California adds biometric specs to data breach law

California is changing its Information Practices Act of 1977 to expand the definition of personal information with additional identifiers, including biometric data of those affected. The amendment comes with new instructions on how to notify parties affected by a breach.

The California Legislative Information website describes how the existing law defines and regulates the use of personal information by public agencies and businesses as follows:

“The Information Practices Act of 1977 requires a public agency, as defined, that owns or licenses computerized data that includes personal information to disclose any breach of the security of the system following discovery or notification of the breach, as specified. Existing law imposes the same duty on a person or business in California that owns or licenses computerized data that includes personal information and generally requires that such a business implement and maintain reasonable security procedures and practices. Existing law authorizes a person or business that is required to issue a security breach notification to include in that notification specified information.”

The legislation
is old and uses a definition too broad to describe personal information in all
the shapes and forms found today. As such, amendment AB 1130, approved by
California Governor Gavin Newsom last week, seeks to expand the definition of
personal information to add “specified unique biometric data and tax
identification numbers, passport numbers, military identification numbers, and
unique identification numbers issued on a government document in addition to
those for driver’s licenses and California identification cards to these

entities must also notify other entities that used the same type of biometric
data as an authenticator to no longer rely on that data for authentication if
the data has been compromised.

entities must also direct the party whose personal information has been
breached to promptly change their password and security question or answer, or
to take steps to protect the online account associated with that person or

A template form is also included to outline how entities are to inform affected parties after a data breach.
