2012 Security Breach Legislation

As of Dec. 13, 2012

In 2012, at least 13 states introduced security breach notice legislation, many expanding the scope of laws, setting additional requirements related to notification, or changing penalties for those responsible for breaches. Connecticut and Vermont enacted security breach notification legislation in 2012, and Georgia and North Carolina enacted legislation that limits the liability of private colleges for a breach of data transferred to and caused by the act or omission of a state entity. Since 2002, forty-six states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information.

See also Security Breach Laws and 2011, 2010, 2009, 2008, 2007, 2006, 2005, 2004, 2003, and 2002 legislation, and related information: data disposal laws, consumer report security freeze laws, and more.

 

ALABAMA
H.B. 750
Status: April 24, 2012; To House Committee on Technology and Research. Failed--regular session adjourned.
Requires notification by certain data collectors upon a breach of security regarding personal information.


CALIFORNIA
A.B. 2455
Status: May 25, 2012; In Assembly Committee on Appropriations: Held in committee.
Amends existing law that requires any state office, officer, or executive agency that owns or licenses computerized data that includes personal information to disclose any breach of the security of the system, following discovery or notification of the breach, to any resident whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Expands the disclosure requirement to apply to a breach of data that is owned or licensed by a local agency.

A.B. 2640
Status: February 24, 2012; Introduced.
Makes technical, nonsubstantive changes to the Information Practices Act of 1977, requiring an agency that owns or licenses computerized data that includes personal information to disclose any breach of the security to any resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

S.B. 1250
Status: May 24, 2012; In Senate Committee on Appropriations: Held in committee.
Requires a health care provider, health care service plan, or contractor that is required to issue a breach notification following a breach in the security of a patient's social security number, driver's license number, state identification card number, or financial information to offer, in the notification, one year of free credit monitoring services to the patient.

CONNECTICUT
H.B. 5427
Status: April 2, 2012; Failed.
Concerns notice to the attorney general of data security breaches involving the disclosure of personal information; requires that persons who own, license or maintain computerized data that includes personal information immediately notify the Attorney General in the event of a breach of security relating to such data.

H.B. 6001
Status: June 11, 2012; Enacted. Session Law 127
Implements provisions of the state budget. Concerns notice to the attorney general of data security breaches involving the disclosure of personal information; requires that persons who own, license or maintain computerized data that includes personal information immediately notify the Attorney General in the event of a breach of security relating to such data.

GEORGIA
S.B. 405
Status: May 2, 2012; Signed by Governor. Act 748.
Relates to the office of student achievement; provides that a private college that submits confidential student data and records to the Office of Student Achievement shall not be liable for the breach of the confidentiality of such data and records by the Office of Student Achievement.

HAWAII
H.B. 678
Status: February 18, 2011; To Conference Committee. Failed.
Provides a private cause of action for a victim who, as a result of an information security breach, suffers a risk of harm from identity theft; amends the type of notice that must be given to a person affected by a security breach; defines identity theft.

H.B. 1220
Status: February 18, 2011; To House Committee on Finance. Failed.
Provides a private cause of action for a victim who, as a result of an information security breach, suffers a risk of harm from identity theft; amends the type of notice that must be given to a person affected by a security breach; defines identity theft.

H.B. 1337
Status: January 28, 2011; Subsequent referral set for: House Committee on Finance. Failed.
Provides a private cause of action for a victim who, as a result of an information security breach, suffers a risk of harm from identity theft; amends the type of notice that must be given to a person affected by a security breach; defines identity theft.

H.B. 1549
Status: January 28, 2011; To House Committee on Judiciary. Failed.
Requires government agencies to develop mandatory training programs for agency personnel to whom disclosures of personal information are made or to whom access to the personal information may be granted; in the event of a government security breach, requires the government agency to be responsible for the cost of credit report or credit monitoring services for any individual affected by the breach for two years following the discovery of the security breach.

S.B. 728
Status: February 11, 2011; In Senate Committee on Commerce and Consumer Protection. Failed.
Provides a private cause of action for a victim who, as a result of an information security breach, suffers a risk of harm from identity theft; amends the type of notice that must be given to a person affected by a security breach; defines identity theft.

S.B. 1162
Status: March 10, 2011; Subsequent referral set for: House Committee on Finance. Failed.
Requires government agencies to develop mandatory training programs for agency personnel to whom disclosures of personal information are made or to whom access to the personal information may be granted; in the event of a government security breach, requires the government agency to be responsible for the cost of credit report or credit monitoring services for any individual affected by the breach for two years following the discovery of the security breach.

S.B. 2098
Status: March 8, 2012; Subsequent referral set for: House Committee on Judiciary. Failed.
Provides that use, disclosure, or authorization for release of individually identifiable health information that complies with federal law shall be deemed to comply with state law; provides that notice of breach of unsecured protected health information that complies with federal law shall be deemed to comply with state law.

MASSACHUSETTS
H.B. 126
Status: March 20, 2012; In Joint Committee on Consumer Protection and Professional Licensure: Set aside for study.
Relates to the protection of personal information in consumer transactions.

NEW HAMPSHIRE
S.B. 186
Status: January 18, 2012; In Senate: Referred for interim study.
Repeals the exemption from the Consumer Protection Act for certain regulated trade and commerce and amends security breach provisions.

NEW JERSEY
A.B. 1742
Status: January 10, 2012; To Assembly Committee on Financial Institutions and Insurance.
Prohibits retail sales establishment from storing certain magnetic-stripe data; requires reimbursement for costs incurred by financial institution due to breach of security.

A.B. 3078
Status: June 25, 2012; To Senate Committee on Commerce.
Revises penalties imposed on businesses for failure to report security breach of computer system.

NORTH CAROLINA
H.B. 964
Status: June 29, 2012; Signed by Governor. Session Law 133.
Creates the North Carolina longitudinal data system and governing board; provides that private colleges and universities, nonpublic schools, and the North Carolina independent colleges and universities are not liable for a breach of confidentiality caused by the act or omission of a state agency, local school administrative unit, community college, or constituent institution of the University of North Carolina.

OHIO
H.B. 565
Status: June 12, 2012; To House Committee on State Government and Elections. 
Requires governmental agencies and persons that own or license computerized data containing personal information to report security breaches to the Attorney General; requires the Attorney General to establish a searchable database of the reports that is accessible by the public.

PENNSYLVANIA
S.B. 162
Status: September 26, 2011; To House Committee on Judiciary.
Amends the Breach of Personal Information Notification Act; provides for notification of breach; provides for investigation of breach involving a state agency, for investigation of breach involving a county, school district or municipality and for individuals responsible for breach.

VERMONT
H.B. 254
Status: May 8, 2012; Act No. 2012-109
Proposes to implement new consumer protections relating to goods and services appearing on a telephone bill, to discount membership programs, to security breach notices, and to change the name of the consumer fraud act to the consumer protection act; relates to billing information, required disclosures, prepaid contracts, and protection of personally identifiable information.

VIRGINIA
S.B. 214
Status: February 2, 2012; In Senate Committee on Education and Health: Continued to 2013.
Relates to notification of breach of medical information; extends the requirement to notify individuals of a breach of their medical information to all individuals and public and private entities, rather than just governmental agencies; allows the Attorney General to impose a civil penalty not to exceed $150,000 per breach of the security system.

 

NCSL Contact: Pam Greenberg, NCSL Denver Office, 303-856-1413, pam.greenberg@ncsl.org

 

Copyright 2014 by National Conference of State Legislatures