Breach Notification Law Adds Biometrics, Passport Data

Posted by Anna Kragie on Oct 25, 2019 7:00:00 AM

California has set a new precedent for breach notification laws that is continuing to gain ground nationwide. A bill was signed into law by Gov. Gavin Newsom that adds passports and biometric data ad part of the PII covered by California’s data breach notification law. 

California now joins15 additional states that require notification if a resident’s fingerprint or other biometric information is breached. The other states include: Arizona, Colorado, Delaware, Illinois, Iowa, Louisiana, Maryland, Nebraska, New Mexico, New York, North Carolina, South Dakota, Wisconsin, Wyoming and Washington.

“Now, California law will require companies to treat consumers’ passport numbers and unique biometric data with the same security that they would a credit card or Social Security number — if you collect it, you must protect it,” California Attorney General Xavier Becerra said.

This addition to the data breach notification law follows trends across the country that aim to crack down on how quickly businesses and government organizations must alert customers about their personal data being compromised. Conversations about how data breach legislation will impact how banks and credit unions approach consumer privacy and protecting personal credentials is an ongoing topic in Congress as well.

New York also recently signed into law the “Stop Hacks and Improve Electronic Data Security” Act (the “SHIELD Act”), aimed at a stricter data security and data breach notification requirements to include more personal data. This includes enhanced notification requirements for companies and government entities to follow when sensitive personal data has been breached and how that data is protected.

The previous data breach notification law in California was broader and didn't encompass the types of data that are increasingly being breached in today's digital ecosystem. This new bill aimed to be more targeted by including “specified unique biometric data and tax identification numbers, passport numbers, military identification numbers, and unique identification numbers issued on a government document in addition to those for driver’s licenses and California identification cards to these provisions.”

“What we have seen as states have expanded this definition of personal information is that they are paying increased attention to protection of more information,” Lewis Brisbois Bisgaard & Smith data privacy and cybersecurity partner Elizabeth Dill told “There are a lot of different types of information that can be used to identify individuals and states are becoming more of an advocate to protect their citizens’ data.”

Besides consumer protection and privacy, the discussions around data security reform has brought the financial services industry into the fold. Specifically how more collaboration is needed across the fraud detection sector to implement solutions that act faster through the use of more sophisticated technology (like machine learning). The conversations in Congress has shifted to how financial institutions should be using data to better combat fraud.

Fears over consumer privacy protection have also sparked conversations about what banks and credit unions are doing to keep their own customers’ data protected. Knowing how to fully protect customers is about being able to proactively detect card fraud incidents quickly so they can be alerted before incidents spread. Minimizing customer impact is one goal that can be achieved with faster, better breach detection tools.

Closing the gap between fraudsters and FIs is one goal leaders across the financial services industry are constantly working toward. Striking a balance for financial institutions is a key point in these conversations. Determining how to protect consumers without an undue burden on corporations and organizations is a hot topic across the financial sector.

Want insight into what to do when a data breach occurs — including how you can help your customers?

Read our tips here.