US 2006 Introduced Financial Privacy Legislation Resources

State: Bill Summary:
Alabama H.B. 355
Prohibits any state department or agency from revealing or placing personal information of a person on any electronic document or file available for public inspection unless the personal information is encrypted in a manner that it is not available for general public view.  An exception would be made when the personal information is needed for a government purpose by a state or federal agency.
S.B. 114
Requires a person that owns or licenses computerized data containing the personal information of an Alabama resident to notify the resident of a breach of security involving the personal information.  Provides for notification of breaches of security by third-party persons that maintain computerized data containing personal information on behalf of the person who owns or licenses the computerized data.  Provides limited exceptions for the time and manner of the notification.
S.B. 220
Indefinitely postponed 1/19/06
Requires a person that owns or licenses computerized data containing the personal information of an Alabama resident to notify the resident of a breach of security involving the personal information.  Provides for notification of breaches of security by third-party persons that maintain computerized data containing personal information on behalf of the person who owns or licenses the computerized data.  Provides limited exceptions for the time and manner of the notification.
Alaska H.B. 226
Relates to breaches of security involving personal information; and relating to credit report security freezes.
S.B. 222
Relates to breaches of security involving personal information, consumer report security freezes, protection of Social Security numbers, disposal of records, factual declarations of innocence after identity theft, furnishing consumer credit header information, and filing police reports regarding identity theft; and amending Rule 60, Alaska Rules of Civil Procedure.
Arizona H.B. 2015
Relates to the disclosure of compromised personal identifying information and entity identifying information.
H.B. 2016
Relates to the discarding and disposal of personal and entity identifying information records.
H.B. 2019
Relates to the disclosure of compromised personal identifying information and entity identifying information.
H.B. 2020
Relates to the discarding and disposal of personal and entity information records by a government agency.
H.B. 2276
Relates to the disclosure of compromised personal identifying information.
H.B. 2331
Relates to the disclosure of compromised personal identifying information.
H.B. 2333
Changes the designation of Title 41, Chapter 39 to “Information obtained or disseminated by state and local governments;” changes the designation of Title 41, Chapter 39, Article 1, to “Access to state agency Web site records and privacy;” amends Title 41, Chapter 39, by adding Article 2, relating to information obtained or disseminated by state and local governments.
H.B. 2351
Passed House 3/14/06
States that if a defendant is convicted of specific identity theft offenses and receives probation, the defendant must serve the following amount of time in county jail:  1) Taking the identity of another person:  At least 60 days; 2) Aggravated identity theft:  At least 270 days; 3) Trafficking in the identity of another person:  At least one year.  Prohibits these jail terms from being deferred, deleted or suspended.  Begins the jail sentence on the date of sentencing.  Exempts persons sentenced to the Department of Corrections from having to serve these jail sentences.  Requires any entity/person who does business in Arizona and owns or licenses computerized data that includes personal identifying information to disclose any breach of security of the system.  Disclosure must be made following the discovery of the breach or upon notification of the breach.  Every resident whose personal identifying information is believed to have been acquired/accessed must be notified.  If the person/entity maintains computerized data including personal or entity identifying information that the person/entity does not own, the owner or licensee of the information must be notified immediately upon discovery that the information was acquired/accessed by an unauthorized person.  States that each breach must be reported to a local, state or federal law enforcement agency and to each national credit reporting agency (CRA) within 48 hours of discovery of the breach.  Reporting may be delayed if a law enforcement agency determines that it will impede the investigation.  Law enforcement must request a delay in reporting within 72 hours.  Allows a person/entity to have its own notification procedures considered to be in compliance as long as those procedures are consistent with the timing aspects of this law.  States that a waiver of any of these provisions is contrary to public policy and is void and unenforceable.  
Requires a person/entity who violates this section to:  1) Pay a civil penalty of $500 per individual who does not receive proper notification.  Caps the total penalty at $250,000 per breach.  2) Reimburse any individual who did not receive proper notification for actual and secondary costs.  3) Reimburse the county attorney or attorney general (AG) for costs.  4) Allows either the county attorney or the AG to enforce this section.  Provides an exception to the disclosure requirement if the information is encrypted by the use of a process that makes the data unreadable without a confidential process or key, as long as the entity/person has a good faith belief that the process/key has not been acquired/accessed.  Exempts a person/entity from this section if the person/entity is subject to and in compliance with federal law that specifically addresses the unauthorized acquisition/access of computerized data.  Prohibits a business from discarding or disposing of any record containing personal identifying information unless it does one of the following:  1) Shreds the record; 2) Erases the personal/entity identifying information; 3) Modifies the record to make the personal/entity identifying information unreadable; or 4) Takes actions that the business believes will ensure that no unauthorized person has access to the personal/entity identifying information.  States that a business that violates the requirements for disposal of records shall reimburse each customer whose information was wrongfully discarded/disposed of for actual and secondary costs.  Imposes a civil penalty on any business that violates the disposal requirements, not to exceed the greater of either $10,000 or the actual amount of the loss to the victims.  Requires any business in violation to also pay costs incurred by the county attorney or attorney general.  
Provides an affirmative defense to the wrongful discard/disposal of records if the business shows that it is either:  In compliance with federal laws governing the disposal of customer records, or that it used due diligence to properly dispose of the record.  Allows either the county attorney or the AG to enforce this section.
S.B. 1375
Relates to the discarding and disposal of personal and entity identifying information.
California A.B. 695
Vetoed by governor 9/28/06
Requires a retail seller to provide legible receipts that remain legible for the entire return period of a product. On and after April 1, 2007, the bill further requires a retailer who maintains customer-specific return information, as defined, to display its policy, as specified, protect and not share customer information, with specified exceptions, and limits use of the information to detection and pursuit of fraud or abuse. The bill also authorizes a retailer to offer discounts or other sales incentives to a customer upon the return of goods.
A.B. 786
Died pursuant to Art. IV, Sec. 10(c) of the Constitution 1/31/06
Requires the California State University system to provide an employee, upon request, with four hours of time off with pay following a disclosure by the university that there is, or could have been, a breach of security of employee personal information data, as specified.
A.B. 1694
Died pursuant to Art. IV, Sec. 10(c) of the Constitution 1/31/06
Requires a consumer credit reporting agency, upon the request of a consumer whose personal information was breached by a computerized data system, to place a security freeze on the consumer’s credit report without charge to the consumer for this service.  Authorizes the consumer credit reporting agency to charge the agency responsible for the breach, and requires the consumer to submit a copy of notification of the breach to the consumer credit reporting agency, as a condition of receiving the security freeze.  Makes related findings and declarations of the Legislature.  Requires a consumer credit reporting agency to notify each consumer who is the subject of a consumer credit report of each instance that a new account is entered on the consumer’s report if the address on the credit application is different from the last address on record held by the consumer credit reporting agency.
A.B. 2505
Passed Assembly 5/22/06
Existing law permits a state agency, or a person or business that conducts business in California, to provide substitute notice, as defined, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person because of a breach of the security of the data, when the person or business demonstrates that the costs of providing notice, as defined, would exceed $250,000, or if the number of persons to be notified exceeds 500,000, or if the person or business does not have sufficient contact information. This bill defines substitute notice to include notification to the Office of Privacy Protection. Establishes the California Information Security Response Team in state government, with a specified membership chaired by the state chief information officer. The bill requires the California Highway Patrol, upon receiving notification of any information security information incident or computer-related crime, as described, to notify the state chief information officer, who would be required to convene the team to ensure that specified activities have been carried out under existing organizational frameworks, and would require state agencies to cooperate with the team in this regard.
S.B. 185
Passed Assembly 8/31/06
Existing law prohibits a prison inmate from being assigned to employment that would provide access to personal information of private individuals, as specified, excepting incidental contact in employment programs and public service facilities.  This bill prohibits any inmate from being allowed to participate in any activity that would provide the inmate with access to personal information of private individuals.
S.B. 280
Died pursuant to Art. IV, Sec. 10(c) of the Constitution 1/31/06
Known as the Taxpayer Privacy Bill of Rights Act, this bill prohibits the board from releasing a taxpayer’s personal or financial information to the general public, unless the board shows a compelling interest for the disclosure of that information and the disclosure is first authorized by the courts.  Expands the scope of the Taxpayers’ Rights Advocate’s authority to review and facilitate the resolution of taxpayer complaints to include complaints regarding the unauthorized release of a taxpayer’s personal and financial information to the general public by employees or officers of the board.  Provides for the suspension of the accrual of interest and penalties during any stay of a pending action that is authorized by the advocate.  Specifies that an officer or employee of the board may not threaten to release a taxpayer’s personal or financial information for purposes of forcing a taxpayer to accept an offer to settle the taxpayer’s civil tax liability dispute.  Provides that the release of, or an express or implied threat to release, that information by an officer or an employee of the board for purposes of forcing a tax settlement would constitute grounds for termination or other disciplinary actions as provided by existing law.  Specifies conditions for the board’s disclosure of a taxpayer’s financial or personal information in any court or administrative proceeding where that information would otherwise be made available to the general public.  Allows a taxpayer, who has sustained damages as the result of any unauthorized release of, or a threat to release, the taxpayer’s personal or financial information, to pursue an action for damages against the board or its officers or employees.
S.B. 550
Passed Senate 5/19/05
Enacts the California Data Broker Access and Accuracy Act of 2005.  Regulates the disclosure of personally identifiable information by data brokers, as defined.  Requires data brokers to disclose to individuals who are the subject of the information all personally identifiable information about the individual and the specific sources of the information.  Requires data brokers to reinvestigate disputed items of information, to post a specified notice on their Web sites, and to maintain specified procedures to control access to the information.  Provides for civil actions, injunction, and the imposition of civil penalties for violations of these provisions.  Authorizes any individual whose personal information is disclosed and who is injured by a violation of these provisions to institute a civil action to recover damages.
S.B. 852
Passed Senate 5/26/05
Requires an agency, or a person or business conducting business in California, that owns, licenses, or collects computerized data that includes the personal information of a California resident, to notify the resident of any breach of the security of the data, as specified, regardless of whether the data was computerized when it was acquired.  Requires that a copy of the notice be sent to the Office of Privacy Protection.  Revises the definition of personal information in this context and prescribes that a request by a law enforcement agency to delay notification be in writing or made electronically, as specified.
S.B. 1015
Passed Senate 8/31/05
Existing law permits a party to request that documents listing or identifying the parties’ assets and liabilities be sealed in specified family law proceedings, including dissolution of marriage.  This bill revises those provisions to include documents listing or identifying the parties’ income or expenses, permits specified portions of those records to be redacted, subject to a finding by the court, and makes related changes.  This bill additionally requires the court, upon request of a party, to redact the Social Security number, residence address, and certain financial information of a party, as specified. This bill requires the Judicial Council to adopt rules governing procedures for redacting and restoring those records.
S.B. 1104
Died pursuant to Art. IV, Sec. 10(c) of the Constitution 2/1/06
Existing law, the California Financial Information Privacy Act, regulates the sale, sharing, transfer, or disclosure by a financial institution of nonpublic personal information, as defined.  This bill excludes specified entities from the act, including a provider of health care, a health care service plan, and a state agency.  Provides that the act supplements and does not limit the application of various other provisions, including the Consumer Credit Reporting Agencies Act.  Establishes a policy in the event that the act conflicts with another statute enacted before the act was enacted.  Existing law, the Song-Beverly Credit Card Act of 1971, requires a credit card issuer to provide specified information to a cardholder if the credit card issuer discloses marketing information to any person.  This bill deletes that requirement.  Existing law provides for issuance of a subpoena duces tecum for the production of various kinds of defined personal records pertaining to a consumer, including records containing “personal information,” as defined.  This bill also makes subject to subpoena records containing nonpublic personal information otherwise protected from disclosure under the California Financial Information Privacy Act.  Existing law requires the Franchise Tax Board to collect child support delinquencies, as defined. Under existing law, the Franchise Tax Board, through an agreement with the Department of Child Support Services and in coordination with financial institutions, operates a Financial Institution Match System utilizing automated data exchanges that is not subject to the limitations in the California Right To Financial Privacy Act.  This bill also exempts the Financial Institution Match System from the limitations in the California Financial Information Privacy Act.  
Requires the California Law Revision Commission to study the law governing sharing and disclosure of a consumer’s nonpublic personal information by a financial institution, and to make recommendations to the Governor and Legislature for specified purposes.
S.B. 1512
Existing law requires any person or business conducting business in California that owns or licenses computerized data that includes personal information, as defined, to disclose in specified ways, any breach of the security of the data, as defined, to any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.  Existing law permits substitute notice of the breach to be provided if the person or business demonstrates that the cost of providing notice would exceed $250,000.  This bill changes the threshold for providing substitute notice from $250,000 to $500,000. The bill also repeals duplicative provisions of law.
S.B. 1666
Includes a telephone calling pattern record or list in the definition of “personal information” for specified purposes. The bill also prohibits any person, as defined, from, among other things, obtaining or attempting to obtain, or causing or attempting to cause the disclosure of, personal information about a customer or employee contained in the records of a business through specified methods, such as by making false, fictitious, or fraudulent statements or representations, with specified exceptions. Provides civil remedies for the violation thereof, and makes related and conforming changes in that regard.
Connecticut H.B. 5596
Prohibits a person, by use of a Web page, electronic mail message or otherwise using the Internet, from soliciting, requesting or taking any action to induce another person to provide identifying information by representing that the person is an on-line business without the authority or approval of the on-line business.
S.B. 419
Requires the Banking Commissioner, by July 1, 2006, to convene a working group to analyze and recommend methods to protect consumer data and prevent identity theft, as defined in section 53a-129a of the general statutes.
Delaware S.B. 325
Stricken 6/28/06
Bans anyone who prepares any tax return (state or federal) from selling or renting any of the information furnished for, or in connection with, preparation of any other person’s tax return. This prohibition encompasses both the sale or rent for identity theft and for telemarketing purposes.
Florida H.B. 54
Laid on table 5/2/06
Requires certain governmental entities to post notice on their Web sites that electronic mail addresses sent to them are subject to release to public; provides that remedies and penalties under Electronic Mail Communications Act are cumulative; creates “Anti-Phishing Act”; prohibits certain acts regarding fraudulent use or possession of identifying information; provides applicability.
H.B. 1043
Died in committee 5/5/06
S.B. 446
Died in committee 5/5/06
Provides that it is third-degree felony to willfully and without authorization disclose, sell, or transfer, or attempt to disclose, sell, or transfer, personal identification information concerning individual, including information sent to foreign country, without first obtaining consent of individual; provides criminal and civil penalties; provides that remedies are cumulative and not exclusive.
H.B. 7157
Died on calendar 5/5/06
Prohibits certain acts regarding fraudulent use or possession of identifying information; authorizes civil actions for violations; provides for injunctive relief and damages; authorizes courts to increase awards of actual damages under certain circumstances; provides for recovery of attorney’s fees and court costs; provides for nonapplication to certain entities’ good faith handling of identifying information.
Georgia S.B. 394
Passed Senate 2/2/06
Prohibits persons from using the Internet or electronic mail to induce another to provide identifying information by falsely representing themselves to be a business without the authority or approval of the business; provides definitions; provides for penalties and sanctions; provides for civil actions.
Hawaii H.B. 3243
Requires persons, businesses, or government agencies who maintain personal information in computerized form to notify persons to whom the information relates of a breach of the security of the information.  Authorizes the attorney general to take legal action to enforce the notice requirement.
S.B. 2220
Requires government agencies and private businesses that maintain personal information to inform the subject of the information if the security of the information is breached.  Permits consumer to place “security alert” and “credit freeze” on credit report to warn of possible identity theft and to prevent release of information without express authorization.  Provides civil remedies.
S.B. 2524
Implements measures to assist in the prevention of identity theft, including a security freeze, data destruction requirements and a notification requirement.
S.B. 2803
Requires that all financial disclosures filed with the Commission on Judicial Conduct be posted on the Internet by the judiciary.  Requires that personal information be redacted prior to posting on the Internet.
Illinois H.B. 4198
Amends the Personal Information Protection Act.  Requires a data collector to disclose to a consumer, at no cost, the personal information obtained resulting in a breach of the security of the system data.
H.B. 4229
Amends the State Records Act.  Requires that each agency’s program for efficient management of records require shredding as the means of destroying or disposing of records containing personal information unless otherwise provided by the Act.  Makes failure to shred a Class B misdemeanor.
H.B. 4253
Tabled by sponsor 1/31/06
Amends the Personal Information Protection Act.  Changes the definition of “breach of security of the system data” to “breach of the security of the system data or written material.”  Provides that the notice requirements of the Act apply to breaches of written material containing personal information.  Provides that any state agency that collects personal data and has had a breach of security of the system data or written material shall submit an annual report to the General Assembly listing the breaches and outlining any corrective measures that have been taken to prevent future breaches of the security of the system data or written material.
H.B. 5293
Tabled by sponsor 2/1/06
Creates the Financial Institution Credit Watch Services Act.  Provides that any financial institution that has suffered a breach of security concerning personal information shall provide the owner or licensee of the personal information with free credit monitoring services for a period of not less than 6 months, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.  Excludes a financial institution that is independently owned and operated, not dominant in its field, and employs fewer than 50 full-time employees from the requirements of the Act.
S.B. 2384
Amends the Personal Information Protection Act.  Provides that, in addition to any remedies provided for under the Consumer Fraud and Deceptive Business Practices Act, any consumer injured by a violation of the Act may institute a civil action to recover actual damages from the data collector.
S.B. 3036
Creates the Consumer Protection Against Computer Spyware Act.  Sets forth provisions for unauthorized collection or culling of personally identifiable information, unauthorized access to or modifications of computer settings and computer damage, unauthorized interference with installation or disabling computer software, and other prohibited conduct.  Provides that certain persons may bring a civil action against a violator of the Act.  Provides a civil penalty for violations of the Act.  Permits the attorney general to obtain a restraining order or injunction for violations of the Act.
S.B. 3040
Amends the Personal Information Protection Act.  Adds written data to the definition of “breach of security of the system”.  Provides that the notification requirements of the Act apply to breaches of security concerning written data. Provides that any financial institution that has suffered a breach of security concerning personal information shall provide the owner or licensee of the personal information with free credit watch services for one year, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
S.B. 3041
Amends the Consumer Fraud and Deceptive Business Practices Act.  Provides that no person may sell consumer identification or purchasing information of Illinois residents to other persons without providing written notice to the Illinois resident before doing so and giving the resident 30 days after the resident receives the notice to refuse permission to sell his or her information.  Provides that a notice must give the resident the option to refuse all sales or transfers of his or her information by that person. Makes it an unlawful practice to violate these provisions.
Iowa H.F. 2107
Requires an information holder that owns or licenses computerized data that includes personal information to disclose any breach of the person’s security of the data to those residents of this state whose personal information was or may have been acquired by an unauthorized person.  An “information holder” is defined as any person that conducts business in this state and includes a state agency or a political subdivision of the state.  The bill requires an information holder that maintains computerized data that includes personal information that the information holder does not own to notify the owner of the data of any breach in the security of the data.  The notification shall be provided immediately unless a law enforcement agency determines that the notification will impede a criminal investigation.  The notice may be made in writing, through electronic means, or by substitute notice as defined by the bill.  The bill provides that a person who is injured by the failure to be notified of a security breach required by the bill may file a civil action for an injunction and actual damages, attorney fees, interest, and court costs.
H.F. 2484
Provides for certain consumer protections against identity theft including notification of a breach in the security of computerized data of personal information, provides for a security alert or block on a consumer report, and for the issuance of an identity theft passport.
Kansas H.B. 2381
Limits the publication of court records that include Social Security numbers and other banking and credit card numbers.
H.B. 3003
Requires a person who conducts business in this state, including state and local governments and agencies that own or license computerized personal information, to inform a consumer of any breach of security immediately following the discovery of the breach.  Notice may be delayed if disclosure would impede a criminal investigation, as determined by law enforcement.  In addition, the bill would prohibit parties filing or submitting documents with the court from filing documents that contain a Social Security number.  The Supreme Court is responsible for implementing this provision.
H.R. 6016
Stricken from calendar 5/10/06
Urges the United States Congress to impose prohibitions or limitations on the sale or other dissemination of personal data.
Kentucky H.B. 4
Passed House 3/14/06
Prohibits a business from making or requiring certain uses of a consumer’s Social Security number; establishes a procedure to allow a consumer to place a security freeze on his or her credit report; requires an agency or business that conducts business in the Commonwealth to take certain measures to protect against unauthorized access or use of personal information during its disposal; requires an agency or business that conducts business in the Commonwealth, and that owns or maintains data that includes personal information, to disclose any security breach to any resident of the Commonwealth whose personal information was acquired or accessed; requires an agency or business that conducts business in the Commonwealth to take certain measures to safeguard against security breaches; establishes a procedure for a victim of certain identity-theft-related crimes to petition the District Court for a determination that he or she is a victim of identity theft; establishes a procedure allowing a person who has been charged with a crime because another person used his or her identifying information, and who has been found not guilty or the charges have been dismissed, to make a motion to the District or Circuit Court to redact his or her identifying information from certain records; prohibits an agency from making or requiring certain uses of a person’s Social Security number or identifying information; prohibits an agency from collecting a Social Security number unless authorized by law or necessary for the agency’s duties; requires an agency to segregate Social Security numbers from the rest of a record and to provide a person with a written statement of the purpose for collecting and using the Social Security number.
H.B. 175
Creates a new section of KRS Chapter 367 to require an agency or person or business that conducts business in the Commonwealth, and that owns or maintains computerized data that includes personal information, to disclose any breach of the security of the data to any resident of the Commonwealth whose personal information was acquired, or to any owner or licensee whose information was acquired, by an unauthorized person; creates a new cause of action exempted from the State Board of Claims’ jurisdiction.
Maryland H.B. 630
S.B. 486
Requires a business to destroy or arrange for the destruction of records that contain specified personal information in a specified manner; requires a business that compiles, maintains, or makes available specified personal information of an individual residing in the state to implement and maintain specified security procedures and practices; requires businesses that compile, maintain, or make available specified records to notify specified individuals of a breach of the security of a system under specified circumstances.
H.B. 873
Withdrawn from further consideration 2/20/06
Requires specified business and state entities that own, license, or maintain specified records that include specified personal information of an individual residing in the state to notify specified persons of a breach of the security of a system under specified circumstances; specifies the time at which notification must be given; authorizes notification to be given in a specified manner.
H.B. 1099
Prohibits a person from initiating, conspiring with another person to initiate, or assisting in the transmission of commercial electronic mail that solicits, requests, or induces the recipient to provide specified personally identifying information by misrepresenting the identity of the person initiating the transmission; and defines a term.
H.B. 1170
Requires a business to destroy or arrange for the destruction of a customer’s records that contain specified personal information of the customer in a specified manner; requires a business that owns or licenses specified personal information of an individual residing in the state to implement and maintain specified security procedures and practices; requires businesses that own, license, or maintain specified records to notify specified persons of a breach of the security of a system.
H.B. 1349
Prohibits specified businesses from disclosing to a third party, for compensation, specified personal information obtained in a specified manner; provides that a violation of specified provisions of the Act is an unfair or deceptive trade practice; provides that a waiver of specified provisions of the Act is contrary to public policy and is void and unenforceable; prohibits units of state government from selling or distributing specified mailing lists under specified circumstances.
H.B. 1453
To conference committee 4/9/06
Prohibits a person, by means of a Web page, electronic mail message, or other use of the Internet, willfully or with actual knowledge or a conscious avoidance of actual knowledge, from soliciting, requesting, or taking action to induce another person to provide specified identifying information by misrepresenting oneself, either directly or by implication, to be a legitimate business, without the authority or approval of the business; establishes penalties.
S.B. 134
Passed House 3/9/06
Requires specified businesses, when destroying a customer’s records that contain personal information of the customer, to take specified steps to protect against unauthorized access to or use of the personal information under specified circumstances; requires specified businesses that own or license personal information of an individual residing in the state to implement and maintain specified security procedures and practices under specified circumstances.
Massachusetts H.B. 2797
Protects consumers following disclosure of personal information, requires notification of security breaches.
H.B. 3064
Regulates the use of personal information by insurance companies.
H.B. 4061
Relates to counterfeit and fraudulent documents; strengthens the current law by specifically targeting offenses associated with identity theft, adds more identity theft crimes, and creates a forfeiture provision to assist law enforcement.  Provides assistance to the victims of identity theft, by requiring rapid notification to consumers when personal identifying information is compromised and facilitating measures to mitigate the impact of such thefts.
H.B. 4775
Relates to the protection of personal information.
S.B. 183
Creates the Personal Information Protection Act.
S.B. 184
Prevents identity theft through security breach notices and establishes a victim’s bill of rights.
S.B. 247
Restores consumer control over the private information collected by retail discount cards.
S.B. 2058
Requires companies that collect personal information to disclose when said data has been compromised.
Michigan H.B. 4658
Prohibits the denial of credit or services because the consumer has been a victim of identity theft; requires an agency of this state that owns or licenses computerized data that include personal identifying information to provide notice of any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of this state whose unencrypted personal identifying information is acquired by an unauthorized person or if the agency reasonably believes that an unauthorized person has acquired that information. The agency shall provide notice within five days after the agency discovers or is notified of the breach, unless otherwise specified.
H.B. 4687
Revises the procedure for the disclosure of nonpublic financial information to unaffiliated third parties by savings and loan associations.
H.B. 4688
Revises the procedure for the disclosure of nonpublic financial information to unaffiliated third parties by banks.
H.B. 4689
Revises the procedure for the disclosure of nonpublic financial information to unaffiliated third parties by credit unions.
H.B. 4690
Revises the procedure for the disclosure of nonpublic financial information to unaffiliated third parties by savings banks.
H.B. 4691
Requires notice to, and consent of, a person before disclosing or sharing of nonpublic personal financial information.
H.B. 6459
Passed House 9/19/06
Amends the Identity Theft Protection Act (MCL 445.71) to prohibit a person, in the conduct of trade or commerce, from retaining all or any part of a consumer’s credit card or account number for more than four years after a credit card purchase transaction was completed or for more than the retention period established in any agreement between the person and the credit card issuer, whichever is longer.  Information could be retained for a longer period with the consumer’s consent.
H.B. 6522
Creates the Information Privacy and Protection Act, creates notification requirements.
S.B. 309
Requires notification of a security breach of a database containing personal identifying information.
S.B. 426
Requires notice to, and consent of, a person before disclosing or sharing of nonpublic personal financial information.
S.B. 427
Revises the procedure for the disclosure of nonpublic financial information to unaffiliated third parties by savings banks.
S.B. 428
Revises the procedure for the disclosure of nonpublic financial information to unaffiliated third parties by banks.
S.B. 429
Revises the procedure for the disclosure of nonpublic financial information to unaffiliated third parties by savings and loan associations.
S.B. 430
Revises the procedure for the disclosure of nonpublic financial information to unaffiliated third parties by credit unions.
S.B. 1458
Creates the Information Privacy and Protection Act, creates notification requirements.
Minnesota H.F. 2843
Indefinitely postponed 4/24/06
S.F. 3200
Relates to consumer protections; reduces identity theft and assists its victims with security freezes; provides for data destruction; creates identity theft passport; provides penalties.
H.F. 3686
S.F. 2964
Relates to consumer protection; creates standards for disposal of personal information to limit the potential for identity theft.
H.F. 3963
S.F. 2965
Relates to consumer protection; regulates the disclosure of personal information by data warehouses; provides notice content requirements; removes an exemption for financial institutions and health care entities.
Missouri H.B. 1127
Changes the laws regarding the release of personal information to unauthorized persons.  In its main provisions, the bill:  (1)  Prohibits financial institutions from disclosing their customers’ personal financial information to unauthorized persons unless the customer’s consent has been given; (2)  Requires a person or company conducting business in this state that owns or licenses computerized data containing personal information to disclose any breach of security of that data to any resident whose information was or may have been acquired by an unauthorized person.  Any person or company who violates this provision will be guilty of a class A misdemeanor and subject to a fine of up to $1,000 and/or imprisonment for up to one year; (3)  Allows persons to place on their credit report a “security alert” notifying recipients of the report that the person may have been a victim of identity theft or a “security freeze” prohibiting the release of the person’s information without authorization; and (4)  Requires consumer reporting agencies to supply the consumer with a copy of his or her credit file.
H.B. 1210
Excludes any information relating to a private individual that is collected or maintained by a municipality including, but not limited to, the individual’s financial information or transactions, medical history, or criminal or employment history from the definition of “public record” in Chapter 610, RSMo.  The new definition also excludes any information that contains the individual’s name, identifying number, symbol, fingerprint, voice print, or photograph from being a public record.
H.B. 1397
Establishes the Consumer Protection Against Computer Spyware Act making it illegal for an unauthorized user to intentionally modify the settings of a computer belonging to a consumer, collect personally identifiable information from the computer, prevent an authorized user’s reasonable efforts to block the installation of or disable installed software, remove or disable security software installed on the computer, or take control of the consumer’s computer by transmitted commercial electronic mail or a computer virus from the consumer’s computer.  A manufacturer or retailer of computer equipment will not be liable to the extent that the manufacturer or retailer is providing third-party branded software loaded on the equipment they are manufacturing or selling.  Makes it a crime for anyone to assist or conspire with another to violate the provisions of the substitute.  Any violation will be a class B misdemeanor.
S.B. 680
Prohibits the sharing of personal financial information with any unauthorized person unless the individual consents to such.  The act requires a business or person that conducts business in this state and owns or licenses computerized data to disclose any breach of security of that data to any Missouri resident whose information may, or potentially may have been, acquired by an unauthorized person. Notification requirements are laid out in the act.  The act contains a penalty provision for violations.  The act allows for an individual to place security alerts and security freezes on their credit report, notifying any recipients of the report that the individual may have been a victim of identity theft, and prohibiting the release of the individual’s information without the express consent of the consumer.  The act details the obligations of consumer reporting agencies in response to this option.
Nebraska L.B. 917
Indefinitely postponed 4/13/06
Adopts the Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006.
L.B. 918
Indefinitely postponed 2/2/06
Adopts the Personal Information Privacy Act.
New Hampshire H.B. 1374
Establishes a committee to study requiring personal information holders to disclose a security breach.
H.B. 1382
Failed to pass House 2/22/06
Prohibits a public or private entity from using personal information without the individual’s consent.  Prohibits the public or private entity from requiring a release of personal information as a condition of providing goods or services.
H.B. 1404
Inexpedient to legislate 2/22/06
Requires an individual, agency, or commercial entity to notify a resident when there is a breach of computer security regarding the resident’s personal information.
H.B. 1414
Inexpedient to legislate 2/15/06
Requires a person engaged in business in this state to notify consumers of any security breach that compromises the confidentiality of their personal information.
New Jersey A.B. 259
Requires a business to take all reasonable steps to destroy customer records within its control containing personal information which is no longer to be retained by the business.  The customer records shall be destroyed by shredding, erasing, or otherwise modifying the personal information to make them unreadable or undecipherable through any means.  In addition, any business that conducts business in New Jersey and owns or licenses computerized data that includes personal information must disclose any breach of the security of the computer system within 15 days to any customer who is a resident of New Jersey whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.  However, the disclosure may be delayed if a law enforcement agency determines that notification will impede a criminal investigation.  Any business that maintains computerized data that includes personal information that the business does not own shall notify the owner or licensee of the information of any breach of the security of the system immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.  For purposes of this bill, notice may be written or electronic.  If the business demonstrates that the cost of providing notice would exceed $250,000, or that the affected class of subject persons to be notified exceeds 500,000, or the business does not have sufficient contact information, it may provide substitute notice, which must consist of all of the following: (1) e-mail notice when the business has an e-mail address; (2) conspicuous posting of the notice on the Web site page of the business, if the business maintains one; and (3) notification to major statewide media.  
However, a business that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of the bill, shall be deemed to be in compliance with the notification requirements of this bill if the business notifies subject persons in accordance with its policies in the event of a breach of security of the system.  Finally, a violation of any provisions of this bill shall be an unlawful practice subject to the penalties applicable to a violation of the consumer fraud law pursuant to N.J.S.A. 56:8-13.  Under N.J.S.A. 56:8-13, any business that violates any of the provisions of this bill, in addition to any other penalty provided by law, shall be liable to a penalty of not more than $10,000 for the first offense and not more than $20,000 for the second and each subsequent offense.
A.B. 1810
Protects the privacy of an individual’s financial information by prohibiting disclosure without the prior informed, affirmative consent of the consumer.  Requires such consent before a financial institution may disclose information to affiliated or unaffiliated third parties.  Requires financial institutions to adopt fair information practices when selling or disclosing confidential consumer information and provides that a violation of the bill, or of a company’s privacy policy, constitutes consumer fraud.  The bill takes current requirements, provided under federal law, a step further, and requires that a financial institution that seeks to disclose confidential consumer information must first provide to the consumer a written “financial privacy notice,” at the time a financial relationship is initiated and at least annually thereafter.  The notice shall clearly and conspicuously describe:  the specific types of confidential consumer information that the financial institution seeks to disclose; the circumstances under which disclosure will be made; the specific types of affiliated or unaffiliated third parties to which disclosure will be made; the specific uses that will be made of the information after it is disclosed; how the institution will protect the security of the information; that the consumer has the right to revoke the consent at any time; that a new authorization will be sought from the consumer prior to the disclosure of any confidential consumer information other than under the conditions set forth in the notice or following revocation of the consent; and whether the financial institution will receive compensation for the disclosure, as well as other information.  “Confidential consumer information” is defined by the bill as personally identifiable information which is provided by a consumer to a financial institution or obtained about the consumer from third parties.  
The information may be about spending habits or result from transactions with the consumer or services performed for the consumer; generated by the consumer’s online movements; about the consumer’s health; or information otherwise obtained by the financial institution.  Provides that a financial institution may disclose confidential consumer information without the required notice when specifically authorized by the consumer; when necessary to maintain or service the consumer’s account with the financial institution; when disclosure is required by federal or state law or regulation; or under other specified circumstances.  Requires that financial institutions establish reasonable means for consumers to access their confidential information maintained, shared, sold or transferred by the institution.  Any violation of the bill’s provisions, or of the financial institution’s privacy policy, shall be a violation of the consumer fraud law, P.L.1960, c.39 (C.56:8-1 et seq.), which carries maximum penalties of $10,000 for the first offense and $20,000 for the second and subsequent offenses.  In addition, all the rights, remedies and penalties available under or applicable to violations of the consumer fraud law will apply to violations of the bill.  Primary among those remedies, a consumer may bring an individual cause of action and seek treble damages.
A.B. 1869
Under current law, a financial institution may disclose information relative to an electronic fund transfer or account to a third party in certain limited circumstances.  This bill requires a financial institution to notify the account holder in writing anytime a financial institution discloses that information to a third party under these circumstances.
A.B. 2173
Prohibits financial institutions from disclosing a customer’s personal information without that customer’s consent to nonaffiliated third parties, and, even with the customer’s consent, limits disclosure to the customer’s current name, address and phone number.  Makes exceptions for certain circumstances, however, such as where disclosure is required by state or federal law, or is necessary to assist the customer or protect the institution’s legal interests.  Provides for a penalty of up to $500 for each violation of the disclosure prohibitions.
A.B. 2518
S.B. 547
Enacts the “New Jersey Financial Information Privacy Act,” which requires a financial institution to provide a specified written form to a consumer relative to the sharing of the consumer’s nonpublic personal information and, instead to permit consumers to “opt in” to allow the sharing of such information.  Under this bill, a consumer could direct the financial institution to share the nonpublic personal information with nonaffiliated financial companies with which the financial institution has contracted to provide financial products and services.  However, the bill does not restrict or prohibit the sharing of nonpublic personal information between a financial institution and its wholly owned financial institution subsidiaries or entities that are regulated by the same functional regulator and are engaged in the same line of business.  A financial institution is not required to provide the written form to its consumers if the financial institution does not disclose any nonpublic personal information to any nonaffiliated third party or to any affiliate.  Provides that a financial institution shall not discriminate in offering or denying an otherwise qualified consumer a financial product or service because the consumer has not provided the necessary consent that would authorize the financial institution to disclose or share nonpublic personal information and requires a financial institution to comply with the consumer’s request regarding nonpublic personal information within 45 days of receipt of the request.  There are certain situations in which a financial institution may disclose nonpublic personal information to a nonaffiliated third party in order to perform certain services on behalf of the financial institution.  However, the bill specifies the requirements that must be met for the financial institution to disclose a consumer’s nonpublic personal information.  
The bill also provides that nonpublic personal information may be released in order to identify or locate missing children, witnesses, criminals and fugitives, parties to lawsuits, and missing heirs and that it would not change existing law regarding access by law enforcement agencies to information held by financial institutions.  Provides various civil penalties for negligent, or knowing and willful violations of its provisions.
A.B. 2989
Passed Assembly 5/22/06
S.B. 2017
This act bars the disclosure of personal identifying information of any witness except for the name of the witness, whose testimony is transcribed in a grand jury transcript, or who submitted evidence to the grand jury. The bar does not apply to an attorney for a party in a civil action or for a defendant in a criminal matter arising out of a grand jury seeking discovery of grand jury testimony contained in a grand jury transcript or grand jury records. However, under the bill, an attorney who shall purposely, knowingly or recklessly disclose the personal identifying information of any witness whose testimony is transcribed in the grand jury transcript or who submitted evidence to the grand jury, except for the name of the witness, commits a crime of the fourth degree. A crime of the fourth degree is punishable by up to 18 months imprisonment, a fine of up to $10,000 or both.
S.B. 316
Corrects an inconsistency resulting from the recent enactment of two laws, both of which provided definitions of “personal identifying information.”  P.L.2002, c.85 deleted the definition of “personal identifying information” found in the state’s impersonation and theft of identity statute, N.J.S.2C:21-17, and replaced it with a comprehensive definition of the term in N.J.S.2C:20-1 that would apply to all crimes in chapters 20 and 21 of Title 2C of the New Jersey Statutes.  But P.L.2003, c.39 cross-referenced the definition of “personal identifying information” that had been deleted in N.J.S.2C:21-17, while also adding certain computer specific language to the definition.  Resolves the inconsistency created by the passage of these two laws by placing the additional computer specific language within the definition of “personal identifying information” in the comprehensive definition section of N.J.S.2C:20-1.
S.B. 438
Protects the privacy of customers of financial institutions in the state.  Mandates that financial institutions send each customer an annual notice that clearly and conveniently offers the customer the opportunity to prohibit disclosure of nonpublic personal information to nonaffiliated third parties, except in certain circumstances, such as where disclosure is required by state or federal law, or is necessary to assist the customer or protect the institution’s legal interests.
New Mexico H.B. 387
Relates to the taxation and revenue department; permits the department to disclose taxpayer information to law enforcement agencies of the state for joint investigation purposes; permits the department to disclose certain records or credits that the department is required to make available for public inspection.
S.B. 537
Relates to the taxation and revenue department; permits the department to disclose personal income tax information to the bureau of business and economic research and to the earth data analysis center of the University of New Mexico for population and demographic research purposes and taxpayer information to law enforcement agencies of the state for joint investigation purposes.
New York A.B. 223
Passed Assembly 2/7/06
S.B. 1550
Grants consumers the option to prohibit the rental, sale, exchange or other availability of personal information possessed by an issuer of a credit card, charge card or debit card; requires notice of such option be given to cardholders by credit card, charge card and debit card issuers in existing bill mailings and in credit card and debit card agreements and renewals thereof; limits any effect on credit card registration services.
A.B. 227
Passed Assembly 6/23/05
S.B. 2901
Makes unsolicited electronic mail advertising unlawful unless certain information is provided by the sender, including the sender’s name and street and e-mail address; prohibits sale, lease or exchange of certain personal identifying information obtained online without the knowledge and affirmative consent of the consumer; makes provisions for penalties for violations.
A.B. 660
Prohibits the use of inmate labor to access, collect or process personal information relating to a natural person residing in this state; provides for a civil penalty of not more than $1500 for a first violation and not more than $2500 for a second or subsequent violation.
A.B. 1052
Enacts the “Electronic Fund Transfer Privacy Act”; provides privacy protection for consumers engaging in electronic fund transfer transactions by limiting disclosure of personal information about any consumer involved in such and limiting the circumstances in which government authority may get such information; outlines procedures and limitations for obtaining such information and civil and criminal penalties for violations.
A.B. 1226
Passed Assembly 3/20/06
S.B. 7060
Restricts insurers from demanding intrusive personal, financial and tax information from insureds as a standard practice in processing ordinary theft claims where no special circumstances warranting a demand for such information exist.
A.B. 1365
Authorizes the superintendent of Banks to audit the international administrative offices of banking organizations doing business in this state which process personal information from customers for the purposes of enforcing privacy protection.
A.B. 1525
Requires any banking institution that owns or licenses data that includes personal identifying information to disclose any breach of security following discovery or notification of such breach to any person whose personal identification was, or is reasonably believed to have been, acquired by an unauthorized person; defines personal identifying information and breach of security; further allows for a consumer to elect for a security freeze on his or her consumer report to prevent identity theft; establishes procedures to allow consumers to put a “security freeze” on their consumer information; provides for enforcement by the attorney general.
A.B. 1747
Relates to regulating the use and dissemination of confidential customer information by financial institutions; prohibits the disclosure of financial information without the informed consent of the customer to whom the information relates; establishes the basic privacy rights for financial information; authorizes attorney general enforcement; imposes civil penalties; allows a private cause of action.
A.B. 4033
S.B. 159
Enacts the Financial Information New York Privacy Act to require that financial institutions obtain consent from consumers prior to disclosing nonpublic personal information; defines terms and sets penalties.
A.B. 4038
Makes provisions for privacy in banking, insurance, and other financial transactions, forbidding disclosure of personal information without prior consent granted by the customer to the financial institution; requires written notice of privacy policies and practices be given to customers; requires security and confidentiality safeguards; prohibits disclosure of account number or access code information; provides for enforcement by the attorney general and authorizes private actions.
A.B. 5487
Enacting clause stricken 2/6/06
S.B. 3000
Enacts the “Personal Information Protection Act”, requires disclosure of breaches of security of data systems of business entities to affected persons; provides for administration by the department of state; requires use of best available technology to detect breaches of security; provides for a private right of action.
A.B. 6688
Requires notification of breach of security of personal information kept by state agencies; defines breach of security and personal information.
A.B. 6903
Requires any state agency or business which owns or licenses a computerized database which includes vulnerable personal information to disclose any breach of security of such system to any resident of New York state whose unencrypted personal information may have been acquired by an unauthorized person; provides enforcement provisions.
A.B. 7013
S.B. 4106
Provides for the protection of confidential personal information collected and distributed by individual reference services providers or marketing list brokers; establishes exclusion lists, penalties and grounds for civil liability.
A.B. 7670
Passed Assembly 5/16/06
Prohibits persons or business entities from filing unnecessary personal identifying information as defined with the state or any political subdivision thereof; provides for enforcement by the attorney general.
A.B. 9037
Requires notice to consumers by credit agencies of a breach of security involving personal information.
A.B. 9321
S.B. 4687
Establishes that issuers of credit cards and debit cards are prohibited from knowingly accepting or soliciting personal information of a cardholder from a third party; establishes a civil penalty not to exceed $2,000 for each violation of this section.
A.B. 9950
Establishes that a consumer has to “opt in” in order for a commercial entity to sell or disclose the personal information of such consumer; defines terms; prohibits wrongful disclosure of protected personal information with certain exceptions; provides for civil liability for wrongful disclosure; authorizes the attorney general to bring enforcement action for injunction and penalties; limits time period in which such an action may be brought.
A.B. 10515
S.B. 1597
Enacts the New York consumer and worker protection act; requires employers to provide notice of the outsourcing of jobs prior to such outsourcing; prohibits any governmental agency from engaging in the practice of outsourcing jobs; requires consumers be made aware and provide consent if such consumers’ nonpublic personal information is disclosed to nonaffiliated third parties by any corporation or other business entity; requires ratification by the legislature of procurement contracts between the state, through the governor, and any multinational trade organization or corporation; and defines applicable terms.
A.B. 10973
S.B. 7151
Relates to the fees that may be charged by a county clerk’s office; requires that a county clerk not accept any document for recording if unnecessary personal identifying information is written on such document.
S.B. 620
Provides that banking institutions in New York State may release customer information in the following manner: (a) to the actual customer or authorized agent, or (b) unless a customer affirmatively and in writing prohibits the release, to a subsidiary or affiliate of the banking institution, or (c) to any other persons or entities if the customer information intended to be released consists only of customer identification (e.g. name or address of customer) and/or is recorded in public records; defines the term “customer information” to mean account records and any other information constructed from those records relating to the customer’s relationship with the institution.
S.B. 1847
Provides privacy protection for voter registration records; prohibits sale or other dissemination of records or information contained in such records if use of such information would promote identity theft, fraud or otherwise invade privacy.
S.B. 2161
Enacting clause stricken 1/9/06
Requires any state agency or business which owns or licenses a computerized database which includes vulnerable personal information to disclose any breach of security of such system to any resident of New York state whose unencrypted personal information may have been acquired by an unauthorized person; provides enforcement provisions.
S.B. 2673
Creates a nine member privacy task force within the State Office for Technology to conduct ongoing review of state and local laws, regulations and practices with respect to the compilation, protection and dissemination of “personal information”; provides for composition of the task force and for annual reports to the governor and the Legislature.
S.B. 2906
Requires notice to residents when a computerized database security breach releases personal information.
S.B. 3141
Requires any banking institution that owns or licenses data that includes personal identifying information to disclose any breach of security following discovery or notification of such breach to any person whose personal identification was, or is reasonably believed to have been, acquired by an unauthorized person; defines personal identifying information and breach of security.
S.B. 3494
Enacts the Identity Theft Prevention and Mitigation Act; establishes procedures to allow consumers to put a “security freeze” on their consumer information; provides for enforcement by the attorney general and security of Social Security account numbers; and provides for notice of information of breach of security.
S.B. 3721
Enacts the Consumer Privacy Act to protect the personal privacy of individuals and families who choose to retain such privacy without unreasonably restricting the ability of commercial entities to collect and use information necessary to conduct business or as is permitted by the subject of such information; defines terms; prohibits wrongful disclosure of protected personal information with certain exceptions; provides for civil liability for wrongful disclosure; authorizes the attorney general to bring enforcement action for injunction and penalties; limits time period in which such an action may be brought.
S.B. 4623
Prohibits the disclosure of personal information on consumers by banking organizations to third parties without providing notice in plain language to the consumer in writing or electronic form.
S.B. 4687
Establishes that issuers of credit cards and debit cards are prohibited from knowingly accepting or soliciting personal information of a cardholder from a third party; establishes a civil penalty not to exceed $2,000 for each violation of this section.
S.B. 4813
Prohibits persons or business entities from filing unnecessary personal identifying information with the state or any political subdivision thereof; provides for enforcement by the attorney general.
S.B. 4978
Requires state agencies and business entities to disclose the breach of the security of any personal information of any resident of the state maintained on a computerized database; establishes notice requirements; directs the state Consumer Protection Board to enforce such provisions.
S.B. 5178
Relates to disposal of records containing personal information.
S.B. 5472
Requires notice to consumers by credit agencies of a breach of security involving personal information.
S.B. 6364
Makes provisions for privacy in banking, insurance, and other financial transactions, forbidding disclosure of personal information without prior consent granted by the customer to the financial institution; requires written notice of privacy policies and practices be given to customers; requires security and confidentiality safeguards; prohibits disclosure of account number or access code information; provides for enforcement by the attorney general and authorizes private actions.
Ohio S.B. 89
Requires a state agency, person, or business to contact individuals if unencrypted personal information about those individuals that is maintained on the computers of the agency, person, or business is obtained by unauthorized persons.
S.B. 358
Allows a consumer to place a security freeze on the consumer’s credit report, to specify that Social Security numbers are confidential, to specify that certain personal information is not a public record, to require a public office to redact from a document that is otherwise a public record certain personal information, to require a public office to redact Social Security numbers and other confidential information from any document that is made available online to the public through the internet, to require the Office of Criminal Justice Services to make state funding grants available to local law enforcement agencies for enforcement of identity fraud laws, to require the attorney general to support local law enforcement agencies with the enforcement of identity fraud laws, and to enact a special statute of limitations for criminal prosecutions and civil actions against identity fraud.
Oklahoma S.B. 425
Passed Senate
Prohibits the printing of Social Security numbers and credit card numbers on checks in a consumer transaction.
Pennsylvania H.B. 896
Adds provisions relating to privacy protection for customer information of financial transactions; and imposes penalties.
H.B. 1023
Provides for the notification of residents whose personal information data was or may have been disclosed due to a security system breach; and provides for penalties.
H.B. 1795
Provides for the notification of residents whose personal information data was or may have been disclosed due to a security system breach; and imposes penalties.
H.B. 1921
Creates the Consumer Credit Rights Act; provides for consumer credit protections and restricts the use of Social Security numbers.
H.B. 2005
Prohibits the installation, transmission and use of computer software that collects personally identifiable information; authorizes the attorney general and district attorneys to bring civil actions against persons who violate this act; and provides for damages.
H.B. 2006
Creates the Breach of Personal Information Data Notification Act; provides for breach of security of identifying information and for penalties.
H.R. 215
Memorializes the Congress of the United States and the federal government to take steps to discontinue outsourcing and to prevent the Internal Revenue Service from hiring foreign contractors to prepare, process or collect any personal financial information of United States taxpayers.
H.R. 791
Memorializes the Congress of the United States to review and strengthen the Fair Credit Reporting Act and associated statutes to further protect the privacy of consumer financial information.
Rhode Island H.B. 6835
Vetoed by governor 7/10/06
Establishes rules of disclosure of personal information about insurers, by businesses to third-parties, rules of notification to consumers of breaches in the security protecting consumer identification information as well as civil penalties and damages for violation of the disclosure and notification rules.
S.B. 2225
Establishes rules of disclosure of personal information about insurers, by businesses to third-parties, rules of notification to consumers of breaches in the security protecting consumer identification information as well as civil penalties and damages for violation of the disclosure and notification rules.
South Carolina H.B. 4358
Provides that a utility may not disclose customer information without the consent of the customer.
S.B. 150
Passed Senate 2/14/06
Enacts the “Family Court Financial Privacy Act” so as to provide that a financial declaration made a part of the record in a matter before the family court is confidential and not subject to disclosure to the public; and relates to exemptions from the Freedom of Information Act, so as to exempt financial declarations in matters before the family court.
S.B. 1013
Requires a public body under the Freedom of Information Act to provide a procedure for the deletion of electronically retrievable on-line personal financial information including, but not limited to, personal and real property taxes and amounts of mortgages relating to the property listed.
Tennessee H.B. 3474
S.B. 3110
Enacts the “Tennessee Financial Information Privacy Act.”
H.B. 3619
S.B. 3425
Requires public and private entities to disclose any breach of the security of personal consumer information.
Vermont H.B. 792
Requires any data collector of personal information of a Vermont resident to disclose to an individual if there was an unauthorized acquisition or access to the individual’s personal information that the collector owns or is using.  Notice would not be required if the data collector establishes that the misuse of the personal information is not reasonably possible and the data collector so notifies the attorney general or the Department of Banking, Insurance, Securities, and Health Care Administration.  Exempts certain financial institutions subject to existing guidance from the notice requirements.  The attorney general has authority to investigate and prosecute violations.  Prohibits business or state agency use of an individual’s Social Security number, but allows several exemptions for specific uses.  In addition, the bill requires any business in the state that maintains or otherwise possesses personal information of Vermont residents to take all reasonable measures to destroy or arrange for the destruction of a customer’s records containing personal information.
Virginia H.B. 995
Continued to 2007 1/23/06
Requires an individual or a commercial entity that conducts business in Virginia and that owns or licenses computerized data that includes personal information to conduct in good faith a reasonable and prompt investigation when it becomes aware of a breach of the security of the system.  If the investigation determines that misuse of information has occurred or is reasonably likely to occur, the individual or commercial entity shall give notice to the Virginia resident as soon as possible.  Notification must be made in good faith, in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system.  The bill also contains alternative notification provisions.  The office of the attorney general may bring an action in law or equity to address violations of this section and other appropriate relief.
H.B. 1154
Continued to 2007 session 1/23/06
Requires an individual or a commercial entity that conducts business in Virginia and that owns or licenses computerized data that includes personal information to notify a resident of Virginia of any breach of the security of the system immediately following the discovery of a breach in which unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.  Notification must be made in good faith, in the most expedient time possible, and without unreasonable delay, consistent with the legitimate needs of law enforcement and with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system.  The bill also contains alternative notification provisions.  For a private civil action to recover damages, the award is triple the amount of actual damages plus reasonable attorney fees.  The office of the attorney general may also bring an action in law or equity to address violations of this section and other appropriate relief.
H.B. 1508
Continued to 2007 session 2/7/06
Requires consumer reporting agencies to provide individuals with monthly access to their credit reports for a fee of up to $2 per report, for up to 12 reports per year.  Additional reports would be available for a fee of $8.  The measure also requires data collectors that keep personal information on individuals to notify a Virginia resident when there has been a breach of the security of the data.  The notice shall include a description of the categories of information that were acquired by an unauthorized person and a toll-free number that the individual may use to learn what types of information were maintained about the individual.  An individual receiving such a notice may obtain, at no cost, consumer credit reports beginning two months following the breach of security and continuing on a quarterly basis for two years thereafter.
S.B. 383
Continued to 2007 session 2/13/06
Repeals the sunset on the restrictions set out for personal information posted on a court Web site and broadens the restrictions to apply to records within a secure remote access system established for land records.  Such restrictions include prohibiting the posting of any document that contains (i) an actual signature, (ii) a Social Security number, (iii) a date of birth identified with a particular person, (iv) the maiden name of a person’s parent so as to be identified with a particular person, (v) any financial account number or numbers, or (vi) the name and age of any minor child.  The bill also repeals the stated intent of the General Assembly that all clerks provide secure remote access to land records on or before July 1, 2006.
Washington S.B. 6344
Passed Senate 2/8/06
Authorizes the department to create and maintain a registry describing the information systems or data bases maintained by state agencies that contain personally identifiable information.  The registry need not include systems or data bases that contain personally identifiable information pertaining solely to public officials acting in their official capacity.  The department may require state agencies to provide information necessary to create and maintain the registry.
West Virginia H.B. 4420
Requires commercial entities that maintain databases containing resident individuals’ personal information to notify a resident individual, in writing, whenever the individual’s personal information has been compromised by unauthorized disclosure; and defines personal information.
H.B. 4551
S.B. 601
Relates to the unauthorized acquisition of data that compromises the security, confidentiality, or integrity of personal information maintained by the data collector; requires notification to the consumer that there has been a breach of the security of information maintained on a consumer following discovery or notification of the breach; requires certain actions by data collectors with respect to breach of security; prohibits waiver of provisions; makes violations an unconscionable act; provides civil penalties for violations; provides other remedies; and provides that the provisions of the article are severable under certain circumstances.
Wisconsin A.B. 320
Failed to pass pursuant to Senate Joint Resolution 1 5/11/06
Requires a business (or other corporate entity) that knows of the unauthorized use of unencrypted personal identifying information that was obtained from the business to make reasonable efforts to notify the individual whose personal identifying information was used. Generally, a business must notify the individual within 30 days after the business learns of the unauthorized use.
A.B. 621
Failed to pass pursuant to Senate Joint Resolution 1 5/11/06
Requires notification of the unauthorized acquisition of personal information that is stored on a computer or other electronic medium (unauthorized acquisition).  The bill’s notice requirements apply to entities, including the state, that do any of the following: 1) conduct business in Wisconsin and maintain personal information in the ordinary course of business; 2) store personal information in this state; 3) maintain a depository account for a Wisconsin resident; or 4) lend money to a Wisconsin resident.
A.B. 836
Failed to pass pursuant to Senate Joint Resolution 1 5/11/06
Requires an entity that possesses certain personal information about an individual to notify the individual when the information is accessed by a person who the entity has not authorized to do so (unauthorized access).  The bill’s notice requirements apply to entities, including the state and local governments, that do any of the following: conduct business in Wisconsin and maintain personal information in the ordinary course of business; store personal information in this state; maintain a depository account for a Wisconsin resident; or lend money to a Wisconsin resident.
Wyoming H.B. 44
Designated inactive 3/8/06
Relates to consumer protection; provides for notice to consumers affected by breaches of consumer information databases, as specified; authorizes consumers to prohibit release of information maintained by credit rating agencies, as specified; provides definitions; and provides exceptions.
