2014 Security Breach Legislation

6/5/2014

At least 19 states have introduced or are considering security breach legislation in 2014. Most of the bills would amend existing security breach laws. Kentucky, one of only four states without security breach legislation, enacted two bills in 2014, and Iowa enacted legislation amending its breach law. Only three states--Alabama, New Mexico and South Dakota--do not currently have a law requiring notification of security breaches involving personal information.

PLEASE NOTE: NCSL cannot provide assistance with individual cases. NCSL serves state legislators and their staff. This site provides general comparative information only and should not be relied upon or construed as legal advice. Please check individual legislative websites for the most current status, summaries and versions of bill text.

ARIZONA
H.B. 2645
Status: Failed - Adjourned
Requires the Department of Education to develop and implement a detailed security plan that includes planning for a possible breach of data security, including notification procedures to entities that own data that may be affected by the data breach.


CALIFORNIA
A.B. 1560
Status: Pending
Prohibits the State Health Benefit Exchange from disclosing an individual's personal information to third parties for the purpose of determining eligibility for, or enrolling the individual in health care coverage unless the Exchange obtains prior written consent. Requires the exchange to immediately notify the public of any breach of the security of personal information created, collected, or maintained, regardless of the severity of the breach.

A.B. 1710
Status: Pending
Requires any entity in the state that owns or licenses computerized data containing personal information to disclose a security breach of the system or data following discovery or notification of the security breach to any resident whose personal information was acquired by an unauthorized person unless the data was encrypted and to provide identity theft prevention and mitigation services. Relates to liability for failure to limit access to payment-related data. Prohibits selling social security numbers.

A.B. 1755
Status: Pending
Amends existing law that requires a clinic, health facility, home health agency, or hospice to prevent unlawful or unauthorized access to, and use or disclosure of, patients' medical information. Requires those entities to prevent breaches of patients' medical information, as defined, and to report any breach of a patient's medical information to the department and to the affected patient or the patient's representative without unreasonable delay after a breach has been detected.

DELAWARE
S.B. 101
Status: Pending-carryover
Clarifies that a person who is a victim of a Digital Data Breach shall have seven years from the date the personal information is posted in which to bring a civil action for damages.

S.B. 102
Status: Pending-carryover
Adds name, birth date and address to the definition of personal information. The bill also defines a "digital data breach" and describes specific damages.

FLORIDA
H.B. 7085
Status: Failed
Relates to security of confidential personal information; designates act as Florida Information Protection Act of 2014; requires specified entities to take reasonable measures to protect and secure data containing personal information in electronic form and notify Department of Legal Affairs of data security breaches; requires DLA to report annually to Legislature; provides requirements for disposal of customer records; provides for enforcement actions by DLA; provides civil penalties.

H.B. 7087
Status: Failed
Relates to public records/notices of data breach and investigations/Department of Legal Affairs; provides exemptions from public records requirements for notice of data breach and information held by DLA pursuant to certain investigations; authorizes disclosure under certain circumstances; provides for future legislative review and repeal of exemption; provides statement of public necessity; provides for contingent effect.

S.B. 1524
Status: June 13, 2014; To Governor
Relates to the Florida Information Protection Act of 2014; requires third parties to take measures to protect and secure data containing personal information in electronic form; requires notification to the Department of Legal Affairs and individuals of data security breaches; requires notice to credit reporting agencies; relates to driver licenses, Social Security numbers, credit and debit card numbers, medical records and health insurance information; provides that no private cause of action is created.

S.B. 1526
Status: June 13, 2014; To Governor
Creates an exemption from public records for information received by the Department of Legal Affairs pursuant to a notification of a data breach or received pursuant to an investigation by the department or a law enforcement agency until the investigation is completed or ceases to be active; relates to proprietary information, trade secrets, Social Security numbers and finance, medical and health insurance information; includes improper disposal of customer records; relates to computer forensic reports.

IOWA

H.S.B. 137
Status: Pending - carryover
Establishes data security compliance requirements in relation to payment card transactions; current provisions prescribe consumer notification requirements applicable to security breaches involving consumer personal information used in the course of a person's business, vocation, occupation, or volunteer activities. Establishes requirements and remedies available to a financial institution in the event a security breach occurs and a person who accepts a payment card in connection with transactions.

H.B. 2116
Status: Failed
Prohibits the disclosure of personal information except under specified circumstances. Provides several definitions; defines a person or entity to mean any individual; business entity; nonprofit organization; governmental agency; health care office, network, or organization; employer; pharmacist; religious organization; or any other individual or entity which is in possession of another individual's personal information; defines personal information to mean the same that information as an individual's.

S.S.B. 1047
Status: Pending - carryover
Establishes data security compliance requirements in relation to payment card transactions. Establishes requirements and remedies available to a financial institution in the event a security breach occurs and a person who accepts a payment card in connection with transactions.

S.S.B. 3040
Status: Pending 
Relates to notification requirements applicable to security breaches involving consumer personal information; modifies several definitions contained in the code chapter. Includes within the definition of a breach of security the unauthorized acquisition of personal information maintained by a person in any medium, including on paper, that was transferred by the person.

S.B. 2259
Status: April 3, 2014, Signed by Governor
Relates to notification requirements applicable to security breaches involving consumer personal information; includes within the definition of a breach of security the unauthorized acquisition of personal information maintained by a person in any medium, including on paper, that was transferred by the person to that medium from computerized form.

KENTUCKY
H.B. 5
Status: April 11, 2014, Signed by Governor, Act No. 74
Relates to the safety and security of personal information held by public agencies; defines certain terms. Requires public agencies and nonaffiliated third parties to implement, maintain, and update security procedures and practices, including taking any appropriate corrective action to safeguard against security breaches. Establishes reasonable security and breach investigation procedures. Includes security and breach investigation procedures in contracts with nonaffiliated third parties.

H.B. 232
Status: April 11, 2014, Signed by Governor, Act No. 84
Relates to security breach notifications; requires consumer notification when a data breach reveals personally identifiable information.

LOUISIANA
H.B. 350
Status: June 2, 2014; To Governor.
Requires the Department of Health and Hospitals to maintain a computerized database of personal health information of consumers in a secure environment; requires the Department to notify each resident whose personal information was acquired within a specified period of time from the breach or suspected breach.

S.B. 176
Status: Failed
Relates to the Database Security Breach Notification Law.

S.B. 259
Status: Pending 
Relates to Louisiana health care consumers' right to know. In the event of a data breach or suspected data breach, requires the Department of Health and Hospitals to notify within thirty days any resident of the state whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

MASSACHUSETTS
H.B. 298
Status: Pending 
Relates to the security of personal financial information.

S.B. 132
Status: Pending 
Relates to the security of personal financial information.

MINNESOTA
H.B. 183
Status: May 21, 2014; Signed by Governor, Chapter 284
Relates to unauthorized access to data by public employees; requires security safeguards for ensuring that private data is only accessible to persons whose work assignment reasonably requires the data; includes government contractors; requires written notification to affected persons when such breach has taken place and the results of an investigation; provides criminal penalties for knowing authorizing acquisition of private data; requires coordination with consumer reporting agencies.

H.B. 2253
Status: Failed - adjourned
Relates to consumer protection; regulates data breach notification.

H.B. 2795
Status: Failed 
Relates to data practices; modifies standards related to bulk transfer of certain driver's license and motor vehicle registration data; provides for collection and deposit of fees for certain requests for data in bulk form; provides for price for individual records or bulk orders.

MISSOURI

H.B. 1333
Changes the definition of personal information with regards to breaches of consumer information security.

NEBRASKA
L.B. 61
Status: Failed
Changes provisions relating to the Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006.

NEW JERSEY
A.B. 1239
Status: Pending 
Prohibits retail sales establishment from storing certain magnetic-stripe data. Requires reimbursement for costs incurred by financial institution due to breach of security.

A.B. 1329
Status: Pending 
Revises penalties imposed on businesses for failure to report security breach of computer system.

A.B. 2480
Status: Pending 
Requires certain notifications and free credit reports for customers following breach of security of personal information within business or public entity.

A.B. 3146
Status: Pending
Requires disclosure of breach of security of online account.

S.B. 965
Status: Pending  
Prohibits retail sales establishment from storing certain magnetic-stripe data; requires reimbursement for costs incurred by financial institution due to breach of security.

S.B. 2188
Status: Pending
Requires disclosure of breach of security of online account.

NEW MEXICO
H.B. 224
Status: Adjourned
Relates to consumer protection. Creates the data breach notification act. Requires notification to people affected by a security breach involving personal identifying information. Requires secure storage and disposal of data containing personal identifying information. Requires notification to consumer reporting agencies, the office of the attorney general and card processors in certain circumstances.

NEW YORK
A.B. 2069
Status: Pending 
Prohibits the release of personally identifiable student information where parent consent is not provided.

S.B. 5932
Status: Pending 
Prohibits the release of personally identifiable student information where parent consent is not provided.

OKLAHOMA
H.B. 2031
Relates to schools; relates to the state student record system. Requires the State Board of Education to adopt procedures for providing notice of a breach in the security of the state student record system. Establishes time period for providing notice. Specifies people who are to be notified. Provides for methods of notice. Allows for a delay of notice under certain conditions; declares an emergency.

PENNSYLVANIA
H.B. 2167
Status: Pending 
Amends the Breach of Personal Information Notification Act; provides for notification of breach to include state agencies and county, school districts and municipalities.

S.B. 114
Status: Pending 
Amends the act of Dec. 22, 2005 (P.L.474, No.94), known as the Breach of Personal Information Notification Act; further provides for notification of breaches involving a state agency, county, school district or municipality. Requires the development of a policy to govern proper storage of data that includes personally identifiable information.

RHODE ISLAND
H.B. 5769
Status: Pending 
Would enumerate additional patient's rights, including the right to be notified of a breach of the security system with regards to their confidential healthcare information. This act would take effect upon passage.

H.B. 7519
Status: Pending 
Would impose additional requirements upon a notice of breach and disclosure to affected Rhode Island residents of the contact information for consumer reporting agencies and the Federal Trade Commission; a statement that an individual can obtain information from these sources regarding fraud alerts and security freezes; and a statement that warns against possible imposters who attempt to fraudulently notify individuals of security breaches in an attempt to obtain personal identity information.

S.B. 649
Status: Pending 
Would enumerate additional patient's rights, including the right to be notified of a breach of the security system with regards to their confidential healthcare information. This act would take effect upon passage.

S.B. 2640
Status: Pending 
Would impose additional requirements upon a notice of breach and disclosure to affected Rhode Island residents of the contact information for consumer reporting agencies and the Federal Trade Commission; a statement that an individual can obtain information from these sources regarding fraud alerts and security freezes; and a statement that warns against possible imposters who attempt to fraudulently notify individuals of security breaches in an attempt to obtain personal identity information.

SOUTH CAROLINA
H.B. 4701
Status: Pending
Provides for the operation of state government during this fiscal year and for other purposes. Requires state agencies to adopt and implement cyber security policies, guidelines and standards developed by the Budget and Control Board. The Budget and Control Board may conduct audits as necessary to monitor compliance with established cyber security policies, guidelines and standards. In addition, the Budget and Control Board shall oversee all incident responses to agency cyber security breaches. Upon request of the Budget and Control Board for information or data, agencies must fully cooperate with and furnish the Budget and Control Board with all documents, reports, assessments, and any other data and documentary information needed by the Board to perform its mission and to exercise its functions, powers and duties.

S.B. 334
Status: Pending 
Amends the code of laws. Relates to a protection plan to minimize the actual costs and effects of identity theft because of cyber security breach, a policy that ensures the safety of all personally identifiable information, an individual income tax credit for purchasing identity theft protection, officers being removed for cause, and adoption and annual review by technology investment council.

S.B. 1086
Status: Pending
Relates to providing notice of a breach of security of state agency data; requires that the notice describe the breach and provide contact information where assistance may be obtained, including the Department of Consumer Affairs; deletes a provision allowing an agency to adhere to its own policy; relates to providing notice of a breach of security of business data; provides the same notice requirements and deletes the same provision.

VERMONT
H.B. 203
Status: Pending
Adds financial institutions and other entities regulated by the Department of Financial Regulation to entities required to report data breaches under the Security Breach Notice Act, 9 V.S.A. § 2435.

H.B. 429
Status: Pending
Enhances and clarifies reporting requirements and protocols in the event of a breach of electronic consumer data.

S.B. 269
Status: Pending
Proposes to enhance the standards and requirements for a business to be notified of a possible data security breach and to be informed that it has legal duties under current law; provides that a law enforcement agency may delay the notice to the consumer if it believes that notification may impede a law enforcement investigation, or a national or Homeland Security investigation or jeopardize public safety or national or Homeland Security interests.


Copyright 2014 by National Conference of State Legislatures