Security Breach Legislation 2011 

Year-end summary (December 21, 2011)

Information security experts are calling 2011 one of the worst years for data security breaches in the last 10 years. Since 2002, forty-six states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information. In 2011, at least 14 states introduced legislation expanding the scope of laws, setting additional requirements related to notification, or changing penalties for those responsible for breaches.  Bills were enacted in California, Illinois, Nevada, and Texas in 2011.

See also Security Breach Laws and related information: Data disposal laws, consumer report security freeze laws, and more

ARIZONA
S.B. 1596
Status: Failed.
Relates to health records banks; requires a health records bank operator to provide consumers with a centralized and accessible database for the consumer's health records, including lab results; requires compliance with minimum health department standards; requires consumer electronic account access, electronic copies of medical records, permitted delegation of another person to manage account information, shared information for research and prompt reporting of security breaches.

CALIFORNIA
S.B. 24
Status: August 31, 2011; Signed by Governor.
Requires any agency, person, or business that is required to issue a security breach notification pursuant to existing law to fulfill additional requirements pertaining to the security breach notification by electronically submitting a single sample copy of that security breach notification to the Attorney General. Provides that a covered entity under the federal Health Insurance Portability and Accountability Act is deemed to have complied with these provisions if it has complied with existing federal law.

COLORADO
H.B. 1225
Status: Feb. 25, 2011; Postponed indefinitely.
Concerns legal actions addressing breaches of data security that involve personal information.

HAWAII
H.B. 678
Status: Pending-Carryover.
Requires a business or government agency responsible for the inadvertent, unauthorized disclosure of personal information to pay for the person's access to credit reports for at least three years.

H.B. 1220
Status: Pending-Carryover.
Provides a private cause of action for a victim who, as a result of an information security breach, suffers a risk of harm from identity theft; amends the type of notice that must be given to a person affected by a security breach; defines identity theft.

H.B. 1337
Status: Pending-Carryover.
Provides a private cause of action for a victim who, as a result of an information security breach, suffers a risk of harm from identity theft; amends the type of notice that must be given to a person affected by a security breach; defines identity theft.

H.B. 1549
Status: Pending-Carryover.
Requires government agencies to develop mandatory training programs for agency personnel to whom disclosures of personal information are made or to whom access to the personal information may be granted; in the event of a government security breach, requires the government agency to be responsible for the cost of credit report or credit monitoring services for any individual affected by the breach for two years following the discovery of the security breach.

S.B. 728
Status: Pending-Carryover.
Provides a private cause of action for a victim who, as a result of an information security breach, suffers a risk of harm from identity theft; amends the type of notice that must be given to a person affected by a security breach; defines identity theft.

S.B. 796
Status: Pending-Carryover.
Requires a business or government agency responsible for the inadvertent, unauthorized disclosure of personal information to pay for the person's access to credit reports for at least three years.

S.B. 1162
Status: Pending-Carryover.
Requires government agencies to develop mandatory training programs for agency personnel to whom disclosures of personal information are made or to whom access to the personal information may be granted; in the event of a government security breach, requires the government agency to be responsible for the cost of credit report or credit monitoring services for any individual affected by the breach for two years following the discovery of the security breach.

H.C.R. 72
Status: Failed.
Requests a comprehensive study on the results and impact of Act 10, Session Laws of Hawaii 2008, as well as other information security proposals in relation to security breaches of personal information that lead to identity theft; requires an organization that has permitted a security breach to conduct an independent audit, to be made available to the public upon completion, to reassure the public and Legislature that the organization has fulfilled any promises to take remedial action.

S.C.R. 31
Status: Failed.
Requests a comprehensive study on the results and impact of Act 10, Session Laws of Hawaii 2008, as well as other information security proposals.

ILLINOIS
H.B. 3025
Status: August 22, 2011; Public Act No. 483
Amends the Personal Information Protection Act; relates to security breaches; requires that certain information be provided in a disclosure notification to a State resident after a breach; provides for a delay of notification to prevent interference with a criminal investigation; provides that civil penalties may be imposed on certain contracted third parties; specifies that a person disposing of materials containing personal information must do so in a manner that renders the information undecipherable.

MASSACHUSETTS
H.B. 126
Status: Pending
Relates to the protection of personal information in consumer transactions.

NEW HAMPSHIRE
S.B. 186
Status: Pending-Carryover.
Repeals the exemption from the Consumer Protection Act for certain regulated trade and commerce.

NEW JERSEY
A.B. 124
Status: Pending.
Creates offenses pertaining to unauthorized use of confidential information.

A.B. 175
Status: Pending
Enhances duty and broadens liability concerning security of personal information, and response to breach of security, under "Identity Theft Prevention Act."

A.B. 1429
Status: Pending
Prohibits retail sales establishment from storing certain magnetic-stripe data; requires reimbursement for costs incurred by financial institution due to breach of security.

NEVADA
S.B. 82
Status: June 13, 2011; Signed by Governor, Chapter 331.
Relates to governmental information systems; requires the Chief of the Office of Information Security of the Department of Information Technology to investigate and resolve matters relating to security breaches of information systems of state agencies and elected officers; revises authority of the Department to provide services and equipment to local governmental agencies; authorizes the Chief of the Purchasing Division of the Department of Administration to publish advertisements for bids.

S.B. 267
Status: June 13, 2011; Signed by Governor, Chapter 354.
Revises provisions governing personal information and encryption. Prohibits a data collector from moving a data storage device which is used by or is a component of a multifunctional device beyond the control of the data collector, its data storage contractor or a person who assumes the obligation of the data collector to protect personal information unless the data collector uses encryption to ensure the security of the information. Provides for alternative methods or technologies to encrypt data.

OREGON
H.B. 2851
Status: Failed-Adjourned.
Expands breaches of security for which notification is required under Oregon Consumer Identity Theft Protection Act to include written data that contains personal information; requires person that owns, maintains or possesses written data that contains personal information to implement safeguards.

PENNSYLVANIA
S.B. 162
Status: Pending.
Amends the Breach of Personal Information Notification Act; provides for notification of breach.

TEXAS
H.B. 1224
Status: June 17, 2011, Signed by Governor, Chapter 1044.
Relates to expulsion of a public school student who commits certain criminal acts, including security breach crimes, involving a school district computer, computer network, or computer system.

H.B. 2397
Status: Failed - Adjourned.
Relates to the prosecution of and punishment for the offense of breach of computer security.

H.B. 3396
Status: June 17, 2011; Signed by Governor.
Relates to the prosecution of and punishment for the offense of breach of computer security when the computer, computer network, or computer system is owned by the government or a critical infrastructure facility.

S.B. 217
Status: Failed-Adjourned.
Relates to expulsion of a public school student who commits certain criminal acts, including security breach crimes, involving a school district computer, computer network, or computer system.

S.B. 622
Status: Failed - Adjourned.
Relates to the privacy of protected health information and personal information; provides civil and criminal penalties.

S.B. 808
Status: Failed - Adjourned.
Relates to the prosecution of and punishment for the offense of breach of computer security.

S.B. 841
Status: Failed - Adjourned.
Relates to the prosecution of and punishment for the offense of breach of computer security.

VERMONT
H.B. 254
Status: Pending-Carryover.
Proposes to implement new consumer protections relating to goods and services appearing on a telephone bill, to discount membership programs, to security breach notices, and to change the name of the consumer fraud act to the consumer protection act.

VIRGINIA
H.B. 2315
Status: Failed
Adds private entities to the list of those entities that are required to provide notice of a database breach involving medical information; provides that current law applies to state and local governmental entities only; provides that any entity, public or private, that is required to provide similar notice pursuant to federal law would be exempt from the state requirement.

S.B. 1041
Status: Failed
Extends the requirement to notify individuals of a breach of their medical information to all individuals and public and private entities, rather than just governmental agencies; allows the Attorney General to impose a civil penalty not to exceed $150,000 per breach of the security system.
