California Updates its Data Breach Notification Law
On February 21, 2019, California Attorney General Xavier Becerra and Assemblymember Marc Levine (D-San Rafael) announced Assembly Bill 1130 which intended to strengthen and expand California’s existing data breach notification law. On September 11, 2019, the bill passed both houses of the legislature and was presented to Governor Gavin Newsom. Last Friday, October 11, 2019, the Governor signed AB 1130, together with 6 additional California Consumer Privacy Act of 2018 (“CCPA”) related bills into law.
Prior to AB 1130, California’s breach notification law defined personal information in Cal Civil Code Sec. 1798.81.5(d)(1)(A) to include a covered person’s first name (or first initial) and last name coupled with sensitive personal information such as Social Security numbers, driver’s license numbers, financial account numbers, and medical and health information. AB 1130 expands the types of personal information in that section to include biometric information (i.e. fingerprint, retina scan data, iris image) and government identifiers (i.e. tax identification number, passport number, military identification number).
In addition to expanding the elements of personal information that are subject to a notification obligation in the event of a data breach, the change also increases litigation risk following a data breach. This is because, under the CCPA, consumers affected by a data breach can bring an action for statutory damages when the breach is caused by the business’ failure to maintain reasonable safeguards. And, the CCPA specifically incorporates Civil Code Sec. 1798.81.5(d)(1)(A), which AB 1130 expanded. Now, a broader set of personal information that, if breached and not reasonably safeguarded, could expose businesses subject to the CCPA to substantial damages. A consumer can recover damages in an amount not less than $100 and not greater than $750 per incident or actual damages, whichever is greater, as well as injunctive or declaratory relief and any other relief the court deems proper.
Thus, in addition to the costs of notifications a covered business may have to incur under the state’s breach notification law, which could include providing ID theft resolution and credit monitoring services, class action lawsuits brought pursuant to this provision of the CCPA could be very costly. The expansion of the definition of personal information to include biometric information and government identifiers only increases these risks. It would be prudent for businesses subject to the CCPA to ensure reasonable safeguards are in place to protect all of these elements of personal information, and make sure their third-party service providers are doing the same.