[BreachExchange] California adds biometric specs to data breach law

Destry Winant destry at riskbasedsecurity.com
Fri Oct 18 09:56:26 EDT 2019


https://securityboulevard.com/2019/10/california-adds-biometric-specs-to-data-breach-law/

California is amending its Information Practices Act of 1977 to expand
the definition of personal information to cover additional
identifiers, including biometric data. The amendment also adds new
requirements for how parties affected by a breach are notified.

The California Legislative Information website describes how the
existing law defines and regulates the use of personal information by
public agencies and businesses as follows:

“The Information Practices Act of 1977 requires a public agency, as
defined, that owns or licenses computerized data that includes
personal information to disclose any breach of the security of the
system following discovery or notification of the breach, as
specified. Existing law imposes the same duty on a person or business
in California that owns or licenses computerized data that includes
personal information and generally requires that such a business
implement and maintain reasonable security procedures and practices.
Existing law authorizes a person or business that is required to issue
a security breach notification to include in that notification
specified information.”

The legislation is old, and its definition of personal information is
too narrow to cover the forms that data takes today. Amendment AB
1130, signed by California Governor Gavin Newsom last week, therefore
expands the definition of personal information to add
“specified unique biometric data and tax identification numbers,
passport numbers, military identification numbers, and unique
identification numbers issued on a government document in addition to
those for driver’s licenses and California identification cards to
these provisions.”

Where a breach involves biometric data, the notice must also include
instructions on how to notify other entities that used the same type
of biometric data as an authenticator, so that they stop relying on
that data for authentication. Unlike a password, a compromised
biometric cannot be rotated, so the only remediation is to revoke its
use as an authenticator wherever it is accepted.

Where a breach involves credentials for an online account, the notice
must direct the affected person or business to promptly change their
password and security question or answer, or to take other steps to
protect the account.

The law also includes a model notification form that lays out how
entities are to inform affected parties after a data breach.

