National Conference of State Legislatures - The Forum for America's Ideas

2004, 2003, and 2002 Breach of Information Legislation

Last update: February 10, 2006

In February 2005, ChoicePoint, a corporation that collects and compiles information that includes personal and financial information on millions of consumers, disclosed that it had been the victim of a security breach wherein it had sold personal information of almost 145,000 people to a criminal enterprise.  The company first disclosed the breach only to California residents, as required by California's Notice of Security Breach law, enacted in 2002.  However, the company later disclosed that residents in other states, the District of Columbia and three territories also may have been affected by the ChoicePoint breach.

Since these disclosures, additional states have introduced legislation requiring that companies and/or state agencies disclose to consumers security breaches involving personal information.  NCSL's Identity Theft Web page has additional information on related legislation.

Summary: Legislation was considered in at least 6 states in 2004.  (See also 2006, 2005, 2003, and 2002 legislation.)

 

2004 Legislation

California
S.B. 1279
(Did not pass)
Requires an agency, or a person or business conducting business in California, that possesses any data that includes the personal information of a California resident, to notify the resident of any breach of the security of the data, as specified.

Florida
H.B. 1189
(Did not pass)
Requires certain persons who maintain computerized data that contains personal information to notify any state resident whose unencrypted personal information may have been obtained as a result of a security breach; provides for forms of notice; provides exceptions and alternative forms of notice; provides for delays in notification in certain circumstances.

S.B. 2684
(Did not pass)
Requires certain persons who maintain computerized data that contains personal information to notify any state resident whose unencrypted personal information may have been obtained as a result of a security breach; provides for forms of notice; provides for delays in notification in certain situations.

Idaho
H.B. 555
(Did not pass)
Adds to existing law to provide legislative intent relating to the protection of personal information; provides for disclosure upon breach in the security of personal information by certain agencies, persons and businesses; provides for delayed notification in the event of certain criminal investigations; provides for means of notice; provides an exception; and provides certain rights and remedies for breach in the security of personal information.

Louisiana
S.B. 417
(Did not pass)
Requires businesses to notify customers of a breach of security of their computerized data.

New Jersey
A.B. 1080
(Carried over to 2005)
Requires that a financial institution that discovers or reasonably should discover that a consumer's nonpublic personal information maintained by the financial institution was compromised in any way shall promptly notify the consumer of the breach of the security or confidentiality of the information.  In addition to promptly notifying a consumer of the security compromise, a financial institution is required to provide assistance to the consumer to remedy any such compromise; to reimburse the consumer for any losses the consumer incurred as a result of the compromise of the security or confidentiality of such information; and to provide information concerning the manner in which the consumer can obtain assistance.  However, a financial institution may delay notifying a consumer of the compromise of the security or confidentiality of the information at the request of a law enforcement agency investigating such violation for a period determined by the law enforcement agency performing the investigation.  Additionally, if an issuer of credit receives a request for an additional credit card for an existing cardholder no later than 30 days after receiving a change of address for the cardholder, the issuer of credit is required to notify the cardholder of the request at the new address and former address no later than five days after sending the additional card to the new address.  The issuer of credit shall also provide the cardholder with a means of promptly reporting incorrect changes.  Any violation of this bill shall be punished under either N.J.S.A. 56:11-38 or N.J.S.A. 56:11-39, or both.

A.B. 2048
(Carried over to 2005)
Requires a business to take all reasonable steps to destroy customer records within its control containing personal information which is no longer to be retained by the business. The customer records shall be destroyed by shredding, erasing, or otherwise modifying the personal information to make them unreadable or undecipherable through any means. In addition, any business that conducts business in New Jersey and owns or licenses computerized data that includes personal information must disclose any breach of the security of the computer system within 15 days to any customer who is a resident of New Jersey whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. However, the disclosure may be delayed if a law enforcement agency determines that notification will impede a criminal investigation. Any business that maintains computerized data that includes personal information that the business does not own shall notify the owner or licensee of the information of any breach of the security of the system immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person. For purposes of this bill, notice may be written or electronic. If the business demonstrates that the cost of providing notice would exceed $250,000, or that the affected class of subject persons to be notified exceeds 500,000, or the business does not have sufficient contact information, it may provide substitute notice, which must consist of all of the following: (1) e-mail notice when the business has an e-mail address; (2) conspicuous posting of the notice on the Web site page of the business, if the business maintains one; and (3) notification to major statewide media. 
However, a business that maintains its own notification procedures as part of an information security policy for the treatment of personal information, and is otherwise consistent with the timing requirements of the bill, shall be deemed to be in compliance with the notification requirements of this bill if the business notifies subject persons in accordance with its policies in the event of a breach of security of the system. Finally, a violation of any provision of this bill shall be an unlawful practice subject to the penalties applicable to a violation of the consumer fraud law pursuant to N.J.S.A. 56:8-13. Under N.J.S.A. 56:8-13, any business that violates any of the provisions of this bill, in addition to any other penalty provided by law, shall be liable to a penalty of not more than $10,000 for the first offense and not more than $20,000 for the second and each subsequent offense.

New York
A.B. 9184 / S.B. 6517
(Did not pass)
Requires any state agency or business that owns or licenses a computerized database that includes vulnerable personal information to disclose any breach of security of such system to any resident of New York state whose unencrypted personal information may have been acquired by an unauthorized person; provides enforcement provisions.

A.B. 9431 / S.B. 6615
(Did not pass)
Enacts the Personal Information Protection Act, requiring disclosure of breaches of security of data systems of business entities to affected persons; provides for administration by the Department of State; requires use of best available technology to detect breaches of security; provides for a private right of action.

A.B. 10295 / S.B. 7121
(Did not pass)
Requires any banking institution that owns or licenses data that includes personal identifying information to disclose any breach of security following discovery or notification of such breach to any person whose personal identification was, or is reasonably believed to have been, acquired by an unauthorized person; defines personal identifying information and breach of security.

A.B. 11012 / S.B. 6739
(Did not pass)
Requires notice to residents when a computerized database security breach releases personal information.


2003 Legislation

New York
A.B. 9184 / S.B. 6517
(Carried over to 2004)
Requires any state agency or business that owns or licenses a computerized database that includes vulnerable personal information to disclose any breach of security of such system to any resident of New York state whose unencrypted personal information may have been acquired by an unauthorized person; provides enforcement provisions.

2002 Legislation

California
A.B. 700
Enacted.  Chaptered by Secretary of State 9/29/02, Chapter 1054
Operative July 1, 2003, requires a state agency, or a person or business that conducts business in California, that owns or licenses computerized data that includes personal information, as defined, to disclose in specified ways, any breach of the security of the data, as defined, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.  Permits the notifications required by its provisions to be delayed if a law enforcement agency determines that it would impede a criminal investigation.  Requires an agency, person, or business that maintains computerized data that includes personal information owned by another to notify the owner or licensee of the information of any breach of security of the data, as specified.  States the intent of the Legislature to preempt all local regulation of the subject matter of the bill.  Makes a statement of legislative findings and declarations regarding privacy and financial security.

NCSL Contact: Pam Greenberg, pam.greenberg at ncsl.org, NCSL Denver Office, 303-364-7700

©2009 National Conference of State Legislatures.  All Rights Reserved.