With data breaches occurring more frequently throughout the United States, many have pushed for the government to have better data protection laws. California is taking a step in the right direction by proposing a bill that would enhance data breach notification laws. The overarching goal of the new bill is to expand a business’ obligation to inform customers in the event of a data breach.
Current Laws in California and the U.S.A.
California was the first state to enact a data breach notification law in 2003. It requires businesses to inform consumers when their personal information has been acquired by an unauthorized party. The United States as a whole has no nationwide internet privacy laws and each state has created its own regulations for data breach notifications. The states each have their own definition of “personal information,” “breach,” “analysis of risk of harm,” and the “timing of notifications to individuals.” There are some exceptions to these laws such as:
- Compliance with other laws like HIPAA
- Good faith use of personally identifiable information (PII) for a legitimate purpose
- What constitutes PII and if the state has safe harbors for encrypted or public data
In June 2018, California passed legislation known as the California Consumer Privacy Act (CCPA). The CCPA offers several new consumer privacy rights, including the right to know what information is being collected about you, the ability to say no to the sale of your information, the right to know the third parties with whom your personal data was shared, and the right to sue companies that have inadequate security measures to protect your data. These criteria follow in the footsteps of the EU’s GDPR. The act protects California residents and applies to for-profit businesses that meet at least one of the following requirements:
- Receive or share personal information of over 50,000 residents every year
- Generate annual gross revenue over $25 million
- Obtain half of their annual revenue by selling personal information of residents
While this act was signed by California Governor Brown in 2018, it will not take effect until January 1, 2020.
New Bill for Private Rights and Breach Notification
The newly proposed Senate Bill, SB-561, would modify some elements of the CCPA to give citizens broader private rights of action against businesses that have misused their information. Currently, the law only allows the California Attorney General to sue for violations of the CCPA. A consumer can only bring a private lawsuit if they first give the business in question a 30-day written notice detailing where it violated the act. If the business fixes the problem that allowed the breach within the allotted time, the lawsuit is void. The new bill would remove the 30-day period and allow consumers to take action if any of their rights are violated, not only the rights involving unauthorized access, theft, or disclosure of information as written in the original act. In addition to these changes, the new bill would require the Attorney General to publish general public guidance about the law.
The new “notification bill,” known as AB 1130, would broaden California’s definition of “personal information” under the data breach notification law. According to foley.com, the current definition includes:
- Social Security number
- Driver’s license number or California identification card number
- Account number, credit or debit card number
- Medical information and health insurance information
- Data collected through the use of an automated license plate recognition system
- A username or email address in combination with a password or security question allowing access to an online account
The new bill would classify government-issued identifying numbers, such as passport numbers, and biometric data as personal information. These biometric identifiers are fingerprints, retina or iris images, and other unique physical representations. If identity theft occurs involving these details, consumers must be made aware of the breach. These new layers of protection were introduced in response to the Marriott-Starwood hack.
Keeping Data in the Hands of the Consumer
SecureDrives are the market’s first hardware-encrypted storage solutions that are GDPR compliant and FIPS 140-2 Level 3 validated. We take the consumer’s privacy seriously and offer devices that put them in control of their information. With the SecureDrive BT model, the drive can only be unlocked using the app on a mobile phone and can be remotely wiped if lost or stolen. The SecureDrive KP model requires a unique PIN, and after 10 consecutive failed login attempts the drive is wiped clean. Though the country as a whole may not have complete protection laws for your data, SecureData is taking strides in data protection.