Www.ehcca.com



DAVIS WRIGHT TREMAINE LLP

Anne Shelby, Esq.

(206) 757-8183

anneshelby@

STATUS OF DATA BREACH NOTIFICATION STATUTES IN THE 50 STATES AND WASHINGTON D.C.

|Tab |State |Statute |Legislative |Effective Date |Definition of Personal Information (“PI”) |Covered Entities |Key Provisions/Comments |

| | | |Reference | | | | |

| |Alaska |N/A |H.B. 31 | |Individual’s first name or initial and |Any person that owns or uses PI of an AK |House and Senate bills introduced 01/16/07 and still |

| | | |S.B. 21 | |last name, address, or telephone number in|resident. |under consideration in committee in 2008. |

| | | | | |combination with any of the following: | |The proposal does not include a description of the risk |

| | | | | |SSN; | |of harm that would trigger notification. |

| | | | | |Driver’s license or state ID number; | | |

| | | | | |Account, credit or debit card number | | |

| | | | | |combined with security code or password | | |

| | | | | |that permits access to an individual’s | | |

| | | | | |financial account. | | |

| | | | | |PI does not include data that is encrypted| | |

| | | | | |or redacted. | | |

| |Arkansas |Ark. Code Ann. §§ |S.B. 1167 |03/31/05 |Individual’s first name or initial and |Any person or business that acquires, |Disclosure made in the most expedient time and manner |

| | |4-110-101 through | | |last name combined with any of the |owns, or licenses computerized data that |possible, without reasonable delay. |

| | |4-110-108 | | |following: |includes PI or maintains such data of AR |Enforced by Attorney General under Ark. Code Ann. §§ |

| | | | | |SSN; |residents. |4-88-101 through 4-88-115. |

| | | | | |Driver’s license or state ID number; |Applies to any entity that maintains PI |Any waiver is void and unenforceable. |

| | | | | |Account, credit or debit card number in |about an AR resident, whether or not it | |

| | | | | |combination with any information that |conducts business in the state. | |

| | | | | |allows access to financial account; | | |

| | | | | |Medical information. | | |

| | | | | |Encrypted or redacted information is | | |

| | | | | |excluded from PI. | | |

| |Colorado |Colo. Rev. Stat. §|H.B. 06-1119 |09/01/06 |Colorado resident’s first name or initial |Any individual or commercial entity that |Conduct, in good faith, a prompt investigation to |

| | |6-1-716 | | |and last name combined with any of the |conducts business in CO and owns or |determine likelihood that PI has been or will be misused|

| | | | | |following: |licenses computerized data that includes |and give notice as soon as possible to the affected CO |

| | | | | |SSN; |PI or maintains such data. |resident. |

| | | | | |Driver’s license or state ID number; |“Commercial entity” means any private |Notice may be written, telephonic, or electronic. |

| | | | | |Account, credit or debit card number in |legal entity, whether for-profit or |Substitute notice (email notice, conspicuous posting on |

| | | | | |combination with any information that |not-for-profit. |website, and notification to major statewide media) can |

| | | | | |allows access to financial account. | |be employed if the cost of providing notice would exceed|

| | | | | |Data that is redacted or secured by other | |$250,000 or 200,000 CO residents would have to be |

| | | | | |methods that renders information | |individually notified. |

| | | | | |unreadable or unusable is excluded from | | |

| | | | | |PI. | | |

| |Delaware |Del. Code Ann. |H.B. 116 |06/28/05 |Delaware resident’s first name or initial |Any individual or commercial entity that |Notification is not required, if after investigation, |

| | |tit. 6, §§ 12B-101| | |and last name combined with any of the |conducts business in DE and owns or |breach will not likely result in harm to individuals |

| | |through 12B-104 | | |following: |licenses computerized data that includes |whose PI has been acquired or accessed. |

| | | | | |SSN; |PI or maintains such data. |Substitute notice permitted if cost of notice will |

| | | | | |Driver’s license or state ID number; |“Commercial entity” includes corporations,|exceed $75,000 or the affected class to be notified |

| | | | | |Account, credit or debit card number in |business trusts, estates, trusts, |exceeds 100,000 residents. |

| | | | | |combination with any information that |partnerships, limited partnerships, LLPs, | |

| | | | | |allows access to financial account. |LLCs, associations, organizations, joint | |

| | | | | |Encrypted information is excluded from PI.|ventures, governments, governmental | |

| | | | | | |subdivisions, agencies, or | |

| | | | | | |instrumentalities, or any other legal | |

| | | | | | |entity, whether for-profit or | |

| | | | | | |not-for-profit. | |

| |Georgia |Ga. code Ann. §§ |S.B. 230 |05/05/05 |Individual’s first name or initial and |Applies to “information brokers” or “data |Notification must be made in the most expedient time |

| | |10-1-910 through | | |last name combined with any of the |collectors” that own or license |possible and without reasonable delay. |

| | |10-1-912 | | |following: |computerized data that includes PI or a |Provides for substitute notice if the information broker|

| | | | | |SSN; |person or business who maintains such data|demonstrates costs would exceed $50,000 or the affected |

| | | | | |Driver’s license or state ID number; |on behalf of Information Broker. |class exceeds 100,000 individuals. |

| | | | | |Account, credit or debit card number, if |“Information broker” means any person or |Any person that maintains, but does not own, |

| | | | | |circumstances exist that the number could |entity who engages in the business of |computerized data on behalf of an information broker or |

| | | | | |be used without any additional identifying|collecting, assembling, evaluating, |data collector that includes PI shall notify it of any |

| | | | | |information, access codes, or passwords; |compiling, reporting, transmitting, |breach within 24 hours following discovery if the PI |

| | | | | |Account passwords or personal |transferring, or communicating information|was, or is reasonably believed to have been acquired by |

| | | | | |identification numbers or other access |concerning individuals for the primary |an unauthorized person. |

| | | | | |codes; |purpose of furnishing personal information| |

| | | | | |Any of the previous items when not |to third parties, but does not include | |

| | | | | |connected with first name or initial and |governmental agencies. | |

| | | | | |last name if the information would be |“Data collector” means any state or local | |

| | | | | |sufficient to perform or attempt identity |agency or subdivision thereof, but does | |

| | | | | |theft against the person whose information|not include any governmental agency whose | |

| | | | | |was compromised. Allows access to account.|records are maintained primarily for | |

| | | | | |Encrypted information is excluded from PI.|traffic safety, law enforcement, or | |

| | | | | | |licensing purposes or for purposes of | |

| | | | | | |providing public access to court records | |

| | | | | | |or to real/personal property information. | |

| |Idaho |Idaho Code Ann. §§|S.B. 1374 |07/01/06 |Idaho resident’s first name or initial and|Any agency, individual, or commercial |Must conduct in good faith a reasonable and prompt |

| | |28-51-104 to | | |last name combined with any of the |entity that conducts business in ID and |investigation to determine the likelihood that PI has |

| | |28-51-107 | | |following: |owns or licenses computerized data that |been or will be misused. If investigation determines |

| | | | | |SSN; |includes PI about ID residents, or that |that the misuse has occurred or is reasonably likely to |

| | | | | |Driver’s license or state ID number; |maintains computerized data that includes |occur, the agency, individual, or the commercial entity |

| | | | | |Account, credit or debit card number in |PI. |shall give notice as soon as possible to the ID |

| | | | | |combination with any information that | |resident. |

| | | | | |allows access to financial account. | |Substitute notice if costs of notice exceed $25,000 or |

| | | | | |Encrypted information is excluded from PI.| |if more than 50,000 individuals would have to be |

| | | | | | | |notified. |

| | | | | | | |Provides for a penalty of $25,000 to any agency, |

| | | | | | | |individual, or commercial entity that intentionally |

| | | | | | | |fails to give notice in accordance with the statute. |

| |Indiana |Ind. Code §§ |H.B. 1101 |07/01/06 |PI means: |Data base owners that own or license |After discovering or being notified of a breach, the |

| | |24-4.9-1 to 4.9-3 | | |SSN that is not encrypted or redacted or |computerized data that includes PI. |data base owner shall disclose breach to IN resident |

| | |Ind. Code §§ | | |individuals first name or initial and last|Any person that maintains computerized |whose unencrypted PI was or may have been acquired by an|

| | |4-1-11-1 to | | |name combined with any of the following: |data but is not a data base owner shall |unauthorized person; or encrypted PI was or may have |

| | |4-1-11-10 (for | | |Driver’s license number; |notify the data base owner if the person |been acquired by an unauthorized person with access to |

| | |state agencies) | | |State ID number; |discovers that PI was or may have been |the encryption key; if acquisition resulted in or could |

| | | | | |Credit card number; |acquired by an unauthorized person. |result in identity deception, identity theft, or fraud. |

| | | | | |Financial account number or debit card |“Data base owner” means a person that owns|Substitute notice if costs of notice exceed $250,000 or |

| | | | | |number combined with security code, |or licenses computerized data that |if more than 500,000 individuals would have to be |

| | | | | |password, or access code that would permit|includes PI. |notified. |

| | | | | |access to the person’s account. |“Person” includes individual, corporation,|Provides for enforcement by the Attorney General. |

| | | | | | |or other legal entity doing business in |Attorney General may seek injunctive relief, penalties |

| | | | | | |IN. |up to $150,000 per violation, and costs and expenses of |

| | | | | | | |investigation and suit. |

| | | | | | | |Amendment proposed 01/10/08 would require notification |

| | | | | | | |of Attorney General and data base owner’s regulator, if |

| | | | | | | |any. Attorney General would be required to post on its |

| | | | | | | |website information about each reported data breach. The|

| | | | | | | |amendment also would change notification rules for |

| | | | | | | |instances of portable device thefts. If passed, it would|

| | | | | | | |be effective 07/1/08. |

| |Kansas |Kan. Stat. Ann. |S.B. 196 |07/01/06 |Consumer’s first name or initial and last |Any person that conducts business in KS, |Substitute notice if costs of notice exceed $100,000 or |

| | |50-7a01, 50-7a02 | | |name combined with any of the following: |or any government, governmental |if more than 5,000 individuals would have to be |

| | | | | |SSN; |subdivision or agency that owns or |notified, or the individual or commercial entity does |

| | | | | |Driver’s license or state ID number; |licenses computerized data that includes |not have sufficient contact information to provide |

| | | | | |Account number, credit or debit card |PI, or any individual or commercial entity|notice. |

| | | | | |number in combination with any information|that maintains such data. |Enforcement by the Attorney General except as to |

| | | | | |that allows access to financial account. | |insurance companies. For violations by any insurance |

| | | | | |Encrypted or redacted information is | |company licensed to do business in the state, the |

| | | | | |excluded from PI. | |insurance commissioner has exclusive enforcement |

| | | | | | | |authority. |

| |Louisiana |La. Rev. Stat. |S.B. 205 |01/01/06 |Individual’s first name or initial and |Any person that conducts business in LA or|Substitute notice if costs of notice exceed $250,000 or |

| | |Ann. §§ 51:3071 | | |last name combined with any of the |owns or licenses computerized data that |if more than 500,000 individuals would have to be |

| | |through 51:3077 | | |following: |includes PI, or any person or agency that |notified, or the agency or person does not have |

| | | | | |SSN; |maintains such data. |sufficient contact information. |

| | | | | |Driver’s license or state ID number; |“Person” means any individual, |Notification is not required if after a reasonable |

| | | | | |Account number, credit or debit card |corporation, partnership, sole |investigation the person or business determines that |

| | | | | |number in combination with any information|proprietorship, joint stock company, joint|there is no reasonable likelihood of harm to customers. |

| | | | | |that allows access to financial account. |venture, or any other legal entity. |A financial institution that is subject to compliance |

| | | | | |Encrypted or redacted information is | |with the Federal Interagency Guidance on Response |

| | | | | |excluded from PI. | |Programs for Unauthorized Access to Customer Information|

| | | | | | | |and Customer Notice is deemed to be in compliance with |

| | | | | | | |the statute. |

| |Maryland |Md. Code Ann., |H.B. 208 |01/01/08 |Individual’s first name or initial and |A business that owns or licenses PI of |After investigation, if business concludes that |

| | |Com. Law § 14-3501|S.B. 194 | |last name combined with any of the |individual residents of MD or maintains |notification is not required under the statute, the |

| | |to 3508 | | |following: |such data. |business must maintain records that reflect its |

| | | | | |SSN; | |determination for three years after the determination is|

| | | | | |Driver’s license or state ID number; | |made. |

| | | | | |Account number, credit or debit card | |Substitute notice available if costs of notice exceed |

| | | | | |number in combination with any information| |$100,000 or the affected individuals to be notified |

| | | | | |that allows access to financial account; | |exceeds 175,000. |

| | | | | |An individual tax ID number. | |Provisions of this subtitle are exclusive and preempt |

| | | | | |Excludes information that is encrypted, | |any provision of local law. |

| | | | | |redacted, or otherwise protected by | | |

| | | | | |another method that renders information | | |

| | | | | |unreadable or unusable. | | |

| |Michigan |Mich Comp. Laws § |S.B. 309 (Public |06/29/07 |Individual’s first name or initial and |Any person or agency that owns or licenses|No notice required if it is determined that security |

| | |445.61, 445.63, |Act 566) | |last name combined with one of the |data, or any person or business that |breach has not or is not likely to cause substantial |

| | |445.72 | | |following: |maintains such data. |loss or injury. |

| | | | | |SSN; | |Substitute notice permitted if affected class to be |

| | | | | |Driver’s license or state ID number; | |notified exceeds 500,000 people or notification costs |

| | | | | |Demand deposit or financial account | |would exceed $250,000. |

| | | | | |number, credit or debit card number in | |Provides for a penalty if a person knowingly fails to |

| | | | | |combination with any information that | |provide notice required by statute of not more than $250|

| | | | | |allows access to a financial account. | |for each failure to provide such notice with a cap of |

| | | | | | | |$750,000 per security breach. |

| | | | | | | |Two proposed amendments, S.B. 945 and 703, have been |

| | | | | | | |referred to committee and are pending in 2008. |

| |Mississippi |N/A | | | | |The bill introduced in 2007 did not pass. |

| | | | | | | |No data breach legislation was identified at press time.|

| |Montana |Mont. Code Ann. §§|H.B. 732 H.B. 789|03/01/06 |Individual’s first name or initial and |Any individual or business that conducts |Provides for a private right of action and action by the|

| | |30-14-1701 to 1704|(amended PI to | |last name combined with any of the |business in MT and owns or licenses |Attorney General or county attorney. |

| | | |include tribal ID| |following: |computerized data that includes PI, or any|Any violation constitutes an unlawful practice under the|

| | | |number.) | |SSN; |person or business that maintains such |Consumer Protection Act (Mont. Code Ann. § 30-14-103), |

| | | | | |Driver’s license, state ID card number, or|data. |and is subject to the penalties provided by § 30-14-142.|

| | | | | |tribal ID card number; | |Unlawful violations may also be restrained by temporary |

| | | | | |Account number, credit or debit card | |or permanent injunction, or temporary restraining order.|

| | | | | |number in combination with any information| |Substitute notice permitted if costs of notification |

| | | | | |that would permit access to an | |will exceed $250,000 or affects more than 500,000 |

| | | | | |individual’s financial account. | |people, or the person or business does not have |

| | | | | |Encrypted information is excluded from PI.| |sufficient contact information. |

| | | | | |PI defined more expansively for records | | |

| | | | | |destruction provisions. | | |

| |Nevada |Nev. Rev. Stat. §§|S.B. 347 |01/01/06 |Natural person’s first name or initial and|Any data collector that owns or licenses |Substitute notice permitted if costs of notification |

| | |603A.010 to 920 | | |last name combined with one of the |computerized data that includes PI or |will exceed $250,000 or affects more than 500,000 people|

| | | | | |following: |maintains such computerized data. |or the data collector does not have sufficient contact |

| | | | | |SSN (last four numbers of SSN does not |“Data collector” means any governmental |information. |

| | | | | |qualify as PI); |agency, institution of higher education, |Data collector must notify consumer reporting agencies |

| | | | | |Driver’s license or state ID number; |corporation, financial institution or |if more than 1,000 persons are affected at one time. |

| | | | | |Account number, credit or debit card |retail operator or any other type of |Effective 10/01/08, Chapter 597 of the Nevada Revised |

| | | | | |number in combination with any information|business entity or association that |Statutes will prohibit a business in the state from |

| | | | | |that allows access to the person’s |handles, collects, disseminates or |transferring a customer’s personal information through |

| | | | | |financial account. |otherwise deals with nonpublic PI. |electronic transmission other than a facsimile to a |

| | | | | |Encrypted information is excluded from PI.| |person outside the secure system of the business unless |

| | | | | | | |the business uses encryption. |

| |New Jersey |N.J. Stat. Ann. § |A 4001/ |01/01/06 |Individual’s first name or initial and |Any business that conducts business in NJ,|Substitute notice permitted if costs of notification |

| | |56:8-161 to 163 |S.B. 2665 | |last name combined with one of the |or any public entity that compiles or |will exceed $250,000 or affects more than 500,000 people|

| | | | | |following: |maintains computerized records that |or the business or public entity does not have |

| | | | | |SSN; |includes PI, or any business or public |sufficient contact information. |

| | | | | |Driver’s license or state ID number; |entity that compiles or maintains such |Requires reporting to State Police before notifying |

| | | | | |Account number, credit or debit card |data. |customers. |

| | | | | |number in combination with any information| |Contains data destruction provisions. |

| | | | | |that allows access to the person’s | |If required to notify more than 1,000 consumers of a |

| | | | | |financial account. | |breach of security, must also notify all consumer |

| | | | | |Includes “dissociated data” that, if | |reporting agencies. |

| | | | | |linked, would constitute PI if the means | | |

| | | | | |to link the dissociated data were accessed| | |

| | | | | |in connection with access to the | | |

| | | | | |dissociated data. | | |

| |New York |N.Y. State Tech |A.B. 4254 |12/08/05 |PI means any information concerning a |Any person or business that conducts |Electronic notice permitted only if recipient gave |

| | |law § 208 (applies| | |natural person which, because of name, |business in NY and owns or licenses |express consent to its receipt and a log for each |

| | |to state agencies)| | |number, personal mark, or other identifier|computerized data that includes PI, or any|notification is kept. |

| | |N.Y. Gen. Bus. Law| | |can be used to identify such natural |person or business that maintains such |Telephonic notification is available only if a log of |

| | |§ 899-aa (applies | | |person, combined with any of the |data. |such notification is kept. |

| | |to businesses) | | |following: |Any state entity that owns or licenses or |Substitute notice permitted if costs of notification |

| | | | | |SSN; |maintains computerized data that includes |will exceed $250,000 or affects more than 500,000 |

| | | | | |Driver’s license or ID card number; |PI. |people, or the business does not have sufficient contact|

| | | | | |Account number, credit or debit card | |information. |

| | | | | |number in combination with any required | |The Attorney General, consumer protection board, and |

| | | | | |information that would permit access to an| |state office of cyber security must be notified if any |

| | | | | |individual’s financial account. | |NY residents are notified. |

| | | | | |Encrypted data is excluded unless the | |In the event that 5,000 NY residents are to be notified |

| | | | | |encryption key has also been compromised. | |at one time, the person or business shall notify |

| | | | | | | |consumer reporting agencies. |

| | | | | | | |A.B.4622 (identical to S.B. 5419) was referred to |

| | | | | | | |committee 01/09/08. The bill applies to both the Tech. |

| | | | | | | |and Bus. laws and would modify the definition of private|

| | | | | | | |information to include data publicly available from |

| | | | | | | |government; expand the use of e-mail notification; |

| | | | | | | |require state agencies to notify out-of-state residents;|

| | | | | | | |require notices to include credit bureau contact |

| | | | | | | |information; and make technical changes to the laws. |

| |Oklahoma |Okla. Stat. tit. |H.B. 2357 |06/08/06 |Individual’s first name or initial and |Any state agency, board, commission or |Substitute notice permitted if costs to notify exceed |

| | |74, § 3113.1 | | |last name combined with any of the |other unit or subdivision of state |$250,000 or affected class exceeds 500,000 persons. |

| | | | | |following: |government that owns or licenses | |

| | | | | |SSN; |computerized data that includes PI or | |

| | | | | |Driver’s license or state ID number; |maintains such data. | |

| | | | | |Account number, credit or debit card | | |

| | | | | |number in combination with any information| | |

| | | | | |that allows access to the person’s | | |

| | | | | |financial account. | | |

| | | | | |Encrypted information is excluded from PI.| | |

| |Pennsylvania |73 Pa. Stat. § |S.B 712 |06/20/06 |Individual’s first name or initial and |Any entity or vendor that maintains, |Must provide notice if encrypted information is accessed|

| | |2303 | | |last name combined with any of the |stores, or manages computerized data that |and acquired in an unencrypted form. |

| | | | | |following: |includes PI. |Substitute notice permitted if cost of notification |

| | | | | |SSN; | |exceeds $100,000, the affected class exceeds 175,000, or|

| | | | | |Driver’s license or state ID number; | |the entity does not have sufficient contact information.|

| | | | | |Financial account number, credit or debit | | |

| | | | | |card number combined with any information | | |

| | | | | |that would permit access to a consumer’s | | |

| | | | | |financial account. | | |

| | | | | |Encrypted or redacted information is | | |

| | | | | |excluded from PI. | | |

| |South Carolina |Not yet codified |H.B. 3035 S.B. 8 | |“Personal identifying information” means |Any person conducting business in the |Law takes effect July 1, 2009. Follows the normal model|

| | | | | |an individual’s first name or initial and |state owning, licensing, maintaining, or |when it comes to standards for notification, though with|

| | | | | |last name combined with: |otherwise possessing personal identifying |some variations. |

| | | | | |SSN; |information of consumer residents. Any |Gives the state Department of Consumer Affairs the power|

| | | | | |Driver’s license numbers; |agency of the state owning, licensing or |to assess administrative fines of $1,000 "for each |

| | | | | |Checking account numbers; |maintaining computerized data that |resident whose information was accessible by reason of |

| | | | | |Savings account numbers; |includes personal identifying information.|the breach," and also allows state residents who have |

| | | | | |Credit card numbers; | |been injured by a violation of the notification |

| | | | | |Debit card numbers; | |requirement to sue for damages, an injunction, and |

| | | | | |Personal ID numbers; | |attorneys' fees and court costs. |

| | | | | |Electronic ID numbers; | | |

| | | | | |Digital signatures; | | |

| | | | | |Other numbers or information that may be | | |

| | | | | |used to access a person’s financial | | |

| | | | | |resources; | | |

| | | | | |Identifying documentation that defines a | | |

| | | | | |person other than the person presenting | | |

| | | | | |the document (includes passports, driver’s| | |

| | | | | |licenses, birth certificates, immigration | | |

| | | | | |documents, and state issued ID cards) | | |

| |Tennessee |Tenn. Code Ann. § |S.B. 2220 |07/01/05 |Individual’s first name or initial and |Any information holder, or information |Substitute notice permitted if costs of notification |

| | |47-18-2107 | | |last name combined with any of the |holder that maintains computerized data |would exceed $250,000 or affected persons to be notified|

| | | | | |following: |that includes PI. |exceeds 500,000. |

| | | | | |SSN; |“Information holder” means person or |Any information holder that maintains its own |

| | | | | |Driver’s license number; |business that conducts business in TN, or |notification procedures as part of an information |

| | | | | |Account number, credit or debit card |any agency of the State of TN or any of |security policy for PI, and whose plan’s timing is |

| | | | | |number in combination with any information|its political subdivisions that owns or |consistent with the timing requirements of the law, is |

| | | | | |that allows access to financial account. |licenses computerized data that includes |deemed in compliance if it notifies persons in |

| | | | | |Encrypted information is excluded from PI.|PI. |accordance with its policies in the event of a breach. |

| | | | | | | |If notice to more than 1,000 persons at one time, the |

| | | | | | | |person must notify consumer reporting agencies and |

| | | | | | | |credit bureaus. |

| |Utah |Utah Code Ann. § |S.B. 69 |01/01/07 |Person’s first name or initial and last |Any person who conducts business in UT and|Provides a general obligation to implement and maintain |

| | |13-44-101 to 301 | | |name combined with any of the following: |maintains PI and any person who owns or |reasonable procedures to prevent unlawful use or |

| | | | | |SSN; |licenses computerized data that includes |disclosure of PI and ensure the proper destruction of |

| | | | | |Financial account number, or credit or |PI. |PI. |

| | | | | |debit card number combined with required | |Notification can be provided by first-class mail, |

| | | | | |information that permits access to the | |electronically if that is the primary way of |

| | | | | |person’s account; | |communicating, telephone, or publishing in a newspaper |

| | | | | |Driver’s license or state ID number. | |of general circulation. |

| | | | | |PI excludes information protected by a | |If entity maintains its own notification procedures as |

| | | | | |method that renders the data unreadable or| |part of information security policy for PI, the entity |

| | | | | |unusable. | |is in compliance with notification requirements if it |

| | | | | | | |notifies each affected UT resident in accordance with |

| | | | | | | |that policy. |

| | | | | | | |A waiver of this provision is void and unenforceable. |

| |Virginia |N/A |H.B. 390 |None proposed |Varies among bills. |H.B. 390: A state agency that owns or |H.B. 1052 and S.B. 307 are identical. |

| | | |H.B. 971 | | |licenses computerized data that includes |All of the bills were introduced in 01/08. |

| | | |H.B. 1052 | | |PI. | |

| | | |S.B. 307 | | |H.B. 971: A person or business that | |

| | | |H.B. 1469 | | |conducts business in VA and that owns or | |

| | | | | | |licenses computerized data that includes | |

| | | | | | |PI. | |

| | | | | | |H.B. 1052/S.B. 307: An individual or | |

| | | | | | |commercial entity that conducts business | |

| | | | | | |in VA and that owns or licenses data that | |

| | | | | | |includes PI about a VA resident. | |

| | | | | | |H.B. 1469: Any individual or entity that | |

| | | | | | |owns or licenses computerized data that | |

| | | | | | |includes PI of a VA resident. | |

| |West Virginia |Not yet codified |H.B. 2175 | |Consumer’s last name, address, or phone |Any data collector that owns or uses |Law takes effect June 6, 2008. Follows the normal model|

| | | | | |number combined with any of the following:|personal information in any form |when it comes to standards for notification, though with|

| | | | | | |(computerized, paper, or otherwise) that |some variations. |

| | | | | |SSN; |includes PI. |Gives the state Attorney General exclusive enforcement |

| | | | | |Driver’s license or state ID number; | |authority, and allows civil penalties only where "the |

| | | | | |Account number, credit or debit card | |defendant has engaged in a course of repeated and |

| | | | | |number if circumstances exist wherein such| |willful violations," and caps all civil penalties at |

| | | | | |a number could be used without additional | |$150,000. |

| | | | | |identifying information, access codes or | | |

| | | | | |passwords; | | |

| | | | | |Account passwords or PIN numbers or other | | |

| | | | | |access codes; | | |

| | | | | |Biometric data; | | |

| | | | | |Any items previously listed not in | | |

| | | | | |connection with the consumer’s last name | | |

| | | | | |if information comprised would be | | |

| | | | | |sufficient to perform or attempt identity | | |

| | | | | |theft. | | |

| |Wyoming |Wyo. Stat. Ann. § |S.F. 53 |07/01/07 |“Personal identifying information” means |An individual or commercial entity that |Notice shall include a toll-free number that the |

| | |40-12-501 to 509 | | |first name or initial and last name |conducts business in WY and that owns or |individual may use to contact the person or his agent |

| | | | | |combined with one of the following: |licenses, or maintains computerized data |collecting the data, and toll-free contact telephone |

| | | | | |SSN; |that includes PI of a resident of WY. |numbers and addresses for the major credit card |

| | | | | |Driver’s license or state ID number; | |reporting agencies. |

| | | | | |Account number, credit or debit card | |Substitute notice permitted if cost of notice would |

| | | | | |number in combination with any information| |exceed $10,000 for WY-based persons or businesses and |

| | | | | |that allows access to financial account; | |$250,000 for all other businesses operating but not |

| | | | | |Tribal identification card; | |based in WY, or affected persons to be notified exceeds |

| | | | | |Federal or state government issued | |10,000 WY-based persons or businesses and 500,000 other |

| | | | | |identification card | |persons or businesses operating but not based in WY. |

| | | | | |Redacted information is excluded. | | |

................
................

In order to avoid copyright disputes, this page is only a partial summary.

Google Online Preview   Download