In February 2005, ChoicePoint, a corporation that collects and
compiles information that includes personal and financial information
on millions of consumers, disclosed that it had been the victim of a
security breach wherein it had sold personal information of almost
145,000 people to a criminal enterprise. The company first
disclosed the breach only to California residents, as required by
California's Notice of Security Breach law, enacted in 2002. However, the
company later disclosed that residents in other states, the District
of Columbia and three territories also may have been affected by the
ChoicePoint breach.
Since these disclosures, additional states have introduced legislation
requiring that companies and/or state agencies disclose to consumers
security breaches involving personal information. NCSL's Identity
Theft Web page has additional information on related legislation.
2006 Legislation
Alaska
S.B.
222
An act relating to breaches of security involving personal
information, consumer report security freezes, consumer credit
monitoring, credit accuracy, protection of social security numbers,
disposal of records, factual declarations of innocence after
identity theft, filing police reports regarding identity theft, and
furnishing consumer credit header information.
Alabama
S.B.
114
An act to provide a procedure for notification of a breach of
security where there is a reasonable belief that computer data
containing the personal information of an Alabama resident is
disclosed to an unauthorized person.
S.B.
220
An act to provide a procedure for notification of a breach of
security where there is a reasonable belief that computer data
containing the personal information of an Alabama resident is
disclosed to an unauthorized person.
Arizona
H.B.
2276
An act relating to disclosure of compromised personal identifying
information.
H.B.
2331
An act relating to disclosure of compromised personal identifying
information.
S.B.
1338
Requires a business or governmental entity conducting business in
Arizona to notify state residents of a breach of their security
system when personal information of the individuals has been
compromised.
Hawaii
H.B.
3243
Requires persons, businesses, or government agencies who maintain
personal information in computerized form to notify persons to whom
the information relates of a breach of the security of the
information. Authorizes attorney general to take legal action to
enforce notice requirement.
Iowa
H.F.
2107
An act to require notification of a breach of the security of a
system of computerized data containing personal information and
providing for civil remedies.
S.S.B.
3019
An act requiring notice of a breach of security of computer data
containing personal information, and providing a procedure to secure
credit information, and providing a penalty.
Illinois
H.B.
4253
Amends the Personal Information Protection Act; provides that the
notice requirements of the Act apply to breaches of written material
containing personal information; and provides that any State agency
that collects personal data and has had a breach of security of the
system data or written material shall submit an annual report to the
General Assembly listing the breaches and outlining any corrective
measures that have been taken to prevent future breaches of the
security of the system data or written material.
H.B.
4449
Amends the Personal Information Protection Act. Provides that any
State agency that collects personal data and has had a breach of
security of the system data or written material shall submit an
annual report to the General Assembly listing the breaches and
outlining any corrective measures that have been taken to prevent
future breaches of the security of the system data or written
material. Provides that any State agency that collects personal data
that is no longer needed or stored at the agency shall dispose of
the personal data or written material it has collected in such a
manner as to ensure the security and confidentiality of the
material.
H.B.
5293
Creates the Financial Institution Credit Watch Services Act.
Provides that any financial institution that has suffered a breach
of security concerning personal information shall provide the owner
or licensee of the personal information with free credit monitoring
services, if the personal information was, or is reasonably believed
to have been, acquired by an unauthorized person.
S.B.
3040
Amends the Personal Information Protection Act. Provides that the
notification requirements of the Act apply to breaches of security
concerning written data. Provides that any financial institution
that has suffered a breach of security concerning personal
information shall provide the owner or licensee of the personal
information with free credit watch services for one year, if the
personal information was, or is reasonably believed to have been,
acquired by an unauthorized person.
Indiana
H.B.
1101
01/26/06 Passed House
Provides that a person that owns or licenses a computerized data
base containing personal information concerning Indiana residents
must disclose to those residents a security breach if the breach
could cause the Indiana residents to become victims of identity
theft, identity deception, or fraud. Authorizes the attorney
general to bring an action to enforce the disclosure
requirements. Requires a state agency to disclose a breach of
security involving confidential information. Provides that a
person who disposes of a customer's unencrypted, unredacted personal
information without first shredding, incinerating, mutilating, or
erasing the personal information commits a Class C infraction.
Makes possession of a card skimming device with the intent to commit
identity deception or fraud a Class D felony and a Class C felony if
the device is possessed with the intent to commit terroristic
deception.
Kentucky
H.B.
175
Requires an agency or person or business that conducts business in
the Commonwealth, and that owns or maintains computerized data that
includes personal information, to disclose any breach of the
security of the data to any resident of the Commonwealth whose
personal information was acquired, or to any owner or licensee whose
information was acquired, by an unauthorized person.
New Hampshire
H.B.
1374
Establishes a committee to study requiring personal information
holders to disclose a security breach.
H.B.
1404
Requires an individual, agency, or commercial entity to notify a
resident when there is a breach of computer security regarding the
resident’s personal information.
H.B.
1414
Requires a person engaged in business in this state to notify
consumers of any security breach that compromises the
confidentiality of their personal information.
New Jersey
A.B.
259
Requires businesses to disclose any breach of security of computer
systems to customers and to destroy certain personal information no
longer retained.
New York
A.B.
1525
Requires any banking institution that owns or licenses data that
includes personal identifying information to disclose any breach of
security following discovery or notification of such breach to any
person whose personal identification was, or is reasonably believed
to have been, acquired by an unauthorized person; defines personal
identifying information and breach of security; further allows for a
consumer to elect for a security freeze on his or her consumer
report to prevent identity theft; establishes procedures to allow
consumers to put a "security freeze" on their consumer
information; provides for enforcement by the attorney general.
A.B.
5487 / S.B.
3000
Enacts the "personal information protection act",
requiring disclosure of breaches of security of data systems of
business entities to affected persons; provides for administration
by the department of state; requires use of best effective
technology to detect breaches of security; provides for a private
right of action.
S.B.
2161
Requires any state agency or business which owns or licenses a
computerized database which includes vulnerable personal information
to disclose any breach of security of such system to any resident
of New York state whose unencrypted personal information may have
been acquired by an unauthorized person; provides enforcement
provisions.
Rhode Island
H.B.
6835
An act relating to criminal offenses - identity theft protection.
Virginia
H.B.
1154
Requires an individual or a commercial entity that owns or licenses
computerized data that includes personal information to notify a
resident of Virginia of any breach of the security of the system
immediately following the discovery of a breach in which unencrypted
personal information was, or is reasonably believed to have been,
acquired by an unauthorized person. The bill also contains
alternative notification provisions. The Office of the Attorney
General may also bring an action in law or equity to address
violations of this section and other appropriate relief.
H.B.
1508
The measure requires data collectors that keep personal information
on individuals to notify a Virginia resident when there has been a
breach of the security of the data. The notice shall include a
description of the categories of information that were acquired by
an unauthorized person and a toll-free number that the individual
may use to learn what types of information were maintained about the
individual. An individual receiving such a notice may obtain, at no
cost, consumer credit reports beginning two months following the
breach of security and continuing on a quarterly basis for two years
thereafter.

2005 Legislation
Summary: Legislation was introduced in at least 35 states in 2005.
Legislation was enacted in at least 22 states in 2005: Arkansas,
Connecticut, Delaware, Florida, Georgia, Illinois, Indiana (applies to
state agencies only), Louisiana, Maine, Minnesota, Montana, Nevada,
New Jersey, New York, North Carolina, North Dakota, Ohio, Pennsylvania,
Rhode Island, Tennessee, Texas and Washington.
(See also 2004, 2003, and 2002 legislation.)
Alaska
H.B.
226
05/10/05 Legislature adjourned.
Relates to breaches of security involving personal information;
and relating to credit report security freezes.
S.B.
148
05/10/05 Legislature adjourned.
Relates to breaches of security involving personal information; and
relating to credit report security freezes.
S.B.
149
05/10/05 Legislature adjourned.
Relates to breaches of security involving personal information; and
relating to credit report security freezes.
S.B.
180
05/10/05 Legislature adjourned.
Relates to breaches of security involving personal information,
consumer report security freezes, protection of social security
numbers, disposal of records, and the accuracy of reports on credit
history, score, and ranking.
Arizona
H.B.
2575
05/13/05 Legislature adjourned
Requires that if personal identifying information is stolen from a
person or entity, the person or entity shall send notice to its
customers within 48 hours of the theft discovery that their personal
identifying information has been stolen and shall provide
information on what the customers may do to protect against the
unauthorized use of their personal identifying information.
S.B.
1114
05/13/05 Legislature adjourned
Requires an entity disposing of records to take reasonable steps
to ensure the destruction of personal financial and health
information and personal identification numbers that are issued by
governmental entities. Directs an entity that discovers that
personal identifying information has been stolen or improperly
obtained to, within the most expedient time possible and without
unreasonable delay: a) transmit notice to the person that there has
been a breach of security regarding that person’s personal
identifying information; and b) provide information to that person
regarding steps to be taken to protect against the unauthorized use
of personal identifying information. Immunizes the entity from
liability if it
returned custody and control of the records back to the individual
to whom the records pertain. Specifies that this legislation
does not apply to the disposal of records by a transfer of the
records to another entity. Allows an individual, who believes
he or she may be injured by an entity’s actions or failure to act,
to request that a court stop an entity’s actions or failure to act
pursuant to this legislation. Permits the court to grant an
injunction to stop an entity’s actions or failure to
act. Authorizes the attorney general to bring a civil
action for damages and/or injunctive relief against an entity that
fails to comply with this legislation. Specifies that any
bank, financial institution, health care organization or other
entity subject to and in compliance with certain federal regulations
regarding protecting identifying information is in compliance with
this legislation. Provides that the rights and remedies of
this legislation are in addition to other rights or remedies
provided by law. Defines “destroy,” “entity,”
“individual,” “personal identifying information” and
“record.”
Arkansas
S.B.
1167
03/31/05 Signed by governor, Act 1526
Provides notice to consumers of the disclosure of their personal
information.
California
A.B.
786
09/09/05 Legislature adjourned
Requires the California State University system to provide an
employee, upon request, with four hours of time off with pay
following a disclosure by the university that there is, or could
have been, a breach of security of employee personal information
data, as specified.
A.B.
1694
09/09/05 Legislature adjourned
This bill would require a consumer credit reporting agency, upon the
request of a consumer whose personal information was breached by a
computerized data system, to place a security freeze on the
consumer's credit report without charge to the consumer for this
service. The bill would authorize the consumer credit reporting
agency to charge the agency responsible for the breach, and would
require the consumer to submit a copy of notification of the breach
to the consumer credit reporting agency, as a condition of receiving
the security freeze. The bill would make related findings and
declarations of the Legislature. This bill would require a
consumer credit reporting agency to notify each consumer who is the
subject of a consumer credit report of each instance that a new
account is entered on the consumer's report if the address on the
credit application is different from the last address on record held
by the consumer credit reporting agency.
S.B.
433
09/09/05 Legislature adjourned
Existing law contains two identical provisions of law requiring any
person or business that conducts business in California and that
owns or licenses computerized data that includes personal
information to disclose any breach of the security system following
discovery or notification of the breach in the security of the data
to any resident of this state whose unencrypted personal information
was, or is reasonably believed to have been, acquired by an
unauthorized person. Repeals one of those two identical
provisions, thereby making a technical, nonsubstantive change.
S.B.
550
05/19/05 Passed Senate
09/09/05 Legislature adjourned
Regulates a data broker, which would be defined as a commercial
entity that collects, assembles, or maintains personally
identifiable information about a California resident for the sale or
transmission of, or provision of access to, that information to any
third party. The bill, among other things, authorizes a
California resident to request that his or her personally
identifiable information, as defined, be excluded from any report
prepared by a data broker, and requires a data broker to inform that
resident every time the broker issues a report containing that
information. Requires every data broker to allow every
California resident the right to obtain disclosure of all personally
identifiable information pertaining to that individual held by the
broker, and to be informed of the identity of each person or entity
that procures that information from the broker. Requires the
prompt correction of errors in any report, and, upon a breach of
security of an individual's information, would require the data
broker to pay for a security freeze of that individual's credit
reports. Provides for specified penalty provisions and
injunctive relief.
S.B.
852
05/26/05 Passed Senate
09/09/05 Legislature adjourned
Requires an agency, or a person or business conducting business in
California, that possesses any data that includes the personal
information of a California resident, to notify the resident of any
breach of the security of the data, as specified. The bill also
repeals duplicative provisions of law.
Colorado
S.B.
137
(Final version of bill does not include security breach
provision)
06/01/05 Signed by governor
Permits a consumer to put a security freeze on his or her credit
report. Allows the consumer to temporarily lift the freeze to allow
a particular entity access to the credit report for the purpose of
issuing or extending credit to the consumer. Requires the freeze to
be maintained until the consumer specifically requests its removal.
Requires that a consumer be notified of the right to place a
security freeze on his or her credit report each time the consumer
receives a summary of the rights relating to credit reports. Compels
a consumer reporting agency to notify the consumer within 5 days
after releasing credit information that was in violation of a
security freeze. Allows a consumer who had credit information
released in violation of a security freeze to bring a private civil
right of action against the consumer reporting agency that released
the information in violation of the security freeze. Prohibits a
consumer reporting agency from furnishing a consumer's credit header
to someone who does not have a permissible basis to obtain the
consumer credit header. Requires a data collector that owns or uses
personal information in any form concerning a Colorado resident to
notify the resident that there has been a breach of the security of
the system data following the discovery of the breach.
Connecticut
S.B.
650
06/08/05 Signed by governor, Public Act 05-148
Requires a business that has suffered a security
breach involving personal information to disclose it to affected
consumers, generally without unreasonable delay. It generally
requires the notice to be given in writing, by telephone, or
electronically. It allows a substitute form of notice when the cost
of providing it is high or the number of affected people is large.
It prescribes the form of the substitute notice.
Delaware
H.B.
116
06/28/05 Signed by governor
Helps ensure that personal information about Delaware residents
is protected by encouraging data brokers to provide reasonable
security for personal information. Requires an individual or a
commercial entity that conducts business in Delaware and that owns
or licenses computerized data that includes personal information to
notify a resident of Delaware of any breach of the security of the
system immediately following the discovery of a breach in the
security of personal information of the Delaware resident whose
unencrypted personal information was, or is reasonably believed to
have been, acquired by an unauthorized person. Notification
must be made in good faith, in the most expedient time possible and
without unreasonable delay, consistent with the legitimate needs of
law enforcement and with any measures necessary to determine the
scope of the breach and to restore the reasonable integrity of the
computerized data system. Alternative notification procedures
are provided in §12B-103. In a civil action to recover
damages (for example, losses due to identity theft), the award is
triple the amount of actual damages plus reasonable attorney
fees. A violation of this Act falls under the enforcement
duties and powers of the Consumer Protection Division of the
Department of Justice, which may bring an action in law or equity to
address violations of the Act and other appropriate relief.
The provisions of this Act do not nullify or impair any common law
or statutory right that a person may have in regard to violations
under the Act.
Florida
H.B.
129
05/06/05 Legislature adjourned
Requires business persons maintaining computerized data that
includes personal information to provide notice of breaches of
system security under certain circumstances; provides requirements;
provides for administrative fines; provides exceptions and
limitations; authorizes delays of such disclosures under certain
circumstances; provides definitions; provides for alternative notice
methods; specifies conditions of compliance for persons maintaining
certain alternative notification procedures; specifies conditions
under which notification is not required; provides requirements for
documentation and maintenance of documentation; provides an
administrative fine for failing to document certain failures to
comply; provides for application of administrative sanctions to
certain persons under certain circumstances; authorizes the
Department of Legal Affairs to institute proceedings to assess and
collect fines.
H.B.
481
06/14/05 Signed by governor, Chapter 229
Includes other information within the definition of
the term "personal identification information"; defines
the term "counterfeit or fictitious personal identification
information"; revises criminal penalties relating to the
offense of fraudulently using, or possessing with intent to
fraudulently use, personal identification information; provides
minimum mandatory terms of imprisonment; creates the offenses of
willfully and fraudulently using, or possessing with intent to
fraudulently use, personal identification information concerning a
deceased individual; provides criminal penalties; provides for
minimum mandatory terms of imprisonment; creates the offense of
willfully and fraudulently creating or using, or possessing with
intent to fraudulently use, counterfeit or fictitious personal
identification information; provides criminal penalties; provides
for reclassification of offenses; provides for reduction or
suspension of sentences; requires business persons maintaining
computerized data that includes personal information to provide
notice of breaches of system security; provides for administrative
fines; authorizes delays of such disclosures; provides for
alternative notice methods; provides definitions; specifies
conditions of compliance for persons maintaining alternative
notification procedures; specifies conditions under which
notification is not required; provides an administrative fine for
failing to document failures to comply; provides requirements for
such documentation and maintenance of documentation; authorizes the
Department of Legal Affairs to institute proceedings to assess and
collect fines; requires notification of consumer reporting agencies
of breaches of system security.
S.B.
284
05/06/05 Legislature adjourned
Requires business persons maintaining computerized data that
includes personal information to provide notice of breaches of
system security under certain circumstances; revises criminal
penalties re offense of fraudulently using, or possessing with
intent to fraudulently use, personal identification information;
provides minimum mandatory terms of imprisonment, etc.
S.B.
978
05/06/05 Legislature adjourned
Includes other information within definition of term "personal
identification information"; defines term "counterfeit or
fictitious personal identification information"; revises
criminal penalties re offense of fraudulently using, or possessing
with intent to fraudulently use, said info; requires business
persons maintaining computerized data that includes personal info to
disclose breaches of system security under certain circumstances,
etc.
Georgia
H.B.
638
03/31/05 Legislature adjourned
Relates to selling and other trade practices, so as to provide
definitions; to require investigative consumer reporting agencies to
give notice to consumers of certain security breaches; to provide
for a standard of care to be exercised by investigative consumer
reporting agencies; to provide for rules, regulations, and
guidelines; to provide for related matters; to provide an effective
date; to repeal conflicting laws; and for other purposes.
H.B.
648
03/31/05 Legislature adjourned
Requires a person or business that conducts business in this state
and that owns or licenses computerized data that includes personal
information to disclose in specified ways any breach of the security
of the data to any resident of this state whose unencrypted personal
information was, or is reasonably believed to have been, acquired by
an unauthorized person; to permit notification to be delayed if a
law enforcement agency determines that it would impede a criminal
investigation; to require a person or business that maintains
computerized data that includes personal information owned by
another to notify the owner or licensee of the information of any
breach of the security of the data; to provide for certain civil
actions.
S.B.
230
05/05/05 Signed by governor, Act 163
Relates to selling and other trade practices, so as to provide
definitions; requires investigative consumer reporting agencies to
give notice to consumers of certain security breaches.
S.B.
245
03/31/05 Legislature adjourned
Relates to business records, so as to require a person or business
that conducts business in this state and that owns or licenses
computerized data that includes personal information to disclose in
specified ways any breach of the security of the data to any
resident of this state whose unencrypted personal information was,
or is reasonably believed to have been, acquired by an unauthorized
person; permits notification to be delayed if a law enforcement
agency determines that it would impede a criminal investigation;
requires a person or business that maintains computerized data that
includes personal information owned by another to notify the owner
or licensee of the information of any breach of security of the
data; provides for certain civil actions; defines certain terms;
amends Chapter 18 of Title 50 of the Official Code of Georgia
Annotated, relating to state printing and documents, so as to
require an agency that owns or licenses computerized data that
includes personal information to disclose in specified ways any
breach of the security of the data to any resident of this state
whose unencrypted personal information was, or is reasonably
believed to have been, acquired by an unauthorized person; permits
notification to be delayed if a law enforcement agency determines
that it would impede a criminal investigation; requires an agency
that maintains computerized data that includes personal information
owned by another to notify the owner or licensee of the information
of any breach of security of the data; defines certain terms;
provides for legislative findings and declarations.
S.B.
251
03/31/05 Legislature adjourned
Relates to selling and other trade practices; requires certain
business entities to give notice to consumers of certain security
breaches; to provide for causes of actions and damages for
unauthorized or improper access of personal information of
consumers; to provide for certain criminal penalties; to provide for
related matters; to provide an effective date; to repeal conflicting
laws; and for other purposes.
H.B.
649
03/31/05 Legislature adjourned
Provides that any person who is engaged in any business which
involves the collection or maintenance of identifying information
with respect to consumers shall have a duty to maintain such
identifying information in a manner which is secure against
unauthorized disclosure; requires prompt notification to a consumer
if the security of that consumer’s identifying information is or
may have been breached; provides for criminal penalties and civil
and administrative remedies.
Illinois
H.B.
1633
06/16/05 Signed by governor, Public Act 94-36
Creates the Personal Information Protection Act.
Provides that any data collector that owns or uses personal
information in any form, whether computerized, paper, or otherwise,
that includes personal information concerning an Illinois resident
shall notify the resident that there has been a breach of the
security of the system data following discovery or notification of
the breach, without regard for whether the data has been accessed by
an unauthorized third party for legal or illegal purposes.
Provides that the notification required pursuant to the Act may be
delayed if a law enforcement agency determines that the notification
may impede a criminal investigation. Amends the Consumer Fraud
and Deceptive Business Practices Act. Provides that a
violation of the Personal Information Protection Act is a violation
of the Consumer Fraud and Deceptive Business Practices Act.
H.B.
3743
Creates the Security Breach Notification Act. Requires any person or
business conducting business in the State, and that owns or licenses
computerized data that includes personal information, to disclose
any breach of the security of the system following discovery or
notification of the breach in the security of the data to any person
whose unencrypted personal information was, or is reasonably
believed to have been acquired by an unauthorized person. Requires
any person or business that maintains computerized data that
includes personal information that the person or business does not
own, to notify the owner or licensee of the information of any
breach of the security of the data immediately following discovery
of such breach, if the personal information was, or is reasonably
believed to have been acquired by an unauthorized person. Provides
that notice may be provided to a customer in one of the following
ways: (1) written notice; (2) electronic notice; or (3) substitute
notice if the person or business demonstrates that the cost of
providing notice would exceed $250,000, or the affected class of
persons to be notified exceeds 500,000, or the person or business
does not have sufficient contact information. Provides a private
right of action for a violation of the Act.
H.B.
4198
Amends the Personal Information Protection Act. Requires a
data collector to disclose to a consumer, at no cost, the personal
information obtained resulting in a breach of the security of the
system data.
S.B.
209
Creates the Personal Information Protection Act. Requires each
financial institution to provide an annual disclosure statement to
all persons for which the financial institution maintains
unencrypted personal information concerning measures the financial
institution has taken to prevent (i) a breach of the security system
and (ii) any unauthorized acquisition of computerized data that
compromises the security, confidentiality, or integrity of personal
information maintained by the financial institution. Requires
each financial institution to maintain duplicate records of all
computerized data at a back-up site located at least 90 miles from
the primary site at which the data is stored. Provides that
the effectiveness of the back-up site shall be tested annually and
requires the results of that test to be included in the annual
disclosure statement.
S.B.
1479
04/08/05 Passed Senate
Creates the Identity Theft Notification Act. Requires any data
collector that owns or uses personal information in any form that
includes personal information concerning an Illinois resident, to
disclose any breach of the security of the system following
discovery or notification of the breach in the security of the data,
without regard for whether the data has been accessed by an
unauthorized third party for legal or illegal purposes. Provides
that notice may be provided in one of the following ways: (1)
written notice; (2) electronic notice; or (3) substitute notice if
the person or business demonstrates that the cost of providing
notice would exceed $250,000, or the affected class of persons to be
notified exceeds 500,000, or the person or business does not have
sufficient contact information. Provides a private right of action
for a violation of the Act.
S.B.
1798
Creates the Personal Information Protection Act. Requires any
person, business, or State agency conducting business in the State,
and that owns or licenses computerized data that includes vulnerable
personal information, to disclose any breach of the security of the
system following discovery or notification of the breach in the
security of the data to any person whose unencrypted personal
information was, or is reasonably believed to have been acquired by
an unauthorized person. Requires any person, business, or State
agency that maintains computerized data that includes vulnerable
personal information that the person, business, or State agency does
not own, to notify the owner or licensee of the information of any
breach of the security of the data immediately following discovery,
if the vulnerable personal information was, or is reasonably
believed to have been acquired by an unauthorized person. Provides
that notice may be provided to a customer in one of the following
ways: (1) written notice; or (2) substitute notice if the person or
business demonstrates that the cost of providing notice would exceed
$250,000, or the affected class of persons to be notified exceeds
500,000, or the person or business does not have sufficient contact
information.
S.B.
1799
06/16/05 Signed by governor, Public Act 94-0041
Amends the Department of Revenue Law of the Civil
Administrative Code of Illinois. Requires the Department of Revenue
to notify an individual if the Department discovers or reasonably
suspects that another person has used that individual's Social
Security number.
S.B.
1899
Creates the Identity Theft Notification Act. Requires any agency,
person, or business that conducts business in Illinois and owns or
licenses data that includes personal information concerning an
Illinois resident to notify the resident that there has been a
breach of the security of that data following discovery or
notification of the breach. Requires any agency, person, or business
that maintains data that includes personal information concerning an
Illinois resident and that the agency, person, or business does not
own to notify the owner or licensee of the information of any breach
of the security of the data immediately following discovery, if the
personal information was, or is reasonably believed to have been
acquired by an unauthorized person. Provides that notice may be
provided in one of the following ways: (1) written notice; (2)
electronic notice; or (3) substitute notice if the agency, person,
or business demonstrates that the cost of providing notice would
exceed $250,000, or the affected class of persons to be notified
exceeds 500,000, or the agency, person, or business does not have
sufficient contact information.
Indiana
S.B.
49
(Final version of bill does not include security breach
provision)
05/23/05 Signed by governor, Public Law 115
Various computer issues. Prohibits certain uses of spyware.
Authorizes a provider of computer software, a web site owner, or a
trademark or copyright holder harmed by a prohibited use of spyware
to bring a civil action against the person who committed the
prohibited act. Allows a person who brings a cause of action for
unlawful spyware installation to receive injunctive relief and the
greater of actual damages or $100,000 per violation.
S.B.
503
04/26/05 Signed by governor, Act 503
Requires a state agency to notify: (1) an individual
of a security breach of the agency's computer system if the
individual's unencrypted personal information was or is reasonably
believed to have been acquired by an unauthorized person; and (2)
all consumer reporting agencies if notice is provided to more than
1,000 people. Prohibits a state agency from releasing the
Social Security number of an individual unless the release is: (1)
required by state law, federal law, or court order; (2) authorized
in writing by the individual; (3) made to comply with the USA
Patriot Act or Presidential Executive Order 13224; or (4) made to a
commercial entity for permissible uses set forth in the Drivers
Privacy Protection Act, the Fair Credit Reporting Act, or the
Financial Modernization Act of 1999. Provides that disclosure
of the last four digits of a Social Security number is not
considered a disclosure of the Social Security
number. Makes it a Class D felony to knowingly make a
false representation to obtain a Social Security number or for an
agency employee to knowingly disclose a Social Security
number. Provides that an agency employee who negligently
discloses a Social Security number commits a Class A
infraction. Requires an individual who prepares a document for
recording to certify that the individual reviewed the entire
document and took reasonable care to redact Social Security numbers
in the document. After December 31, 2007, requires a county
recorder or an employee of a county recorder to search documents
using the redacting technology to redact Social Security numbers
before the documents are released for public inspection.
Establishes a pilot project beginning July 1, 2005, to develop
procedures and test technology and equipment for searching recorded
documents and redacting Social Security numbers.
Louisiana
S.B.
205
07/12/05 Signed by governor, Act 499
Provides for the Database Security Breach Notification Law.
Maine
L.D.
1671
06/10/05 Signed by governor, Chapter 379
Requires a business that owns or licenses electronic
data containing personal information, following the discovery of a
security breach, to notify the person whose unencrypted personal
information was, or is reasonably believed to have been, acquired by
an unauthorized person.
Maryland
H.B.
1588 / S.B.
1002
03/28/05 Withdrawn (SB 1002)
04/04/05 Withdrawn (HB 1588)
04/11/05 Legislature adjourned
Requiring a business to destroy or arrange for the destruction of a
customer's records that contain specified personal information of
the customer in a specified manner; requiring a business that owns
or licenses specified personal information of an individual residing
in the State to implement and maintain specified security procedures
and practices; requiring businesses that own, license, or maintain
specified records to notify specified persons of a breach of the
security of a system.
Massachusetts
H.B.
2797
Requires companies that deal with nonpublic personal information to
disclose any breach where said data was, or is reasonably believed
to have been, acquired by an unauthorized person.
S.B.
184
Prevents identity theft through security breach notices and
establishes a victim's bill of rights.
S.B.
2058
Requires companies that collect personal information to disclose
when said data has been compromised.
Michigan
H.B.
4525
Requires notification of unauthorized access to computer databases.
H.B.
4587
Requires notice of any breach of database security.
H.B.
4658
Consumer protection; requires notification of security breach of
database containing personal identifying information.
S.B.
309
Requires notification of security breach of database containing
personal identifying information.
Minnesota
H.F.
225 / S.F.
361
06/03/05 Signed by governor, Chapter 163
Relating to the classification and dissemination of
government data; making certain technical, conforming and clarifying
changes to certain provisions under the government data practices
act, changing the terms state agency, political subdivision and
statewide system to government entity; granting the legislative
auditor access to classified data for inspection purposes.
H.F.
1410 / S.F.
1307 (Substituted by H.F.
2121)
05/23/05 Legislature adjourned
Requires businesses maintaining personal information in
electronic form to disclose to consumers breaches in security.
H.F.
1943 / S.B.
2002 (§ 6)
05/23/05 Legislature adjourned
Consumer credit report security freeze authorized, identity theft
and Social Security number protections, credit monitoring, personal
record destruction, and civil and criminal penalties provided.
H.F.
1805 / S.F.
1805
05/23/05 Legislature adjourned
Requires businesses that possess personal data to notify
persons whose information has been disclosed to unauthorized
persons.
H.F.
2121 / S.F.
2118
06/02/05 Signed by governor, Chapter 167
Requires businesses that possess personal data to
notify persons whose personal information has been disclosed to
unauthorized persons.
Missouri
S.B.
506
05/26/05 Legislature adjourned
Prohibits the sharing of personal financial information with any
unauthorized person unless the individual consents to the
share. Requires a business or person that conducts business in
the state that owns or licenses computerized data, to disclose any
breach of security of that data, to any citizen of this state whose
information may, or may very well have been, acquired by an
unauthorized person. Allows for individuals to place security
alerts and security freezes on their credit report, notifying any
recipient of the report that the individual may have been a
victim of identity theft, and prohibiting the release of the
individual's information without the express consent of the
consumer. Details the obligations of consumer reporting agencies in
response to this option.
Montana
H.B.
732
04/28/05 Signed by governor, Chapter 518
Adopts and revises laws to implement individual privacy and to
prevent identity theft; requires a consumer reporting agency to
block or expunge information on a report that results from a theft
of identity; provides privacy protection provisions for credit card
solicitations and renewals and telephone accounts; provides privacy
protection for business records by requiring destruction of records;
requires businesses to report a breach of computer security;
requires a business that has an established business relationship
with a customer and that has disclosed certain personal information
to third parties to report that information to the customer;
providing remedies and penalties for violation.
Nevada
A.B.
334
06/17/05 Signed by governor, Chapter 486
Requires a governmental agency that owns or licenses
computerized data that includes personal information to notify any
resident of the state whose personal information included in that
data was, or is reasonably believed to have been, acquired by an
unauthorized person.
A.B.
1 (22nd Special Session)
6/17/05 Signed by governor, Chapter 6
Makes technical corrections to certain legislative
measures, including repeal of security breach provisions of A.B.
334.
S.B.
347
06/17/05 Signed by governor, Chapter 485
Relates to personal identifying information; prohibits the
establishment or possession of a financial forgery laboratory;
enhances the penalties for crimes involving personal identifying
information that are committed against older persons and vulnerable
persons; requires the issuer of a credit card to provide a notice
including certain information concerning its policies regarding
identity theft and the rights of cardholders when issuing a credit
card to a cardholder; requires data collectors to provide
notification concerning any breach of security involving system
data; making various other changes concerning personal identifying
information; provides penalties; and provides other matters properly
relating thereto.
S.B.
435
06/07/05 Legislature adjourned
Relates to personal information; requires a business to implement
reasonable measures to ensure security of records containing
personal information; requires a business to take reasonable
measures to destroy certain records containing personal information;
requires data collectors to provide notification of any breach of
the security of the system data to persons affected by the breach;
and provides other matters properly relating thereto.
New Jersey
Assembly
Committee Substitute for A.B. 4001 / S.B. 2665 / Senate Committee
Substitute for Senate Bill Nos. 1914, 2154, 2155, 2440, 2441 and
2524 / A.B. 2048
09/22/05 Signed by governor, Chapter 226
Requires any business that conducts business in New Jersey or
any public entity that compiles or maintains computerized records
that include personal information to disclose any breach of
security of those computerized records to any customer who is a
resident of New Jersey whose personal information was, or is
reasonably believed to have been, acquired by an unauthorized
person. The substitute also provides that any business or
public entity that compiles or maintains computerized records on
behalf of another business or public entity shall notify that
business or public entity, who must then notify its New Jersey
customers of the breach; however, disclosure is not required if the
business or public entity establishes that misuse of the information
is not reasonably possible, any such determinations to be documented
in writing and retained for five years. Furthermore, the
disclosure may be delayed if a law enforcement agency determines
that notification will impede a criminal investigation. Notice
may be written or electronic. If the business demonstrates that the
cost of providing notice would exceed $250,000, or that the affected
class of subject persons to be notified exceeds 500,000, or the
business does not have sufficient contact information, it may
provide substitute notice, which must consist of all of the
following: (1) e-mail notice when the business has an e-mail
address; (2) conspicuous posting of the notice on the Web site page
of the business, if the business maintains one; and (3) notification
to major statewide media. However, a business that maintains
its own notification procedures as part of an information security
policy for the treatment of personal information and is otherwise
consistent with the timing requirements of the bill, shall be deemed
to be in compliance with the notification requirements of this bill
if the business notifies subject persons in accordance with its
policies in the event of a breach of security of the system.
Additionally, the bill requires a business to take all reasonable
steps to destroy customer records within its control containing
personal information which is no longer to be retained by the
business. The customer records shall be destroyed by shredding,
erasing, or otherwise modifying the personal information to make
them unreadable or undecipherable through any means.
A.B.
1080
Requires that a financial institution that discovers or reasonably
should discover that a consumer’s nonpublic personal information
maintained by the financial institution was compromised in any way
shall promptly notify the consumer of the breach of the security or
confidentiality of the information. In addition to promptly
notifying a consumer of the security compromise, a financial
institution is required to provide assistance to the consumer to
remedy any such compromise; to reimburse the consumer for any losses
the consumer incurred as a result of the compromise of the security
or confidentiality of such information; and to provide information
concerning the manner in which the consumer can obtain
assistance. However, a financial institution may delay
notifying a consumer of the compromise of the security or
confidentiality of the information at the request of a law
enforcement agency investigating such violation for a period
determined by the law enforcement agency performing the
investigation. Additionally, if an issuer of credit receives a
request for an additional credit card for an existing cardholder no
later than 30 days after receiving a change of address for the
cardholder, the issuer of credit is required to notify the
cardholder of the request at the new address and former address no
later than five days after sending the additional card to the new
address. The issuer of credit shall also provide the
cardholder with a means of promptly reporting incorrect
changes. Any violation of this bill shall be punished under
either N.J.S.A.56:11-38 or N.J.S.A.56:11-39, or both.
New York
A.B.
1525
Requires any banking institution that owns or licenses data that
includes personal identifying information to disclose any breach of
security following discovery or notification of such breach to any
person whose personal identification was, or is reasonably believed
to have been, acquired by an unauthorized person; defines personal
identifying information and breach of security.
North Carolina
H.B.
1248 / S.B.
1048
09/21/05 Signed by governor, Chapter 414
Enacts the Identity Theft Protection Act of 2005,
including consumer report security freezes, security breach
notifications and protections for Social Security numbers.
S.B.
783
09/02/05 Legislature adjourned
Requires that data aggregators and other businesses immediately
notify individuals of unauthorized or fraudulent access to personal
information following information security breaches.
North Dakota
S.B.
2251
04/22/05 Signed by governor
Relating to requiring disclosure to consumers of a
breach in security by businesses maintaining personal information in
electronic form; relating to the unauthorized use of personal
identifying information, penalties, and prosecution of offenses in
multiple counties; to provide a penalty; declare an emergency.
Ohio
H.B.
104
11/17/05 Signed by governor
Requires a state agency, person, or business to contact
individuals if unencrypted personal information about those
individuals that is maintained on the computers of the agency,
person, or business is obtained by unauthorized persons.
S.B.
89
Requires a state agency, person, or business to contact individuals
if unencrypted personal information about those individuals that is
maintained on the computers of the agency, person, or business is
obtained by unauthorized persons.
Oregon
S.B.
626
Requires a person who owns or uses personal information to notify an
individual when there is an unauthorized acquisition of personal
information that compromises security of information.
S.B.
630
Requires person maintaining or possessing identifying information to
take measures to protect against unauthorized access to or use of
information prior to disposal or destruction of information.
S.B.
1057
Requires a person that owns or uses personal information to
notify individual and consumer reporting agencies when there is
breach of security that may result in misuse of personal
information. Requires consumer reporting agency receiving notice of
potential misuse of personal information to place security alert in
relevant credit reports. Requires consumer reporting agency, at
request of consumer, to place security freeze on consumer reports
about consumer. Creates exceptions to requirements. Prohibits
disclosure of Social Security number of individual. Provides
exceptions. Punishes violation by maximum of one year's
imprisonment, $6,250 fine, or both. Requires person maintaining or
possessing records containing personal information to take measures
to protect against unauthorized access to or use of information
prior to disposal or destruction of information. Allows private
cause of action for damages. Makes violation of provisions of
Act unlawful trade practice.
Pennsylvania
H.B.
1023
Provides for the notification of residents whose personal information
data was or may have been disclosed due to a
security system breach; and provides for penalties.
H.B.
1795
Providing for the notification of residents whose personal
information data was or may have been disclosed due to a security
system breach; and imposing penalties.
H.B.
2006
An act providing for breach of security of
identifying information and for penalties.
S.B.
712
12/22/05 Signed by governor, Act 94
Providing for the notification of residents whose personal information
data was or may have been disclosed due to a security
system breach; and imposing penalties.
Rhode Island
H.B.
5893
07/01/05 Legislature adjourned
Establishes a duty to disclose any breach of security of a
computerized data system.
H.B.
6191
07/10/05 Became law without governor's signature,
Chapter 225
Requires any person or business that conducts business in
Rhode Island, and that owns or licenses computerized data that
includes personal information, to disclose any breach of the
security of the system following discovery or notification of the
breach in the security of the data to any resident of Rhode Island
whose unencrypted personal information was, or is reasonably
believed to have been, acquired by an unauthorized person.
S.B.
880
07/01/05 Legislature adjourned
Establishes a duty to disclose any breach of security of a
computerized data system.
South Carolina
S.B.
669
06/02/05 Legislature adjourned
Provides for notice to a South Carolina resident whose personal
identifying information may have been accessed through a breach of
the security of computerized data owned, licensed, or otherwise
controlled by a state agency, provides definitions, specifies
requirements of the notice, and provides penalties for
noncompliance; and provides for notice to a South Carolina resident
whose personal identifying information may have been accessed
through a breach of the security of computerized data owned,
licensed, or otherwise controlled by a person conducting business in
this state, provides definitions, specifies requirements of the
notice, and provides penalties for noncompliance.
Tennessee
H.B.
2170 / S.B.
2220
06/08/05 Signed by governor, Chapter 473
Requires persons, businesses or government agencies that
discover a breach of information security resulting in disclosure of
unencrypted personal information about persons to unauthorized third
parties to provide notice of such disclosure.
Texas
H.B.
1527
05/30/05 Legislature adjourned
Requires those who own or license data that includes
identifying information to promptly notify the resident of any
alleged breach of the security of the person's data system,
regardless of whether the resident's identifying information has
been accessed by an unauthorized person.
H.B.
1682
05/09/05 Passed House
05/30/05 Legislature adjourned
Relates to a breach in the security of a computerized data system
that includes personal identifying information; providing a civil
penalty.
S.B.
122
6/17/05 Signed by governor
Requires a person that conducts business in this state and
owns or licenses computerized data that includes sensitive personal
information to disclose any breach of system security, after
discovering or receiving notification of the breach, to any resident
of this state whose sensitive personal information was, or is
reasonably believed to have been, acquired by an unauthorized
person.
Virginia
H.B.
2721
02/27/05 Legislature adjourned
Requires agencies and businesses that maintain computerized
data that includes personal information to notify the subject of
that information when a breach of the database containing that
information is discovered. No notice is required if an
investigation determines that there is no reasonable belief that the
information has been or will be used in an unlawful manner.
Provides for various means of notifying the owner or licensee of
that information and requires the agency or business to coordinate
notification with consumer reporting agencies if they indicated that
the affected individual can obtain a credit report. Damages
for an agency violating this requirement are provided in the
Government Data Collection and Dissemination Practices Act (§
2.2-3800 et seq.). Damages for a business violating this
requirement are provided in the Personal Information Privacy Act or
PIPA (§ 59.1-442 et seq.). Expands the damages available for
violations of PIPA to include actual damages, if greater than $100
per violation, and injunctive relief.
Washington
S.B.
6043
05/10/05 Signed by governor, Chapter 368
Requires any agency that owns or licenses computerized data
that includes personal information to disclose any breach of the
security of the system following discovery or notification of the
breach in the security of the data to any resident of this state
whose unencrypted personal information was, or is reasonably
believed to have been, acquired by an unauthorized person. Requires
the disclosure to be made in the most expedient time possible and
without unreasonable delay, consistent with the legitimate needs of
law enforcement, as provided in this act, or any measures necessary
to determine the scope of the breach and restore the reasonable
integrity of the data system. Requires any person or business that
conducts business in this state and that owns or licenses
computerized data that includes personal information to disclose
any breach of the security of the system following discovery or
notification of the breach in the security of the data to any
resident of this state whose unencrypted personal information was,
or is reasonably believed to have been, acquired by an unauthorized
person. The disclosure shall be made in the most expedient time
possible and without unreasonable delay, consistent with the
legitimate needs of law enforcement, as provided in this act, or any
measures necessary to determine the scope of the breach and restore
the reasonable integrity of the data system.
West Virginia
H.B.
2772
04/09/05 Legislature adjourned
Requires commercial entities who maintain databases containing
resident individuals' personal information, to notify a resident
individual, in writing, whenever the individual's personal
information has been compromised by unauthorized disclosure; and
defines personal information.
Wisconsin
S.B.
164
11/09/05 Passed Senate
Requires an entity that possesses certain personal information about
an individual to notify the individual when the information is
accessed by a person who the individual has not authorized to do so
(unauthorized access). The bill’s notice requirements apply
to entities, including the state and local governments, that do any
of the following: conduct business in Wisconsin and maintain
personal information in the ordinary course of business; store
personal information in this state; maintain a depository account
for a Wisconsin resident; or lend money to a Wisconsin resident.
A.B.
320
This bill requires a business (or other corporate entity) that
knows of the unauthorized use of unencrypted personal identifying
information that was obtained from the business to make reasonable
efforts to notify the individual whose personal identifying
information was used. Generally, a business must notify the
individual within 30 days after the business learns of the
unauthorized use.
Please contact Pam Greenberg, pam.greenberg at
ncsl.org, NCSL Denver Office, 303-364-7700, with questions or with
updates/additions to this information.
2004 Legislation
California
S.B.
1279
(Did not pass)
Requires an agency, or a person or business conducting business
in California, that possesses any data that includes the personal
information of a California resident, to notify the resident of any
breach of the security of the data, as specified.
Florida
H.B.
1189
(Did not pass)
Requires certain persons who maintain computerized data that
contains personal information to notify any state resident whose
unencrypted personal information may have been obtained as result of
security breach; provides for forms of notice; provides exceptions
and alternative forms of notice; provides for delays in notification
in certain circumstances.
S.B.
2684
(Did not pass)
Requires certain persons who maintain computerized data that
contains personal information to notify any state resident whose
unencrypted personal information may have been obtained as result of
security breach; provides for forms of notice; provides for delays
in notification in certain situations.
Idaho
H.B.
555
(Did not pass)
Adds to existing law to provide legislative intent relating to
the protection of personal information; provides for disclosure upon
breach in the security of personal information by certain agencies,
persons and businesses; provides for delayed notification in the
event of certain criminal investigations; provides for means of
notice; provides an exception; and provides certain rights and
remedies for breach in the security of personal information.
Louisiana
S.B.
417
(Did not pass)
Requires businesses to notify customers of a breach of security
of their computerized data.
New Jersey
A.B.
1080
(Carried over to 2005)
Requires that a financial institution that discovers or reasonably
should discover that a consumer’s nonpublic personal information
maintained by the financial institution was compromised in any way
shall promptly notify the consumer of the breach of the security or
confidentiality of the information. In addition to promptly
notifying a consumer of the security compromise, a financial
institution is required to provide assistance to the consumer to
remedy any such compromise; to reimburse the consumer for any losses
the consumer incurred as a result of the compromise of the security
or confidentiality of such information; and to provide information
concerning the manner in which the consumer can obtain
assistance. However, a financial institution may delay
notifying a consumer of the compromise of the security or
confidentiality of the information at the request of a law
enforcement agency investigating such violation for a period
determined by the law enforcement agency performing the
investigation. Additionally, if an issuer of credit receives a
request for an additional credit card for an existing cardholder no
later than 30 days after receiving a change of address for the
cardholder, the issuer of credit is required to notify the
cardholder of the request at the new address and former address no
later than five days after sending the additional card to the new
address. The issuer of credit shall also provide the
cardholder with a means of promptly reporting incorrect
changes. Any violation of this bill shall be punished under
either N.J.S.A.56:11-38 or N.J.S.A.56:11-39, or both.
A.B.
2048
(Carried over to 2005)
Requires a business to take all reasonable steps to destroy
customer records within its control containing personal information
which is no longer to be retained by the business. The customer
records shall be destroyed by shredding, erasing, or otherwise
modifying the personal information to make them unreadable or
undecipherable through any means. In addition, any business that
conducts business in New Jersey and owns or licenses computerized
data that includes personal information must disclose any breach of
the security of the computer system within 15 days to any customer
who is a resident of New Jersey whose unencrypted personal
information was, or is reasonably believed to have been, acquired by
an unauthorized person. However, the disclosure may be delayed if a
law enforcement agency determines that notification will impede a
criminal investigation. Any business that maintains computerized
data that includes personal information that the business does not
own shall notify the owner or licensee of the information of any
breach of the security of the system immediately following
discovery, if the personal information was, or is reasonably
believed to have been, acquired by an unauthorized person. For
purposes of this bill, notice may be written or electronic. If the
business demonstrates that the cost of providing notice would exceed
$250,000, or that the affected class of subject persons to be
notified exceeds 500,000, or the business does not have sufficient
contact information, it may provide substitute notice, which must
consist of all of the following: (1) e-mail notice when the business
has an e-mail address; (2) conspicuous posting of the notice on the
Web site page of the business, if the business maintains one; and
(3) notification to major statewide media. However, a business that
maintains its own notification procedures as part of an information
security policy for the treatment of personal information and is
otherwise consistent with the timing requirements of the bill, shall
be deemed to be in compliance with the notification requirements of
this bill if the business notifies subject persons in accordance
with its policies in the event of a breach of security of the
system. Finally, a violation of any provisions of this bill shall be
an unlawful practice subject to the penalties applicable to a
violation of the consumer fraud law pursuant to N.J.S.A. 56:8-13.
Under N.J.S.A. 56:8-13, any business that violates any of the
provisions of this bill, in addition to any other penalty provided
by law, shall be liable to a penalty of not more than $10,000 for
the first offense and not more than $20,000 for the second and each
subsequent offense.
New York
A.B. 9184 / S.B. 6517
(Did not pass)
Requires any state agency or business which owns or licenses a
computerized database which includes vulnerable personal information
to disclose any breach of security of such system to any resident
of New York state whose unencrypted personal information may have
been acquired by an unauthorized person; provides enforcement
provisions.
A.B. 9431 / S.B. 6615
(Did not pass)
Enacts the Personal Information Protection Act, requiring
disclosure of breaches of security of data systems of business
entities to affected persons; provides for administration by the
Department of State; requires use of best available technology to
detect breaches of security; provides for a private right of action.
A.B. 10295 / S.B. 7121
(Did not pass)
Requires any banking institution that owns or licenses data
that includes personal identifying information to disclose any
breach of security following discovery or notification of such
breach to any person whose personal identification was, or is
reasonably believed to have been, acquired by an unauthorized
person; defines personal identifying information and breach of
security.
A.B. 11012 / S.B. 6739
(Did not pass)
Requires notice to residents when a computerized database
security breach releases personal information.

2003 Legislation
New York
A.B. 9184 / S.B. 6517
(Carried over to 2004)
Requires any state agency or business which owns or licenses a
computerized database which includes vulnerable personal information
to disclose any breach of security of such system to any resident
of New York state whose unencrypted personal information may have
been acquired by an unauthorized person; provides enforcement
provisions.
2002 Legislation
California
A.B. 700
Enacted. Chaptered by secretary of state 9/29/02,
Chapter 1054
Operative July 1, 2003, requires a state agency, or a person or
business that conducts business in California, that owns or licenses
computerized data that includes personal information, as defined, to
disclose, in specified ways, any breach of the security of the data,
as defined, to any resident of California whose unencrypted personal
information was, or is reasonably believed to have been, acquired by
an unauthorized person. Permits the notifications required by
its provisions to be delayed if a law enforcement agency determines
that it would impede a criminal investigation. Requires an
agency, person, or business that maintains computerized data that
includes personal information owned by another to notify the owner
or licensee of the information of any breach of security of the
data, as specified. States the intent of the Legislature to
preempt all local regulation of the subject matter of the
bill. Makes a statement of legislative findings and
declarations regarding privacy and financial security.
NCSL Contact: Pam Greenberg, pam.greenberg at ncsl.org,
NCSL Denver Office, 303-364-7700