2019 Security Breach Legislation

12/31/2019

Introduction

All 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted security breach notification laws that require businesses or governments to notify consumers or citizens if their personal information is breached.

Even so, lawmakers continue to add to or change laws related to data breaches. At least 21 states in 2019 considered measures that would amend existing security breach laws.

Trends in legislation this year include proposals that would:

  • Expand definitions of "personal information" (e.g., to include biometric information, email address with password, passport number, etc.).
  • Set or shorten the timeframe within which a business must report a breach.
  • Require reporting of breaches to the state attorney general.
  • Provide for free credit freezes or identity theft protection for victims of data breaches.

Note: Although this list includes some state legislation related to consumer report credit freezes when part of existing breach laws or when tied to a breach, it does not include all bills that relate to consumer report credit freezes if they are not tied to the security breach law. Please check individual legislative websites for the most current status, summaries and versions of a bill's text.

2019 Legislation

Arkansas

HB 1943
Status: Enacted, Act 1030
Amends the Personal Information Protection Act; relates to biometric data generated by automatic measurements of an individual's biological characteristics including fingerprints, faceprint, retina or iris scan, hand geometry, voiceprint analysis, deoxyribonucleic acid, or any other unique biological characteristics of an individual if the characteristics are used by the owner or licensee to uniquely authenticate the individual's identity when the individual accesses a system or account.

California

AB 1035
Status: Pending-carryover
Requires a person or business, as defined, that owns or licenses computerized data that includes personal information to disclose any breach of the security of the system within 72 hours following discovery or notification of the breach, subject to legitimate needs of law enforcement.

AB 1130
Status: Enacted, Chap. 750
Revises the definition of personal information to add specified unique biometric data and government-issued identification numbers in addition to those for driver's licenses and California identification.

Connecticut

HB 5989
Status: Failed
Offers protection to certain business data holders in the event of a data breach.

Florida

SB 7008
Status: Enacted, Chap. 32
Relates to a review under the Open Government Sunset Review Act, which provides a public records exemption for information received by the Department of Legal Affairs pursuant to a notification of a security breach or during the course of an investigation of such breach, removes the scheduled repeal of the exemption.

Iowa

HSB 14
Status: Pending-Carryover
Modifies certain provisions relating to personal information security breach protection.

SB 204
Status: Pending-Carryover
Provides for an affirmative defense to certain claims relating to personal information security breach protection.

SB 575
Status: Pending-Carryover
Relates to the conduct of state and local elections, provides penalties, includes effective date provisions.

SSB 1071
Status: Pending-Carryover
Modifies certain provisions relating to personal information security breach protection.

SSB 1078
Status: Pending-Carryover
Relates to the administration of elections.

SSB 1241
Status: Pending-Carryover
Relates to the conduct of state and local elections, provides penalties.

Illinois

HB 2237
Status: Enacted, Chap. 466
Amends the State Treasurer Act, provides that the state treasurer shall establish the Higher Education Savings Program for the purpose of expanding access to higher education through savings, provides for enrollment in the program, provides further duties and requirements of the treasurer regarding the program, creates the Higher Education Savings Program Fund as a fund held outside of the state treasury to be the official repository of all contributions, appropriations, interest and dividend payments.

HB 2871
Status: Pending
Creates the Data Broker Registration Act, requires a data broker to annually register with the secretary of state, defines data broker as a business or unit of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.

HB 3200
Status: Pending
Amends the Personal Information Protection Act, provides that if there is a breach of the security of system data, a data collector must notify the attorney general in addition to the resident to whom the breach relates, requires the notice to be provided no later than a certain number of days after the breach.

SB 1393
Status: Pending
Amends the State Treasurer Act, provides that the state treasurer shall establish the Higher Education Savings Program for the purpose of expanding access to higher education through savings, provides for enrollment in the program, provides further duties and requirements of the treasurer regarding the program, creates the Higher Education Savings Program Fund as a fund held outside of the state treasury to be the official repository of all contributions, appropriations, interest and dividend payments.

SB 1624
Status: Enacted, Chap. 343
Amends the Personal Information Protection Act, provides that a data collector required to report breaches to more than 100 residents as a result of a single breach must also report to the attorney general, provides that the attorney general shall report to the General Assembly specified information concerning breaches of data security by Feb. 1 of each year.

Maine

SB 209
Status: Enacted, Chap. 512
Requires municipalities and school districts to provide notice of breaches in personal data security.

Massachusetts

SB 98
Status: Pending
Protects biometric information under the security breach law.

SB 100
Status: Pending
Relates to data breach notification.

SB 170
Status: Pending
Protects personal identifying information.

SB 180
Status: Pending
Relates to the security of personal financial information.

Maryland

HB 1127
Status: Failed-adjourned
Establishes and strengthens consumer protections in certain areas of financial transactions, including mobile home purchases, security breaches, vehicle purchases, money transmission and other areas, applies certain existing financial consumer protections to new forms of financial transactions, establishes that a mobile home retailer has a duty of good faith and fair dealing, prohibits a mobile home retailer from steering a consumer borrower to products that offer less favorable terms.

HB 1154
Status: Enacted, Chap. 294
Alters the applicability of certain security breach investigation requirements to certain businesses, alters the applicability of certain security breach notification requirements to a certain owner or licensee of computerized data.

SB 30
Status: Enacted, Chap. 103
Relates to insurance, relates to breach of security of a computer system, relates to notification requirement.

SB 693
Status: Enacted, Chap. 295
Alters the applicability of certain security breach investigation requirements to certain businesses, alters the applicability of certain security breach notification requirements to a certain owner or licensee of computerized data, prohibits a certain business from charging a certain owner or licensee of computerized data a fee for providing information that the owner or licensee needs to provide a certain notification.

SB 786
Status: Failed
Establishes and strengthens consumer protections in certain areas of financial transactions, including mobile home purchases, security breaches, vehicle purchases, money transmission and other areas, applies certain existing financial consumer protections to new forms of financial transactions, establishes that a mobile home retailer has a duty of good faith and fair dealing, prohibits a mobile home retailer from steering a consumer borrower to products that offer less favorable terms.

Michigan

HB 4187
Status: Pending
Enacts data breach notification act.

Minnesota

HB 54
Status: Pending-carryover
Relates to government data practices, expands the requirement for notification of security breaches.

HB 1376
Status: Pending-carryover
Relates to data practices, modifies notification procedure related to an unauthorized acquisition of government data.

HB 1377
Status: Pending-carryover
Relates to data practices, modifies the definition of a data security breach.

HB 1683
Status: Pending-carryover
Relates to utilities, provides access rights to energy usage data maintained by utilities.

HB 1821
Status: Pending-carryover
Relates to education, creates the Student Data Privacy Act, provides penalties.

SB 248
Status: Pending-carryover
Relates to government data practices, expands the requirement for notification of security breaches.

SB 2054
Status: Pending-carryover
Relates to utilities, provides access rights to energy usage data maintained by utilities.

SB 2062
Status: Pending-carryover
Relates to data practices, modifies notification procedure related to an unauthorized acquisition of government data.

SB 2063
Status: Pending-carryover
Relates to data practices, modifies the definition of a data security breach.

SB 2291
Status: Pending-carryover
Relates to education, creates the Student Data Privacy Act, provides penalties.

Missouri

HB 35
Status: Failed-adjourned
Changes the laws regarding the safekeeping of personal information.

HB 329
Status: Failed-adjourned
Changes the laws regarding the safekeeping of personal information.

HB 592
Status: Failed-adjourned
Creates new provisions related to student data privacy.

SB 401
Status: Failed-adjourned
Relates to student data privacy.

New Jersey

AB 1360 
Status: Pending
Requires certain notifications and free credit reports for customers following a breach of security of personal information within a business or public entity.

AB 2427 
Status: Pending
Prohibits consumer reporting agencies from charging certain fees and including certain provisions in contracts with consumers.

AB 3043 
Status: Pending
Requires consumer reporting agencies to increase the protection of consumers' personal information.

AB 3245 
Status: Pending
Requires disclosure of breach of security of online account, provides that in the case of a breach of security involving a user name or password, in combination with any password or security question and answer that would permit access to an online account, and no other personal information the business or public entity may provide the notification in electronic or other form that directs the customer whose personal information has been breached to promptly change any password and security question.

AB 3541 
Status: Pending
Revises requirements for disclosure of a breach of security of certain computerized records containing personal information.

AB 4975 
Status: Pending
Requires disclosure of a breach of security of geolocation data.

SB 52 
Status: Enacted, Chap. 95
Requires disclosure of a breach of security of an online account.

SB 1524 
Status: Pending
Revises requirements for disclosure of a breach of security of certain computerized records containing personal information.

SB 1850 
Status: Pending
Requires consumer reporting agencies to increase the protection of consumers' personal information.

SB 2042 
Status: Pending
Prohibits retail sales establishment from storing certain magnetic-stripe data, requires reimbursement for costs incurred by financial institution due to a breach of security.

New York

AB 465
Status: Pending
Enacts the Personal Information Protection Act, establishes a personal information bill of rights requiring parties having custody of residents' personal identifying information to ensure the security thereof, provides for the approval of programs to secure personal identifying information by the office of information security, requires the notification of the division of state police and the subjects of information upon the breach of such information, etc.

AB 1387
Status: Pending
Amends the General Business Law, relates to imposing a five-day time limit during which to disclose a breach in the security of a system.

AB 2213
Status: Pending
Relates to financial technology products and services, establishes a regulatory sandbox program.

AB 2374
Status: Enacted, Chap. 115
Amends the General Business Law, relates to requiring a consumer credit reporting agency to offer identity theft prevention and mitigation services in the case of a breach of the security of such agency's system.

AB 5635
Status: Pending
Relates to notification of a security breach, includes credit and debit cards, increases civil penalties.

SB 40
Status: Pending
Relates to automatic license plate readers.

SB 133
Status: Failed
Relates to notification of a security breach, includes credit and debit cards, increases civil penalties.

SB 135
Status: Pending
Amends the General Business Law, relates to the timeliness of disclosure of a breach of the security of a system that contains private information, removes language that a fee be paid when a freeze is lifted, requires a security freeze be lifted within one business day of a request.

SB 1749
Status: Pending
Relates to creating a private right of action for the breach of a consumer's identifying information such as their Social Security number, driver's license number, bank account number, credit or debit card number, personal identification number, automated or electronic signature, unique biometric data, account passwords or other information that can be used to access an individual's financial accounts or to obtain goods and services.

SB 2540
Status: Pending
Amends the General Business Law, provides that a business must provide notification of a data breach within 15 days of such breach, includes the department of financial services to the list of entities that must be notified of a data breach that affects any New York resident.

SB 2704
Status: Pending
Amends the General Business Law, prohibits consumer credit reporting agencies from charging a fee to a consumer requesting the placement of a security freeze.

SB 2821
Status: Pending
Amends the Tax Law, relates to a business tax credit for purchase of data breach insurance.

SB 3582
Status: Pending
Amends the General Business Law, relates to requiring a consumer credit reporting agency to offer identity theft prevention and mitigation services in the case of a breach of the security of such agency's system.

SB 5575
Status: Enacted, Chap. 117
Relates to notification of a security breach; includes credit and debit cards; increases civil penalties.

SB 5721
Status: Pending
Requires certain businesses to offer identity theft prevention and mitigation services in the case of a security breach; exempts businesses under financial hardship.

Oklahoma

SB 288
Status: Pending-carryover
Relates to the Security Breach Notification Act, relates to duty to disclose breach and enforcement, requires disclosure of security breach to attorney general, grants exclusive authority to enforce certain violation to Attorney General, imposes certain monetary civil penalties, increases certain civil penalty, updates statutory reference, provides an effective date.

Oregon

SB 684
Status: Enacted, Chap. 180
Relates to actions with respect to a breach of security that involves personal information.

Pennsylvania

HB 245
Status: Pending
Amends the act of Dec. 22, 2005, known as the Breach of Personal Information Notification Act, provides for definitions, provides for privacy agreements, provides for notification of breach, provides for disposal of materials containing personal information.

HB 270
Status: Pending
Amends the Credit Reporting Agency Act, provides for definitions, for security freezes, and for fees, provides for credit monitoring services, prohibits the waiver of rights and for a protected person's security freeze.

HB 662
Status: Pending
Amends the act, known as the Breach of Personal Information Notification Act, provides for notification of breach.

SB 308
Status: Pending
Amends the act, known as the Breach of Personal Information Notification Act, provides for definitions and for notification of breach, provides for contents and nature of notice and for storage policies.

South Carolina

HB 4000
Status: Enacted, Chap. 91
An agency of this State owning or licensing computerized data or other data that includes personal identifying information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of this State whose personal identifying information was, or is reasonably believed to have been, acquired by an unauthorized person.

Texas

HB 3000
Status: Failed-adjourned
Relates to student data security in public schools.

HB 4390
Status: Enacted, Chap. 1326
Revises provisions relating to the privacy of personal identifying information, provides that a person who is required to disclose or provide notification of a breach of system security under this section shall notify the Attorney General of that breach in a certain number of days after the breach occurred.

SB 1423
Status: Failed-adjourned
Relates to the fee for placing, temporarily lifting, or removing a security freeze on a consumer file.

Utah

SB 193
Status: Enacted, Chap. 348
Amends provisions enforced by the attorney general, modifies the applicability of the Protection of Personal Information Act, amends the penalty for a violation of the Protection of Personal Information Act or the Consumer Credit Protection Act, establishes a statute of limitations for an enforcement action under the Protection of Personal Information Act or the Consumer Credit Protection Act.

Vermont

SB 110
Status: Pending-carryover
Relates to data privacy and consumer protection.

Washington

HB 1071
Status: Enacted, Chap. 241
Revises provisions relating to the protection of personal information and breach of security thereto.

SB 5064
Status: Pending-carryover
Protects personal information.

 
