2021 Security Breach Legislation – National Conference of State Legislatures


DATA BREACH

All 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted security breach notification laws that require businesses or governments to notify consumers or citizens if their personal information is breached.

Lawmakers continue to review existing laws, however. At least 22 states, listed below, introduced or considered measures in 2021 that would amend existing security breach laws. So far in 2021, bills have been enacted in three states: Georgia, North Dakota and Utah (highlighted in bold below).

The most common trends in legislation this year include proposals that would:

  • Establish or shorten the time frame within which an entity must report a breach.
  • Require state or local government entities to report data breaches.
  • Provide an affirmative defense for entities that had reasonable security practices in place at the time of a breach.
  • Expand definitions of "personal information" (e.g., to include biometric information, health information, etc.).
  • Require private sector entities to report breaches to the state attorney general or other state entity.

2021 Legislation

Arizona

AZ S.B. 1279


Status: Pending


Relates to student-level data, relates to accessibility, relates to allowable disclosure, relates to appropriations, relates to Department of Education.

California

CA A.B. 346

Status: Pending


Relates to the Information Practices Act which requires an agency, which includes a local agency, that owns or licenses computerized data that includes personal information to disclose expeditiously and without unreasonable delay a breach in the security of the data to a resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Makes this requirement applicable if the information is accessed by an unauthorized person.

CA A.B. 825

Status: Pending


Specifies that personal information includes genetic information, and would define genetic data to mean any data, regardless of its format, that results from the analysis of a biological sample of an individual, or other source, and concerns genetic material, as specified.

Connecticut

CT H.B. 5310

Status: Pending


Expands the data privacy breach notification statute consumer protection.

CT H.B. 5868

Status: Failed


Requires an online listing of all cyberattacks or data breaches in the state, establishes a central location that lists all cyberattacks or data breaches in the state.

Florida

FL H.B. 971


Status: Failed


Relates to public records, relates to consumer data privacy, provides exemption from public records requirements for information relating to investigations by Department of Legal Affairs and law enforcement agencies of certain data privacy violations, provides for future review and repeal, provides statement of public necessity.

Georgia

GA H.B. 156

Status: Enacted


Relates to military, emergency management, and veterans affairs, so as to provide for additional powers and duties related to homeland security and the military, facilitates the sharing of information and reporting of cyber attacks, requires governmental agencies and utilities to report any cyber attacks to the director of emergency management and homeland security, provides for certain reports and records related to cyber attacks to be exempt from public disclosure, relates to workforce development.

GA H.B. 260

Status: Pending - Carryover


Relates to selling and other trade practices, so as to provide for legislative findings, provides standards for cybersecurity programs to protect businesses from liability, provides for affirmative defenses for data breaches of private information, provides for related matters, provides for an effective date, repeals conflicting laws.

GA S.B. 52

Status: Pending - Carryover


Relates to selling and other trade practices, so as to provide for legislative findings, provides standards for cybersecurity programs to protect businesses from liability, provides for affirmative defenses for data breaches of private information, provides for related matters, provides for an effective date, repeals conflicting laws.

Hawaii

HI S.B. 1009


Status: Pending - Carryover


Amends the definition of "personal information" for the purpose of applying modern security breach of personal information law, prohibits the sale of geolocation information and internet browser information without consent, amends provisions relating to electronic eavesdropping law, prohibits certain manipulated images of individuals.

Illinois

IL H.B. 3412

Status: Pending


Amends the Personal Information Protection Act, provides that if there is a breach of the security of system data, a data collector must notify the Attorney General in addition to the resident to whom the breach relates, requires the notice to be provided no later than 5 days after the breach.

IL S.B. 2353

Status: Pending


Amends the Personal Information Protection Act, provides that data collectors that maintain or store, but do not own or license, computerized data that includes personal information and that are required to issue notice pursuant to this section to the owner or licensee of the information that there has been a breach of the security of the data shall notify the Attorney General regarding the breach.

Massachusetts

MA S.B. 50

Status: Pending


Relates to data security and privacy.

MA S.B. 161

Status: Pending


Protects biometric information under the security breach law.

MA S.B. 225


Status: Pending


Protects personal identifying information.

MA SD 1682

Status: Pending


Relates to protecting biometric information under the security breach law.

Maryland

MD H.B. 117

Status: Failed


Relates to the Personal Information Protection Act.

MD H.B. 148

Status: Failed 


Relates to the Personal Information Protection Act.

MD S.B. 112

Status: Failed 


Relates to the Personal Information Protection Act.

MD S.B. 217

Status: Failed


Relates to the Personal Information Protection Act.

Michigan

MI H.B. 4437


Status: Pending


Provides database security breach policy for state agencies.

Minnesota

MN H.B. 347

Status: Pending - Carryover


Relates to government data practices, expands the requirement for notification of security breaches.

MN S.B. 1127

Status: Pending - Carryover


Relates to government data practices, expands the requirement for notification of security breaches.

Missouri

MO S.B. 4

Status: Pending


Relates to motor vehicle financial responsibility.

MO S.B. 222

Status: Pending


Relates to the safe keeping of personal information.

Nevada

NV S.B. 239


Status: Failed


Relates to cybersecurity, provides immunity from liability for damages arising from the commission of certain unfair trade practices under certain circumstances to certain owners of the rights to a proprietary program or the data stored in a computer who have adopted certain security controls or standards, provides additional circumstances under which certain data collectors are immune from liability for damages for a breach of the security of the system data.

New Jersey

NJ A.B. 193

Status: Pending


Requires disclosure of breach of security of geolocation data.

NJ A.B. 1718

Status: Pending


Requires certain notifications and free credit reports for customers following breach of security of personal information within business or public entity.

NJ A.B. 2449

Status: Pending


Prohibits consumer reporting agencies from charging certain fees and including certain provisions in contracts with consumers.

NJ A.B. 3590

Status: Pending


Revises requirements for the disclosure of a breach of security of certain computerized records containing personal information.

NJ A.B. 3984

Status: Pending


Creates affirmative defense for certain breaches of security.

NJ S.B. 1225

Status: Pending


Revises requirements for disclosure of a breach of security of certain computerized records containing personal information.

NJ S.B. 3062

Status: Pending


Creates affirmative defense for certain breaches of security.

New York

NY A.B. 2500

Status: Pending


Amends the General Business Law, relates to imposing a five-day time limit during which to disclose a breach in the security of a system.

NY A.B. 3088

Status: Pending


Amends the General Business Law, requires certain businesses to offer identity theft prevention and mitigation services in the case of a security breach, exempts businesses under financial hardship.

NY A.B. 3127

Status: Pending


Amends the General Business Law, amends the definition of private information to include birth dates, home addresses or phone numbers or any combination thereof.

NY A.B. 7612

Status: Pending


Relates to the notification of certain state agencies within twenty-four hours of a discovery of a data breach or network security breach.

NY S.B. 2087

Status: Pending


Amends the Tax Law, relates to a business tax credit for purchase of data breach insurance.

NY S.B. 3003

Status: Pending


Creates a private right of action for the breach of a consumer's identifying information such as their social security number, driver's license number, bank account number, credit or debit card number, personal identification number, automated or electronic signature, unique biometric data, account passwords or other information that can be used to access an individual's financial accounts or to obtain goods and services.

NY S.B. 3161

Status: Pending


Requires certain businesses to offer identity theft prevention and mitigation services in the case of a security breach, exempts businesses under financial hardship.

NY S.B. 5808

Status: Pending


Provides that a business must provide notification of a data breach within 15 days of such breach, includes the department of financial services to the list of entities that must be notified of a data breach that affects any New York resident.

North Dakota

ND H.B. 1314


Status: Enacted


Relates to cybersecurity incident reporting requirements.

Oregon

OR H.B. 2128


Status: Pending


Requires tax professionals to report a breach of security associated with tax return preparation to Department of Revenue.

Pennsylvania

PA S.B. 608


Status: Pending


Amends the Breach of Personal Information Notification Act; provides for definitions and for notification of breach; provides for contents and nature of notice and for storage policies.

PA S.B. 696


Status: Pending


Prohibits employees of the Commonwealth from using nonsecured Internet connections, provides for Commonwealth policy and for entities subject to the Health Insurance Portability and Accountability Act.

Tennessee

TN H.B. 470

Status: Pending - Carryover


Changes, from 45 days to 60 days, the limitation on delaying notification to persons affected by the breach of a system security when a law enforcement agency determines that the notification will impede a criminal investigation.

TN H.B. 1551

Status: Pending - Carryover


Relates to Consumer Protection, reduces the number of days a business has to notify a consumer of a data breach involving the consumer's personal information from 45 days to 30 days.

TN S.B. 891

Status: Pending - Carryover


Changes, from 45 days to 60 days, the limitation on delaying notification to persons affected by the breach of a system security when a law enforcement agency determines that the notification will impede a criminal investigation.

TN S.B. 1540

Status: Pending - Carryover


Reduces the number of days a business has to notify a consumer of a data breach involving the consumer's personal information from 45 days to 30 days.

Texas

TX H.B. 3746


Status: Pending


Relates to certain notifications required following a breach of security of computerized data.

Utah

UT H.B. 80


Status: Enacted


Creates affirmative defenses to certain causes of action arising out of a breach of system security.

Washington

WA S.B. 5462


Status: Pending - Carryover


Concerns claims due to a breach of the security of a state database or information technology system.
