Breach of Information

Last update: April 9, 2007

In February 2005, ChoicePoint, a corporation that collects and compiles information that includes personal and financial information on millions of consumers, disclosed that it been the victim of a security breach wherein it had sold personal information of almost 145,000 people to a criminal enterprise.  The company first disclosed the breach only to California residents, as required by California's Notice of Security Breach law (Cal. Civil Code §1798.29), enacted in 2002.  However, the company later disclosed that residents in other states, the District of Columbia and three territories also may have been affected by the ChoicePoint breach.  Numerous other breaches of security at corporations, government agencies, and educational institutions have since been reported.

Thirty-five states have enacted legislation requiring companies and/or state agencies to disclose security breaches involving personal information.  For summaries of legislation and links to the text of statutes and bills, click on the links below.

Security Breach Notification Legislation/Laws

• Security Breach Laws
• 2007 Legislation
• 2006 Legislation
• 2005 Legislation
• 2004, 2003, and 2002 Legislation

Related NCSL Links

• NCSL Identity Theft Web page
• NCSL Financial Privacy Legislation Page
• NCSL Computer Crime Page
• State Legislatures Address Security Breaches, News From the States, Summer 2005
• States Consider Center to Protect IT Infrastructure, News From the States, Fall 2001

Selected External Reports & Resources

• () Recommended Practices on Notice of Security Breach Involving Personal Information by the California Office of Privacy Protection, February 2007

NCSL Contact: Pam Greenberg, pam.greenberg at ncsl.org, NCSL Denver Office, 303-364-7700

     Privacy Home