US 2006 Breach of Information Legislation Resources


In February 2005, ChoicePoint, a corporation that collects and compiles information that includes personal and financial information on millions of consumers, disclosed that it had been the victim of a security breach wherein it had sold personal information of almost 145,000 people to a criminal enterprise. The company first disclosed the breach only to California residents, as required by California’s Notice of Security Breach law, enacted in 2002. However, the company later disclosed that residents in other states, the District of Columbia and three territories also may have been affected by the ChoicePoint breach.

Since these disclosures, additional states have introduced legislation requiring that companies and/or state agencies disclose to consumers security breaches involving personal information.  NCSL’s Identity Theft Web page has additional information on related legislation.

Summary

Legislation has been enacted in at least 35 states total as of January 2007: Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Kansas, Louisiana, Maine, Michigan, Minnesota, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New York, North Carolina, North Dakota, Ohio, Oklahoma (applies to governmental agencies only), Pennsylvania, Rhode Island, Tennessee, Texas, Utah, Vermont, Washington, and Wisconsin.

In 2006, legislation was introduced in 35 states and D.C. and was enacted in eleven states in 2006: Colorado, Kansas, Idaho, Indiana, Maine, Michigan, Nebraska, Ohio, Oklahoma (applies to governmental agencies only), Utah, and Wisconsin. (See also 2005, 2004, 2003, and 2002 legislation.)

2006 Legislation

Alabama
S.B. 114
An act to provide a procedure for notification of a breach of security where there is a reasonable belief that computer data containing the personal information of an Alabama resident is disclosed to an unauthorized person.

S.B. 220
04/06/06 Indefinitely Postponed
An act to provide a procedure for notification of a breach of security where there is a reasonable belief that computer data containing the personal information of an Alabama resident is disclosed to an unauthorized person.

Alaska
H.B. 226
Relates to breaches of security involving personal information; and relating to credit report security freezes.

H.B. 270
Relates to breaches of security involving personal information, consumer report security freezes, protection of social security numbers, disposal of records, factual declarations of innocence after identity theft, furnishing consumer credit header information, and filing police reports regarding identity theft.

S.B. 148
Relates to breaches of security involving personal information; and relating to credit report security freezes.

S.B. 149
Relates to breaches of security involving personal information; and relating to credit report security freezes.

S.B. 180
Relates to breaches of security involving personal information, consumer report security freezes, protection of social security numbers, disposal of records, and the accuracy of reports on credit history, score, and ranking.

S.B. 222
An act relating to breaches of security involving personal information, consumer report security freezes, consumer credit monitoring, credit accuracy, protection of social security numbers, disposal of records, factual declarations of innocence after identity theft, filing police reports regarding identity theft, and furnishing consumer credit header information.

Arizona
H.B. 2276
An act relating to disclosure of compromised personal identifying information.

H.B. 2331
An act relating to disclosure of compromised personal identifying information.

S.B. 1338
04/26/06 Signed by Governor, Chapter 232
Requires a business or governmental entity conducting business in Arizona to notify state residents of a breach of their security system when personal information of the individuals has been compromised.

California
A.B. 786
01/31/06 Died
Requires the California State University system to provide an employee, upon request, with four hours of time off with pay following a disclosure by the university that there is, or could have been, a breach of security of employee personal information data, as specified.

A.B. 1694
01/31/06 Died
Requires a consumer credit reporting agency, upon the request of a consumer whose personal information was breached by a computerized data system, to place a security freeze on the consumer’s credit report without charge to the consumer for this service; authorizes the consumer credit reporting agency to charge the agency responsible for the breach, and would require the consumer to submit a copy of notification of the breach to the consumer credit reporting agency, as a condition of receiving the security freeze; requires a consumer credit reporting agency to notify each consumer who is the subject of a consumer credit report of each instance that a new account is entered on the consumer’s report if the address on the credit application is different from the last address on record held by the consumer credit reporting agency.

A.B. 2505
05/22/06 Passed Assembly
Establishes the California Information Security Response Team; requires the California Highway Patrol, upon receiving notification of any information security information incident or computer-related crime, to notify the state chief information officer; requires the state chief information officer to compile and annually report to the Legislature all information security incidents or computer-related crimes reported to the California Highway Patrol.

S.B. 852
05/26/05 Passed Senate
Requires an agency, or a person or business conducting business in California, that possesses any data that includes the personal information of a California resident, to notify the resident of any breach of the security of the data, as specified. The bill also repeals duplicative provisions of law.

S.B. 1512
Changes the threshold for providing substitute notice from $250,000 to $500,000.

Colorado
H.B. 1119
04/26/06 Signed by Governor, Chapter 145
Concerning security breaches regarding personal identifying information.

Delaware
S.B. 109
Creates the “Clean Credit and Identity Theft Protection Act”.  Also creates the rights to have a “security freeze”.  (Substitute bill does not contain security breach notification requirements.)

Georgia
H.B. 638
Relates to selling and other trade practices, so as to provide definitions; to require investigative consumer reporting agencies to give notice to consumers of certain security breaches; to provide for a standard of care to be exercised by investigative consumer reporting agencies; to provide for rules, regulations, and guidelines; to provide for related matters; to provide an effective date; to repeal conflicting laws; and for other purposes.

S.B. 245
Relates to business records, so as to require a person or business that conducts business in this state and that owns or licenses computerized data that includes personal information to disclose in specified ways any breach of the security of the data to any resident of this state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person; permits notification to be delayed if a law enforcement agency determines that it would impede a criminal investigation; requires a person or business that maintains computerized data that includes personal information owned by another to notify the owner or licensee of the information of any breach of security of the data; provides for certain civil actions; defines certain terms; amends Chapter 18 of Title 50 of the Official Code of Georgia Annotated, relating to state printing and documents, so as to require an agency that owns or licenses computerized data that includes personal information to disclose in specified ways any breach of the security of the data to any resident of this state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person; permits notification to be delayed if a law enforcement agency determines that it would impede a criminal investigation; requires an agency that maintains computerized data that includes personal information owned by another to notify the owner or licensee of the information of any breach of security of the data; defines certain terms; provides for legislative findings and declarations.

Hawaii 
H.B. 3243
Requires persons, businesses, or government agencies who maintain personal information in computerized form to notify persons to whom the information relates of a breach of the security of the information. Authorizes attorney general to take legal action to enforce notice requirement.

S.B. 2290
05/25/06 Signed by Governor, Act 135
Requires any business doing business in Hawaii and any government agency that owns, licenses, collects, or maintains personal information of Hawaii residents to notify affected persons that a security breach has occurred following the discovery of or receipt of notification of the breach.  Permits a civil penalty up to $2,500 for each violation against any business in violation, a private cause of action against any business in violation, and an award of reasonable attorneys’ fees to the prevailing party.  Requires government agencies to submit a detailed written report to the Legislature within twenty days after discovering the security breach at the government agency, unless the report will impede a criminal investigation.

S.B. 2292
05/25/06 Signed by Governor, Act 136
Requires businesses and government agencies that conduct business in Hawaii that dispose of documents and other records containing personal information of Hawaii residents to take reasonable measures to protect against unauthorized access to or use of the information in connection with or after its disposal. Permits a civil penalty up to $2,500 for each violation against any business in violation, a private cause of action against any business in violation, and an award of reasonable attorneys’ fees to the prevailing party. Requires government agencies to submit a detailed written report to the Legislature within twenty days after discovering a material occurrence of an unauthorized access to personal information records in connection with or after their disposal by or on behalf of the government agency unless the report will impede a criminal investigation.

Idaho   
S.B. 1374
03/30/06 Signed by Governor, Chapter 258
Provides for disclosure of breach of security of computerized personal information by an agency, individual or a commercial entity; to provide procedures deemed in compliance with security breach requirements; and to provide penalties for violations.

Illinois  
H.B. 3743
Creates the Security Breach Notification Act.  Requires any person or business conducting business in the State to disclose any breach of the security of the system to any person whose unencrypted personal information was, or is reasonably believed to have been acquired by an unauthorized person.  Provides a private right of action for a violation of the Act.

H.B. 4198
Amends the Personal Information Protection Act.  Requires a data collector to disclose to a consumer, at no cost, the personal information obtained resulting in a breach of the security of the system data.

H.B. 4253
02/01/06 Tabled by sponsor
Amends the Personal Information Protection Act; provides that the notice requirements of the Act apply to breaches of written material containing personal information; and provides that any State agency that collects personal data and has had a breach of security of the system data or written material shall submit an annual report to the General Assembly listing the breaches and outlining any corrective measures that have been taken to prevent future breaches of the security of the system data or written material.

H.B. 4449
06/27/06 Signed by Governor, Act 947
Amends the Personal Information Protection Act. Provides that any State agency that collects personal data and has had a breach of security of the system data or written material shall submit an annual report to the General Assembly listing the breaches and outlining any corrective measures that have been taken to prevent future breaches of the security of the system data or written material. Provides that any State agency that collects personal data that is no longer needed or stored at the agency shall dispose of the personal data or written material it has collected in such a manner as to ensure the security and confidentiality of the material.

H.B. 5293
02/01/06 Tabled by sponsor
Creates the Financial Institution Credit Watch Services Act. Provides that any financial institution that has suffered a breach of security concerning personal information shall provide the owner or licensee of the personal information with free credit monitoring services, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

S.B. 209
Creates the Personal Information Protection Act. Requires each financial institution to provide an annual disclosure statement to all persons for which the financial institution maintains unencrypted personal information concerning measures the financial institution has taken to prevent (i) a breach of the security system and (ii) any unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the financial institution. Requires each financial institution to maintain duplicate records of all computerized data at a back-up site located at least 90 miles from the primary site at which the data is stored. Provides that the effectiveness of the back-up site shall be tested annually and requires the results of that test to be included in the annual disclosure statement.

S.B. 1479
04/08/05 Passed Senate
Creates the Identity Theft Notification Act. Requires any data collector that owns or uses personal information in any form that includes personal information concerning an Illinois resident, to disclose any breach of the security of the system following discovery or notification of the breach in the security of the data, without regard for whether the data has been accessed by an unauthorized third party for legal or illegal purposes. Provides that notice may be provided in one of the following ways: (1) written notice; (2) electronic notice; or (3) substitute notice if the person or business demonstrates that the cost of providing notice would exceed $250,000, or the affected class of persons to be notified exceeds 500,000, or the person or business does not have sufficient contact information. Provides a private right of action for a violation of the Act.

S.B. 1798
Creates the Personal Information Protection Act. Requires any person, business, or State agency conducting business in the State, and that owns or licenses computerized data that includes vulnerable personal information, to disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any person whose unencrypted personal information was, or is reasonably believed to have been acquired by an unauthorized person. Requires any person, business, or State agency that maintains computerized data that includes vulnerable personal information that the person, business, or State agency does not own, to notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the vulnerable personal information was, or is reasonably believed to have been acquired by an unauthorized person. Provides that notice may be provided to a customer in one of the following ways: (1) written notice; or (2) substitute notice if the person or business demonstrates that the cost of providing notice would exceed $250,000, or the affected class of persons to be notified exceeds 500,000, or the person or business does not have sufficient contact information.

S.B. 1899
Creates the Identity Theft Notification Act. Requires any agency, person, or business that conducts business in Illinois and owns or licenses data that includes personal information concerning an Illinois resident to notify the resident that there has been a breach of the security of that data following discovery or notification of the breach. Requires any agency, person, or business that maintains data that includes personal information concerning an Illinois resident and that the agency, person, or business does not own to notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been acquired by an unauthorized person. Provides that notice may be provided in one of the following ways: (1) written notice; (2) electronic notice; or (3) substitute notice if the agency, person, or business demonstrates that the cost of providing notice would exceed $250,000, or the affected class of persons to be notified exceeds 500,000, or the agency, person, or business does not have sufficient contact information.

S.B. 3040
Amends the Personal Information Protection Act. Provides that the notification requirements of the Act apply to breaches of security concerning written data. Provides that any financial institution that has suffered a breach of security concerning personal information shall provide the owner or licensee of the personal information with free credit watch services for one year, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

Indiana
H.B. 1101
03/21/06 Signed by Governor, Public Law 125
Provides that a person that owns or licenses a computerized data base containing personal information concerning Indiana residents must disclose to those residents a security breach if the breach could cause the Indiana residents to become victims of identity theft, identity deception, or fraud. Authorizes the attorney general to bring an action to enforce the disclosure requirements. Requires a state agency to disclose a breach of security involving confidential information. Provides that a person who disposes of a customer’s unencrypted, unredacted personal information without first shredding, incinerating, mutilating, or erasing the personal information commits a Class C infraction. Makes possession of a card skimming device with the intent to commit identity deception or fraud a Class D felony and a Class C felony if the device is possessed with the intent to commit terroristic deception.

Iowa
H.F. 2107
An act to require notification of a breach of the security of a system of computerized data containing personal information and providing for civil remedies.

H.F. 2484
Provides for the notification of a breach in the security of computerized data of personal information, allows a security alert or block on a consumer report, allowing the issuance of an identity theft passport, requires the deletion of certain records relating to dishonored checks, prohibits the collection of certain unauthorized debt obligations, requires the protection and destruction of customer records containing personal information, and provides for civil remedies and penalties.

S.S.B. 3019
An act requiring notice of a breach of security of computer data containing personal information, and providing a procedure to secure credit information, and providing a penalty.

Kansas
S.B. 196
04/19/06 Signed by Governor
Allows for protection and restriction of the use of certain personal information and amends existing identity theft law and the Fair Credit Reporting Act; creates associated penalties and remedies for violations of the use of personal information; creates new law for the illegal possession or use of scanning devices, protections for personal identifying information and notification requirements associated with a breach of security of computerized data, allowances for the use of and protections associated with security freezes on consumer reports, and procedures for the destruction of data.

Kentucky
H.B. 4
03/14/06 Passed House
Prohibits a business from making or requiring certain uses of a consumer’s Social Security number; establishes a procedure to allow a consumer to place a security freeze on his or her credit report; requires an agency or business that conducts business in the Commonwealth to take certain measures to protect against unauthorized access or use of personal information during its disposal; requires an agency or business that conducts business in the Commonwealth, and that owns or maintains data that includes personal information, to disclose any security breach to any resident of the Commonwealth whose personal information was acquired or accessed; requires an agency or business that conducts business in the Commonwealth to take certain measures to safeguard against security breaches; establishes a procedure for a victim of certain identity-theft-related crimes to petition the District Court for a determination that he or she is a victim of identity theft; establishes a procedure allowing a person who has been charged with a crime because another person used his or her identifying information, and who has been found not guilty or the charges have been dismissed, to make a motion to the District or Circuit Court to redact his or her identifying information from certain records; prohibits an agency from making or requiring certain uses of a person’s Social Security number or identifying information; prohibits an agency from collecting a Social Security number unless authorized by law or necessary for the agency’s duties; requires an agency to segregate Social Security numbers from the rest of a record and to provide a person with a written statement of the purpose for collecting and using the Social Security number.

H.B. 175
Requires an agency or person or business that conducts business in the Commonwealth, and that owns or maintains computerized data that includes personal information, to disclose any breach of the security of the data to any resident of the Commonwealth whose personal information was acquired, or to any owner or licensee whose information was acquired, by an unauthorized person.

Maine  
H.B. 1417
04/13/06 Signed by Governor, Chapter 583 
Expands the definition of person to include colleges and universities; expands private cause of action to include violations by “persons” not just “information brokers”;  exempts State governments from civil liability.

Maryland
H.B. 630
Requires a business to destroy or arrange for the destruction of records that contain specified personal information in a specified manner; requires a business that compiles, maintains, or makes available specified personal information of an individual residing in the State to implement and maintain specified security procedures and practices; requires businesses that compile, maintain, or make available specified records to notify specified individuals of a breach of the security of a system under specified circumstances.

H.B. 873
02/20/06 Withdrawn
Requires specified business and State entities that own, license, or maintain specified records that include specified personal information of an individual residing in the State to notify specified persons of a breach of the security of a system under specified circumstances; specifies the time at which notification must be given; authorizes notification to be given in a specified manner.

H.B. 1170
Requires a business to destroy or arrange for the destruction of a customer’s records that contain specified personal information of the customer in a specified manner; requires a business that owns or licenses specified personal information of an individual residing in the State to implement and maintain specified security procedures and practices; requires businesses that own, license, or maintain specified records to notify specified persons of a breach of the security of a system.

S.B. 486
Requires a business to destroy or arrange for the destruction of records that contain specified personal information in a specified manner; requires a business that compiles, maintains, or makes available specified personal information of an individual residing in the State to implement and maintain specified security procedures and practices; requires businesses that compile, maintain, or make available specified records to notify specified individuals of a breach of the security of a system under specified circumstances.

Massachusetts
S.B. 2058
Requires companies that collect personal information to disclose when said data has been compromised.

Michigan
H.B. 4658
Consumer protection; requires notification of security breach of database containing personal identifying information.

H.B. 6522
Requires certain notices regarding unauthorized access to personal identifying information; to establish procedures for notice; provides remedies and civil sanctions.

S.B. 309
12/31/06 Signed by Governor, Public Act 566
Requires notification of security breach of database containing personal identifying information.

Minnesota
H.F. 1410 / S.F. 1307
Requires businesses maintaining personal information in electronic form to disclose to consumers breaches in security.

Nebraska
L.B. 876
04/10/06 Signed by Governor
Adopts the Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006; provides that an individual or commercial entity (defined in the bill to include government, governmental subdivision, and agency) that owns or licenses computerized data that includes personal information about Nebraska residents is to give notice to the affected Nebraska residents following a security breach of the computerized data system if an investigation determines that the use of information about a Nebraska resident for an unauthorized purpose has occurred or is reasonably likely to occur; and authorizes the Attorney General to issue subpoenas and seek and recover damages for Nebraska residents injured by violations.

Nevada
B.D.R. 405
8/29/06 Filed Bill Draft Request for 2007 Session
Provides notification requirements for computer security breaches involving personal financial information.

New Hampshire
H.B. 1374
Establishes a committee to study requiring personal information holders to disclose a security breach.

H.B. 1404
Requires an individual, agency, or commercial entity to notify a resident when there is a breach of computer security regarding the resident’s personal information.

H.B. 1414
Requires a person engaged in business in this state to notify consumers of any security breach that compromises the confidentiality of their personal information.

H.B. 1660
06/02/06 Signed by Governor, Chapter 242
Requires a person engaged in business in this state to notify consumers of any security breach that compromises the confidentiality of their personal information.

New Jersey
A.B. 259
Requires businesses to disclose any breach of security of computer systems to customers and to destroy certain personal information no longer retained.

New York
A.B. 1525
Requires any banking institution that owns or licenses data that includes personal identifying information to disclose any breach of security following discovery or notification of such breach to any person whose personal identification was, or is reasonably believed to have been, acquired by an unauthorized person; defines personal identifying information and breach of security; further allows for a consumer to elect for a security freeze on his or her consumer report to prevent identity theft; establishes procedures to allow consumers to put a “security freeze” on their consumer information; provides for enforcement by the attorney general.

A.B. 5487 / S.B. 3000
Enacts the “personal information protection act”, requiring disclosure of breaches of security of data systems of business entities to affected persons; provides for administration by the department of state; requires use of best effective technology to detect breaches of security; provides for a private right of action.

A.B. 6688
Requires notification of breach of security of personal information kept by state agencies; defines breach of security and personal information.

A.B. 6903
Requires any state agency or business which owns or licenses a computerized database which includes vulnerable personal information to disclose any breach of security of such system to any resident of New York state whose unencrypted personal information may have been acquired by an unauthorized person; provides enforcement provisions.

A.B. 9037
Requires notice to consumers by credit agencies of a breach of security involving personal information.

S.B. 2161
Requires any state agency or business which owns or licenses a computerized database which includes vulnerable personal information to disclose any breach of security of such system to any resident of New York state whose unencrypted personal information may have been acquired by an unauthorized person; provides enforcement provisions.

S.B. 3141
Requires any banking institution that owns or licenses data that includes personal identifying information to disclose any breach of security following discovery or notification of such breach to any person whose personal identification was, or is reasonably believed to have been, acquired by an unauthorized person; defines personal identifying information and breach of security.

S.B. 4978
Requires state agencies and business entities to disclose the breach of the security of any personal information of any resident of the state maintained on computerized database; establishes notice requirements; directs the state consumer protection board to enforce such provisions.

S.B. 5472
Requires notice to consumers by credit agencies of a breach of security involving personal information.

North Carolina
S.B. 783
Requiring that data aggregators and other businesses immediately notify individuals of unauthorized or fraudulent access to personal information following information security breaches.

Ohio
S.B. 126
12/29/06 Signed by Governor, Session Law 151
Modifies the laws governing county hospitals and licensed practical nurse duties and exempts a state agency or agency of a political subdivision from the requirement that it disclose or give notice of unauthorized access to personal information if the agency is a covered entity under the Health Insurance Portability and Accountability Act of 1996.

Oklahoma
H.B. 2357
6/06/06 Signed by Governor, Chapter 298
Requires governmental agencies to notify persons of a breach of computer systems which results in unauthorized release of personal information.

Pennsylvania
H.B. 1023
Provides for the notification of residents whose personal information data was or may have been disclosed due to a security system breach.

H.B. 1795
Provides for the notification of residents whose personal information data was or may have been disclosed due to a security system breach.

H.B. 2006
Provides for breach of security of identifying information.

Rhode Island
H.B. 6835
07/10/06 Vetoed by Governor
An act relating to criminal offenses – identity theft protection.

S.B. 2225
Establishes rules of disclosure of personal information about insurers, by businesses to third-parties, rules of notification to consumers of breaches in the security protecting consumer identification information as well as civil penalties and damages for violation of the disclosure and notification rules.

Tennessee
H.B. 3619 / S.B. 3425
Requires public and private entities to disclose any breach of the security of personal consumer information.

Utah
S.B. 69
3/20/06 Signed by Governor, Chapter 343
Requires a person maintaining personal information in connection with a business to implement procedures to protect personal information; requires destruction of certain records; requires disclosure of breaches of databases containing personal information; and provides for enforcement by the attorney general.

Vermont
S.B. 284
05/18/06 Signed by Governor, Act 162
Enacts a Security Breach Notice Act, a Social Security Number Protection Act, and a Document Safe Destruction Act; requires any data collector that owns or uses computerized personal information concerning a consumer to notify the consumer when there has been a security breach.

Virginia
H.B. 1154
03/11/06 Legislature adjourned
01/23/06 Continued to 2007
Requires an individual or a commercial entity that owns or licenses computerized data that includes personal information to notify a resident of Virginia of any breach of the security of the system immediately following the discovery of a breach in which unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The bill also contains alternative notification provisions. The Office of the Attorney General may also bring an action in law or equity to address violations of this section and other appropriate relief.

H.B. 1508
03/11/06 Legislature adjourned
02/07/06 Continued to 2007
The measure requires data collectors that keep personal information on individuals to notify a Virginia resident when there has been a breach of the security of the data. The notice shall include a description of the categories of information that were acquired by an unauthorized person and a toll-free number that the individual may use to learn what types of information were maintained about the individual. An individual receiving such a notice may obtain, at no cost, consumer credit reports beginning two months following the breach of security and continuing on a quarterly basis for two years thereafter.

H.B. 2721
03/11/06 Legislature adjourned
Requires agencies and businesses that maintain computerized data that includes personal information to notify the subject of that information when a breach of the database containing that information is discovered.  No notice is required if an investigation determines that there is no reasonable belief that the information has been or will be used in an unlawful manner.  Provides for various means of notifying the owner or licensee of that information and requires the agency or business to coordinate notification with consumer reporting agencies if they indicated that the affected individual can obtain a credit report.  Damages for an agency violating this requirement are provided in the Government Data Collection and Dissemination Practices Act (§ 2.2-3800 et seq.).  Damages for a business violating this requirement are provided in the Personal Information Privacy Act or PIPA (§ 59.1-442 et seq.).  Expands the damages available for violations of PIPA to include actual damages, if greater than $100 per violation, and injunctive relief.

West Virginia
H.B. 4551
03/11/06 Legislature adjourned
Relates to the unauthorized acquisition of data that compromises the security, confidentiality, or integrity of personal information maintained by the data collector; requires notification to the consumer that there has been a breach of the security of information maintained on a consumer following discovery or notification of the breach; requires certain actions by data collectors with respect to breach of security; prohibits waiver of provisions; makes violations an unconscionable act; provides civil penalties for violations; provides other remedies; and provides that the provisions of the article are severable under certain circumstances.

Wisconsin
S.B. 164
03/16/06 Signed by Governor, Act 138
Requires an entity that possesses certain personal information about an individual to notify the individual when the information is accessed by a person who the individual has not authorized to do so (unauthorized access).  The bill’s notice requirements apply to entities, including the state and local governments, that do any of the following: conduct business in Wisconsin and maintain personal information in the ordinary course of business; store personal information in this state; maintain a depository account for a Wisconsin resident; or lend money to a Wisconsin resident.

District of Columbia
B16-810
Enacted 12/28/06, Act A16-0593 – To Congress for approval
To ensure that consumers are notified when electronically stored personal information is compromised in a way that increases the risk of identity theft, to create a private right of action for consumers harmed by a violation of the notification requirement, and to provide for enforcement by the Attorney General.

