As Becerra noted, California was the first state to pass a data breach notification law back in 2003, requiring businesses to disclose if consumers' personal information had been stolen. However, only social security numbers, driver's license numbers, credit card numbers and medical and health insurance data are considered "personal information" under its rules.

While Starwood Hotels disclosed the security breach, other companies might not be as forthcoming when they're not legally required to divulge a hack based on what was stolen. That's why this bill aims to update the law in order to add passport numbers and biometric information, such as fingerprints and iris scans, to the list of recognized personal information. Passport numbers are government-issued identifiers, after all, and a bad actor could use them to steal a person's identity via social engineering or to commit fraud.

The Attorney General said in a statement: