2008 Breach of Information Legislation
Last update: December 2, 2008
Summary: Bills were introduced in at least 26 states in 2008. See also Security Breach Laws and 2007, 2006, 2005, 2004, 2003, and 2002 legislation.
(Links to state web sites for bill text and status information are available here.)
ALABAMA
H.B. 542
February 21, 2008; To House Committee on Government Appropriations.
Provides a procedure for notification of a breach of security where computer data containing the personal information of an Alabama resident is disclosed to an unauthorized person; provides limited exceptions; requires standards for the storage and protection of computer data containing personal information; provides for limited liability for breaches.
H.B. 816
April 3, 2008; To House Committee on Commerce.
Provides a procedure for notification of a breach of security where computer data containing the personal information of an Alabama resident is disclosed to an unauthorized person; provides limited exceptions; requires standards for the storage and protection of computer data containing personal information; provides for limited liability for breaches.
S.B. 90A
May 27, 2008; To Senate Committee on Governmental Affairs.
Provides a procedure for notification of a breach of security where computer data containing the personal information of an Alabama resident is disclosed to an unauthorized person; provides limited exceptions; requires standards for the storage and protection of computer data containing personal information; provides for limited liability for breaches.
S.B. 382
February 19, 2008; To Senate Committee on Governmental Affairs.
Provides a procedure for notification of a breach of security where computer data containing the personal information of an Alabama resident is disclosed to an unauthorized person; provides limited exceptions; requires standards for the storage and protection of computer data containing personal information; provides for limited liability for breaches.
S.B. 489
March 25, 2008; To Senate Committee on Governmental Affairs.
Provides a procedure for notification of a breach of security where computer data containing the personal information of an Alabama resident is disclosed to an unauthorized person; provides limited exceptions; requires standards for the storage and protection of computer data containing personal information; provides for limited liability for breaches.
S.B. 544
March 27, 2008; To Senate Committee on Governmental Affairs.
Provides a procedure for notification of a breach of security where computer data containing the personal information of an Alabama resident is disclosed to an unauthorized person; provides limited exceptions; requires standards for the storage and protection of computer data containing personal information; provides for limited liability for breaches.
ALASKA
H.B. 65
June 18, 2008; Chapter No. 92
Relates to breaches of security involving personal information, credit report and credit score security freezes, consumer credit monitoring, credit accuracy, protection of social security numbers, care of records, disposal of records, identity theft, furnishing consumer credit header information, credit cards, and debit cards, and to the jurisdiction of the office of administrative hearings; amends Rule 60, Alaska Rules of Civil Procedure.
S.C.R. 35
April 12, 2008; Passed House.
Suspends Rules 24(c), 35, 41(b), and 42(e), Uniform Rules of the Alaska State Legislature, concerning House Bill No. 65, relating to breaches of security involving personal information, credit report and credit score security freezes, protection of social security numbers, care of records, disposal of records, identity theft, credit cards, and debit cards, and to the jurisdiction of the office of administrative hearings.
ARIZONA
S.B. 1218
April 14, 2008; Chapter No. 28
Provides that any collection, maintenance or disclosure of pupil educational records compiled by the Department of Education in an educational database of pupil records shall comply with the Family Educational and Privacy Rights Act; provides rules for the manner in which the database shall be maintained to protect it from security breaches and identity theft.
CALIFORNIA
A.B. 779
October 13, 2007; Vetoed by Governor.
Amends existing law which imposes certain duties upon persons or businesses to destroy customer records, maintain security, disclose a breach of security and provide information to a customer regarding disclosure of information to 3rd parties. Prohibits a person, business or public agency that sells goods or services to any state resident and accepts a credit card, debit card, or other payment device, from storing, retaining, sending or failing to limit access to related information. Requires notification.
A.B. 1298
October 14, 2007; Chaptered by Secretary of State. Chapter No. 699
Applies the prohibitions of the Confidentiality of Medical Information Act to any business organized for the purpose of maintaining medical information to allow an individual to manage his or her information or for treatment or diagnosis. Permits a consumer reporting agency to disclose public record information lawfully obtained from an open public record to the extent permitted by law. Adds medical and health insurance information to data that constitutes information that would require breach disclosure.
A.B. 1656
September 30, 2008; Vetoed by Governor.
Prohibits a person or entity that sells goods or services to state residents and accepts payment in the form of a credit card, debit card, or other payment device, from storing, retaining, sending, or failing to limit access to payment-related data or retaining a primary account number or sensitive authentication data. Requires any person or entity that maintains computerized personal information to notify the owner or licensee of the information of any breach of security of the data immediately.
A.B. 1779
June 24, 2008; In Senate Committee on Judiciary: Not heard.
Prohibits a person or entity that sells goods or services and accepts as payment a credit card, debit card, or other payment device from storing or limiting the access to payment-related data, unless a specified exemption applies. Requires the notification by a person or entity to the owner or licensee of information that is subject to a security breach to include specified information. Requires the notice to be also provided to the Office of Information Security and Privacy Protection.
A.B. 2362
May 29, 2008; To Senate Committee on Judiciary.
Requires an agency, when collecting personal information from a resident, to provide notice to the resident that his or her personal information is being handled in a secure manner that guards against unauthorized disclosure and, in the event of a breach of the security of the system, to provide timely and appropriate notice.
S.B. 364
September 30, 2008; Vetoed by Governor.
Amends existing law that requires agencies, persons, or businesses to report breaches of security of computerized personal information. Requires that notification of those affected include a description of the information acquired and a toll-free number or e-mail address to contact the entity or a credit reporting agency. Provides that if the owner or licensee is the issuer of a credit or debit card or payment device or an agency required to give notice, they must disclose the information in plain language.
S.B. 751
February 4, 2008; In Senate. Returned to Secretary of Senate pursuant to Joint Rule 56.
Amends existing law which provides that the jurisdiction of a criminal action for unauthorized use of another's personal identifying information is the county where the theft occurred or where the information was illegally used. Expands that provision to specify that the jurisdiction of a criminal action also includes the county where the victim resides.
GEORGIA
S.B. 236
May 24, 2007; Act No. 241
Relates to the offense of identity theft; provides for notification by certain data collectors upon a breach of security regarding personal information; changes certain provisions relating to the elements of the offense of identity fraud; creates the offense of identity fraud by receipt of fraudulent identification information; provides for a victim's right to file a report with a law enforcement agency; modifies certain penalties.
HAWAII
S.B. 2803
July 8, 2008; Governor's veto overridden by House.
Implements recommendations of the report of the Identity Theft Task Force to protect the security of personal information collected and maintained by the State and county governments; requires agencies to designate an employee to have policy and oversight responsibilities for the protection of personal information; establishes the Information and Privacy Security Council; establishes policies related to social security numbers, security breaches, laptop security, and contracted third party information use.
ILLINOIS
H.B. 605
March 23, 2007; Rereferred to House Committee on Rules.
Amends the Personal Information Protection Act. Defines breach of the security of the system data or written material. Provides that the notice requirements of the Act apply to breaches of written material containing personal information. Provides that a data collector shall notify the resident that there has been a breach of the security of the system data or written material within a reasonable time after the discovery of the breach of the system data or written material.
H.B. 5311
April 16, 2008; In House. Tabled.
Amends the Electronic Funds Transfer Act. Relates to breaches of system security. Provides that an access device contains a magnetic stripe, microprocessor chip or other means of storing information on a credit card, debit card or stored value card. Prohibits a person from retaining card security code data, the PIN number or the full contents of electronic track data. Provides for reimbursement to the financial institution that issued the access devices when there is a breach of security.
S.B. 1675
December 3, 2007; Rereferred to Senate Committee on Rules.
Amends the Consumer Fraud and Deceptive Business Practices Act and the Credit Card Liability Act. Provides that, in any transaction in which an individual authorizes a person or entity to make a debit from his or her bank account for the purpose of placing a hold on the account to ensure payment for future services, the person or entity must provide the individual with a written statement that includes a reasonable price quote for the transaction. Relates to identity theft, a security breach and liability.
INDIANA
H.B. 1197
March 24, 2008; Public Law No. 136.
Authorizes the attorney general to initiate a program to educate consumers of risks posed by a security breach; provides, for purposes of the law requiring the disclosure of a breach of the security of a system, that the unauthorized acquisition of a portable electronic device on which personal information is stored does not constitute a breach of the security of a system if the contents of the portable electronic device are encrypted and if the encryption key is not compromised.
IOWA
H.B. 655
March 7, 2007; In House Committee on Public Safety
Relates to identity theft including providing for the notification of a breach in the security of computerized data of personal information, allowing a security alert or block on a consumer report, allowing the issuance of an identity theft passport, requiring the deletion of certain records relating to dishonored checks, prohibiting the collection of certain unauthorized debt obligations, and providing for civil remedies and penalties.
H.B. 2353
February 27, 2008; In House Committee on Judiciary
Relates to offenses against identity, by specifying a procedure to secure credit information, providing for the notification of a breach in the security of computerized data, and providing penalties.
H.B. 2517
March 13, 2008; In House Committee on State Government
Relates to the protection of personal information; specifies notice procedures following a breach of security; provides a penalty.
S.B. 2308
September 10, 2008; Chapter No. 2007-1154
Requires any person who owns or licenses computerized data that includes a consumer's personal information that was subject to a breach of security to give notice of the breach of security following discovery of such breach; provides exceptions; requests the establishment of an interim study committee to assess and review the extent to which public officials, entities, and affiliated organizations in possession of personal information of a state resident are disclosing such information for compensation.
H.S.B. 617
February 6, 2008; In House Committee on State Government
Relates to protection of personal information and notice procedures following a breach of security.
H.S.B. 721
February 27, 2008; In House Committee on Commerce
Relates to identity theft; provides for the notification of a breach in the security of computerized data that includes personal information; establishes a business duty to safeguard personal information against a breach of security; provides penalties.
S.S.B. 3116
February 4, 2008; In Senate Committee on State Government
Relates to protection of personal information and notice procedures following a breach of security.
S.S.B. 3183
February 15, 2008; In Senate Committee on Commerce
Concerns a study bill for an act relating to identity theft; provides for the notification of a breach in security of computerized data that includes personal information; establishes a business duty to safeguard personal information against a breach of security.
S.S.B. 3200
March 5, 2008; In Senate. Becomes Senate File 2308.
Relates to identity theft, including providing for the notification of a breach in the security of computerized data that includes personal information, establishing a business duty to safeguard personal information against a breach of security.
KENTUCKY
H.B. 553
March 26, 2008; To Senate Committee on Judiciary.
Requires a business to give specified notice to a person whose personal information was acquired in a security breach with certain exceptions; requires a business to take certain measures to safeguard against breaches; declares that provisions regarding business use of Social Security numbers, security breach notices and safeguarding against security breaches do not limit the power to enforce criminal or civil statutes or the right to bring civil actions.
H.B. 591
March 4, 2008; Posted in committee.
Restricts certain uses by agencies of a person's Social Security number; prohibits the inclusion of a person's Social Security number in documents filed or recorded with an agency; establishes a procedure to request redaction of a Social Security number shown in official records on an agency's Internet Web site to certain exceptions; delays the effective date to July 1, 2009; requires an agency to give notice to a person whose personal information was acquired in a security breach.
MAINE
H.B. 1479
April 16, 2008; Public Law No. 626
Revises the listing of the data elements that are considered personal information to be consistent with current state law concerning data breaches; allows an individual to request that that individual's personal information included in a document recorded with a register of deeds and available on the registry's publicly accessible website be redacted from the record available online.
H.B. 1519
March 14, 2008; Resolve No. 152
Directs the Department of Professional and Financial Regulation, Bureau of Financial Institutions to study the effect of data security breaches on banks and credit unions in the State; includes damages suffered as a result of these breaches, costs and the response of financial institutions to such breaches.
MASSACHUSETTS
H.B. 4930
July 24, 2008; In House. Ordered to third reading.
Relates to identity theft protection; amends provisions regarding encrypted information, the likelihood of fraud, personal information, inconvenience to any resident and terms related to unauthorized acquisition or use of personal information.
MICHIGAN
S.B. 1022
January 22, 2008; To Senate Committee on Banking and Financial Institutions.
Requires encryption of certain computerized data and provides remedy to depository institutions for security breaches.
MINNESOTA
H.B. 1758
May 21, 2007; Filed with Secretary of State. Chapter No. 108
Relates to commerce; regulates access devices; establishes liability for security breaches; provides enforcement powers; defines access devices as a card issued by a financial institution that contains a magnetic stripe, microprocessor chip, or other means for storage of information which includes, but is not limited to, a credit, debit, or stored value card; relates to security breaches to pin numbers.
S.B. 1574
May 10, 2007; Indefinitely postponed. See H.B. 1758.
Relates to commerce; regulates access devices; establishes liability for security breaches; provides enforcement powers.
MISSISSIPPI
H.B. 864
March 18, 2008; Died in committee.
Relates to breach of security when unauthorized access to or acquisition of electronic files, media, databases or computerized data containing personal information such as social security numbers, credit or debit card numbers, driver's license numbers when access to the personal information has not been secured by encryption or by any other method or technology; requires notice unless it will impede a criminal investigation.
H.B. 1383
February 19, 2008; Died in committee.
Relates to electronic payments; provides that policies established for the handling of electronic payments by State Agencies, Counties and Municipalities must comply with the payment card industry data security standards, include appropriate measures for the disposal of personal information and provide protection from security breaches.
H.B. 1408
March 18, 2008; Died in committee.
Relates to computer crimes and identity theft; provides for destruction of personal information records and protection from security breaches.
S.B. 3005
February 19, 2008; Died in committee.
Relates to breach of security; requires notice.
MISSOURI
H.B. 2162
April 3, 2008; To House Special Committee on Financial Institutions.
Establishes laws for the prevention of and protection from security breaches.
NEW JERSEY
A.B. 2220
February 25, 2008; To Assembly Committee on Judiciary.
Creates offenses pertaining to unauthorized use of confidential information; relates to websites which fraudulently obtain and sell private information including telephone records; makes it a crime for a person to provide confidential information to a third party if such party is not authorized to request the information; requires a custodian of confidential information to notify a person if confidential information has been accessed by unauthorized persons or in the event of a security breach.
A.B. 2270
February 26, 2008; To Assembly Committee on Financial Institutions and Insurance.
Prohibits retail sales establishment from storing certain magnetic-stripe data; requires reimbursement for costs incurred by financial institution due to breach of security.
A.B. 2450
March 3, 2008; To Assembly Committee on Consumer Affairs.
Enhances duty and broadens liability concerning security of personal information; responses to breach of security, under Identity Theft Prevention Act.
A.B. 4413
June 18, 2007; To Assembly Committee on Financial Institutions and Insurance.
Prohibits retail sales establishment from storing certain magnetic-stripe data; requires reimbursement for costs incurred by financial institution due to breach of security.
NEW YORK
A.B. 2261
April 20, 2007; Enacting clause stricken.
Provides that any person, firm, partnership, association or corporation that collects, owns, maintains or uses personal information shall disclose a breach of security related to personal information concerning 25 or more residents in the state; provides notification within two business days after learning of the breach; provides methods for notification; provides steps to be taken to destroy or arrange for the destruction of such information; allows for injunctions and civil penalties for violations.
S.B. 2332
February 2, 2007; To Senate Committee on Consumer Protection.
Requires notice to residents when a computerized database security breach releases personal information.
S.B. 7355
June 24, 2008; To Senate Committee on Rules.
Relates to the information security breach and notification act.
OKLAHOMA
H.B. 2245
May 28, 2008; Chapter No. 86
Relates to identity theft and Security Breach Notification Act; provides an individual or entity that owns or licenses computerized data that includes personal information shall disclose breach following discovery; provides breach must be disclosed if encrypted information is accessed and acquired in unencrypted form; provides notice may be delayed if a law enforcement agency determines that notice will impede a criminal or civil investigation or homeland or national security.
PENNSYLVANIA
H.R. 324
July 4, 2008; In House. Removed from table.
Memorializes the Congress of the United States to take appropriate action to establish a national baseline standard for the disclosure of security breaches.
TENNESSEE
H.B. 3860
March 25, 2008; From House Committee on Consumer and Employee Affairs: Recommend passage.
Prohibits fees for imposing or removing a credit freeze on a consumer when the consumer has been a victim of a breach of an information holder's security system.
S.B. 3269
January 23, 2008; To Senate Committee on Commerce, Labor and Agriculture.
Concerns Consumer Protection; prohibits fees for imposing or removing a credit freeze on a consumer when the consumer has been a victim of a breach of an information holder's security system.
UTAH
H.B. 468
March 5, 2008; Enacting clause struck.
Modifies the Consumer Credit Protection Act to address costs related to security breaches and access devices; requires that certain transactional information not be retained; requires the payment of costs of a security breach under certain circumstances; provides for a cause of action for failure to pay.
VERMONT
S.B. 240
May 9, 2008; Act No. 140
Repeals the sunset of the law enforcement exemption to the Social Security Breach Notice Act; amends the repeal date.
VIRGINIA
H.B. 1052
February 4, 2008; From House Committee on Science and Technology: Reported as substituted, see H 1469.
Requires any entity doing business in the state that owns or licenses personal information to conduct an investigation upon discovery of a security breach and to notify the Attorney General; allows recovery of direct economic damages.
H.B. 1504
February 4, 2008; From House Committee on Science and Technology: Reported as substituted, see H 1469.
Creates the Compromised Data Notification Act, which, following discovery or notification of a breach of security system, requires a state agency that owns or licenses computerized data that includes personal information to provide notice of the breach to all residents whose unencrypted personal information was or is reasonably believed to have been acquired by an unauthorized person.
S.B. 307
March 31, 2008; Acts of Assembly. Chapter No. 566.
Provides that if unencrypted or unredacted personal information was accessed and acquired by an unauthorized person and causes identity theft or another fraud to any resident of the state, an entity that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach of the security of the system to the Office of the Attorney General; provides that the Attorney General may impose a civil penalty.
WASHINGTON
H.B. 2838
February 19, 2008; To Senate Committee on Financial Institutions and Insurance.
Regulates retention of personal information associated with access devices; requires any person or business that conducts business in this state or that owns or licenses computerized data that includes consumer personal information to disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to Washington state residents.
S.B. 6425
January 16, 2008; To Senate Committee on Financial Institutions and Insurance.
Requires any person or business including financial institutions that conduct business in this state or that owns or licenses computerized data that includes consumer personal information to disclose any breach of the security system following discovery or notification of the breach in the security of the data to state residents whose unencrypted personal information was or is reasonably believed to have been acquired by an unauthorized person.
WEST VIRGINIA
H.B. 2175
January 9, 2008; To House Committee on Judiciary.
Relates to the unauthorized acquisition of data that compromises the security, confidentiality, or integrity of personal information maintained by the data collector; requires notification to a consumer of any breach of consumer information security; requires certain actions by data collectors with respect to breach of security; provides civil penalties for violations.
S.B. 241
January 17, 2008; To Senate Committee on Judiciary.
Requires consumers' notification of information security breach.
S.B. 340
April 8, 2008; Act No. 2008-37
Provides that any data collector that owns or uses personal information in any form, whether computerized, paper or otherwise, that includes personal information concerning a resident shall notify the resident that there has been a breach of the security; provides that the data collector shall provide free credit reports to the consumers; provides civil penalties for violations.
NCSL Contact: Pam Greenberg, NCSL Denver Office, pam.greenberg@ncsl.org, 303-364-7700, ext. 1413