U.S. state laws on confidential data breaches

On Jan. 1, 2006 New Jersey, Louisiana and Illinois joined the group of U.S. states with their own legislation on leaks of sensitive data. The number of states regulating the handling of confidential and private information has now reached two dozen.

InfoWatch recently published a review of the New Jersey Identity Theft Protection Act, which came into force on Jan. 1, 2006. The law has already gained a reputation as the harshest state law on information leaks. It forces companies to destroy personal customer information of every kind once it is no longer needed, and obliges them to notify affected individuals if sensitive information is compromised. The main provisions of the Louisiana law stipulate that both the affected individuals and the state authorities must be informed of a breach of private information. The Illinois law differs from Louisiana's in that the state authorities do not need to be informed. Today more than twenty states have laws regulating leaks of confidential information, and they differ in who is covered, whether notification is triggered by any breach or only by one that poses a risk of harm, which regulated entities are exempt, what penalties apply and whether the law imposes obligations (such as data protection or disposal requirements) before any breach has occurred. The entries below summarize the legislative measures found in the different states.

Fields used in each entry: the legislation and the date it came into force; who is affected by the law; whether there needs to be proof that the data was compromised or poses a risk of harm before notification is required; exceptions to the law; penalties and supervising body; and whether special measures are required even before a data breach occurs.

Arkansas
  Legislation and effective date: SB 1167, 12 August 2005
  Affected: All legal entities and natural persons engaged in commercial activities
  Proof of compromise or risk of harm required before notification: Yes
  Exceptions: Entities conforming to a federal or state law that requires greater protection, or equivalent action in the case of a data leak
  Penalties / supervising body: Department of Justice
  Measures required before a breach: Yes

California
  Legislation and effective date: SB 1386, 1 July 2003
  Affected: All legal entities and natural persons engaged in commercial activities (separate section for state organizations)
  Proof of compromise or risk of harm required before notification: No
  Exceptions: An entity conforming to the state laws on healthcare, the financial and transport codes on confidentiality, or the HIPAA law is exempt from the requirements that apply before a data leak, but not from the rules governing notification of victims
  Penalties / supervising body: Civil fines and reimbursement of damages to the victim, fines and injunctions. Department of Justice
  Measures required before a breach: Yes

Connecticut
  Legislation and effective date: SB 650, 1 January 2006
  Affected: All legal entities and natural persons engaged in commercial activities
  Proof of compromise or risk of harm required before notification: Yes
  Exceptions: Entities complying with the GLBA provisions on information-security privacy and notifying victims of leaks are considered to satisfy the requirements of the law
  Penalties / supervising body: A violation is treated as an unfair trade practice. Department of Justice
  Measures required before a breach: No

Delaware
  Legislation and effective date: HB 116, 28 June 2005
  Affected: All legal entities and natural persons engaged in commercial activities
  Proof of compromise or risk of harm required before notification: No
  Exceptions: Entities conforming to a federal or state law that requires greater protection of personal information
  Penalties / supervising body: Reimbursement of damages, civil lawsuits, fines and injunctions. Department of Justice
  Measures required before a breach: No

Florida
  Legislation and effective date: HB 481, 1 July 2005
  Affected: All legal entities and natural persons engaged in commercial activities
  Proof of compromise or risk of harm required before notification: Yes
  Exceptions: An entity is considered to have satisfied the requirements of the law if it uses a federally approved procedure to notify victims
  Penalties / supervising body: Fines of $1,000 for every day an entity fails to make a leak public (for the first 30 days), then $50,000 for every further thirty-day period (up to 180 days), but no more than $500,000 in total. Government agencies cannot be fined
  Measures required before a breach: No

Georgia
  Legislation and effective date: SB 230, 5 May 2005
  Affected: Only companies trading in data, with the exception of state agencies
  Proof of compromise or risk of harm required before notification: No
  Exceptions: none listed
  Penalties / supervising body: none listed
  Measures required before a breach: No

Illinois
  Legislation and effective date: HB 1633, 1 January 2006
  Affected: Any entity collecting data, including all organizations and government agencies
  Proof of compromise or risk of harm required before notification: No
  Exceptions: none listed
  Penalties / supervising body: A violation is considered an illegal act and comes under the law on consumer fraud and unfair trade practices
  Measures required before a breach: No

Indiana
  Legislation and effective date: SB 503, 1 July 2006
  Affected: State agencies
  Proof of compromise or risk of harm required before notification: No
  Exceptions: none listed
  Penalties / supervising body: none listed
  Measures required before a breach: No

Louisiana
  Legislation and effective date: SB 205, 1 January 2006
  Affected: Any entity or agency
  Proof of compromise or risk of harm required before notification: Yes
  Exceptions: Financial institutions complying with the interagency guidance on data leaks and with the law's notification requirements are considered to be in compliance with the law
  Penalties / supervising body: Lawsuits filed by private individuals
  Measures required before a breach: No

Maine
  Legislation and effective date: LD 1671, 31 January 2006
  Affected: Only companies trading in data, with the exception of state agencies
  Proof of compromise or risk of harm required before notification: No
  Exceptions: none listed
  Penalties / supervising body: State supervisory bodies monitor licensed brokers; the Department of Justice monitors all other brokers. Fines of no more than $500 for each violation and no more than $2,500 for every day a leak is not made public
  Measures required before a breach: No

Maryland
  Legislation and effective date: SB 43
  Status: A special commission has been formed to study the issue
  Measures required before a breach: No

Minnesota
  Legislation and effective date: HF 2121, 1 January 2006
  Affected: All legal entities and natural persons engaged in commercial activities (separate section for state organizations)
  Proof of compromise or risk of harm required before notification: No
  Exceptions: Entities complying with the GLBA and HIPAA laws
  Penalties / supervising body: Department of Justice
  Measures required before a breach: No

Montana
  Legislation and effective date: HB 732, 1 March 2006
  Affected: All legal entities and natural persons engaged in commercial activities (special requirements for insurance companies)
  Proof of compromise or risk of harm required before notification: Yes
  Exceptions: none listed
  Penalties / supervising body: Fines for unfair trade practices
  Measures required before a breach: Yes

Nevada
  Legislation and effective date: SB 347, 1 October 2005
  Affected: Any entity collecting data, including all organizations and government agencies
  Proof of compromise or risk of harm required before notification: Yes
  Exceptions: Entities complying with the GLBA provisions on information-security privacy and notifying victims of leaks are considered to satisfy the requirements of the Nevada law. Some entities are also exempt from the measures required before a leak
  Penalties / supervising body: Department of Justice
  Measures required before a breach: Yes

New Jersey
  Legislation and effective date: A4001, 1 January 2006
  Affected: Any commercial or public company
  Proof of compromise or risk of harm required before notification: Yes
  Exceptions: none listed
  Penalties / supervising body: A violation is treated as an illegal act and a violation of P.L. 1960
  Measures required before a breach: not stated in the source

New York
  Legislation and effective date: SB 5827, 7 December 2005
  Affected: All legal entities and natural persons
  Proof of compromise or risk of harm required before notification: No
  Exceptions: none listed
  Penalties / supervising body: Fines and reimbursement of damages to the victim. Department of Justice
  Measures required before a breach: No

North Carolina
  Legislation and effective date: HB 1048, 17 February 2006
  Affected: All entities and government agencies
  Proof of compromise or risk of harm required before notification: Yes
  Exceptions: Financial companies complying with federal laws on notifying victims of a leak are considered to satisfy the requirements of the law. Firms complying with the HIPAA provisions on health information are also exempt
  Penalties / supervising body: Fines of $1,000 per day for each day the law is violated, for the first 60 days; $5,000 per day for days 61-90; $10,000 per day from the 91st day. Department of Justice
  Measures required before a breach: No

North Dakota
  Legislation and effective date: SB 2251, 1 June 2005
  Affected: All entities engaged in commercial activities
  Proof of compromise or risk of harm required before notification: No
  Exceptions: Financial institutions complying with the interagency guidance on data leaks and with the law's notification requirements are considered to be in compliance with the law
  Penalties / supervising body: Department of Justice
  Measures required before a breach: No

Ohio
  Legislation and effective date: HB 104, 17 February 2006
  Affected: All entities and government agencies
  Proof of compromise or risk of harm required before notification: Yes
  Exceptions: Financial companies complying with federal laws on notifying victims of a leak are considered to satisfy the requirements of the law. Firms complying with the provisions of the HIPAA law
  Penalties / supervising body: Fines of $1,000 per day for each day the law is violated, for the first 60 days; $5,000 per day for days 61-90; $10,000 per day from the 91st day
  Measures required before a breach: No

Pennsylvania
  Legislation and effective date: SB 721, 1 July 2006
  Affected: All entities
  Proof of compromise or risk of harm required before notification: Yes
  Exceptions: Financial institutions complying with the interagency guidance on data leaks and with the law's notification requirements are considered to be in compliance with the law. Any company satisfying the notification requirements of a federal or other regulatory body
  Penalties / supervising body: A violation is treated as an unfair trade practice. Department of Justice
  Measures required before a breach: No

Rhode Island
  Legislation and effective date: HB 6191, 10 July 2005
  Affected: All state agencies and entities (including those engaged in commercial activities)
  Proof of compromise or risk of harm required before notification: Yes
  Exceptions: Firms complying with the provisions of the HIPAA law. Entities conforming to a federal or state law that requires greater protection, or equivalent action in the case of a data leak
  Penalties / supervising body: Compensation lawsuits by private individuals; civil fines, penalties and injunctions from the Department of Justice
  Measures required before a breach: Yes

Tennessee
  Legislation and effective date: HB 2170, 1 July 2005
  Affected: Holders of data, including all citizens and companies, as well as state agencies
  Proof of compromise or risk of harm required before notification: Yes
  Exceptions: Entities complying with the GLBA law
  Penalties / supervising body: Compensation lawsuits by private individuals
  Measures required before a breach: No

Texas
  Legislation and effective date: SB 122, 1 September 2005
  Affected: Any entity engaged in commercial activities
  Proof of compromise or risk of harm required before notification: No
  Exceptions: Companies complying with the GLBA law are exempt from the provisions on measures to be taken before a data leak occurs
  Penalties / supervising body: Fines of at least $2,000 and no more than $50,000 per violation. Civil fines. A violation comes under the law on consumer fraud and unfair trade practices
  Measures required before a breach: Yes

Washington
  Legislation and effective date: SB 6043, 24 July 2005
  Affected: All citizens and companies, including state agencies
  Proof of compromise or risk of harm required before notification: Yes
  Exceptions: none listed
  Penalties / supervising body: Compensation lawsuits filed by private individuals
  Measures required before a breach: No

Source: Crowell & Moring
