Privacy Lawyer & Attorney : Proskauer Rose Law Firm : CAN-SPAM, FCRA, FACTA

On June 10, Connecticut Governor M. Jodi Rell signed into law a bill to safeguard Social Security numbers and other personal information. The law imposes a civil penalty of up to $500,000 on violators. The new law takes effect October 1, 2008. 

The new law penalizes any individual or business that intentionally fails to protect personal information.  “Personal information” includes Social Security numbers, driver’s license numbers, and account numbers for insurance policies, credit card numbers and bank accounts. Individuals and businesses are subject to civil penalties of $500 per violation, up to $500,000 for any single event. The law imposes the same penalty for intentional failure to “destroy, erase or make unreadable” personal information during disposal of records. It does not, however, impose fines on negligent or unintentional violators, nor does it apply to public entities.        

The law also requires businesses that collect Social Security numbers to create a privacy protection policy. The policy must protect the confidentiality of Social Security numbers, prohibit unlawful disclosure and limit access to them.

Unlike its counterpart in California, the Connecticut law only applies to willful violations. California also protects more categories of information. However, the Connecticut law creates a duty to safeguard personal information, whereas the California laws require only “reasonable steps” to protect or destroy personal information. 

This law is part of a broader effort in Connecticut to protect Social Security numbers; in the last two months, Connecticut has enacted three separate bills to protect Social Security numbers. The other two bills affect the use of Social Security numbers on birth certificates.

Whereas California Civil Code § 1798.84 authorizes a private right of action for California consumers injured by violations of its data security law, the new Connecticut law does not appear to create a private right of action. Instead, civil penalties are paid to the state, and the Department of Consumer Protection and other business licensing agencies share enforcement duties. 

Leslie Buoncristiani, a summer associate in Proskauer’s Los Angeles office, contributed to this post.

• Print
• Comments
• Trackbacks

On May 9, 2008, Iowa Governor Chester Culver signed legislation (SF 2308) requiring any person who owns or licenses computerized data that includes a consumer's personal information to give notice of a breach of security. The law does not require notification if, after an appropriate investigation or after consultation with the relevant federal, state, or local agencies responsible for law enforcement, the person determined that no reasonable likelihood of financial harm to the consumers whose personal information has been acquired has resulted or will result from the breach.  Following is an updated list of the 43 state security breach notification laws (plus District of Columbia and Puerto Rico).

Arizona (ARIZ. REV. STAT. ANN. § 44-7501(h))

Arkansas (ARK. CODE ANN. § 4-110-101 et seq.)

California (CAL. CIV. CODE § 1798.82)

Colorado (COLO. REV. STAT. § 6-1-716)

Connecticut (CONN. GEN. STAT. § 36a-701b)

Delaware (DEL. CODE ANN. tit. 6, § 12B-101)

District of Columbia (District of Columbia B16-810, D.C. Code § 28-3851)

Florida (FLA. STAT. § 817.5681)

Georgia (GA. CODE ANN. § 10-1-911)

Hawaii (Hawaii Revised Stat. §§ 487N-1 et seq.)

Idaho (IDAHO CODE ANN. § 28-51-104 et seq.)

Illinois (815 ILL. COMP. STAT. ANN. 530/5, /10)

Indiana (IND. CODE § 24-4.9)

Iowa (SF 2308)

Kansas (KAN. STAT. ANN. §§ 50-7a01-02)

Louisiana (LA. REV. STAT. ANN. § 51:3071 et seq.)

Maine (ME. REV. STAT. ANN. tit. 10, §1346 et seq.)

Maryland (H.B. 208 and S.B. 194)

Massachusetts (Massachusetts General Laws Ann. 93H §§ 1 et seq.)

Michigan (Michigan Compiled Laws Ann. 445.72)

Minnesota (MINN. STAT. § 325E.61)

Montana (MONT. CODE ANN. § 30-14-1704)

Nebraska (NEB. REV. STAT. § 87-801 et seq.)

Nevada (NEV. REV. STAT. 603A.010 et seq.)

New Hampshire (N.H. REV. STAT. ANN. § 359-C:19 et seq.)

New Jersey (N.J. STAT. ANN. § 56:8-163)

New York (N.Y. GEN. BUS. LAW § 899-aa)

North Carolina (N.C. GEN. STAT.§ 75-60 et seq.)

North Dakota (N.D. CENT. CODE § 51-30-01 et seq.)

Ohio (OHIO REV. CODE ANN. § 1349.19)

Oklahoma (Okla. Stat. § 74-3113.1)

Oregon (S.B. 583)

Pennsylvania (73 PA. CONS. STAT. ANN. § 2303)

Puerto Rico (Law 111 and Regulation 7207)

Rhode Island (R.I. GEN. LAWS § 11-49.2-3))

South Carolina S.B. 453

Tennessee (TENN. CODE ANN. § 47-18-21)

Texas (TEX. BUS. & COMM. CODE ANN. § 48.001 et seq.)

Utah (UTAH CODE ANN. § 13-44-101 et seq.)

Vermont (VT. STAT. ANN. tit. 9, § 2430 et seq.)

Virginia S.B. 307

Washington (WASH. REV. CODE § 19.255.010)

West Virginia S.B. 340

Wisconsin (WIS. STAT. § 895.507)

Wyoming (W.S. 40-12-501 through 40-12-509)

• Print
• Comments
• Trackbacks

Virginia, West Virginia, and South Carolina are the latest states to pass data breach notification laws, bringing to 42 the total number of states with such laws on the books (including the one state with a law that applies only to public entities, Oklahoma).  Listed below are the 41 states with laws that apply to private entities (plus the District of Columbia and Puerto Rico).

Arizona (ARIZ. REV. STAT. ANN. § 44-7501(h))

Arkansas (ARK. CODE ANN. § 4-110-101 et seq.)

California (CAL. CIV. CODE § 1798.82)

Colorado (COLO. REV. STAT. § 6-1-716)

Connecticut (CONN. GEN. STAT. § 36a-701b)

Delaware (DEL. CODE ANN. tit. 6, § 12B-101)

District of Columbia (District of Columbia B16-810, D.C. Code § 28-3851)

Florida (FLA. STAT. § 817.5681)

Georgia (GA. CODE ANN. § 10-1-911)

Hawaii (Hawaii Revised Stat. §§ 487N-1 et seq.)

Idaho (IDAHO CODE ANN. § 28-51-104 et seq.)

Illinois (815 ILL. COMP. STAT. ANN. 530/5, /10)

Indiana (IND. CODE § 24-4.9)

Kansas (KAN. STAT. ANN. §§ 50-7a01-02)

Louisiana (LA. REV. STAT. ANN. § 51:3071 et seq.)

Maine (ME. REV. STAT. ANN. tit. 10, §210-B-1346 et seq.)

Maryland (H.B. 208 and S.B. 194)

Massachusetts (Massachusetts General Laws Ann. 93H §§ 1 et seq.)

Michigan (Michigan Compiled Laws Ann. 445.72)

Minnesota (MINN. STAT. § 325E.61)

Montana (MONT. CODE ANN. § 30-14-1704)

Nebraska (NEB. REV. STAT. § 87-801 et seq.)

Nevada (NEV. REV. STAT. 603A.010 et seq.)

New Hampshire (N.H. REV. STAT. ANN. § 359-C:19 et seq.)

New Jersey (N.J. STAT. ANN. § 56:8-163)

New York (N.Y. GEN. BUS. LAW § 899-aa)

North Carolina (N.C. GEN. STAT.§ 75-60 et seq.)

North Dakota (N.D. CENT. CODE § 51-30-01 et seq.)

Ohio (OHIO REV. CODE ANN. § 1349.19)

Oregon (S.B. 583)

Pennsylvania (73 PA. CONS. STAT. ANN. § 2303)

Puerto Rico (Law 111 and Regulation 7207)

Rhode Island (R.I. GEN. LAWS § 11-49.2-3))

South Carolina S.B. 453

Tennessee (TENN. CODE ANN. § 47-18-21)

Texas (TEX. BUS. & COMM. CODE ANN. § 48.001 et seq.)

Utah (UTAH CODE ANN. § 13-44-101 et seq.)

Vermont (VT. STAT. ANN. tit. 9, § 2430 et seq.)

Virginia S.B. 307

Washington (WASH. REV. CODE § 19.255.010)

West Virginia S.B. 340

Wisconsin (WIS. STAT. § 895.507)

Wyoming (W.S. 40-12-501 through 40-12-509)

H.B. 208 and S.B. 194)

• Print
• Comments
• Trackbacks