
2005 Enacted Financial Privacy Legislation

December 20, 2005

State: Bill Summary:
Arkansas

S.B. 1167
Signed by governor 4/4/05, Act 1526
Creates the Personal Information Protection Act; provides notice to consumers of the disclosure of their personal information.

California 

S.B. 460
Signed by governor 9/22/05, Chapter 259
Existing law prohibits offenders who are confined in county facilities, or the Department of Corrections and Rehabilitation for specified offenses, from performing work that would give them access to the personal information of private persons, as specified.  This bill precludes any offender confined in a county facility, or the Department of Corrections from gaining access to personal information, as specified.

Colorado 

S.B. 137
Signed by governor 6/1/05, Chapter 226
Permits a consumer to put a security freeze on his or her credit report.  Allows the consumer to temporarily lift the freeze to allow a particular entity access to the credit report for the purpose of issuing or extending credit to the consumer.  Requires the freeze to be maintained until the consumer specifically requests its removal.  Requires that a consumer be notified of the right to place a security freeze on his or her credit report each time the consumer receives a summary of the rights relating to credit reports.  Compels a consumer reporting agency to notify the consumer within five days after releasing credit information that was in violation of a security freeze.  Allows a consumer who had credit information released in violation of a security freeze to bring a private civil right of action against the consumer reporting agency that released the information in violation of the security freeze.  Prohibits a consumer reporting agency from furnishing a consumer's credit header to someone who does not have a permissible basis to obtain the consumer credit header.

Connecticut 

H.B. 6831
Signed by governor 5/19/05, Act 05-62
Specifically provides that the state statutes concerning financial privacy do not prevent 1) the disclosure of information to information networks accessed by financial institutions, other commercial enterprises and law enforcement authorities for the purpose of detecting or preventing against fraud, and 2) disclosures made to a victim of identity theft pursuant to the federal Fair Credit Reporting Act.

Delaware 

H.B. 116
Signed by governor 7/12/05, Chapter 61
Helps ensure that personal information about Delaware residents is protected by encouraging data brokers to provide reasonable security for personal information.  Requires an individual or a commercial entity that conducts business in Delaware and that owns or licenses computerized data that includes personal information to notify a resident of Delaware of any breach of the security of the system immediately following the discovery of a breach in the security of personal information of the Delaware resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.  Notification must be made in good faith, in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system.  Alternative notification procedures are provided in §12B-103.  In a civil action to recover damages (for example, losses due to identity theft), the award is triple the amount of actual damages plus reasonable attorney fees.  A violation of this Act falls under the enforcement duties and powers of the Consumer Protection Division of the Department of Justice, which may bring an action in law or equity to address violations of the Act and other appropriate relief.  The provisions of this Act do not nullify or impair any common law or statutory right that a person may have in regard to violations under the Act.

Florida 

H.B. 481
Signed by governor 6/14/05, Chapter 229
S.B. 284
Laid on table 5/3/05
Relates to the unlawful use of personal identification information; includes other information within the definition of the term "personal identification information"; defines the term "counterfeit or fictitious personal identification information"; revises criminal penalties regarding the offense of fraudulently using, or possessing with intent to fraudulently use, said information; requires business persons maintaining computerized data that includes personal information to provide notice of breaches of system security. 

Georgia 

H.B. 340
Signed by governor 5/9/05, Act 359
Relates to when public disclosure of records is not required, so as to provide that records maintained by public postsecondary educational institutions in this state and associated foundations of such institutions that contain certain personal information concerning donors or potential donors to such institutions or foundations shall not be subject to disclosure; provides definitions. 

 

S.B. 230
Signed by governor 5/5/05, Act 163
Relates to selling and other trade practices, so as to provide definitions; requires investigative consumer reporting agencies to give notice to consumers of certain security breaches.

Hawaii 

H.B. 553
Signed by governor 5/31/05, Act 85
S.B. 662
Allows government agencies to withhold personal information contained in final opinions or orders made in the adjudication of cases where the disclosure of the information would be an unwarranted invasion of personal privacy.  Excludes Social Security number information of an individual under contract with the government from disclosure.

Illinois  

H.B. 1633
Signed by governor 6/16/05, Public Act 94-0036
Creates the Personal Information Protection Act.  Provides that any data collector that owns or uses personal information in any form, whether computerized, paper, or otherwise, that includes personal information concerning an Illinois resident shall notify the resident that there has been a breach of the security of the system data following discovery or notification of the breach, without regard for whether the data has been accessed by an unauthorized third party for legal or illegal purposes.  Provides that the notification required pursuant to the Act may be delayed if a law enforcement agency determines that the notification may impede a criminal investigation.  Amends the Consumer Fraud and Deceptive Business Practices Act.  Provides that a violation of the Personal Information Protection Act is a violation of the Consumer Fraud and Deceptive Business Practices Act. 

 

S.B. 1799
Signed by governor 6/16/05, Public Act 94-0041
Amends the Department of Revenue Law of the Civil Administrative Code of Illinois.  Requires the Department of Revenue to notify an individual if the Department discovers or reasonably suspects that another person has used that individual's Social Security number. 

Indiana 

S.B. 503
Signed by governor 4/26/05
Prohibits a state agency from releasing the Social Security number of an individual unless the release is: (1) required by state law, federal law, or court order; (2) authorized in writing by the individual; (3) made to comply with the USA Patriot Act or Presidential Executive Order 13224; or (4) made to a commercial entity for permissible uses set forth in the Drivers Privacy Protection Act, the Fair Credit Reporting Act, or the Financial Modernization Act of 1999.  Provides that disclosure of the last four digits of a Social Security number is not considered a disclosure of the Social Security number.  Requires a state agency to notify an individual of a security breach of the agency's computer system if the individual's unencrypted personal information was or is reasonably believed to have been acquired by an unauthorized person.  Makes it a Class D felony to knowingly make a false representation to obtain a Social Security number or for an agency employee to knowingly disclose a Social Security number.  Provides that an agency employee who negligently discloses a Social Security number commits a Class A infraction.  Requires an individual who prepares a document for recording to certify that the individual reviewed the entire document and took reasonable care to redact Social Security numbers in the document.  After December 31, 2007, requires a county recorder or an employee of a county recorder to search documents using redacting technology to redact Social Security numbers before the documents are released for public inspection.  Authorizes establishment of a pilot project beginning July 1, 2005, to develop procedures and test technology and equipment for searching recorded documents and redacting Social Security numbers.  Requires county recorders to seek federal grants, private funds, and other sources of money to implement redacting technology.

Louisiana 

S.B. 205
Signed by governor 7/12/05, Act 499
Creates the Database Security Breach Notification Law. 

Maine 

L.D. 1671
Signed by governor 6/10/05, Chapter 379
Requires an entity engaged in business in Maine that is in possession of electronic data containing personal information to disclose any unauthorized acquisition or suspected unauthorized acquisition of that personal information to a person whose personal information may have been acquired. 

Minnesota  

H.F. 225
Signed by governor 6/3/05, Chapter 163
S.F. 361
Makes technical, conforming, and clarifying changes to the Minnesota Government Data Practices Act; defines terms; classifies, regulates, and reviews access to and dissemination of certain data; provides notice of breaches in security; regulates certain fees; provides for the conduct of certain board and council meetings; modifies provisions regulating motor vehicle and driver applications and records; regulates disclosure of nonidentifying sales tax returns; modifies vehicle accident reports and procedures; provides for treatment of data held by the comprehensive incident-based reporting system; regulates use of Social Security numbers; classifies certain animal health data; defines terms and regulates data privacy practices for wireless telecommunications; provides for a review of the handling of genetic information.

 

H.F. 2121
Signed by governor 6/3/05, Chapter 167
S.F. 2118
Requires businesses that possess personal data to notify persons whose personal information has been disclosed to unauthorized persons.

Montana

H.B. 732
Signed by governor 4/28/05, Chapter 518
Adopts and revises laws to implement individual privacy and to prevent identity theft; requires a consumer reporting agency to block or expunge information on a report that results from a theft of identity; provides privacy protection provisions for credit card solicitations and renewals and telephone accounts; provides privacy protection for business records by requiring destruction of records; requires businesses to report a breach of computer security; requires a business that has an established business relationship with a customer and that has disclosed certain personal information to third parties to report that information to the customer; provides remedies and penalties for violation.

Nevada 

A.B. 1, Special Session
Signed by governor 6/17/05, Chapter 6
Changes the effective date for A.B. 334 and amends the definition of personal information in S.B. 347. 

 

A.B. 334
Signed by governor 6/17/05, Chapter 486
Requires a governmental entity, except in certain circumstances, to ensure that Social Security numbers in its books and records are maintained in a confidential manner; prohibits the inclusion of Social Security numbers in certain documents that are recorded, filed or otherwise submitted to a governmental agency; requires a governmental agency or certain persons who do business in this state that own, license or maintain computerized data to notify certain persons if personal information included in that data was, or is reasonably believed to have been, acquired by an unauthorized person; expands the types of prohibited computer contaminants to include spyware. 

 

S.B. 347
Signed by governor 6/17/05, Chapter 485
Relates to personal identifying information; prohibits the establishment or possession of a financial forgery laboratory; enhances the penalties for crimes involving personal identifying information that are committed against older persons and vulnerable persons; requires the issuer of a credit card to provide a notice including certain information concerning its policies regarding identity theft and the rights of cardholders when issuing a credit card to a cardholder; requires data collectors to provide notification concerning any breach of security involving system data; makes various other changes concerning personal identifying information; provides penalties; and provides other matters properly relating thereto.

New Jersey 

A.B. 4001
Signed by governor 9/22/05, Chapter 226
S.B. 1914
Substituted 6/23/05
S.B. 2665
Allows victims of identity theft to obtain an official incident record from their local law enforcement agency if the victim has learned or reasonably suspects that he has been a victim of identity theft.  The victim may contact their local law enforcement agency to make a complaint and be provided with a police report.  Establishes a procedure whereby a victim of identity theft could obtain a factual determination of innocence and access a statewide identity theft registry.  After an order has been issued, the court may order that the name and personal identifying information of the victim contained in court records, files and indexes be deleted, sealed or labeled to show that the data is impersonated and does not reflect the defendant's identity.  Requires the Administrative Office of the Courts (AOC) to establish and maintain a database of persons who have been victims of identity theft and that have received determinations of factual innocence.  Access to the database would be limited to criminal justice agencies, victims of identity theft and any other persons and agencies authorized by the victims.  The AOC would also be required to establish a toll-free number to provide access information to victims of identity theft.  Amends and supplements the "New Jersey Fair Credit Reporting Act," to require that a consumer reporting agency place a security freeze on a consumer credit report within five business days of receiving a request to do so either in writing by certified mail or by a telephone request with certain accompanying personal identifying information; or within three business days of receiving a secure electronic mail request, and prohibits the release of information from the report while the freeze is in place, except as provided by the bill.
Provides that the consumer reporting agency shall provide notice to a consumer of the availability and mechanics of the security freeze in a notice, the form of which is provided in the bill, at any time a consumer is required to receive a summary of rights under section 609 of the federal "Fair Credit Reporting Act."  Requires a consumer reporting agency to provide a consumer with an identification number to be used for temporarily lifting a freeze upon a consumer credit report or authorizing the subsequent release of information from a consumer credit report that is subject to a security freeze.  Further, the bill stipulates that a security freeze shall remain in place until either the consumer requests to have the security freeze removed, or upon discovery by the consumer reporting agency that the consumer's credit report was frozen due to a material misrepresentation by the consumer.  Also, if a third party requests access to a consumer credit report on which a security freeze is in effect, and this request is in connection with an application for credit or any other benefit, and the consumer does not allow the report to be accessed, the third party may treat the application as incomplete.  A consumer reporting agency that negligently or willfully violates the security freeze sections of the bill shall notify the consumer of the misconduct within five business days and may be subject to civil and injunctive penalties.  Any data collector that owns or uses personal information concerning a New Jersey resident shall notify the resident that there has been a security breach related to the data following discovery or notification of the breach.  The disclosure notifications shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement.  The disclosure may be delayed, however, if a law enforcement agency determines that notification will impede a criminal investigation.  
Any data collector that maintains computerized data that includes personal information that the data collector does not own shall notify the owner or licensee of the information of any breach of the security of the system immediately following discovery.  Any individual injured by a violation of the security breach section of the bill may institute a civil action to recover damages or injunctive relief.  Requires any business that conducts business in New Jersey and any business that maintains or otherwise possesses personal information of New Jersey residents to take all reasonable measures to protect against unauthorized access to or use of that information in connection with or after its disposal.  Further, the procedures used in the destruction and disposal of the personal records must be comprehensively described and classified as official policy in the writings of the business entity.  A violation of the destruction of records provisions of the bill shall be punishable by a civil penalty not to exceed $3,000 for each violation, injunctive relief and actual damages, costs and reasonable attorney's fees.
Prohibits any person, including a public or private entity from: (1) intentionally communicating or otherwise making available to the public an individual's Social Security number; (2) printing an individual's Social Security number on any card required for the individual to access products or services provided by the person; (3) requiring an individual to transmit his Social Security number over the Internet, unless the connection is secure or the Social Security number is encrypted; (4) requiring an individual to use his Social Security number to access an Internet Web site, unless a password or unique personal identification number or other authentication device is also required to access the Internet Web site; (5) printing an individual's Social Security number on any materials that are mailed to the individual, unless State or federal law requires the Social Security number to be on the document to be mailed; (6) selling, leasing, loaning, trading, renting, or otherwise disclosing an individual's Social Security number to a third party for any purpose without written consent to the disclosure from the individual; or (7) refusing to do business with an individual because the individual will not consent to the receipt by that person of the Social Security number of that individual, unless that person is expressly required under State or federal law, in connection with doing business with an individual, to submit to the state or federal government, as applicable, that individual's Social Security number.  Unauthorized use of a Social Security number is punishable by a $3,000 fine for a negligent violation, and a $5,000 fine or up to 15 days imprisonment, or both, for knowingly violating this section.  An aggrieved individual may recover actual damages or $5,000, whichever is greater, plus reasonable attorney's fees and court costs.

New York 

A.B. 4254
Signed by governor 8/9/05, Chapter 442
S.B. 3492
Substituted by A.B. 4254
Requires any state agency or business that owns or licenses a computerized database which includes vulnerable personal information to disclose any breach of security of such system to any resident of New York state whose unencrypted personal information may have been acquired by an unauthorized person; provides enforcement provisions.

North Carolina 

H.B. 1248
Passed House 5/23/05
S.B. 1048
Signed by governor 9/21/05, Session Law 414
Enacts the Identity Theft Protection Act of 2005, including consumer report security freezes and protections for Social Security numbers. 

North Dakota

S.B. 2251
Signed by governor 4/22/05
Relates to requiring disclosure to consumers of a breach in security by businesses maintaining personal information in electronic form; relates to the unauthorized use of personal identifying information, penalties, and prosecution of offenses in multiple counties; jurisdiction in offenses involving conduct outside this state; and provides a penalty.

Ohio 

H.B. 104
Signed by governor 11/17/05
Requires a state agency, person, or business to contact individuals if unencrypted personal information about those individuals that is maintained on the computers of the agency, person, or business is obtained by unauthorized persons. 

Oregon  

S.B. 643
Signed by governor 6/29/05, Chapter 363
Allows a state institution of higher education to contract with a private contractor to provide the service of facilitating disbursement of funds to students.  Imposes conditions if a student's personally identifiable information is necessary to administer disbursement. 

 

S.B. 978
Signed by governor 7/15/05, Chapter 545
Prohibits disclosure of public records relating to criminal investigation or prosecution or to confinement of persons convicted of crimes unless personal identifiers have been deleted.  Increases the punishment for identity theft if personal information transferred relates to specified persons. 

Tennessee 

H.B. 2170
S.B. 2220
Signed by governor 6/18/05, Public Law Chapter 473
Requires persons, businesses or government agencies that discover a breach of information security resulting in disclosure of unencrypted personal information about persons to unauthorized third parties to provide notice of such disclosure. 

Texas 

H.B. 698
Signed by governor 6/18/05, Chapter 935
Provides for the disposal of business records that contain personal identifying information as defined by this section.  A business that does not properly dispose of a business record that contains personal identifying information of a customer is liable for a civil penalty of up to $500 for each record.  A business that modifies a record in good faith is not liable for a civil penalty.  Grants the attorney general authority to bring suit against the business to recover a civil penalty, obtain any other remedy, including injunctive relief, as well as costs and attorney’s fees. 

Washington  

H.B. 1012
Signed by governor 5/17/05, Chapter 500
Declares that it is unlawful for a person who is not an owner or operator to transmit computer software to the owner or operator's computer with actual knowledge or with conscious avoidance of actual knowledge and to use such software to collect, through intentionally deceptive means, personally identifiable information: (a) Through the use of a keystroke-logging function that records all keystrokes made by an owner or operator and transfers that information from the computer to another person; (b) in a manner that correlates such information with data respecting all or substantially all of the Web sites visited by an owner or operator, other than web sites operated by the person collecting such information; and (c) described in section 1(10) (d), (e), or (f)(i) or (ii) of this act by extracting the information from the owner or operator's hard drive. 

 

S.B. 6043
Signed by governor 5/10/05, Chapter 368
Requires any agency, person, or business that owns and licenses computerized data that includes personal information, to inform Washington consumers of any breach of their data security, following discovery or notification of the breach.  The notification must be made without unreasonable delay, consistent with the needs of law enforcement.  Notification may not impede a criminal investigation.  "Personal information" covered by the duty to notify includes:  Social Security numbers, driver's license, or ID card numbers; and credit and debit card numbers in combination with access codes.  Personal information does not include publicly-available information from federal, state, and local government records.  Notice of the security breach may be provided by written or electronic notice, or by a "substitute notice" by e-mail, conspicuous website posting, or major statewide media.  As a matter of public policy, consumers cannot waive their right to notice.  Remedies include a civil action to recover damages, or injunctive relief against a business that violates the notice requirements.

NCSL Contact:  Heather Morton, Denver
