2013 Security Breach Legislation

11/14/2013
 

At least 23 states introduced—and nine states enacted—security breach-related legislation in 2013. States that enacted legislation amended existing security breach laws, for example, to expand the scope of definitions of "personal information," to cover medical or health insurance information, to set additional requirements related to notification or to change penalties for those responsible for breaches.

Since 2002, 46 states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information.

Related information:  Security breach overview (including legislation from 2002), data disposal laws and consumer report security freeze laws.


CALIFORNIA
A.B. 1149
Status: 09/27/2013; Chaptered by Secretary of State. Chapter No. 395
Relates to disclosure of any breach of an agency security to any resident whose unencrypted personal information was acquired by an unauthorized person. Expands disclosure requirements to apply to a breach of computerized data that is owned or licensed by a local agency.

S.B. 46
Status: 09/27/2013; Chaptered by Secretary of State. Chapter No. 396
Expands the definition of “Personal Information” under Cal. Civ. Code § 1798.82 to include “a user name or email address, in combination with a password or security question and answer that would permit access to an online account.”

CONNECTICUT
H.B. 5046
Status: 03/19/2013; Failed Joint Favorable deadline
Prohibits the storage of driver's license information by retail establishments; protects consumers by preventing security breaches and identity theft of sensitive information.

DELAWARE
S.B. 101
Status: 06/04/2013; To Senate Committee on Judiciary.
Clarifies that a person who is a victim of a Digital Data Breach shall have seven years from the date the personal information is posted in which to bring a civil action for damages.

S.B. 102
Status: 06/04/2013; To Senate Committee on Judiciary.
Adds name, birth date and address to the definition of personal information. The bill also defines a "digital data breach" and describes specific damages.

ILLINOIS
H.B. 3024
Status: 03/22/2013; Rereferred to House Committee on Rules.
Amends the Personal Information Protection Act; expands the scope of the Act to cover private contact information; limits the transfer of private contact information.

INDIANA
H.B. 1396
Status: 01/22/2013; To House Committee on Judiciary.
Provides that a data base owner may not make a material misrepresentation to an Indiana resident regarding the data base owner's collection, use, storage, sharing, or destruction of the resident's personal information. Adds the definition of "data" for purposes of security breach disclosure laws to include information maintained: (1) in a computerized format; (2) on paper; (3) on microfilm; or (4) in or on a similar medium.

IOWA
S.S.B. 1047
Status: 01/17/2013; In Senate Committee on Commerce: Subcommittee assignments: Bolkcom Chair, Petersen, and Bertrand.
Establishes data security compliance requirements in relation to payment card transactions; establishes requirements and remedies available to a financial institution in the event a security breach occurs and a person who accepts a payment card in connection with transactions.

H.S.B. 137
Status: 02/13/2013; In House Committee on Commerce: Subcommittee assignments: Grassley Chair, Hall, and Fisher.
Establishes data security compliance requirements in relation to payment card transactions; current provisions prescribe consumer notification requirements applicable to security breaches involving consumer personal information used in the course of a person's business, vocation, occupation, or volunteer activities; establishes requirements and remedies available to a financial institution in the event a security breach occurs and a person who accepts a payment card in connection with transactions.

MAINE
H.B. 133
Status: 05/29/2013; In Senate. Placed in Legislative File (Dead).
Requires that notice of a breach must be provided to state regulators no later than 10 days after discovery of the breach; clarifies that a notice to residents affected by a breach may be delayed only pursuant to a written request from a law enforcement agency.

MARYLAND
S.B. 676  
Status: 05/02/2013; Chapter No. 304
Requires, except under certain circumstances, a governmental unit or, under certain circumstances, a nonaffiliated third party to notify certain persons of a breach of the security of a system under certain circumstances; specifying the time at which notification.

H.B. 959
Status: 04/08/2013; From Senate Committee on Education, Health and Environmental Affairs: Reported favorably.
Requires state and local government units to destroy or arrange for the destruction of records that contain specified personal or private information in a specified manner; requires a government unit that collects, maintains, or makes available specified personal information of a state resident to implement and maintain specified security procedures and practices; requires specified government units to notify specified residents of a breach of the security of a system under specified circumstances.

S.B. 591
Status: 02/11/2013; Withdrawn from further consideration.
Requires government units to destroy or arrange for the destruction of records that contain specified personal or private information in a specified manner; requires a government unit that collects, maintains, or makes available specified personal or private information of a state resident to implement and maintain specified security procedures and practices; requires government units to notify specified residents of a breach of the security of a system under specified circumstances.

S.B. 859
Status: 04/01/2013; Withdrawn from further consideration.
Requires a specified business, when destroying a customer's records that contain specified personal or private information, to take specified steps to protect against unauthorized access to or use of the information; requires a specified business that owns or licenses specified personal or private information of an individual residing in the state to implement and maintain specified security procedures and practices.

MASSACHUSETTS
H.B. 298
Status: 02/18/2013; To Joint Committee on Consumer Protection and Professional Licensure. Dated 01/22/2013.
Relates to the protection of personal information in consumer transactions.

S.B. 132
Status: 02/15/2013; Filed as Senate Docket 521
Petition (accompanied by bill, Senate, No. 132) for legislation relative to the security of Personal Financial information. Consumer Protection and Professional Licensure.

MINNESOTA
H.B. 183
Status: 05/18/2013; In Senate. Second Reading.
Expands disclosure requirements and modifies penalties related to unauthorized access to government data classified as not public; permits an individual data subject to request the name of any persons who have obtained access to private data on the individual, unless the data would identify an undercover law enforcement officer or are active investigative data.

MONTANA
H.B. 400
Status: 04/24/2013; Died in committee
Requires a business, governmental entity, or agency that collects data to adhere to the requirements of 30-14-1704 for any breach or suspected breach of the security of the data system that contains or may contain unencrypted personal information.

S.B. 211
Status: 05/18/2013; Indefinitely postponed.
Relates to data practices; enhances certain penalties and procedures related to unauthorized access to data by a public employee; relates to database breach; includes criminal penalties.

NEBRASKA
L.B. 61
Status: 06/11/2013; 103rd Legislature -- First Regular Session Adjourned - 06/05/2013 - Carried Over to Second Regular Session.
Changes provisions relating to the Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006.

NEW HAMPSHIRE
H.B. 565
Status: 03/05/2013; Retained in Committee for Action in Second Year of Session.
Adds preliminary requirements for bringing certain actions under the consumer protection law.

NEW YORK
S.B. 2605-D
Status: 03/28/2013; Chapter No. 55
Amends the New York State Technology Law. Expands the functions of the Office of Information Technology to include establishing statewide technology policies relating to the security of state government networks and geographic information systems and providing for the protection of the state government's cyber security infrastructure. The Office of Information Technology replaces the state office of cyber security and critical infrastructure coordination in provisions related to notice of security breaches by state entities.

NORTH DAKOTA
H.B. 1435
Status: 06/26/2013; Chapter Number 106
Adds two important items to the list of Personally Identifiable Information for non-HIPAA covered entities under the Data Breach Notification Law: medical information and health insurance information.

OKLAHOMA
H.B. 2031
Status: 02/06/2013; To House Committee on Rules.
Relates to schools; relates to the state student record system; requires the State Board of Education to adopt procedures for providing notice of a breach in the security of the state student record system; establishes time period for providing notice; specifies persons who are to be notified; provides for methods of notice; allows for a delay of notice under certain conditions; declares an emergency.

H.B. 2062
Status: 5/29/2013, Enacted, Chap. 358
For each security breach of a system for which notification may be required of any state agency pursuant to law, the state agency shall immediately notify the Chief Information Officer of the breach. Information related to each of these security breaches shall be posted on the security.ok.gov website.

OREGON
H.B. 3411
Status: 07/08/2013; In committee upon adjournment.
Expands circumstances under which breach of security requires notification under Oregon Consumer Identity Theft Protection Act to include disclosure of written data that contains personal information; requires person that owns, maintains or possesses written data that contains personal information to implement safeguards.

S.B. 574
Status: 06/13/2013; Chaptered. Chapter No. 415
Amends the definition of security breach to exclude an inadvertent acquisition of personal information by an entity or that entity’s employee or agent if the personal information is not used in violation of applicable law or in a manner that harms or poses an actual threat to the security, confidentiality or integrity of the personal information.

RHODE ISLAND
H.B. 5769
Status: 05/07/2013; In House Committee on Judiciary
Would enumerate additional patient's rights, including the right to be notified of a breach of the security system with regard to their confidential healthcare information. This act would take effect upon passage.

S.B. 649
Status: 06/11/2013; In Senate Committee on Health and Human Services: Committee recommends measure to be held for further study.
Would enumerate additional patient's rights, including the right to be notified of a breach of the security system with regard to their confidential healthcare information. This act would take effect upon passage.

PENNSYLVANIA
S.B. 114
Status: 05/06/2013; To House Committee on Judiciary.
Amends the act of Dec. 22, 2005 (P.L.474, No.94), known as the Breach of Personal Information Notification Act; further provides for notification of breaches involving a state agency, county, school district or municipality; requires the development of a policy to govern proper storage of data which includes personally identifiable information.

SOUTH CAROLINA
H.B. 3248
Status: 04/30/2013; Act No. 15
Revises definition of breach of security and business data. Revises definitions in the Financial Transaction Fraud Act of “personal identifying information” and “financial resources” to include pension plans, retirement plans, annuities and lines of credit.

H.B. 3710
Status: 8/1/2013; Act No. 101
Requires state agencies that own or license computerized data or other data that includes personal identifying information to disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to residents of the state whose personal identifying information was, or is reasonably believed to have been, acquired by an unauthorized person. Agencies must notify affected residents within 72 hours after discovering a breach.

TEXAS
S.B. 1610
Status: 07/30/2013; Filed with Secretary of State. Chapter No. 1368
Relates to the notification of individuals following a breach of security of computerized data using the last known address. Requires that if a breach involves information regarding a resident of a state other than Texas, and that state's law requires notice of the incident, a person conducting business in Texas may provide notice of the breach "under that state's law" or under the Texas law.

H.B. 1064
Status: 04/23/2013; Left pending in committee.
Relates to the prosecution of the offense of breach of computer security. Adds “with the intent to obtain a benefit” to the definition of a data breach.

S.B. 249
Status: 04/15/2013; To House Committee on Criminal Jurisprudence.
Relates to the prosecution of the offense of breach of computer security. Adds “with the intent to obtain a benefit” to the definition of a data breach.

UTAH
S.B. 227
Status: 03/14/2013; Enacting clause struck.
Amends the Health Code related to the Medicaid program; requires certain health care providers that enter into a provider agreement with the state Medicaid program to purchase insurance that would cover a health data breach; specifies certain coverage requirements that must be maintained by the provider.

VERMONT
H.B. 203
Status: 02/06/2013; To House Committee on Commerce and Economic Development.
Adds financial institutions and other entities regulated by the Department of Financial Regulation to entities required to report data breaches under the Security Breach Notice Act, 9 V.S.A. § 2435.

H.B. 513
Status: 05/17/2013; Act No. 0029
Adds financial institutions and other entities regulated by the Department of Financial Regulation to entities required to report data breaches under the Security Breach Notice Act, 9 V.S.A. § 2435.

H.B. 429
Status: 02/28/2013; To House Committee on Commerce and Economic Development.
Enhances and clarifies reporting requirements and protocols in the event of a breach of electronic consumer data.

Compiled by Cassandra Kirsch and Pam Greenberg. NCSL contact for additional information: Pam Greenberg.


Copyright 2014 by National Conference of State Legislatures