The smart grid is an advanced metering infrastructure made up of “smart meters” capable of recording detailed and near-real time data on consumer electricity usage.  That data would then be sent to utilities through a wireless communications network.  In recent years, utilities have increased the pace of smart meter deployment—smart meters are expected to be on 65 million homes by 2015.  A smart grid could deliver electricity more efficiently and would enable consumers to track and adjust their energy usage in real time through a home display.  But these new capabilities also implicate new privacy concerns.

The Illinois Personal Information Protection Act (PIPA) requires that any “data collector”, which includes businesses, universities, governmental agencies or any other entity that deals with personal information, notify Illinois residents in the event of a data security breach. Recently, the Office of Illinois Attorney General Lisa Madigan issued guidance that provides

On August 22, Illinois Governor Pat Quinn signed House Bill 3025 into law. In doing so, he aligned Illinois with a small group of states responding to increased concern about privacy and information security by retooling their existing information security breach notification frameworks. HB3025, in particular, amends the state’s breach notification law to specify both the types of information that should be provided to notice recipients and the breach notice obligations of service providers that maintain or store, but don’t own or license, personal information about Illinois residents.

On May 9, 2008, Iowa Governor Chester Culver signed legislation (SF 2308) requiring any person who owns or licenses computerized data that includes a consumer’s personal information to give notice of a breach of security. The law does not require notification if, after an appropriate investigation or after consultation with the relevant federal, state, or local agencies responsible for law enforcement, the person determined that no reasonable likelihood of financial harm to the consumers whose personal information has been acquired has resulted or will result from the breach. Following is an updated list of the 43 state security breach notification laws (plus District of Columbia and Puerto Rico).

Virginia, West Virginia, and South Carolina are the latest states to pass data breach notification laws, bringing to 42 the total number of states with such laws on the books (including the one state with a law that applies only to public entities, Oklahoma). Listed below are the 41 states with laws that apply to private entities (plus the District of Columbia and Puerto Rico).

Lawmakers in six states have responded quickly to the massive data breach at TJX Companies, Inc. with various bills designed to strengthen merchant security and/or render companies liable for third party companies’ costs arising from data breaches. These latest bills – introduced in California, Connecticut, Illinois, Massachusetts, Minnesota and Texas – represent a new front of state legislative activity to regulate privacy and data security and expand requirements beyond the current data breach notification and data security laws that many states have enacted in recent years. To date, Minnesota is the only state to enact such legislation, which was signed into law by its Governor on May 21, 2007.