December 1, 2021

Volume XI, Number 335


California AG Seeks to Further Amend State’s Data Breach Notification Law

Yesterday, California Attorney General Xavier Becerra and Assemblymember Marc Levine (D-San Rafael) announced Assembly Bill 1130, which is intended to strengthen California’s existing data breach notification law. In short, AB 1130 would amend the existing law to include passport numbers and biometric information (e.g., fingerprint and retina scan data) in the definition of personal information, so that, if breached under the law, notification to consumers would be required.

Currently, similar to most breach notification laws in other states, California’s Data Protection Act defines personal information to include a covered person’s first name (or first initial) and last name coupled with sensitive information such as Social Security numbers, driver’s license numbers, financial account numbers and health information. The changes under AB 1130 would keep California out in front of other states, although a number of other states, such as Illinois, already include data such as biometric information as personal information under their breach notification laws. As many have observed, these state-by-state changes only add to the complexity businesses face when they experience a data breach affecting individuals in multiple states.

News reports concerning the announcement of AB 1130 note that Attorney General Xavier Becerra “has promised to crack down on companies that try to hide data breaches from the public.” And soon individuals in California affected by a data breach likely will have expanded rights to sue under the California Consumer Privacy Act (CCPA). As we reported earlier, the CCPA authorizes a private cause of action against a covered business for damages resulting from a failure to implement appropriate security safeguards that results in a data breach. The CCPA incorporates much of the definition of personal information under the California breach notification law. What should be troubling for covered businesses is that, if successful, a plaintiff can recover damages in an amount not less than $100 and not greater than $750 per incident or actual damages, whichever is greater, as well as injunctive or declaratory relief and any other relief the court deems proper. Thus, in addition to the costs of notifications a covered business may have to incur under the state’s breach notification law, which could include providing ID theft and credit monitoring services, class action lawsuits brought pursuant to this provision of the CCPA could be very costly. The expansion of the definition of personal information to include passport and biometric data only increases these risks.

Jackson Lewis P.C. © 2021 National Law Review, Volume IX, Number 53

About this Author

Principal

Joseph J. Lazzarotti is a principal in the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. He founded and currently co-leads the firm's Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals. Trained as an employee benefits lawyer, focused on compliance, Joe also is a member of the firm’s Employee Benefits practice group.

In short, his practice focuses on the matrix of laws governing the privacy, security, and...

973-538-6890