California Bills Would Add More Punch to Consumer Data Protection Law

By | March 6, 2019

Professionals in the cyber arena could find themselves quite busy in the near future with the possibility of California consumers gaining even more power to sue corporations for mishandling personal data under two recently introduced bills in state Legislature.

California is already on track to have what may be considered the nation’s most far-reaching data privacy law with the passage last year of the California Consumer Privacy Act of 2018.

Two recently introduced bills promise to make data privacy laws in California even tougher.

California Attorney General Xavier Becerra and Assemblyman Marc Levine, D-San Rafael, in late February unveiled Assembly Bill 1130, legislation to strengthen California’s data breach notification law to protect consumers. The bill closes a loophole in the state’s existing data breach notification law by requiring businesses to notify consumers of compromised passport numbers and biometric information.

Around the same time as Becerra and Levine were introducing AB 1130, state Sen. State Sen. Hannah-Beth Jackson, D-Santa Barbara, introduced Senate Bill 561. Her bill would expand a consumer’s rights to bring a civil action for damages.

Companies that collect personal information should be paying close attention to SB 561, according to Anne Kelley, a partner in the Walnut Creek, Calif. law office of Newmeyer & Dillion, who practices in construction litigation and insurance coverage matters.

“It would really open the doors for litigation under the CCPA,” Kelley said.

The current version of the CCPA, set to go into effect in 2020, enables a limited private right of action. Individuals can bring a lawsuit if there’s been a data breach and a company isn’t using reasonable security measures to protect information being gathered. If SB 561 passes as it’s currently worded, then any violation of CCPA will give individuals a private right of action.

That’s on top of the $7,500 per record fine that can be assessed by the Attorney General under CCPA as it stands now.

“We’re watching it and we’re helping our clients understand what they need to do under data beach notification laws and what they need to do under the CCPA,” Kelley said. “It really changes their obligations around all of that.”

Companies doing business internationally have probably already taken strides to enact stronger data protection measures following the establishment of the European Union’s General Data Protection Regulation in May.

GDPR, the biggest shake-up of data privacy laws in decades, enables users to better control their personal data and gives regulators the power to impose fines of up to 4 percent of global revenue for violations.

France’s data protection watchdog fined Google 50 million euros ($57 million) earlier this year for breaching EU online privacy rules. The French regulator charged that search engine lacked transparency and clarity in the way it informs users about its handling of personal data and failed to properly obtain their consent for personalized ads.

Broad adherence to GDPR rules is why Shawn Ram, head of insurance for Coalition Inc., a San Francisco-based cyber insurance provider, believes many of his clients can be ready to deal with CCPA and the proposed changes.

“These laws continue the efforts of other regulatory bodies around the world to codify privacy requirements and penalize companies who do not comply with privacy policies internally,” Ram said. “Companies that have not appropriately addressed liability associated with GDPR – likely due to an exclusive U.S.-focused customer base – now need to take significant measures to ensure compliance with these new laws.”

For that haven’t been faced with complying with GDPR?

“I think this is going to come as a big, big surprise if you’re not prepared,” he added.

Ram expects the immediate impact on the insurance community to include a pressing need for insurers, brokers, and clients to become educated on the new laws, increased exposure to limits of liability resulting from fines and penalties, as well as greater coverage scrutiny to ensure appropriate policies are in place to protect insureds.

Coalition in late February announced it will broaden its coverage for GDPR violations to include coverage for “failure to comply” issues associated with GDPR. The coverage is intended to help businesses comply with regulations, protect against alleged violations and pay resulting expenses and penalties.

Ram declined to comment on whether that product will be offered to help companies comply with CCPA regulations when they take effect.

Based on discussions that he has had with his clients, brokers and service providers, even those companies that have taken steps to become GDPR compliant will have changes to make.

“The general consensus is there’s still a lot of work to be done,” Ram said. “If you prepared for GDPR, I don’t think that this is that difficult.”

Regardless of how difficult compliance is for companies that are, or are not prepared, SB 561 would greatly expand what already is the nation’s most far-reaching law protecting personal information, according to David Reischer, an attorney and CEO of

“Very few states recognize a broad interpretation of an individual’s right to privacy with a notable exception being California,” Reischer said.

CCPA applies to any for-profit company doing business in California that has revenues greater than $25 million that receives more than 50,000 unique personal records per year or that derives more than 50 percent of its annual revenue from selling personal information. It also creates a Consumer Privacy Fund with in the state’s General Fund to be used to support the purposes of the bill and its enforcement.

The CCPA lays out numerous consumer rights, including that consumers will have the right to request that a business that collects personal information about them must disclose to the consumer the following:

  • The categories of personal information it has collected about that consumer.
  • The categories of sources from which the personal information is collected.
  • The business or commercial purpose for collecting or selling personal information.
  • The categories of third parties with whom the business shares personal information.
  • The specific pieces of personal information it has collected about that consumer.

The law also requires a business that collects personal information about consumers to disclose the categories of personal information it has collected about them, the categories of sources from which the personal information is collected, the purpose for collecting or selling personal information, the categories of third parties with which the business shares personal information and the specific pieces of personal information the business has collected about that consumer.

SB 561 would expand a consumer’s right to sue for damages in an amount not greater than $750 per consumer per incident or actual damages, whichever is greater.

“SB 561 not only grants consumers recourse in the event of a data breach, but would give consumers the right to know specifically what information businesses have collected on them,” Reischer said. “Consumers would have a right to demand to have the data deleted.”

The other half of beefing up the yet-to-be enacted CCPA would come from AB 1130, which would put biometric information, such as a fingerprint, or retinal image, and passport information, in the realm of personal data that consumers can sue a company for when it’s breached.

That legislation was prompted by the massive data breach of the guest database at Starwood Hotels in 2018. Marriott, which has acquired Starwood, revealed that the massive breach exposed more than 327 million records containing guest names, addresses and more than 25 million passport numbers. The company notified consumers of the breach, but current law does not require companies to report breaches if only passport numbers have been improperly accessed.

Backers of the bill argue that passport numbers are unique, government-issued identifiers of a person, making them valuable to criminals looking to create fake profiles and commit sophisticated identity theft and fraud.

Kelley said she believes this could only be the start of questions being raised as to what is and isn’t personal information, and then more lawsuits could follow when breaches do occur.

“I think we’re going to be seeing more and more of these lawsuits as the definition of what’s personal information is expanded,” Kelley said.

California may not be alone as a state with tough data protection laws. Other states may follow suit with the CCPA and the GDPR.

The National Association of Insurance Commissioners in 2017 began encouraging states to adopt its cyber security model law. The NAIC’s Insurance Data Security Model Law creates a legal framework for requiring insurance companies to operate cybersecurity programs. The law outlines planned cybersecurity testing, involvement with a company’s information security program and incident response plans for breach notification procedures.

The NAIC model law is only a guideline until adopted by individual states, but the NAIC is hoping a majority of states will adopt its model law over the next few years. South Carolina in 2017 became the first state to adopt the model law. The South Carolina Department of Insurance Data Security Act was drafted by the NAIC’s Cybersecurity Working Group, chaired by South Carolina Insurance Director Raymond G. Farmer.


Was this article valuable?

Here are more articles you may enjoy.