2021 Security Breach Legislation

5/21/2021

DATA BREACH

All 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted security breach notification laws that require businesses or governments to notify consumers or citizens if their personal information is breached.

Lawmakers continue to review existing laws, however. At least 22 states, listed below, introduced or considered measures in 2021 that would amend existing security breach laws. Bills were enacted in three states—Georgia, North Dakota and Utah (highlighted in bold below) so far in 2021. 

The most common trends in legislation this year include proposals that would:

  • Establish or shorten the time frame within which an entity must report a breach.
  • Require state or local government entities to report data breaches.
  • Provide an affirmative defense for entities that had reasonable security practices in place at the time of a breach.
  • Expand definitions of "personal information" (e.g., to include biometric information, health information, etc.).
  • Require private sector entities to report breaches to the state attorney general or other state entity.

2021 Legislation

Arizona

AZ S.B. 1279
Status: Pending
Relates to student-level data, relates to accessibility, relates to allowable disclosure, relates to appropriations, relates to Department of Education.

California

CA A.B. 346
Status: Pending
Relates to the Information Practices Act which requires an agency, which includes a local agency, that owns or licenses computerized data that includes personal information to disclose expeditiously and without unreasonable delay a breach in the security of the data to a resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Makes this requirement applicable if the information is accessed by an unauthorized person.

CA A.B. 825
Status: Pending
Specifies that personal information includes genetic information, and would define genetic data to mean any data, regardless of its format, that results from the analysis of a biological sample of an individual, or other source, and concerns genetic material, as specified.

Connecticut

CT H.B. 5310
Status: Pending
Expands the data privacy breach notification statute consumer protection.

CT H.B. 5868
Status: Failed
Requires an online listing of all cyberattacks or data breaches in the state, establishes a central location that lists all cyberattacks or data breaches in the state.

Florida

FL H.B. 971
Status: Failed
Relates to public records, relates to consumer data privacy, provides exemption from public records requirements for information relating to investigations by Department of Legal Affairs and law enforcement agencies of certain data privacy violations, provides for future review and repeal, provides statement of public necessity.

Georgia

GA H.B. 156
Status: Enacted
Relates to military, emergency management, and veterans affairs, so as to provide for additional powers and duties related to homeland security and the military, facilitates the sharing of information and reporting of cyber attacks, requires governmental agencies and utilities to report any cyber attacks to the director of emergency management and homeland security, provides for certain reports and records related to cyber attacks to be exempt from public disclosure, relates to workforce development.

GA H.B. 260
Status: Pending - Carryover
Relates to selling and other trade practices, so as to provide for legislative findings, provides standards for cybersecurity programs to protect businesses from liability, provides for affirmative defenses for data breaches of private information, provides for related matters, provides for an effective date, repeals conflicting laws.

GA S.B. 52
Status: Pending - Carryover
Relates to selling and other trade practices, so as to provide for legislative findings, provides standards for cybersecurity programs to protect businesses from liability, provides for affirmative defenses for data breaches of private information, provides for related matters, provides for an effective date, repeals conflicting laws.

Hawaii

HI S.B. 1009
Status: Pending - Carryover
Amends the definition of "personal information" for the purpose of applying modern security breach of personal information law, prohibits the sale of geolocation information and internet browser information without consent, amends provisions relating to electronic eavesdropping law, prohibits certain manipulated images of individuals.

Illinois

IL H.B. 3412
Status: Pending
Amends the Personal Information Protection Act, provides that if there is a breach of the security of system data, a data collector must notify the Attorney General in addition to the resident to whom the breach relates, requires the notice to be provided no later than 5 days after the breach.

IL S.B. 2353
Status: Pending
Amends the Personal Information Protection Act, provides that data collectors that maintain or store, but do not own or license, computerized data that includes personal information and that are required to issue notice pursuant to this section to the owner or licensee of the information that there has been a breach of the security of the data shall notify the Attorney General regarding the breach.

Massachusetts

MA S.B. 50
Status: Pending
Relates to data security and privacy.

MA S.B. 161
Status: Pending
Protects biometric information under the security breach law.

MA S.B. 225
Status: Pending
Protects personal identifying information.

Maryland

MA SD 1682
Status: Pending
Relates to protecting biometric information under the security breach law.

Maryland

MD H.B. 117
Status: Failed
Relates to the Personal Information Protection Act.

MD H.B. 148
Status: Failed 
Relates to the Personal Information Protection Act.

MD S.B. 112
Status: Failed 
Relates to the Personal Information Protection Act.

MD S.B. 217
Status: Failed -
Relates to the Personal Information Protection Act.

Michigan

MI H.B. 4437
Status: Pending
Provides database security breach policy for state agencies.

Minnesota

MN H.B. 347
Status: Pending - Carryover
Relates to government data practices, expands the requirement for notification of security breaches.

MN S.B. 1127
Status: Pending - Carryover
Relates to government data practices, expands the requirement for notification of security breaches.

Missouri

MO S.B. 4
Status: Pending
Relates to motor vehicle financial responsibility.

MO S.B. 222
Status: Pending
Relates to the safe keeping of personal information.

Nevada

NV S.B. 26
Status: Failed
Expands the information which constitutes personal information by including several additional data elements that, when paired with a portion of the name of a natural person, constitute personal information. This bill also treats a user name, unique identifier or electronic mail address in combination with a password, access code or security question and answer as personal information regardless of whether such information is paired with a portion of the name of a natural person. Finally, this bill excludes as personal information: (1) a number which is altered to provide not more than the last four digits of the number and to remove at least two digits; and (2) publicly available information that is widely distributed through other media.

NV S.B. 239
Status: Failed
Relates to cybersecurity, provides immunity from liability for damages arising from the commission of certain unfair trade practices under certain circumstances to certain owners of the rights to a proprietary program or the data stored in a computer who have adopted certain security controls or standards, provides additional circumstances under which certain data collectors are immune from liability for damages for a breach of the security of the system data.

New Jersey

NJ A.B. 193
Status: Pending
Requires disclosure of breach of security of geolocation data.

NJ A.B. 1718
Status: Pending
Requires certain notifications and free credit reports for customers following breach of security of personal information within business or public entity.

NJ A.B. 2449
Status: Pending
Prohibits consumer reporting agencies from charging certain fees and including certain provisions in contracts with consumers.

NJ A.B. 3590
Status: Pending
Revises requirements for the disclosure of a breach of security of certain computerized records containing personal information.

NJ A.B. 3984
Status: Pending
Creates affirmative defense for certain breaches of security.

NJ S.B. 1225
Status: Pending
Revises requirements for disclosure of a breach of security of certain computerized records containing personal information.

NJ S.B. 3062
Status: Pending
Creates affirmative defense for certain breaches of security.

New York

NY A.B. 2500
Status: Pending
Amends the General Business Law, relates to imposing a five-day time limit during which to disclose a breach in the security of a system.

NY A.B. 3088
Status: Pending
Amends the General Business Law, requires certain businesses to offer identity theft prevention and mitigation services in the case of a security breach, exempts businesses under financial hardship.

NY A.B. 3127
Status: Pending
Amends the General Business Law, amends the definition of private information to include birth dates, home addresses or phone numbers or any combination thereof.

NY A.B. 7612
Status: Pending
Relates to the notification of certain state agencies within twenty-four hours of a discovery of a data breach or network security breach.

NY S.B. 2087
Status: Pending
Amends the Tax Law, relates to a business tax credit for purchase of data breach insurance.

NY S.B. 3003
Status: Pending
Creates a private right of action for the breach of a consumer's identifying information such as their social security number, driver's license number, bank account number, credit or debit card number, personal identification number, automated or electronic signature, unique biometric data, account passwords or other information that can be used to access an individual's financial accounts or to obtain goods and services.

NY S.B. 3161
Status: Pending
Requires certain businesses to offer identity theft prevention and mitigation services in the case of a security breach, exempts businesses under financial hardship.

NY S.B. 5808
Status: Pending
Provides that a business must provide notification of a data breach within 15 days of such breach, includes the department of financial services to the list of entities that must be notified of a data breach that affects any New York resident.

North Dakota

ND H.B. 1314
Status: Enacted
Relates to cybersecurity incident reporting requirements.

Oregon

OR H.B. 2128
Status: Pending
Requires tax professionals to report a breach of security associated with tax return preparation to Department of Revenue.

Pennsylvania

PA S.B. 608
Status: Pending
Amends the Breach of Personal Information Notification Act; provides for definitions and for notification of breach; provides for contents and nature of notice and for storage policies.

PA S.B. 696
Status: Pending
Prohibits employees of the Commonwealth from using nonsecured Internet connections, provides for Commonwealth policy and for entities subject to the Health Insurance Portability and Accountability Act.

Tennessee

TN H.B. 470
Status: Pending - Carryover
Changes, from 45 days to 60 days, the limitation on delaying notification to persons affected by the breach of a system security when a law enforcement agency determines that the notification will impede a criminal investigation.

TN H.B. 1551
Status: Pending - Carryover
Relates to Consumer Protection, reduces the number of days a business has to notify a consumer of a data breach involving the consumer's personal information from 45 days to 30 days.

TN S.B. 891
Status: Pending - Carryover
Changes, from 45 days to 60 days, the limitation on delaying notification to persons affected by the breach of a system security when a law enforcement agency determines that the notification will impede a criminal investigation.

TN S.B. 1540
Status: Pending - Carryover
Reduces the number of days a business has to notify a consumer of a data breach involving the consumer's personal information from 45 days to 30 days.

Texas

TX H.B. 3746
Status: Pending
Relates to certain notifications required following a breach of security of computerized data.

Utah

UT H.B. 80
Status: Enacted
Creates affirmative defenses to certain causes of action arising out of a breach of system security.

Washington

WA S.B. 5462
Status: Pending - Carryover
Concerns claims due to a breach of the security of a state database or information technology system.

StateNet logoLexis Nexis Terms and Conditions

Additional Resources