US 2005 Introduced Financial Privacy Legislation Resources

State: Bill Summary:
Alaska H.B. 226
Relates to breaches of security involving personal information; and relating to credit report security freezes.
H.B. 270
Relates to breaches of security involving personal information, consumer report security freezes, protection of Social Security numbers, disposal of records, factual declarations of innocence after identity theft, furnishing consumer credit header information, and filing police reports regarding identity theft; and amending Rule 60, Alaska Rules of Civil Procedure.
S.B. 148
Relates to breaches of security involving personal information; and relating to credit report security freezes.
S.B. 149
Relates to breaches of security involving personal information; and relating to credit report security freezes.
S.B. 180
Relates to breaches of security involving personal information, consumer report security freezes, protection of Social Security numbers, disposal of records, and the accuracy of reports on credit history, score, and ranking.
Arizona H.B. 2575
Requires that if personal identifying information is stolen from a person or entity, the person or entity shall send notice to its customers within 48 hours of the theft discovery that their personal identifying information has been stolen and shall provide information on what the customers may do to protect against the unauthorized use of their personal identifying information.
S.B. 1114
Requires an entity disposing of records to take reasonable steps to ensure the destruction of personal financial and health information and personal identification numbers that are issued by governmental entities.  Directs an entity that discovers that personal identifying information has been stolen or improperly obtained to, within the most expedient time possible and without unreasonable delay: a) transmit notice to the person that there has been a breach of security regarding that person’s personal identifying information; and b) provide information to that person regarding steps to be taken to protect against the unauthorized use of personal identifying information.  Immunizes the entity from liability if it returned custody and control of the records back to the individual to whom the records pertain.  Specifies that this legislation does not apply to the disposal of records by a transfer of the records to another entity.  Allows an individual, who believes he or she may be injured by an entity’s actions or failure to act, to request that a court stop an entity’s actions or failure to act pursuant to this legislation.  Permits the court to grant an injunction to stop an entity’s actions or failure to act.  Authorizes the attorney general to bring a civil action for damages and/or injunctive relief against an entity that fails to comply with this legislation.  Specifies that any bank, financial institution, health care organization or other entity subject to and in compliance with certain federal regulations regarding protecting identifying information is in compliance with this legislation.  Provides that the rights and remedies of this legislation are in addition to other rights or remedies provided by law.  Defines “destroy,” “entity,” “individual,” “personal identifying information” and “record.”
California A.B. 786
Requires the California State University system to provide an employee, upon request, with four hours of time off with pay following a disclosure by the university that there is, or could have been, a breach of security of employee personal information data, as specified.
A.B. 1694
Requires a consumer credit reporting agency, upon the request of a consumer whose personal information was breached by a computerized data system, to place a security freeze on the consumer’s credit report without charge to the consumer for this service.  Authorizes the consumer credit reporting agency to charge the agency responsible for the breach, and requires the consumer to submit a copy of notification of the breach to the consumer credit reporting agency, as a condition of receiving the security freeze.  Makes related findings and declarations of the Legislature.  Requires a consumer credit reporting agency to notify each consumer who is the subject of a consumer credit report of each instance that a new account is entered on the consumer’s report if the address on the credit application is different from the last address on record held by the consumer credit reporting agency.
S.B. 234
Passed Assembly 8/25/05
Prohibits the Franchise Tax Board’s disclosure of a taxpayer’s personal information, as defined, to the general public unless the disclosure is specifically authorized or required by law.  The State Board of Equalization administers a variety of tax programs, determines the value of specified property, and serves as a quasi-judicial body with respect to taxpayer appeals from actions taken by the Franchise Tax Board.  Designates personal information regarding certain appeals to the State Board of Equalization as protected from disclosure under the California Public Records Act.
S.B. 280
Known as the Taxpayer Privacy Bill of Rights Act, this bill prohibits the board from releasing a taxpayer’s personal or financial information to the general public, unless the board shows a compelling interest for the disclosure of that information and the disclosure is first authorized by the courts.  Expands the scope of the Taxpayers’ Rights Advocate’s authority to review and facilitate the resolution of taxpayer complaints to include complaints regarding the unauthorized release of a taxpayer’s personal and financial information to the general public by employees or officers of the board.  Provides for the suspension of the accrual of interest and penalties during any stay of a pending action that is authorized by the advocate.  Specifies that an officer or employee of the board may not threaten to release a taxpayer’s personal or financial information for purposes of forcing a taxpayer to accept an offer to settle the taxpayer’s civil tax liability dispute.  Provides that the release of, or an express or implied threat to release, that information by an officer or an employee of the board for purposes of forcing a tax settlement would constitute grounds for termination or other disciplinary actions as provided by existing law.  Specifies conditions for the board’s disclosure of a taxpayer’s financial or personal information in any court or administrative proceeding where that information would otherwise be made available to the general public.  Allows a taxpayer, who has sustained damages as the result of any unauthorized release of, or a threat to release, the taxpayer’s personal or financial information, to pursue an action for damages against the board or its officers or employees.
S.B. 433
Existing law contains two identical provisions of law requiring any person or business that conducts business in California and that owns or licenses computerized data that includes personal information to disclose any breach of the security system following discovery or notification of the breach in the security of the data to any resident of this state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.  Repeals one of those two identical provisions, thereby making a technical, nonsubstantive change.
S.B. 440
Passed Senate 5/9/05
On and after July 1, 2006, this bill requires a state agency, or any person contracting with a state agency, to encrypt all personal information, as defined, that is owned by the state and stored or transported on a portable computing or electronic storage device.  Prohibits a business, as defined, from discriminating against or denying an otherwise qualified consumer a product or service, or charging a higher price for that product or service,  because the consumer has not provided the consent to disclose or share covered information, as defined, pertaining to him or her, or because the consumer has directed that the information not be disclosed or shared.  The bill excepts from that prohibition a business that cannot provide a product or service without provision of that covered information and certain institutions already subject to specified federal provisions or regulations.  Provides that no liability is created with regard to the above, and that the measure is not intended to prohibit a business from offering incentives or discounts to elicit a specific response pertaining to the disclosure or sharing of covered information.
S.B. 550
Passed Senate 5/19/05
Enacts the California Data Broker Access and Accuracy Act of 2005.  Regulates the disclosure of personally identifiable information by data brokers, as defined.  Requires data brokers to disclose to individuals who are the subject of the information all personally identifiable information about the individual and the specific sources of the information.  Requires data brokers to reinvestigate disputed items of information, to post a specified notice on their Web sites, and to maintain specified procedures to control access to the information.  Provides for civil actions, injunction, and the imposition of civil penalties for violations of these provisions.  Authorizes any individual whose personal information is disclosed and who is injured by a violation of these provisions to institute a civil action to recover damages.
S.B. 852
Passed Senate 5/26/05
Requires an agency, or a person or business conducting business in California, that owns, licenses, or collects computerized data that includes the personal information of a California resident, to notify the resident of any breach of the security of the data, as specified, regardless of whether the data was computerized when it was acquired.  Requires that a copy of the notice be sent to the Office of Privacy Protection.  Revises the definition of personal information in this context and prescribes that a request by a law enforcement agency to delay notification be in writing or made electronically, as specified.
S.B. 1104
Existing law, the California Financial Information Privacy Act, regulates the sale, sharing, transfer, or disclosure by a financial institution of nonpublic personal information, as defined.  This bill excludes specified entities from the act, including a provider of health care, a health care service plan, and a state agency.  Provides that the act supplements and does not limit the application of various other provisions, including the Consumer Credit Reporting Agencies Act.  Establishes a policy in the event that the act conflicts with another statute enacted before the act was enacted.  Existing law, the Song-Beverly Credit Card Act of 1971, requires a credit card issuer to provide specified information to a cardholder if the credit card issuer discloses marketing information to any person.  This bill deletes that requirement.  Existing law provides for issuance of a subpoena duces tecum for the production of various kinds of defined personal records pertaining to a consumer, including records containing “personal information,” as defined.  This bill also makes subject to subpoena records containing nonpublic personal information otherwise protected from disclosure under the California Financial Information Privacy Act.  Existing law requires the Franchise Tax Board to collect child support delinquencies, as defined. Under existing law, the Franchise Tax Board, through an agreement with the Department of Child Support Services and in coordination with financial institutions, operates a Financial Institution Match System utilizing automated data exchanges that is not subject to the limitations in the California Right To Financial Privacy Act.  This bill also exempts the Financial Institution Match System from the limitations in the California Financial Information Privacy Act.  
Requires the California Law Revision Commission to study the law governing sharing and disclosure of a consumer’s nonpublic personal information by a financial institution, and to make recommendations to the Governor and Legislature for specified purposes.
Connecticut H.B. 5059
Replaces current “opt out” laws regarding the release of consumer and private financial information with “opt in” laws.
H.B. 6641
Requires employees of call centers to identify themselves to consumers and prohibits such employees from sending consumers’ personal identifying or financial information to foreign countries.
S.B. 192
Failed Joint Favorable deadline 3/22/05
Prohibits retailers from acquiring a customer’s driver’s license number and address when the customer returns an item to such retailer.
Delaware S.B. 124
Prohibits the installation, transmission, and use of computer software that collects personally identifiable information, and authorizes the attorney general to bring a civil action against anyone who violates any provision of this act and seek damages ranging from $1,000 to $1 million.
Florida H.B. 129
Died in council 5/6/05
Prohibits the use of deception to obtain certain personal information for commercial solicitation purposes; prohibits the sale or other transfer to third party of personal customer information that is protected from disclosure; provides that transferring such protected information is unfair or deceptive act or practice or unfair method of competition; provides penalties; provides an exception to civil penalty.
S.B. 272
Withdrawn prior to introduction 1/20/05
Cites act as “Call Center Customer’s Protection Act”; requires each customer sales call center and customer service call center to disclose certain information to customers; prohibits call center from sending customer’s personal identifying information to a foreign country without express written consent of customer; provides that customer service employee or call center that violates this act commits deceptive and unfair trade practice in violation of certain provisions.
S.B. 614
Died in committee 5/6/05
Requires each customer sales call center and customer service call center to disclose certain information to customers; prohibits customer service employee from soliciting personal identifying information from a customer; requires that audio recording or written documentation of customer’s consent be made and preserved by said call centers; prohibits call center from sending customer’s personal identifying information to foreign country without express consent of customer.
S.B. 978
Died in committee 5/6/05
Provides that using deception to obtain certain personal identification information for commercial solicitation purposes is deceptive and unfair trade practice in violation of Deceptive and Unfair Trade Practices law; prohibits unauthorized disclosure, sale, or transfer of said information to third party; revises criminal penalties regarding the offense of fraudulently using, or possessing with intent to fraudulently use, personal identifying information.
S.B. 2162
Provides legislative intent; prohibits a person or business entity from using the Internet to solicit, request, or take any action to induce a computer user to provide personal identification information by fraudulently representing that person or business is an on-line business; prohibits a business entity or person who is not an authorized user of a computer from committing certain specified deceptive acts or practices that involve a computer.
Georgia H.B. 638
Relates to selling and other trade practices, so as to provide definitions; requires investigative consumer reporting agencies to give notice to consumers of certain security breaches; provides for a standard of care to be exercised by investigative consumer reporting agencies; provides for rules, regulations, and guidelines.
H.B. 648
Requires a person or business that conducts business in this state and that owns or licenses computerized data that includes personal information to disclose in specified ways any breach of the security of the data to any resident of this state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person; permits notification to be delayed if a law enforcement agency determines that it would impede a criminal investigation; requires a person or business that maintains computerized data that includes personal information owned by another to notify the owner or licensee of the information of any breach of the security of the data; provides for certain civil actions; defines certain terms; amends Chapter 18 of Title 50 of the Official Code of Georgia Annotated, relating to state printing and documents, so as to require an agency that owns or licenses computerized data that includes personal information to disclose in specified ways any breach of the security of the data to any resident of this state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person; permits notification to be delayed if a law enforcement agency determines that it would impede a criminal investigation; requires an agency that maintains computerized data that includes personal information owned by another to notify the owner or licensee of the information of any breach of the security of the data; defines certain terms.
H.B. 649
Provides that any person who is engaged in any business which involves the collection or maintenance of identifying information with respect to consumers shall have a duty to maintain such identifying information in a manner which is secure against unauthorized disclosure; requires prompt notification to a consumer if the security of that consumer’s identifying information is or may have been breached; provides for criminal penalties and civil and administrative remedies.
S.B. 245
Relates to business records, so as to require a person or business that conducts business in this state and that owns or licenses computerized data that includes personal information to disclose in specified ways any breach of the security of the data to any resident of this state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person; permits notification to be delayed if a law enforcement agency determines that it would impede a criminal investigation; requires a person or business that maintains computerized data that includes personal information owned by another to notify the owner or licensee of the information of any breach of security of the data; provides for certain civil actions; defines certain terms; amends Chapter 18 of Title 50 of the Official Code of Georgia Annotated, relating to state printing and documents, so as to require an agency that owns or licenses computerized data that includes personal information to disclose in specified ways any breach of the security of the data to any resident of this state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person; permits notification to be delayed if a law enforcement agency determines that it would impede a criminal investigation; requires an agency that maintains computerized data that includes personal information owned by another to notify the owner or licensee of the information of any breach of security of the data; defines certain terms; provides for legislative findings and declarations.
S.B. 251
Relates to selling and other trade practices, so as to provide a short title; provides legislative findings; provides definitions; requires certain business entities to give notice to consumers of certain security breaches; provides for causes of actions and damages for unauthorized or improper access of personal information of consumers; provides for certain criminal penalties.
Illinois H.B. 380
Passed House 2/8/05
Creates the Illinois Spyware Prevention Initiative Act.  Prohibits a person or entity other than the authorized user of a computer from causing computer software to be copied onto the computer and using the software to:  (1) take control of the computer; (2) modify certain settings related to the computer’s access to or use of the Internet; (3) collect, through deceptive means, personally identifiable information, including financial information; (4) prevent, without authorization, an authorized user’s reasonable efforts to block the installation of or disable software; (5) misrepresent that the software will be uninstalled or disabled by an authorized user’s action; or (6) through deceptive means, remove, disable, or render inoperative security, antispyware, or antivirus software installed on the computer.
H.B. 3743
Creates the Security Breach Notification Act.  Requires any person or business conducting business in the state, and that owns or licenses computerized data that includes personal information, to disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any person whose unencrypted personal information was, or is reasonably believed to have been acquired by an unauthorized person.  Requires any person or business that maintains computerized data that includes personal information that the person or business does not own, to notify the owner or licensee of the information of any breach of the security of the data immediately following discovery of such breach, if the personal information was, or is reasonably believed to have been acquired by an unauthorized person.  Provides that notice may be provided to a customer in one of the following ways: (1) written notice; (2) electronic notice; or (3) substitute notice if the person or business demonstrates that the cost of providing notice would exceed $250,000, or the affected class of persons to be notified exceeds 500,000, or the person or business does not have sufficient contact information.  Provides a private right of action for a violation of the Act.
H.B. 4198
Amends the Personal Information Protection Act.  Requires a data collector to disclose to a consumer, at no cost, the personal information obtained resulting in a breach of the security of the system data.
H.B. 4253
Amends the Personal Information Protection Act.  Changes the definition of “breach of security of the system data” to “breach of the security of the system data or written material.”  Provides that the notice requirements of the Act apply to breaches of written material containing personal information.  Provides that any state agency that collects personal data and has had a breach of security of the system data or written material shall submit an annual report to the General Assembly listing the breaches and outlining any corrective measures that have been taken to prevent future breaches of the security of the system data or written material.
S.B. 209
Creates the Personal Information Protection Act.  Requires each financial institution to provide an annual disclosure statement to all persons for which the financial institution maintains unencrypted personal information concerning measures the financial institution has taken to prevent (i) a breach of the security system and (ii) any unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the financial institution.  Requires each financial institution to maintain duplicate records of all computerized data at a back-up site located at least 90 miles from the primary site at which the data is stored.  Provides that the effectiveness of the back-up site shall be tested annually and requires the results of that test to be included in the annual disclosure statement.
S.B. 1479
Passed Senate 4/8/05
Creates the Identity Theft Notification Act.  Requires any data collector that owns or uses personal information in any form that includes personal information concerning an Illinois resident, to disclose any breach of the security of the system following discovery or notification of the breach in the security of the data, without regard for whether the data has been accessed by an unauthorized third party for legal or illegal purposes.  Provides that notice may be provided in one of the following ways: (1) written notice; (2) electronic notice; or (3) substitute notice if the person or business demonstrates that the cost of providing notice would exceed $250,000, or the affected class of persons to be notified exceeds 500,000, or the person or business does not have sufficient contact information.  Provides a private right of action for a violation of the Act.
S.B. 1798
Creates the Personal Information Protection Act.  Requires any person, business, or State agency conducting business in the state, and that owns or licenses computerized data that includes vulnerable personal information, to disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any person whose unencrypted personal information was, or is reasonably believed to have been acquired by an unauthorized person.  Requires any person, business, or state agency that maintains computerized data that includes vulnerable personal information that the person, business, or state agency does not own, to notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the vulnerable personal information was, or is reasonably believed to have been acquired by an unauthorized person.  Provides that notice may be provided to a customer in one of the following ways: (1) written notice; or (2) substitute notice if the person or business demonstrates that the cost of providing notice would exceed $250,000, or the affected class of persons to be notified exceeds 500,000, or the person or business does not have sufficient contact information.
S.B. 1899
Creates the Identity Theft Notification Act.  Requires any agency, person, or business that conducts business in Illinois and owns or licenses data that includes personal information concerning an Illinois resident to notify the resident that there has been a breach of the security of that data following discovery or notification of the breach.  Requires any agency, person, or business that maintains data that includes personal information concerning an Illinois resident and that the agency, person, or business does not own to notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been acquired by an unauthorized person.  Provides that notice may be provided in one of the following ways: (1) written notice; (2) electronic notice; or (3) substitute notice if the agency, person, or business demonstrates that the cost of providing notice would exceed $250,000, or the affected class of persons to be notified exceeds 500,000, or the agency, person, or business does not have sufficient contact information.
Indiana S.B. 599
Provides a property tax credit equal to the amount by which property tax on a homestead exceeds 10 percent of the owner’s three year average gross income.  Requires a credit application that includes income information to be filed with the county auditor.  Applies current confidentiality requirements to income information and other financial information received by the county auditor.
Kansas H.B. 2381
Limits the publication of court records that include Social Security numbers and other banking and credit card numbers.
Maine L.D. 1638
Puts in place an opt-in requirement so that financial services providers, including banks, credit unions, securities firms and mortgage companies must have permission from individuals before disclosing nonpublic personal information to nonaffiliated third parties, but only upon approval by voters at a statewide referendum.
Maryland H.B. 1588
S.B. 1002
Withdrawn from further consideration 3/28/05
Requires a business to destroy or arrange for the destruction of a customer’s records that contain specified personal information of the customer in a specified manner; requires a business that owns or licenses specified personal information of an individual residing in the state to implement and maintain specified security procedures and practices; requires businesses that own, license, or maintain specified records to notify specified persons of a breach of the security of a system.
Massachusetts H.B. 2797
Protects consumers following disclosure of personal information, requires notification of security breaches.
H.B. 3064
Regulates the use of personal information by insurance companies.
H.B. 4061
Relates to counterfeit and fraudulent documents; strengthens the current law by specifically targeting offenses associated with identity theft, adds more identity theft crimes, and creates a forfeiture provision to assist law enforcement.  Provides assistance to the victims of identity theft, by requiring rapid notification to consumers when personal identifying information is compromised and facilitating measures to mitigate the impact of such thefts.
S.B. 183
Creates the Personal Information Protection Act.
S.B. 184
Prevents identity theft through security breach notices and establishes a victim’s bill of rights.
S.B. 247
Restores consumer control over the private information collected by retail discount cards.
S.B. 2058
Requires companies that collect personal information to disclose when said data has been compromised.
Michigan H.B. 4658
Prohibits the denial of credit or services because the consumer has been a victim of identity theft; requires an agency of this state that owns or licenses computerized data that include personal identifying information to provide notice of any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of this state whose unencrypted personal identifying information is acquired by an unauthorized person or if the agency reasonably believes that an unauthorized person has acquired that information. The agency shall provide notice within five days after the agency discovers or is notified of the breach, unless otherwise specified.
H.B. 4687
Revises the procedure for the disclosure of nonpublic financial information to unaffiliated third parties by savings and loan associations.
H.B. 4688
Revises the procedure for the disclosure of nonpublic financial information to unaffiliated third parties by banks.
H.B. 4689
Revises the procedure for the disclosure of nonpublic financial information to unaffiliated third parties by credit unions.
H.B. 4690
Revises the procedure for the disclosure of nonpublic financial information to unaffiliated third parties by savings banks.
H.B. 4691
Requires notice to, and consent of, a person before disclosing or sharing of nonpublic personal financial information.
S.B. 309
Requires notification of a security breach of a database containing personal identifying information.
S.B. 426
Requires notice to, and consent of, a person before disclosing or sharing of nonpublic personal financial information.
S.B. 427
Revises the procedure for the disclosure of nonpublic financial information to unaffiliated third parties by savings banks.
S.B. 428
Revises the procedure for the disclosure of nonpublic financial information to unaffiliated third parties by banks.
S.B. 429
Revises the procedure for the disclosure of nonpublic financial information to unaffiliated third parties by savings and loan associations.
S.B. 430
Revises the procedure for the disclosure of nonpublic financial information to unaffiliated third parties by credit unions.
Minnesota H.F. 1410
S.F. 1307
Substituted by H.F. 2121 5/23/05
Relates to consumer protection; requires disclosure to consumers of a breach in security by businesses maintaining personal information in electronic form.
H.F. 1805
S.F. 1805
Requires businesses that possess personal data to notify persons whose personal information has been disclosed to unauthorized persons.
S.F. 2194
Regulates consumer credit reporting agencies; provides a process to remove a consumer’s name from credit card solicitation lists.
Missouri S.B. 506
Prohibits the sharing of personal financial information with any unauthorized person unless the individual consents to the sharing.  Requires a business or person that conducts business in the state and owns or licenses computerized data to disclose any breach of security of that data to any citizen of this state whose information may have been, or may very well have been, acquired by an unauthorized person. Notification requirements are laid out in the act.  Allows individuals to place security alerts and security freezes on their credit report, notifying any recipient of the report that the individual may have been a victim of identity theft, and prohibiting the release of the individual’s information without the express consent of the consumer.  Details the obligations of consumer reporting agencies in response to this option.  The act has a penalty provision for violations – Class A misdemeanor, fines up to $1,000 or imprisonment for up to one year.
Nevada S.B. 435
Relates to personal information; requires a business to implement reasonable measures to ensure security of records containing personal information; requires a business to take reasonable measures to destroy certain records containing personal information; requires data collectors to provide notification of any breach of the security of the system data to persons affected by the breach; and provides other matters properly relating thereto.
New Hampshire H.B. 323
In conference committee 6/13/05
Prohibits a person from filing with the registry of deeds a document that includes an individual’s Social Security number, credit card number, or other financial account numbers.  Requires the register of deeds to offer a procedure for redacting such information on records filed prior to the effective date of this bill.  Permits a person to request that the record not be available on the Internet.
New Jersey A.B. 757
Allows a financial institution to disclose information relative to an electronic fund transfer account to a third party when the disclosure is permitted by the privacy provisions of the federal Gramm-Leach-Bliley Act and the regulations adopted pursuant thereto. If required by federal law, a financial institution that shares nonpublic personal information with nonaffiliated third parties must provide consumers with an opt-out notice and a reasonable period of time for consumers to opt out of the sharing of the information pursuant to federal law and regulation. The bill is retroactive to July 1, 2001, which coincides with the effective date of compliance with the applicable federal regulations.
A.B. 832
S.B. 362
Protects the privacy of an individual’s financial information by prohibiting disclosure without the prior informed, affirmative consent of the consumer. Requires such consent before a financial institution may disclose information to affiliated or unaffiliated third parties. Requires financial institutions to adopt fair information practices when selling or disclosing confidential consumer information and provides that a violation of the bill, or of a company’s privacy policy, constitutes consumer fraud.
A.B. 1080
Requires that a financial institution that discovers or reasonably should discover that a consumer’s nonpublic personal information maintained by the financial institution was compromised in any way shall promptly notify the consumer of the breach of the security or confidentiality of the information.  In addition to promptly notifying a consumer of the security compromise, a financial institution is required to provide assistance to the consumer to remedy any such compromise; to reimburse the consumer for any losses the consumer incurred as a result of the compromise of the security or confidentiality of such information; and to provide information concerning the manner in which the consumer can obtain assistance.  However, a financial institution may delay notifying a consumer of the compromise of the security or confidentiality of the information at the request of a law enforcement agency investigating such violation for a period determined by the law enforcement agency performing the investigation.  Additionally, if an issuer of credit receives a request for an additional credit card for an existing cardholder no later than 30 days after receiving a change of address for the cardholder, the issuer of credit is required to notify the cardholder of the request at the new address and former address no later than five days after sending the additional card to the new address.  The issuer of credit shall also provide the cardholder with a means of promptly reporting incorrect changes.  Any violation of this bill shall be punished under either N.J.S.A.56:11-38 or N.J.S.A.56:11-39, or both.
A.B. 1831
Requires a financial institution to notify the account holder in writing anytime a financial institution discloses that information to a third party under certain limited circumstances.
A.B. 1982
Establishes guidelines by which a business may discard or dispose of business documents containing personal information. A business may not discard a record containing personal information unless it: (1) shreds the customer’s record before discarding the record, or renders the record unreadable or irretrievable before discarding the device which contained the record; (2) erases the personal information contained in the customer’s record before discarding the record; (3) modifies the customer’s record to make the personal information unreadable before discarding the record; or (4) takes actions that it believes reasonable, and that are in conformance with industry standards, if any, to ensure that no unauthorized person will have access to the personal information contained in the customer’s record for the period between the record’s disposal and the record’s destruction. Any person may file a complaint with the county prosecutor or the attorney general alleging a violation of this bill. A complaint filed under this bill shall be promptly investigated, and if the complaint is determined to be credible by the county prosecutor or attorney general, an action to initiate a hearing shall be filed in the Superior Court. Any person who knowingly violates the provisions of this bill shall be fined $100 for the first offense and no less than $100 nor more than $500 for any subsequent offense, recoverable by the state by a summary proceeding under the “Penalty Enforcement Law of 1999.” The Superior Court shall have jurisdiction to enforce the penalty upon complaint of the attorney general or the county prosecutor. Notwithstanding any provision of this bill, it shall be an affirmative defense to the wrongful disposing of or discarding of a customer’s record that contains personal information if the business can show that it used due diligence in its attempt to properly dispose of or discard such records.
A.B. 2048
S.B. 2440
Combined with A.B. 4001
Requires a business to take all reasonable steps to destroy customer records within its control containing personal information which is no longer to be retained by the business. The customer records shall be destroyed by shredding, erasing, or otherwise modifying the personal information to make them unreadable or undecipherable through any means. In addition, any business that conducts business in New Jersey and owns or licenses computerized data that includes personal information must disclose any breach of the security of the computer system within 15 days to any customer who is a resident of New Jersey whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. However, the disclosure may be delayed if a law enforcement agency determines that notification will impede a criminal investigation. Any business that maintains computerized data that includes personal information that the business does not own shall notify the owner or licensee of the information of any breach of the security of the system immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person. For purposes of this bill, notice may be written or electronic. If the business demonstrates that the cost of providing notice would exceed $250,000, or that the affected class of subject persons to be notified exceeds 500,000, or the business does not have sufficient contact information, it may provide substitute notice, which must consist of all of the following: (1) e-mail notice when the business has an e-mail address; (2) conspicuous posting of the notice on the Web site page of the business, if the business maintains one; and (3) notification to major statewide media. 
However, a business that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of the bill shall be deemed to be in compliance with the notification requirements of this bill if the business notifies subject persons in accordance with its policies in the event of a breach of security of the system. Finally, a violation of any provisions of this bill shall be an unlawful practice subject to the penalties applicable to a violation of the consumer fraud law pursuant to N.J.S.A. 56:8-13. Under N.J.S.A. 56:8-13, any business that violates any of the provisions of this bill, in addition to any other penalty provided by law, shall be liable to a penalty of not more than $10,000 for the first offense and not more than $20,000 for the second and each subsequent offense.
A.B. 2074
S.B. 493
Enacts the “New Jersey Financial Information Privacy Act,” which would require a financial institution to provide a specified written form to a consumer relative to the sharing of the consumer’s nonpublic personal information and, instead, to permit consumers to “opt in” to allow the sharing of such information.  Does not restrict or prohibit the sharing of nonpublic personal information between a financial institution and its wholly owned financial institution subsidiaries or entities that are regulated by the same functional regulator and are engaged in the same line of business. Provides that a financial institution shall not discriminate in offering or denying an otherwise qualified consumer a financial product or service because the consumer has not provided the necessary consent that would authorize the financial institution to disclose or share nonpublic personal information and requires a financial institution to comply with the consumer’s request regarding nonpublic personal information within 45 days of receipt of the request. Provides specified requirements that must be met for the financial institution to disclose a consumer’s nonpublic personal information. Provides that nonpublic personal information may be released in order to identify or locate missing children, witnesses, criminals and fugitives, parties to lawsuits, and missing heirs and that it would not change existing law regarding access by law enforcement agencies to information held by financial institutions. Provides various civil penalties for negligent, or knowing and willful violations of its provisions.
A.B. 2130
Prohibits financial institutions from disclosing a customer’s personal information without that customer’s consent to nonaffiliated third parties, and, even with the customer’s consent, limits disclosure to the customer’s current name, address and phone number. Makes exceptions for certain circumstances, however, such as where disclosure is required by state or federal law, or is necessary to assist the customer or protect the institution’s legal interests. Provides for a penalty of up to $500 for each violation of the disclosure prohibitions.
A.B. 2447
S.B. 1210
Corrects an inconsistency resulting from the recent enactment of two laws, both of which provided definitions of “personal identifying information.”  P.L.2002, c.85 deleted the definition of “personal identifying information” found in the state’s impersonation and theft of identity statute, N.J.S.2C:21-17, and replaced it with a comprehensive definition of the term in N.J.S.2C:20-1 that would apply to all crimes in chapters 20 and 21 of Title 2C of the New Jersey Statutes.  But P.L. 2003, c.39 cross-referenced the definition of “personal identifying information” that had been deleted in N.J.S.2C:21-17, while also adding certain computer specific language to the definition.  Resolves the inconsistency created by the passage of these two laws by placing the additional computer specific language within the definition of “personal identifying information” in the comprehensive definition section of N.J.S.2C:20-1.
A.B. 2683
S.B. 1169
Protects the privacy of customers of financial institutions in the state.  Mandates that financial institutions send each customer an annual notice that clearly and conveniently offers the customer the opportunity to prohibit disclosure of nonpublic personal information to nonaffiliated third parties, except in certain circumstances, such as where disclosure is required by state or federal law, or is necessary to assist the customer or protect the institution’s legal interests.
A.B. 4366
Prohibits counties and municipalities that fail to comply with the provision of N.J.S.A.47:1A-5 which requires government records custodians to redact certain personal information from government records from receiving grants under the public archives and records infrastructure support grants program created in 2003 and supported by increased fees for the services of county clerks and registers.  Requires that once a records custodian, including a records custodian of a county or municipality, redacts material in a government record, all subsequent responses to requests for the government record must contain the same redaction.
S.B. 370
Provides for regulation by the director of the Division of Consumer Affairs in the Department of Law and Public Safety of inbound call centers, which receive telephone calls or electronic mail messages from callers.  Provides that an employee at an inbound call center operating in a foreign country shall not solicit any personal information, whether by telephone or by an electronic mail message, unless the employee first informs the caller that disclosing that information to the employee is optional, and receives the affirmative consent of the caller to whom the information relates.  Provides that any telephone call to an inbound call center located in a foreign country shall be rerouted to a call center located in the United States, if such a request is made by the caller.  As defined in the bill, “personal information” means any personally identifiable information that is provided by a person to an inbound call center, which shall include, but not be limited to, financial and credit information, or a name, address, telephone number or Social Security number.  Violators of the bill’s provisions are subject to the provisions of the consumer fraud law, P.L.1960, c.39 (C.56:8-1 et seq.), which carries maximum penalties of $10,000 for the first offense and $20,000 for the second and subsequent offenses.
S.B. 1050
This bill, the “New Jersey Online Privacy Protection Act,” regulates disclosure of personal information collected by a website or online service.  Under the provisions of the bill it would be an unlawful practice under the New Jersey consumer fraud act, P.L.1960, c.39 (C.56:8-1 et seq.), to collect, use or disclose personal information in violation of the regulations adopted pursuant to the act.  The provisions of the bill apply to individuals of age 18 and above.  The Division of Consumer Affairs in the Department of Law and Public Safety would adopt regulations requiring the operator of a website or online service to provide notice, in a clear and conspicuous manner, of the identity of the operator, what personal information is collected by the operator, how the operator uses such information, and what information may be shared with other companies.  The operator would also be required to provide a meaningful and simple online process for individuals to consent to or limit the disclosure of personal information for purposes unrelated to those for which that information was obtained or described in the notice.  The regulations provide an individual access to the personal information the website or online service has collected.  The regulations require the operator of a website or online service to establish and maintain reasonable procedures to protect the confidentiality, security and integrity of personal information the operator collects and maintains.  The regulations permit an operator of a website or online service to terminate service to an individual who has refused to permit the operator’s further use or maintenance in retrievable form, or future online collection of, personal information from that individual.  A person who violates the provisions of the consumer fraud act is liable to a penalty of not more than $7,500 for the first offense and not more than $15,000 for the second and each subsequent offense.
S.B. 2442
Provides that upon establishing a relationship with a consumer, and annually thereafter if the consumer has not previously chosen to opt out of the sharing of his nonpublic personal information, a financial institution shall notify the consumer of its intention with respect to the use of the consumer’s nonpublic personal information in the opt-out form required by this bill.  Provides that beginning 30 days after the date on which the opt-out form was sent to the consumer, a financial institution may disclose a consumer’s nonpublic personal information to any affiliate or nonaffiliated third party, unless within that 30-day period the financial institution has received the opt-out form from the consumer prohibiting the financial institution from disclosing the consumer’s nonpublic personal information.  Specifies certain criteria that the opt-out form and the outside of the envelope must meet and includes an example of the opt-out form, which the financial institution must use.  Provides that an entity which negligently discloses or shares nonpublic personal information in violation of the bill shall be liable, irrespective of the amount of damages suffered by the consumer as a result of that violation, for a civil penalty not to exceed $2,500 per violation.  However, if the disclosure or sharing results in the release of nonpublic personal information of more than one individual, the total civil penalty awarded shall not exceed $500,000.  An entity that knowingly and willfully obtains, discloses, shares, or uses nonpublic personal information in violation of the bill shall be liable for a civil penalty not to exceed $5,000 per individual violation, irrespective of the amount of damages suffered by the consumer as a result of that violation.  The court shall take into account a number of factors, as provided in the bill, when determining the penalty to be assessed for a violation of the bill.
Authorizes the commissioner of Banking and Insurance to promulgate regulations necessary to effectuate the provisions of the bill.
New Mexico H.B. 145
Prohibits a public utility from disclosing consumer’s nonpublic personal information.
H.B. 364
Creates the Financial Information Privacy Act; relates to financial privacy; requires consent for sharing certain financial information; limits financial disclosures between financial institutions; provides for enforcement; establishes penalties.
New York A.B. 223
Passed Assembly 5/25/05
S.B. 1550
Grants consumers the option to prohibit the rental, sale, exchange or other availability of personal information possessed by an issuer of a credit card, charge card or debit card; requires notice of such option be given to cardholders by credit card, charge card and debit card issuers in existing bill mailings and in credit card and debit card agreements and renewals thereof; limits any effect on credit card registration services.
A.B. 227
Passed Assembly 6/23/05
S.B. 2901
Substituted by A.B. 227 5/18/05
Makes unsolicited electronic mail advertising unlawful unless certain information is provided by the sender, including the sender’s name and street and e-mail address; prohibits sale, lease or exchange of certain personal identifying information obtained online without the knowledge and affirmative consent of the consumer; makes provisions for penalties for violations.
A.B. 660
Prohibits the use of inmate labor to access, collect or process personal information relating to a natural person residing in this state; provides for a civil penalty of not more than $1500 for a first violation and not more than $2500 for a second or subsequent violation.
A.B. 1052
Enacts the “Electronic Fund Transfer Privacy Act”; provides privacy protection for consumers engaging in electronic fund transfer transactions by limiting disclosure of personal information about any consumer involved in such transactions and limiting the circumstances in which a government authority may obtain such information; outlines procedures and limitations for obtaining such information and civil and criminal penalties for violations.
A.B. 1226
Passed Assembly 3/29/05
Restricts insurers from demanding intrusive personal, financial and tax information from insureds as a standard practice in processing ordinary theft claims where no special circumstances warranting a demand for such information exist.
A.B. 1365
Authorizes the superintendent of Banks to audit the international administrative offices of banking organizations doing business in this state which process personal information from customers for the purposes of enforcing privacy protection.
A.B. 1525
Requires any banking institution that owns or licenses data that includes personal identifying information to disclose any breach of security following discovery or notification of such breach to any person whose personal identification was, or is reasonably believed to have been, acquired by an unauthorized person; defines personal identifying information and breach of security; further allows for a consumer to elect for a security freeze on his or her consumer report to prevent identity theft; establishes procedures to allow consumers to put a “security freeze” on their consumer information; provides for enforcement by the attorney general.
A.B. 1747
Relates to regulating the use and dissemination of confidential customer information by financial institutions; prohibits the disclosure of financial information without the informed consent of the customer to whom the information relates; establishes the basic privacy rights for financial information; authorizes attorney general enforcement; imposes civil penalties; allows a private cause of action.
A.B. 4033
S.B. 159
Enacts the Financial Information New York Privacy Act to require that financial institutions obtain consent from consumers prior to disclosing nonpublic personal information; defines terms and sets penalties.
A.B. 4038
Makes provisions for privacy in banking, insurance, and other financial transactions, forbidding disclosure of personal information without prior consent granted by the customer to the financial institution; requires written notice of privacy policies and practices be given to customers; requires security and confidentiality safeguards; prohibits disclosure of account number or access code information; provides for enforcement by the attorney general and authorizes private actions.
A.B. 5487
S.B. 3000
Enacts the “Personal Information Protection Act”; requires disclosure of breaches of security of data systems of business entities to affected persons; provides for administration by the department of state; requires use of best available technology to detect breaches of security; provides for a private right of action.
A.B. 6688
Requires notification of breach of security of personal information kept by state agencies; defines breach of security and personal information.
A.B. 6903
Requires any state agency or business which owns or licenses a computerized database which includes vulnerable personal information to disclose any breach of security of such system to any resident of New York state whose unencrypted personal information may have been acquired by an unauthorized person; provides enforcement provisions.
A.B. 7013
S.B. 4106
Provides for the protection of confidential personal information collected and distributed by individual reference services providers or marketing list brokers; establishes exclusion lists, penalties and grounds for civil liability.
A.B. 7349
Enacts provisions to prevent identity theft and mitigate detriments arising from identity theft; establishes procedures to allow consumers to put a “security freeze” on their consumer information; provides for enforcement by the attorney general.
A.B. 7670
S.B. 4813
Prohibits persons or business entities from filing unnecessary personal identifying information as defined with the state or any political subdivision thereof; provides for enforcement by the attorney general.
A.B. 8456
S.B. 5178
Passed Senate 6/21/05
Relates to disposal of records containing personal information.
A.B. 9037
Requires notice to consumers by credit agencies of a breach of security involving personal information.
S.B. 620
Provides that banking institutions in New York State may release customer information in the following manner: (a) to the actual customer or authorized agent, or (b) unless a customer affirmatively and in writing prohibits the release, to a subsidiary or affiliate of the banking institution, or (c) to any other persons or entities if the customer information intended to be released consists only of customer identification (e.g. name or address of customer) and/or is recorded in public records; defines the term “customer information” to mean account records and any other information constructed from those records relating to the customer’s relationship with the institution.
S.B. 1597
Enacts the New York Consumer and Worker Protection Act; requires employers to provide notice of the outsourcing of jobs prior to such outsourcing; prohibits any governmental agency from engaging in the practice of outsourcing jobs; requires that consumers be made aware and provide consent if such consumers’ nonpublic personal information is disclosed to nonaffiliated third parties by any corporation or other business entity; requires ratification by the legislature of procurement contracts between the state, through the governor, and any multinational trade organization or corporation; and defines applicable terms.
S.B. 1847
Provides privacy protection for voter registration records; prohibits sale or other dissemination of records or information contained in such records if use of such information would promote identity theft, fraud or otherwise invade privacy.
S.B. 2161
Requires any state agency or business which owns or licenses a computerized database which includes vulnerable personal information to disclose any breach of security of such system to any resident of New York state whose unencrypted personal information may have been acquired by an unauthorized person; provides enforcement provisions.
S.B. 2673
Creates a nine-member privacy task force within the State Office for Technology to conduct ongoing review of state and local laws, regulations and practices with respect to the compilation, protection and dissemination of “personal information”; provides for composition of the task force and for annual reports to the governor and the Legislature.
S.B. 2906
Requires notice to residents when a computerized database security breach releases personal information.
S.B. 3141
Requires any banking institution that owns or licenses data that includes personal identifying information to disclose any breach of security following discovery or notification of such breach to any person whose personal identification was, or is reasonably believed to have been, acquired by an unauthorized person; defines personal identifying information and breach of security.
S.B. 3494
Enacts the Identity Theft Prevention and Mitigation Act; establishes procedures to allow consumers to put a “security freeze” on their consumer information; provides for enforcement by the attorney general and security of Social Security account numbers; and provides for notice of information of breach of security.
S.B. 3721
Enacts the Consumer Privacy Act to protect the personal privacy of individuals and families who choose to retain such privacy without unreasonably restricting the ability of commercial entities to collect and use information necessary to conduct business or as is permitted by the subject of such information; defines terms; prohibits wrongful disclosure of protected personal information with certain exceptions; provides for civil liability for wrongful disclosure; authorizes the attorney general to bring enforcement action for injunction and penalties; limits time period in which such an action may be brought.
S.B. 4623
Prohibits the disclosure of personal information on consumers by banking organizations to third parties without providing notice in plain language to the consumer in writing or electronic form.
S.B. 4687
Establishes that issuers of credit cards and debit cards are prohibited from knowingly accepting or soliciting personal information of a cardholder from a third party; establishes a civil penalty not to exceed $2,000 for each violation of this section.
S.B. 4978
Requires state agencies and business entities to disclose the breach of the security of any personal information of any resident of the state maintained on a computerized database; establishes notice requirements; directs the state Consumer Protection Board to enforce such provisions.
S.B. 5472
Requires notice to consumers by credit agencies of a breach of security involving personal information.
North Carolina S.B. 783
Requires that data aggregators and other businesses immediately notify individuals of unauthorized or fraudulent access to personal information following information security breaches.
S.B. 996
Authorizes the Legislative Research Commission to study issues related to privacy and personal information protection.
Ohio S.B. 89
Requires a state agency, person, or business to contact individuals if unencrypted personal information about those individuals that is maintained on the computers of the agency, person, or business is obtained by unauthorized persons.
Oklahoma S.B. 425
Passed Senate
Prohibits the printing of Social Security numbers and credit card numbers on checks in a consumer transaction.
Oregon H.B. 3010
Prohibits disclosure of public records relating to criminal investigation or prosecution or to confinement of persons convicted of crimes unless personal identifiers have been deleted.  Increases the punishment for identity theft if personal information transferred relates to specified persons.
H.B. 3288
Prohibits an insurer that issues personal insurance policies from requesting or requiring a consumer’s Social Security number to issue or renew personal insurance. Prohibits an insurer that issues personal insurance policies from using a consumer’s credit history for specified purposes.  Prohibits a person from disclosing, selling or making available an individual’s identifying information. Provides exceptions. Makes a violation an unlawful trade practice.
H.B. 3320
Requires a person making a telephone solicitation from a call center to disclose the location of the call center and the name of the person who has contracted to use the services of the call center.  Prohibits sending financial, credit or identifying information to a call center located in a foreign country.  Provides an exception.  Allows a person receiving a call from a call center located in a foreign country to request that the call be rerouted to a call center located in the United States.
S.B. 626
Requires a person who owns or uses personal information to notify an individual when there is an unauthorized acquisition of personal information that compromises the security of the information.
S.B. 630
Allows a state institution of higher education to contract with a private contractor to provide the service of facilitating disbursement of funds to students.  Imposes conditions if a student’s personally identifiable information is necessary to administer disbursement.
Pennsylvania H.B. 896
Adds provisions relating to privacy protection for customer information of financial transactions; and imposes penalties.
H.B. 1023
Provides for the notification of residents whose personal information data was or may have been disclosed due to a security system breach; and provides for penalties.
H.B. 1795
Provides for the notification of residents whose personal information data was or may have been disclosed due to a security system breach; and imposes penalties.
H.B. 1921
Creates the Consumer Credit Rights Act; provides for consumer credit protections and restricts the use of Social Security numbers.
H.B. 2005
Prohibits the installation, transmission and use of computer software that collects personally identifiable information; authorizes the attorney general and district attorneys to bring civil actions against persons who violate this act; and provides for damages.
H.B. 2006
Creates the Breach of Personal Information Data Notification Act; provides for breach of security of identifying information and for penalties.
H.R. 215
Memorializes the Congress of the United States and the federal government to take steps to discontinue outsourcing and to prevent the Internal Revenue Service from hiring foreign contractors to prepare, process or collect any personal financial information of United States taxpayers.
S.B. 712
Sent to governor 12/15/05
Provides for the notification of residents whose personal information data was or may have been disclosed due to a security system breach; and imposes penalties.
Rhode Island H.B. 5320
Passed House 5/11/05
Prohibits the release of nonpublic information by financial institutions regarding the information obtained about a consumer who applied for credit.
H.B. 5893
Establishes a duty to disclose any breach of security of a computerized data system.
H.B. 6211
Passed House 5/12/05
Prohibits the installation of software on a consumer’s computer which would collect the user’s personally identifiable information, including financial information.
S.B. 880
Establishes a duty to disclose any breach of security of a computerized data system.
South Carolina H.B. 3651
Requires that identifying financial information be deleted from public records that are accessed electronically after July 1, 2005.
S.B. 150
Enacts the “Family Court Financial Privacy Act” so as to provide that a financial declaration made a part of the record in a matter before the family court is confidential and not subject to disclosure to the public; and relates to exemptions from the Freedom of Information Act, so as to exempt financial declarations in matters before the family court.
S.B. 383
Requires that identifying financial information be deleted from public records and requires that personal identifying information be kept confidential by a public body.
S.B. 669
Provides for notice to a South Carolina resident whose personal identifying information may have been accessed through a breach of the security of computerized data owned, licensed, or otherwise controlled by a state agency, provides definitions, specifies requirements of the notice, and provides penalties for noncompliance; and provides for notice to a South Carolina resident whose personal identifying information may have been accessed through a breach of the security of computerized data owned, licensed, or otherwise controlled by a person conducting business in this state, provides definitions, specifies requirements of the notice, and provides penalties for noncompliance.
Tennessee H.B. 331
S.B. 235
Passed Senate 5/11/05
Prohibits TSAC from requiring a student applying for postsecondary financial assistance from lottery proceeds to provide financial information unless such student is applying for assistance limited to low-income students.
H.B. 753
S.B. 1153
Prohibits TSAC from requiring a student applying for postsecondary financial assistance from lottery proceeds to provide financial information unless such student is applying for assistance limited to low-income students.
Texas H.B. 1527
Relates to a breach in the security of a data system that includes another person’s identifying information.
H.B. 2571
Relates to requirements for disclosing a consumer’s personal information.
H.B. 3030
Relates to personal identifying information contained in a consumer file maintained by a consumer reporting agency.
S.B. 71
Relates to the prohibition of certain disclosures of a consumer’s financial information.
S.B. 76
Relates to a consumer’s option to prevent the disclosure of the consumer’s financial information by a financial institution; provides a civil penalty.
S.B. 1148
Relates to protecting the confidentiality of certain identifying personal information contained in court records.
Virginia H.B. 1729
Amends the Computer Crimes Act to prohibit the use of software that changes settings, collects personally identifiable information or obstructs the reasonable operation of the computer.  Prohibits the installation of computer software that operates in this manner. Violations of this bill are Class 1 misdemeanors.  Provides exemptions for maintenance and security.
H.B. 2721
Requires agencies and businesses that maintain computerized data that includes personal information to notify the subject of that information when a breach of the database containing that information is discovered.  No notice is required if an investigation determines that there is no reasonable belief that the information has been or will be used in an unlawful manner.  Provides for various means of notifying the owner or licensee of that information and requires the agency or business to coordinate notification with consumer reporting agencies if they indicated that the affected individual can obtain a credit report.  Damages for an agency violating this requirement are provided in the Government Data Collection and Dissemination Practices Act (§ 2.2-3800 et seq.).  Damages for a business violating this requirement are provided in the Personal Information Privacy Act or PIPA (§ 59.1-442 et seq.).  Expands the damages available for violations of PIPA to include actual damages, if greater than $100 per violation, and injunctive relief.
West Virginia H.B. 2772
Requires commercial entities that maintain databases containing resident individuals’ personal information to notify a resident individual, in writing, whenever the individual’s personal information has been compromised by unauthorized disclosure; and defines personal information.
Wisconsin A.B. 320
Requires a business (or other corporate entity) that knows of the unauthorized use of unencrypted personal identifying information that was obtained from the business to make reasonable efforts to notify the individual whose personal identifying information was used. Generally, a business must notify the individual within 30 days after the business learns of the unauthorized use.
A.B. 621
Requires notification of the unauthorized acquisition of personal information that is stored on a computer or other electronic medium (unauthorized acquisition).  The bill’s notice requirements apply to entities, including the state, that do any of the following: 1) conduct business in Wisconsin and maintain personal information in the ordinary course of business; 2) store personal information in this state; 3) maintain a depository account for a Wisconsin resident; or 4) lend money to a Wisconsin resident.
A.B. 836
Requires an entity that possesses certain personal information about an individual to notify the individual when the information is accessed by a person who the entity has not authorized to do so (unauthorized access).  The bill’s notice requirements apply to entities, including the state and local governments, that do any of the following: conduct business in Wisconsin and maintain personal information in the ordinary course of business; store personal information in this state; maintain a depository account for a Wisconsin resident; or lend money to a Wisconsin resident.
S.B. 164
Passed Senate 11/9/05
Requires an entity that possesses certain personal information about an individual to notify the individual when the information is accessed by a person who the individual has not authorized to do so (unauthorized access).  The bill’s notice requirements apply to entities, including the state and local governments, that do any of the following: conduct business in Wisconsin and maintain personal information in the ordinary course of business; store personal information in this state; maintain a depository account for a Wisconsin resident; or lend money to a Wisconsin resident.
