Legislative Review
Summary of 2005/2006

State Laws - passed in 2005/2006:

Data Security / Breach Notification:

Arkansas: An act to provide notice to consumers of the disclosure of their personal information and for other purposes. (Signed by Governor 3/31/2005, Act 1526)

Connecticut: Requires a business to notify consumers of a breach of personal information without unreasonable delay. It prescribes the method of notice and the options and form for substitute notice. (Signed by Governor 06/08/05, Effective Date for Breach Notification section 1/1/06, Public Act 05-148)

Delaware: Requires a business to notify consumers of a breach of computerized personal information. It prescribes the method of notice and the options and form for substitute notice. Helps ensure that personal information about Delaware residents is protected by encouraging data brokers to provide reasonable security for personal information. (Signed by Governor 6/28/05, Chapter 75:61)

Florida: Provides notice to consumers of the disclosure of personal information and for other purposes relating in particular to identity theft. (Signed by Governor 06/14/05, Effective date 7/1/05, Chapter 229)

Georgia: Requires information brokers to give notice to consumers of certain security breaches. (Signed by Governor 5/05/05, Act 163)

Illinois: Creates the Personal Information Protection Act. Any data collector must provide notice to consumers regarding a breach of personal information. (Signed by Governor 06/16/05, Effective date 7/1/05, Public Act 94-0036)

Requires the Department of Revenue to notify an individual if the Department discovers or reasonably suspects that another person has used that individual's social security number. (Signed by Governor 6/16/05, Public Act 94-0041)

Indiana: Requires database owners, as defined in the statute, to notify individuals of a breach of their personal information. (Signed by Governor 4/26/05, Effective date 7/1/06, Act 503)

Louisiana: Requires notification of breach of personal information to residents by persons or agencies that maintain computerized data. (Signed by Governor 7/12/05, Act 499)

Maine: Requires a business that owns or licenses electronic data containing personal information, following the discovery of a security breach, to notify the person whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. (Signed by Governor 6/10/05, Effective date 1/31/06, Chapter 379)

Minnesota: Two separate notification laws: one for state agencies and one for businesses.

A state agency that collects, creates, receives, maintains or disseminates private or confidential data on individuals must disclose any breach of the security of the data following discovery or notification of the breach. Notification must be made to any individual who is the subject of the data and whose private or confidential data was, or is reasonably believed to have been acquired. (Signed by Governor 6/3/05, Chapter 163)

Bill regarding notification by businesses of a breach: A bill requiring businesses that possess personal data to notify persons whose personal information has been disclosed to unauthorized persons (Signed by Governor 6/2/05, Chapter 167)

Montana: An act requiring businesses to report a breach of computer security and other provisions relating to preventing identity theft. (Signed by Governor 4/28/05, Effective 3/1/06, Chapter 518)

Nevada: Relates to personally identifying information and requires data collectors to provide notification concerning any breach of security involving system data. (Signed by Governor 6/17/05, different effective dates are applicable depending on the Statute provision 10/1/05, 1/1/06 or 1/1/08, Chapter 485)

Requires a governmental agency that owns or licenses computerized data that includes personal information to notify any resident of the state whose personal information included in that data was, or is reasonably believed to have been, acquired by an unauthorized person. (Signed by Governor 6/17/05, Chapter 486)

Makes technical corrections to certain legislative measures, including repeal of security breach provisions of A.B. 334 (Signed by Governor 6/17/05, Chapter 6)

New Jersey: Requires any business that conducts business in New Jersey or any public entity that compiles or maintains computerized records that include personal information to disclose any breach of security of those computerized records to any customer who is a resident of New Jersey whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Prior to notification to a consumer, a report of the breach and any information relating to the breach must be reported to the Division of State Police in the Department of Law and Public Safety for investigation or handling, which may include dissemination or referral to other appropriate law enforcement entities. (Signed by Governor 9/22/05, effective date is 7/2/06 except for police reports then effective date is 9/22/05, Chapter 226)

New York: Requires any state agency or business which owns or licenses a computerized database which includes personal information to disclose any breach of security of such system to any resident of New York state whose unencrypted personal information may have been acquired by an unauthorized person. (Signed by Governor 8/09/05, effective date 12/8/05, Chapters 442 & 491)

North Carolina: Enacts the Identity Theft Protection Act of 2005, including consumer report security freezes, security breach notifications and protections for Social Security numbers. (Signed by Governor 9/21/05, effective date 12/1/05, Chapter 414)

North Dakota: Requires disclosure to consumers of a breach in security by businesses maintaining personal information in electronic form. (Signed by Governor 4/22/05, Chapter 447)

Ohio: Requires a state agency, an agency of a political subdivision, or a person, including a business entity that does business in Ohio, to contact individuals residing in Ohio if unencrypted or unredacted personal information about those individuals that is included in computerized data owned or licensed by the agency, person, or business entity is accessed and acquired by unauthorized persons and causes or reasonably is believed will create a material risk of the commission of the offense of identity fraud or other fraud to the individual, and to authorize the Attorney General to investigate and enforce compliance with the requirements. (Signed by Governor 11/17/05, Oh. Rev. Code, Tit. XIII, Ch. 1349, §19)

Pennsylvania: Providing for the notification of residents whose personal information data was or may have been disclosed due to a security system breach; and imposing penalties. (Signed by Governor 2/22/05, Act 94)

Rhode Island: Requires any person or business that conducts business in Rhode Island, and that owns or licenses computerized data that includes personal information, to disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of Rhode Island whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. (Became law without Governor's signature 7/10/05, effective 3/1/2006, Chapter 225)

Tennessee: Requires persons, businesses or government agencies that discover a breach of information security resulting in disclosure of unencrypted personal information about persons to unauthorized third parties to provide notice of such disclosure. (Signed by Governor 06/18/05, effective 7/1/2005, Chapter 473)

Texas: Requires a person that conducts business in this state and owns or licenses computerized data that includes sensitive personal information to disclose any breach of system security, after discovering or receiving notification of the breach, to any resident of this state whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person (Signed by Governor 6/17/05, effective date 9/1/05, Chapter 294)

Washington: An act relating to breaches of security that compromise personal information for both state agencies and businesses: an agency or person or business that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of this state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection (3) of this section, or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. (Signed by Governor 5/10/05, Chapter 368)

Freezing Credit Reports:

Note: A credit freeze prevents access to a consumer’s credit report and credit score by prohibiting a consumer reporting agency from releasing information about the individual without the individual's express consent.

Colorado: Eligibility: All consumers. (Signed by Governor 6/01/05, effective date 7/1/06, SB 05-137)

Connecticut: Eligibility: All consumers. (Signed by Governor 6/08/05, effective date 1/1/06, Public Act No. 05-148)

Florida: Eligibility: All consumers. (Signed by Governor 6/09/06, effective date 7/1/06, Chapter 124)

Hawaii: Eligibility: Only victims of Identity Theft with specific supporting documentation such as a police report. (Signed by Governor 5/25/06, effective date 7/1/07, Act 138)

Illinois: Eligibility: All consumers. (Signed by Governor 5/24/06, effective date 1/1/2007, Public Act 094-0799)

Kansas: Eligibility: Only victims of Identity Theft with supporting documentation such as a police report. (Signed by Governor 4/19/2006, effective date 1/1/07, S.B. 196)

Kentucky: Eligibility: All consumers. (Signed by Governor 3/24/06, effective date 7/1/06, H.B. 54)

Maine: Eligibility: All consumers. (Signed by Governor 5/26/05, effective date 2/1/06, Public Law Chapter 243)

Minnesota: Eligibility: All consumers. (Signed by Governor 5/30/06, effective date 8/1/06, Chapter 233)

Nevada: Eligibility: All consumers. (Signed by Governor 6/13/05, effective date 10/1/05, Chapter 391)

New Hampshire: Eligibility: All consumers. (Signed by Governor 5/31/06, effective date 1/1/07, Chapter 208)

New Jersey: Eligibility: All consumers. (Signed by Governor 9/22/05, effective date 1/1/06, Chapter 226)

New York: Eligibility: All consumers. The Security Freeze Law allows consumers, who are either identity theft victims or are concerned that they might be at risk of having their identities stolen, to cut off an identity thief's access to credit, loans, leases, goods and services by placing a "freeze" on their consumer credit report. Consumers must have proper identification and may have to pay an applicable fee, not to exceed $5.00, to have the freeze put in place. Consumers must send a written request to a consumer credit reporting agency by certified or overnight mail and would be permitted to remove a freeze entirely, lift a freeze for a specific period of time, or grant a specific party access to their report. Consumers must have proper identification, their PIN or password (that the credit reporting agency supplies), the name of the party to whom the information may be made available, the time period of availability and payment of any applicable fees. (Signed by Governor 6/7/06, effective date 11/1/06, Chapter 63, Laws of 2006)

North Carolina: Eligibility: All consumers. (Signed by Governor 9/21/05, effective date 12/1/05, Chapter 414)

Oklahoma: Eligibility: All consumers. (Signed by Governor 5/26/06, effective date 1/1/07, SB 1748)

South Dakota: Eligibility: Only victims of Identity Theft with supporting documentation such as a police report. (Signed by Governor 3/21/06, effective date 7/1/06, S.B. 180)

Utah: Eligibility: All consumers. (Signed by Governor 3/20/06, effective date 9/1/08, S.B.0071)

Washington: Eligibility: Only victims of Identity Theft with supporting documentation such as a police report. (Signed by Governor 5/9/05, effective date 7/24/05, Chapter 342)

Wisconsin: Eligibility: All consumers. (Signed by Governor 3/17/06, effective date 1/1/07, ACT 140)

Spyware:

Alaska: Prohibits spyware and unsolicited Internet advertising. (Signed by Governor 09/01/05, S.B. 140, Chapter 97)

Arizona: Makes it unlawful to transmit, through intentionally deceptive means, computer software that modifies certain settings, collects personally identifiable information, or takes control of the computer. (Signed by Governor 04/18/05, H.B. 2414, Chapter 136)

Arkansas: An act to make an appropriation for expenses associated with spyware monitoring for the office of Attorney General. (Signed by Governor 04/14/05, Act 2312)

Establishes the Consumer Protection Against Computer Spyware Act. (Signed by Governor 04/13/2005, Act 2255)

California: Existing law, the Consumer Protection Against Computer Spyware Act, provides specified protections for the computers of consumers in this state against certain types of computer software. This bill would state the intent of the Legislature to enact legislation that would improve the security of the Internet. (Signed by Governor 09/30/05, Chapter 437)

Georgia: Relates to forgery and fraudulent practices, so as to enact the "Georgia Computer Security Act of 2005." Prohibits certain deceptive acts and practices with regard to computers; requires certain notices be given prior to certain software or programs being loaded onto certain computers; requires certain functions be available in certain software; provides for certain exceptions; provides for civil and criminal penalties; provides for recovery of certain damages. (Signed by Governor 05/10/05, Act 389)

Indiana: Prohibits certain uses of spyware. Authorizes a provider of computer software, a web site owner, or a trademark or copyright holder harmed by a prohibited use of spyware to bring a civil action against the person who committed the prohibited act. Allows a person who brings a cause of action for unlawful spyware installation to receive injunctive relief and the greater of actual damages or $100,000 per violation. (Signed by Governor 05/04/05, Public Law 115)

Iowa: Protects owners and operators of computers from the use of spyware and malware that is deceptively or surreptitiously installed on the owner's or the operator's computer. (Signed by Governor 05/03/05, Chapter 94)

New Hampshire: This bill regulates the use of computer spyware software that creates advertisements on a computer as a result of visiting certain Internet websites and that collects information regarding the computer’s Internet use. The bill prohibits installation of spyware on another person’s computer. (Signed by Governor 07/14/05, Chapter 238)

Texas: Relates to the unauthorized collection and transmission of certain information by computer; providing a penalty. (Signed by Governor 06/17/05, Chapter 298)

Utah: This bill amends the Spyware Control Act. It prohibits certain uses of pop-up advertisements; prohibits the purchase of pop-up advertisements that violate the chapter if the purchaser has actual notice of the violation; provides for the permissive removal of certain software; and defines the scope of actions and penalties authorized by the chapter. (Signed by Governor 03/17/05, Chapter 168)

Virginia: Modernizes the Virginia Computer Crimes Act by updating definitions to comport with changing technology, removing superfluous language and relocating language. The bill adds unauthorized installation of software on the computer of another, disruption of another computer's ability to share or transfer information and maliciously obtaining computer information without authority as additional crimes of computer trespass, a Class 1 misdemeanor. (Signed by Governor 04/04/05, Chapter 812)

Updates the Virginia Computer Crimes Act to include recommendations made by the 2004 joint study on Computer Crimes by the Joint Commission on Technology and Science and Virginia State Crime Commission. Modernizes definitions of "computer", "using a computer" and "without authority" to comport with changing technology. Revises provisions regarding computer trespass, a Class 1 misdemeanor, unless the damage to the property of another is $1,000 ($2,500 under current law) or more, in which case it is a Class 6 felony. Provisions regarding computer invasion of privacy are rewritten to include unauthorized gathering of identifying information and Class 6 penalties added for persons with previous convictions, selling or distributing the information to another or using the information in the commission of another crime. Adds as a new Class 6 felony using a computer to fraudulently gather identifying information of another (phishing), unless the information is sold or distributed to another or the information is used in the commission of another crime, in which case it is a Class 5 felony. Statute of limitation and venue provisions are relocated in the Code. S.B. 1163. (Signed by Governor 03/26/05, Chapter 761)

Washington: Prohibits an unauthorized person or entity from installing software on a consumer's computer that would take over control of the computer, modify its security settings, collect the user's personally identifiable information, interfere with its own removal, or otherwise deceive the authorized user. (Signed by Governor 05/17/05, Chapter 500)

Anti-Phishing:

Arizona: Prohibits the solicitation of an individual’s identifying information via a web page or e-mail by a person representing they are an on-line business who has not been approved to do so by the business they are representing and establishes civil penalties and damages. (Signed by Governor 4/18/05, Chapter 114)

Arkansas: Prohibits specified uses of computer spyware; prohibits phishing, brand spoofing or carding. (Signed by Governor 4/15/05, Act 2255)

California: Makes it unlawful for any person, through the Internet or other electronic means, to solicit, request, or take any action to induce another person to provide identifying information by representing itself to be an online business without the approval or authority of the online business. The bill would enact certain civil remedies. (Signed by Governor 9/30/05, Chapter 437)

Connecticut: Prohibits using the Internet or an e-mail message to solicit or induce another to provide identifying information by pretending to be an on-line Internet business and provides civil and criminal penalties. (Signed by Governor 05/08/06, Act 50)

Colorado: Makes it a crime to use a false identity to gain the personal identifying information of another individual over the internet, over the telephone, or by any other electronic medium. (Signed by Governor 06/01/05, Chapter 218)

Hawaii: Establishes a Hawaii anti-phishing task force to curtail electronic commerce-based criminal activities. Requires the task force to submit a report and make recommendations prior to the 2006 regular session. (Signed by Governor 05/19/2005, Act 65)

Louisiana: Creates the “Anti-Phishing Act of 2006”; provides definitions; prohibits unlawful requests; and provides civil remedies. (Signed by Governor 6/2/06, Act No. 201)

Creates the "Louisiana Anti-Phishing Act"; prohibits the use of the Internet to obtain identifying information of another person for a fraudulent purpose and provides for civil relief. (Signed by Governor 6/22/06, Act No. 459)

Minnesota: Prohibits a person, with intent to obtain another's identity, from using false pretense in an e-mail, Web page, or any other Internet communication. This offense is punishable by five years imprisonment and/or a $10,000 fine. In prosecution under this section, it is not a defense that the person did not obtain or use another's identity, nor is it a defense that the crime did not result in a loss to any person. (Signed by Governor 6/2/05, Chapter 136)

New Mexico: Amends the existing identity theft statute to include the new crime of obtaining identity by electronic fraud. Obtaining information by electronic fraud (commonly known as phishing) is defined as using an e-mail, web site or other means of electronic communication to obtain personal information by false pretenses. This new crime is a fourth degree felony. This act also adds a section giving a civil remedy for victims of ID theft or fraud. (Signed by Governor 4/7/05, Chapter 296)

New York: Enacts the "anti-phishing act of 2006", prohibiting the misuse of the internet to obtain identifying information by misrepresenting oneself as a business; authorizes the attorney general, internet service providers, and those owning a web page or trademark, who are adversely affected by such conduct to bring an action for injunctive relief and damages. (Signed by Governor 6/07/2006, Chapter 64)

Oklahoma: Creates the “Anti-Phishing Act”; prohibits persons from creating and using web pages with certain fraudulent intent; allows certain persons to bring civil actions for violations of the act; provides damages; makes unlawful acts under act violations of the Oklahoma Consumer Protection Act; and exempts certain actions by telecommunications providers or Internet service providers from the act. (Signed by Governor 4/17/2006, H.B. 2473)

Tennessee: Creates the “Anti-Phishing Act of 2006”; penalizes persons who, without authorization or permission of subject of identifying information, obtain, record, access or distribute identifying information of another person through use of Internet, e-mail or wireless communication; establishes that any violation shall be construed to be an unfair or deceptive act or practice affecting trade or commerce; and provides for civil relief. (Signed by Governor 5/1/2006, Chapter 566)

Texas: Relating to using the Internet to obtain identifying information of another person for a fraudulent purpose; providing penalties. (Signed by Governor 06/17/2005, Chapter 544)

Utah: Amends the Communication Fraud statute; provides that when an act of communications fraud involves obtaining sensitive personal identifying information, the offense is a second degree felony. (Signed by Governor 03/13/06, Chapter 120)

Virginia: Computer crimes; phishing; penalty. Makes it a Class 6 felony to fraudulently obtain, record, or access from a computer the following identifying information of another: (i) social security number; (ii) driver's license number; (iii) bank account numbers; (iv) credit or debit card numbers; (v) personal identification numbers (PIN); (vi) electronic identification codes; (vii) automated or electronic signatures; (viii) biometric data; (ix) fingerprints; (x) passwords; or (xi) any other numbers or information that can be used to access a person's financial resources, obtain identification, act as identification, or obtain goods or services. Any person who sells or distributes such information or uses it to commit another crime is guilty of a Class 5 felony. (Signed by Governor 03/26/05, Chapter 760)

Updates the Virginia Computer Crimes Act to include recommendations made by the 2004 joint study on Computer Crimes by the Joint Commission on Technology and Science and Virginia State Crime Commission. Modernizes definitions of "computer", "using a computer" and "without authority" to comport with changing technology. Revises provisions regarding computer trespass, a Class 1 misdemeanor, unless the damage to the property of another is $1,000 ($2,500 under current law) or more, in which case it is a Class 6 felony. Provisions regarding computer invasion of privacy are rewritten to include unauthorized gathering of identifying information and Class 6 penalties added for persons with previous convictions, selling or distributing the information to another or using the information in the commission of another crime. Adds as a new Class 6 felony using a computer to fraudulently gather identifying information of another (phishing), unless the information is sold or distributed to another or the information is used in the commission of another crime, in which case it is a Class 5 felony. Statute of limitation and venue provisions are relocated in the Code. (Signed by Governor 03/26/05, Chapter 761)

Adds as a new Class 6 felony using a computer to fraudulently gather identifying information of another (phishing), unless the information is sold or distributed to another or the information is used in the commission of another crime, in which case it is a Class 5 felony. (Signed by Governor 03/26/05, Chapter 827)

Revises provisions in the Virginia Computer Crimes Act relating to computer fraud and redefines computer invasion of privacy by including the unauthorized gathering of identifying information and punishes subsequent offenses and transferring the information to another or use of the information in the commission of another crime as a Class 6 felony. Currently, the offense is punishable as a Class 1 misdemeanor. Additionally, the fraudulent gathering of such information is punished as a Class 6 felony, a new crime, and transferring the information to another or use of the information in the commission of another crime is a Class 5 felony. (Signed by Governor 04/04/05, Chapter 837)

Washington: Provides that no person may solicit, request, or take any action to induce another person to provide personally identifying information by means of a web page, electronic mail message, or otherwise using the internet by representing oneself, either directly or by implication, to be a business or individual without the authority or approval of such business or individual. Provides that damages to a consumer resulting from the practices prohibited by this act are up to five hundred dollars per violation, or actual damages, whichever is greater. (Signed by Governor 5/10/05, Chapter 378)

Federal – Legislation regarding Cyber issues:

H.R.3199 - USA PATRIOT Improvement and Reauthorization Act of 2005 - Rep Sensenbrenner, F. James, Jr. (R-WI)
Became Public Law No: 109-177 on March 9, 2006. Official Title: To extend and modify authorities needed to combat terrorism, and for other purposes.

Summary: This Act extends or makes permanent certain provisions of the USA PATRIOT Act which were scheduled to expire on December 31, 2005.

Legislation/Resolutions introduced during the 109th Congress regarding Cyber issues that passed at least one house:

H.R. 29 – The SPY ACT – Congresswoman Mary Bono (R-CA) Also known as the “Securely Protect Yourself Against Cyber Trespass Act.” Passed the House on May 23, 2005. It was then sent to the Senate Committee on Commerce, Science and Transportation.

Summary: This bill requires that spyware programs be easy to identify and remove. It further requires express user consent for personal information to be collected. It would prevent the tracking of users’ keystrokes for example with key loggers. There are fines for abusers and there is an exemption for legitimate security use.

H.R. 744 – The I-SPY Prevention Act of 2005 – Congressman Bob Goodlatte (R-VA) Also known as the “Internet Spyware (I-SPY) Prevention Act of 2005.” Passed the House on May 23, 2005 and was sent to the Senate and referred to the Committee on the Judiciary.

Summary: This bill makes certain activities relating to spyware criminal offenses including: intentionally accessing a computer without authorization, or intentionally exceeding authorized access, by causing a computer program or code to be copied onto the computer and using that program or code to further another federal crime, obtain or transmit personal information for the purpose of defrauding a person or damaging a computer and for intentionally impairing security protections of a computer. The legislation preempts States from creating civil remedies based on violations of this act.

H. RES. 491 (October 17, 2005) – Expressing the sense of the House of Representatives with respect to raising awareness and enhancing the state of computer security in the United States, and supporting the goals and ideals of National Cyber Security Awareness Month.
