2017 Security Breach Legislation

12/29/2017

At least 30 states in 2017 introduced or considered security breach notification bills or resolutions. Security breach laws require that consumers or citizens be notified if their personal information is breached. Legislation in most of these states would amend existing security breach laws applicable to business, government or educational institutions.

New Mexico in 2017 became the 48th state to have a breach law. Eight other states enacted security breach laws in 2017. Delaware and Maryland revised their breach laws in 2017, expanding the definition of "personal information" in cases of a breach, among other provisions. Virginia's new law requires companies to notify the attorney general and Department of Taxation if taxpayer ID numbers and withholding information are breached. North Dakota, Illinois and Washington passed laws relating to data breaches involving public entities. Wyoming requires the state superintendent and department of technology to develop a data privacy and security plan that includes policies related to data breaches of student data.

Only two states—Alabama and South Dakota—have no law requiring consumer notification of security breaches involving personal information (see also NCSL's Security Breach Statutes).

2017 Legislation

Alabama

S.B. 91
Status: Failed - Adjourned
Relates to consumer protection, requires specified entities to take generally acceptable industry practices and measures to protect and secure data containing sensitive personally identifying information in paper or electronic form, requires the entities to notify the attorney general of data security breaches, requires notice to individuals and credit reporting agencies of data security breaches in certain circumstances, provides for the disposal of customer records.

Arkansas

H.B. 1934
Status: Failed
Ensures that personally identifiable information of students is protected.

H.B. 2251
Status: Failed
Concerns the personal information protection act, defines encryption in the personal information protection act.

California

A.B. 241
Status: Pending
Relates to state and local breaches of privacy. Requires a state or local agency, if it was the source of a computer breach of information, to provide appropriate identity theft prevention and mitigation services at no cost to a person whose personal information, including Social Security number, driver license or identification card number.

Connecticut

H.B. 5035
Status: Failed
Concerns the timing of parental notification for a security breach of student data. Replaces the existing requirement that a Board of Education notify parents and guardians that a security breach of student data has occurred from 48 hours after such board receives notice of such security breach to two business days after such board receives such notice.

H.B. 6708
Status: Failed
Concerns notice to the police of data security breaches involving the disclosure of personal information. Requires that a person who owns, licenses or maintains computerized data that includes personal information notify the police in the event of a breach of security relating to such data.

Delaware

H.B. 180
Status: Enacted, Chap. 129
Relates to breaches of security involving personal information, requires the implementation of procedures to protect personal information.

Florida

S.B. 110
Status: Failed
Provides that records held by the university or institution that identify detection, investigation, or response practices for suspected or confirmed information technology security incidents, including suspected or confirmed breaches, are confidential and exempt from disclosure if the disclosure of such records would facilitate unauthorized access to or unauthorized modification, disclosure, or destruction of specified information.

Georgia

H.B. 82
Status: Pending - Carryover
Relates to notification required upon breach of security regarding personal information, so as to provide that information brokers and data collectors shall provide notice when personal information maintained on individuals by such information broker or data collector is released to unauthorized persons, whether such release is intentional, inadvertent, or accidental, provides for related matters, provides an effective date, repeals conflicting laws.

H.B. 499
Status: Pending - Carryover
Enacts the Personal Data Security Act. Improves systems and procedures for providing and regulating notifications of data breaches affecting residents. Revises legislative findings and declarations, modifies definitions, modifies when notices of certain security breaches are required and to provide for the contents of such notices, requires certain entities to maintain certain data security procedures, requires that certain notices of a data breach be sent to certain officials.

Iowa

H.B. 48
Status: Pending - Carryover
Relates to student data collection by the department of education, school districts, and accredited nonpublic schools. Requires the department to create a data breach plan.

Idaho

S.B. 1066
Status: Failed - Adjourned
Amends existing law to provide that a tax preparer who experiences a data breach must inform the Idaho State Tax Commission.

Illinois

H.B. 332
Status: Pending
Amends the School Code to add provisions concerning student data privacy and data breaches. Amends the School Student Records Act, makes changes to the definition provisions, sets forth provisions allowing disclosure of student records to researchers at an accredited post-secondary educational institution or an organization conducting research if specified requirements are met, amends the Children's Privacy Protection and Parental Empowerment Act to change the definition of child to mean a person under the age of eighteen.

H.B. 4095
Status: Pending
Amends the Consumer Fraud and Deceptive Business Practices Act; provides that a consumer reporting agency may not impose a charge on a consumer for placing a freeze, removing a freeze, or temporarily lifting a freeze.

S.B. 707
Status: Enacted, Public Act 412
Amends the Personal Information Protection Act. Provides that a state agency that has been subject to a certain single breach or aggravated computer tampering to the security of its data shall submit a comprehensive report to the attorney general and the General Assembly, specifies the content of the report, requires the report to be made available to the public.

S.B. 2018
Status: Pending
Creates the Student Data Privacy Act, on and after Oct. 1, 2017, requires the school board of a school district to enter into a written contract with a contractor any time the school board shares or provides access to student information, student records, or student-generated content with that contractor, among other provisions, sets forth provisions concerning contract requirements, contractor and operator requirements and prohibitions, security breach procedures, and the establishment of a task force.

S.B. 2230
Status: Pending
Amends the Consumer Fraud and Deceptive Business Practices Act; provides that a consumer reporting agency may not impose a charge on a consumer for placing a freeze, removing a freeze, or temporarily lifting a freeze; makes corresponding changes.

Kentucky

S.B. 59
Status: Failed - Adjourned
Includes user name, email address, and security questions with answers in the definition of personal information involved in a data security breach of information held by state and local government agencies, allows a civil cause of action for actual damages, attorney's fees and court costs in Franklin Circuit Court against state and local government agencies who violate the investigation and notice procedures of KRS 61.931 to 61.934, waiving sovereign immunity, expands the definition of breach.

Massachusetts

H.B. 2814
Status: Pending
Relates to amending certain statutes pertaining to data security breaches and calling for an investigation by a special commission on cybersecurity to assess the various threats across the commonwealth.

S.B. 95
Status: Pending
Protects biometric information under the security breach law.

S.B. 149
Status: Pending
Relates to the security of personal financial information.

S.B.D 750
Status: Pending
Relates to protecting biometric information under the security breach law.

Maryland

H.B. 212
Status: Enacted, Chap. 827
Prohibits a consumer reporting agency from charging a consumer a fee for placing a security freeze if the consumer has not previously requested the placement of a security freeze from the consumer reporting agency, alters the contents of a certain notice that must be included with a certain summary of rights provided to a consumer.

H.B. 704
Status: Failed - Adjourned
Requires the State Board of Education to provide identity protection and credit monitoring services for at least five years for current and former students whose personal information has been compromised by a breach of a public school's or a local school system's computer network in violation of a specified provision of law.

H.B. 965
Status: Failed - Adjourned
Alters the applicability of certain security breach investigation and notification requirements to certain business, authorizes a certain business to elect to provide a certain notification, prohibits a certain business from charging a certain business a fee for providing information needed to provide a certain notification or requiring or compelling a certain business to make a certain election, prohibits a certain business from using certain information for certain purposes.

H.B. 974
Status: Enacted, Chap. 518
Requires a specified business, when destroying an employee's or a former employee's records that contain specified personal information of the employee or former employee, to take specified steps to protect against unauthorized access to or use of the information. Alters the circumstances under which a specified business that owns, licenses, or maintains computerized data that includes specified personal information must conduct a specified investigation and notify specified persons of a specified breach.

S.B. 270
Status: Enacted, Chap. 828
Prohibits a consumer reporting agency from charging a consumer a fee for placing a security freeze if the consumer has not previously requested the placement of a security freeze from the consumer reporting agency, alters the contents of a certain notice that must be included with a summary of rights provided to a consumer.

S.B. 552
Status: Failed - Adjourned
Alters the applicability of specified security breach investigation and notification requirements to specified businesses. Authorizes a specified business to elect to provide a specified notification. Prohibits a specified business from requiring or compelling a specified business to make a specified election.

Maine

H.B. 217
Status: Failed - Adjourned
Shortens the time allowed for a delay in notification to residents of the state of a breach of the security of a system that contains computerized personal information from seven business days to three business days.

Michigan

H.B. 4910
Status: Pending
Provides for a database security breach policy for state agencies.

H.B. 4983
Status: Pending
Revises notice of security breach requirements. Requires public access.

H.B. 5055
Status: Pending
Prohibits assessment of fees for security freeze in connection with a security breach of a database maintained by a consumer reporting agency.

Minnesota

S.B. 1961
Status: Pending - Carryover
Relates to education, creates the Student Data Privacy Act, provides penalties.

S.B. 536
Status: Pending
Requires state agencies to have policies in place to respond to database security breaches; requires state agencies to assist residents affected by a breach to restore their credit; authorizes state agencies to pay expenses in restoring credit, subject to available funds.

S.B. 3496
Status: Pending
Revises requirements for disclosure of a breach of security of certain computerized records containing personal information.

Minnesota

H.B. 1507
Status: Pending - Carryover
Relates to education. Creates the Student Data Privacy Act, provides penalties.

Missouri

S.B. 478
Status: Failed - Adjourned
Relates to personal information data of students.

North Dakota

H.B. 1088
Status: Enacted, Chap. 234
Relates to data breach response and remediation costs. Provides for payment from the risk management fund for a data breach involving a state entity. Approves the purchase of insurance to cover data breach response and remediation costs. Provides that each state entity shall contribute a share of costs.

New Jersey

A.B. 311
Status: Vetoed
Requires disclosure of breach of security of online account.

A.B. 1970
Status: Pending
Prohibits retail sales establishment from storing certain magnetic-stripe data. Requires reimbursement for costs incurred by financial institution due to breach of security.

A.B. 3762
Status: Pending
Requires certain notifications and free credit reports for customers following breach of security of personal information within business or public entity.

S.B. 439
Status: Failed
Requires disclosure of breach of security of online account.

S.B. 1953
Status: Pending
Prohibits retail sales establishment from storing certain magnetic-stripe data. Requires reimbursement for costs incurred by financial institution due to breach of security.

New Mexico

H.B. 15
Status: Enacted, Chap. 36
Relates to consumer protection. Creates the Data Breach Notification Act. Requires notification to persons affected by a security breach involving personal identifying information. Requires secure storage and disposal of data containing personal identifying information. Requires notification to consumer reporting agencies and the office of the attorney general. Provides civil penalties. Exempts New Mexico and its political subdivisions from compliance with the Data Breach Notification Act.

New York

A.B. 180
Status: Pending
Amends the General Business Law, relates to imposing a five-day time limit during which to disclose a breach in the security of a system.

A.B. 5232
Status: Failed
Amends the General Business Law, relates to the protection of personal information by businesses.

A.B. 7167
Status: Pending
Relates to notification of a security breach, includes credit and debit card, increases civil penalties.

A.B. 7232
Status: Pending
Amends the General Business Law, relates to the timeliness of disclosure of a breach of the security of a system which contains private information.

A.B. 7781
Status: Pending
Amends the Tax Law, relates to a business tax credit for purchase of data breach insurance.

A.B. 8695
Status: Pending

S.B. 1104
Status: Pending
Amends the General Business Law, relates to the timeliness of disclosure of a breach of the security of a system which contains private information.

S.B. 4615
Status: Pending
Amends the Tax Law, relates to a business tax credit for purchase of data breach insurance.

S.B. 5601
Status: Pending
Relates to notification of a security breach, includes credit and debit card, increases civil penalties.

S.B. 6880
Status: Pending
Amends the General Business Law; provides that a business must provide notification of a data breach within a specified number of days of such breach; includes the Department of Financial Services in the list of entities that must be notified of a data breach that affects any state resident.

S.B. 6889
Status: Pending
Amends the General Business Law; establishes the Identity Theft Prevention and Breach Notification Act; provides that within a specified time prior to a disclosure of a security breach, a preliminary notification shall be made to any resident whose private information was, or is reasonably believed to have been, acquired by a person without valid authorization.

S.B. 6912
Status: Pending
Amends the General Business Law; provides that if the person or business providing the notification was the source of the breach, an offer to provide appropriate identity theft prevention and mitigation services, shall be provided at no cost to the affected person for not less than 12 months, along with all information necessary to take advantage of the offer to any person whose information was or may have been breached if the breach exposed or may have exposed personal information.

S.B. 6923
Status: Pending
Amends the General Business Law; prohibits fees for security freezes by consumer credit reporting agencies in the case of a breach of information; prohibits fees for subsequent removal or temporary lift of a security freeze; requires a consumer credit reporting agency which has suffered a breach to provide free identity theft protection services.

S.B. 6949
Status: Pending
Amends the General Business Law; directs consumer credit reporting agencies to automatically freeze consumer credit reports that are subject to data breaches; authorizes a consumer to unfreeze accounts, which have been automatically frozen, at no cost to the consumer.

Oklahoma

S.B. 614
Status: Pending - Carryover
Provides that an individual or entity that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach of the security of the system to each financial institution that issued a credit or debit card compromised by the breach and to any resident whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person.

Oregon

H.B. 2581
Status: Failed - Adjourned
Requires person who possesses or has access to account information to report breach of security to financial institution that issued financial access device. Requires person to safeguard account information in accordance with standards that Department of Consumer and Business Services adopts by rule, subjects person to liability to financial institution for costs financial institution incurs as consequence of breach of security if person's failure to comply with standards for safeguarding account.

Pennsylvania

H.B. 33
Status: Pending
Amends the act of Dec. 22, 2005 (P.L.474, No.94), known as the Breach of Personal Information Notification Act, provides for notification of breach.

H.B. 36
Status: Pending
Amends the act of Dec. 22, 2005 (P.L.474, No.94), known as the Breach of Personal Information Notification Act, provides for definitions.

H.B. 848
Status: Pending
Amends the act of Dec. 22, 2005 (P.L.474, No.94), known as the Breach of Personal Information Notification Act, provides for notification of breach.

H.B. 1548
Status: Pending
Amends the Breach of Personal Information Notification Act, provides for definitions and for notification of breach, provides for contents and nature of notice and for storage policies.

H.B. 1879
Status: Pending
Amends the Credit Reporting Agency Act; provides for fees; provides for reimbursements for security breaches; provides for notices of security breaches. 

S.B. 308
Status: Pending
Amends the Breach of Personal Information Notification Act, provides for title of act, for definitions and for notification of breach, prohibits employees of the state from using non-secured Internet connections, provides for a policy and for entities subject to the Health Insurance Portability and Accountability Act of 1996.

Tennessee

H.B. 545
Status: Pending - Carryover
Relates to consumer protection. Clarifies that the consumer protection violation of failing to disclose a security breach of personal consumer information applies to a breach of unencrypted data or encrypted data when the encryption key has also been acquired by an unauthorized person.

S.B. 547
Status: Enacted, Chap. 91
Relates to consumer protection, clarifies that the consumer protection violation of failing to disclose a security breach of personal consumer information applies to a breach of unencrypted data or encrypted data when the encryption key has also been acquired by an unauthorized person.

Texas

H.B. 2333
Status: Failed - Adjourned
Relates to a breach of system security of a business that exposes consumer credit card or debit card information, provides a civil penalty.

H.B. 3671
Status: Failed - Adjourned
Relates to the requirement that state agencies notify the Department of Information Resources in the event of a breach of system security or unauthorized exposure of certain information.

S.B. 1409
Status: Failed - Adjourned
Relates to a breach of system security of a business that exposes consumer credit card or debit card information, provides a civil penalty.

Virginia

H.B. 2113
Status: Enacted, Chap. 419
Relates to notification requirement, relates to breach of payroll data, requires employers to notify the Department of Taxation after discovery of a security breach of payroll information, provides for confidentiality of records.

S.B. 1033
Status: Enacted, Chap. 427
Relates to notification requirement, relates to breach of payroll data, requires employers to notify the Department of Taxation after discovery of a security breach of payroll information.

Vermont

H.B. 147
Status: Pending
Relates to consumer protection and data security breaches.

Washington

H.B. 1717
Status: Enacted, Chap. 306
Concerns state agency collection, use, and retention of biometric identifiers. Prohibits an agency from obtaining a biometric identifier without first providing notice and obtaining the individual's consent. Provides that the use and storage of biometric identifiers obtained by an agency must comply with all other applicable state and federal laws and regulations, including the health insurance portability and accountability act (HIPAA), the family educational rights and privacy act (FERPA), regulations regarding data breach notifications and individual privacy protections, and any policies or standards published by the office of the chief information officer.

H.J.R 4202
Status: Pending - Carryover
Amends the state Constitution to permit appropriations from the budget stabilization account in certain cases where there has been a breach of information technology systems.

Wyoming

H.B. 8
Status: Enacted, Chap. 14
Amends requirements of the state data security plan to ensure privacy of collected student data. Requires policies for the collection, access, privacy, security and use of student data by school districts. Requires policies for the collection, access, privacy, security and use of student data. Provides for employee training, provides for response to data security incidents, including breach notification and mitigation procedures, provides for retention and verified destruction of student data.
