State Specific Regulations

Since 2002, forty-six states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information. In 2011, at least 14 states introduced legislation expanding the scope of laws, setting additional requirements related to notification, or changing penalties for those responsible for breaches.

California Senate Bill 24

Requires any agency, person, or business that is required to issue a security breach notification pursuant to existing law to fulfill additional requirements pertaining to the security breach notification by electronically submitting a single sample copy of that security breach notification to the Attorney General. Provides that a covered entity under the federal Health Insurance Portability and Accountability Act is deemed to have complied with these provisions if it has complied with existing federal law.

Illinois House Bill 3025/Public Act No. 483

Amends the Personal Information Protection Act; relates to security breaches; requires that certain information be provided in a disclosure notification to a State resident after a breach; provides for a delay of notification to prevent interference with a criminal investigation; provides that civil penalties may be imposed on certain contracted third parties; specifies that a person disposing of materials containing personal information must do so in a manner that renders the information undecipherable.

Massachusetts Law 201 CMR 17.00 - MA 201

At the leading edge of information privacy laws, Massachusetts law 201 CMR 17.00 - commonly known as the "Data Privacy Law" - is now in full effect. This law defines vigorous controls that organizations must implement to protect the confidentiality and integrity of personal information on Massachusetts state residents, such as addresses, social security numbers and other non-public data. Perhaps most critically, this law is not restricted to organizations located in Massachusetts; any organization that receives, stores, maintains, processes or otherwise has access to "personal information" associated with a resident of the Commonwealth of Massachusetts is subject to this extremely detailed security and privacy law.

Nevada Senate Bills 82 and 267

Senate Bill 82:

Relates to governmental information systems; requires the Chief of the Office of Information Security of the Department of Information Technology to investigate and resolve matters relating to security breaches of information systems of state agencies and elected officers; revises authority of the Department to provide services and equipment to local governmental agencies; authorizes the Chief of the Purchasing Division of the Department of Administration to publish advertisements for bids.

Senate Bill 267:

Revises provisions governing personal information and encryption. Prohibits a data collector from moving a data storage device which is used by or is a component of a multi-functional device beyond the control of the data collector, its data storage contractor or a person who assumes the obligation of the data collector to protect personal information unless the data collector uses encryption to ensure the security of the information. Provides for alternative methods or technologies to encrypt data.

