Redemtech is an outsource leader in TCM (Technology Change Management) solutions that is revolutionizing IT asset recovery, data security and computer recycling for major, privacy regulated companies worldwide.

Data Security Regulations - U.S. State Legislation

Alabama

The Alabama Identity Theft bill, 13A-8-190 to 13A-8-201, passed in March 2006, requires any person that conducts business in Alabama and that owns or licenses computerized data containing the personal information of Alabama residents to disclose any security breach of the data to any resident of Alabama whose unencrypted personal information is reasonably believed to have been acquired by an unauthorized person. The bill provides for notification of security breaches by third parties that maintain computerized data containing personal information on behalf of the person who owns or licenses the computerized data. The notification may be delayed upon a request by law enforcement if it is determined that the notification will impede a criminal investigation.
Arkansas

SB 1167 was passed into law on April 4, 2005, and is now cited as Ark. Code Ann. § 4-110-101 to 108. Effective since March 31, 2005, the law provides notice to consumers of any security breach of unencrypted, computerized personal information which is held by a person or business. Notice is not required if there is no reasonable likelihood of harm to consumers.
Arizona

SB 1338 became effective on Dec. 31, 2006, and provides notice to consumers of security breaches of unencrypted, unredacted computerized personal information when there is a reasonable likelihood of harm to consumers. If the entity complies with federal rules, then it is deemed to be in compliance with Arizona law.
California

Civil Code Sec. 1798.80-1798.82, effective July 1, 2003, requires organizations that maintain personal information about California residents to notify consumers of a breach in the security, confidentiality or integrity of unencrypted, computerized personal information held by a business or a government agency. The statute applies regardless of whether the computerized consumer records are maintained within or outside California. As long as a company conducts business in California and owns or licenses computerized data that includes personal information about residents, it has a legal obligation to notify its California consumers of security breaches of their personal information. The statute has broad implications for companies across the U.S., and worldwide, if they maintain, own, or license unencrypted computer data containing personal information about California residents. The statute provides a strong incentive for companies to adopt comprehensive security procedures to limit the vulnerability of their computer systems and to create a plan of action in the event of a security breach. Companies that fail to secure themselves face the cost of notification and the negative impact on image and consumer confidence associated with publicly disclosing a security breach. Moreover, companies face private actions for damages, which could include class actions, if they fail to notify consumers of a security breach.
Colorado

Co. Rev. Stat. §6-1-716(1)(a) became effective on Sept. 1, 2006. The law provides notice to consumers by persons who conduct business in the state of security breaches of unencrypted, computerized personal information. Notice is not required if there is no reasonable likelihood of harm to consumers.
Connecticut

SB 650, passed into law in 2005, became effective on Jan. 1, 2006, as 699 Gen. Stat. Conn. §36a-701. The law requires notice of security breaches by persons who conduct business in the state and have a breach of the security of unencrypted computerized data, electronic media or electronic files containing personal information. Notice is not required if the breached entity determines, in consultation with federal, state, and local law enforcement agencies, that the breach will not likely result in harm to the individuals.
Delaware

HB 116, signed on June 28, 2005, requires notice of a breach of the security, confidentiality or integrity of unencrypted, computerized, personal information by persons doing business in the state. It also covers sensitive personal information including medical information. Violations trigger triple damages plus attorney’s fees.
Florida

HB 481 was signed on June 14, 2005, as Chapter 2005-229. Effective July 1, 2005, the law requires notice to consumers of a material breach in the security, confidentiality or integrity of computerized, unencrypted personal information held by a person who conducts business in the state. Time limits for the notice are specified and penalties are incurred if notice is not given on time. Penalties do not apply to government agencies.
Georgia

SB 230, passed into law in 2005, became effective on May 6, 2005. The law requires notice of breach that compromises the security, confidentiality, or integrity of computerized personal information held by a data broker.
Hawaii

S.B.2290 was passed on May 25, 2006, and requires businesses and state agencies that collect individuals’ personal information to notify Hawaii residents in the event of a security breach. If more than 1,000 individuals are notified, notice is also due to the state’s office of consumer protection. Hawaii specifically requires notification in the event of a breach involving computerized or hard-copy data. Hawaii’s breach notice law is part of a package of privacy measures that also includes provisions regarding credit freezes, data disposition and Social Security number protection.
Idaho

Id. Code Ann. §28-51-104 became effective on July 1, 2006. The law provides notice to consumers of a breach in the security of unencrypted, computerized personal information. Persons who conduct business in the state are required to notify only if the security breach results in a reasonable likelihood of identity theft.
Illinois

HB 1633, Public Act 094-0036, was signed on June 16, 2005, and became effective on Jan. 1, 2006. The Act requires notice to consumers of a breach in the security, confidentiality, or integrity of personal information in system data held by a person or a government agency.
Indiana

Act No. 503, passed into law in 2005, became effective on June 30, 2006. The law provides notification rules to consumers of a breach in the security, confidentiality, or integrity of computerized personal information held by a government agency. In April 2007, Indiana passed a bill that allows consumers who believe the security of their personal information has been breached to place a security freeze on their credit reports.
Kansas

SB 196 went into effect on Jan. 1, 2007. The law provides notice to consumers of a breach in the security of unencrypted, unredacted computerized personal information. Notice is required only if there is a reasonable likelihood of harm to consumers.
Louisiana

SB 205, Act 499, signed on July 12, 2005, went into effect on Jan. 1, 2006. The Act requires notice of a breach of the security, confidentiality, or integrity of unencrypted, computerized, personal information by persons doing business in the state. No notice is required if, after a reasonable investigation, the data holder determines that there is “no reasonable likelihood” of harm to customers. Further exemption is granted for financial institutions which are in compliance with federal guidelines. The law also authorizes civil actions to recover actual damages.
Maine

LD 1671, signed on June 10, 2006, was enacted on Jan. 31, 2006. The regulation covers only information brokers and requires notice of a breach of the security, confidentiality, or integrity of unencrypted, computerized, personal information to residents of the state. The regulation also outlines civil penalties for violations.
Maryland

Criminal Law §8-301 to §8-305 addresses identity fraud only, either as a misdemeanor where the value is less than $500 (punishable by imprisonment not to exceed 18 months, a fine not exceeding $5,000, or both) or as a felony where the value is $500 or greater (punishable by imprisonment not to exceed five years, a fine not exceeding $25,000, or both).
Massachusetts

SB 2058 requires any data collector who owns or uses the personal information of any resident of the commonwealth to notify residents, following discovery, that there has been a breach of the security of the personal information, regardless of whether the data has been accessed by an unauthorized third party for legal or illegal purposes. The law covers security freezes in case of violation. The Massachusetts House in May 2007 unanimously passed a bill that would require businesses to disclose breaches of customer data and allow consumers to lock down their credit reports as a way to thwart identity theft.
Michigan

In December 2004, the Michigan Legislature enacted several new ID theft laws, effective on March 1, 2005. The Identity Theft Protection Act, MCL 445.61 protects a broad range of personal identifying information and includes the fraudulent use - or the attempted use - of personal identifying information of another person for the purpose of committing an illegal act. Consumers can bring private actions under the Michigan Consumer Protection Act. MCL 445.903(jj). Michigan’s Social Security Number Privacy Act, MCL 445.81, introduced measures to protect the privacy and security of SSNs. The Michigan Consumer Protection Act requires truncation of credit card numbers, MCL 445.903(ii). The effective dates were: July 1, 2005, for electronic devices put into service after March 1, 2005; and July 1, 2006, for older, existing electronic devices. Courts may impose a $25,000 fine and a consecutive sentence of up to 5 years commencing after the sentence on an underlying fraud crime has been served.
Minnesota

H.F. 2121, passed into law in 2005, became effective on Jan. 1, 2006. The law requires notice of a breach of the security, confidentiality or integrity of unencrypted, computerized, personal information by persons doing business in the state. The law does not apply to financial institutions or HIPAA entities.
Mississippi

A state statute covers fraudulent use of identity, Social Security number, credit card or debit card number or other identifying information to obtain a thing of value, as well as computer crimes and identity theft.
Missouri

State statute 570.223.1 covers identity theft as a crime if the perpetrator knowingly, and with the intent to deceive or defraud, obtains, possesses, transfers, uses, or attempts to obtain, transfer or use, one or more means of identification not lawfully issued for his or her use.
Montana

HB 732, passed into law in 2005, became effective on March 1, 2006. The law provides notice to consumers of a breach in the security, confidentiality, or integrity of computerized personal information held by a person or business if the breach causes or is reasonably believed to have caused loss or injury to a Montana resident.
Nebraska

L.B. 876 passed in 2006. The law provides notice to consumers of a breach in the security of unencrypted, computerized personal information. Notification is required only if there is a reasonable likelihood that the information will be used in a way that will harm the consumer.
Nevada

SB 347, passed into law in 2005, became effective on Jan. 1, 2006. The law requires notice of breach of the security, confidentiality, or integrity of unencrypted computerized personal information by data collectors, which are defined to include government, business entities and associations that handle, collect, disseminate or otherwise deal with nonpublic personal information.
New Hampshire

HB 1660 FN passed in 2006 and became effective on Jan. 1, 2007. The law provides notice to consumers of a breach in the security of unencrypted, computerized personal information. If there is a reasonable likelihood of harm to the consumer, the entity must inform the consumer of the breach.
New Jersey

A4001/S1914, passed into law in 2005, became effective on Jan. 1, 2006. The law requires notice of breach of security of unencrypted computerized personal information held by a business or public entity. No notice is required if a thorough investigation finds misuse of the information is not reasonably possible. Written documentation of the investigation must be kept for 5 years.
New York

The Information and Security Breach Notification Act, A4254, A3492, was passed into law in August 2005. The Act requires notice of a breach of the security of computerized personal information held by both public and private entities where that information is unencrypted, or is encrypted but the encryption key has also been acquired. The State Attorney General, the State Consumer Protection Board and the Office of Cyber Security and Critical Infrastructure Coordinator must also be notified of the breach of security to protect the residents of New York. The Act also authorizes the attorney general to bring actions on behalf of affected residents.
North Carolina

SB 1048 was passed into law in 2005. The law requires notice of a breach of the security of unencrypted and unredacted written, drawn, spoken, visual or electromagnetic personal information, and of encrypted personal information where the confidential process or key is held by a private business, if the breach causes, is reasonably likely to cause, or creates a material risk of harm to residents of North Carolina. North Carolina specifically requires notification in the event of a breach involving computerized or hard-copy data. The law provides civil and criminal penalties for violations.
North Dakota

SB 2251, passed into law in 2005, North Dakota Century Code Chapter 51-30, became effective on June 1, 2005. The law requires notice of a breach of the security of unencrypted, computerized, personal information by persons doing business in the state. The law includes an expanded list of sensitive personal information, including date of birth, mother’s maiden name, employee ID number, and electronic signature. Exceptions are granted for those financial institutions which are in compliance with federal guidance.
Ohio

HB 104, signed into law on Nov. 17, 2005, became effective on Feb. 15, 2006. The law requires notice of a breach of the security or confidentiality of computerized personal information held by a state agency, political subdivision or business, if the breach is reasonably believed to have caused, or is reasonably believed will cause, a material risk of identity theft or other fraud to an Ohio resident. Personal information includes information that describes anything about a person, including actions or certain personal characteristics, and can be retrieved from a system by a name, identifying number, symbol or other identifier.
Oklahoma

Passed on June 8, 2006, H.B.2357 requires all Oklahoma governmental agencies to notify state residents if their computerized, unencrypted personal information is breached. The statute employs the standard definition of “personal information” used in state breach laws, which includes an individual’s name in combination with a Social Security number, driver’s license number or financial account information. The bill does not contain a harm threshold that must be met before notice is required.
Oregon

Proposed to the Oregon legislature in March 2007, the legislation is pending. The proposed bill would require those who own or maintain individual personal information to notify the subject parties following discovery of a security breach. The law would permit consumers to place a security freeze on their consumer reports. The legislation also requires consumer reporting agencies to notify consumers of any change in consumer reports that have a freeze in place. The bill permits the Oregon Department of Consumer and Business Services to investigate violations and assess penalties of not more than $1,000 for each violation.
Pennsylvania

SB 712, signed into law Dec. 22, 2005, became effective on June 30, 2006. The law requires notification of breaches of the security or confidentiality of computerized personal information, held by a state agency, political subdivision or business, if it is reasonably believed to have caused or will cause loss or injury to any Pennsylvania resident. Personal information includes information accessed and acquired in unencrypted form, if the security breach is linked to a breach of the security of the encryption or if the breach involved a person with access to the encryption key. Exceptions are granted for those financial institutions which are in compliance with federal guidance.
Rhode Island

H. 6191 was enacted on July 10, 2005, and became effective on March 1, 2006. The law requires notice of a breach of the security, confidentiality or integrity of unencrypted, computerized, personal information by persons and by state agencies. The law does not apply to HIPAA entities. Entities covered by another state or federal law are exempt only if that other law provides greater protection to consumers.
South Dakota

South Dakota’s security freeze law became effective on July 1, 2006. SB 180 permits identity theft victims in South Dakota to request a security freeze on credit reporting. A security freeze shall prohibit, with certain specific exceptions, the credit reporting agency from releasing the consumer’s credit report or any information from it without the express authorization of the consumer.
Tennessee

SB 2220, passed into law in 2005, amends Tennessee Code Title 47 Chapter 18, Part 21, and became effective on July 1, 2005. The law requires notice of a breach of the security, confidentiality, or integrity of unencrypted, computerized, personal information by persons doing business in the state. The law does not apply to persons subject to Title V of the Gramm-Leach-Bliley Act. Tennessee state lawmakers in April 2007 passed a bill that restricts access to consumers’ credit reports and limits the use of Social Security numbers by businesses and non-profits.
Texas

SB 122, passed into law in 2005, became effective Sept. 1, 2005. The law requires notice of a breach of the security, confidentiality, or integrity of unencrypted, computerized, personal information by persons who conduct business in the state. The law also authorizes the State Attorney General to seek civil penalties for violations.
Utah

SB 69 went into effect on Jan. 1, 2007. The law requires notice of a breach of the security of computerized personal information that is not protected by a method that makes the information unusable. Those entities regulated by other state or federal laws are exempt. If there is a reasonable likelihood of harm to the consumer, then the entity must inform the consumer of the breach.
Vermont

Security Breach Notification Law, SB 284, passed on May 18, 2006, and will take effect July 1, 2007. The law requires that any data collector that owns or licenses computerized personal information that includes personal information concerning a consumer shall expediently notify the consumer that there has been a security breach following discovery or notification to the data collector of the breach. A law enforcement agency may request a delay if it believes that notification may impede a law enforcement investigation, or a national or homeland security investigation, or jeopardize public safety or national or homeland security interests. In the event a data collector provides notice to more than 1,000 consumers at one time, the data collector is required to notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis. The law does not apply to financial institutions or HIPAA entities.
Virginia

Legislation requiring government agencies and businesses to notify Virginians if their personal information is lost or stolen was introduced to the state legislature in January 2007. Discussion of the bill is pending. State statutes §§ 18.2-152.6, 18.2-152.7, 18.2-152.8, 18.2-152.12, and 19.2-8 (amended), § 19.2-249.2 (added), §§ 18.2-152.9 and 18.2-152.10 (repealed), and § 18.2-186.3 cover computer crimes and penalties. The legislation revises provisions in the Virginia Computer Crimes Act relating to theft of computer services, personal trespass by computer, embezzlement, larceny or receiving stolen goods by computer, and civil damages. Additional statutes have been considered to cover identity theft, restitution and victim assistance.
Washington

SB 6043, passed on May 10, 2005, became effective on July 24, 2005. The law requires notice of a breach of the security, confidentiality, or integrity of unencrypted, computerized, personal information by persons, businesses and government agencies. Notice is not required when there is a technical breach of the security of the system which does not seem reasonably likely to subject customers to a risk of criminal activity. The law imposes civil liability for damages caused by failure to give notice as required.
West Virginia

State Statute 61-3-54, covers taking identity of another person and penalties. Any person who knowingly takes the name, birth date, social security number or other identifying information of another person, without the consent of that other person, with the intent to fraudulently represent that he or she is the other person for the purpose of making financial or credit transactions in the other person's name, is guilty of a felony.
Wisconsin

SB 164 requires notice to consumers when information is taken in a security breach of data that is not encrypted, redacted or altered in any manner rendering the information unreadable. The law includes DNA and biometric data. The entity need only provide notice if it knows that personal information has been acquired by an unauthorized person and there is a material risk of identity theft or fraud. Wisconsin specifically requires notification in the event of a breach involving computerized or hard-copy data.
Wyoming

State Statute 6-3-901 covers unauthorized use of personal identifying information, penalties and restitution. The offense is a misdemeanor, punishable by imprisonment for not more than six months, a fine of not more than $750, or both, if no economic benefit was gained or attempted, or if an economic benefit of less than $1,000 was gained or attempted. It is a felony, punishable by imprisonment for not more than 10 years, a fine of not more than $10,000, or both, if an economic benefit of $500 or more was gained or attempted.
Puerto Rico Privacy Statutes

Puerto Rico has privacy-related statutory and regulatory requirements in access, confidentiality and consent. Puerto Rico has enacted a Bill of Rights and Responsibilities of the Patient which includes patient rights to confidentiality of, and access to, medical records. The Bill of Rights applies to “medical-hospital health services facilities, health professionals and insurers and health care plans throughout the whole jurisdiction of the Commonwealth of Puerto Rico.” The Federal District Court for the District of Puerto Rico has held that HIPAA does not provide a private cause of action.