2014 Security Breach Legislation

4/11/2014

At least 19 states have introduced or are considering security breach legislation in 2014. Most of the bills would amend existing security breach laws. Kentucky, one of only four states without security breach legislation, enacted two bills in 2014, and Iowa enacted legislation amending its breach law. Only three states--Alabama, New Mexico and South Dakota--do not currently have a law requiring notification of security breaches involving personal information.

ARIZONA
H.B. 2645
Requires the Department of Education to develop and implement a detailed security plan that includes planning for a possible breach of data security, including notification procedures to entities that own data that may be affected by the data breach.

CALIFORNIA
A.B. 1560
Prohibits the State Health Benefit Exchange from disclosing an individual's personal information to third parties for the purpose of determining eligibility for, or enrolling the individual in health care coverage unless the Exchange obtains prior written consent. Requires the exchange to immediately notify the public of any breach of the security of personal information created, collected, or maintained, regardless of the severity of the breach.

A.B. 1710
Makes nonsubstantive, technical changes to existing law that requires a person or business that owns or licenses computerized data that includes information to disclose a breach of security of the system or data to any state resident whose unencrypted personal information was acquired by an unauthorized person.

A.B. 1755
Amends existing law that requires a clinic, health facility, home health agency, or hospice to prevent unlawful or unauthorized access to, and use or disclosure of, patients' medical information. Requires those entities to prevent breaches of patients' medical information, as defined, and to report any breach of a patient's medical information to the department and to the affected patient or the patient's representative without unreasonable delay after a breach has been detected.

DELAWARE
S.B. 101
Clarifies that a person who is a victim of a Digital Data Breach shall have seven years from the date the personal information is posted in which to bring a civil action for damages.

S.B. 102
Adds name, birth date and address to the definition of personal information. The bill also defines a "digital data breach" and describes specific damages.

FLORIDA
H.B. 7085
Relates to security of confidential personal information; designates act as Florida Information Protection Act of 2014; requires specified entities to take reasonable measures to protect and secure data containing personal information in electronic form and notify Department of Legal Affairs of data security breaches; requires DLA to report annually to Legislature; provides requirements for disposal of customer records; provides for enforcement actions by DLA; provides civil penalties.

H.B. 7087
Relates to public records/notices of data breach and investigations/Department of Legal Affairs; provides exemptions from public records requirements for notice of data breach and information held by DLA pursuant to certain investigations; authorizes disclosure under certain circumstances; provides for future legislative review and repeal of exemption; provides statement of public necessity; provides for contingent effect.

S.B. 1524
Relates to security of confidential personal information; cites this act as the Florida Information Protection Act of 2014; repeals provisions relating to a breach of security concerning confidential personal information in third party possession; requires specified entities to take reasonable measures to protect and secure data containing personal information in electronic form; requires notice to individuals of data security breaches in certain circumstances.

S.B. 1526
Relates to public records/department of legal affairs; provides exemptions from public records requirements for the notice of a data breach and information held by the Department of Legal Affairs pursuant to certain investigations; authorizes disclosure under certain circumstances; provides for future review and repeal of the exemption under the Open Government Sunset Review Act; provides a statement of public necessity.

IOWA

H.S.B. 137
Establishes data security compliance requirements in relation to payment card transactions; current provisions prescribe consumer notification requirements applicable to security breaches involving consumer personal information used in the course of a person's business, vocation, occupation, or volunteer activities. Establishes requirements and remedies available to a financial institution in the event a security breach occurs and a person who accepts a payment card in connection with transactions.

H.B. 2116
Prohibits the disclosure of personal information except under specified circumstances. Provides several definitions; defines a person or entity to mean any individual; business entity; nonprofit organization; governmental agency; health care office, network, or organization; employer; pharmacist; religious organization; or any other individual or entity which is in possession of another individual's personal information; defines personal information to mean the same that information as an individual's.

S.S.B. 1047
Establishes data security compliance requirements in relation to payment card transactions. Establishes requirements and remedies available to a financial institution in the event a security breach occurs and a person who accepts a payment card in connection with transactions.

S.S.B. 3040
Relates to notification requirements applicable to security breaches involving consumer personal information; modifies several definitions contained in the code chapter. Includes within the definition of a breach of security the unauthorized acquisition of personal information maintained by a person in any medium, including on paper, that was transferred by the person.

S.B. 2259
STATUS: April 3, 2014, Signed by Governor
Relates to notification requirements applicable to security breaches involving consumer personal information; includes within the definition of a breach of security the unauthorized acquisition of personal information maintained by a person in any medium, including on paper, that was transferred by the person to that medium from computerized form.

KENTUCKY
H.B. 5
STATUS: April 11, 2014, Signed by Governor, Act No. 74
Relates to the safety and security of personal information held by public agencies; defines certain terms. Requires public agencies and nonaffiliated third parties to implement, maintain, and update security procedures and practices, including taking any appropriate corrective action to safeguard against security breaches. Establishes reasonable security and breach investigation procedures. Includes security and breach investigation procedures in contracts with nonaffiliated third parties.

H.B. 232
STATUS: April 11, 2014, Signed by Governor, Act No. 84
Relates to security breach notifications; requires consumer notification when a data breach reveals personally identifiable information.

LOUISIANA
S.B. 176
Relates to the Database Security Breach Notification Law.

S 259
Relates to Louisiana health care consumers' right to know. In the event of a data breach or suspected data breach, requires the Department of Health and Hospitals to notify within thirty days any resident of the state whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

MASSACHUSETTS
H.B. 298
Relates to the security of personal financial information.

S.B. 132
Relates to the security of personal financial information.

MINNESOTA
H.B. 183
Expands disclosure requirements and modifies penalties related to unauthorized access to government data classified as not public; permits an individual data subject to request the name of any persons who have obtained access to private data on the individual, unless the data would identify an undercover law enforcement officer or are active investigative data.

H.B. 2253
Relates to consumer protection; regulates data breach notification.

H.B. 2795
Relates to data practices; modifies standards related to bulk transfer of certain driver's license and motor vehicle registration data; provides for collection and deposit of fees for certain requests for data in bulk form; provides for price for individual records or bulk orders.

MISSOURI

H.B. 1333
Changes the definition of personal information with regard to breaches of consumer information security.

NEBRASKA
L.B. 61
Changes provisions relating to the Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006.

NEW JERSEY
A.B. 1239
Prohibits retail sales establishment from storing certain magnetic-stripe data. Requires reimbursement for costs incurred by financial institution due to breach of security.

A.B. 1329
Revises penalties imposed on businesses for failure to report security breach of computer system.

A.B. 2480
Requires certain notifications and free credit reports for customers following breach of security of personal information within business or public entity.

S.B. 965
Prohibits retail sales establishment from storing certain magnetic-stripe data; requires reimbursement for costs incurred by financial institution due to breach of security.

NEW MEXICO
H.B. 224
Relates to consumer protection. Creates the data breach notification act. Requires notification to people affected by a security breach involving personal identifying information. Requires secure storage and disposal of data containing personal identifying information. Requires notification to consumer reporting agencies, the office of the attorney general and card processors in certain circumstances.

NEW YORK
A.B. 2069
Prohibits the release of personally identifiable student information where parent consent is not provided.

S.B. 5932
Prohibits the release of personally identifiable student information where parent consent is not provided.

OKLAHOMA
H.B. 2031
Relates to schools; relates to the state student record system. Requires the State Board of Education to adopt procedures for providing notice of a breach in the security of the state student record system. Establishes time period for providing notice. Specifies people who are to be notified. Provides for methods of notice. Allows for a delay of notice under certain conditions; declares an emergency.

PENNSYLVANIA

H 2167
Amends the Breach of Personal Information Notification Act; provides for notification of breach to include state agencies, counties, school districts and municipalities.

S.B. 114
Amends the act of Dec. 22, 2005 (P.L.474, No.94), known as the Breach of Personal Information Notification Act; further provides for notification of breaches involving a state agency, county, school district or municipality. Requires the development of a policy to govern proper storage of data that includes personally identifiable information.

RHODE ISLAND
H.B. 5769
Would enumerate additional patients' rights, including the right to be notified of a breach of the security system with regard to their confidential healthcare information. This act would take effect upon passage.

H.B. 7519
Would impose additional requirements upon a notice of breach and disclosure to affected Rhode Island residents of the contact information for consumer reporting agencies and the Federal Trade Commission; a statement that an individual can obtain information from these sources regarding fraud alerts and security freezes; and a statement that warns against possible imposters who attempt to fraudulently notify individuals of security breaches in an attempt to obtain personal identity information.

S.B. 649
Would enumerate additional patients' rights, including the right to be notified of a breach of the security system with regard to their confidential healthcare information. This act would take effect upon passage.

S.B. 2640
Would impose additional requirements upon a notice of breach and disclosure to affected Rhode Island residents of the contact information for consumer reporting agencies and the Federal Trade Commission; a statement that an individual can obtain information from these sources regarding fraud alerts and security freezes; and a statement that warns against possible imposters who attempt to fraudulently notify individuals of security breaches in an attempt to obtain personal identity information.

SOUTH CAROLINA
S.B. 334
Amends the code of laws. Relates to a protection plan to minimize the actual costs and effects of identity theft because of cyber security breach, a policy that ensures the safety of all personally identifiable information, an individual income tax credit for purchasing identity theft protection, officers being removed for cause, and adoption and annual review by technology investment council.

S.B. 1086
Relates to providing notice of a breach of security of state agency data; requires that the notice describe the breach and provide contact information where assistance may be obtained, including the Department of Consumer Affairs; deletes a provision allowing an agency to adhere to its own policy; relates to providing notice of a breach of security of business data; provides the same notice requirements and deletes the same provision.

VERMONT
H.B. 203
Adds financial institutions and other entities regulated by the Department of Financial Regulation to entities required to report data breaches under the Security Breach Notice Act, 9 V.S.A. § 2435.

H.B. 429
Enhances and clarifies reporting requirements and protocols in the event of a breach of electronic consumer data.

S.B. 269
Relates to business consumer protection and data security breaches.


Copyright 2014 by National Conference of State Legislatures