2022 Security Breach Legislation

9/29/2022

All 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have security breach notification laws that require businesses or governments to notify consumers or citizens if their personal information is breached.

Lawmakers continue to review existing laws, however. At least 19 states, listed below, introduced or considered measures in 2022 that would amend existing security breach laws.

The most common legislative trends this year include proposals that would:

  • Establish or shorten the time frame within which an entity must report a breach.
  • Require state or local government entities to report data breaches.
  • Provide an affirmative defense for entities that had reasonable security practices in place at the time of a breach.
  • Expand definitions of “personal information” to include biometric information, health information, etc.

2022 Legislation

Arizona

AZ H.B. 2146
Status: Enacted
Relates to data security breach, relates to notification of security system breaches, relates to requirements, relates to enforcement, relates to confidentiality, relates to civil penalty, provides preemption, provides exceptions.

 

California

CA A.B. 346
Status: Failed
Relates to the Information Practices Act which requires an agency, which includes a local agency, that owns or licenses computerized data that includes personal information to disclose expeditiously and without unreasonable delay a breach in the security of the data to a resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Makes this requirement applicable if the information is accessed by an unauthorized person.

CA A.B. 1711
Status: Vetoed
Requires an agency to post a notice on the agency's internet website when a person or business operating a system on behalf of the agency is required to issue a security breach notification for that system.

 

Georgia

GA H.B. 260
Status: Failed - adjourned
Relates to selling and other trade practices, so as to provide for legislative findings, provides standards for cybersecurity programs to protect businesses from liability, provides for affirmative defenses for data breaches of private information, provides for related matters, provides for an effective date, repeals conflicting laws.

GA S.B. 52
Status: Failed - adjourned
Relates to selling and other trade practices, so as to provide for legislative findings, provides standards for cybersecurity programs to protect businesses from liability, provides for affirmative defenses for data breaches of private information, provides for related matters, provides for an effective date, repeals conflicting laws.

 

Hawaii

HI S.B. 1009
Status: Failed - adjourned
Amends the definition of “personal information” for the purpose of applying modern security breach of personal information law, prohibits the sale of geolocation information and internet browser information without consent, amends provisions relating to electronic eavesdropping law, prohibits certain manipulated images of individuals.

HI S.B. 2292
Status: Failed - adjourned
Amends the definition of personal information for the purpose of applying modern security breach of personal information law.

 

Illinois

IL H.B. 3030
Status: Pending
Creates the Cybersecurity Compliance Act, creates an affirmative defense for every covered entity that creates, maintains and complies with a written cybersecurity program that contains administrative, technical and physical safeguards for the protection of either personal information or both personal information and restricted information and that reasonably conforms to an industry-recognized cybersecurity framework, prescribes requirements for the cybersecurity program.

IL H.B. 3412
Status: Pending
Amends the Personal Information Protection Act, provides that if there is a breach of the security of system data, a data collector must notify the attorney general in addition to the resident to whom the breach relates, requires the notice to be provided no later than five days after the breach.

IL S.B. 2353
Status: Pending
Amends the Personal Information Protection Act, provides that data collectors that maintain or store, but do not own or license, computerized data that includes personal information and that are required to issue notice pursuant to this section to the owner or licensee of the information that there has been a breach of the security of the data shall notify the attorney general regarding the breach.

 

Indiana

IN H.B. 1351
Status: Enacted
Relates to disclosure or notification of data breach, adds a requirement that disclosure or notice must occur not more than a specified number of days after the discovery of a breach.

 

Massachusetts

MA S.B. 50
Status: Pending
Relates to data security and privacy.

MA S.B. 161
Status: Pending
Protects biometric information under the security breach law.

MA S.B. 225
Status: Pending
Protects personal identifying information.

 

Maryland

MD H.B. 962
Status: Enacted
Requires a business that maintains personal information of an individual residing in the state to implement and maintain certain security procedures and practices, alters certain requirements related to notifications of breaches of the security of systems, including the circumstances under which the owner or licensee of certain computerized data is required to notify certain individuals of a breach.

MD S.B. 643
Status: Enacted
Requires a business that maintains personal information of an individual residing in the state to implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal information owned, maintained or licensed, alters certain requirements related to notifications of breaches of the security of systems, including the circumstances under which the owner or licensee of certain computerized data is required to notify certain individuals of a breach.

 

Michigan

MI H.B. 4437
Status: Pending
Provides database security breach policy for state agencies.

MI S.B. 672
Status: Pending
Provides for an affirmative defense for covered entities with cybersecurity programs under certain circumstances.

 

Minnesota

MN H.B. 347
Status: Failed - adjourned
Relates to government data practices, expands the requirement for notification of security breaches.

MN S.B. 1127
Status: Failed - adjourned
Relates to government data practices, expands the requirement for notification of security breaches.

 

Mississippi

MS H.B. 1366
Status: Failed
Requires reporting of certain instances of a security breach to the office of the attorney general, requires that such report to the attorney general include certain information, exempts certain information marked as confidential from the State Public Records Act of 1983.

MS S.B. 2528
Status: Failed
Requires any business that has experienced a breach of security of the personal information of 100 or more affected individuals to provide written notice to the attorney general as expeditiously as possible and without unreasonable delay, provides that the attorney general is empowered to promulgate rules and regulations necessary to enforce and effectuate the provisions of this act.

 

New Jersey

NJ A.B. 166
Status: Pending
Requires disclosure of breach of security of geolocation data.

NJ A.B. 1268
Status: Pending
Revises requirements for the disclosure of a breach of security of certain computerized records containing personal information.

NJ A.B. 1426
Status: Pending
Requires certain notifications and free credit reports for customers following breach of security of personal information within business or public entity.

NJ S.B. 1352
Status: Pending
Revises requirements for disclosure of a breach of security of certain computerized records containing personal information.

NJ S.B. 1860
Status: Pending
Creates affirmative defense for certain breaches of security.

 

New York

NY A.B. 2500
Status: Pending
Amends the General Business Law, relates to imposing a five-day time limit during which to disclose a breach in the security of a system.

NY A.B. 3088
Status: Pending
Amends the General Business Law, requires certain businesses to offer identity theft prevention and mitigation services in the case of a security breach, exempts businesses under financial hardship.

NY A.B. 3127
Status: Pending
Amends the General Business Law, amends the definition of private information to include birth dates, home addresses or phone numbers or any combination thereof.

NY A.B. 7612
Status: Pending
Relates to the notification of certain state agencies within 24 hours of a discovery of a data breach or network security breach.

NY A.B. 8793
Status: Pending
Relates to the notification of certain state agencies of a breach of the security system or a breach of the security network.

NY S.B. 2087
Status: Pending
Amends the Tax Law, relates to a business tax credit for purchase of data breach insurance.

NY S.B. 3003
Status: Pending
Creates a private right of action for the breach of a consumer's identifying information such as their social security number, driver's license number, bank account number, credit or debit card number, personal identification number, automated or electronic signature, unique biometric data, account passwords or other information that can be used to access an individual's financial accounts or to obtain goods and services.

NY S.B. 3161
Status: Pending
Requires certain businesses to offer identity theft prevention and mitigation services in the case of a security breach, exempts businesses under financial hardship.

NY S.B. 5808
Status: Pending
Provides that a business must provide notification of a data breach within 15 days of such breach, adds the department of financial services to the list of entities that must be notified of a data breach that affects any New York resident.

NY S 7019
Status: Enacted
Provides that the Office of Information Technology Services shall, within 24 hours following the discovery of a data breach or network security breach or receiving notice of such breach, notify the chief information officer and/or the chief information security officer of any state entity with which it shares data, provides networked services or shares a network connection whose data, services or connection is or may have been the subject of such breach.

NY S.B. 7786
Status: Enacted
Relates to the notification of certain state agencies of a breach of the security system or a breach of the security network.

 

Ohio

OH H.B. 432
Status: Pending
Amends section 1347.12, enacts section 125.184 of the Revised Code regarding data breaches on state agency computer systems.

 

Pennsylvania

PA H.B. 1945
Status: Pending
Amends the Breach of Personal Information Notification Act, provides for definitions.

PA H.B. 2285
Status: Pending
Amends the Breach of Personal Information Notification Act, provides for definitions.

PA S.B. 608
Status: Pending
Amends the Breach of Personal Information Notification Act, provides for definitions and for notification of breach, provides for contents and nature of notice and for storage policies.

PA S.B. 696
Status: Pending
Prohibits employees of the commonwealth from using nonsecured Internet connections, provides for commonwealth policy and for entities subject to the Health Insurance Portability and Accountability Act.

Rhode Island

RI H 7566
Status: Pending
Expands the definition of "personal information" to include a catchall category, ensuring the ever-changing forms of personal information that can be used to commit identity theft are protected. These other forms of personal information include biometric data, ITIN numbers, passport numbers, or any range of data that "can be used to identify" a person. Hacks and breaches impacting consumers who have provided a business or governmental entity with these additional forms of data would trigger the breach.

RI S 2664
Status: Pending
Provides identity theft protections by requiring reporting of breaches by certain municipal and state agencies, requires notice to collective bargaining agents where required and requires an explanation of remediation services.

Tennessee

TN H.B. 470
Status: Failed - adjourned
Changes, from 45 days to 60 days, the limitation on delaying notification to persons affected by the breach of a system security when a law enforcement agency determines that the notification will impede a criminal investigation.

TN H.B. 1551
Status: Failed - adjourned
Relates to Consumer Protection, reduces the number of days a business has to notify a consumer of a data breach involving the consumer's personal information from 45 days to 30 days.

TN S.B. 891
Status: Failed - adjourned
Changes, from 45 days to 60 days, the limitation on delaying notification to persons affected by the breach of a system security when a law enforcement agency determines that the notification will impede a criminal investigation.

TN S.B. 1540
Status: Failed - adjourned
Reduces the number of days a business has to notify a consumer of a data breach involving the consumer's personal information from 45 days to 30 days.

Utah

UT H 457
Status: Failed
Amends provisions related to the protection of personal information.

Washington

WA S.B. 5462
Status: Failed - adjourned
Concerns claims due to a breach of the security of a state database or information technology system.
