2015 Security Breach Legislation

12/31/2015

At least 33 states in 2015 introduced or are considering security breach notification bills or resolutions. Many of the bills would amend existing security breach laws to:

  • Require entities to report breaches to attorneys general or another central state agency
  • Expand the definition of "personal information" (e.g., to include medical, insurance or biometric data) in cases of a security breach
  • Require businesses or government entities to implement security plans or various security measures
  • Require educational institutions to notify parents or government entities if a breach occurs. 


Only three states--Alabama, New Mexico and South Dakota--do not currently have a law requiring consumer notification of security breaches involving personal information (see also NCSL's Security Breach Statutes). 

Enacted bills are highlighted in bold below. 

ALABAMA
H.B. 564
Status: Failed. Adjourned.
Related to protection of student data containing personal information; requires notification of data breaches to subjects; and allows the Attorney General to investigate. Sets limits on student data that may not be collected; provides what data may be used on a local level to a minimum degree for clearly stated academic purposes; sets limits on the state government and data collection systems and programs in order to protect students and parents from invasive government practices; protects the civil liberties of students and parents which are foundational to strong academics, freedom of speech, and progress.

S.B. 106
Status: June 3, 2015; Failed. Adjourned
Relates to the protection of data containing personal information; requires notification of data breaches to the Attorney General and consumers; provides for disposal of records; provides for civil penalties.

ALASKA
S.B. 3
Status: Pending. Carryover.
Relates to the collection, storage, and handling of student data. Provides for a detailed data security plan for collecting, maintaining, and sharing student data that addresses breach planning, notification, and procedures, among other provisions.

ARKANSAS
H.B. 1691
Status: Failed. Died in House Committee at Sine Die adjournment
Creates the information practices act of 2015; protects the right to privacy to restrict access to certain government records containing personal information.

H.B. 1828
Status: April 2, 2015; Withdrawn by author. 
Ensures that the personally identifiable information of students is protected; limits disclosure or access to personally identifiable information of students; relates to the Department of Education; relates to a state-supported institution of higher education.

ARIZONA
S.B. 1306
Status: April 2, 2015; In House. Read third time. Failed to pass House.
Relates to schools and data privacy. Requires planning for a possible breach of data security, including notification procedures.

S.B. 1464
Status: Failed--Adjourned.
Relates to students and teacher data collection; relates to prohibitions. Requires planning for a possible breach of data security, including notification procedures.

CALIFORNIA
A.B. 259
Status: Aug. 27, 2015; In Senate Committee on Appropriations. Held in Committee.
Requires an agency, if the agency was the source of the breach and the breach compromised a person's social security number, driver's license number, or California identification card number, to offer to provide the person with identity theft prevention and mitigation services at no cost for not less than 12 months.

A.B. 739
Status: May 12, 2015; Pending
Makes nonsubstantive changes to existing law that requires a person or business conducting business, that owns or licenses computerized data that includes personal information, to disclose a breach of the security of the system or data following discovery or notification of the security breach to any resident whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person, unless the information was encrypted.

A.B. 964
Status: Oct. 6, 2015; Signed by Governor. Chap. 522
Defines encrypted for purposes of existing law that provides the regulation of entities that own or license computerized data that includes personal information to disclose a breach of the security of the system or data to any State resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

S.B. 34
Status: May 7, 2015; Passed Senate; To Assembly
Imposes specified requirements on an automated license plate recognition operator to ensure that the information the operator collects is protected with certain safeguards, and implements specified security procedures and a usage and privacy policy with respect to that information; requires notification to California residents subject to a breach, and in certain circumstances to the Attorney General.

S.B. 570
Status: Oct. 6, 2015; Signed by Governor. Chap. 543
Makes nonsubstantive changes to existing law requiring a person or business conducting business that owns or licenses computerized data that includes personal information to disclose a breach of the security of the system in the most expedient time possible and without unreasonable delay, as specified.

COLORADO
H.B. 1199
Status: Postponed indefinitely. Failed.
Relates to the Student and Teacher Data Privacy and Security Act. Establishes a minimum protocol for an education institution or state agency to follow in the case of a security breach or unauthorized disclosure of personally identifiable information.

S.B. 173
Status: May 1, 2015; Senate refused to concur in House amendments.
Concerns expanding protections for student data security. Requires notice to the parent or legal guardian if there is a security breach or other unauthorized disclosure of his or her child's information. Prohibits vendors using information acquired through the site or service to create a profile of a student; prohibits vendors from selling a student's information and disclosing covered student information; allows vendors to delete a student's data at the request of the school or school district and disclose covered student information if required by state or federal law; allows vendors to implement and maintain security procedures and practices.

CONNECTICUT
S.B. 949
Status: June 30, 2015; Signed by Governor. Public Act 15-142
Improves data security and agency effectiveness; implements the Governor's budget recommendations.

GEORGIA
S.B. 157
Status: Pending. Carryover
Relates to general provisions relating to education; establishes limitations and requirements regarding student data; provides for definitions; provides for limitations on the collection of student information; provides for limitations on the disclosure of personally identifiable information to third parties; provides for penalties and enforcement; provides for related matters; provides for an effective date and applicability; repeals conflicting laws.

HAWAII
S.B. 1186
Status: Pending. Carryover.
Expands definition of "personal information"; establishes or amends the timeline by which a business or government agency must notify persons affected by a security breach of personal information; specifies additional information required in notification following certain security breaches; prohibits the use of email as a means of notification of a security breach if login credentials for email were compromised.

S.R. 41
Status: Pending
Requests the information privacy and security council, in cooperation with the state chief information officer council, to assess existing procedures of notification following the breach of personal information.

SCR 88
Status: Adopted.
Requests the information privacy and security council, in cooperation with the state chief information officer council, to assess existing procedures of notification following the breach of personal information.

ILLINOIS
H.B. 1260
Status: Pending. 
Amends the Personal Information Protection Act; includes breaches of security involving medical information, health insurance information, and certain unique biometric data to the types of breaches for which notice is required; adds requirements concerning notices on breaches involving a user name or email address in combination with a password or security question and answer; permits substitute notices; requires notice to the Attorney General; provides the notification and notice timelines.

H.B. 3188
Status: Pending. 
Amends the Personal Information Protection Act; expands the scope of information to be protected to include medical, health insurance, biometric, consumer marketing, and geolocation information; requires notice of breaches of security to be provided to the Attorney General; requires privacy policies to be posted.

H.B. 3652
Status: Pending. 
Amends the Personal Information Protection Act; expands the scope of the Act to cover private contact information; limits the transfer of private contact information.

S.B. 1833
Status: Sept. 24, 2015; Failed-Amendatory Veto.  
Amends the Personal Information Protection Act; expands the scope of information to be protected to include medical, health insurance, and biometric information; requires notice of breaches of security to be provided to the Attorney General; requires privacy policies to be posted; provides for the scope of the notice required with respect to breaches of certain personal information and for notice to the Attorney General; provides for compliance by certain data collectors.

INDIANA
H.B. 1243
Status: Failed. Adjourned
Prohibits access to personally identifiable student information obtained from education records to outside parties without the consent of the student or student's parent except under certain circumstances; prohibits the commercial use of student information without consent; sets forth requirements for data repositories of education records; provides for enforcement by the attorney general and civil penalties for noncompliance.

S.B. 413
Status: Failed. Adjourned
Makes the following changes to the statute concerning the breach of the security of data that includes the personal information of Indiana residents and that is collected and maintained by a person other than a state agency or the judicial or legislative department of state government: specifies that the statute is not limited to breaches of computerized data; repeals the definition of a term that is not used in the statute; replaces the term "data base owner" with "data owner"; defines the term "data."

KENTUCKY
H.B. 33
Status: Failed. Adjourned.
Requires the state board of education to ensure that access to any student or teacher information collected by the Kentucky Department of Education or by vendors contracted by the department or by local school districts is restricted to the fulfillment of contractual obligations for processing data on behalf of the school district and the schools. Specifies data security and breach notification obligations and procedures consistent with KRS 61.931 to 61.934.

MAINE
H.B. 851
Status: Failed
This bill establishes data privacy practices for the Department of Education and school administrative units. It prohibits the department and school administrative units from disclosing personally identifiable information about students without the written consent of the parents of children under 18 years of age and the written consent of the students themselves when the students are at least 18 years of age. There are specific exceptions to the prohibitions, including provisions related to a security breach or unauthorized disclosure of personally identifiable information.

MARYLAND
S.B. 548
Status: Failed. Adjourned
Requires a business, when destroying a customer's records that contain certain personal or private information of the customer, to take certain steps to protect against unauthorized access to or use of the information; requiring a certain business to implement and maintain certain procedures and practices to protect against the unauthorized access, use, modification, or disclosure of the personal or certain private information under certain circumstances; requiring a certain business that owns or licenses computerized data that includes certain personal or private information of an individual residing in the state to implement and maintain certain security procedures and practices under certain circumstances; altering the circumstances under which a certain business that owns, licenses, or maintains computerized data that includes certain private information of an individual residing in the state must conduct a certain investigation and notify certain persons of a breach of the security of a system; specifying the time at which certain notice must be given; altering the contents of the notice; defining certain terms; altering certain definitions; making certain conforming changes; providing for the application of a certain provision of this Act; and generally relating to the protection of personal or private information contained in the records of businesses, owned or licensed by businesses, or included in computerized data owned, licensed, or maintained by businesses.

MASSACHUSETTS 
S.B. 124
Status: Pending
Relates to protecting biometric information under the security breach law.

S.B. 184
Status: Pending
Relates to the security of personal financial information.

S.B. 530
Status: Pending
Relates to protecting the privacy of student data.

S.B. 545
Status: Pending
Relates to the security of personal financial information. Whenever there is a breach of the security of the system of a person or entity that has without authorization retained certain financial card information, that person or entity shall be liable to the financial institution that issued any card access devices affected by the data breach for all resulting damages.

MISSOURI
H.B. 1240
Status: Failed. Adjourned
Specifies protections for the privacy of student data.

S.B. 530
Status: Failed. Adjourned
Provides for a breach-remediation plan for education records and requires reporting of breaches of education records.

MONTANA 
H.B. 74
Status: Feb. 27, 2015; Signed by governor. Chap. 74
Revises data system security breach notification laws; requires the Attorney General and Insurance Commissioner to be notified of a data system security breach.

H.B. 123
Status: April 29, 2015; Signed by governor. Chap. 348
Upon discovery or notification of a breach of the security of a data system, a state agency that maintains computerized data containing personal information in the data system shall make reasonable efforts to notify any person whose unencrypted personal information was or is reasonably believed to have been acquired by an unauthorized person.

NEVADA
S.B. 72
Status: Failed. Adjourned
Expands current law to require the Division of Enterprise Information Technology Services to investigate and resolve attempted breaches (in addition to actual breaches) of an information system of a state agency or elected officer.

NEW HAMPSHIRE
H.B. 322
Status: June 12, 2015; Signed by Governor. Chap. 136
Requires the department of education to implement additional procedures to protect student and teacher personally identifiable data from security breaches; the bill also requires the department of education to make public certain rights available to parents, legal guardians, and affected students regarding the protection of personally identifiable data.

NEW JERSEY
A.B. 1239
Status: Pending. Carryover
Prohibits retail sales establishment from storing certain magnetic-stripe data; requires reimbursement for costs incurred by financial institution due to breach of security.

A.B. 1329
Status: Pending. Carryover
Revises penalties imposed on businesses for failure to report security breach of computer system.

A.B. 2480
Status: Pending. Carryover
Requires certain notifications and free credit reports for customers following breach of security of personal information within business or public entity.

A.B. 3146
Status: Dec. 15, 2014; Passed Assembly. To Senate.
Requires disclosure of breach of security of an online account; relates to an email address, or any other account holder identifying information, in combination with any password or security question and answer that would permit access to an online account.

S.B. 965
Status: Pending. Carryover
Prohibits retail sales establishment from storing certain magnetic-stripe data; requires reimbursement for costs incurred by financial institution due to breach of security.

S.B. 2188
Status: Pending. Carryover
Requires businesses and public entities that compile or maintain computerized records to disclose to consumers if there has been a breach of security of information that would permit access to an online account; adds user names and email addresses in combination with any password or security question and answer that would permit access to an online account to the list of breaches requiring disclosure.

S.B. 2261
Status: Pending. Carryover
Requires certain notifications and free credit reports for customers following breach of security of personal information within business or public entity.

NEW MEXICO
H.B. 217
Status: March, 2015; Failed. Adjourned.
Relates to consumer protection; creates the Data Breach Notification Act; requires notification to persons affected by a security breach involving personal identifying information; requires secure storage and disposal of data containing personal identifying information; requires notification to consumer reporting agencies, the office of the attorney general and card processors in certain circumstances; provides an action for civil liability by card issuers for a breach of access device data.

NEW YORK
A.B. 307
Status: Pending. 
Relates to the protection of personal information by businesses.

A.B. 5925
Status: Pending
Amends the General Business Law; relates to imposing a five-day time limit during which to disclose a breach in the security of a system.

A.B. 6811
Status: Pending
Requires a payroll card issuer to disclose any breach of security to all affected cardholder employees and the employer of such employees within twenty-four hours of such breach, or as soon as reasonably practicable.

A.B. 6866
Status: Pending
Relates to the data security act.

S.B. 4073
Status: Pending.
Amends the General Business Law; establishes the New York State Online Privacy Protection and Internet Safety Act; Creates a data breach group, to consist of the attorney general, the secretary of state, the commissioner of the division of homeland security and emergency services, the chief information officer of the office of information technology services, and others. Its purposes shall be: to receive, evaluate, and act on any report of a security breach; to maintain database records and reports concerning security breaches; to establish cooperative working relationships with federal, state, and local police and investigators; and to insure appropriate and timely public notification of security breaches. 

S.B. 4685
Status: Pending
Requires a payroll card issuer to disclose any breach of security to all affected cardholder employees and the employer of such employees within twenty-four hours of such breach, or as soon as reasonably practicable.

S.B. 4887
Status: Pending
Relates to the data security act. Expands the definition of personal information to include biometric information; a user name or email with a password or security question and answer that would permit access to an online account; or any unsecured protected health information.

NORTH DAKOTA
S.B. 2214
Status: April 13, 2015; Signed by Governor.
Relates to security breach notification; requires any person that conducts business in the state to disclose by mail any breach to the attorney general.

S.B. 2326
Status: April 13, 2015; Signed by Governor.
Requires the statewide longitudinal data systems committee to establish protocols, including procedures, for the notification of students and parents, in the event of a data breach involving the statewide longitudinal data system.

S.C.R. 4012
Status: March 23, 2015; Adopted
Directs the Legislative Management to study the privacy, security, and data sharing Laws in North Dakota, the effectiveness of federal privacy, security, and data sharing Laws and the Laws of other states, the interaction of federal and state laws, and whether current privacy, security, and data sharing protections meet the reasonable expectations of the citizens of North Dakota.

OREGON
S.B. 601
Status: June 10, 2015; Signed by Governor. Chap. 357
Expands definition of "personal information" for purposes of Oregon Consumer Identity Theft Protection Act; requires person that owns, maintains or otherwise possesses personal information, or person that maintains or possesses personal information on another person's behalf, to report breach of security to Attorney General in addition to reporting breach of security to affected consumer.

PENNSYLVANIA
H.B. 668
Status: Pending
Amends the act of December 22, 2005, known as the Breach of Personal Information Notification Act; provides that if a state agency is the subject of a breach of security of the system, the state agency shall provide notice of the breach.

S.B. 753
Status: Pending
Amends the act of December 22, 2005 (P.L.474, No.94), known as the Breach of Personal Information Notification Act. Provides that if an entity required to provide notification offers to provide appropriate identity theft prevention and mitigation services, the services must be provided at no cost to the affected individuals for not less than 12 months. In addition, the entity may explain action taken by the entity to protect the individuals whose personal information has been breached and steps that the individuals may take to protect themselves.

RHODE ISLAND
H.B. 5220
Status: July 2, 2015; Signed by Governor. Public Law 2015-148
Requires any municipal agency, state agency or person that stores, collects, processes, maintains, acquires, uses, owns or licenses data that includes personal information, to provide notification of any disclosure of personal information, or any breach of the security of the system, which poses a risk of identity theft to any resident of Rhode Island whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person or entity.

S.B. 134
Status: June 26, 2015; Signed by Governor. Public Law 2015-138
Requires any municipal agency, state agency or person that stores, collects, processes, maintains, acquires, uses, owns or licenses data that includes personal information, to provide notification of any disclosure of personal information, or any breach of the security of the system, which poses a risk of identity theft to any resident of Rhode Island whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person or entity.

SOUTH CAROLINA
S.B. 402
Status: Pending
Relates to a breach of security of state agency data that includes personal identifying information; revises the definition of personal identifying information for these purposes.

TENNESSEE
H.B. 193
Status: March 16, 2015; Substituted on House floor by S.B. 416.
Relates to State Comptroller; requires state agencies to notify the comptroller of the treasury of any breach of a computer information system or unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of the computer information system.

S.B. 416
Status: March 31, 2015; Signed by Governor. Chap. 42. 
Relates to Comptroller; relates to State; requires state agencies to notify the comptroller of the treasury of any breach of a computer information system or unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of the computer information system.

TEXAS
H.B. 896
Status: May 28, 2015; Signed by Governor. Chap. 154
Amends the Breach of Computer Security law provisions relating to the prosecution of the offense of breach of computer security--expands provisions related to unauthorized access of computer systems.

H.B. 3478
Status: Failed. Adjourned.
Relates to a breach of system security of a business that exposes consumer credit card or debit card information; provides a civil penalty.

S.B. 345
Status: Failed. Adjourned.
Relates to the prosecution of the offense of breach of computer security.

UTAH
H.B. 163
Status: March 24, 2015; Signed by Governor. Chap. 117  
Amends provisions related to student data privacy breaches.

VIRGINIA
H.B. 2350
Status: March 23, 2015; Signed by Governor. Chap. 561
Relates to Department of Education; relates to student data security; directs the Department to develop a model data security plan that may be used by school divisions to implement policies and procedures related to the protection of student data and data systems; provides that the Department would also be required to designate a chief data security officer to assist local school divisions with the development.

H.B. 2362
Status: Feb. 10, 2015; Failed
Requires the Chief Information Officer of the Commonwealth to include in the policies, procedures, and standards required to be developed for the protection of confidential data maintained by state agencies requirements for prompt notification of affected citizens of the Commonwealth in the event of a breach of the security of state government electronic information from unauthorized uses, intrusions, or other security threats.

WASHINGTON
H.B. 1078
Status: April 23, 2015; Signed by Governor. Chap. 64
Enhances the protection of consumer financial information. Provides that notice of a breach is not required if the breach of the security of the system is not reasonably likely to subject consumers to a risk of criminal activity. Makes changes in notification requirements.

H.B. 1469
Status: Pending. Carryover.
Provides that if a data security breach resulting in the compromise of payment credentials collected by the state occurs at a third-party institution, and if that institution is found not to have been fully compliant with PCI security standards at the time of the breach, that institution shall be fully financially liable for the damages resulting from the breach. Damages may include costs of notification, credit monitoring, identity theft prevention measures, or any other remedies provided under relevant data breach laws.

S.B. 5047
Status: Pending. Carryover
Enhances the protection of consumer financial information. Provides that notice of a breach is not required if the breach of the security of the system is not reasonably likely to subject consumers to a risk of criminal activity. Makes changes in notification requirements.

WYOMING
S.B. 35
Status: March 2, 2014; Signed by Governor, Chapter 65
Relates to consumer protection; specifies notice requirements to consumers affected by breaches of personal identifying information; provides the requirements for breach notification content; relates to computer security breaches.

S.B. 36
Status: March 2, 2014; Signed by Governor, Chapter 63 
Relates to crimes and offenses and consumer protection; amends definitions relating to personal identifying information to include person information, financial information, computer user names and email addresses, medical information, health insurance information, unique biometric data, and individual taxpayer identification numbers.
