California law would require breach notice if online account information is stolen
The state Senate in California unanimously has passed a law that would require organizations that are breached to alert victims when intruders access online account information belonging to consumers.
Existing state law only requires notification when unauthorized individuals obtain "unencrypted Social Security numbers, driver's license numbers, medical information, health insurance information and specific financial account information, such as credit card numbers with security codes," according to Senate Majority Leader Ellen Corbett, who introduced the measure.
The new legislation, passed last week, would amend the definition of "personal information" under the state's breach notification law to also include "a username or email address, in combination with a password or security question and answer that would permit access to an online account."
Many consumers use the same login information across several websites, so theft of this data from one entity could allow fraudsters to potentially raid other accounts, such as online banking. According to documents chronicling the bill's history, it appears the flurry of mega password breaches this year, affecting companies like Yahoo and LinkedIn, prompted the update to the breach notification law.
“Cyber criminals are becoming increasingly savvy, particularly now that more individuals are using laptops, smartphones and even tablets to conduct personal business and shop online," Corbett said in a statement. "It is critical that consumers are informed whenever their information is accessed or stolen to minimize potential theft and damages."
The bill, dubbed SB-46, now makes its way to the state Assembly.
In 2003, California was the first state to enact a data breach notification law. Since then, nearly all other states have followed suit. There is no federal law, though there are national notification guidelines related to health care breaches.