2007 Breach of Information Legislation
Last update: December 2008
Summary: Bills were introduced in at least 32 states in 2007. See also Security Breach Laws and 2006, 2005, 2004, 2003, and 2002 legislation.
(Links to state web sites for bill text and status information are available here.)
ALABAMA S.B. 114 May 29, 2007; Indefinitely postponed. Provides a procedure for notification of a Breach of security where there is a reasonable belief that computer data containing the personal information of an Alabama resident is disclosed to an unauthorized person; provides limited exceptions to the procedure.
ALASKA H.B. 31 January 16, 2007; To House Committee on Finance. Relates to Breaches of security involving personal information, credit report and credit score security freezes, consumer credit monitoring, credit accuracy, protection of social security numbers, care of records, disposal of records, identity theft, furnishing consumer credit header information, credit cards, and debit cards, and to the jurisdiction of the office of administrative hearings; amends Rule 60, Alaska Rules of Civil Procedure.
H.B. 65 June 18, 2008; Chapter No. 92 Relates to Breaches of security involving personal information, credit report and credit score security freezes, consumer credit monitoring, credit accuracy, protection of social security numbers, care of records, disposal of records, identity theft, furnishing consumer credit header information, credit cards, and debit cards, and to the jurisdiction of the office of administrative hearings; amends Rule 60, Alaska Rules of Civil Procedure.
S.B. 21 January 16, 2007; To Senate Committee on Finance. Relates to Breaches of security involving personal information, credit report and credit score security freezes, consumer credit monitoring, credit accuracy, protection of social security numbers, care of records, disposal of records, identity theft, furnishing consumer credit header information, credit cards, and debit cards, and to the jurisdiction of the office of administrative hearings; amends Rule 60, Alaska Rules of Civil Procedure.
ARKANSAS H.B. 2477 May 1, 2007; Died on House Calendar at Sine Die adjournment. Enhances the protection of personal information; requires notice to a consumer of an unauthorized breach of the consumer's personal information within the past five years.
CALIFORNIA A.B. 779 October 13, 2007; Vetoed by Governor. Amends existing law which imposes certain duties upon persons or businesses to destroy customer records, maintain security, disclose a Breach of security and provide information to a customer regarding disclosure of information to 3rd parties. Prohibits a person, business or public agency that sells goods or services to any state resident and accepts a credit card, debit card, or other payment device, from storing, retaining, sending or failing to limit access to related information. Requires notification.
A.B. 1298 October 14, 2007; Chaptered by Secretary of State. Chapter No. 699 Applies the prohibitions of the Confidentiality of Medical Information Act to any business organized for the purpose of maintaining medical information to allow an individual to manage his or her information or for treatment or diagnosis. Permits a consumer reporting agency to disclose public record information lawfully obtained from an open public record to the extent permitted by law. Adds medical and health insurance information to data that constitutes information that would require Breach disclosure.
A.B. 1656 September 30, 2008; Vetoed by Governor. Prohibits a person or entity that sells goods or services to state residents and accepts payment in the form of a credit card, debit card, or other payment device, from storing, retaining, sending, or failing to limit access to payment-related data or retaining a primary account number or sensitive authentication data. Requires any person or entity that maintains computerized personal information to notify the owner or licensee of the information of any Breach of security of the data immediately.
A.B. 2505 August 30, 2006; In Senate. To Inactive File. Relates to existing law permitting a state agency, or a person or business that conducts business to provide substitute notice, as defined, to any resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person because of a Breach of the security of the data. Defines substitute notice to include notification to the Office of Privacy Protection.
S.B. 364 September 30, 2008; Vetoed by Governor. Amends existing law that requires agencies, persons, or businesses to report Breaches of security of computerized personal information. Requires that notification of those affected include a description of the information acquired and a toll-free number or e-mail address to contact the entity or a credit reporting agency. Provides that if the owner or licensee is the issuer of a credit or debit card or payment device or an agency required to give notice, they must disclose the information in plain language.
S.B. 751 February 4, 2008; In Senate. Returned to Secretary of Senate pursuant to Joint Rule 56. Amends existing law which provides that the jurisdiction of a criminal action for unauthorized use of another's personal identifying information is the county where the theft occurred or where the information was illegally used. Expands that provision to specify that the jurisdiction of a criminal action also includes the county where the victim resides.
S.B. 1512 March 9, 2006; To Senate Committee on Judiciary. Relates to existing law requiring any person or business in the state that owns or licenses computerized data that includes personal information to disclose in specified ways, any Breach of the security of the data to any resident whose unencrypted personal information was acquired by an unauthorized person. Permits substitute notice of Breach to be provided if the person or business demonstrates that the cost would exceed a specified amount.
GEORGIA H.B. 1518 March 6, 2006; To House Committee on Education. Concerns the Local Board of Education; requires written notification of Breach of security.
S.B. 236 May 24, 2007; Act No. 241 Relates to the offense of identity theft; provides for notification by certain data collectors upon a Breach of security regarding personal information; changes certain provisions relating to the elements of the offense of identity fraud; creates the offense of identity fraud by receipt of fraudulent identification information; provides for a victim's right to file a report with a law enforcement agency; modifies certain penalties.
ILLINOIS H.B. 605 March 23, 2007; Rereferred to House Committee on Rules. Amends the Personal Information Protection Act. Defines Breach of the security of the system data or written material. Provides that the notice requirements of the Act apply to Breaches of written material containing personal information. Provides that a data collector shall notify the resident that there has been a Breach of the security of the system data or written material within a reasonable time after the discovery of the Breach of the system data or written material.
H.B. 4449 June 27, 2006; Public Act No. 94-947 Amends the Personal Information Protection Act. Provides that any state agency that collects personal data concerning a state resident and has a Breach of security of the system data shall submit an annual report to the General Assembly listing the Breaches and any corrective measures. Requires notification of the resident. Provides that the notification may be delayed if an appropriate law enforcement agency determines that such notification will interfere with a criminal investigation.
H.B. 5293 February 1, 2006; Tabled by Sponsor. Creates the Financial Institution Credit Watch Services Act. Provides that any financial institution that has suffered a Breach of security concerning personal information shall provide the owner or licensee of the personal information with free credit monitoring services for a period of not less than 6 months, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
S.B. 1675 December 3, 2007; Rereferred to Senate Committee on Rules. Amends the Consumer Fraud and Deceptive Business Practices Act and the Credit Card Liability Act. Provides that, in any transaction in which an individual authorizes a person or entity to make a debit from his or her bank account for the purpose of placing a hold on the account to ensure payment for future services, the person or entity must provide the individual with a written statement that includes a reasonable price quote for the transaction. Relates to identity theft, a security Breach and liability.
S.B. 3040 January 20, 2006; To Senate Committee on Rules. Amends the Personal Information Protection Act. Adds written data to the definition of "Breach of security of the system". Provides that the notification requirements of the Act apply to Breaches of security concerning written data. Provides that any financial institution that has suffered a Breach of security concerning personal information shall provide the owner or licensee of the personal information with free credit watch services for one year.
IOWA H.B. 655 March 7, 2007; In House Committee on PUBLIC SAFETY. Relates to identity theft including providing for the notification of a Breach in the security of computerized data of personal information, allowing a security alert or block on a consumer report, allowing the issuance of an identity theft passport, requiring the deletion of certain records relating to dishonored checks, prohibiting the collection of certain unauthorized debt obligations, and providing for civil remedies and penalties.
H.B. 2107 January 24, 2006; To House Committee on Commerce, Regulation and Labor. To require notification of a Breach of the security of a system of computerized data containing personal information and providing for civil remedies.
H.B. 2484 February 22, 2006; To House Committee on Commerce, Regulation and Labor. Relates to identity theft including providing for the notification of a Breach in the security of computerized data of personal information, allowing a security alert or block on a consumer report, allowing the issuance of an identity theft passport, requiring the deletion of certain records relating to dishonored checks, prohibiting the collection of certain unauthorized debt obligations, requiring the protection and destruction of customer records.
H.S.B. 672 February 14, 2006; To House Committee on Commerce, Regulation and Labor. Requires notice of a Breach of security of a computerized data system containing personal information; provides for civil remedies.
S.S.B. 3019 January 18, 2006; To Senate Committee on Judiciary. Relates to offenses against identity; requires notice of Breach of security of computer data containing personal information; provides a procedure to secure credit information; provides a penalty.
KENTUCKY H.B. 7 March 1, 2007; To Senate Committee on Judiciary. Restricts the uses by businesses of a consumer's social security number and makes a violation subject to the Consumer Protection Act; requires agencies and businesses to give notice to a person whose personal information was acquired in a security Breach; provides the procedures for a right of action for victims; prohibits the use of a person's social security number in documents that are recorded or filed; provides a phishing crime for seeking personal information over the Internet.
MARYLAND H.B. 90 March 20, 2007; From House Committee on ECONOMIC MATTERS: Reported unfavorably. Requires a business to destroy records that contain specified personal information in a specified manner; requires a business that owns or licenses specified personal information to implement and maintain specified security procedures and practices; requires businesses that own or license specified data that include specified personal information to notify specified individuals of a Breach of the security of a system under specified circumstances.
H.B. 123 March 20, 2007; From House Committee on ECONOMIC MATTERS: Reported unfavorably. Requires a business to destroy or arrange for the destruction of records that contain specified personal information in a specified manner; requires a business that compiles, maintains, or makes available specified personal information of an individual residing in the State to implement and maintain specified security procedures and practices; requires businesses to notify specified individuals of a Breach of security of a system.
H.B. 208 May 17, 2007; Chapter No. 532 Requires specified businesses, when destroying a customer's electronic records that contain personal information of the customer, to take specified steps to protect against unauthorized access to or use of the personal information; requires those businesses when they discover or are notified of a Breach of the security of the system to make an investigation related thereto and to notify the individual or individuals concerned thereof; provides exception to notification.
S.B. 194 May 17, 2007; Chapter No. 531 Requires specified businesses, when destroying a customer's records that contain personal information of the customer, to take specified steps to protect against unauthorized access to or use of the personal information under specified circumstances.
S.B. 514 March 12, 2007; From Senate Committee on Finance: Reported unfavorably. Requires specified business and State entities that own, license, or maintain specified records that include specified personal information of an individual residing in the State to notify specified persons of a Breach of the security of a system under specified circumstances; specifies the time at which notification must be given; authorizes notification to be given in a specified manner.
MASSACHUSETTS H.B. 4012 May 9, 2007; Amended on House floor by substitution of New Draft. For further action see H 4018. Relates to security freezes and notification of data Breaches.
H.B. 4018 July 11, 2007; From Conference Committee: Reported by substitution of New Draft. For further action see H 4144. Relates to security freezes and notification of data Breaches.
H.B. 4144 August 2, 2007; Chapter No. 82-2007 Relates to protection of personal information; relates to identity theft, security freezes and notification of data Breaches; relates to consumer report releases of information, personal identification numbers and an identity theft report; relates to the disposition and destruction of records and documents; relates to a Social Security number, medical record, driver license, financial account number, credit or debit card numbers and biometric indicators; provides for property identification.
H.B. 4181 July 26, 2007; Filed as House Docket 4501. (Governor Message) Submits a message from the Governor returning with amendment to House bill 4144 which relates to the protection of personal information, identity theft, security freezes and notification of data Breaches, as well as consumer report releases of information, personal identification numbers, identity theft reports, disposition and destruction of records, and includes Social Security, medical record, driver license, financial account, credit or debit card numbers and biometric indicators.
H.B. 4775 March 20, 2006; To House Committee on Ways and Means. Relates to the protection of personal information; defines personal data as any information concerning an individual which can be readily associated with a particular individual; defines security Breach and defines reasonable measures data receivers should take to protect against a Breach of security. Requires due diligence as relates to third parties and notice of Breach.
S.B. 208 May 7, 2007; From JOINT Committee on Consumer Protection AND PROFESSIONAL LICENSURE: Amended by substitution of New Draft. See H 4012. Relates to security freezes and notification of data Breaches.
S.B. 2235 May 10, 2007; New Text of H 4018. Contains the amended text of the House bill numbered 4018 which relates to security freezes and notification of data Breaches.
MICHIGAN H.B. 6522 September 14, 2006; To House Committee on Judiciary. Creates information privacy and protection act; requires certain notices regarding unauthorized access to personal identifying information; establishes procedures for notice and provides remedies and civil sanctions.
S.B. 1458 September 19, 2006; To Senate Committee on Judiciary. Creates the information privacy and protection act; requires certain notices regarding unauthorized access to personal identifying information; establishes procedures for notice and provides remedies and civil sanctions.
MINNESOTA H.B. 1758 May 21, 2007; Filed with Secretary of State. Chapter No. 108. Relates to commerce; regulates access devices; establishes liability for security Breaches; provides enforcement powers; defines access devices as a card issued by a financial institution that contains a magnetic stripe, microprocessor chip, or other means for storage of information, which includes, but is not limited to, a credit, debit, or stored value card; relates to security Breaches to PIN numbers.
S.B. 1574 May 10, 2007; Indefinitely postponed. See H. B. 1758. Relates to commerce; regulates access devices; establishes liability for security Breaches; provides enforcement powers.
MISSOURI H.B. 377 March 29, 2007; To House Special Committee on Financial Institutions. Changes the laws regarding the release of personal information to unauthorized persons.
MONTANA S.B. 33 April 27, 2007; Died in committee. Requires state and local government agencies to develop procedures regarding social security numbers and to provide notification of a computer security breach of a government agency or third party contracting with government.
NEBRASKA L.B. 876 April 6, 2006; Signed by Governor. Adopts the Financial Data Protection and Consumer Notification of Data Security Breach Act; relates to the Sale of Checks and Funds Transmission Act, the Mortgage Bankers Registration and Licensing Act, the Delayed Deposit Services Licensing Act, installment loans, state-chartered bank loan limits, reorganization of nationally-chartered banks, bankers banks, community development investment, registration under the Securities Act, and powers of banks, building and loan associations and credit unions.
L.B. 917 February 2, 2006; From Legislative Committee on Banking, Commerce, and Insurance: Placed on General File as amended. Relates to financial information; adopts the Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006.
NEW HAMPSHIRE H.B. 1660 June 2, 2006; Chapter No. 242. Requires a person engaged in business in this state to notify consumers of any security Breach that compromises the confidentiality of their personal information.
NEW JERSEY A.B. 259 January 10, 2006; To Assembly Committee on Consumer Affairs. Requires businesses to disclose any Breach of security of computer systems to customers and to destroy certain personal information no longer retained.
A.B. 4413 June 18, 2007; To Assembly Committee on Financial Institutions and Insurance. Prohibits retail sales establishment from storing certain magnetic-stripe data; requires reimbursement for costs incurred by financial institution due to Breach of security.
NEW YORK A.B. 2261 April 20, 2007; Enacting clause stricken. Provides that any person, firm, partnership, association or corporation that collects, owns, maintains or uses personal information shall disclose a Breach of security related to personal information concerning 25 or more residents in the state; provides notification within two business days after learning of the Breach; provides methods for notification; provides steps to be taken to destroy or arrange for the destruction of such information; allows for injunctions and civil penalties for violations.
S.B. 2332 February 2, 2007; To Senate Committee on Consumer Protection. Requires notice to residents when a computerized database security Breach releases personal information.
NORTH CAROLINA H.B. 2883 July 23, 2006; Session Law Number 2006-158 Protects military service members and veterans from identity theft; prohibits a consumer reporting agency from charging any fee to a veteran who has received notification from the United States Department of Veterans Affairs indicating that the veteran's information is, or may be, included in the information involved in the Department of Veterans Affairs' data Breach, first announced on May 22, 2006.
OKLAHOMA H.B. 1633 February 6, 2007; To House Committee on Rules. Relates to technology; relates to disclosure of Breach of security of computerized personal information; expands scope of law; specifies time for notification of Breach of security; expands definition of Breach of security of the system; modifies definitions; adds definitions; provides exception for notification; establishes penalties for failure to provide notice; exempts agencies from penalty; authorizes the Attorney General to enforce the penalties.
OREGON H.B. 2442 January 17, 2007; To House Committee on Consumer Protection. Requires a business that owns, possesses or uses personal information to notify individual when Breach of security that may result in misuse of personal information occurs; requires Department of Consumer and Business Services to establish registry of businesses that own, possess or use personal information; requires business that owns, possesses or uses personal information to provide individual, upon request, with copy of personal information about individual maintained by business.
S.B. 583 August 6, 2007; Chaptered. Chapter No. 759. Requires a person that owns, maintains or possesses a consumer's personal information and uses it in the person's business, vocation, occupation or volunteer activities to notify the consumer following discovery of a Breach of security wherein the security of the personal information was Breached; permits a consumer to place on, or remove from, their consumer report, a security freeze under specified circumstances; relates to the printing of a consumer's Social Security number.
PENNSYLVANIA H.R. 324 July 4, 2008; In House. Removed from table. Memorializes the Congress of the United States to take appropriate action to establish a national baseline standard for the disclosure of security Breaches.
RHODE ISLAND H.B. 5103 February 7, 2007; Scheduled for hearing and/or consideration. Would establish rules of disclosure of personal information about insurers, by businesses to third parties, rules of notification to consumers of Breaches in the security protecting consumer identification information as well as civil penalties and damages for violation of the disclosure and notification rules. This act would take effect upon passage.
H.B. 5223 February 7, 2007; In House Committee on Corporations: Committee recommends measure to be held for further study. Establishes rules of disclosure of personal information about insurers, by businesses to third parties; concerns rules of notification to consumers of Breaches in the security protecting consumer identification information; concerns civil penalties and damages for violation of the disclosure and notification rules.
H.B. 6835 July 10, 2006; Vetoed by Governor. Establishes rules of disclosure of personal information about insurers, by businesses to third parties, rules of notification to consumers of Breaches in the security protecting consumer identification information as well as civil penalties and damages for violation of the disclosure and notification rules.
S.B. 464 March 29, 2007; In Senate Committee on Judiciary: Committee recommends measure to be held for further study. Would establish rules of disclosure of personal information about insurers, by businesses to third parties, rules of notification to consumers of Breaches in the security protecting consumer identification information as well as civil penalties and damages for violation of the disclosure and notification rules. This act would take effect upon passage.
S.B. 2225 April 6, 2006; In Senate Committee on Judiciary: Committee recommends measure to be held for further study. Establishes rules of disclosure of personal information about insurers, by businesses to third parties, rules of notification to consumers of Breaches in the security protecting consumer identification information as well as civil penalties and damages for violation of the disclosure and notification rules.
S.B. 2998 April 4, 2006; Resolution No. 2006-177, (Resolution) Requests the Office of Drinking Water Quality to address the Breaches in security affecting the State's drinking water supplies.
SOUTH CAROLINA H.B. 3035 January 9, 2007; To House Committee on Judiciary. Enacts the Identity Theft Protection Act; provides for protections in connection with consumer credit-reporting agencies and with the use and communication of a consumer's social security number, imposition of a security freeze on a consumer's credit report and disclosure of unauthorized access; prohibits requiring the use of personal identifying information on a mortgage.
S.B. 8 January 9, 2007; To Senate Committee on Banking and Insurance. Enacts the Financial Identity Fraud and Identity Theft Protection Act; relates to consumer credit-reporting agencies, social security numbers, security freezes, and disclosure of unauthorized access to personal identifying information; relates to attorney fees, mortgage records, household garbage, and credit or debit card receipts.
TENNESSEE H.B. 3619 March 17, 2006; In House Committee on Consumer and Employee Affairs: Referred to Subcommittee on Consumer Affairs. Concerns privacy and confidentiality; requires public and private entities to disclose any Breach of the security of personal consumer information.
S.B. 3425 February 22, 2006; To Senate Committee on Commerce, Labor and Agriculture. Concerns Privacy, Confidentiality; requires public and private entities to disclose any Breach of the security of personal consumer information.
TEXAS H.B. 1262 February 14, 2007; To House Committee on Business and Industry. Relates to civil liability for the Breach of security of certain computerized data containing sensitive personal information.
S.B. 223 January 30, 2007; To Senate Committee on Business and Commerce. Relates to a loss of computerized data or Breach of computer security involving sensitive personal information.
VERMONT H.B. 261 February 8, 2007; To House Committee on Commerce. Relates to commerce and trade, consumer protection and personal information; amends the security Breach law so that it applies to all acquisition of or access to personal information; does not include a person authorized by the data collector when the personal information is accessible only through use of an access code, password or other security measures.
H.B. 792 January 31, 2006; To House Committee on Commerce. Requires any data collector of personal information of a Vermont resident to disclose to an individual if there was an unauthorized acquisition or access to the individual's personal information that the collector owns or is using. Notice would not be required if the data collector establishes that the misuse of the personal information is not reasonably possible and the data collector so notifies the attorney general or the department of banking, insurance, securities, and health care administration.
S.B. 240 May 9, 2008; Act No. 140 Repeals the sunset of the law enforcement exemption to the Social Security Breach Notice Act; amends the repeal date.
S.B. 284 May 18, 2006; Act No. 162 Requires any data collector of personal information to disclose to an individual if there was an unauthorized acquisition or access to the individual's personal information that the collector owns or is using; provides that notice would not be required if the data collector establishes that the misuse of the personal information is not reasonably possible, and the data collector notifies the attorney general or the department of banking, insurance, securities, and health care administration.
VIRGINIA H.B. 3148 January 29, 2007; In House Committee on Science and Technology: Tabled. Relates to the Compromised Data Disclosure Act.
S.B. 1224 February 6, 2007; Left in committee. Relates to database breach notification.
H.B. 2140 February 1, 2007; In House Committee on Commerce and Labor: Tabled. Requires an individual or a commercial entity that owns or licenses computerized data that includes personal information to conduct in good faith a reasonable and prompt investigation when it becomes aware of a Breach of the security of the system; contains alternative notification provisions.
H.B. 2600 January 25, 2007; In House Committee on Commerce and Labor: Tabled. Relates to personal information privacy; relates to protection of disposed records; provides for penalty; requires businesses to take all reasonable measures to protect against unauthorized access to or use of personal information in connection with or after its disposal; refers to reasonable measures that include policies and procedures requiring the burning, pulverizing or shredding of papers containing personal information.
WASHINGTON S.B. 5341 January 17, 2007; To Senate Committee on Consumer Protection and Housing. Specifies penalties for harm caused by Breaches of security that compromise personal information; provides that a court may award damages up to the actual amount of economic damages or five hundred dollars, whichever is greater; provides a violation constitutes an unfair or deceptive practice in violation of chapter 19.86 RCW.
S.B. 5853 February 22, 2007; From Senate Committee on Financial Institutions and Insurance: Do pass. Clarifies that victims of identity theft who are notified of a security Breach are not required to submit a valid police report for the purposes of placing a security freeze.
S.B. 6665 January 18, 2006; To Senate Committee on Financial Institutions, Housing and Consumer Protection. Aids victims of personal information security Breaches.
WEST VIRGINIA H.B. 2175 January 16, 2007; To House Committee on Judiciary. Relates to the unauthorized acquisition of data that compromises the security, confidentiality, or integrity of personal information maintained by the data collector.
WYOMING S.B. 53 March 1, 2007; Chapter No. 162 Relates to consumer protection; provides for notice to consumers affected by breaches of consumer information databases; authorizes consumers to prohibit release of information maintained by credit rating agencies; provides definitions; provides exceptions.
S.B. 65 February 9, 2007; Died in Committee. Relates to consumer protection; provides for notice to consumers affected by breaches of consumer information databases, as specified; authorizes consumers to prohibit release of information maintained by credit rating agencies, as specified; provides definitions; provides exceptions.
NCSL Contact: Pam Greenberg, NCSL Denver Office, pam.greenberg@ncsl.org, 303-364-7700, ext. 1413