US 2006 Enacted Financial Privacy Legislation Resources


State: Bill Summary:
Arizona H.B. 2024
Signed by governor 4/17/06, Chapter 117
Requires government agencies to establish procedures ensuring that collected entity identifying information and personal identifying information, except public records, cannot be accessed by unauthorized persons.  Defines entity identifying information, personal identifying information and governmental agency.
H.B. 2484
Signed by governor 4/25/06, Chapter 208
Specifies that an entity must not knowingly discard or dispose of records or documents without redacting the information or destroying the records or documents if the records or documents contain an individual’s first and last name or first initial and last name in combination with a corresponding complete: a) Social Security number; b) credit card, charge card or debit number; c) retirement account number; d) savings, checking or securities entitlement account number; e) driver license number or non-operating identification license number. Allows the record disposal requirements to be enforced by either the county attorney or the attorney general (AG) in the following manner: a) by the county attorney in the county in which the records or documents were wrongfully discarded or disposed; b) by the county attorney, if it is a multi-county violation by the same entity and after filing a notice of intent to enforce the law and sending a copy of the notice to the other county attorneys where violations have occurred requesting that the actions be consolidated; c) by the AG. Imposes a civil penalty for each violation of improper discarding or disposal of records or documents as follows: a) $500 for a first violation; b) $1,000 for a second violation; c) $5,000 for a third or subsequent violation. Specifies that an entity will be deemed in compliance with this legislation if it maintains and complies with its own procedures that are consistent with the requirements of this legislation. Exempts the following from this legislation: a) an entity subject to the Gramm Leach Bliley Act of 1999; b) covered entities as defined under the regulations implementing the Health Insurance Portability and Accountability Act (HIPAA); c) an entity subject to the Federal Fair Credit Reporting Act. Specifies that this legislation only applies to paper records and paper documents.
S.B. 1338
Signed by governor 4/26/06, Chapter 232
Requires a business or governmental entity conducting business in Arizona to notify state residents of a breach of their security system when personal information of the individuals has been compromised.
California A.B. 424
Signed by governor 2/24/06, Chapter 10
Expands the definition of “personal identifying information” to include an equivalent form of identification.  Provides that “person” as used in these provisions includes a firm, association, organization, partnership, business trust, company, corporation, limited liability company, or public entity.
A.B. 2291
Signed by governor 9/20/06, Chapter 353
Prohibits a motor vehicle manufacturer, manufacturer branch, distributor, or distributor branch from accessing, modifying, or extracting information from a confidential dealer computer record, as specified, or using electronic, contractual, or other means to prevent or interfere with the lawful efforts of a dealer to comply with specified data security and privacy laws, to ensure that the accessed data is within the scope of consent, or to monitor data accessed from the dealer’s computer system. The bill provides that these prohibitions do not limit a duty that a dealer may have to safeguard the security and privacy of records maintained by the dealer. Prohibits a computer vendor from accessing, modifying, or extracting information from a confidential dealer computer record, as defined, or personally identifiable consumer data, as defined, from a dealer without first obtaining an express written consent from the dealer and without maintaining specified safeguards to protect the information. The bill prohibits requiring a dealer, as a condition of doing or continuing to do business, to give express consent, except under specified circumstances.
S.B. 1847
Signed by governor 9/22/06, Chapter 405
Under existing law an insurance institution, agent, or insurance-support organization shall not disclose any personal or privileged information about an individual collected or received in connection with an insurance transaction unless the disclosure comes within specified exceptions generally designed to facilitate the legitimate transaction of insurance. This bill adds an exception to the general rule of nondisclosure when the disclosure is to an insured when the information disclosed is from an accident report, supplemental report, investigative report or the actual report from a government agency or is an exact copy of an accident report or other report which the insured is entitled to obtain under other specified provisions of law.
Colorado H.B. 1119
Signed by governor 4/26/06, Chapter
Requires an individual or a commercial entity that conducts business in Colorado and that owns or licenses computerized data that includes personal information to notify customers who are residents of Colorado of any breach of the security of the system following the discovery of a breach in the security of personal information of the Colorado resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.  Requires notice to be made in good faith, in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system. Requires the notification to be either written or electronic unless the cost of the notice exceeds $250,000, the affected class exceeds 250,000 people, or there is insufficient contact information, in which case conspicuous internet posting and notification to statewide media suffices. Allows the attorney general to file suit to enforce the act.
H.B. 1169
Signed by governor 6/2/06, Chapter 319
Requires the state court administrator to convene a committee of interested parties, including representatives of the news media, family law attorneys, and the courts, to make recommendations concerning access to divorce records. Directs the committee to consider issues related to identity theft, protecting children, transparency in government, and open access to public information. Requires the state court administrator to report any committee recommendations to the legislative council no later than December 1, 2006.
Connecticut S.B. 566
Signed by governor 5/8/06, Public Act 06-50
Prevents email message phishing.
Florida H.B. 7223
Laid on table 5/5/06
S.B. 512
Signed by governor 6/13/06, Chapter 199
Amends provision regarding exemption from public records requirements for personal identifying information, bank account numbers, and debit, charge, and credit card numbers contained in certain records held by the Department of Health which relate to an individual’s personal health or eligibility for health services; excludes bank account numbers and debit, charge, and credit card numbers contained in such records from exemption; saves exemption from repeal under OGSR Act.
S.B. 80
Signed by governor 6/20/06, Chapter 232
Requires certain governmental entities to post notice on their websites that electronic mail addresses sent to them are subject to release to public; provides that remedies and penalties under Electronic Mail Communications Act are cumulative; creates “Anti-Phishing Act”; prohibits certain acts regarding fraudulent use or possession of identifying information; authorizes the Legal Affairs Department to adopt rules.
Hawaii H.B. 2327
S.B. 2290
Signed by governor 5/25/06, Act 135
Requires any business doing business in Hawaii and any government agency that owns, licenses, collects, or maintains personal information of Hawaii residents to notify affected persons that a security breach has occurred following the discovery of or receipt of notification of the breach. Permits a civil penalty up to $2,500 for each violation against any business in violation, a private cause of action and an award of reasonable attorneys’ fees to the prevailing party. Requires government agencies to submit a detailed written report to the Legislature within 20 days after discovering the security breach at the government agency, unless the report will impede a criminal investigation.
H.B. 2329
S.B. 2292
Signed by governor 5/25/06, Act 136
Requires businesses and government agencies that conduct business in Hawaii that dispose of documents and other records containing personal information of Hawaii residents to take reasonable measures to protect against unauthorized access to or use of the information in connection with or after its disposal. Permits a civil penalty up to $2,500 for each violation against any business in violation, a private cause of action, and an award of reasonable attorneys’ fees to the prevailing party. Requires government agencies to submit a detailed written report to the Legislature within 20 days after discovering an unauthorized access to records containing personal information in connection with or after their disposal by or on behalf of the government agency, unless the report will impede a criminal investigation.
Idaho S.B. 1374
Signed by governor 3/30/06, Chapter 258
Adds to existing law to provide for disclosure of breach of security of computerized personal information by an agency, individual or a commercial entity; to provide procedures deemed in compliance with security breach requirements; and to provide penalties for violations.
Illinois H.B. 4449
Signed by governor 6/27/06, Public Act 94-0947
Amends the Personal Information Protection Act. Provides that the notice of the breach of the security of the system data shall be provided at no charge. Provides for notice requirements for state agencies that have a breach of security of the system data or written material. Provides that any state agency that collects personal data and has had a breach of security of the system data or written material shall submit an annual report to the General Assembly listing the breaches and outlining any corrective measures that have been taken to prevent future breaches of the security of the system data or written material. Provides that, in addition to the annual report, any state agency that collects personal data and has had a breach of security shall submit a report to the General Assembly within five business days of the discovery or notification of the breach. Provides that, if a state agency is required to notify more than 1,000 persons of a breach of security, the state agency shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the timing, distribution, and content of the notices. Provides that any state agency that collects personal data that is no longer needed or stored at the agency shall dispose of the personal data or written material it has collected in such a manner as to ensure the security and confidentiality of the material.
Indiana H.B. 1101
Signed by governor 3/21/06, Public Law 125
Provides that a person that owns or licenses certain unredacted or unencrypted personal information concerning Indiana residents that is contained in a computerized database must disclose to those Indiana residents without unreasonable delay a security breach in the computerized database (including the unauthorized acquisition of computerized data that have been transferred to another medium) if the security breach could cause the Indiana residents to become victims of identity theft, identity deception, or fraud. Requires a database owner who is required to make a disclosure concerning a security breach to more than 1,000 persons to notify each credit reporting bureau of the security breach. Specifies that a person that maintains a computer database but does not own or license the personal information contained in the database must notify the database owner if there is a security breach in the database. Provides that a database owner with a privacy plan drafted to comply with certain federal statutes may comply with that plan instead of these provisions if that plan meets the federal requirements, and permits a database owner with its own privacy plan to comply with its own plan instead of these provisions if its plan is at least as stringent as these provisions or a plan that complies with certain federal statutes. Authorizes the attorney general to bring an action to enforce the disclosure requirements. Makes certain information that relates to a license application submitted to the Indiana gaming commission confidential. Provides that a person who disposes of a customer’s unencrypted, unredacted personal information without first shredding, incinerating, mutilating, or erasing the personal information commits a Class C infraction. Enhances the offense to a Class A infraction for a second or subsequent offense, or if the person has unlawfully disposed of the personal information of more than 100 customers.
Includes as personal information certain information collected as part of a license or permit application.  Provides that a person who unlawfully obtains the identifying information of a deceased person commits identity deception.  Makes identity deception a Class C felony if a person unlawfully obtains the identities of more than 100 persons or the fair market value of the fraud or harm caused by the identity theft is at least $50,000.  Makes possession of a card skimming device with the intent to commit identity deception or fraud a Class D felony and a Class C felony if the device is possessed with the intent to commit terroristic deception.  Permits a court to enter a restitution order requiring a person convicted of identity deception to reimburse the victim for additional expenses that arise or are discovered after sentencing or after the entry of a restitution order.  Grants a court a five year period in which to order a person convicted of identity deception to pay additional restitution.  Provides that a person who commits the offense of identity deception may be tried in any county in which any element of the offense occurs.  Provides that jurisdiction for cases of identity deception lies in Indiana if the victim resides in Indiana.  Imposes certain fiduciary obligations on members of the governing board of a county hospital, and specifies that if a hospital governing board has two physician members, only one physician member is required to be an active member of the medical staff of the hospital.
Kansas S.B. 196
Signed by governor 4/19/06, Chapter 149
Relates to the protection of personal information, including creating requirement for a security breach, redacting information, identity theft expungement and protection of Social Security numbers from being published in specified records.
S.R. 1824
Passed Senate 3/31/06
Urges the United States Congress to impose prohibitions or limitations on the sale or other dissemination of personal data.
Maine L.D. 2017
Signed by governor 4/13/06, Chapter 583
Expands to other types of persons and businesses, including colleges and universities, the current requirement that information brokers notify consumers upon a security breach of the consumers’ personal information.  Establishes a private cause of action for certain violations of the obligation to notify consumers.  Requires the state’s chief information officer to develop standards and policies requiring notification by state agencies to Maine residents upon a security breach of personal information.
Minnesota H.F. 1943
S.F. 2002
Signed by governor 5/30/06, Chapter 233
Authorizes a consumer to place a security freeze on the consumer’s credit report; provides notice of this right; provides protections against identity theft; provides Social Security number protections; provides credit monitoring; provides for the adequate destruction of personal records; provides civil and criminal penalties.
H.F. 3378
S.F. 3132
Signed by governor 6/1/06, Chapter 253
Relates to data practices; regulates the collection, use, and disclosure of certain data; classifies certain data; modifies the powers and duties of certain commissioners; regulates tribal identification cards; authorizes the exchange of certain information; permits the use of a secure subscription service; provides civil remedies; provides criminal penalties.
Missouri H.C.R. 10
Passed both houses 5/2/06
Urges the United States Congress to adopt a comprehensive federal law that protects consumer information from data thieves.
Nebraska L.B. 876
Signed by governor 4/10/06
Adopts the Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006; provides that an individual or commercial entity (defined in the bill to include government, governmental subdivision, and agency) that owns or licenses computerized data that includes personal information about Nebraska residents is to give notice to the affected Nebraska residents following a security breach of the computerized data system if an investigation determines that the use of information about a Nebraska resident for an unauthorized purpose has occurred or is reasonably likely to occur; and authorizes the attorney general to issue subpoenas and seek and recover damages for Nebraska residents injured by violations.
New Hampshire H.B. 1660
Signed by governor 6/1/06, Chapter 242
Requires a person engaged in business in this state to notify consumers of any security breach that compromises the confidentiality of their personal information.
New York A.B. 8025
Signed by governor 6/7/06, Chapter 64
S.B. 5370
Enacts the “Anti-Phishing Act of 2005,” prohibits the misuse of the Internet to obtain identifying information by misrepresenting oneself as a business; authorizes the attorney general, Internet service providers, and those owning a Web page or trademark, who are adversely affected by such conduct to bring an action for injunctive relief and damages.
A.B. 8456
Signed by governor 6/7/06, Chapter 65
S.B. 5178
Substituted by A.B. 8456 5/23/06
Relates to disposal of records containing personal information.
North Carolina H.B. 1248
Signed by governor 8/1/06, Chapter 173
Amends the Identity Theft Protection Act of 2005, relates to security breaches and publishing Social Security numbers.
Oklahoma H.B. 2357
Signed by governor 6/8/06, Chapter 298
Requires government agencies to notify persons of a breach of computer systems which results in the unauthorized release of personal information.
Rhode Island H.B. 6811
Became law without governor’s signature 7/14/06, Chapter 583
Makes unlawful certain modifications to computer settings, control of another’s computer, and deceptive sales of software. This act also provides for a civil action for violations under this chapter.
Tennessee H.B. 3105
S.B. 2575
Signed by governor 5/1/06
Creates Anti-Phishing Act of 2006; penalizes persons who, without authorization or permission of subject of identifying information, obtain, record, access or distribute identifying information of another person through use of Internet, e-mail or wireless communication.
H.B. 4005
S.B. 3886
Signed by governor 5/4/06, Public Law Chapter 596
Specifies that otherwise confidential information obtained by the commissioner of financial institutions or any bank examiner in making an examination into the affairs of the bank may be disclosed to certain state and federal officials for purposes of enforcing and complying with the federal Bank Secrecy Act.
Utah S.B. 52
Signed by governor 3/13/06, Chapter 120
Provides that when an act of communications fraud involves obtaining sensitive personal identifying information, the offense is a second degree felony and the penalty is not based on the value involved.
S.B. 69
Signed by governor 3/20/06, Chapter 343
Addresses the integrity of consumer credit databases.  Defines terms; requires a person maintaining personal information in connection with a business to implement procedures to protect personal information; requires destruction of certain records; requires disclosure of breaches of databases containing personal information; and provides for enforcement by the attorney general.
Vermont S.B. 284
Signed by governor 5/18/06, Act 162
Enacts a Security Breach Notice Act, a Social Security Number Protection Act, and a Document Safe Destruction Act.
Virginia H.B. 563
Signed by governor 4/5/06, Chapter 647
Removes the sunset provision prohibiting certain information from being posted on a court-controlled website. The Compensation Board policies shall require court clerks to certify that proposed technology improvements of their land records will provide remote access to land records on or before July 1, 2007. If a court clerk provides remote access to land records on or before July 1, 2007, the clerk may then apply to the Compensation Board for an allocation from the Technology Trust Fund.  Requests the Virginia Information Technologies Agency to develop methods for the redaction of Social Security numbers from electronic land record documents and to submit a project budget to Compensation Board for approval.
Wisconsin S.B. 164
Signed by governor 3/16/06, Act 138
Requires an entity that possesses certain personal information about an individual to notify the individual when the information is accessed by a person who the individual has not authorized to do so (unauthorized access).  The bill’s notice requirements apply to entities, including the state and local governments, that do any of the following: conduct business in Wisconsin and maintain personal information in the ordinary course of business; store personal information in this state; maintain a depository account for a Wisconsin resident; or lend money to a Wisconsin resident.
