Data Breach - Security Breach Legislation 2011
As of April, 2011
Summary: Security breach-related legislation has been introduced in at least 14 states in 2011.
Also see State Security Breach Notification Laws.
ARIZONA
S.B. 1596
Relates to health records banks; requires a health records bank operator to provide consumers with a centralized and accessible database for the consumer's health records, including lab results; requires compliance with minimum health department standards; requires consumer electronic account access, electronic copies of medical records, permitted delegation of another person to manage account information, shared information for research and prompt reporting of security breaches.
CALIFORNIA
S.B. 24
Requires any agency, person, or business that is required to issue a security breach notification pursuant to existing law to fulfill additional requirements pertaining to the security breach notification by electronically submitting a single sample copy of that security breach notification to the Attorney General. Provides that a covered entity under the federal Health Insurance Portability and Accountability Act is deemed to have complied with these provisions if it has complied with existing federal law.
COLORADO
H.B. 1225
Concerns legal actions addressing breaches of data security that involve personal information.
HAWAII
H.B. 678
Requires a business or government agency responsible for the inadvertent, unauthorized disclosure of personal information to pay for the person's access to credit reports for at least three years.
H.B. 1220
Provides a private cause of action for a victim who, as a result of an information security breach, suffers a risk of harm from identity theft; amends the type of notice that must be given to a person affected by a security breach; defines identity theft.
H.B. 1337
Provides a private cause of action for a victim who, as a result of an information security breach, suffers a risk of harm from identity theft; amends the type of notice that must be given to a person affected by a security breach; defines identity theft.
H.B. 1549
Requires government agencies to develop mandatory training programs for agency personnel to whom disclosures of personal information are made or to whom access to the personal information may be granted; in the event of a government security breach, requires the government agency to be responsible for the cost of credit report or credit monitoring services for any individual affected by the breach for two years following the discovery of the security breach.
S.B. 728
Provides a private cause of action for a victim who, as a result of an information security breach, suffers a risk of harm from identity theft; amends the type of notice that must be given to a person affected by a security breach; defines identity theft.
S.B. 796
Requires a business or government agency responsible for the inadvertent, unauthorized disclosure of personal information to pay for the person's access to credit reports for at least three years.
S.B. 1162
Requires government agencies to develop mandatory training programs for agency personnel to whom disclosures of personal information are made or to whom access to the personal information may be granted; in the event of a government security breach, requires the government agency to be responsible for the cost of credit report or credit monitoring services for any individual affected by the breach for two years following the discovery of the security breach.
H.C.R. 31
Requests a comprehensive study on the results and impact of Act 10, Session Laws of Hawaii 2008, as well as other information security proposals in relation to security breaches of personal information that lead to identity theft; requires an organization that has permitted a security breach to conduct an independent audit, to be made available to the public upon completion, to reassure the public and Legislature that the organization has fulfilled any promises to take remedial action.
S.C.R. 31
Requests a comprehensive study on the results and impact of Act 10, Session Laws of Hawaii 2008, as well as other information security proposals.
ILLINOIS
H.B. 3025
Amends the Personal Information Protection Act; relates to security breaches; requires that certain information be provided in a disclosure notification to a State resident after a breach; provides for a delay of notification to prevent interference with a criminal investigation; provides that civil penalties may be imposed on certain contracted third parties; specifies that a person disposing of materials containing personal information must do so in a manner that renders the information undecipherable.
MASSACHUSETTS
H.B. 126
Relates to the protection of personal information in consumer transactions.
NEW HAMPSHIRE
S.B. 186
Repeals the exemption from the Consumer Protection Act for certain regulated trade and commerce.
NEW JERSEY
A.B. 124
Creates offenses pertaining to unauthorized use of confidential information.
A.B. 175
Enhances duty and broadens liability concerning security of personal information, and response to breach of security, under "Identity Theft Prevention Act."
A.B. 1429
Prohibits retail sales establishment from storing certain magnetic-stripe data; requires reimbursement for costs incurred by financial institution due to breach of security.
NEVADA
S.B. 82
Relates to governmental information systems; requires the Chief of the Office of Information Security of the Department of Information Technology to investigate and resolve matters relating to security breaches of information systems of state agencies and elected officers; revises authority of the Department to provide services and equipment to local governmental agencies; authorizes the Chief of the Purchasing Division of the Department of Administration to publish advertisements for bids.
S.B. 267
Revises provisions governing personal information and encryption.
OREGON
H.B. 2851
Expands breaches of security for which notification is required under Oregon Consumer Identity Theft Protection Act to include written data that contains personal information; requires person that owns, maintains or possesses written data that contains personal information to implement safeguards.
PENNSYLVANIA
S.B. 162
Amends the Breach of Personal Information Notification Act; provides for notification of breach.
TEXAS
H.B. 1224
Relates to expulsion of a public school student who commits certain criminal acts, including security breach crimes, involving a school district computer, computer network, or computer system.
H.B. 3396
Relates to the prosecution of and punishment for the offense of breach of computer security.
S.B. 217
Relates to expulsion of a public school student who commits certain criminal acts, including security breach crimes, involving a school district computer, computer network, or computer system.
S.B. 622
Relates to the privacy of protected health information and personal information; provides civil and criminal penalties.
S.B. 808
Relates to the prosecution of and punishment for the offense of breach of computer security.
S.B. 841
Relates to the prosecution of and punishment for the offense of breach of computer security.
VERMONT
H.B. 254
Proposes to implement new consumer protections relating to goods and services appearing on a telephone bill, to discount membership programs, to security breach notices, and to change the name of the consumer fraud act to the consumer protection act.
VIRGINIA
H.B. 2315
Adds private entities to the list of those entities that are required to provide notice of a database breach involving medical information; provides that current law applies to state and local governmental entities only; provides that any entity, public or private, that is required to provide similar notice pursuant to federal law would be exempt from the state requirement.
S.B. 1041
Extends the requirement to notify individuals of a breach of their medical information to all individuals and public and private entities, rather than just governmental agencies; allows the Attorney General to impose a civil penalty not to exceed $150,000 per breach of the security system.
64% of data breaches are enabled by a combination of events. Hacking, malware, SQL injection and other forms of attack may all come into play in a single data breach.