Alabama |
2018 SB 318 |
A person, sole proprietorship, partnership, government entity, corporation, nonprofit, trust, estate, cooperative association, or other business entity that acquires or uses sensitive personally identifying information. |
Implement and maintain reasonable security measures (as specified/detailed in statute) to protect sensitive personally identifying information against a breach of security. |
California |
Calif. Civil Code § 1798.91.04 |
Manufacturers of connected devices sold in California. |
Equip the device with reasonable security features that are appropriate to the nature and function of the device and the information it may collect, contain, or transmit, and that are designed to protect the device and any information it contains from unauthorized access, destruction, use, modification, or disclosure. |
Colorado |
Colo. Rev. Stat. § 6-1-713 to -713.5 |
Any entity that maintains, owns, or licenses personal identifying information in the course of the person’s business or occupation. |
Develop written policies for the proper disposal of personal information once such information is no longer needed. Implement and maintain reasonable security practices and procedures to protect personal identifying information from unauthorized access. |
Delaware |
Del. Code § 12B-100 |
Any person who conducts business in the state and owns, licenses, or maintains personal information. |
Implement and maintain reasonable procedures and practices to prevent the unauthorized acquisition, use, modification, disclosure, or destruction of personal information collected or maintained in the regular course of business. |
Illinois |
815 ILCS 530/45 |
A data collector that owns or licenses, or maintains or stores but does not own or license, records that contain personal information. |
Implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure. A contract for the disclosure of personal information must include a provision requiring the person to whom the information is disclosed to implement and maintain reasonable security measures. |
Kansas |
K.S. § 50-6,139b |
A holder of personal information: a person who, in the ordinary course of business, collects, maintains or possesses, or causes to be collected, maintained or possessed, the personal information of any other person. |
Implement and maintain reasonable procedures and practices appropriate to the nature of the information, and exercise reasonable care to protect the personal information from unauthorized access, use, modification or disclosure. |
Louisiana |
La. Rev. Stat. § 3074 (2018 SB 361) |
Any person that conducts business in the state or that owns or licenses computerized data that includes personal information. |
Implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. |
Maryland |
Md. Code Com Law §§ 14-3501 to -3503 |
A business: a sole proprietorship, partnership, corporation, association, or any other business entity, whether or not organized to operate at a profit. Business includes a financial institution… Nonaffiliated third party/service provider |
Implement and maintain reasonable security procedures and practices appropriate to the nature of the personal information owned or licensed and the nature and size of the business and its operations. |
Massachusetts |
Mass. Gen. Laws Ch. 93H § 2(a) |
Any person that owns or licenses personal information. |
Authorizes regulations to ensure the security and confidentiality of customer information in a manner fully consistent with industry standards. The regulations shall take into account the person's size, scope and type of business, resources available, amount of stored data, and the need for security and confidentiality of both consumer and employee information. See also 201 Mass. Code of Regs. 17.00-17.04 |
Minnesota |
Minn. Stat. § 325M.05 |
Internet service providers. |
Take reasonable steps to maintain the security and privacy of a consumer's personally identifiable information. |
Nebraska |
Neb. Rev. Stat. §§ 87-801-807 (2018 L.B. 757) |
Any individual or commercial entity that conducts business in Nebraska and maintains personal information about Nebraska residents. |
Establish and maintain reasonable security processes and practices appropriate to the nature of the personal information maintained. Ensure that all third parties to whom the entity provides sensitive personal information establish and maintain reasonable security processes and practices appropriate to the nature of the personal information maintained. |
New Mexico |
N.M. Stat. § 57-12C-4 to -5 |
A person that owns or licenses personal identifying information of a New Mexico resident. |
Implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal identifying information from unauthorized access, destruction, use, modification or disclosure. |
Ohio |
Ohio Rev. Stat. § 1354.01 to 1354.05 (2018 S.B. 220) |
Business or nonprofit entity, including a financial institution, that accesses, maintains, communicates, or handles personal information or restricted information. |
To qualify for an affirmative defense to a cause of action alleging a failure to implement reasonable information security controls resulting in a data breach, an entity must create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal information as specified (e.g., conforming to an industry-recognized cybersecurity framework as listed in the act). |
Vermont |
9 V.S.A § 2446-2447 (2018 HB 764) |
Data brokers--businesses that knowingly collect and license the personal information of consumers with whom such businesses do not have a direct relationship. |
Register annually with the Secretary of State. Implement and maintain a written information security program containing administrative, technical, and physical safeguards to protect personally identifiable information. |