2016 Security Breach Legislation

11/29/2016

At least 26 states in 2016 introduced/considered security breach notification bills or resolutions.

Most of these bills would amend existing security breach laws applicable to business, government or educational institutions. Security breach laws require that consumers or citizens be notified if their personal information is breached. Some of the changes would:

  • Expand the definition of "personal information" (e.g., to include medical, insurance or biometric data) in cases of a security breach.
  • Add to or change requirements as to who must comply with notification requirements.
  • Require businesses or government entities to implement security measures.
  • Require educational institutions to notify parents or government entities if a breach occurs.

As of Nov. 2016, only three states—Alabama, New Mexico and South Dakota—had no law requiring consumer notification of security breaches involving personal information (see also NCSL's Security Breach Statutes).

2016 Legislation

Alabama

H.B. 267
Status: Failed-adjourned.
Relates to public prekindergarten, elementary, and secondary education; limits the collection and disclosure of student and teacher information to specific academic purposes; provides for notification of breaches; provides civil penalties for violations.

H.B. 291
Status: Failed-adjourned.
Relates to consumer protection; requires specified entities to take generally acceptable industry practices and measures to protect and secure data containing sensitive personally identifying information in paper or electronic form; requires the entities to notify the Attorney General of data security breaches; requires notice to individuals and credit reporting agencies of data security breaches in certain circumstances; provides for the disposal of customer records.

S.B. 238
Status: Failed-adjourned.
Relates to consumer protection; requires specified entities to take generally acceptable industry practices and measures to protect and secure data containing sensitive personally identifying information in paper or electronic form; requires the entities to notify the Attorney General of data security breaches; requires notice to individuals and credit reporting agencies of data security breaches in certain circumstances; provides for the disposal of customer records.

Alaska

S.B. 3
Status: Failed-adjourned. 
Relates to the collection, storage, and handling of student data. Provides for a detailed data security plan for collecting, maintaining, and sharing student data that addresses breach planning, notification, and procedures, among other provisions.

Arizona

H.B. 2363
Status: April 5, 2016; Signed by Governor. Chap. 102
Relates to personal information; relates to breach; relates to business associates.

H.B. 2666
Status: May 19, 2016; Signed by Governor. Chap. 372
Provides that state, local or federal entities, or their contractors or subcontractors, may not make public any unemployment insurance information that identifies an individual or the individual’s employer. Provides that any unauthorized disclosure or security breach shall be reported to the Department and the Office of Economic Opportunity immediately.

California

A.B. 259
Status: Failed.
Requires an agency, if the agency was the source of the breach and the breach compromised a person's social security number, driver's license number, or California identification card number, to offer to provide the person with identity theft prevention and mitigation services at no cost for not less than 12 months.

A.B. 739
Status: Failed
Makes nonsubstantive changes to existing law that requires a person or business conducting business, that owns or licenses computerized data that includes personal information, to disclose a breach of the security of the system or data following discovery or notification of the security breach to any resident whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person, unless the information was encrypted.

A.B. 2828
Status: Sept. 13, 2016, Signed by Governor. Chap. 337.
Relates to breaches of the security of data. Existing law requires a person or business conducting business in California, and any agency, that owns or licenses computerized data that includes personal information to disclose a breach of the security of the data to a resident of the state whose unencrypted personal information was acquired by an unauthorized person. This bill extends that disclosure requirement to a resident whose encrypted personal information was acquired by an unauthorized person.

S.B. 34
Status: Pending
Imposes specified requirements on an automated license plate recognition operator to ensure that the information the operator collects is protected with certain safeguards, and implements specified security procedures and a usage and privacy policy with respect to that information; requires notification to California residents subject to a breach, and in certain circumstances to the Attorney General.

S.B. 1444
Status: Failed
Requires a state agency that owns or licenses computerized data that includes personal information to prepare a mitigation and response plan for breach of the database that contains the personal information.

Connecticut

H.B. 3546
Status: Failed-adjourned.
Concerns state agency confidentiality based on a program review and investigations committee study. Requires the Commissioner of Public Health, in consultation with the Secretary of the Office of Policy and Management, to develop and implement internal policies to protect confidential information, including plans for notification of a breach of security.

Florida

H.B. 1033
Status: March 25, 2016; Signed by Governor. Chap. 138
Relates to information technology security; provides Technology Advisory Council requirements; relates to the Council's membership; authorizes Agency for State Technology to impose service charges upon state agencies for information technology projects; reassigns certain Agency duties to chief information security officer; provides for computer security incident response teams; provides for training programs; requires risk assessments; requires notification of data security breaches.

H.B. 1037
Status: Failed
Relates to public records; creates exemptions from specified requirements for certain records held by a state agency which identify detection, investigation, or response practices for suspected or confirmed information technology security incidents and for certain portions of risk assessments, evaluations, external audits, and other reports; authorizes disclosure of confidential and exempt information; provides for retroactive application; provides for future legislative review and repeal.

S.B. 624
Status: March 25, 2016; Signed by Governor. Chap. 1
Relates to public records; creates exemptions for certain records which identify detection, investigation, or response practices for suspected or confirmed state agency information technology security breaches and for certain portions of risk assessments, evaluations, external audits, and other reports of a state agency's information technology program; authorizes disclosure of confidential and exempt information to certain agencies and officers.

Georgia

H.B. 414
Status: Failed-adjourned.
Relates to elementary and secondary education; establishes and implements policies and requirements with respect to the collection and disclosure of student data; provides for a Department of Education leader to serve as the chief privacy officer; provides disclosures and requirements for the state data system; provides for student data collection and reporting restrictions; provides for a detailed data security plan for the state data system; provides for parental rights to inspect and correct the data. Requires plans for responding to security breaches, including notifications, remediations, and related procedures.

S.B. 157
Status: Failed-adjourned.
Relates to general provisions relating to education; establishes limitations and requirements regarding student data; provides for definitions; provides for limitations on the collection of student information; provides for limitations on the disclosure of personally identifiable information to third parties; provides for penalties and enforcement; provides for related matters; provides for an effective date and applicability; repeals conflicting laws.

S.B. 276
Status: Failed-adjourned. 
Relates to identity theft; enacts the Georgia Personal Data Security Act; provides for related matters; repeals conflicting laws.

S.B. 306
Status: Failed-adjourned.
Relates to identity theft; removes telephone notification as a permissible means of informing a person of a potential breach of security involving personal information; provides for a free consumer credit report security freeze placement or removal for individuals notified of a potential breach of security involving their personal information; provides for related matters; repeals conflicting laws.

Hawaii

S.B. 1186
Status: Failed.
Expands definition of "personal information"; establishes or amends the timeline by which a business or government agency must notify persons affected by a security breach of personal information; specifies additional information required in notification following certain security breaches; prohibits the use of email as a means of notification of a security breach if login credentials for email were compromised.

S.R. 41
Status: Failed.
Requests the information privacy and security council, in cooperation with the state chief information officer council, to assess existing procedures of notification following the breach of personal information.

S.B. 2485
Status: Failed.
Makes businesses strictly liable for damages to a consumer resulting from a security breach, regardless of disclaimers of liability.

Illinois

H.B. 1260
Status: May 6, 2016; Signed by Governor; Public Act 503
Amends the Personal Information Protection Act; includes breaches of security involving electronic medical information, health insurance information, claims information and unique biometric data to the types of breaches for which notice is required; requires notices on breaches of online accounts involving a user name or email address in combination with a password or security questions; permits substitute notices; requires notice to the Attorney General; provides notification and notice timelines.

H.B. 3188
Status: Pending-carryover.
Amends the Personal Information Protection Act; expands the scope of information to be protected to include medical, health insurance, biometric, consumer marketing, and geolocation information; requires notice of breaches of security to be provided to the Attorney General; requires privacy policies to be posted.

H.B. 3652
Status: Pending. 
Amends the Personal Information Protection Act; expands the scope of the Act to cover private contact information; limits the transfer of private contact information.

Indiana

H.B. 1357
Status: Failed-adjourned.
Makes the following changes to the statute concerning the breach of the security of data that includes the sensitive personal information of Indiana residents and that is collected and maintained by a person other than a state agency or the judicial or legislative department of state government: specifies that the statute is not limited to breaches of computerized data; repeals the definition of a term that is not used in the statute; replaces the term "data base owner" with "data owner" and defines that term.

Iowa

S.B. 2279
Status: March 30, 2016. Signed by Governor. 
Provides that a state credit union shall maintain an information security response program, including notification procedures, in the event of a data breach and in accordance with federal law. The bill also states that state credit unions that experience a security breach may be subject to the provisions of Code chapter 715C, which relates to criminal penalties for personal information security breach protection.

Louisiana

S.B. 103
Status: Failed-adjourned.
Provides for notification to the commissioner of insurance of breaches of data security in systems containing certain personal information relating to consumers.

Massachusetts

S.B. 124
Status: Pending
Relates to protecting biometric information under the security breach law.

S.B. 184
Status: Pending
Relates to the security of personal financial information.

S.B. 545
Status: Pending
Relates to the security of personal financial information. Whenever there is a breach of the security of the system of a person or entity that has without authorization retained certain financial card information, that person or entity shall be liable to the financial institution that issued any card access devices affected by the data breach for all resulting damages.

Michigan

H.B. 5740
Status: Pending
Requires disclosure of security breach in annual statement to director.

H.B. 5948
Status: Pending
Provides for database security breach policy for state agencies.

Minnesota

H.B. 2762
Status: Failed-adjourned.
Relates to education; directs the commissioner of education to develop a detailed plan to ensure the privacy and security of students' personally identifiable information, including education and workforce data. Requires plans, notices, and mitigation procedures for responding to data breaches, among other such policies and protocols.

Mississippi

H.B. 1307
Status: Failed
Prohibits a third party entity with whom a state agency has contracted from establishing a right of ownership in personal data for purposes of mining, selling or releasing it to other entities. Provides that a third party entity that is provided data by a state agency or collects or maintains data on a state agency's behalf shall be liable for any breach of that data.

S.B. 2786
Status: Failed
Prohibits a third party entity with whom a state agency has contracted to provide the personal information or business information of an individual for collection and maintenance from establishing a right of ownership in the data for purposes of mining, selling or releasing it to other entities.

Missouri

S.B. 989
Status: Failed-adjourned.
Enacts multiple provisions to protect the privacy of student data.

Nebraska

L. 835
Status: April 13, 2016. Signed by Governor
Expands breach of security provisions to include paper; changes definitions related to encryption.

New Jersey 

A.B. 311
Status: Pending 
Requires disclosure of breach of security of online account.

A.B. 1970
Status: Pending 
Prohibits retail sales establishment from storing certain magnetic-stripe data; requires reimbursement for costs incurred by financial institution due to breach of security.

A.B. 3762
Status: Pending 
Requires certain notifications and free credit reports for customers following breach of security of personal information within business or public entity.

S.B. 439
Status: Pending.
Requires disclosure of breach of security of online account.

S.B. 1953
Status: Pending. 
Prohibits retail sales establishment from storing certain magnetic-stripe data; requires reimbursement for costs incurred by financial institution due to breach of security.

New Mexico

H.B. 325
Status: Failed--adjourned. 
Relates to consumer protection; creates the data breach notification act; requires notification to persons affected by a security breach involving personal identifying information; requires secure storage and disposal of data containing personal identifying information; requires notification to consumer reporting agencies, the office of the attorney general and card processors in certain circumstances; provides civil penalties.

New York

A.B. 307
Status: Pending 
Relates to the protection of personal information by businesses.

A.B. 5925
Status: Pending
Amends the General Business Law; relates to imposing a five-day time limit during which to disclose a breach in the security of a system.

A.B. 6811
Status: Pending
Requires a payroll card issuer to disclose any breach of security to all affected cardholder employees and the employer of such employees within 24 hours of such breach, or as soon as reasonably practicable.

A.B. 6866
Status: Pending
Relates to the data security act.

A.B. 10475
Status: Pending
Amends the general business law and the state technology law, in relation to notification of a security breach; relates to certain biometric information used to authenticate an individual's identity. 

S.B. 4073
Status: Pending
Amends the General Business Law; establishes the New York State Online Privacy Protection and Internet Safety Act; Creates a data breach group, to consist of the attorney general, the secretary of state, the commissioner of the division of homeland security and emergency services, the chief information officer of the office of information technology services, and others. Its purposes shall be: to receive, evaluate, and act on any report of a security breach; to maintain database records and reports concerning security breaches; to establish cooperative working relationships with federal, state, and local police and investigators; and to insure appropriate and timely public notification of security breaches. 

S.B. 4685
Status: Pending
Requires a payroll card issuer to disclose any breach of security to all affected cardholder employees and the employer of such employees within 24 hours of such breach, or as soon as reasonably practicable.

S.B. 4887
Status: Pending
Relates to the data security act. Expands the definition of personal information to include biometric information; a user name or email address in combination with a password or security question and answer that would permit access to an online account; or any unsecured protected health information.

S.B. 6834
Status: Pending
Relates to notification of a security breach; relates to credit and debit card; increases civil penalties.

S.B. 7437
Status: Pending
Relates to the timeliness of disclosure of a breach of the security of a system which contains private information. 

Pennsylvania

H.B. 668
Status: Failed-adjourned.
Amends the act of Dec. 22, 2005, known as the Breach of Personal Information Notification Act; provides that if a state agency is the subject of a breach of security of the system, the state agency shall provide notice of the breach.

S.B. 753
Status: Failed-adjourned.
Amends the act of Dec. 22, 2005 (P.L.474, No.94), known as the Breach of Personal Information Notification Act. Provides that if an entity required to provide notification offers to provide appropriate identity theft prevention and mitigation services, the services must be provided at no cost to the affected individuals for not less than 12 months. In addition, the entity may explain action taken by the entity to protect the individuals whose personal information has been breached and steps that the individuals may take to protect themselves.

H.B. 1910
Status: Failed-adjourned.
Amends the act of Dec. 22, 2005 (P.L.474, No.94), known as the Breach of Personal Information Notification Act; provides definitions.

H.B. 1911
Status: Failed-adjourned.
Amends the act of Dec. 22, 2005 (P.L.474, No.94), known as the Breach of Personal Information Notification Act; provides definitions.

S.B. 1048
Status: Failed-adjourned.
Amends the Breach of Personal Information Notification Act; prohibits employees of the Commonwealth from using nonsecured Internet connections; requires encryption; requires notification by state agencies within a specified time of discovery of the breach; includes health insurance information, medical information, user names, e-mail addresses and passwords; relates to compliance by persons and business associates subject to the Health Insurance Portability and Accountability Act.

Rhode Island

H.B. 7707
Status: Pending
Would reduce the time a person or governmental agency who stores personal information has to disclose a breach of that information's security from forty-five (45) days to fourteen (14) days and specifies that breaches affecting more than five hundred (500) people must be reported to the Attorney General and the major credit bureaus within twenty-four (24) hours. This act would take effect upon passage.

S.B. 2600
Status: Pending
Would reduce the time a person or governmental agency who stores personal information has to disclose a breach of that information's security from forty-five (45) days to fourteen (14) days and specifies that breaches affecting more than five hundred (500) people must be reported to the Attorney General and the major credit bureaus within twenty-four (24) hours. This act would take effect upon passage.

South Carolina

S.B. 402
Status: Failed-adjourned.
Relates to a breach of security of state agency data that includes personal identifying information; revises the definition of personal identifying information for these purposes.

Tennessee

H.B. 1631
Status: Failed-adjourned.
Relates to consumer protection; redefines the time period within which a business must notify a consumer if the consumer's personal information that was held by the business was obtained by an unauthorized person from immediate notification to no later than 14 days; includes employees of the business who use the information in an unlawful manner as unauthorized persons, thus triggering the notice requirements.

S.B. 2005
Status: March 24, 2016; Signed by Governor. Chap. 692
Relates to consumer protection; redefines the time period within which a business must notify a consumer if the consumer's personal information that was held by the business was obtained by an unauthorized person from immediate notification; includes employees of the business who use the information in an unlawful manner as unauthorized persons, thus triggering the notice requirements.

Vermont

H.B. 722
Status: Failed-adjourned.
Enhances protections for victims of a security breach.

Washington

H.B. 1469
Status: Failed-adjourned.
Provides that if a data security breach resulting in the compromise of payment credentials collected by the state occurs at a third-party institution, and if that institution is found not to have been fully compliant with PCI security standards at the time of the breach, that institution shall be fully financially liable for the damages resulting from the breach. Damages may include costs of notification, credit monitoring, identity theft prevention measures, or any other remedies provided under relevant data breach laws.

S.B. 5047
Status: Failed-adjourned.
Enhances the protection of consumer financial information. Provides that notice of a breach is not required if the breach of the security of the system is not reasonably likely to subject consumers to a risk of criminal activity. Makes changes in notification requirements.
