California Attorney General Xavier Becerra (Photo: Jason Doiy/ALM)

Companies collecting California residents' information could face tighter breach disclosure rules under a new proposal that would expand the definition of personally identifiable data in the state.

California Attorney General Xavier Becerra announced proposed legislation Thursday that would increase California's data breach notification law. If AB 1130 passes, California's definition of personally identifiable data would grow to include government-issued passports and green card numbers and biometric information, including fingerprints and retina scans.

“Recognize you're asking people to turn over to you, as a company, some really precious information and valuable information. If you were to lose someone's jewels or safety deposit box stashed with cash, you've got a responsibility to make that person whole, having lost that valuable personal property,” Becerra said. “Personal data is no different. Maybe even more precious. Some might say priceless. So we hope the message to companies is: use every tool at your disposal to protect this very precious information.”

California already has some of the strictest data breach laws in the U.S. It became the first U.S. state to enact a data breach law in 2003. Under California's current rules, companies must notify state residents if their driver's license number, Social Security number, credit card number, health or banking information is breached.

But Becerra said the omission of other government-issued and biometric information provides a “loophole” in the law that the new bill aims to close. He pointed to a 2018 breach at the Starwood hotel chain, owned by Marriott International Inc., which exposed the unencrypted passport numbers of around 5 million people.

The breach ”underscores the importance of protecting passport numbers,” he said, because current law wouldn't require Starwood to disclose that aspect of the breach to impacted California residents.

“When we're trying to encourage businesses and Californians as consumers to engage in business where there is trust, that disclosure of the breach is something that should be coming with an apology for a breakdown in that trust,” said Marc Levine, a member of the California State Assembly who joined Becerra in announcing AB 1130 Thursday. “Customers should feel when they're working with a business that their information should be secure. Because their personally identifiable information has incredible value.”

Becerra did not offer a timeline for the proposed changes. Companies collecting California residents' data also have less than a year to comply with the California Consumer Privacy Act, the first data protection act passed in a U.S. state.

Read More:

Marriott Guests, Both Lawyers, File First Class Action Over Data Breach

The California Consumer Privacy Act: What You Need to Know