
Exhibit B

State-By-State Data Security Overview

Michele A. Whitham, Partner, Founding Co-Chair, Security & Privacy Practice Group

Foley Hoag LLP, 155 Seaport Boulevard, Boston, MA 02210

State / Statute Citation / Overview of Statutory Scheme

Alabama
Citation: None

Alaska
Citation: Alaska Stat. § 45.48.010 et seq.

Scheme is based on disclosure/notification of breaches in data security

Violators are liable for a civil penalty of up to $500 for each resident who is not notified of a breach, up to $50,000.

Also establishes specific guidelines governing theft of and damage to consumer credit, including a credit "security freeze" system by which consumers can attempt to prevent damage to their credit during the process of rectifying the breach.

May delay disclosing breach if an appropriate law enforcement agency determines disclosure will interfere with a criminal investigation.

Notification may be written, electronic or by substitute notice (e-mail, posting on website, media notification) if the first two methods of notification exceed $150,000 or class of individuals exceeds 300,000 people.

Arizona
Citation: Ariz. Code § 44-7501; Ariz. Rev. Stat. Ann. § 44-7304

Scheme is based on disclosure/notification of breaches in data security

Upon becoming aware of a breach of personal information, a reasonable investigation must be conducted and individuals notified accordingly.

Notification may be delayed if law enforcement agency advises notification will impede criminal investigation.

Notification may be written, electronic, telephonic or by substitute notice (e-mail, posting on website, media notification) if the first three methods of notification exceed $50,000 or class of individuals exceeds 100,000 people.

Arizona has adopted an anti-spyware law (the AG, software providers, and website and trademark owners can bring enforcement suits).

Arkansas
Citation: Ark. Code § 4-110-101 et seq.; Ark. Code Ann. § 4-111-101 et seq.

Scheme is based on disclosure/notification of breaches in data security

Establishes general security guidelines for those who own and/or manage personal information to follow in the event or suspicion of a breach.

Notification of a breach must be made to any resident of Arkansas in the most expedient time and manner possible, without unreasonable delay.

Notification may be delayed if law enforcement agency advises notification will impede criminal investigation.

Notification may be written, electronic or by substitute notice (e-mail, posting on website, media notification) if the first two methods of notification exceed $250,000 or class of individuals exceeds 500,000 people.

Arkansas has adopted an anti-spyware law (the AG can enforce).

California
Citation: Cal. Civ. Code §§ 56.06; 1785.11.2; 1798.29; 1798.82; Cal. Bus. & Prof. Code § 22947 et seq.

Scheme is based on disclosure/notification of breaches in data security

Establishes general notification guidelines for those who own and/or manage personal information to follow in the event or suspicion of a breach.

§ 56.06 specifically addresses maintenance and disclosure requirements of personal medical information.

Also establishes specific guidelines governing theft of and damage to consumer credit, including a credit “security freeze” system by which consumers can attempt to prevent damage to their credit during the process of rectifying the breach.

§ 1798.82 applies whether computerized consumer records are maintained in or out of the state.

Notification may be written, electronic or by substitute notice (e-mail, posting on website, media notification) if the first two methods of notification exceed $250,000 or class of individuals exceeds 500,000 people.

NOTE: California created the California Office of Privacy Protection (COPP) in 2000.

California has adopted an anti-spyware law (no enforcement provisions).

Colorado
Citation: Colo. Rev. Stat. § 6-1-716

Scheme is based on disclosure/notification of breaches in data security

Awareness of breach requires a good faith, prompt investigation to determine likelihood personal information has been or will be misused.

Notification may be delayed if law enforcement agency advises notification will impede criminal investigation.

Notification may be written, electronic, telephonic or by substitute notice (e-mail, posting on website, media notification) if the first three methods of notification exceed $50,000 or class of individuals exceeds 250,000 people.

NOTE: Colorado has created the Colorado Office of Cyber Security which focuses on threats to electronic information systems

Connecticut
Citation: Conn. Gen. Stat. § 36a-701b

Scheme is based on disclosure/notification of breaches in data security

Establishes general notification guidelines for those who own and/or manage personal information to follow in the event or suspicion of a breach.

Also establishes specific guidelines governing theft of and damage to consumer credit, including a credit “security freeze” system by which consumers can attempt to prevent damage to their credit during the process of rectifying the breach.

Notification may be delayed if law enforcement agency advises notification will impede criminal investigation.

Notification may be written, electronic, telephonic or by substitute notice (e-mail, posting on website, media notification) if the first three methods of notification exceed $250,000 or class of individuals exceeds 500,000 people.

Delaware
Citation: Del. Code tit. 6, § 12B-101 et seq.

Scheme is based on disclosure/notification of breaches in data security

Establishes general notification guidelines for those who own and/or manage personal information to follow in the event or suspicion of a breach.

Notification may be delayed if law enforcement agency advises notification will impede criminal investigation.

Notification may be written, electronic, telephonic or by substitute notice (e-mail, posting on website, media notification) if the first three methods of notification exceed $75,000 or class of individuals exceeds 100,000 people.

Florida
Citation: Fla. Stat. § 817.5681

Scheme is based on disclosure/notification of breaches in data security

Establishes general notification guidelines for those who own and/or manage personal information to follow in the event or suspicion of a breach.

Violators are liable for a civil penalty of up to $1,000 for each day the breach goes undisclosed for up to 30 days, and thereafter, $50,000 for each 30-day period or portion thereof for up to 180 days, not to exceed $500,000 total.

Notification may be delayed if law enforcement agency advises notification will impede criminal investigation.

Notification may be written, electronic or by substitute notice (e-mail, posting on website, media notification) if the first two methods of notification exceed $250,000 or class of individuals exceeds 500,000 people.

Georgia
Citation: Ga. Code §§ 10-1-910, 911; Ga. Code Ann. § 16-9-150

Scheme is based on disclosure/notification of breaches in data security

Expressly recognizes the growing risk of identity theft to Georgia citizens due to ever more widespread collection of personal information.

Establishes general notification guidelines for those who own and/or manage personal information to follow in the event or suspicion of a breach.

Notification may be written, electronic or by substitute notice (e-mail, posting on website, media notification) if the first two methods of notification exceed $250,000 or class of individuals exceeds 500,000 people.

Georgia has adopted an anti-spyware law (the AG, ISPs and telecommunications carriers can bring suits).

Hawaii
Citation: Haw. Rev. Stat. § 487N-2

Scheme is based on disclosure/notification of breaches in data security

Establishes general notification guidelines for those who own and/or manage personal information to follow in the event or suspicion of a breach.

Notification may be delayed if law enforcement agency advises notification will impede criminal investigation.

Notification may be written, electronic, telephonic or by substitute notice (e-mail, posting on website, media notification) if the first three methods of notification exceed $100,000 or class of individuals exceeds 200,000 people.

Idaho
Citation: Idaho Code §§ 28-51-104 to 28-51-107; 2010 H.B. 566

Scheme is based on disclosure/notification of breaches in data security

Establishes general notification guidelines for those who own and/or manage personal information to follow in the event or suspicion of a breach.

Violators are subject to a fine of not more than $25,000 per breach of personal information.

Notification may be written, electronic, telephonic or by substitute notice (e-mail, posting on website, media notification) if the first three methods of notification exceed $25,000 or class of individuals exceeds 50,000 people.

The Idaho Code was amended in 2010 to include the following provisions:

o A governmental agency that becomes aware of a breach shall notify the Idaho Attorney General within 24 hours.

o Government employees who violate the provisions of this statute are guilty of a misdemeanor and subject to a fine of not more than $2,000 or imprisonment for not more than 1 year.

Illinois
Citation: 815 ILCS 530/1 et seq.

Scheme is based on disclosure/notification of breaches in data security

Establishes general notification guidelines for those who own and/or manage personal information to follow in the event or suspicion of a breach.

Notification may be delayed if law enforcement agency advises notification will impede criminal investigation.

Notification may be written, electronic or by substitute notice (e-mail, posting on website, media notification) if the first two methods of notification exceed $250,000 or class of individuals exceeds 500,000 people.

Indiana
Citation: Ind. Code §§ 24-4.9 et seq.; 4-1-11 et seq.; 2009 H.B. 1121; Ind. Code Ann. §§ 24-4.8-2-2, 24-4.8-3-1

Scheme is based on disclosure/notification of breaches in data security

Establishes general notification guidelines for those who own and/or manage personal information to follow in the event or suspicion of a breach.

Establishes general duty of care for “database owners,” the failure of which is considered a “deceptive act” actionable only by the attorney general and up to $5,000 per act.

The attorney general may also bring an action for a civil penalty for the failure to disclose a breach. The penalty may be up to $150,000 per deceptive act.

Notification may be delayed if law enforcement agency advises notification will impede criminal investigation or jeopardize national security, or if delay is necessary to restore computer system integrity or discover breach scope.

Notification may be written, electronic, telephonic, faxed or by substitute notice (e-mail, media notification) if the first four methods of notification exceed $250,000 or class of individuals exceeds 500,000 people.

Indiana has adopted an anti-spyware law (software providers, website owners, and trademark owners can bring civil actions for injunctions and damages).

Iowa
Citation: Iowa Code § 715C.1 (2008 S.F. 2308); Iowa Code Ann. § 715.7

Scheme is based on disclosure/notification of breaches in data security

Establishes general notification guidelines for those who own and/or manage personal information to follow in the event or suspicion of a breach.

Notification may be delayed if law enforcement agency advises notification will impede criminal investigation.

Notification may be written, electronic or by substitute notice (e-mail, posting to website, media notification) if the first two methods of notification exceed $250,000 or class of individuals exceeds 350,000 people.

Iowa has adopted an anti-spyware law (provides for criminal penalties, but no private right of action).

Kansas
Citation: Kan. Stat. §§ 50-7a01; 50-7a02

Scheme is based on disclosure/notification of breaches in data security

Establishes general notification guidelines for those who own and/or manage personal information to follow in the event or suspicion of a breach.

Notification may be delayed if law enforcement agency advises notification will impede criminal investigation.

Notification may be written, electronic or by substitute notice (e-mail, posting to website, media notification) if the first two methods of notification exceed $100,000 or class of individuals exceeds 5,000 people.

Kentucky
Citation: None

Louisiana
Citation: La. Rev. Stat. § 51:3071 et seq.; La. Rev. Stat. Ann. §§ 51:1441 to :1449

Scheme is based on disclosure/notification of breaches in data security

Establishes general notification guidelines for those who own and/or manage personal information to follow in the event or suspicion of a breach.

Notification may be delayed if law enforcement agency advises notification will impede criminal investigation.

Notification may be written, electronic or by substitute notice (e-mail, posting to website, media notification) if the first two methods of notification exceed $250,000 or class of individuals exceeds 500,000 people.

Louisiana has adopted an anti-spyware law (criminal penalties, plus the AG, software providers, trademark owners, and ISPs may bring actions for injunctive relief and damages).

Maine
Citation: Me. Rev. Stat. tit. 10 §§ 1347 et seq.; 2009 Public Law 161

Scheme is based on disclosure/notification of breaches in data security

Establishes general notification guidelines for those who own and/or manage personal information to follow in the event or suspicion of a breach.

Violators are subject to a fine of not more than $500 per violation, up to a maximum of $2,500 for each day the person is in violation. However, this provision does not apply to State Government, the University of Maine System, the Maine Community College System or Maine Maritime Academy.

Notification may be delayed for no longer than 7 business days if law enforcement agency advises notification will impede criminal investigation.

Notification may be written, electronic or by substitute notice (e-mail, posting to website, media notification) if the first two methods of notification exceed $5,000 or class of individuals exceeds 1,000 people.

Maryland
Citation: Md. Code, Com. Law § 14-3501 et seq.

Scheme is based on disclosure/notification of breaches in data security

Establishes general notification guidelines and duty of care for those who own and/or manage personal information to follow in the event or suspicion of a breach.

Violators may be subject to a penalty of $1,000 for the first violation, and up to $5,000 for each additional violation.

Notification may be delayed if law enforcement agency advises notification will impede criminal investigation or jeopardize homeland or national security, or to determine the breach scope, identify individuals affected or restore system integrity.

Notification may be written, electronic, telephonic or by substitute notice (e-mail, posting to website, media notification) if the first three methods of notification exceed $100,000 or class of individuals exceeds 175,000 people.

Massachusetts
Citation: Mass. Gen. Laws § 93H-1 et seq.; 201 CMR 17.00

Scheme is based on disclosure/notification of breaches in data security

Objectives of this regulation are to ensure the security and confidentiality of customer information in a manner fully consistent with industry standards; protect against anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer.

Establishes a duty to protect and standards for protecting personal information.

Sets minimum standards to be met in connection with the safeguarding of personal information contained in both paper and electronic records.

Notification may be written, electronic or by substitute notice (e-mail, posting to website, media notification) if the first two methods of notification exceed $250,000 or class of individuals exceeds 500,000 people.

Michigan
Citation: Mich. Comp. Laws § 445.72

Scheme is based on disclosure/notification of breaches in data security

Establishes general notification guidelines for those who own and/or manage personal information to follow in the event or suspicion of a breach.

Managers/owners of personal information are not required to disclose a breach if they “determine[d] that the security breach has not or is not likely to cause substantial loss or injury to, or result in identity theft.”

Anyone who provides false notice of a security breach with the “intent to defraud” is subject to a misdemeanor charge punishable by imprisonment for up to 30 days and/or up to $250 for each violation.

Violators of the section are subject to a civil fine up to $250 for each failure to provide notice.

The total of civil penalties may not exceed $750,000.

Notification may be delayed if law enforcement agency advises notification will impede criminal investigation or jeopardize homeland or national security, or to determine the breach scope or restore system integrity.

Notification may be written, electronic, telephonic or by substitute notice (e-mail, posting to website, media notification) if the first three methods of notification exceed $250,000 or class of individuals exceeds 500,000 people.

Minnesota
Citation: Minn. Stat. §§ 325E.61, 325E.64

Scheme is based on disclosure/notification of breaches in data security

Establishes general notification guidelines for those who own and/or manage personal information to follow in the event or suspicion of a breach.

Notification may be delayed if law enforcement agency advises notification will impede criminal investigation.

Notification may be written, electronic or by substitute notice (e-mail, posting to website, media notification) if the first two methods of notification exceed $250,000 or class of individuals exceeds 500,000 people.

Statute also requires ISPs to maintain confidentiality of customers’ personally identifiable information.

Mississippi
Citation: 2010 H.B. 583

Scheme is based on disclosure/notification of breaches in data security

Establishes general notification guidelines for those who own and/or manage personal information to follow in the event or suspicion of a breach.

Allows companies to forego notification if they can prove – after a reasonable investigation – that the breach will not result in harm to affected individuals.

Notification may be delayed if law enforcement agency advises notification will impede criminal investigation or national security.

Notification may be written, electronic, telephonic or by substitute notice (e-mail, posting to website, media notification) if the first three methods of notification exceed $5,000 or class of individuals exceeds 5,000 people.

Missouri
Citation: Mo. Rev. Stat. § 407.1500

Scheme is based on disclosure/notification of breaches in data security

Establishes general notification guidelines for those who own and/or manage personal information to follow in the event or suspicion of a breach.

Medical information is expressly included and protected under this provision.

Notification may be delayed if law enforcement agency advises notification will impede criminal investigation or jeopardize national or homeland security.

Notification may be written, electronic, telephonic or by substitute notice (e-mail, posting to website, media notification) if the first three methods of notification exceed $100,000 or class of individuals exceeds 150,000 people.

Montana
Citation: Mont. Code § 30-14-1701 et seq.; 45-6-332; 2009 H.B. 155, Chapter 163

Scheme is based on disclosure/notification of breaches in data security

Establishes general notification guidelines and duty of care for those who own and/or manage personal information to follow in the event or suspicion of a breach.

§ 45-6-332 defines the crime “theft of identity.” Violators who sought economic benefit as a purpose in committing this crime may be subject to a civil penalty of up to $10,000 and/or 10 years in state prison.

Notification may be delayed if law enforcement agency advises notification will impede criminal investigation.

Notification may be written, electronic, telephonic or by substitute notice (e-mail, posting to website, media notification) if the first three methods of notification exceed $250,000 or class of individuals exceeds 500,000 people.

Nevada
Citation: Nev. Rev. Stat. §§ 603A.010 et seq.

Scheme is based on disclosure/notification of breaches in data security

Establishes general notification guidelines and security requirements, including a requirement to destroy old records, for those who own and/or manage personal information to follow in the event or suspicion of a breach.

Permits owners/managers of personal information to seek damages and restitution through civil action against the person or persons who “unlawfully obtained or benefited” from the personal information that was breached.

Notification may be delayed if law enforcement agency advises notification will impede criminal investigation.

Notification may be written, electronic or by substitute notice (e-mail, posting to website, media notification) if the first two methods of notification exceed $250,000 or class of individuals exceeds 500,000 people.

Statute also requires ISPs to maintain confidentiality of all their customers’ information.

New Hampshire
Citation: N.H. Rev. Stat. §§ 359-C:19 to -C:21; N.H. Rev. Stat. §§ 359-H:2 to :3

Scheme is based on disclosure/notification of breaches in data security

Establishes general notification guidelines for those who own and/or manage personal information to follow in the event or suspicion of a breach.

“Any person” injured by a violation under this statute may bring a civil action for actual damages. The statute permits that if the violation was “willful or knowing,” then the court may award as much as 3 times the amount of actual damages, but not less than 2 times the amount, as well as attorney’s fees and costs of the suit.

Notification may be delayed if law enforcement agency advises notification will impede criminal investigation or jeopardize homeland or national security.

Notification may be written, electronic, telephonic or by substitute notice (e-mail, posting to website, media notification) if the first three methods of notification exceed $5,000 or class of individuals exceeds 1,000 people.

New Hampshire has adopted an anti-spyware law (violations are Class A misdemeanors).

New Jersey
Citation: N.J. Stat. 56:8-163

Scheme is based on disclosure/notification of breaches in data security

Establishes general notification guidelines for those who own and/or manage personal information to follow in the event or suspicion of a breach.

Notification may be delayed if law enforcement agency advises notification will impede criminal investigation.

Notification may be written, electronic or by substitute notice (e-mail, posting to website, media notification) if the first two methods of notification exceed $250,000 or class of individuals exceeds 500,000 people.

New Mexico
Citation: None

New York
Citation: N.Y. Gen. Bus. Law § 899-aa

Scheme is based on disclosure/notification of breaches in data security

Establishes general notification guidelines for those who own and/or manage personal information to follow in the event or suspicion of a breach.

Permits the attorney general to commence civil action against violators, with damages payable to those affected by the breach. When violated "knowingly or recklessly, the court may impose a civil penalty of the greater of five thousand dollars or up to ten dollars per instance of failed notification, provided the latter amount shall not exceed $150,000."

Notification may be delayed if law enforcement agency advises notification will impede criminal investigation.

Notification may be written, electronic, telephonic or by substitute notice (e-mail, posting to website, media notification) if the first three methods of notification exceed $250,000 or class of individuals exceeds 500,000 people.

NOTE: New York has created the Office of Cyber Security and Critical Infrastructure Coordination, which focuses on threats to electronic information systems

North Carolina
Citation: N.C. Gen. Stat. § 75-65

Scheme is based on disclosure/notification of breaches in data security

Establishes specific notification guidelines for those who own and/or manage personal information to follow in the event or suspicion of a breach.

Notification may be delayed if law enforcement agency advises notification will impede criminal investigation, or jeopardize national or homeland security.

Notification may be written, electronic, telephonic or by substitute notice (e-mail, posting to website, media notification) if the first three methods of notification exceed $250,000 or class of individuals exceeds 500,000 people.

North Dakota
Citation: N.D. Cent. Code § 51-30-01 et seq.

Scheme is based on disclosure/notification of breaches in data security

Establishes general notification guidelines for those who own and/or manage personal information to follow in the event or suspicion of a breach.

Notification may be delayed if law enforcement agency advises notification will impede criminal investigation.

Notification may be written, electronic or by substitute notice (e-mail, posting to website, media notification) if the first two methods of notification exceed $250,000 or class of individuals exceeds 500,000 people.

Ohio
Citation: Ohio Rev. Code §§ 1347.12, 1349.19, 1349.191, 1349.192

Scheme is based on disclosure/notification of breaches in data security

Establishes general notification guidelines and duty of care for those who own and/or manage personal information to follow in the event or suspicion of a breach.

Establishes a set of rights for those who are the subject of personal information held by a state or local agency including the right to know what information systems the person's information is maintained on.

Violators may be subject to a civil penalty of up to $1,000 for each day of noncompliance with the provisions of the statute. After 60 days of "intentional or reckless" noncompliance, a civil penalty of up to $5,000 may be assessed, rising to $10,000 after 90 days of such behavior, with no expressed limit.

Notification may be delayed if law enforcement agency advises notification will impede criminal investigation, or jeopardize homeland or national security.

Notification may be written, electronic, telephonic or by substitute notice (e-mail, posting to website, media notification) if the first three methods of notification exceed $250,000 or class of individuals exceeds 500,000 people.

Oklahoma
Citation: Okla. Stat. § 74-3113.1; 2008 H.B. 2245

Scheme is based on disclosure/notification of breaches in data security

Establishes general notification guidelines for those who own and/or manage personal information to follow in the event or suspicion of a breach.

Notification may be delayed if law enforcement agency advises notification will impede criminal investigation.

Notification may be written, electronic or by substitute notice (e-mail, posting to website, media notification) if the first two methods of notification exceed $250,000 or class of individuals exceeds 500,000 people.

Oregon
Citation: Oregon Rev. Stat. § 646A.600 et seq.

Scheme is based on disclosure/notification of breaches in data security

Establishes general notification guidelines for those who own and/or manage personal information to follow in the event or suspicion of a breach.

Also establishes specific guidelines governing theft of and damage to consumer credit, including a credit "security freeze" system by which consumers can attempt to prevent damage to their credit during the process of rectifying the breach.

Notification may be delayed if law enforcement agency advises notification will impede criminal investigation.

Notification may be written, electronic, telephonic or by substitute notice (e-mail, posting to website, media notification) if the first three methods of notification exceed $250,000 or class of individuals exceeds 350,000 people.

Pennsylvania
Citation: 73 Pa. Stat. § 2303

Scheme is based on disclosure/notification of breaches in data security

Establishes general notification guidelines for those who own and/or manage personal information to follow in the event or suspicion of a breach.

Notification may be delayed if law enforcement agency advises notification will impede a criminal or civil investigation.

Notification may be written, electronic, telephonic or by substitute notice (e-mail, posting to website, media notification) if the first three methods of notification exceed $100,000 or class of individuals exceeds 175,000 people.

Rhode Island
Citation: R.I. Gen. Laws § 11-49.2-1 et seq.

Scheme is based on disclosure/notification of breaches in data security

Establishes general notification guidelines for those who own and/or manage personal information to follow in the event or suspicion of a breach.

Violators are subject to a civil penalty for up to $100 per occurrence up to $25,000 total.

Notification may be delayed if law enforcement agency advises notification will impede criminal investigation.

Notification may be written, electronic or by substitute notice (e-mail, posting to website, media notification) if the first two methods of notification exceed $25,000 or class of individuals exceeds 50,000 people.

South Carolina
Citation: S.C. Code § 39-1-90

Scheme is based on disclosure/notification of breaches in data security

Establishes general notification guidelines for those who own and/or manage personal information to follow in the event or suspicion of a breach.

Permits residents to commence civil actions for damages, with the amount dependent upon the level of mental culpability. Residents are also permitted to seek injunctive relief.

Notification may be delayed if law enforcement agency advises notification will impede criminal investigation.

Notification may be written, electronic, telephonic or by substitute notice (e-mail, posting to website, media notification) if the first three methods of notification exceed $250,000 or class of individuals exceeds 500,000 people.

South Dakota
Citation: None

Tennessee
Citation: Tenn. Code § 47-18-2107; 2010 S.B. 2793

Scheme is based on disclosure/notification of breaches in data security

§ 47-18-2103 proscribes identity theft, or engaging in any unfair, deceptive, or misleading act or practice for the purpose of directly or indirectly engaging in identity theft.

The Attorney General may bring an action. Penalty: whichever of the following is greater: $10,000; $5,000 per day for each day that a person's identity has been assumed; or 10 times the amount obtained or attempted to be obtained by the person using the identity theft.

Private right of action: damages (treble if willful/knowing), injunctive relief, attorneys’ fees and costs available.

Texas
Citation: Tex. Bus. & Com. Code § 521.053; Tex. Bus. & Com. Code Ann. §§ 48.101, 48.102

Scheme is based on disclosure/notification of breaches in data security

Establishes general notification guidelines for those who own and/or manage personal information to follow in the event or suspicion of a breach.

Notification may be delayed if law enforcement agency advises notification will impede criminal investigation.

Notification may be written, electronic or by substitute notice (e-mail, posting to website, media notification) if the first two methods of notification exceed $250,000 or class of individuals exceeds 500,000 people.

Texas has adopted an anti-spyware law. Software providers, webpage or trademark owners, telecommunications carriers, cable operators and ISPs can bring private suits for injunctive relief, damages, attorneys’ fees and costs. The AG can also recover civil penalties in the amount of $100,000 for each violation.

Utah Utah Code §§ 13-44-101, 102, 201, 202, 310

Scheme is based on disclosure/notification of breaches in data security

Establishes general notification guidelines for those who own and/or manage personal information to follow in the event or suspicion of a breach.

Permits the attorney general to pursue $2,500 in civil penalties for a violation concerning one consumer and no more than $100,000 for aggregated violations concerning more than one consumer.

Grants the attorney general power to inspect and copy all records related to the business conducted by a person alleged to be in violation of this statute, and requires that person or business to cover the costs related to the inspection.

Notification may be written, electronic, by telephone or by publishing notice of the breach in a newspaper.

Vermont Vt. Stat. tit. 9 § 2430 et seq.

Scheme is based on disclosure/notification of breaches in data security

Establishes general notification guidelines for those who own and/or manage personal information to follow in the event or suspicion of a breach.

Also expressly establishes a duty to destroy documents containing personal information.

Notification may be delayed if law enforcement agency advises notification will impede a law enforcement investigation or a national or homeland security investigation, or will jeopardize public safety or national or homeland security interests.

Notification may be written, electronic, telephonic or by substitute notice (e-mail, posting to website, media notification) if the first three methods of notification exceed $5,000 or class of individuals exceeds 5,000 people.

Virginia Va. Code § 18.2-186.6; 2010 H.B. 1039

Scheme is based on disclosure/notification of breaches in data security

Establishes specific notification guidelines for those who own and/or manage personal information to follow in the event or suspicion of a breach.

Permits the attorney general to impose a civil penalty up to "$150,000 per breach of the security of the system or a series of breaches of a similar nature that are discovered in a single investigation."

Does not prohibit private rights of action for residents affected by a security breach.

2010 H.B. 1039 concerns data breaches involving medical information, with provisions analogous to those of Va. Code § 18.2-186.6.

Notification may be delayed if law enforcement agency advises notification will impede a civil or criminal investigation, or will jeopardize national or homeland security.

Notification may be written, electronic, telephonic or by substitute notice (e-mail, posting to website, media notification) if the first three methods of notification exceed $50,000 or class of individuals exceeds 100,000 people.

Washington Wash. Rev. Code § 19.255.010; 2010 H.B. 1149; Wash. Rev. Code Ann. §§ 19.270.010 et seq.

Scheme is based on disclosure/notification of breaches in data security

Establishes general notification guidelines for those who own and/or manage personal information to follow in the event or suspicion of a breach.

Permits individuals to commence civil actions against violators for damages and injunctions.

Amended effective July 1, 2010 to include credit/debit card theft as a security breach that requires notification, and also sets recommendations to "encourage" financial institutions to "reissue credit and debit cards to consumers when appropriate, and to permit financial institutions to recoup data breach costs associated with the reissuance from large businesses and card processors who are negligent in maintaining or transmitting card data."

Notification may be delayed if law enforcement agency advises notification will impede criminal investigation.

Notification may be written, electronic or by substitute notice (e-mail, posting to website, media notification) if the first two methods of notification exceed $250,000 or class of individuals exceeds 500,000 people.

Washington has adopted anti-Spyware law (AG, software provider or website owner may bring action for damages – which may be trebled against repeat offenders)

West Virginia W.V. Code §§ 46A-2A-101 et seq.

Scheme is based on disclosure/notification of breaches in data security

Establishes general notification guidelines for those who own and/or manage personal information to follow in the event or suspicion of a breach.

Grants exclusive enforcement power to the attorney general; however, "no civil penalty may be assessed in an action unless the court finds that the defendant has engaged in a course of repeated and willful violations of this article," and the penalty may not exceed $150,000 per breach of security.

Breaches by financial institutions are exclusively enforceable by the financial institution’s primary functional regulator.

Notification may be delayed if law enforcement agency advises notification will impede a criminal or civil investigation or homeland or national security.

Notification may be written, electronic, telephonic or by substitute notice (e-mail, posting to website, media notification) if the first three methods of notification exceed $50,000 or class of individuals exceeds 100,000 people.

Wisconsin Wis. Stat. § 134.98 et seq.

Scheme is based on disclosure/notification of breaches in data security

Establishes general notification guidelines for those who own and/or manage personal information to follow in the event or suspicion of a breach.

Limits time required to give notification of breach to 45 days.

Notification may be delayed if law enforcement agency advises notification will impede an investigation or homeland security.

Entity is not required to provide notice of personal information acquisition if it does not create material risk of identity theft or fraud, or was acquired in good faith and used for a lawful purpose.

Notification may be by mail or other method the entity has previously employed to communicate with the subject of the personal information. If the mailing address cannot be reasonably obtained and the entity has not previously communicated, entity must provide notice by method calculated to provide actual notice.

NOTE: Wisconsin has created the Office of Privacy Protection, focusing on issues of identity theft and consumer protection

Wyoming Wyo. Stat. § 40-12-501, 502

Scheme is based on disclosure/notification of breaches in data security

Establishes general notification guidelines for those who own and/or manage personal information to follow in the event or suspicion of a breach.

Also establishes specific guidelines governing theft of and damage to consumer credit, including a credit "security freeze" system by which consumers can attempt to prevent damage to their credit during the process of rectifying the breach.

Notification may be delayed if law enforcement agency advises notification will seriously impede criminal investigation.

Notification may be written, electronic or by substitute notice (posting to website, media notification) if the first two methods of notification exceed $10,000 for Wyoming-based persons/businesses and $250,000 for all other businesses operating in, but not based in, Wyoming, or if the affected class exceeds 10,000 for Wyoming-based persons/businesses and 500,000 for all other businesses operating in, but not based in, Wyoming.
