The theft of data at businesses from banks to credit bureaus that has, so far, spurred only hearings in Congress has prompted a considerably more decisive response in California.
Now, one of the latest and largest cases — the pilfering of 327 million guest records including passport information from the Starwood Hotels chain acquired by Marriott — is motivating state lawmakers to tighten data-security laws even further.
A measure proposed by Attorney General Xavier Becerra, who succeeded Kamala Harris after her election to the Senate, and state Assemblyman Marc Levine would add passport numbers, along with biometric data like fingerprints and retina images, to the categories of personal identification information protected under a 2003 law.
That law, which already covers Social Security and driver’s license numbers as well as medical records, requires companies that keep such data to notify state residents as quickly as possible if it’s stolen.
“It’s a simple but essential measure to protect our data-breach law,” Becerra said in a Thursday afternoon news conference. “Hopefully, this is legislation that will swiftly pass in the legislature and get the approval of the governor.”
The cyberattack that Marriott disclosed in late November affects more people than the entire population of the United States, dwarfing even the theft discovered in 2017 at credit bureau Equifax, which sparked congressional scrutiny and the departure of then-CEO Richard Smith.
The Bethesda, Md.-based hotelier said it was alerted to a cyberintrusion into the Starwood reservation database on Sept. 8, then discovered that unauthorized access had been occurring since at least 2014. Starwood properties include W Hotels, St. Regis, Sheraton, Westin and Le Meridien; they’re located in cities from New York to Washington, D.C., and New Orleans.
In the aftermath, Sen. Mark Warner, a Virginia Democrat who co-founded the Senate Cybersecurity Caucus, called on Congress to pass a national data-security law, and Sens. Amy Klobuchar, D-Minn., and John Kennedy, R-La., reintroduced a bill that would require social media companies — a frequent target of cyberthieves — to inform consumers of data breaches within three days.
And it is past time we enact data security laws that ensure companies account for security costs rather than making their consumers shoulder the burden and harms resulting from these lapses.
— Mark Warner (@MarkWarner) November 30, 2018
“There is a real danger when our personal information is not protected by those we trust,” Levine, the California lawmaker, said Thursday. “While sharing some personal identification information can make e-commerce and travel more convenient, data breaches are becoming all too common in our nation.”
Since 2005, some 9,000 data breaches affecting 11.5 billion records have been reported in the U.S. alone, he said. Those include the 2017 hack of credit bureau Equifax, which exposed information for nearly half the country, and the disclosure a year later that a consultant for President Trump’s 2016 campaign improperly accessed files on some 87 million Facebook users.
Along with shoring up California’s breach-notification law, the measure Levine is proposing would add to protections under the state’s privacy protection act passed last year. That law, which takes effect on Jan. 1, 2020, includes provisions similar to those of the European Union, allowing Californians to review data companies hold on them and block the firms from selling that information.
