Exhibit B. State-By-State Data Security Overview




Exhibit B
State-By-State Data Security Overview

Michele A. Whitham
Partner, Founding Co-Chair, Security & Privacy Practice Group
Foley Hoag LLP
155 Seaport Boulevard
Boston, MA 02210

Each entry below gives the State, its Statute Citation, and an Overview of Statutory Scheme.

Alabama
Statute Citation: (None)

Alaska
Statute Citation: Alaska Stat. 45.48.010 et seq.
Overview of Statutory Scheme:
- Violators are liable for a civil penalty of up to $500 for each resident who is not notified of a breach, up to $50,000.
- Also establishes specific guidelines governing theft of and damage to consumer credit, including a credit "security freeze" system by which consumers can attempt to prevent damage to their credit during the process of rectifying the breach.
- May delay disclosing breach if an appropriate law enforcement agency determines disclosure will interfere with a
- Notification may be written, electronic or by substitute notice (e-mail, posting on website, media notification) if the first two methods of notification exceed $150,000 or class of individuals exceeds 300,000 people.

Arizona
Statute Citation: Ariz. Code 44-7501; Ariz. Rev. Stat. Ann. 44-7304
Overview of Statutory Scheme:
- Upon becoming aware of a breach of personal information, a reasonable investigation must be conducted and individuals notified accordingly.
- Notification may be written, electronic, telephonic or by substitute notice (e-mail, posting on website, media notification) if the first three methods of notification exceed $50,000 or class of individuals exceeds 100,000 people.
- Arizona has adopted anti-spyware law (AG, software providers and website and trademark owners can bring enforcement suits)

Arkansas
Statute Citation: Ark. Code 4-110-101 et seq.; Ark. Code. Ann. 4-111-101 et seq.
Overview of Statutory Scheme:
- Establishes general security guidelines for those who own and/or manage personal information to follow in the event or suspicion of a breach.
- Notification of a breach must be made to any resident of Arkansas in the most expedient time and manner possible, without unreasonable delay.
- Notification may be written, electronic or by substitute notice (e-mail, posting on website, media
- Arkansas has adopted anti-spyware law (AG can enforce)

California
Statute Citation: Cal. Civ. Code 56.06; 1785.11.2; 1798.29; 1798.82; Cal. Bus. & Prof. Code 22947 et seq.
Overview of Statutory Scheme:
- 56.06 specifically addresses maintenance and disclosure requirements of personal medical information.
- Also establishes specific guidelines governing theft of and damage to consumer credit, including a credit security freeze system by which consumers can attempt to prevent damage to their credit during the process of rectifying the breach.
- 1798.82 applies whether computerized consumer records are maintained in or out of the state.
- Notification may be written, electronic or by substitute notice (e-mail, posting on website, media
- NOTE: California created California's Office of Privacy Protection (COPP) in 2000
- California has adopted anti-spyware law (no enforcement provisions)

Colorado
Statute Citation: Colo. Rev. Stat. 6-1-716
Overview of Statutory Scheme:
- Awareness of breach requires a good faith, prompt investigation to determine likelihood personal information has been or will be misused.
- Notification may be written, electronic, telephonic or by substitute notice (e-mail, posting on website, media notification) if the first three methods of notification exceed $50,000 or class of individuals exceeds 250,000 people.
- NOTE: Colorado has created the Colorado Office of Cyber Security which focuses on threats to electronic information systems

Connecticut
Statute Citation: Conn. Gen. Stat. 36a-701b
Overview of Statutory Scheme:
- Also establishes specific guidelines governing theft of and damage to consumer credit, including a credit security freeze system by which consumers can attempt to prevent damage to their credit during the process of rectifying the breach.
- Notification may be written, electronic, telephonic or by substitute notice (e-mail, posting on website, media notification) if the first three methods of notification exceed $250,000 or class of individuals exceeds

Delaware
Statute Citation: Del. Code tit. 6, 12B-101 et seq.
Overview of Statutory Scheme:
- Notification may be written, electronic, telephonic or by substitute notice (e-mail, posting on website, media notification) if the first three methods of notification exceed $75,000 or class of individuals exceeds 100,000 people.

Florida
Statute Citation: Fla. Stat. 817.5681
Overview of Statutory Scheme:
- Violators are liable for a civil penalty of up to $1,000 for each day the breach goes undisclosed for up to 30 days, and thereafter, $50,000 for each 30-day period or portion thereof for up to 180 days, not to exceed $500,000 total.
- Notification may be written, electronic or by substitute notice (e-mail, posting on website, media

Georgia
Statute Citation: Ga. Code 10-1-910, 911; Ga. Code. Ann. 16-9-150
Overview of Statutory Scheme:
- Expressly recognizes the growing risk of identity theft to Georgia citizens due to ever more widespread collection of personal information.
- Notification may be written, electronic or by substitute notice (e-mail, posting on website, media
- Georgia has adopted anti-spyware law (AG, ISPs and telecommunications carriers can bring suits)

Hawaii
Statute Citation: Haw. Rev. Stat. 487N-2
Overview of Statutory Scheme:
- Notification may be written, electronic, telephonic or by substitute notice (e-mail, posting on website, media notification) if the first three methods of notification exceed $100,000 or class of individuals exceeds 200,000 people.

Idaho
Statute Citation: Idaho Code 28-51-104 to 28-51-107; 2010 H.B. 566
Overview of Statutory Scheme:
- Violators are subject to a fine of not more than $25,000 per breach of personal information.
- Notification may be written, electronic, telephonic or by substitute notice (e-mail, posting on website, media notification) if the first three methods of notification exceed $25,000 or class of individuals exceeds 50,000 people.
- The Idaho Code was amended in 2010 to include the following provisions:
  - A governmental agency that becomes aware of a breach shall notify the Idaho Attorney General within 24 hours.
  - Government employees who violate the provisions of this statute are guilty of a misdemeanor and subject to a fine of not more than $2,000 or imprisonment for not more than 1 year.

Illinois
Statute Citation: 815 ILCS 530/1 et seq.
Overview of Statutory Scheme:
- Notification may be written, electronic or by substitute notice (e-mail, posting on website, media

Indiana
Statute Citation: Ind. Code 24-4.9 et seq.; 4-1-11 et seq.; 2009 H.B. 1121; Ind. Code Ann. 24-4.8-2-2, 24-4.8-3-1
Overview of Statutory Scheme:
- Establishes general duty of care for database owners, the failure of which is considered a deceptive act actionable only by the attorney general and up to $5,000 per act.
- The attorney general may also bring an action for a civil penalty for the failure to disclose a breach. The penalty may be up to $150,000 per deceptive act.
- criminal investigation or jeopardize national security, or if delay is necessary to restore computer system integrity or discover breach scope.
- Notification may be written, electronic, telephonic, faxed or by substitute notice (e-mail, media notification) if the first four methods of notification exceed $250,000 or class of individuals exceeds
- Indiana has adopted anti-spyware law (software providers, website owners, and trademark owners can bring civil action for injunctions and damages)

Iowa
Statute Citation: Iowa Code 715C.1 (2008 S.F. 2308); Iowa Code Ann. 715.7
Overview of Statutory Scheme:
- 350,000 people.
- Iowa has adopted anti-spyware law (provides for criminal penalties, but no private right of action)

Kansas
Statute Citation: Kan. Stat. 50-7a01; 50-7a02
Overview of Statutory Scheme:
- notification) if the first two methods of notification exceed $100,000 or class of individuals exceeds 5,000 people.

Kentucky
Statute Citation: None

Louisiana
Statute Citation: La. Rev. Stat. 51:3071 et seq.; La. Rev. Stat. Ann. 51:1441 to :1449
Overview of Statutory Scheme:
- Louisiana has adopted anti-spyware law (criminal penalties, plus AG, software providers, trademark owners, and ISP may bring action for injunctive relief and damages)

Maine
Statute Citation: Me. Rev. Stat. tit. 10 1347 et seq.; 2009 Public Law 161
Overview of Statutory Scheme:
- Violators are subject to a fine of not more than $500 per violation, up to a maximum of $2,500 for each day the person is in violation. However, this provision does not apply to State Government, the University of Maine System, the Maine Community College System or Maine Maritime Academy.
- Notification may be delayed for no longer than 7 business days if law enforcement agency advises notification will impede
- notification) if the first two methods of notification exceed $5,000 or class of individuals exceeds 1,000 people.

Maryland
Statute Citation: Md. Code, Com. Law 14-3501 et seq.
Overview of Statutory Scheme:
- Establishes general notification guidelines and duty of care for those who own and/or manage personal

Massachusetts
Statute Citation: Mass. Gen. Laws 93H-1 et seq.; 201 CMR 17.00
Overview of Statutory Scheme:
- First time violators may be subject to $1,000 for the first violation, and up to $5,000 for each additional violation.
- criminal investigation or jeopardize homeland or national security, or to determine the breach scope, identify individuals affected or restore system integrity.
- website, media notification) if the first three methods of notification exceed $100,000 or class of individuals exceeds 175,000 people.
- Objectives of this regulation are to ensure the security and confidentiality of customer information in a manner fully consistent with industry standards; protect against anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer.
- Establishes a duty to protect and standards for protecting personal information.
- Sets minimum standards to be met in connection with the safeguarding of personal information contained in both paper and electronic records.

Michigan
Statute Citation: Mich. Comp. Laws 445.72
Overview of Statutory Scheme:
- Managers/owners of personal information are not required to disclose a breach if determine[d] that the security breach has not or is not likely to cause substantial loss or injury to, or result in identity theft.
- Anyone who provides false notice of a security breach with the intent to defraud is subject to a misdemeanor charge punishable by imprisonment for up to 30 days and/or up to $250 for each violation.
- Violators of the section are subject to a civil fine up to $250 for each failure to provide notice. The total of civil penalties may not exceed $750,000.
- criminal investigation or jeopardize homeland or national security, or to determine the breach scope or restore system integrity.
- website, media notification) if the first three methods of notification exceed $250,000 or class of individuals exceeds

Minnesota
Statute Citation: Minn. Stat. 325E.61, 325E.64
Overview of Statutory Scheme:
- Statute also requires ISPs to maintain confidentiality of customers' personally identifiable information.

Mississippi
Statute Citation: 2010 H.B. 583
Overview of Statutory Scheme:
- Allows companies to forego notification if they can prove after a reasonable investigation that the breach will not result in harm to affected individuals.
- criminal investigation or national security.
- website, media notification) if the first three methods of notification exceed $5,000 or class of individuals exceeds 5,000 people.

Missouri
Statute Citation: Mo. Rev. Stat. 407.1500
Overview of Statutory Scheme:
- Medical information is expressly included and protected under this provision.
- criminal investigation or jeopardize national or homeland security.
- website, media notification) if the first three methods of notification exceed $100,000 or class of individuals exceeds 150,000 people.

Montana
Statute Citation: Mont. Code 30-14-1701 et seq.; 45-6-332; 2009 H.B. 155, Chapter 163
Overview of Statutory Scheme:
- Establishes general notification guidelines and duty of care for those who own and/or manage personal
- 45-6-322 defines the crime Theft of identity. Violators who sought economic benefit as a purpose in committing this crime may be subject to a civil penalty for up to $10,000 and/or 10 years in state prison.
- website, media notification) if the first three methods of notification exceed $250,000 or class of individuals exceeds

Nevada
Statute Citation: Nev. Rev. Stat. 603A.010 et seq.
Overview of Statutory Scheme:
- Establishes general notification guidelines and security requirements, including a requirement to destroy old records, for those who own and/or manage personal information to follow in the event or suspicion of a breach.
- Permits owners/managers of personal information to seek damages and restitution through civil action against the person or persons who unlawfully obtained or benefited from the personal information that was breached.
- Statute also requires ISPs to maintain confidentiality of all their customers' information

New Hampshire
Statute Citation: N.H. Rev. Stat. 359-C:19 to -C:21; N.H. Rev. Stat. 359-H:2 to :3
Overview of Statutory Scheme:
- Any person injured by a violation under this statute may bring a civil action for actual damages. The statute permits that if the violation was willful or knowing, then the court may award as much as 3 times the amount of actual damages, but not less than 2 times the amount, as well as attorney's fees and costs of the suit.
- criminal investigation or jeopardize homeland or national security.
- website, media notification) if the first three methods of notification exceed $5,000 or class of individuals exceeds 1,000 people.
- New Hampshire has adopted anti-spyware law (violations are Class A misdemeanors)

New Jersey
Statute Citation: N.J. Stat. 56:8-163

New Mexico
Statute Citation: None

New York
Statute Citation: N.Y. Gen. Bus. Law 899-aa
Overview of Statutory Scheme:
- Permits the attorney general to commence civil action against violators, with damages payable to those affected by the breach.
- When violated "knowingly or recklessly, the court may impose a civil penalty of the greater of five thousand dollars or up to ten dollars per instances of failed notification, provided the latter amount shall not exceed $150,000."
- website, media notification) if the first three methods of notification exceed $250,000 or class of individuals exceeds
- NOTE: New York has created the Office of Cyber Security and Critical Infrastructure Coordination, which focuses on threats to electronic information systems

North Carolina
Statute Citation: N.C. Gen. Stat 75-65
Overview of Statutory Scheme:
- Establishes specific notification guidelines for those who own and/or manage personal
- criminal investigation, or jeopardize national or homeland security.
- website, media notification) if the first three methods of notification exceed $250,000 or class of individuals exceeds

North Dakota
Statute Citation: N.D. Cent. Code 51-30-01 et seq.

Ohio
Statute Citation: Ohio Rev. Code 1347.12, 1349.19, 1349.191, 1349.192
Overview of Statutory Scheme:
- Establishes general notification guidelines and duty of care for those who own and/or manage personal
- Establishes a set of rights for those who are the subject of personal information held by a state or local agency including the right to know what information systems the person's information is maintained on.
- Violators may be subject to a civil penalty of up to $1,000 for each day of noncompliance with the provisions of the statute. After 60 days of "intentional or reckless" noncompliance, a civil penalty of up to $5,000 may be assessed, rising to $10,000 after 90 days of such behavior, with no expressed limit.
- criminal investigation, or jeopardize homeland or national security.
- website, media notification) if the first three methods of notification exceed $250,000 or class of individuals exceeds

Oklahoma
Statute Citation: Okla. Stat. 74-3113.1; 2008 H.B. 2245

Oregon
Statute Citation: Oregon Rev. Stat. 646A.600 et seq.
Overview of Statutory Scheme:
- Also establishes specific guidelines governing theft of and damage to consumer credit, including a credit "security freeze" system by which consumers can attempt to prevent damage to their credit during the process of rectifying the breach.
- website, media notification) if the first three methods of notification exceed $250,000 or class of individuals exceeds 350,000 people.

Pennsylvania
Statute Citation: 73 Pa. Stat. 2303
Overview of Statutory Scheme:
- a criminal or civil investigation.
- website, media notification) if the first three methods of notification exceed $100,000 or class of individuals exceeds 175,000 people.

Rhode Island
Statute Citation: R.I. Gen. Laws 11-49.2-1 et seq.
Overview of Statutory Scheme:
- Violators are subject to a civil penalty for up to $100 per occurrence up to $25,000 total.
- notification) if the first two methods of notification exceed $25,000 or class of individuals exceeds 50,000 people.

South Carolina
Statute Citation: S.C. Code 39-1-90
Overview of Statutory Scheme:
- Permits residents to commence civil actions for damages, with the amount dependent upon the level of mental culpability. Residents are also permitted to seek injunctive relief.
- website, media notification) if the first three methods of notification exceed $250,000 or class of individuals exceeds 500,000.

South Dakota
Statute Citation: None

Tennessee
Statute Citation: Tenn. Code 47-18-2107, 2010 S.B. 2793
Overview of Statutory Scheme:
- 47-18-2103 proscribes identity theft, or engaging in any unfair, deceptive, misleading act or practice for the purpose of directly or indirectly engaging in identity theft
- Attorney General may bring action. Penalty: whichever of the following is greater: $10,000, $5,000 per day for each day that a person's identity has been assumed or 10 times the amount obtained or attempted to be obtained by the person using the identity theft
- Private right of action: damages (treble if willful/knowing), injunctive relief, attorneys' fees and costs available

Texas
Statute Citation: Tex. Bus. & Com. Code 521.053; Tex. Bus. & Com. Code Ann. 48.101, 48.102
Overview of Statutory Scheme:
- Texas has adopted anti-spyware law. Software providers, webpage or trademark owners, telecommunications carriers, cable operators and ISPs can bring private suits for injunctive relief, damages, attorneys' fees and costs. AG can also recover civil penalties in the amount of $100,000 for each violation.

Utah
Statute Citation: Utah Code 13-44-101, 102, 201, 202, 310
Overview of Statutory Scheme:
- Permits the attorney general to pursue $2,500 in civil penalties for a violation concerning one consumer and no more than $100,000 for aggregated violations concerning more than one consumer.
- Grants the attorney general power to inspect and copy all records related to the business conducted by a person alleged to be in violation of this statute, and requires that person or business to cover the costs related to the inspection.
- Notification may be written, electronic, by telephone or by publishing notice of the breach in a newspaper.

Vermont
Statute Citation: Vt. Stat. tit. 9 2430 et seq.
Overview of Statutory Scheme:
- Also expressly establishes a duty to destroy documents containing personal information.
- Notification may be delayed if law enforcement agency advises notification will impede a law enforcement investigation, or a national or homeland security investigation or jeopardize public safety or national or homeland security interests.
- website, media notification) if the first three methods of notification exceed $5,000 or class of individuals exceeds 5,000 people.

Virginia
Statute Citation: Va. Code 18.2-186.6; 2010 H.B. 1039
Overview of Statutory Scheme:
- Establishes specific notification guidelines for those who own and/or manage personal
- Permits the attorney general to impose a civil penalty up to "$150,000 per breach of the security of the system or a series of breaches of a similar nature that are discovered in a single investigation."
- Does not prohibit private rights of action for residents affected by a security breach.
- 2010 H.B. 1039 concerns data breaches involving medical information, with provisions analogous to those of Va. Code 18.2-186.6.
- a civil or criminal investigation, or will jeopardize national or homeland security.
- website, media notification) if the first three methods of notification exceed $50,000 or class of individuals exceeds 100,000 people.

Washington
Statute Citation: Wash. Rev. Code 19.255.010; 2010 H.B. 1149; Wash. Rev. Code Ann. 19.270.010 et seq.
Overview of Statutory Scheme:
- Permits individuals to commence civil actions against violators for damages and injunctions.
- Amended effective July 1, 2010 to include credit/debit card theft as security breach that requires notification and also set recommendations to "encourage" financial institutions to "reissue credit and debit cards to consumers when appropriate, and to permit financial institutions to recoup data breach costs associated with the reissuance from large businesses and card processors who are negligent in maintaining or transmitting card data."
- Washington has adopted anti-spyware law (AG, software provider or website owner may bring action for damages which may be trebled against repeat offenders)

West Virginia
Statute Citation: W.V. Code 46A-2A-101 et seq.
Overview of Statutory Scheme:
- Grants exclusive enforcement power to the attorney general, however, "no civil penalty may be assessed in an action unless the court finds that the defendant has engaged in a course of repeated and willful violations of this article," and the penalty may not exceed $150,000 per breach of security.
- Breaches by financial institutions are exclusively enforceable by the financial institution's primary functional regulator.
- a criminal or civil investigation or homeland or national security.
- website, media notification) if the first three methods of notification exceed $50,000 or class of individuals exceeds 100,000 people.

Wisconsin
Statute Citation: Wis. Stat. 134.98 et seq.
Overview of Statutory Scheme:
- Limits time required to give notification of breach to 45 days.
- an investigation or homeland security.
- Entity is not required to provide notice of personal information acquisition if it does not create material risk of identity theft or fraud, or was acquired in good faith and used for a lawful purpose.
- Notification may be by mail or other method the entity has previously employed to communicate with the subject of the personal information. If the mailing address cannot be reasonably obtained and the entity has not previously communicated, entity must provide notice by method calculated to provide actual notice.
- NOTE: Wisconsin has created the Office of Privacy Protection, focusing on issues of identity theft and consumer protection

Wyoming
Statute Citation: Wyo. Stat. 40-12-501, 502
Overview of Statutory Scheme:
- Also establishes specific guidelines governing theft of and damage to consumer credit, including a credit "security freeze" system by which consumers can attempt to prevent damage to their credit during the process of rectifying the breach.
- Notification may be delayed if law enforcement agency advises notification will seriously impede
- Notification may be written, electronic or by substitute notice (posting to website, media notification) if the first two methods of notification exceed $10,000 for Wyoming-based persons/businesses and $250,000 for all other business operating, but not based in Wyoming, or if the affected class exceeds 10,000 for Wyoming-based persons/businesses and 500,000 for all other business operating, but not based in Wyoming.

www.foleyhoag.com. All rights reserved.