
STATE DATA SECURITY BREACH LEGISLATION SURVEY

NOTE: This is a survey of the major provisions of each state law. In the event of a security breach, you should consult legal
counsel to ascertain the appropriate method of notification and other requirements.

Each state entry below lists, in order: State and Bill Number; Data and consumers protected; Covered entities; Notice Procedures/Timing/Exemptions; Encryption Safe Harbor; General Exemptions; Other provisions; Penalties; Private Cause of Action.

Alaska
Bill Number: H.B. 65. Signed into law June 13, 2008. Alaska Stat. Tit. 45, Ch. 48, §§ 10 to 90.
Data and consumers protected: Personal information of Alaska residents, defined as first name or first initial and last name plus one or more of the following data elements: (i) Social Security number, (ii) driver’s license number or state ID card number, (iii) account number, credit card number or debit card number combined with any security code, access code, PIN or password needed to access an account, and (iv) passwords, PINs or other access codes for financial accounts. Applies to data in both electronic and paper formats.
Covered entities: Any person doing business, any person with more than 10 employees, and any state or local governmental agency. Judicial branch agencies are not covered.
Notice Procedures/Timing/Exemptions: Written or electronic notice must be provided to victims of a security breach in the most expeditious time possible and without unreasonable delay, unless disclosure impedes a criminal investigation. Substitute notice by means prescribed in the statute is allowed in the case of very large breaches. If an entity is required to notify more than 1,000 state residents of a breach, it must also notify without unreasonable delay all consumer credit reporting agencies that compile and maintain files on consumers on a nationwide basis. Notice is not required if, after an investigation and written notice to the attorney general, the entity determines that there is not a reasonable likelihood that harm to the consumers will result. The determination must be documented in writing and maintained for five years.
Encryption Safe Harbor: Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted or redacted. Exemption for good-faith acquisition by an employee, so long as the PI is not used for an illegitimate purpose or further disclosed without authorization.
General Exemptions: Entities subject to Title V of the Gramm Leach Bliley Act of 1999, 15 U.S.C. § 6801, et seq. (“GLBA”) are exempt.
Other provisions: A waiver of the statute is void and unenforceable. Authorizes a state agency to promulgate implementing regulations at any point after July 1, 2009.
Penalties: Governmental agencies are liable to the state for a civil penalty of up to $500 for each state resident who was not notified, but the total civil penalty may not exceed $50,000. The Department of Administration may enforce violations by governmental entities. Entities that are not governmental agencies are subject to state fair trade laws under AS 45.50.471 - 45.50.561. Entities are liable for civil penalties up to $500 per resident, with the total civil penalty not exceeding $50,000. Damages awarded under AS 45.50.531 are limited to actual economic damages that do not exceed $500, and damages awarded under AS 45.50.537 are limited to actual economic damages.
Private Cause of Action: Yes. A person injured by a breach may bring an action against a non-governmental entity. Private actions may not be brought against governmental agencies.

Copyright © 2009 Mintz, Levin, Cohn, Ferris, Glovsky & Popeo, P.C. BOSTON | WASHINGTON | NEW YORK | STAMFORD | LOS ANGELES | PALO ALTO | SAN DIEGO | LONDON WWW.MINTZ.COM

August 2009

Arizona
Bill Number: S.B. 1338. Ariz. Rev. Stat. Tit. 44, Ch. 32, 44-7501.
Data and consumers protected: Personal information of Arizona residents.
Covered entities: Any person that conducts business in Arizona and owns or licenses computerized data that includes personal information.
Notice Procedures/Timing/Exemptions: Written, electronic or telephonic notice must be provided to victims of a security breach within the most expedient time possible and without unreasonable delay, unless disclosure impedes a law enforcement investigation. Substitute notice by means prescribed in the statute is allowed in the case of larger breaches. Notice is not required if the breached entity or a law enforcement agency determines after a reasonable investigation that the breach does not materially compromise the security or confidentiality of personal information.
Encryption Safe Harbor: Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted or redacted. “Encrypted” is defined as “an algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without use of a confidential process or key.” “Redact” is defined as altering or truncating data “such that no more than the last four digits of a social security number, driver license number, nonoperating identification license number, financial account number or credit or debit card number is accessible as part of the personal information.”
General Exemptions: Entities that comply with the notification requirements or security breach procedures pursuant to the rules, regulations, procedures, guidance or guidelines established by the entities’ primary or functional federal regulator are exempt. Entities subject to Title V of the GLBA as well as entities covered by the Health Insurance Portability and Accountability Act (“HIPAA”) are exempt.
Other provisions: None listed.
Penalties: Actual damages for a willful and knowing violation of the statute. Civil penalty not to exceed $10,000 per breach of the security of the system or series of breaches of a similar nature that are discovered in a single investigation.
Private Cause of Action: No. Enforcement by Attorney General only.


Arkansas
Bill Number: S.B. 1167. Ark. Code tit. 4, ch. 110, §§ 101 to 108.
Data and consumers protected: Personal information of Arkansas residents. Personal information is defined as the first name or initial and last name of an individual, with one or more of the following data elements: social security number, driver’s license or state identification card number, credit card or debit card number, or a financial account number with any code that would provide access to the account (“personal information”). The definition of “personal information” includes medical data.
Covered entities: Individuals, businesses, and state agencies that acquire, own, or license personal information about Arkansas residents.
Notice Procedures/Timing/Exemptions: Written or electronic notice must be provided to victims of a security breach within the most expedient time possible and without unreasonable delay, unless disclosure impedes a law enforcement investigation. Substitute notice by means prescribed in the statute is allowed in the case of very large breaches. Notice is not required if the entity responsible for the data concludes that there is no reasonable likelihood of harm to consumers.
Encryption Safe Harbor: Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted.
General Exemptions: Entities regulated by any state or federal law that provides greater protection to personal information and similar disclosure requirements are exempt.
Other provisions: Covered entities must implement and maintain reasonable security procedures and practices to protect the personal information. Data destruction or encryption is mandatory when personal information records are discarded.
Penalties: Fines consistent with state fair trade laws.
Private Cause of Action: No.

California
Bill Number: S.B. 1386. Cal. Civ. Code §§ 56.06, 1785.11.2, 1798.29, 1798.82. Amended by A.B. 1298.
Data and consumers protected: Personal information of California residents. The amendment expands the scope of covered information to include medical information and health insurance information.
Covered entities: Any person or business that conducts business in California or any state agency that owns or licenses computerized data that includes personal information.
Notice Procedures/Timing/Exemptions: Written or electronic notice must be provided to victims of a security breach within the most expedient time possible and without unreasonable delay, unless disclosure impedes a criminal investigation. Substitute notice by means prescribed in the statute is allowed in the case of very large breaches.
Encryption Safe Harbor: Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted.
General Exemptions: None listed.
Other provisions: The entity responsible for data is required to take all reasonable steps to destroy a customer's records that contain personal information when the entity will no longer retain those records.
Penalties: Civil remedies available for violation of the statute.
Private Cause of Action: Yes.


Colorado
Bill Number: H.B. 1119. Col. Rev. Stat. tit. 6, art. 1, §6-1-716.
Data and consumers protected: Personal information of Colorado residents.
Covered entities: Individual or commercial entity that conducts business in Colorado and owns or licenses computerized data that includes personal information.
Notice Procedures/Timing/Exemptions: Written, electronic or telephonic notice must be provided to victims of a security breach within the most expedient time possible and without unreasonable delay, unless disclosure impedes a law enforcement investigation. Substitute notice by means prescribed in the statute is allowed in the case of large breaches. Notice is not required if the entity determines after a good faith investigation that misuse of the data has not occurred or is not reasonably likely to occur. An entity that must notify more than 1,000 persons at one time of a security breach is required to also promptly notify all consumer reporting agencies of the breach.
Encryption Safe Harbor: Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted, redacted or secured by any other method rendering it unreadable or unusable.
General Exemptions: Entities regulated by state or federal law that maintain procedures for addressing security breaches pursuant to those laws are exempt. Entities subject to Title V of the GLBA are exempt.
Other provisions: None listed.
Penalties: None listed.
Private Cause of Action: No. Enforcement by Attorney General only.


Connecticut
Bill Number: Conn. Gen. Stat. 36a-701(b).
Data and consumers protected: Personal information of Connecticut residents.
Covered entities: Any person who conducts business in Connecticut, and who, in the ordinary course of such person's business, owns, licenses or maintains computerized data that includes personal information.
Notice Procedures/Timing/Exemptions: Written, electronic or telephonic notice must be provided to victims of a security breach within the most expedient time possible and without unreasonable delay, unless disclosure impedes a law enforcement investigation. Substitute notice by means prescribed in the statute is allowed in the case of very large breaches. Notice is not required if the entity responsible for the data determines in consultation with federal, state and local law enforcement agencies that there is no reasonable likelihood of harm to consumers.
Encryption Safe Harbor: Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is secured by encryption or by any other method or technology that renders it unreadable or unusable.
General Exemptions: Any person that maintains a security breach procedure pursuant to the rules, regulations, procedures or guidelines established by the primary or functional regulator is exempt.
Other provisions: Consumers have the right to place a “security freeze” on their credit reports.
Penalties: Failure to comply with the statute constitutes an unfair trade practice.
Private Cause of Action: No. Enforcement by Attorney General only.

Delaware
Bill Number: H.B. 116. Del. C., Tit. 6, Chapter 12B, §§ 101-104.
Data and consumers protected: Personal information of Delaware residents. The definition of “personal information” includes medical information.
Covered entities: An individual or a commercial entity that conducts business in Delaware and owns or licenses computerized data that includes personal information.
Notice Procedures/Timing/Exemptions: Written or electronic notice must be provided to victims of a security breach within the most expedient time possible and without unreasonable delay, unless disclosure impedes a law enforcement investigation. Substitute notice by means prescribed in the statute is allowed in the case of large breaches. Notice is not required if the entity responsible for the data concludes that the breach will not likely result in harm to consumers. Prompt, written notification of the nature and circumstances of the breach must also be provided to the Consumer Protection Division of the Department of Justice.
Encryption Safe Harbor: Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted.
General Exemptions: Entities regulated by any state or federal law that provides greater protection to personal information are exempt.
Other provisions: None listed.
Penalties: Appropriate penalties and damages may be assessed in an enforcement action brought by the Attorney General.
Private Cause of Action: Yes. Plaintiff may recover treble damages and reasonable attorney fees.


Florida
Bill Number: H.B. 481. Fl. Stat. Tit. XLVI, Ch. 817, §5681.
Data and consumers protected: Personal information of Florida residents.
Covered entities: Any person who conducts business in Florida and maintains computerized data in a system that includes personal information.
Notice Procedures/Timing/Exemptions: Written or electronic notice must be provided to victims of a material security breach no later than 45 days following the determination of the breach. The notification procedures must be consistent with the legitimate needs of law enforcement. Substitute notice by means prescribed in the statute is allowed in the case of very large breaches. An entity that must notify more than 1,000 persons at one time of a security breach is required to also promptly notify all consumer reporting agencies of the breach. Notice is not required if the entity responsible for the data concludes after a reasonable investigation or consultation with federal, state and local law enforcement agencies that the breach will not likely result in harm to consumers. Such a determination must be documented in writing and the documentation must be kept for five (5) years.
Encryption Safe Harbor: Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted.
General Exemptions: Entities subject to federal data security regulations are exempt.
Other provisions: None listed.
Penalties: For failure to provide notice of the security breach within 45 days: $1,000 per day per breach, then up to $50,000 for each 30-day period up to 180 days, not to exceed $500,000. For failure to document and maintain written documentation of the investigation for five (5) years: an administrative fine in the amount of up to $50,000. Penalties do not apply to government agencies, unless the agencies entered into an agreement with contractors or third-party administrators to provide governmental services.
Private Cause of Action: No.


Georgia
Bill Number: S.B. 230. Ga. Code Ann., tit. 10, ch. 1, §910 thru 912.
Data and consumers protected: Personal information of Georgia residents. The definition of “personal information” includes (1) a social security number, (2) a driver’s license number or state identification card number; (3) a financial account information number; or (4) a password, if any of these data elements alone would be sufficient to perform or attempt to perform identity theft against the person whose information was compromised.
Covered entities: Any information broker that maintains computerized data that includes personal information. “Information broker” is defined as “any person or entity who, for monetary fees or dues, engages in whole or in part in the business of collecting, assembling, evaluating, compiling, reporting, transmitting, transferring, or communicating information concerning individuals for the primary purpose of furnishing personal information to nonaffiliated third parties, but does not include any governmental agency whose records are maintained primarily for traffic safety, law enforcement, or licensing purposes.”
Notice Procedures/Timing/Exemptions: Written or electronic notice must be provided to victims of a security breach within the most expedient time possible and without unreasonable delay, unless disclosure impedes a criminal investigation. Substitute notice by means prescribed in the statute is allowed in the case of very large breaches. A data broker that must notify more than 10,000 individuals at one time of a security breach is required to also promptly notify all consumer reporting agencies of the breach.
Encryption Safe Harbor: Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted.
General Exemptions: None listed.
Other provisions: None listed.
Penalties: None listed.
Private Cause of Action: No.

Hawaii
Bill Number: SB 2290. Hawaii Rev. Stat. Tit. 26/Act 135.
Data and consumers protected: Personal information of Hawaii residents. A person's first name or initial and last name combined with: SSN; driver's license or state ID number; account number, credit or debit card number, combined with any required information that allows access to the account; or any other financial information. The statute covers paper records also.
Covered entities: Any agency, individual, or commercial entity that conducts business in Hawaii and owns or licenses computerized data that includes PI, or maintains such data of PI of residents of Hawaii.
Notice Procedures/Timing/Exemptions: Notice is only required where illegal use of the PI has occurred or is reasonably likely to occur, or where the breach creates a material risk of harm to the person. Notices must include descriptions of the security breach. Substitute notice is allowed if more than 200,000 people are affected or notice would cost more than $100,000. Credit reporting agencies must be notified if more than 1,000 people are affected.
Encryption Safe Harbor: Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted.
General Exemptions: Entities regulated by state or federal law that maintain procedures for addressing security breaches pursuant to those laws are exempt.
Other provisions: None listed.
Penalties: At most $2,500 per violation and for any actual damages faced by an individual.
Private Cause of Action: No.


Idaho
Bill Number: Idaho Code §§ 28-51-104 to 28-51-107.
Data and consumers protected: Personal information of Idaho residents.
Covered entities: An agency, individual or a commercial entity that conducts business in Idaho and owns or licenses computerized data that includes personal information about a resident of Idaho.
Notice Procedures/Timing/Exemptions: Written, electronic or telephonic notice must be provided to victims of a security breach within the most expedient time possible and without unreasonable delay, unless disclosure impedes a law enforcement investigation. Substitute notice by means prescribed in the statute is allowed in the case of larger breaches. Notification is required solely in the case of breaches that “materially compromise the security, confidentiality, or integrity of personal information for one (1) or more persons maintained by an agency, individual or a commercial entity.”
Encryption Safe Harbor: Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted.
General Exemptions: Entities regulated by state or federal law that maintain procedures for addressing security breaches pursuant to those laws are exempt.
Other provisions: None listed.
Penalties: Fine of not more than twenty-five thousand dollars ($25,000) per breach of the security of the system.
Private Cause of Action: No. Enforcement action is brought by an agency's, commercial entity’s or individual’s primary regulator. “ ‘Primary regulator’ of a commercial entity or individual licensed or chartered by the United States is that commercial entity's or individual's primary federal regulator, the primary regulator of a commercial entity or individual licensed by the department of finance is the department of finance, the primary regulator of a commercial entity or individual licensed by the department of insurance is the department of insurance and, for all agencies and all other commercial entities or individuals, the primary regulator is the attorney general.”


Illinois
Bill Number: H.B. 1633. Ill. Comp. Stat., 815 ILCS 530/1 et seq.
Data and consumers protected: Personal information of Illinois residents.
Covered entities: Any data collector that owns or licenses personal information concerning a resident of Illinois. The “data collector” definition includes, but is not limited to, “government agencies, public and private universities, privately and publicly held corporations, financial institutions, retail operators, and any other entity that, for any purpose, handles, collects, disseminates, or otherwise deals with nonpublic personal information.”
Notice Procedures/Timing/Exemptions: Written or electronic notice must be provided to victims of a security breach within the most expedient time possible and without unreasonable delay. Substitute notice by means prescribed in the statute is allowed in the case of very large breaches.
Encryption Safe Harbor: Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted or redacted.
General Exemptions: None listed.
Other provisions: None listed.
Penalties: A violation of the statute constitutes an unlawful practice under the Consumer Fraud and Deceptive Business Practices Act.
Private Cause of Action: No.


Indiana (government agencies only)
Bill Number: S.B. 503. Ind. Code, tit. 24, art. 4.9.
Data and consumers protected: Personal information of Indiana residents.
Covered entities: Any state agency that owns or licenses computerized data that includes personal information.
Notice Procedures/Timing/Exemptions: Written or electronic notice must be provided to victims of a security breach within the most expedient time possible and without unreasonable delay, unless disclosure impedes a law enforcement investigation. Substitute notice by means prescribed in the statute is allowed in the case of very large breaches. If an agency is required to provide notice under this section to more than 1,000 persons, the state agency must also promptly notify all consumer reporting agencies.
Encryption Safe Harbor: Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted.
General Exemptions: None listed.
Other provisions: The definition of “breach of the security system” does not include the “unauthorized acquisition of a portable electronic device on which personal information is stored if access to the device is protected by a password that has not been disclosed.”
Penalties: None listed.
Private Cause of Action: No.


Indiana
Bill Number: H.B. 1101. Ind. Code §§ 24-4.9 et seq., 4-1-11 et seq., 2009 H.B. 1121.
Data and consumers protected: Personal information of Indiana residents.
Covered entities: Any company owning or using computerized “personal information of an Indiana resident for commercial purposes.”
Notice Procedures/Timing/Exemptions: Written, electronic, telephonic or facsimile notice must be provided to victims of a security breach within the most expedient time possible and without unreasonable delay, unless disclosure impedes a law enforcement investigation or jeopardizes national security. Substitute notice by means prescribed in the statute is allowed in the case of very large breaches.
Encryption Safe Harbor: The statute applies to both unencrypted and encrypted personal information acquired by an unauthorized person. “Encrypted” is defined as (1) the transformation of data through the use of an algorithmic process into a form in which there is a low probability of assigning meaning without use of a confidential process or key; or (2) securing data through another method that renders the personal information unreadable or unusable. “Redacted” is defined as altering or truncating personal information so that not more than the last four digits of: (1) a social security number; (2) a driver's license number; (3) a state identification number; or (4) an account number; is accessible as part of personal information.
General Exemptions: Entities subject to and in compliance with certain federal data security laws and regulations specified in the statute are exempt.
Other provisions: Entities responsible for personal data are required to also notify each consumer reporting agency of the security breach.
Penalties: The attorney general may bring an action to obtain any or all of the following: (1) an injunction to enjoin future violations of the statute; (2) a civil penalty of not more than one hundred fifty thousand dollars ($150,000) per deceptive act; (3) the attorney general's reasonable costs in: (a) the investigation of the deceptive act; and (b) maintaining the action; (4) reasonable attorney's fees; and (5) costs of the action.
Private Cause of Action: No.


Iowa
Bill Number: S.F. 2308. Iowa Code §§ 715C.1 (2008 S.F. 2308).
Data and consumers protected: Personal information of Iowa residents.
Covered entities: Any person who owns or licenses computerized data that includes a consumer's personal information that is used in the course of the person's business, vocation, occupation, or volunteer activities. Any person who maintains or otherwise possesses personal information on behalf of another person. The definition of “person” includes governmental subdivisions, agencies, or instrumentalities.
Notice Procedures/Timing/Exemptions: Written or electronic notice must be given to any consumer whose personal information was included in the information that was breached, in the most expeditious manner possible and without unreasonable delay, unless a law enforcement agency determines that notification will impede a criminal investigation and the agency has made a written request that the notification be delayed. Substitute notice by means prescribed in the statute is allowed in the case of very large breaches. Notice is not required if the breached entity determines, after appropriate investigation or after consultation with relevant federal, state, or local agencies responsible for law enforcement, that no reasonable likelihood of financial harm to the consumers whose personal information has been acquired has resulted or will result from the breach. Such a determination must be documented in writing and the documentation must be maintained for five years.
Encryption Safe Harbor: Statute not applicable if the personal data that was breached was encrypted, redacted, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable. “Encryption” is defined as “the use of an algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without the use of a confidential process or key.” “Redacted” is defined as “altered or truncated so that no more than five digits of a social security number or the last four digits of other numbers designated in section 715A.8, subsection 1, paragraph "a", is accessible as part of the data.”
General Exemptions: The statute does not apply to a person that: (1) complies with notification requirements or breach of security procedures established by a person’s primary or functional federal regulator, or by a state or federal law that provides greater protection to personal information and at least as thorough disclosure requirements for breach of security of personal information than that provided by this statute; and (2) is subject to and in compliance with Title V of the GLBA.
Other provisions: None listed.
Penalties: The Attorney General may seek and obtain an order that a party held to violate this section pay damages to the Attorney General on behalf of a person injured by the violation.
Private Cause of Action: No.


Kansas
Bill Number: S.B. 196. K.S.A. 50-7a01, 50-7a02.
Data and consumers protected: Personal information of Kansas residents.
Covered entities: A person that conducts business in Kansas, or a government, governmental subdivision or agency, that owns or licenses computerized data that includes personal information.
Notice Procedures/Timing/Exemptions: Written or electronic notice must be provided to victims of a security breach within the most expedient time possible and without unreasonable delay, unless disclosure impedes a criminal investigation. Substitute notice by means prescribed in the statute is allowed in the case of large breaches. An entity that must notify more than 1,000 consumers at one time of a security breach is required to also promptly notify all consumer reporting agencies of the breach.
Encryption Safe Harbor: Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted or redacted. “Encrypted” is defined as the “transformation of data through the use of algorithmic process into a form in which there is a low probability of assigning meaning without the use of a confidential process or key, or securing the information by another method that renders the data elements unreadable or unusable.” “Redacted” is defined as the “alteration or truncation of data” so that no more than (a) five digits of a social security number, or (b) the last four digits of a driver’s license number, state identification number or account number, are accessible as part of the personal information.
General Exemptions: Entities regulated by state or federal law that maintain procedures for addressing security breaches pursuant to those laws are exempt.
Other provisions: Enforcement actions against insurance companies licensed to do business in Kansas may only be brought by the insurance commissioner.
Penalties: Appropriate penalties and damages may be assessed in an enforcement action brought by the Attorney General.
Private Cause of Action: No.


Louisiana: S.B. 205; La. Rev. Stat., ch. § 51:3071 et seq.
Data and consumers protected: Personal information of Louisiana residents.
Covered entities: Any person that conducts business in Louisiana or that owns or licenses computerized data that includes personal information.
Notice Procedures/Timing/Exemptions: Written or electronic notice must be provided to victims of a security breach within the most expedient time possible and without unreasonable delay, unless disclosure impedes law enforcement investigation. Substitute notice by means prescribed in the statute allowed in the case of very large breaches. Notice not required if the entity responsible for the data concludes after a reasonable investigation that there is no reasonable likelihood of harm to consumers.
Encryption Safe Harbor: Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted or redacted.
General Exemptions: Financial institutions subject to and in compliance with the Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice are exempt.
Penalties: Fines of $1,000 per day for the first 30 days, and $50,000 per day thereafter, up to a total maximum of $500,000.
Private Cause of Action: Yes. Civil action to recover actual damages.


Maine: L.D. 1671; Me. Rev. Stat. Tit. 10, ch. 210-B, §§1346-1349; Amended by L.D. 70, eff. Sept 13, 2009
Data and consumers protected: Personal information of Maine residents. Definition of "personal information" includes (1) a social security number, (2) a driver's license number or state identification card number; (3) a financial account information number; or (4) a password, if any of these data elements alone would be sufficient to permit a person to fraudulently assume or attempt to assume the identity of the person whose information was compromised. Includes unauthorized acquisition, release or use of PI.
Covered entities: All private sector businesses (added to regs Jan. 1, 2007). Information brokers that maintain computerized data containing personal information. "Information broker" defined as "a person who, for monetary fees or dues, engages in whole or in part in the business of collecting, assembling, evaluating, compiling, reporting, transmitting, transferring or communicating information concerning individuals for the primary purpose of furnishing personal information to nonaffiliated 3rd parties." The definition does not include "a governmental agency whose records are maintained primarily for traffic safety, law enforcement or licensing purposes."
Notice Procedures/Timing/Exemptions: Written or electronic notice must be provided to victims of a security breach. Entities may not delay notification to Maine residents any longer than seven business days after a law enforcement agency determines that notification will not compromise a criminal investigation. Substitute notice by means prescribed in the statute allowed if the cost of providing notice exceeds $5,000, the affected class exceeds 1,000 or the data broker does not have sufficient contact information. A data broker that must notify more than 1,000 persons at one time of a security breach is required to also promptly notify all consumer reporting agencies of the breach, as prescribed in the statute. The data broker must also notify the appropriate state regulators within the Department of Professional and Financial Regulation (data brokers) or alternatively, the Attorney General. Notice not required if security software to block unauthorized transactions does not show improper activity after the security breach.
Encryption Safe Harbor: Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted or redacted. "Encryption" defined as "the disguising of data using generally accepted practices."
General Exemptions: Entities covered by Title V of the GLBA that maintain procedures to block unauthorized transactions are exempt. Good-faith acquisition, release or use by employee acting on behalf of entity is not breach if PI is not used or subject to further unauthorized disclosure to another person.
Other provisions: The statute is enforced by the Department of Professional and Financial Regulation as to licensed data brokers and by the Attorney General as to all other brokers.
Penalties: Fines of not more than $500 per violation, up to a maximum of $2500 per each day.
Private Cause of Action: No.


Maryland: S.B. 486; Md. Code, Com. Law § 14-3501 et seq.
Data and consumers protected: Personal information of Maryland residents.
Covered entities: Any business that owns or licenses personal information of an individual residing in Maryland, and any business that uses a nonaffiliated third party as a service provider to perform services for the business and discloses personal information about an individual residing in Maryland under a written contract with the third party must require by contract that the third party implement and maintain reasonable security procedures and practices.
Notice Procedures/Timing/Exemptions: Notice shall be given as soon as reasonably practicable after the business discovers or is notified of the breach of the security of a system, unless a law enforcement agency determines that the notification will impede a criminal investigation or jeopardize homeland or national security, or to determine the scope of the breach of the security of a system, identify the individuals affected, or restore the integrity of the system. Notice may be given by written notice; by electronic mail if the individual has expressly consented to receive electronic notice or the business conducts its business primarily through the Internet; by telephonic notice; or by substitute notice by means prescribed in the statute, allowed in the case of very large breaches. Notice must include a description of the categories of information breached, and contact information for the Attorney General, Federal Trade Commission, and Credit Reporting Agencies. Prior to giving the notification required by this section a business shall provide notice of a breach of the security of a system to the Office of the Attorney General.
Encryption Safe Harbor: Statute applies only to unencrypted personal information acquired by an unauthorized person. "Encrypted" means the transformation of data through the use of an algorithmic process into a form in which there is a low probability of assigning meaning without use of a confidential process or key.
General Exemptions: A business that is subject to and in compliance with § 501(b) of the GLBA, § 216 of the federal Fair and Accurate Transactions Act, 15 U.S.C. § 1681w, shall be deemed to be in compliance with the statute.
Other provisions: Statute requires reasonable security procedures and practices that are appropriate to the nature of the personal information owned or licensed and the nature and size of the business and its operations.
Penalties: A violation of the statute implicates Title 13 of the Maryland Code, the Unfair and Deceptive Trade Practices Act. Appropriate penalties and damages may be assessed in an enforcement action brought by the Attorney General.
Private Cause of Action: Yes, consumers may bring actions under Title 13 of the Maryland Code, the Unfair and Deceptive Trade Practices Act.


Massachusetts: House No. 4144; Signed into law Aug. 2, 2007; Effective Feb. 3, 2008, codified as Mass. Gen. Laws § 93H-1 et seq.
Data and consumers protected: Personal information of Massachusetts residents. Personal information is defined as first name or initial and last name combined with one of the following: SSN, driver's license, state i.d. card number, passport, financial account information along with password or security code information.
Covered entities: State agencies, commissions, bureaus etc. and persons, corporations, associations, partnerships or other legal entities that maintain, store, own or license data that includes personal information about a resident of Massachusetts.
Notice Procedures/Timing/Exemptions: Entities that maintain or store but do not own personal information must provide notice to, and cooperate with, the entity that owns or leases the data. The entity that owns or leases the data must provide notice as soon as possible and without unreasonable delay to the attorney general, the director of consumer affairs and business regulation and to affected residents. Notice may be delayed if provision of such notice will impede a criminal investigation. Notice may be written or electronic. Substitute notice permitted if cost of notice will exceed $250,000 or the affected class of residents is greater than 500,000.
Encryption Safe Harbor: Covers unencrypted data or the acquisition of the confidential process or key that is capable of compromising the security and confidentiality of encrypted data.
General Exemptions: An entity is considered in compliance with the statute if the entity follows a federal law regarding protection or privacy of information and the entity notifies MA residents pursuant to the federal law. M.G.L. c. 93H, §5. Please note that this does not apply to 201 C.M.R. 17.00.
Other provisions: When disposing of records: paper records containing personal information must be redacted, burned, pulverized or shredded. Electronic data containing personal information shall be destroyed or erased.
Penalties: The Massachusetts Attorney General may bring an action under Chapter 93A, the Commonwealth's consumer protection statute, which permits the imposition of significant fines, injunctive relief, and attorneys' fees. (93H § 6) A civil penalty of $5,000 may be awarded for each violation. (93A § 4) Businesses can be subject to a fine of up to $50,000 for each instance of improper disposal of data. (93I § 3)
Private Cause of Action: Yes. Massachusetts consumers may seek damages under Chapter 93A, which in some cases may be trebled.


Regulation: 201 CMR 17.00 (Massachusetts); General compliance deadline: March 1, 2010; Revised Regulations
Data and consumers protected: "Personal information" means a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account; provided, however, that "Personal information" shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
Covered entities: Every person that owns, licenses, stores or maintains personal information about a resident of Massachusetts. "Person" means a natural person, corporation, association, partnership or other legal entity, other than an agency, executive office, department, board, commission, bureau, division or authority of the Commonwealth, or any of its branches, or any political subdivision thereof. Covers third-party service providers with access to personal information. Requires entities to collect and store the minimum amount of personal information necessary to accomplish the legitimate purpose for which it was collected, and requires entities to restrict access to the personal information to the smallest possible number of users.
Notice Procedures/Timing/Exemptions: None.
Encryption Safe Harbor: The regulations require the encryption of all transmitted records and files containing personal information, including those in wireless environments, that will travel across public networks. For files containing personal information on a system that is connected to the Internet, there must be firewall protection with up-to-date patches, including operating system security patches.
General Exemptions: None.
Other provisions: The regulations require the development, implementation, maintenance and monitoring of a comprehensive information security program consistent with industry standards that is applicable to any records containing such personal information. Whether the comprehensive information security program (called for by the statute) is in compliance with these regulations for the protection of personal information, whether pursuant to section 17.03 or 17.04 hereof, shall be evaluated taking into account (i) the size, scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program, (ii) the amount of resources available to such person, (iii) the amount of stored data, and (iv) the need for security and confidentiality of both consumer and employee information.
Penalties: Please see above for a summary of applicable penalty provisions of Mass. Gen. Laws c. 93A, c. 93H and c. 93I.
Private Cause of Action: Please see above. Consumers may seek damages under Mass. Gen. Laws c. 93A.


Michigan: S.B. 309; Mich. Comp. Law § 445.72
Data and consumers protected: Personal information of Michigan residents. Person's first name or initial and last name combined with: SSN; driver's license or state ID #; acct #, credit or debit card #, combined with any required info that allows access to account; or any other financial info.
Covered entities: State agencies including institutions of higher education; individual, partnership, corporation, limited liability company, association or other legal entity that owns or licenses personal information.
Notice Procedures/Timing/Exemptions: Notice required without unreasonable delay unless determination that breach has not or is not likely to cause substantial loss or injury to, or result in, identity theft with respect to one or more residents of the state. Notice may be by mail, email or telephone depending on existing business relationship with recipient. Substitute notice permitted if the cost of providing notice will exceed $250,000 or notice must be provided to more than 500,000 residents.
Encryption Safe Harbor: Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted.
General Exemptions: Financial institutions and entities covered by HIPAA are exempt.
Penalties: Misdemeanor and fine of $250 for each violation with a maximum aggregate liability of $750,000.
Private Cause of Action: No.

Minnesota: H.F. 225; H.F. 2121; Minn. Stat. §§ 325E.61, 325E.64
Data and consumers protected: Personal information of Minnesota residents.
Covered entities: State agencies (H.F. 225). Any person or business doing business in Minnesota that owns or licenses computerized data containing personal information (H.F. 2121).
Notice Procedures/Timing/Exemptions: Entities doing business in Minnesota must provide written or electronic notice to victims of a security breach within the most expedient time possible and without unreasonable delay, unless disclosure impedes law enforcement investigation. Substitute notice by means prescribed in the statute allowed in the case of very large breaches.
Encryption Safe Harbor: Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted.
General Exemptions: Financial institutions and entities covered by HIPAA are exempt.
Other provisions: Definition of "breach" does not include loss of a portable electronic device containing password protected personal information.
Private Cause of Action: Yes.


Missouri: Mo. Rev. Stat. § 407.1500 (2009 H.B. 62); Effective August 28, 2009
Data and consumers protected: Personal information of Missouri residents. Also includes medical and health insurance information, including an individual's medical history, mental or physical condition, treatment or diagnosis, health insurance policy number and any other unique identifier used by a health insurer.
Covered entities: State agencies. Any person or business that conducts business in Missouri that owns or licenses computerized data containing personal information.
Notice Procedures/Timing/Exemptions: Entities conducting business in Missouri must provide written or electronic notice to residents of Missouri when the security of their personal information has been compromised. Notice to the Missouri AG and national consumer credit reporting agencies if more than 1,000 Missouri residents are affected.
Encryption Safe Harbor: Notice not required if the personal information compromised was encrypted.
General Exemptions: Entities regulated by state or federal law that maintain procedures for addressing security breaches pursuant to those laws are deemed to be in compliance. Entities that maintain their own notice procedures as part of an information security plan and whose notice procedures are consistent with the timing of the Missouri statute will be deemed in compliance if notice is provided in accordance with the information security plan.
Other provisions: "Material risk of harm" trigger: notice not required if, after an appropriate investigation or consultation with law enforcement authorities, the business determines that identity theft is not likely to result from the breach.
Penalties: Attorney General may seek actual damages and/or civil penalties (not to exceed $150,000 for each security breach) for failures to comply.
Private Cause of Action: No.


Montana: H.B. 732; Mont. Code § 30-14-1701 et seq., 2009 H.B. 155, Chapter 163
Data and consumers protected: Personal information of Montana residents. Definition of "personal information" includes insurance policy number as well as a social security number alone.
Covered entities: Any person or business that conducts business in Montana, and owns or licenses computerized data that includes personal information.
Notice Procedures/Timing/Exemptions: Written, electronic or telephonic notice must be provided to victims of a security breach without unreasonable delay, unless disclosure impedes law enforcement investigation. Substitute notice by means specified in the statute allowed in the case of very large breaches. Notification required solely in the case of breaches that materially compromise the security, confidentiality, or integrity of personal information maintained by the person or business responsible for the data and cause or are reasonably believed to cause loss or injury to a Montana resident.
Encryption Safe Harbor: Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted.
Other provisions: Entities responsible for personal data must destroy the data that is no longer necessary by shredding, erasing or modifying the data so that it becomes unreadable.
Penalties: Temporary and permanent injunction. Penalties for a violation of the statute are provided in 30-14-142.
Private Cause of Action: No.


Nebraska: Neb. Rev. Stat. §§ 87-801, -802, -803, -804, -805, -806, -807
Data and consumers protected: Personal information of Nebraska residents. Definition of "personal information" includes biometric data: fingerprints, voiceprints, retina or iris images, DNA profiles and any other "unique physical representations."
Covered entities: Individual or commercial entity that conducts business in Nebraska and that owns or licenses computerized data which includes personal information.
Notice Procedures/Timing/Exemptions: Written, electronic or telephonic notice must be provided to victims of a security breach within the most expedient time possible and without unreasonable delay, unless disclosure impedes law enforcement investigation. Substitute notice by means specified in the statute allowed in the case of very large breaches. Notification required solely in the case of breaches that "materially compromise the security, confidentiality or integrity of the personal information."
Encryption Safe Harbor: Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted or redacted. "Encrypted" is defined as "converted by use of an algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without use of a confidential process or key." "Redact" is defined as altering or truncating data in a way that only the last four digits of a social security number, driver's license number, state identification card or account number are accessible.
General Exemptions: Entities regulated by state or federal law that maintain procedures for addressing security breaches pursuant to those laws are exempt.
Private Cause of Action: No.

Nevada: A.B. 334; S.B. 347; Nev. Rev. Stat. 603A.010 et seq.
Data and consumers protected: Personal information of Nevada residents. Definition of "personal information" includes "unique biometric data," electronic signature, alien registration number, government passport number, employer id number, tax payer id number, Medicaid account number, food stamp account number, health insurance number, professional license numbers, and utility account number.
Covered entities: Governmental agencies (A.B. 334). Data collectors (S.B. 347). "Data collectors" definition includes "government, businesses and associations who handle, collect, disseminate or otherwise deal with non public personal information."
Notice Procedures/Timing/Exemptions: Written or electronic notice must be provided to victims of a security breach within the most expedient time possible and without unreasonable delay, unless disclosure impedes law enforcement investigation. Substitute notice by means specified in the statute allowed in the case of very large breaches. Notification required solely in the case of breaches that materially compromise the security, confidentiality or integrity of the personal information.
Encryption Safe Harbor: Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted.
General Exemptions: Entities subject to and in compliance with the privacy and security provisions of Title V of the GLBA are exempt.
Other provisions: Entities responsible for personal data must take reasonable measures to destroy the data that is no longer necessary. Entities responsible for personal data are also required to encrypt data that is being transmitted using encryption consistent with PCI DSS standards.
Private Cause of Action: No.


Nevada: Nev. Rev. Stat. § 597-970
Data and consumers protected: Prohibits the transfer of "any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission." Personal information includes a natural person's first name or first initial and last name in combination with any one or more of the following data elements, when the name and data elements are not encrypted: 1) Social Security number; 2) Driver's license number or identification card number; or 3) Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person's financial account.
Covered entities: Applies to "businesses in" Nevada. The statute does not differentiate between entities doing business in Nevada and entities incorporated in Nevada.
Encryption Safe Harbor: Statute not applicable if personal information transferred to a person outside of the secure system of the business is encrypted.
General Exemptions: Personal information does not include the last four digits of a social security number or publicly available information that is lawfully made available to the general public.
Private Cause of Action: No.


New Hampshire: HB 1660; N.H. Rev. Stat. §§ 359-C:19, -C:20, -C:21
Data and consumers protected: Personal information of New Hampshire residents. Person's first name or initial and last name combined with: SSN; driver's license or state ID #; acct #, credit or debit card #, combined with any required info that allows access to account; or any other financial info.
Covered entities: Any person that conducts business in NH and owns or licenses computerized data that includes PI or maintains such computerized data.
Notice Procedures/Timing/Exemptions: Notification as soon as possible is required if PI has been misused or is reasonably likely to be misused. Notice must be in writing, by telephone or in electronic form such as email. If engaged in trade or commerce, notify the regulator which has authority over such trade or commerce. All others notify AG. Substitute notice allowed when cost of providing notice would exceed $5,000 or affected class of individuals to be notified exceeds 1,000. Requires notification of CRA if notice provided to more than 1,000 people.
Encryption Safe Harbor: None.
General Exemptions: Entities regulated by state or federal law that maintain procedures for addressing security breaches pursuant to those laws are exempt.
Penalties: Up to $10,000 per violation.
Private Cause of Action: Person injured as a result of violation may bring an action for damages. Recovery may be in the amount of actual damages (two to three times actual damages if violation was knowing and willful). Injunctive relief permitted also.


New Jersey: A 4001/S. 1914; N.J. Stat. 56:8-163
Data and consumers protected: Personal information of New Jersey residents. Data elements alone may constitute "personal information" in certain situations.
Covered entities: Any business that conducts business in New Jersey or any public entity that compiles or maintains computerized records that include personal information.
Notice Procedures/Timing/Exemptions: Written or electronic notice must be provided to victims of a security breach within the most expedient time possible and without unreasonable delay, unless disclosure impedes law enforcement investigation. Substitute notice by means specified in the statute allowed in the case of very large breaches. Notice not required if the entity responsible for the data establishes that misuse of the information is not reasonably possible. Such determinations must be documented in writing and retained for five (5) years. An entity that must notify more than 1,000 persons at one time of a security breach is required to also promptly notify all consumer reporting agencies of the breach.
Encryption Safe Harbor: Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted or secured by any other method or technology that renders the personal information unreadable or unusable.
Other provisions: Allows consumers to place a security freeze on their credit report.
Private Cause of Action: No.


New York: A 4254, A 3492; N.Y. St. Tech. Law §208 (applies to state agencies) and Gen. Bus. Law, Sect. 899-aa (applies to business)
Data and consumers protected: Personal information of New York residents.
Covered entities: Any state entity that owns or licenses computerized data that includes private information and any person or business that conducts business in New York that owns or licenses computerized data containing private information.
Notice Procedures/Timing/Exemptions (N.Y. St. Tech. Law §208): State entities must provide written or electronic notice to affected persons within the most expedient time possible and without unreasonable delay, unless disclosure impedes law enforcement investigation. Substitute notice by means specified in the statute allowed in the case of very large breaches.
Notice Procedures/Timing/Exemptions (N.Y. Gen. Bus. Law § 899-aa): Breached entities must provide written, electronic or telephonic notice to victims of a security breach within the most expedient time possible and without unreasonable delay, unless disclosure impedes law enforcement investigation. Substitute notice by means specified in the statute allowed in the case of very large breaches. Notice must also be provided to the Attorney General, the State Consumer Protection Board and the Office of Cyber Security and Critical Infrastructure Coordination. In the event that notice of the security breach must be given to more than 5,000 persons at one time, the breached entity is required to also promptly notify all consumer reporting agencies of the breach.
Encryption Safe Harbor: Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted. No safe harbor if the compromised data was "encrypted with an encryption key that has also been acquired."
Other provisions: Electronic notice allowed only when the consumer to be notified has consented to such notice. A log of all consumers notified electronically must be kept.
Penalties: Civil penalty of the greater of $5,000 or up to $10,000 per instance of failed notification, provided that the latter amount shall not exceed $150,000.
Private Cause of Action: No. Attorney General may bring action on behalf of victims of a security breach. Two year statute of limitation.

Copyright © 2009 Mintz, Levin, Cohn, Ferris, Glovsky & Popeo, P.C. B OSTON | W ASHINGTON | N EW Y ORK | S TAMFORD | L OS A NGELES | P ALO A LTO | S AN D IEGO | L ONDON WWW . MINTZ . COM

August 2009

North Carolina

State and Bill Number: North Carolina. S.B. 1048. N.C. Gen'l Stat., ch. 75, § 65.

Data and consumers protected: Personal information of North Carolina residents.

Covered entities: Any business that owns or licenses personal information of residents of North Carolina, or any business that conducts business in North Carolina and owns or licenses personal information in any form, whether computerized, paper, or otherwise.

Notice Procedures/Timing/Exemptions: Written, electronic or telephonic notice must be provided to victims of a security breach within the most expedient time possible and without unreasonable delay, unless disclosure impedes a law enforcement investigation. Substitute notice by means specified in the statute is allowed in the case of very large breaches. Notice not required if the entity responsible for the data concludes that the security breach is not reasonably likely to cause or create a "material risk of harm" to consumers. An entity that must notify more than 1,000 persons at one time of a security breach is also required to promptly notify all consumer reporting agencies of the breach.

Encryption Safe Harbor: Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted or redacted. No safe harbor if the compromised data is encrypted with an encryption key that has been acquired. "Encryption" is defined as "the use of an algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without use of a confidential process or key." "Redaction" is defined as "the rendering of data so that it is unreadable or is truncated so that no more than the last four digits of the identification number is accessible as part of the data."

General Exemptions: Financial institutions subject to and in compliance with the Federal Interagency Guidance on Response Programs for Unauthorized Access to Consumer Information and Customer Notice are exempt.

Other provisions: Gives affected consumers the right to place a security freeze on their credit reports.

Penalties: Civil and criminal penalties for violations.

Private Cause of Action: Yes, but only if the individual is injured as a result of a violation of the statute.

North Dakota

State and Bill Number: North Dakota. S.B. 2251. N.D. Cent. Code, tit. 51, ch. 30.

Data and consumers protected: Personal information of North Dakota residents. The definition of "personal information" includes date of birth, mother's maiden name, employee identification number, birth/death/marriage certificate, and electronic signature.

Covered entities: Any person that conducts business in North Dakota and owns or licenses computerized data that includes personal information.

Notice Procedures/Timing/Exemptions: Written or electronic notice must be provided to victims of a security breach within the most expedient time possible and without unreasonable delay, unless disclosure impedes a law enforcement investigation. Substitute notice by means specified in the statute is allowed in the case of very large breaches.

Encryption Safe Harbor: Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted or secured by any other method or technology that renders the personal information unreadable or unusable.

General Exemptions: Financial institutions, trust companies, and credit unions subject to and in compliance with federal regulations are exempt.

Penalties: Civil and criminal penalties (identity theft felonies).

Private Cause of Action: No. Enforcement by the Attorney General only.


Ohio

State and Bill Number: Ohio. H.B. 104. Oh. Rev. Code, tit. XIII, ch. 1349, § 19.

Data and consumers protected: Personal information of Ohio residents. "Personal information" is defined as "any information that describes anything about a person or that indicates actions done by or to a person, or that indicates that a person possesses certain personal characteristics, and that contains, and can be retrieved from a system by, a name, identifying number, symbol, or other identifier assigned to a person."

Covered entities: Any state agency or agency of a political subdivision that owns or licenses computerized data that includes personal information, and any person that owns or licenses computerized data that includes personal information.

Notice Procedures/Timing/Exemptions: Written, electronic or telephonic notice must be provided to victims of a security breach no later than 45 days following the discovery of the breach, unless disclosure impedes a law enforcement investigation. Substitute notice by means prescribed in the statute is allowed for businesses with fewer than ten (10) employees when notification costs exceed $10,000. Notification is required solely in the case of breaches that have caused or are reasonably likely to cause a material risk of identity theft or other fraud to an Ohio resident. An entity that must notify more than 1,000 persons at one time of a security breach is also required to promptly notify all consumer reporting agencies of the breach.

Encryption Safe Harbor: Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted or redacted. "Encryption" is defined as "the use of algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key." "Redacted" is defined as "altered or truncated so that no more than the last four digits of a social security number, driver's license number, state identification card number, account number, or credit or debit card number is accessible as part of the data."

General Exemptions: Financial institutions, trust companies, and credit unions subject to and in compliance with federal regulations are exempt. Entities regulated by sections 1171 to 1179 of the "Social Security Act," chapter 531, 49 Stat. 620 (1935), 42 U.S.C. 1320d to 1320d-8, and any corresponding regulations in 45 C.F.R. Parts 160 and 164 are also exempt.

Penalties: Civil penalty of up to $1,000 for each day of non-compliance with the statute, up to $5,000 per day after 60 days, and up to $10,000 per day after 90 days.

Private Cause of Action: No. Enforcement by the Attorney General only.

Oklahoma

State and Bill Number: Oklahoma. HB 2357. Ok. Stat., Tit. 74, § 3113.1.

Data and consumers protected: Personal information of Oklahoma residents: a person's first name or initial and last name combined with a SSN; a driver's license or state ID number; an account number or credit or debit card number, combined with any required information that allows access to the account; or any other financial information.

Covered entities: Applies only to state agencies. Any state agency, board, commission or other unit or subdivision of state government that owns or licenses computerized data that includes personal information, or maintains such data.


Oregon

State and Bill Number: Oregon. SB 583. Effective Oct. 1, 2007.

Data and consumers protected: Personal information of Oregon consumers. Personal information is defined as first name or initial and last name combined with one of the following: SSN, driver's license number, state ID card number, passport number, or financial account information along with password or security code information.

Covered entities: Any person that owns, maintains or otherwise possesses data that includes personal information that is used in the course of the person's business, vocation, occupation or volunteer activities.

Notice Procedures/Timing/Exemptions: Notice must be given in the most expeditious time possible and without unreasonable delay. Notice may be written, electronic or by telephone. Substitute notice can be used if the cost of notice will exceed $250,000, if the number of consumers to be notified exceeds 350,000, or if there is insufficient contact information to provide notice. Notice not required if, after investigation or consultation with relevant authorities, it is determined that no reasonable likelihood of harm will result.

General Exemptions: Does not apply if the covered entity complies with state or federal laws that provide greater protection, or to those subject to Title V of the GLBA.

Other provisions: Contains restrictions on including social security numbers in documents. Covered entities must "develop, implement and maintain" reasonable safeguards to protect personal information.

Penalties: $1,000 per violation. In the case of a continuing violation, each day's continuance is a separate violation. Maximum penalty of $500,000.

Private Cause of Action: Compensation can be ordered by the state upon a finding that enforcement of the rights of consumers by private civil action would be so burdensome or expensive as to be impractical.


Pennsylvania

State and Bill Number: Pennsylvania. S.B. 712. Pa. Cons. St., ch. 73, § 2302.

Data and consumers protected: Personal information of Pennsylvania residents.

Covered entities: Any entity that maintains, stores, or manages computerized data that contains personal information of Pennsylvania residents.

Notice Procedures/Timing/Exemptions: Written, telephonic or e-mail notice (e-mail only if a prior business relationship exists) must be provided to affected persons within the most expedient time possible and without unreasonable delay, unless disclosure impedes a law enforcement investigation. Substitute notice by means prescribed in the statute is allowed in the case of large breaches. Notice not required if the entity responsible for the data concludes that the breach did not materially compromise the personal information. A breached entity that must notify more than 1,000 persons at one time of a security breach is also required to promptly notify all consumer reporting agencies of the breach.

Encryption Safe Harbor: Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted or redacted. "Encryption" is defined as "the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key." "Redacted" is defined as altered or truncated so that no more than the last four digits of a social security number, driver's license number, state identification card number, account number, or financial account number is accessible as part of the data.

General Exemptions: Financial institutions subject to and in compliance with federal regulations are exempt. Entities that are in compliance with notification requirements and procedures established by the entity's primary or functional federal regulator are also exempt.

Other provisions: Notice of the breach must be provided if encrypted personal information is accessed and acquired in unencrypted form using the encryption key.

Penalties: Violation of the statute constitutes an unfair or deceptive act in violation of the Unfair Trade Practices and Consumer Protection Law.

Private Cause of Action: No. The Attorney General has exclusive authority to bring an action under the Unfair Trade Practices and Consumer Protection Law.


Rhode Island

State and Bill Number: Rhode Island. H. 6191. R.I. Gen'l Law, tit. 11, ch. 49.2, §§ 1 thru 7.

Data and consumers protected: Personal information of Rhode Island residents. The definition of "personal information" includes physical characteristics, signature, address, telephone number, insurance policy number, education, employment, and employment history.

Covered entities: Any person or business that conducts business in Rhode Island and that owns or licenses computerized data that includes personal information.

Notice Procedures/Timing/Exemptions: Written or electronic notice must be provided to victims of a security breach within the most expedient time possible and without unreasonable delay, unless disclosure impedes a law enforcement investigation. Substitute notice by means prescribed in the statute is allowed when the number of affected consumers exceeds 50,000 and notification costs exceed $25,000. Notice not required if law enforcement concludes that there is "no significant risk of identity theft."

Encryption Safe Harbor: Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted.

General Exemptions: Entities subject to and in compliance with state and federal law that provides greater protection to personal information, and entities subject to HIPAA, are exempt.

Other provisions: Businesses are required to implement reasonable data destruction and information security procedures.

Penalties: Civil penalty of up to $500 per violation and up to $3,000 per intentional or reckless violation.

Private Cause of Action: Yes. Plaintiff may also recover attorney fees and costs.


South Carolina

State and Bill Number: South Carolina. S.B. 453. S.C. Code Ann. § 39-1-90.

Data and consumers protected: Personal identifying information of individuals residing in South Carolina who undertake transactions for personal, family, or household purposes. "Personal identifying information" means first name or first initial and last name in combination with and linked to one or more of the following data elements: (i) Social Security number, (ii) driver's license number or state ID card number, (iii) financial account number or credit card or debit card number in combination with any required security code, access code, or password that would permit access to a resident's financial account, and (iv) other numbers or information that may be used to access a person's financial accounts, or numbers or information issued by a governmental or regulatory entity that uniquely identify an individual.

Covered entities: A person conducting business in South Carolina and owning or licensing computerized data or other data that includes personal identifying information. Consumer reporting agencies.

Notice Procedures/Timing/Exemptions: A person conducting business in South Carolina must notify the owner of data that is breached immediately upon discovery of the breach. A consumer reporting agency, not later than the tenth business day after the date the agency receives the request for a security freeze, shall send a written confirmation of the security freeze to the consumer and provide the consumer with a unique personal identification number or password to be used by the consumer to authorize a removal or temporary lifting of the security freeze. Notice must be written, or electronic if the entity's primary method of communication with the individual is by electronic means. Substitute notice by means prescribed in the statute is allowed in the case of very large breaches. If the entity provides notice to more than one thousand persons at one time, notice must also be given to the Consumer Protection Division of the Department of Consumer Affairs and the consumer reporting agencies.

Encryption Safe Harbor: Statute applies only to unencrypted personal data, in both paper and electronic forms, accessed by an unauthorized person for an unlawful purpose.

General Exemptions: Financial institutions as defined in Title V of the GLBA, health insurers subject to HIPAA, persons complying with a court order, and consumer reporting agencies in compliance with the Fair Credit Reporting Act are exempt.

Other provisions: A person that maintains its own notification procedures as part of an information security policy for the treatment of personal identifying information, and is otherwise consistent with the timing requirements of this section, is considered to be in compliance with the notification requirements of this section if the person notifies subject persons in accordance with its policies in the event of a breach of the security of the system. Exemption for good-faith acquisition by an employee for the purposes of the business if the personal information is not used or subject to further unauthorized disclosure.

Penalties: Three times the amount of actual damages or not more than one thousand dollars for each incident, whichever is greater, as well as reasonable attorneys' fees and costs. If a credit reporting agency fails to impose a freeze after being notified of a breach, damages may be increased by one thousand dollars each day until the security freeze is imposed.

Private Cause of Action: A resident of South Carolina who is injured by a violation of this section, in addition to and cumulative of all other rights and remedies available at law, may institute a civil action to recover damages and, if successful, recover attorneys' fees and costs.


Tennessee

State and Bill Number: Tennessee. S.B. 2220. Tenn. Code, tit. 47, ch. 18, §§ 2101-2107.

Data and consumers protected: Personal information of Tennessee residents.

Covered entities: Any person or business that conducts business in Tennessee, or any agency of the state of Tennessee or any of its political subdivisions, that owns or licenses computerized data that includes personal information.

Notice Procedures/Timing/Exemptions: Written or electronic notice must be provided to victims of a security breach within the most expedient time possible and without unreasonable delay, unless disclosure impedes a law enforcement investigation. Substitute notice by means prescribed in the statute is allowed in the case of very large breaches.

Encryption Safe Harbor: Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted.

General Exemptions: Entities subject to Title V of the GLBA are exempt.

Other provisions: Businesses must have reasonable data destruction security procedures.

Private Cause of Action: Yes.

Texas

State and Bill Number: Texas. S.B. 122. Tex. Bus. & Comm. Code tit. 4, ch. 48, §§ 101-103 and 201-203. Amended by H.B. 2004, eff. Sept. 1, 2009.

Data and consumers protected: Personal information of Texas residents. The definition of "personal information" includes date of birth, mother's maiden name, telecommunication access device and unique biometric data, and health and medical information, including information regarding physical or mental condition, provision of health care, or payment for health care.

Covered entities: Any person that conducts business in Texas and owns or licenses computerized data that includes sensitive personal information. Requires public agencies to notify state residents if their personal information is breached.

Notice Procedures/Timing/Exemptions: Written or electronic notice must be provided to victims of a security breach within the most expedient time possible and without unreasonable delay, unless disclosure impedes a law enforcement investigation. Substitute notice by means prescribed in the statute is allowed in the case of very large breaches. A breached entity that must notify more than 10,000 persons at one time of a security breach is also required to promptly notify all consumer reporting agencies of the breach.

Encryption Safe Harbor: Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted, EXCEPT in the event that the encryption key is also breached.

General Exemptions: Entities subject to Title V of the GLBA are exempt.

Other provisions: Businesses are required to have data destruction security procedures.

Penalties: Civil penalty of at least $2,000 but not more than $50,000 for each violation.

Private Cause of Action: No. Enforcement by the Attorney General only.


Utah

State and Bill Number: Utah. S.B. 69. Utah Code, tit. 13, ch. 42, §§ 101-301.

Data and consumers protected: Personal information of Utah residents.

Covered entities: Any person who owns or licenses computerized data that includes personal information concerning a Utah resident.

Notice Procedures/Timing/Exemptions: Written, electronic or telephonic notice must be provided to victims of a security breach within the most expedient time possible and without unreasonable delay, unless disclosure impedes a law enforcement investigation. Notice of the security breach may also be provided via publication in a newspaper of general circulation.

Encryption Safe Harbor: Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted or protected by another method that renders the data unreadable or unusable.

General Exemptions: Entities regulated by state or federal law that maintain procedures for addressing security breaches pursuant to those laws are exempt.

Other provisions: All entities that conduct business in the state are required to maintain reasonable data protection measures.

Penalties: Fine no greater than $2,500 per violation or series of violations concerning a specific consumer, and no greater than $100,000 in the aggregate for related violations concerning more than one consumer.

Private Cause of Action: No. Enforcement by the Attorney General only.

Vermont

State and Bill Number: Vermont. SB 284. Vermont Stat., tit. 9, §§ 2430-2445.

Data and consumers protected: Personal information of Vermont residents: a person's first name or initial and last name combined with a SSN; a driver's license or state ID number; an account number or credit or debit card number, combined with any required information that allows access to the account; or any other financial information. Also includes account numbers on their own, and passwords and PIN numbers on their own.

Covered entities: A state agency, university, corporation, LLC, financial institution, retail operator or other retail entity that handles, collects, disseminates or otherwise deals with nonpublic personal information.

Notice Procedures/Timing/Exemptions: Notice is not required if the entity establishes that misuse of the information is not reasonably possible and provides notice of that determination. Allows telephonic notice of the breach. Substitute notice is allowed when the cost of providing notice would exceed $50,000 or the affected class of individuals to be notified exceeds 5,000. If more than 1,000 persons must be notified at one time, the consumer reporting agencies must also be notified.

Encryption Safe Harbor: Excludes information that is redacted or protected by another method that renders the data unreadable or unusable.

General Exemptions: Financial institutions subject to certain federal interagency guidance regarding consumer information are exempt.

Penalties: Up to $10,000 per violation.

Private Cause of Action: Individuals have a right to seek an injunction.


Virginia

State and Bill Number: Virginia. SB 307.2. Virginia Code § 18.2-186.6.

Data and consumers protected: Personal information of Virginia residents.

Covered entities: Any individual or entity storing personal information of Virginia residents. Entity includes corporations, business trusts, estates, partnerships, limited partnerships, limited liability partnerships, limited liability companies, associations, organizations, joint ventures, governments, governmental subdivisions, agencies, or instrumentalities, or any other legal entity, whether for profit or not for profit.

Notice Procedures/Timing/Exemptions: Individuals and entities must disclose any breach of the security of the system, following discovery or notification of the breach, to the Office of the Attorney General and any affected Virginia resident. Notice may be written, telephonic, or electronic. Substitute notice by means prescribed in the statute is allowed in the case of very large breaches. Notice must include a description of the incident in general terms, the type of personal information that was breached, the general acts of the individual or entity to protect the personal information from further breaches, a telephone number that the person may call for further information and assistance, and advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports. In the event an individual or entity provides notice to more than 1,000 persons at one time pursuant to this section, the individual or entity shall notify, without unreasonable delay, the Office of the Attorney General and the consumer reporting agencies.

Encryption Safe Harbor: Statute applies only to unencrypted and unredacted computerized data that the owner of the data reasonably believes will result in identity theft or other fraud. "Encrypted" means the transformation of data through the use of an algorithmic process into a form in which there is a low probability of assigning meaning without the use of a confidential process or key, or the securing of the information by another method that renders the data elements unreadable or unusable. "Redact" means alteration or truncation of data such that no more than the following are accessible as part of the personal information.

General Exemptions: An entity that maintains its own notification procedures as part of an information privacy or security policy that is consistent with the statute, an entity that is subject to Title V of the GLBA, or an entity that complies with the notification requirements of the entity's primary state or federal regulator.

Other provisions: Statute permits notice of the breach to be given via telephone, e-mail, or in writing.

Penalties: The Attorney General may bring an action and may impose a civil penalty not to exceed $150,000 per breach of the security of the system, or per series of breaches of a similar nature that are discovered in a single investigation.

Private Cause of Action: Yes.


Washington

State and Bill Number: Washington. S.B. 6043. Wa. Rev. Code, tit. 19, § 255.010.

Data and consumers protected: Personal information of Washington residents.

Covered entities: Any person or business that conducts business in Washington and owns or licenses computerized data that includes personal information, as well as any agency that owns or licenses computerized data that includes personal information.

Notice Procedures/Timing/Exemptions: Written or electronic notice must be provided to victims of a security breach within the most expedient time possible and without unreasonable delay, unless disclosure impedes a law enforcement investigation. Substitute notice by means prescribed in the statute is allowed in the case of very large breaches. Notice not required in the case of a technical breach of the security system which does not reasonably subject consumers to a "risk of criminal activity."

Encryption Safe Harbor: Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted.

Penalties: Civil liabilities imposed for damages caused by failure to comply with the statute.

Private Cause of Action: Yes.


West Virginia

State and Bill Number: West Virginia. S.B. 340. W.V. Code § 46A-2A-101.

Data and consumers protected: Personal information of West Virginia residents.

Covered entities: An individual or entity that owns or licenses computerized data that includes personal information. Entity includes corporations, business trusts, estates, partnerships, limited partnerships, limited liability partnerships, limited liability companies, associations, organizations, joint ventures, governments, governmental subdivisions, agencies, or instrumentalities, or any other legal entity, whether for profit or not for profit.

Notice Procedures/Timing/Exemptions: An individual or entity must give notice if encrypted information is accessed and acquired in an unencrypted form, or if the security breach involves a person with access to the encryption key, and the individual or entity reasonably believes that such breach has caused or will cause identity theft or other fraud to any resident of West Virginia. Notice may be written, telephonic, or electronic. Substitute notice by means prescribed in the statute is allowed in the case of very large breaches. Notice shall include a description of the categories of information breached; a telephone number or website address that the individual may use to contact the entity or the agent of the entity, and from whom the individual may learn what types of information the entity maintained about that individual or about individuals in general, and whether the entity maintained information about that individual; and the toll-free contact telephone numbers and addresses for the major credit reporting agencies and information on how to place a fraud alert or security freeze.

Encryption Safe Harbor: Statute applies only to unencrypted and unredacted computerized data that the owner of the data reasonably believes will result in identity theft or other fraud. "Encrypted" means transformation of data through the use of an algorithmic process into a form in which there is a low probability of assigning meaning without use of a confidential process or key, or securing the information by another method that renders the data elements unreadable or unusable. "Redact" means alteration or truncation of data such that no more than the last four digits of a social security number, driver's license number, state identification card number or account number is accessible as part of the personal information.

General Exemptions: An entity that maintains its own notification procedures as part of an information privacy or security policy that is consistent with the statute, an entity that is subject to Title V of the GLBA, or an entity that complies with the notification requirements of the entity's primary state or federal regulator.

Penalties: The Attorney General has exclusive authority to bring an action. No civil penalty may be assessed unless the court finds that the defendant has engaged in a course of repeated and willful violations. No civil penalty shall exceed one hundred fifty thousand dollars per breach, or per series of breaches of a similar nature that are discovered in a single investigation.

Private Cause of Action: No.


Wisconsin

State and Bill Number: Wisconsin. S.B. 164. Wisc. Stat., ch. 895, § 507.

Data and consumers protected: Personal information of Wisconsin residents. The definition of "personal information" includes biometric data and the individual's deoxyribonucleic acid profile.

Covered entities: All entities, including state and local governments, that engage in one of the following activities: (i) conduct business in Wisconsin and maintain personal information in the ordinary course of business; (ii) license personal information in Wisconsin; (iii) maintain a depository account for a Wisconsin resident; or (iv) lend money to a Wisconsin resident.

Notice Procedures/Timing/Exemptions: Notice must be provided to victims of a security breach, by mail or a method previously used to communicate with the affected individuals, within a reasonable time, not to exceed 45 days, unless disclosure impedes a law enforcement investigation. Substitute notice by means prescribed in the statute is allowed when the mailing address of the affected individual(s) is unknown. Notice not required if the breach does not create "a material risk of identity theft or fraud," or if the personal information was obtained in good faith and is used for a lawful purpose. An entity that must notify 1,000 or more persons at one time of a security breach is also required to promptly notify all consumer reporting agencies of the breach.

Encryption Safe Harbor: Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted, redacted or altered in a manner that renders it unreadable.

General Exemptions: Entities regulated by certain federal laws mentioned in the statute are exempt.

Wyoming
H.B. 208
S.B. 194
Wyo. Stat. 40-12-501-509

Data and consumers protected: Personal identifying information about a resident of Wyoming.

Covered entities: Any individual or commercial entity that conducts business in Wyoming and that owns or licenses computerized data that includes personal identifying information about a resident of Wyoming.

Notice Procedures/Timing/Exemptions: An individual or entity, when it becomes aware of a breach of the security of the system, must conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal identifying information has been or will be misused. If the investigation determines that the misuse of personal identifying information about a Wyoming resident has occurred or is reasonably likely to occur, the individual or the commercial entity shall give notice as soon as possible to the affected Wyoming resident.

Notice may be written or electronic.

Substitute notice by means prescribed in the statute allowed in the case of very large breaches.

Notice must include a toll-free number that the individual may use to contact the person collecting the data and the toll-free contact telephone numbers and addresses for the major credit reporting agencies.

Encryption Safe Harbor: None.

General Exemptions: Entities subject to and in compliance with the privacy and security provisions of Title V of the GLBA are exempt.

Penalties: A civil penalty of $1,000 for a consumer reporting agency's failure to comply with notification requirements.

Private Cause of Action: A consumer may file a complaint with the federal trade commission and the state attorney general. If a consumer reporting agency intentionally or negligently violates a valid security freeze, the consumer may bring a civil action to recover damages, including attorneys' fees and costs.

District of Columbia*
Bill 16-810
D.C. Code § 28-3851 et seq.

Data and consumers protected: Personal information stored in computerized or other electronic form. Statute is not limited to D.C. residents.

Covered entities: Any person or entity who conducts business in the District of Columbia, and who, in the course of such business, owns or licenses computerized or other electronic data that includes personal information.

Notice Procedures/Timing/Exemptions: Upon discovery of breach, person or entity must promptly notify any District of Columbia resident whose personal information was included in the breach, in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement. This applies even if the person or entity that discovers the breach does not own the compromised data. If the breach involves personal information of more than 1,000 people, the person or entity must also notify consumer reporting agencies.

Notice must be written or electronic, if the customer has consented to receipt of electronic notice.

Substitute notice by means prescribed in the statute allowed in the case of very large breaches.

Encryption Safe Harbor: None.

General Exemptions: Entities subject to Title V of the GLBA are exempt.

Penalties: Attorney General may bring petition for temporary or permanent injunctive relief and for an award of restitution for property lost or damages suffered by D.C. residents. Attorney General may recover a civil penalty not to exceed $100 for each violation, the costs of the action, and reasonable attorney's fees. Each failure to provide a D.C. resident with notification is a separate violation.

Private Cause of Action: Yes. Any D.C. resident may bring a civil action to recover actual damages, the costs of the action, and reasonable attorney's fees. Actual damages shall not include dignitary damages, including pain and suffering.

Puerto Rico*
Bill 111
10 Laws of Puerto Rico § 4051 et seq.

Data and consumers protected: Personal information of Puerto Rico residents.

Covered entities: Any entity that is the proprietor or custodian of a data bank for commercial use that includes personal information of citizens who reside in Puerto Rico.

Notice Procedures/Timing/Exemptions: Clients must be notified as expeditiously as possible, taking into consideration the need of law enforcement agencies to secure possible crime scenes and evidence as well as the application of measures needed to restore the system's security. Within a non-extendable term of ten (10) days after the violation of the system's security has been detected, the parties responsible shall inform the Department of Consumer Affairs, which shall make a public announcement of the fact within twenty-four (24) hours after having received the information.

Notice must be written or electronic.

Substitute notice by means prescribed in the statute allowed in the case of very large breaches.

Encryption Safe Harbor: Yes. Statute applies to data that is not protected by a cryptographic code but only by a password.

Other provisions: No provision of this chapter is prejudicial to those institutional information and security policies that an enterprise or entity may have in force to provide protection equal or better to the protection called for by the statute.

Penalties: Fines of five hundred dollars up to a maximum of five thousand dollars for each violation.

Private Cause of Action: Yes. Consumers may bring actions apart from the statute.

Virgin Islands*
Bill 6789
14 V.I. Code § 2208

Data and consumers protected: Personal information of Virgin Islands residents.

Covered entities: Any person or business that conducts business in the Virgin Islands, and that owns or licenses computerized data that includes personal information.

Notice Procedures/Timing/Exemptions: Upon discovery of breach, disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement.

Notice must be written or electronic.

Substitute notice by means prescribed in the statute allowed in the case of very large breaches.

Encryption Safe Harbor: Yes.

Other provisions: Any waiver of the provisions of the statute is contrary to public policy, and is void and unenforceable.

Penalties: Any business that violates, proposes to violate, or has violated this title may be enjoined. Statute does not contain fines.

Private Cause of Action: Yes. Any customer injured by a violation of this title may commence a civil action to recover damages.
