data “generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, used to authenticate a specific individual.” Unique biometric data does not include “a physical or digital photograph, unless used or stored for facial recognition purposes.”
These definitions reflect a compromise between proponents and opponents of the bill. Opponents of the bill believed earlier definitions of “government-issued identification cards” were too broad and would include any government-issued identification card, such as a fishing license, regardless of whether that card is commonly used to identify an individual. Similarly, earlier definitions of “unique biometric data” included the phrase “or other unique physical representation or digital representation of biometric data,” which opponents argued could include such things as photographs and clothes.
While on the surface AB-1130 may represent yet another amendment to the California Data Breach Notification Law, a seemingly annual occurrence, the expansion of the definition of “personal information” represents a significant increase in potential liability to businesses, especially considering the private right of action under the CCPA that goes into effect on Jan. 1, 2020.