2005 Senate Bill 309 / 2006 Public Act 566

Require disclosures of unauthorized personal data releases

Introduced in the Senate

March 16, 2005

Introduced by Sen. Shirley Johnson (R-13)

To require a state agency or a private company that maintains computerized data with personalized information on individuals to notify those individuals if a breach of security allows unencrypted personal identifying information to be acquired by an unauthorized person. Also, to require the notification of law enforcement agencies and the state Attorney General. A person damaged by an unauthorized release could sue for actual damages and costs. The bill was introduced following news stories about hackers obtaining personal data on 145,000 persons from the ChoicePoint database company. ChoicePoint voluntarily performed the actions that would be required by the bill.

Referred to the Committee on Judiciary

Nov. 30, 2006

Reported without amendment

With the recommendation that the substitute (S-5) be adopted and that the bill then pass.

Substitute offered

To replace the previous version of the bill with one that refines and specifies procedures that would be required in various kinds of security breaches. Among other changes it requires the notification of credit reporting agencies if a breach could lead to cases of identity theft, and revises penalties.

The substitute passed by voice vote

Passed in the Senate 36 to 0 (details)

To require a state agency or a private company that maintains computerized data with personalized information on individuals to notify those individuals if a breach of security allows unencrypted personal identifying information to be acquired by an unauthorized person. The bill specifies allowable formats for the notices and the information to be included in the notice. Also, to require the notification of credit reporting agencies of a security breach that could lead to identity theft. Failure to comply with the notification requirements would be punishable by civil fines of $1,000 for each individual affected by a security breach, up to a maximum of $2.5 million.

Received in the House

Nov. 30, 2006

Referred to the Committee on Banking and Financial Services

Dec. 5, 2006

Reported without amendment

With the recommendation that the substitute (H-3) be adopted and that the bill then pass.

Dec. 13, 2006

Substitute offered

To replace the previous version of the bill with one that lowers the proposed penalty for each failure to notify an individual to $250, up to an aggregate maximum of $750,000, and makes other minor revisions.

The substitute passed by voice vote

Amendment offered by Rep. David Robertson (R-51)

To exempt courts from the entities covered by the bill.

The amendment passed by voice vote

Amendment offered by Rep. David Robertson (R-51)

To revise details of the definition of "redacted" as it applies to personally identifying numbers (such as the last four digits of a person's social security number). The bill does not apply the same requirements to breaches of redacted information.

The amendment passed by voice vote

Dec. 14, 2006

Passed in the House 107 to 0 (details)

To require a state agency or a private company that maintains computerized data with personalized information on individuals to notify those individuals if a breach of security allows unencrypted personal identifying information to be acquired by an unauthorized person. The bill specifies allowable formats for the notices and the information to be included in the notice. Also, to require the notification of credit reporting agencies of a security breach that could lead to identity theft. Failure to comply with the notification requirements would be punishable by civil fines of $250 for each individual affected by a security breach, up to a maximum of $750,000.

Received in the Senate

Dec. 14, 2006

To concur with the House-passed version of the bill.

Passed in the Senate 36 to 0 (details)

Signed by Gov. Jennifer Granholm

Dec. 30, 2006