2018 Security Breach Legislation

2/8/2019

Introduction

A photo of a an open padlock and broken chain on top of a silver laptop keyboard.New laws in Alabama and South Dakota in March 2018 brought the number of states with security breach notification bills to 50.  States have enacted security breach notification laws that require businesses or government to notify consumers or citizens if their personal information is breached.

Even so, lawmakers in other states are still working to protect consumers in the face of continuing data breaches. At least 31 states, Puerto Rico and D.C. in 2018 are considering measures that would amend existing security breach laws.

For example, since the Equifax data breach in 2017, several states introduced legislation that would provide for free credit freezes for victims of data breaches or that are otherwise aimed at credit bureaus or financial institutions. Other bills would amend breach laws to expand the definition of "personal information," to set specific timeframes within which a breach must be reported, or require reporting to the state's attorney general. In addition, several bills would require notification in the case of breaches of student information.  

Note: Although this list includes some state legislation related to consumer report credit freezes when part of existing breach laws or when tied to a breach, it does not include all bills that relate to consumer report credit freezes.

Please check individual legislative websites for the most current status, summaries and versions of bill text.

2018 Legislation

Alaska

S.B. 93
Status: Failed--adjourned
Relates to security freezes on the credit reports or records of incapacitated persons and certain minors.

Alabama

H.B. 410
Status: Failed--adjourned
Relates to consumer protection, requires certain entities to provide notice to certain persons upon a breach of security that results in the unauthorized acquisition of sensitive personally identifying information.

S.B. 318
Status: Enacted, Act No. 2018-396
Relates to consumer protection, requires certain entities to provide notice to certain persons upon a breach of security that results in the unauthorized acquisition of sensitive personally identifying information.

Arizona

H.B. 2154
Status: Enacted, Chap. 177
Relates to personal information, relates to data security breaches.

California

S.B. 1121
Status: Enacted, Chap. 266
Provides that any consumer whose nonencrypted or nonredacted personal information is subject to a breach due to the business's violation of the duty to implement and maintain reasonable security procedures and practices may institute a civil action, as specified.

Colorado

H.B. 1128
Status: Enacted, Chap. 266
Concerns strengthening protections for consumer data privacy.

Connecticut

S.B. 472
Status: Enacted, Chap. 18-90
Concerns fees for security freezes on credit reports, notification of a consumer’s decision to place or remove a security freeze on a credit report and the duration of certain identity theft prevention services required after a data breach; prohibits credit rating agencies from charging a fee to consumers to place or remove a security freeze from the consumer’s account; requires credit rating agencies to notify other credit rating agencies of a consumer’s request.

Georgia

H.B. 82
Status: Failed--adjourned
Relates to notification required upon breach of security regarding personal information, to provide that information brokers and data collectors shall provide notice when personal information maintained on individuals by such information broker or data collector is released to unauthorized persons, whether such release is intentional, inadvertent, or accidental, provides for related matters, provides an effective date, repeals conflicting laws.

H.B. 499
Status: Failed--adjourned
Enacts the Personal Data Security Act, improves systems and procedures for providing and regulating notifications of data breaches affecting residents, revises legislative findings and declarations, modifies definitions, modifies when notices of certain security breaches are required and to provide for the contents of such notices, requires certain entities to maintain certain data security procedures, requires that certain notices of a data breach be sent to certain officials.

H.R. 1613
Status: Failed--adjourned
Urges the federal government to address the issue of data security breaches and enact a uniform national data breach law.

Hawaii

H.B. 2342
Status: Enacted, Chap. 22
Eliminates the fee charged by a consumer reporting agency to place, lift, or remove a security freeze requested by a consumer, protected consumer, or a protected consumer's representative; allows a consumer to request a security freeze at any time.

S.B. 2259
Status: Failed--adjourned
Requires state consumers, who are required to receive a Summary of Rights under the federal Fair Credit Reporting Act, to also receive a notice of their rights under state law to obtain a security freeze on their credit reports.

S.B. 2769
Status: Failed--adjourned
Eliminates the fee charged by a consumer reporting agency to place, lift, or remove a security freeze requested by a consumer, protected consumer, or a protected consumer's representative, allows a consumer to request a security freeze at any time.

Iowa

H.B. 48
Status: Failed--adjourned
Relates to student data collection by the department of education, school districts, and accredited nonpublic schools.

H.B. 2137
Status: Failed--adjourned
Relates to student data collection by the Department of Education, school districts, and accredited nonpublic schools.

H.B. 2423
Status: Failed--adjourned
Relates to consumer protection, modifies provisions applicable to consumer security freezes and personal information security breach protection.

H.S.B. 526
Status: Failed--adjourned
Modifies certain provisions relating to personal information security breach protection.

H.S.B. 622
Status: Failed--adjourned
Relates to consumer protection, modifies provisions applicable to consumer security freezes and personal information security breach protection.

S.B. 2177
Status: Enacted, Chap. 1091
Relates to consumer protection; modifies provisions applicable to consumer security freezes and personal information security breach protection.

Illinois

H.B. 332
Status: Failed--adjourned
Amends the School Code to add provisions concerning student data privacy, amends the School Student Records Act, makes changes to the definition provisions, sets forth provisions allowing disclosure of student records to researchers at an accredited post-secondary educational institution or an organization conducting research if specified requirements are met, amends the Children's Privacy Protection and Parental Empowerment Act to change the definition of child to mean a person under the age of eighteen.

H.B. 3872
Status: Failed--adjourned.
Amends the Consumer Fraud and Deceptive Business Practices Act, provides that in addition to a freeze on a minor's consumer report, a freeze may be placed on the minor's credit file, establishes the procedures for obtaining a freeze on a minor's or protected consumer's credit file, defines terms.

H.B. 4095
Status: Enacted, Chap. 589
Amends the Consumer Fraud and Deceptive Business Practices Act; provides that a consumer reporting agency may not impose a charge on a consumer for placing a freeze, removing a freeze, or temporarily lifting a freeze.

S.B. 2018
Status: Failed--adjourned
Creates the Student Data Privacy Act, on and after Oct. 1, 2017, requires the school board of a school district to enter into a written contract with a contractor any time the school board shares or provides access to student information, student records, or student-generated content with that contractor, among other provisions, sets forth provisions concerning contract requirements, contractor and operator requirements and prohibitions, security breach procedures, and the establishment of a task force.

S.B. 2230
Status: Failed--adjourned
Amends the Consumer Fraud and Deceptive Business Practices Act, provides that a consumer reporting agency may not impose a charge on a consumer for placing a freeze, removing a freeze, or temporarily lifting a freeze, makes corresponding changes.

S.B. 3007
Status: Failed--adjourned
Amends the Personal Information Protection Act, provides that a data collector required to report breaches to more than 100 residents as a result of a single breach must also report to the Attorney General, provides that the Attorney General shall report annually to the General Assembly specified information concerning breaches of data security by Feb. 1 of each year.

S.B. 3201
Status: Failed--adjourned
Amends the School Student Records Act, provides that upon the discovery of a breach of security that results in the unauthorized release, disclosure, or acquisition of student information contained in a school student record, a school shall, no later than 48 hours after discovery, notify the parent of the student whose record is involved in the breach of security.

H.B. 4174
Status: Failed--adjourned
Amends the Personal Information Protection Act, requires any data collector that owns or licenses personal information concerning a resident and any State Agency that collects personal information concerning an resident to notify the resident of any security breach of the system data within 48 hours of discovery of the breach.

H.B. 4367
Status: Failed--adjourned
Amends the Personal Information Protection Act, provides that a private entity data collector that owns or licenses personal information concerning a resident must notify the resident of any security breach of the system data within 14 days after discovery of the breach.

Kansas

H.B. 2359
Status: Failed--adjourned
Creates the Kansas information technology enterprise agency.

Kentucky

H.B. 46
Status: Enacted, Act 41.
Allows for security freezes to be requested by methods established by the consumer reporting agency; allows consumers to request a replacement personal identification number or password in the same manner as the original security freeze request; removes the expiration of a credit freeze after seven years; includes gender-neutral language.

H.B. 188
Status: Failed--adjourned
Includes additional definitions, provides for a free security freeze in the event a protected person has been notified of a security breach pursuant to the Act or has been notified of a free security freeze, and to make technical corrections, requires consumer reporting agencies to encrypt electronic data contained in consumer Files and consumer reports, allows for security freezes to be requested by methods established by the consumer reporting agency.

S.B. 33
Status: Failed--adjourned
Revises provisions relating to the security of personal information, provides for a free security freeze in the event a protected person has been notified of a security breach, requires consumer reporting agencies to encrypt electronic data contained in consumer files and consumer reports, allows for security freezes to be requested by methods established by the consumer reporting agency.

Louisiana

S.B. 361
Status: Enacted, Chap. 480
Database Security Breach Notification Law: provides for the protection of personal information; requires certain security procedures and practices; provides for notification requirements; relates to violations; provides definitions.

Maryland

H.B. 848
Status: Enacted, Chap. 480
Alters a certain prohibition on a consumer bringing a certain action or proceeding against a consumer reporting agency; alters the manner in which a consumer may place, temporarily lift, or remove a security freeze on the consumer's report; requires a consumer reporting agency to develop certain procedures involving the use of certain secure connections to receive and process certain requests to place or remove a security freeze.

H.B. 1285
Status: Failed
Prohibits a consumer reporting agency from charging a fee for the placement, temporary lift, or removal of a security freeze requested by a consumer or a certain consumer representative within 90 days after a certain data breach; alters the contents of a certain notice that must be included with a summary of rights provided to a consumer; requires a consumer reporting agency that keeps a file on a consumer to maintain a toll-free customer call center.

H.B. 1584
Status: Failed--adjourned
Alters the applicability of certain security breach investigation and notification requirements to certain businesses; prohibits a certain business from charging a certain owner or licensee of computerized data a fee for providing information that the owner or licensee needs to provide a certain notification; prohibits a certain owner or licensee from using certain information for certain purposes.

Massachusetts

H.B. 134
Status: Failed--adjourned
Relates to removing fees for security freezes and disclosures of consumer credit reports.

H.B. 2814
Status: Failed--adjourned
Relates to amending certain statutes pertaining to data security breaches and calling for an investigation by a special commission on cybersecurity to assess the various threats across the Commonwealth.

H.B. 4806
Status: Enacted, Chap. 444
Revises provisions relatiing to consumer protections from security breaches.

S.B. 95
Status: Failed--adjourned
Protects biometric information under the security breach law.

S.B. 130
Status: Failed--adjourned
Removes fees for security freezes and disclosures of consumer credit reports.

S.B. 149
Status: Failed--adjourned
Relates to the security of personal financial information.

H.B. 4094
Status: Failed--adjourned
Provides for free credit freeze for active duty military personnel.

H.B. 5055
Status: Failed--adjourned
Prohibits assessment of fees for security freeze in connection with a security breach of a database maintained by a consumer reporting agency.

H.B. 5094
Status: Enacted, Chap. 76
Provides for free security freeze for consumers.

H.B. 4910
Status: Failed--adjourned
Provides for a database security breach policy for state agencies.

H.B. 4983
Status: Failed--adjourned
Revises notice of security breach requirements, requires public access.

S.B. 536
Status: Failed--adjourned
Requires state agencies to have policies in place to respond to database security breaches, requires state agencies to assist residents affected by a breach to restore their credit, authorizes state agencies to pay expenses in restoring credit, subject to available funds.

S.B. 633
Status: Failed--adjourned
Makes changes to the Identity Theft Protection Act to require encryption of certain computerized data and provides remedies for depository institutions for security breaches.

Michigan

H.B. 4910
Status: Failed--adjourned
Provides for a database security breach policy for state agencies. 

H.B. 4983
Status: Failed--adjourned
Revises notice of security breach requirements; requires public access.

H.B. 5055
Status: Failed--adjourned
Pohibits assessment of fees for security freeze in connection with a security breach of a database maintained by a consumer reporting agency.

H.B. 5094
Status: Enacted, Chap. 76
Amends an act to require certain consumer reporting agencies to place security freezes for consumers under certain circumstances; provides for the removal of those security freezes; authorize and limit fees.

H.B. 6405
Status: Failed--adjourned
Requires certain entities to provide notice to certain persons in the event of a breach of security that results in the unauthorized acquisition of sensitive personally identifying information; to provide for the powers and duties of certain state governmental officers and entities; and to prescribe penalties and provide remedies.

H.B. 6491
Status: Enacted, Chap. 690
Enacts the Insurance Data Security Model law; establishes the exclusive standards, for this state, applicable to licensees for data security, the investigation of a cybersecurity event, and notification to the director. 

S.B. 536
Status: Failed--adjourned
Requires state agencies to have policies in place to respond to database security breaches; requires state agencies to assist residents affected by a breach to restore their credit; authorizes state agencies to pay expenses in restoring credit, subject to available funds.

S.B. 633
Status: Failed--adjourned
Makes changes to the Identity Theft Protection Act to require encryption of certain computerized data and provides remedies for depository institutions for security breaches.

Minnesota

H.B. 1507
Status: Failed--adjourned
Relates to education, creates the Student Data Privacy Act, provides penalties.

H.B. 3480
Status: Failed--adjourned
Relates to consumer protection; revises consumer report regulations; provides regulation alternative dispute resolutions and credit monitoring services.

H.B. 4277
Status: Failed--adjourned
Alters a certain prohibition on a consumer bringing a certain action or proceeding against a consumer reporting agency; alters the manner in which a consumer may place, temporarily lift, or remove a security freeze on the consumer's report; requires a consumer reporting agency to develop certain procedures involving the use of certain secure connections to receive and process certain requests to place or remove a security freeze.

S.B. 1811
Status: Failed--adjourned
Relates to security freezes, authorizes security freezes for protected persons, provides exceptions.

S.B. 1961
Status: Failed--adjourned
Relates to education, creates the Student Data Privacy Act, provides penalties.

S.B. 3881
Status: Failed--adjourned
Relates to consumer protection; regulates security freezes on consumer credit reports; modifies fees.

Missouri

H.B. 1606
Status: Enacted
Requires school districts to send written notification of a breach of data of student personal information to parents or guardians, the department of elementary and secondary education and the state auditor.

H.B. 2399
Status: Failed--adjourned.
Creates new provisions of law related to student data privacy. 

S.B. 582
Status: Failed--adjourned. 
Relates to personal information data of students.

Nebraska

L 757
Status: Enacted
Revises provisions of the Credit Report Protection Act and the Financial Data Protection and Consumer Notification of Data Security Breach Act, provides for substantially similar types of a security product that provides the same level of protection to a consumer's credit report as that provided under the Credit Report Protection Act, prohibits an agency using a similar type of security product from charging a fee to a consumer, requires maintenance of reasonable security procedures and practices.

New Hampshire

H.B. 1612
Status: Enacted, Chap. 2018-209
Requires each local education agency to: I. Create and make publicly available an index of data elements containing definitions of certain individual student personally-identifiable data Fields, II, develops a data security plan, III, makes publicly available students' and parents' rights under the Family Educational Rights and Privacy Act, IV, requires school districts that use digital badges to obtain the written consent of a student's parent or legal guardian.

H.B. 1677
Status: Failed
Allows persons notified of a security breach to exercise the rights of victims of identity theft under the credit freeze Laws, 18-2592 03/04.

S.B. 303
Status: Enacted, Chap. 209
Eliminates fees for credit freezes and allows persons notified of a security breach to exercise the rights of victims of identity theft under the credit freeze laws.

New Jersey

A.B. 1360
Status: Pending
Requires certain notifications and free credit reports for customers following breach of security of personal information within business or public entity.

A.B. 2427
Status: Pending
Prohibits consumer reporting agencies from charging certain fees and including certain provisions in contracts with consumers.

A.B. 3043
Status: Pending
Requires consumer reporting agencies to increase protection of consumers' personal information.

A.B. 3245
Status: Pending
Requires disclosure of breach of security of online account.

A.B. 3541
Status: Pending
Revises requirements for disclosure of a breach of security of certain computerized records containing personal information.

S.B. 52
Status: Pending
Requires disclosure of breach of security of online account.

S.B. 1524
Status: Pending
Revises requirements for disclosure of a breach of security of certain computerized records containing personal information.

S.B. 1850
Status: Pending
Requires consumer reporting agencies to increase protection of consumers' personal information.

S.B. 2042
Status: Pending
Prohibits retail sales establishment from storing certain magnetic-stripe data; requires reimbursement for costs incurred by financial institution due to breach of security.

New Mexico

S.M. 12
Status: Adopted
Requests the attorney general to analyze the general compliance with the notification requirements of the data breach notification act stemming from the 2017 Equifax data breach and the methods used by some states to eliminate charges to individual consumers seeking to place a freeze, or lock, on their credit reports, requests a report.

New York

A.B. 180
Status: Failed--adjourned
Amends the General Business Law, relates to imposing a five-day time limit during which to disclose a breach in the security of a system.

A.B. 7167
Status: Failed--adjourned
Relates to notification of a security breach, includes credit and debit card, increases civil penalties.

A.B. 7232
Status: Failed--adjourned
Amends the General Business Law, relates to the timeliness of disclosure of a breach of the security of a system which contains private information.

A.B. 7781
Status: Failed--adjourned
Amends the Tax Law, relates to a business tax credit for the purchase of data breach insurance.

A.B. 8672
Status: Failed--adjourned
Amends the General Business Law, relates to fee assessments for security freezes following consumer credit reporting agency data breaches, no fee shall be assessed within five years of a data breach occurring, affected consumer credit reporting agencies shall reimburse individuals for such fees assessed by other consumer credit reporting agencies within the same five year period.

A.B. 8695
Status: Failed--adjourned
Amends the General Business Law, prohibits fees for security freezes by consumer credit reporting agencies in the case of a breach of information, prohibits fees for subsequent removal or temporary lift of a security freeze, requires a consumer credit reporting agency which has suffered a breach to provide free identity theft protection services.

A.B. 8756
Status: Failed--adjourned
Relates to notification of a security breach, includes credit and debit cards, increases civil penalties.

A.B. 8782
Status: Failed--adjourned
Amends the General Business Law, provides that if the person or business providing the notification was the source of the breach, an offer to provide appropriate identity theft prevention and mitigation services, shall be provided at no cost to the affected person for not less than 12 months, along with all information necessary to take advantage of the offer to any person whose information was or may have been breached if the breach exposed or may have exposed personal information.

A.B. 8884
Status: Failed--adjourned
Relates to notifications of a security breach, includes credit and debit cards, increases civil penalties, requires the Office of Information Technology Services to develop, update, and provide regular training to all state entities relating to best practices for the prevention of a breach of the security of the system.

A.B. 9780
Status: Failed--adjourned

Enacts the Personal Information Protection Act; establishes a personal information bill of rights requiring parties having custody of residents' personal identifying information to ensure the security thereof; provides for the approval of programs to secure personal identifying information by the office of information security; requires the notification of the division of state police and the subjects of information upon the breach of such information.

S.B. 1104
Status: Failed--adjourned
Amends the General Business Law, relates to the timeliness of disclosure of a breach of the security of a system which contains private information.

S.B. 4615
Status: Failed--adjourned
Amends the Tax Law, relates to a business tax credit for purchase of data breach insurance, states, a taxpayer that is a business or owner of a business shall be allowed a credit against the tax imposed by this article equal to twenty-five percent of the premium paid during the taxable year for qualified data breach insurance.

S.B. 5601
Status: Failed--adjourned
Relates to notification of a security breach, includes credit and debit card, increases civil penalties.

S.B. 6879
Status: Failed--adjourned
Amends the General Business Law, directs consumer credit reporting agencies to automatically freeze consumer credit reports that are subject to data breaches, authorizes a consumer to unfreeze accounts, which have been automatically frozen, at no cost to the consumer.

S.B. 6880
Status: Failed--adjourned
Amends the General Business Law, provides that a business must provide notification of a data breach within a specified number of days of such breach, includes the Department of Financial Services to the list of entities that must be notified of a data breach that affects any state resident.

S.B. 6886
Status: Enacted, Chap. 480
Amends the General Business Law, relates to fee assessments for security freezes following consumer credit reporting agency data breaches, prohibits consumer reporting agencies from charging a fee for a security freeze when the request is made within a specified time, requires consumer credit reporting agencies to reimburse individuals any fee assessed by another reporting agency when the request is made within a specified time.

S.B. 6889
Status: Failed--adjourned
Amends the General Business Law, establishes the Identity Theft Prevention and Breach Notification Act, provides that within a specified time prior to a disclosure of a security breach, a preliminary notification shall be made to any resident whose private information was, or is reasonably believed to have been, acquired by a person without valid authorization.

S.B. 6891
Status: Failed--adjourned
Amends the General Business Law, relates to the timeliness of disclosure of a breach of the security of a system that contains private information, repeals provisions relating to the charging of fees when a freeze is lifted, requires a security freeze be lifted within a specified period of time of a request.

S.B. 6912
Status: Failed--adjourned
Amends the General Business Law, provides that if the person or business providing the notification was the source of the breach, an offer to provide appropriate identity theft prevention and mitigation services, shall be provided at no cost to the affected person for not less than 12 months, along with all information necessary to take advantage of the offer to any person whose information was or may have been breached if the breach exposed or may have exposed personal information.

S.B. 6914
Status: Failed--adjourned
Establishes the Consumer Credit Rights and Responsibilities Outreach Program, provides that the program is established to educate citizens of the state about their rights and obligations relating to credit services and reporting, requires an annual report concerning the operation of such program.

S.B. 6923
Status: Failed--adjourned
Amends the General Business Law, prohibits fees for security freezes by consumer credit reporting agencies in the case of a breach of information, prohibits fees for subsequent removal or temporary lift of a security freeze, requires a consumer credit reporting agency which has suffered a breach to provide free identity theft protection services.

S.B. 6933
Status: Failed--adjourned
Amends the Data Security Act, relates to notification of a security breach, expands the definition of private information to include credit and debit cards, biometric information, user names, and certain unsecured protected health information, provides for substitute notices, requires a certain notification from credit or debit card issuer, increases the statute of limitation to bring an action and increases civil penalties, requires the practice of reasonable security.

S.B. 7038
Status: Failed--adjourned
Amends the General Business Law, prohibits consumer credit reporting agencies from charging a fee to a consumer requesting the placement of a security freeze.

S.B. 7555
Status: Failed--adjourned
Enacts the "personal information protection act", establishes a personal information bill of rights requiring parties having custody of resident's personal identifying information to ensure the security thereof, provides for the approval of programs to secure personal identifying information by the office of information security.

Ohio

S.B. 220
Status: Enacted, Chap. 104
Provides a legal safe harbor to covered entities that implement a specified cybersecurity program.

Oklahoma

S.B. 614
Status: Failed--adjourned
Provides an individual or entity that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach of the security of the system to each financial institution that issued a credit or debit card compromised by the breach and to any resident whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person.

Oregon

H.B. 4147
Status: Failed
Prohibits consumer reporting agencies from charging certain fees related to security freezes on consumer reports or protective records, requires certain persons who own, license, possess or have access to personal consumer information to give notice of breach of data security to certain financial institutions and merchant services providers, requires financial institutions and merchant services providers that discover or receive notice of data breach of another person to notify other person.

S.B. 1551
Status: Enacted, Chap. 10
Requires person to report breach of security that involves personal information to financial institution that issues financial access device that stores personal information and to any other person that processed financial transaction on person's behalf using account information that was subject to breach of security, requires person to report breach of security in Most expeditious manner possible but not later than 45 days after discovering or receiving notification of breach, with certain exceptions.

Pennsylvania

H.B. 33
Status: Failed--adjourned
Amends the act of Dec. 22, 2005 (P.L.474, No.94), known as the Breach of Personal Information Notification Act, provides for notification of breach.

H.B. 36
Status: Failed--adjourned
Amends the act of Dec. 22, 2005 (P.L.474, No.94), known as the Breach of Personal Information Notification Act, provides for definitions.

H.B. 494
Status: Failed--adjourned
Amends the act of November 29, 2006 (P.L.1463, No.163), known as the Credit Reporting Agency Act, provides for definitions, for security freeze, for consumer reporting agency, for personal identification, for temporary access or removal of security freeze, for secure procedures and for fees, provides for construction.

H.B. 848
Status: Failed--adjourned
Amends the act of Dec. 22, 2005 (P.L.474, No.94), known as the Breach of Personal Information Notification Act, provides for notification of breach.

H.B. 1345
Status: Failed--adjourned
Amends Title 24 (Education) of the Pennsylvania Consolidated Statutes, in preliminary provisions, provides for student data privacy and protection, imposes duties on the Department of Education.

H.B. 1548
Status: Failed--adjourned
Amends the Breach of Personal Information Notification Act, provides for definitions and for notification of breach, provides for contents and nature of notice and for storage policies.

H.B. 1846
Status: Failed--adjourned
Amends the act of Dec. 22, 2005, known as the Breach of Personal Information Notification Act, provides for definitions and for notification of breach, provides for notification, provides for notice exemption, provides for civil relief.

H.B. 1847
Status: Failed--adjourned
Amends the Credit Reporting Agency Act, provides for definitions and for fees, provides for credit monitoring and consumer reports, prohibits the waiver of rights, provides for civil relief.

H.B. 1879
Status: Failed--adjourned
Amends the Credit Reporting Agency Act, provides for fees, provides for reimbursements for security breaches, provides for notices of security breaches.

S.B. 308
Status: Failed--adjourned
Amends the Breach of Personal Information Notification Act, provides for title of act, for definitions and for notification of breach, prohibits employees of the state from using non secured Internet connections, provides for a policy and for entities subject to the Health Insurance Portability and Accountability Act of 1996.

Rhode Island

H.B. 7387
Status: Failed--adjourned
Establishes procedures to notify individuals of any breaches of their unencrypted personal information and penalties for any violation.

H.B. 7789
Status: Failed--adjourned
Would create the "Insurance Data Security Act" which would adopt the National Association of Insurance Commissioners' Model Act regarding data security.

S.B. 2497
Status: Failed--adjourned
Would create the "Insurance Data Security Act" which would adopt the National Association of Insurance Commissioners' Model Act regarding data security.

S.B. 2790
Status: Failed--adjourned
Would establish procedures to notify individuals of any breaches of their unencrypted personal information and penalties for any violation. This act would take effect on July 1, 2018.

South Carolina

H.B. 4383
Status: Failed--adjourned
(House Resolution) Urges the Attorney General to file a lawsuit against Equifax for the data breach that affected over two million South Carolina residents.

H.B. 4655
Status: Enacted, Chap. 171
Enacts the South Carolina Insurance Data Security Act; defines necessary terms; requires a licensee to develop, implement and maintain a comprehensive information security program based on the licensee's risk assessment and to establish certain requirements for the security program; provides minimum requirements for a licensee's Board of Directors, if applicable; requires a licensee to monitor the security program and make adjustments, if necessary; provides that the licensee must establish an incident.

S.B. 856
Status: Failed--adjourned
Enacts the Insurance Data Security act; requires a licensee to develop, implement and maintain a comprehensive information security program based on the licensee's risk assessment; establishes certain requirements for the security program; provides minimum requirements for a licensee's Board of Directors, if applicable; requires a licensee to monitor the security program and make adjustments, if necessary.

South Dakota

S.B. 62
Status: Enacted, Chap. 135
Provides for the notification related to a breach of certain data and to provide a penalty therefor, relates to personal information, relates to health information, provides that any information holder that experiences a breach of system security under this section shall disclose to the attorney general by mail or electronic mail any breach of system security that exceeds 250 residents of this state.

Tennessee

H.B. 545
Status: Failed--adjourned
Relates to consumer protection, clarifies that the consumer protection violation of failing to disclose a security breach of personal consumer information applies to a breach of unencrypted data or encrypted data when the encryption key has also been acquired by an unauthorized person.

H.B. 1723
Status: Failed--adjourned
Relates to education, requires a director of schools to report a breach of security in the administration of the Tennessee Comprehensive Assessment Program test, or any successor test, and the Local Education Agency's response to the breach of security to the commissioner of education and the state board of education within five days of discovering the breach.

H.B. 2508
Status: Failed--adjourned
Relates to consumer protection, revises provisions relating to the duty to notify consumers when there is a breach of system security that contains the consumers' personal identifying information.

S.B. 547
Status: Enacted. Chap. 91
Relates to consumer protection; clarifies that the consumer protection violation of failing to disclose a security breach of personal consumer information applies to a breach of unencrypted data or encrypted data when the encryption key has also been acquired by an unauthorized person.

S.B. 1761
Status: Failed--adjourned
Relates to education, requires a Director of schools to report a breach of security in the administration of the Comprehensive Assessment Program test, or any successor test, requires the local education agency's response to the breach of security to the Commissioner of Education and the Board of Education within a specified number of days of discovering the breach.

S.B. 2536
Status: Failed--adjourned
Relates to Consumer Protection, revises various provisions relating to the duty to notify consumers when there is a breach of system security that contains the consumers' personal identifying information.

Utah

S.B. 207
Status: Enacted, Chap. 304
Amends provisions related to student data protection, requires the State Board of Education to share certain student data with the Utah Registry of Autism and Developmental Disabilities and the State Board of Regents, relates to adult student, relates to a student that qualifies under the McKinney-Vento Homeless Education Assistance Improvements Act.

Virginia

H.B. 183
Status: Enacted, Chap. 283
Relates to notification of tax return data breach, requires paid income tax return preparers to notify the Department of Taxation within a reasonable time period if they discover that an unauthorized person has accessed a taxpayer's return information, the bill defines return information and provides that it does not include publicly available information.

H.B. 1588
Status: Failed
Relates to State Consumer Protection Act, relates to notice of data breach, makes the failure by a consumer reporting agency to disclose within 15 days a breach of the security of a computerized data system, when such disclosure is required by Section 18.2 186.6, a prohibited practice under the State Consumer Protection Act.

HJR 39
Status: Failed
Relates to study, relates to Joint Commission on Technology and Science, relates to reporting of information breaches by localities, relates to report, directs the Joint Commission on Technology and Science to evaluate and compare the various methods used by localities to report unauthorized breaches of personal information to the Office of the Attorney General and affected residents of the Commonwealth.

S.B. 271
Status: Enacted, Chap. 360
Relates to notification of tax return data breach, requires paid income tax return preparers to notify the Department of Taxation within a reasonable time period if they discover that an unauthorized person has accessed a taxpayer's return information, the bill defines return information and provides that it does not include publicly available information.

Vermont

H.B. 147
Status: Failed--adjourned
Relates to consumer protection and data security breaches.

H.B. 765
Status: Failed--adjourned
Relates to blockchain, cryptocurrency, and financial technology.

S.B. 156
Status: Failed--adjourned
Relates to protecting resident consumer data.

Washington

H.B. 2277
Status: Failed--adjourned
Relates to consumer reporting agency security freeze fees.

H.B. 2354
Status: Failed--adjourned
Restricts fees for security freezes by consumer reporting agencies.

H.B. 2384
Status: Failed--adjourned
Concerns consumer reporting agency security freeze fees.

H.B. 2999
Status: Failed--adjourned
Concerns security breaches of election systems or election data.

H.J.R. 4202
Status: Failed--adjourned
Amends the state Constitution to permit appropriations from the budget stabilization account in certain cases where there has been a breach of information technology systems.

S.B. 6014
Status: Failed--adjourned
Concerns automatic security freezes on consumer credit reports.

S.B. 6018
Status: Enacted, Chap. 54
Revises provisions relating to security freeze fees charged by consumer reporting agencies, repeals the requirement of payment of a fee required by a consumer reporting agency to freeze a consumer's credit report. Also requires a report about trends in data breaches including the frequency and nature of security breaches, best practices for preventing cybersecurity attacks, identity theft mitigation services available to consumers, and identity theft mitigation protocols recommended by the federal trade commission, the consumer financial protection bureau, and other relevant federal or state agencies. The report must be submitted to the house of representatives committee on business and financial services and the senate committee on financial institutions and insurance by December 1, 2020

Wisconsin

A.B. 565
Status: Failed.
Relates to fees related to security freezes on consumer credit reports.

S.B. 462
Status: Failed.
Relates to fees imposed on security freezes of consumer credit reports.

S.B. 233
Status: Failed.
Relates to privacy and security of customer information obtained by a broadband Internet access service provider, relates to providing a criminal penalty.

District of Columbia

B 630
Status: Failed
(Permanent Law) Amends Title 28 of the District of Columbia Official Code to expand the definition of personal information subject to protection from the breach of the security of a system, to specify the required contents of a notification of a security breach to a person whose personal information is included in a breach, to require that written notice of the breach be given to the Office of the Attorney General, to specify the security requirements for the protection of personal information.

R 930
Status: Adopted, Chap. 547
Declares the existence of an emergency with respect to the need to amend Chapter 38 of Title 28 of the District of Columbia Official Code to restrict a credit reporting agency's authority to charge consumers for security freeze services.

Puerto Rico

H.B. 607
Status: Pending
Amends Law 234 of 2014 for the purposes of establishing the obligation of the holder of personally identifiable information from consumers to notify failures or violations to the security settings in the receipt of information, requires the ways to notify the consumer and the terms to do so.

StateNet logoLexis Nexis Terms and Conditions

Additional Resources

 

 

Provides for a database security breach policy for state agencies.