Colossal Marriott Breach Inspires New California Bill That Would Require More of Companies That Get Pwned


Prompted by last year’s Marriott International data breach, which saw more than 25 million unencrypted passport numbers leaked among other sensitive info, the state of California may soon require companies to notify customers when passport information and biometric data are accessed by anyone without authorization.

This week, California State Attorney General Xavier Becerra and Assemblymember Marc Levine of San Rafael unveiled AB 1130, which aims to close a loophole in the state’s data breach laws, adding passport and biometric data to the list of personal information that requires notification when acquired by an unauthorized person.


“Knowledge is power, and all Californians deserve the power to take action if their passport numbers or biometric data have been accessed without authorization,” said Becerra in a statement, adding: “AB 1130 closes a gap in California law and ensures that our state remains the nation’s leader in data privacy and protection.”

Calling on businesses to “do more” to protect sensitive information, Levine said AB 1130 would “increase our efforts to protect consumers from fraud and affirms our commitment to demand the strongest consumer protections in the nation.”

California’s data breach notification law currently requires companies to notify customers whenever social security numbers, driver’s license numbers, credit card data, or medical and health insurance information is leaked.

Marriott International said earlier this year that its breach had included fewer than 383 million unique guests, “although the company is not able to quantify that lower number because of the nature of the data in the database.”


OpenVPN CEO Francis Dinha told Gizmodo that while the risk of hackers recreating a passport using only a number is relatively low, hackers could combine it with personal information, such as names, dates of birth, and so on, to access financial accounts or create new ones. “That’s why it’s vitally important for breaches like this to be disclosed as soon as possible, so users can take protective measures, like changing passwords, setting up two-factor authentication and keeping a close eye on financial records.”

Levine’s office expects the next step for AB 1130 would be consideration by the Assembly’s Committee on Privacy and Consumer Protection led by Chairman Ed Chau, a Democrat of the San Gabriel Valley. Tagged as a fiscal bill, it also requires review by lawmakers overseeing appropriations. From there, the bill would advance to a vote on the Assembly floor no later than early June and, if passed, be taken up by the State Senate in the following months.



About the author

Dell Cameron
