Arizona |
AZ H.B. 2146 Status: Enacted Relates to data security breach, relates to notification of security system breaches, relates to requirements, relates to enforcement, relates to confidentiality, relates to civil penalty, provides preemption, provides exceptions. |
California |
CA A.B. 346 Status: Failed Relates to the Information Practices Act which requires an agency, which includes a local agency, that owns or licenses computerized data that includes personal information to disclose expeditiously and without unreasonable delay a breach in the security of the data to a resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Makes this requirement applicable if the information is accessed by an unauthorized person.
CA A.B. 1711 Status: Vetoed Requires an agency to post a notice on the agency's internet website when a person or business operating a system on behalf of the agency is required to issue a security breach notification for that system. |
Georgia |
GA H.B. 260 Status: Failed - adjourned Relates to selling and other trade practices, so as to provide for legislative findings, provides standards for cybersecurity programs to protect businesses from liability, provides for affirmative defenses for data breaches of private information, provides for related matters, provides for an effective date, repeals conflicting laws.
GA S.B. 52 Status: Failed - adjourned Relates to selling and other trade practices, so as to provide for legislative findings, provides standards for cybersecurity programs to protect businesses from liability, provides for affirmative defenses for data breaches of private information, provides for related matters, provides for an effective date, repeals conflicting laws.
|
Hawaii |
HI S.B. 1009 Status: Failed - adjourned Amends the definition of “personal information’ for the purpose of applying modern security breach of personal information law, prohibits the sale of geolocation information and internet browser information without consent, amends provisions relating to electronic eavesdropping law, prohibits certain manipulated images of individuals.
HI S.B. 2292 Status: Failed - adjourned Amends the definition of personal information for the purpose of applying modern security breach of personal information law. |
Illinois |
IL H.B. 3030 Status: Pending Creates the Cybersecurity Compliance Act, creates an affirmative defense for every covered entity that creates, maintains and complies with a written cybersecurity program that contains administrative, technical and physical safeguards for the protection of either personal information or both personal information and restricted information and that reasonably conforms to an industry-recognized cybersecurity framework, prescribes requirements for the cybersecurity program.
IL H.B. 3412 Status: Pending Amends the Personal Information Protection Act, provides that if there is a breach of the security of system data, a data collector must notify the attorney general in addition to the resident to whom the breach relates, requires the notice to be provided no later than five days after the breach.
IL S.B. 2353 Status: Pending Amends the Personal Information Protection Act, provides that data collectors that maintain or store, but do not own or license, computerized data that includes personal information and that are required to issue notice pursuant to this section to the owner or licensee of the information that there has been a breach of the security of the data shall notify the attorney general regarding the breach. |
Indiana |
IN H.B. 1351 Status: Enacted Relates to disclosure or notification of data breach, adds a requirement that disclosure or notice must occur not more than a specified number of days after the discovery of a breach. |
Massachusetts |
MA S.B. 50 Status: Pending Relates to data security and privacy.
MA S.B. 161 Status: Pending Protects biometric information under the security breach law.
MA S.B. 225 Status: Pending Protects personal identifying information. |
Maryland |
MD H.B. 962 Status: Enacted Requires a business that maintains personal information of an individual residing in the state to implement and maintain certain security procedures and practices; altering certain requirements related to notifications of breaches of the security of systems, including the circumstances under which the owner or licensee of certain computerized data is required to notify certain individuals of a breach.
MD S.B. 643 Status: Enacted Requires a business that maintains personal information of an individual residing in the state to implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal information owned, maintained or licensed, alters certain requirements related to notifications of breaches of the security of systems, including the circumstances under which the owner or licensee of certain computerized data is required to notify certain individuals of a breach.
|
Michigan |
MI H.B. 4437 Status: Pending Provides database security breach policy for state agencies.
MI S.B. 672 Status: Pending Provides for an affirmative defense for covered entities with cybersecurity programs under certain circumstances. |
Minnesota |
MN H.B. 347 Status: Failed - adjourned Relates to government data practices, expands the requirement for notification of security breaches.
MN S.B. 1127 Status: Failed - adjourned Relates to government data practices, expands the requirement for notification of security breaches. |
Mississippi |
MS H.B. 1366 Status: Failed Requires reporting of certain instances of a security breach to the office of the attorney general, requires that such report to the attorney general include certain information, exempts certain information marked as confidential from the State Public Records Act of 1983.
MS S.B. 2528 Status: Failed Requires any business that has experienced a breach of security of the personal information of 100 or more affected individuals to provide written notice to the attorney general as expeditiously as possible and without unreasonable delay, provides that the attorney general is empowered to promulgate rules and regulations necessary to enforce and effectuate the provisions of this act. |
New Jersey |
NJ A.B. 166 Status: Pending Requires disclosure of breach of security of geolocation data.
NJ A.B. 1268 Status: Pending Revises requirements for the disclosure of a breach of security of certain computerized records containing personal information.
NJ A.B. 1426 Status: Pending Requires certain notifications and free credit reports for customers following breach of security of personal information within business or public entity.
NJ S.B. 1352 Status: Pending Revises requirements for disclosure of a breach of security of certain computerized records containing personal information.
NJ S.B. 1860 Status: Pending Creates affirmative defense for certain breaches of security. |
New York |
NY A.B. 2500 Status: Pending Amends the General Business Law, relates to imposing a five-day time limit during which to disclose a breach in the security of a system.
NY A.B. 3088 Status: Pending Amends the General Business Law, requires certain businesses to offer identity theft prevention and mitigation services in the case of a security breach, exempts businesses under financial hardship.
NY A.B. 3127 Status: Pending Amends the General Business Law, amends the definition of private information to include birth dates, home addresses or phone numbers or any combination thereof.
NY A.B. 7612 Status: Pending Relates to the notification of certain state agencies within 24 hours of a discovery of a data breach or network security breach.
NY A.B. 8793 Status: Pending Relates to the notification of certain state agencies of a breach of the security system or a breach of the security network.
NY S.B. 2087 Status: Pending Amends the Tax Law, relates to a business tax credit for purchase of data breach insurance.
NY S.B. 3003 Status: Pending Creates a private right of action for the breach of a consumer's identifying information such as their social security number, driver's license number, bank account number, credit or debit card number, personal identification number, automated or electronic signature, unique biometric data, account passwords or other information that can be used to access an individual's financial accounts or to obtain goods and services.
NY S.B. 3161 Status: Pending Requires certain businesses to offer identity theft prevention and mitigation services in the case of a security breach, exempts businesses under financial hardship.
NY S.B. 5808 Status: Pending Provides that a business must provide notification of a data breach within 15 days of such breach, includes the department of financial services to the list of entities that must be notified of a data breach that affects any New York resident.
NY S 7019 Status: Enacted Provides that the Office of Information Technology Services shall, within 24 hours following the discovery of a data breach or network security breach or receiving notice of such breach, notify the chief information officer and/or the chief information security officer, of any state entity with which it shares data, provides networked services or shares a network connection whose data, services or connection is or may have been the subject of such breach.
NY S.B. 7786 Status: Enacted Relates to the notification of certain state agencies of a breach of the security system or a breach of the security network. |
Ohio |
OH H.B. 432 Status: Pending Amends section 1347.12, enacts section 125.184 of the Revised Code regarding data breaches on state agency computer systems. |
Pennsylvania |
PA H.B. 1945 Status: Pending Amends the Breach of Personal Information Notification Act, provides for definitions.
PA H.B. 2285 Status: Pending Amends the Breach of Personal Information Notification Act, provides for definitions.
PA S.B. 608 Status: Pending Amends the Breach of Personal Information Notification Act, provides for definitions and for notification of breach, provides for contents and nature of notice and for storage policies.
PA S.B. 696 Status: Pending Prohibits employees of the commonwealth from using nonsecured Internet connections, provides for commonwealth policy and for entities subject to the Health Insurance Portability and Accountability Act. |
Rhode Island |
RI H 7566 Status: Pending Expands the definition of "personal information" to include a catchall category, ensuring the ever-changing forms of personal information that can be used to commit identity theft are protected. These other forms of personal information include biometric data, ITIN numbers, passport numbers, or any range of data that "can be used to identify" a person. Hacks and breaches impacting consumers who have provided a business or governmental entity with these additional forms of data would trigger the breach.
RI S 2664 Status: Pending Provides identity theft protections by requiring reporting of breaches by certain municipal and state agencies, requires notice to collective bargaining agents where required and requires an explanation of remediation services. |
Tennessee |
TN H.B. 470 Status: Failed - adjourned Changes, from 45 days to 60 days, the limitation on delaying notification to persons affected by the breach of a system security when a law enforcement agency determines that the notification will impede a criminal investigation.
TN H.B. 1551 Status: Failed - adjourned Relates to Consumer Protection, reduces the number of days a business has to notify a consumer of a data breach involving the consumer's personal information from 45 days to 30 days.
TN S.B. 891 Status: Failed - adjourned Changes, from 45 days to 60 days, the limitation on delaying notification to persons affected by the breach of a system security when a law enforcement agency determines that the notification will impede a criminal investigation.
TN S.B. 1540 Status: Failed - adjourned Reduces the number of days a business has to notify a consumer of a data breach involving the consumer's personal information from 45 days to 30 days. |
Utah |
UT H 457 Status: Failed Amends provisions related to the protection of personal information. |
Washington |
WA S.B. 5462 Status: Failed - adjourned Concerns claims due to a breach of the security of a state database or information technology system. |