CYBERSECURITY/DATA BREACH LAW: With AB 1130, California’s Data Breach Notification Law Might be Expanding

As Californians, we often pride ourselves on living in a state at the forefront of legal, social and technological issues. In 2002, California became the first U.S. state to pass a data breach notification law. Thereafter, all 50 U.S. states, the District of Columbia, Guam, Puerto Rico and the U.S. Virgin Islands enacted similar, albeit distinguishable, data breach notification laws. That’s right, there are currently 54 different data breach notification laws throughout the United States and the U.S. Territories!

In a sense, California’s data breach notification law, which is codified at Cal. Civil Code §1798.80 et seq. (hereinafter “CDBNL”), served as the alluring appetizer to what would later become a veritable smorgasbord of varying, nuanced and often inconsistent data breach notification laws throughout the country—more on this below. Nevertheless, California was the pioneer in this now rapidly developing field of law.

While the CDBNL was once novel, and to this day remains fairly robust in comparison to other data breach notification laws, state legislators and officials increasingly appear to believe the CDBNL could use some updates.

As a result, California Attorney General Xavier Becerra and Assemblyman Marc Levine introduced legislation (AB 1130) on February 21, 2019 intended to bolster the CDBNL. AB 1130 seeks to require businesses to notify consumers if their unique biometric data (e.g., fingerprints, iris/retina or facial scans), among other things, were stolen as the result of a data breach.

Arguably, the CDBNL already, technically, covers the biometric data intended to be added by AB 1130, at least upon a fairly liberal reading of that law. Currently, the CDBNL requires businesses and persons to notify individuals, specifically California residents, whose unencrypted “personal information” was subject to unauthorized acquisition as the result of a data security incident affecting the systems or computerized data owned, licensed or otherwise maintained by such businesses or persons. Cal. Civil Code §1798.82(a). Specifically, the CDBNL defines “personal information” as “any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.” Cal. Civil Code §1798.80(e) (emphases added).

Thus, the existing law starts with a broad definition of personal information: “any information that identifies, relates to […] or is capable of being associated with, a particular individual.” It then goes further to give broad examples of “personal information” such as “physical characteristics.” This statute lastly makes clear that these examples are a part of a non-exhaustive list as it uses the phrase “including, but not limited to.” Accordingly, the existing CDBNL is quite broad in terms of its definition of “personal information,” particularly given the phrase “physical characteristics,” such that a court could interpret the law to include biometric information, among other sensitive information not explicitly listed.

Given this, the apparent focus of AB 1130 seems to provide clarity with additional examples of personal information to be protected under the law. Other states, such as Arizona, Colorado and Wisconsin, already include unique biometric data in the definition of personal information expressly covered under such states’ data breach notification laws. AB 1130 would simply allow California to catch up with such states in terms of what is explicitly stated in the CDBNL.

It also recognizes that we live in an ever-evolving digital world in which we can digitize vast portions of our lives by simply scanning our driver’s license, passport, credit card, medical card, fingerprint, retinal and facial images and/or information into our cell phones. In other words, some of our most valuable, sensitive and personal forms of information have become moving targets for potential hackers as we hop from hotspot to wi-fi portal to airport lounge to hotel lobby.

For example, Marriott Starwood Hotels suffered a data breach in 2018 involving at least 327 million guests’ information. Massive data breaches, such as those suffered by Marriott, appear to be somewhat of an impetus behind the movement for state legislators and officials to retool, expand and continually seek to improve existing data breach notification laws.

Given the challenge of preventing these breaches from occurring, the apparent goal of these laws is to broaden the types of personal information that, if misappropriated, would trigger the requirement that businesses notify their consumers. Notification ensures consumers are better informed and can take appropriate steps to protect their personal information from unauthorized use; consumers can only take the necessary remedial steps if they know that their information has potentially been stolen.

While the intent behind AB 1130 may be lauded as a commendable effort to strengthen consumer protection in this state, businesses should be cautioned that it is merely an example of the continually developing, diverse set of data breach laws in our country. Again, there are 54 separate data breach notification laws in the United States and its territories; with each such law having its own set of nuances.

For example, compare just the time limits for notification between California and Florida. The CDBNL requires businesses to notify individuals affected by a data breach “in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement […] or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.” Cal. Civil Code §1798.82(a).

On the other hand, Florida’s data breach notification law requires businesses to notify individuals affected by a data breach “as expeditiously as practicable and without unreasonable delay […] but no later than 30 days after the determination of a breach or reason to believe a breach occurred unless subject to a delay[.]” Florida Stat. § 501.171(4)(a). The Florida data breach notification law goes on to specify the types of permissible “delay,” which include cases where the notification would interfere with a criminal investigation or where, after reasonable inquiry and investigation, it is determined the breach is not likely to result in identity theft or financial harm. Florida Stat. § 501.171(4)(b)-(c).

In sum, Florida, unlike California, gives a specific 30-day timeline for businesses to notify consumers of a data breach affecting personal information. Furthermore, California, unlike Florida, permits delay in such notice in order for the business to determine the scope of the breach and essentially modify and better secure their data systems.

If a company does business in multiple states, and then suffers a data breach, that company will have to determine which data breach notification laws apply, how and when they must comply with each such law, and what updates in such laws have taken effect.

Rather than the individual states continually trying to fine-tune their existing data breach notification laws, it may be time for a federal data breach notification law to finally be enacted. This could potentially set clear guidelines for the states to follow as well as resolve inconsistencies among the various data breach notification laws currently in existence. Until then, states like California will continually have to stay ahead of the curve, or at least try not to fall behind.