2020 Security Breach Legislation

11/4/2020


All 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted security breach notification laws that require businesses or governments to notify consumers or citizens if their personal information is breached.

Lawmakers continue to review existing laws, however. At least 21 states, the District of Columbia and Puerto Rico, as listed below, considered measures in 2020 that would amend existing security breach laws. So far in 2020, bills have been enacted in six states (Illinois, Maine, New York, South Carolina, Vermont and Washington) and the District of Columbia (highlighted in bold below).

Trends in legislation this year include proposals that would:

  • Establish or shorten the timeframe within which an entity must report a breach.
  • Expand definitions of "personal information" (e.g., to include biometric information, email address with password, passport number, etc.).
  • Provide an affirmative defense for entities that had reasonable security practices in place at the time of a breach.
  • Require reporting of breaches to the state attorney general.
  • Provide for free credit freezes or identity theft protection for victims of data breaches.

Note: Although this list includes some state legislation related to consumer report credit freezes when part of existing breach laws or when tied to a breach, it does not include all bills that relate to consumer report credit freezes if they are not tied to the security breach law. 

2020 Legislation

California

AB 1035
Status: Failed - Adjourned
Exempts a small business with a certain number of employees from liability for an injury or illness to a person due to coronavirus based on a claim that the person contracted coronavirus while at that small business, or due to the actions of that small business. Requires the small business, for this exemption to apply, to have implemented and abided by all applicable state and local health laws, regulations, and protocols.

AB 2004
Status: Vetoed
Requires the Medical Board of California to establish the use of verifiable health credentials for communication of COVID 19 test results or other medical test results in this state. Requires the board to convene a working group of representatives from the public and private sectors to develop methods, using verifiable credential model, to provide access to medical test results.

Connecticut

SB 137
Status: Failed - Adjourned
Expands the data privacy breach notification statute to protect consumers.

Georgia

SB 464
Status: Failed - Adjourned
Relates to military, emergency management, veterans affairs, and state government, facilitates the sharing of information and reporting of cyberattacks, requires governmental agencies and utilities to report any cyber attacks to the director of emergency management and homeland security.

SB 493
Status: Failed - Adjourned
Relates to selling and other trade practices, provides for legislative findings, provides standards for cybersecurity programs to protect businesses from liability, provides for affirmative defenses for data breaches of private information, provides for related matters, provides for an effective date, repeals conflicting laws.

Iowa

HSB 14
Status: Failed - Adjourned
Modifies certain provisions relating to personal information security breach protection.

SB 204
Status: Failed - Adjourned
Provides for an affirmative defense to certain claims relating to personal information security breach protection.

SB 575
Status: Failed - Adjourned
Relates to the conduct of state and local elections, provides penalties, includes effective date provisions.

SB 2073
Status: Failed - Adjourned
Provides for an affirmative defense to certain claims relating to personal information security breach protection.

SB 2252
Status: Failed - Adjourned
Provides for an affirmative defense to certain claims relating to personal information security breach protection.

SSB 1071
Status: Failed - Adjourned
Modifies certain provisions relating to personal information security breach protection.

SSB 1078
Status: Failed - Adjourned
Relates to the administration of elections.

SSB 1241
Status: Failed - Adjourned
Relates to the conduct of state and local elections, provides penalties.

Illinois

HB 2237
Status: Enacted
Amends the State Treasurer Act, provides that the treasurer shall establish the Higher Education Savings Program for the purpose of expanding access to higher education through savings, provides for enrollment in the program, provides further duties and requirements of the treasurer regarding the program, creates the Higher Education Savings Program Fund as a fund held outside of the state treasury to be the official repository of all contributions, appropriations, interest, and dividend payments. Requires the treasurer and any vendors to report a security breach promptly.

HB 2784
Status: Failed - Adjourned
Amends the Personal Information Protection Act, provides that consumer marketing information means information related to a consumer's online browsing history, online search history, or purchasing history, including, but not limited to, consumer profiles that are based upon the information.

HB 2871
Status: Failed - Adjourned
Creates the Data Broker Registration Act, requires a data broker to annually register with the Secretary of State, defines data broker as a business or unit of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.

HB 3200
Status: Failed - Adjourned
Amends the Personal Information Protection Act, provides that if there is a breach of the security of system data, a data collector must notify the attorney general in addition to the resident to whom the breach relates, requires the notice to be provided no later than a certain number of days after the breach.

HB 5204
Status: Failed - Adjourned
Creates the Cybersecurity Compliance Act, defines terms, creates an affirmative defense for every covered entity that creates, maintains, and complies with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of either personal information or both personal information and restricted information and that reasonably conforms to an industry-recognized cybersecurity framework, prescribes requirements for the cybersecurity program.

SB 1393
Status: Failed - Adjourned
Amends the State Treasurer Act, provides that the treasurer shall establish the Higher Education Savings Program for the purpose of expanding access to higher education through savings, provides for enrollment in the program, provides further duties and requirements of the treasurer regarding the program, creates the Higher Education Savings Program Fund as a fund held outside of the State Treasury to be the official repository of all contributions, appropriations, interest, and dividend payments.

SB 1624
Status: Enacted
Amends the Personal Information Protection Act, provides that a data collector required to report breaches to a certain number of residents must provide notice to the attorney general in the most expedient time possible but in no event later than when notice is provided to a consumer, authorizes the attorney general to publish information concerning the breach.

SB 2301
Status: Failed - Adjourned
Amends the Personal Information Protection Act, provides that, after a breach of security of a state agency that collects personal information concerning a state resident, the agency must, in addition to notifying the resident of the breach, offer free credit monitoring to the affected residents for one calendar year, provides that the credit monitoring may be provided by the agency, by another state agency, or by a third-party provider.

SB 3896
Status: Failed - Adjourned
Amends the Personal Information Protection Act, provides that data collectors that maintain or store, but do not own or license, computerized data that includes personal information and that are required to issue notice pursuant to this section to the owner or licensee of the information that there has been a breach of the security of the data shall notify the attorney general regarding the breach.

Massachusetts

S. 98
Status: Pending
Protects biometric information under the security breach law.

SB 100
Status: Pending
Relates to data breach notification.

SB 170
Status: Pending
Protects personal identifying information.

SB 180
Status: Pending
Relates to the security of personal financial information.

Maryland

HB 237
Status: Failed - Adjourned
Requires a business that maintains personal information of an individual residing in the state to implement and maintain certain security procedures and practices, alters the circumstances under which the owner or licensee of certain computerized data is required to notify certain individuals of a certain breach, alters the time periods within which certain notifications regarding the breach of a security system are required to be given.

SB 201
Status: Failed - Adjourned
Requires a business that maintains personal information of an individual residing in the state to implement and maintain certain security procedures and practices, alters the circumstances under which the owner or licensee of certain computerized data is required to notify certain individuals of a certain breach, alters the time periods within which certain notifications regarding the breach of a security system are required to be given.

Maine

SB 209
Status: Enacted
Amends the Notice of Risk to Personal Data Act to add municipalities and school administrative units to the definition of person to make the Act applicable to these entities, exempts these entities from the civil violations provision of the Notice of Risk to Personal Data Act, specifies that notice to residents of the State of a security breach must be given no later than 30 days after the information broker or person maintaining computerized data that includes personal information.

Michigan

HB 4187
Status: Vetoed
Enacts data breach notification act.

HB 4898
Status: Failed - Adjourned
Provides for a database security breach policy for state agencies.

SB 652
Status: Failed - Adjourned
Expands conduct prohibited in the conduct of a trade or business.

Minnesota

HB 54
Status: Failed - Adjourned
Relates to government data practices, expands the requirement for notification of security breaches.

HB 1376
Status: Failed - Adjourned
Relates to data practices, modifies notification procedure related to an unauthorized acquisition of government data.

HB 1377
Status: Failed - Adjourned
Relates to data practices, modifies definition of data security breach.

HB 1683
Status: Failed - Adjourned
Relates to utilities, provides access rights to energy usage data maintained by utilities.

HB 1821
Status: Failed - Adjourned
Relates to education, creates the Student Data Privacy Act, provides penalties.

SB 248
Status: Failed - Adjourned
Relates to government data practices, expands the requirement for notification of security breaches.

SB 2054
Status: Failed - Adjourned
Relates to utilities, provides access rights to energy usage data maintained by utilities.

SB 2062
Status: Failed - Adjourned
Relates to data practices, modifies notification procedure related to an unauthorized acquisition of government data.

SB 2063
Status: Failed - Adjourned
Relates to data practices, modifies definition of data security breach.

SB 2291
Status: Failed - Adjourned
Relates to education, creates the Student Data Privacy Act, provides penalties.

Missouri

HB 1499
Status: Failed - Adjourned
Changes the laws regarding the safekeeping of personal information.

HB 2749
Status: Failed - Adjourned
Changes the laws regarding the safekeeping of personal information.

North Carolina

HB 904
Status: Failed - Adjourned
Amends the identity theft protection act.

New Hampshire

HB 1482
Status: Pending
Provides that following the initial notice of a security breach, further information regarding the breach may be withheld pending a criminal investigation.

New Jersey

AB 193
Status: Pending--carryover
Requires disclosure of breach of security of geolocation data.

AB 1718
Status: Pending--carryover
Requires certain notifications and free credit reports for customers following breach of security of personal information within business or public entity.

AB 2449
Status: Pending--carryover
Prohibits consumer reporting agencies from charging certain fees and including certain provisions in contracts with consumers.

AB 3590
Status: Pending--carryover
Revises requirements for the disclosure of a breach of security of certain computerized records containing personal information.

AB 3984
Status: Pending--carryover
Creates affirmative defense for certain breaches of security.

SB 1225
Status: Pending--carryover
Revises requirements for disclosure of a breach of security of certain computerized records containing personal information.

SB 3062
Status: Pending--carryover
Creates affirmative defense for certain breaches of security.

New York

AB 465
Status: Failed - Adjourned
Enacts the Personal Information Protection Act, establishes a personal information bill of rights requiring parties having custody of residents' personal identifying information to ensure the security thereof, provides for the approval of programs to secure personal identifying information by the office of information security, requires the notification of the division of state police and the subjects of information upon the breach of such information, directs the office of technology services to/.

AB 1387
Status: Failed - Adjourned
Amends the General Business Law, relates to imposing a five-day time limit during which to disclose a breach in the security of a system.

AB 2213
Status: Failed - Adjourned
Relates to financial technology products and services, establishes a regulatory sandbox program.

AB 2374
Status: Enacted
Amends the General Business Law, relates to requiring a consumer credit reporting agency to offer identity theft prevention and mitigation services in the case of a breach of the security of such agency's system.

AB 2868
Status: Failed - Adjourned
Amends the General Business Law, provides that if the person or business providing the notification was the source of the breach, an offer to provide appropriate identity theft prevention and mitigation services, shall be provided at no cost to the affected person for not less than 12 months, along with all information necessary to take advantage of the offer to any person whose information was or may have been breached if the breach exposed or may have exposed personal information.

AB 5635
Status: Failed - Adjourned
Relates to notification of a security breach, includes credit and debit cards, increases civil penalties, adds types of information to the definition of private information.

AB 7897
Status: Failed - Adjourned
Amends the General Business Law, requires certain businesses to offer identity theft prevention and mitigation services in the case of a security breach, exempts businesses under financial hardship.

AB 8169
Status: Failed - Adjourned
Places strict liability on companies where breaches of security allow for personal information to be compromised.

AB 9797
Status: Failed - Adjourned
Provides that a business must provide notification of a data breach within fifteen days of such breach, includes the Department of Financial Services in the list of entities that must be notified of a data breach that affects any state resident.

SB 40
Status: Failed - Adjourned
Relates to automatic license plate readers.

SB 133
Status: Failed
Relates to notification of a security breach, includes credit and debit cards, increases civil penalties.

SB 135
Status: Failed - Adjourned
Amends the General Business Law, relates to the timeliness of disclosure of a breach of the security of a system that contains private information, removes language that a fee be paid when a freeze is lifted, requires a security freeze be lifted within one business day of a request.

SB 1749
Status: Failed - Adjourned
Relates to creating a private right of action for the breach of a consumer's identifying information such as their Social Security number, driver's license number, bank account number, credit or debit card number, personal identification number, automated or electronic signature, unique biometric data, account passwords or other information that can be used to access an individual's financial accounts or to obtain goods and services.

SB 2540
Status: Failed - Adjourned
Amends the General Business Law, provides that a business must provide notification of a data breach within 15 days of such breach, includes the department of financial services to the list of entities that must be notified of a data breach that affects any New York resident.

SB 2704
Status: Failed - Adjourned
Amends the General Business Law, prohibits consumer credit reporting agencies from charging a fee to a consumer requesting the placement of a security freeze.

SB 2821
Status: Failed - Adjourned
Amends the Tax Law, relates to a business tax credit for purchase of data breach insurance.

SB 3582
Status: Failed - Adjourned
Amends the General Business Law, relates to requiring a consumer credit reporting agency to offer identity theft prevention and mitigation services in the case of a breach of the security of such agency's system.

SB 5575
Status: Enacted
Relates to notification of a security breach, includes credit and debit cards, increases civil penalties, provides that the state office of information technology services shall develop, update and provide regular training to all state entities relating to best practices for the prevention of a breach of the security of the system.

SB 5721
Status: Failed - Adjourned
Amends the General Business Law, requires certain businesses to offer identity theft prevention and mitigation services in the case of a security breach, exempts businesses under financial hardship.

SB 6701
Status: Failed - Adjourned
Amends the General Business Law, provides that if the person or business providing the notification was the source of the breach, an offer to provide appropriate identity theft prevention and mitigation services, shall be provided at no cost to the affected person for not less than 12 months, along with all information necessary to take advantage of the offer to any person whose information was or may have been breached if the breach exposed or may have exposed personal information.

Oklahoma

SB 288
Status: Failed - Adjourned
Relates to the Security Breach Notification Act, relates to duty to disclose breach and enforcement, requires disclosure of security breach to attorney general, grants exclusive authority to enforce certain violation to attorney general, imposes certain monetary civil penalties, increases certain civil penalty, updates statutory reference, provides an effective date.

Pennsylvania

HB 245
Status: Pending
Amends the act of December 22, 2005, known as the Breach of Personal Information Notification Act, provides for definitions, provides for privacy agreements, provides for notification of breach, provides for disposal of materials containing personal information.

HB 270
Status: Pending
Amends the Credit Reporting Agency Act, provides for definitions, for security freezes, and for fees, provides for credit monitoring services, prohibits the waiver of rights and for a protected person's security freeze.

HB 662
Status: Pending
Amends the act, known as the Breach of Personal Information Notification Act, provides for notification of breach.

HB 1010
Status: Pending
Requires certain entities to provide notification of breach of personal information, provides for a cause of action.

HB 1181
Status: Pending
Amends the act known as the Breach of Personal Information Notification Act, provides for definitions, provides for notification of breach and for notice exemption.

SB 308
Status: Pending
Amends the act, known as the Breach of Personal Information Notification Act, provides for definitions and for notification of breach, provides for contents and nature of notice and for storage policies.

SB 955
Status: Pending
Requires certain entities to provide notification of a breach of personal information, provides for a cause of action.

South Carolina

HB 4000
Status: Enacted
Makes appropriations and provides revenues to meet the ordinary expenses of state government for the fiscal year beginning July 1, 2019, regulates the expenditure of such funds, further provides for the operation of state government during this fiscal year and for other purposes. Provides that an agency of the state owning or licensing computerized data or other data that includes personal identifying information shall disclose any breach of the security of the system to any resident of the state whose personal identifying information was, or is reasonably believed to have been, acquired by an unauthorized person.

Utah

HB 158
Status: Failed
Creates affirmative defenses to causes of action arising out of a data breach involving personal information, restricted information, or both personal information and restricted information, provides that an entity may not claim an affirmative defense if the entity had notice of a threat or hazard, establishes the requirements for asserting an affirmative defense, provides a severability clause.

Vermont

SB 110
Status: Enacted
Revises provisions relating to data privacy and consumer protection, proposes to create a Chief Privacy Officer position, directs the state to conduct a privacy audit concerning the collection and use of citizens' data, adopts a Student Online Privacy Act, expands the definition of personally identifiable information subject to the Security Breach Notice Act.

Washington

HB 1071
Status: Enacted
Revises provisions relating to the protection of personal information and breach of security thereto, requires notifications of breaches of information, provides for format for the notice.

SB 5064
Status: Failed - Adjourned
Protects personal information.

SB 6187
Status: Enacted
Modifies the definition of personal information for notifying the public about data breaches of a state or local agency system.

Wisconsin

AB 870
Status: Failed
Relates to consumer access to personal data processed by a controller, provides a penalty.

District of Columbia

B 215
Status: Enacted
Concerns business data breaches, specifies the required contents of a notification of a security breach to a person whose personal information is included in a breach, clarifies timeframes for reporting breaches, requires that written notice of the breach, including specific information, be given to the attorney general, specifies the security requirements for the protection of personal information.

B 321
Status: Pending
(Introductory Resolution) Establishes a tax credit to create incentives for certified business enterprises and certified small business enterprises to purchase qualified data breach insurance, establishes a tax credit toward the corporate or unincorporated taxes a CBE or a certified SBE pays when it purchases data breach insurance, requires the council to reauthorize the use of this tax incentive annually, requires the chief financial officer to establish rules and regulations to implement this Act.

Puerto Rico

HB 607 (2017)
Status: Pending - Carryover
Amends Law 234 of 2014 for the purposes of establishing the obligation of the holder of personally identifiable information from consumers to notify failures or violations to the security settings in the receipt of information, requires the ways to notify the consumer and the terms to do so.

HB 710 (2017)
Status: Failed
Amends Law 364 of 2000 to include the definition of Identity Theft and to give the consumer the right to a notation on his or her credit report in cases in which it has been harmed by a usurpation of identity, requests a freeze of such a credit report so that you can only be made with your specific knowledge and consent prior and have on their regulation and effect.

HB 748 (2017)
Status: Failed
Amends Law 364 of 2000 to include the definition of Identity Theft and to give the consumer the right to a notation on your credit report in cases in which it has been harmed by a usurpation of identity, requests a freeze of the credit report so that you can only be made with one's specific knowledge and consent prior to the regulation and effect.