July 27, 2005

I. Introduction

As identity theft has garnered increasing national attention in the last year, several states have enacted laws that include provisions which may require companies doing business in those states to notify residents of security breaches and unauthorized access to their personal information.  These state laws are based on California law SB 1386 (California Civil Code § 1798.82), which took effect on July 1, 2003.  While all of the state laws use SB 1386 as a guide, many of them differ in important ways. 

In fact, for companies that do business in multiple states that have enacted breach notification laws, the practical result is that the state with the most easily met notification standard controls whether all customers are notified.  Companies have quickly discovered that once news of a security breach becomes public, notifying only a segment of their customers is not feasible from a customer relationship (and likely potential litigation) standpoint.  Given this reality, companies should consider reviewing their current security policies, procedures, systems and controls that are designed to prevent security breaches.  They should also establish a response plan to handle potential breaches in light of these various state laws.

Similarly, several proposed Congressional bills have also been filed to act as markers in the debate on the need for federal legislation in this area.  It is anticipated that these bills will be actively debated later this year culminating with a new federal law.  Issues that need to be resolved include whether the federal law will preempt stricter state laws, in particular, concerning what standard should apply for when customers will need to be notified of a security breach.

With the original California law as a starting point, this newsletter, along with the attached chart [PDF], outlines the various state consumer notification laws.  The newsletter explains the general provisions that these laws share and highlights areas where they differ.  The newsletter and chart also discuss examples of proposed federal laws in this area, as well as the breach notification guidance for banking organizations that has been issued by the federal banking regulators.

Background.  Over the last two decades, many companies have created and maintain extensive databases of information on individuals.  When such information is improperly or illegally accessed or obtained, it can be used to develop profiles on individuals, creating the potential for identity theft.  This illegal practice has become so common that the Federal Trade Commission recently estimated that up to 10 million Americans have been victimized by identity theft over a 12 month period and that these thefts cost businesses and consumers over $52 billion.[1]

Since identity theft involves fraudulently using personal information to obtain credit or to make purchases, it is believed that customers can protect themselves and mitigate the damage from identity theft by notifying financial services providers and consumer reporting agencies when they become aware that their personal information has been improperly accessed or stolen.  California was the first state to require firms conducting business in the state to notify customers after a security breach of unencrypted personal information.[2]

The California lawcame to national prominence in early 2005 when ChoicePoint, a personal database storage firm, announced that it had been deceived into selling personal information on 145,000 individuals to cyber criminals.[3]  The California breach notification law probably played a key roll in ChoicePoint’s decision to notify all of its customers of the security breach.[4]  Soon after, LexisNexis notified its customers that its personal information database had been breached and information of hundreds of thousands of customers had been accessed.[5]  Even more recently, the Federal Deposit Insurance Corporation (FDIC) informed several thousand current and former employees that their personal information had been breached in 2004.[6]  Finally, MasterCard International recently notified its member banks that its third-party service provider processor had suffered a breach of its payment card data with respect to potentially 40 million accounts.[7]

As a result of these and other incidents, as of June 30, 2005, Arkansas, Delaware, Florida, Georgia, Illinois, Indiana, Minnesota, Montana, North Dakota, and Washington have followed California in adopting the consumer notification legislation.  New York City also adopted a notification law, and the legislatures of Connecticut, Louisiana, Nevada, New Jersey, Rhode Island and Tennessee have passed similar laws and sent these bills to their governors’ desks.  Moreover, the Ohio Attorney General recently filed suit against a firm for failure to notify Ohio customers under the state’s general Consumer Sales Practices Act, even though Ohio does not have a breach notification law.[8]  Finally, the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, and the Office of Thrift Supervision issued joint federal security breach notification guidelines for financial institutions.

II. State Identity Theft Notification Laws: Outline of Key Provisions

A. Entities Covered by the Notification Requirement      

The California law covers an extremely broad scope of firms including “[a]ny person or business that conducts business in California, and that owns or licenses computerized data.”[9]  Many states use similar language.[10]  The Illinois and Nevada laws apply to “data collectors” but define “data collectors” so as to encompass the same firms as the California statute.[11]  Finally, most states include state and local agencies within their definition of covered entities.[12] 

Conversely, some states severely limit the scope of the entities subject to notification requirements.  For example, Georgia’s law is limited to “information brokers,” which only includes “any person or entity who, for monetary fees or dues, engages in whole or in part in the business of collecting, assembling, evaluating, compiling... information concerning individuals for the primary purpose of furnishing personal information to nonaffiliated third parties.”[13]  Furthermore, Indiana’s notification requirement only applies to state agencies.[14]  Finally, New York City limits its law to companies that are licensed or supervised by the city’s Department of Consumer Affairs.[15]

Some states create a special exemption for entities regulated by federal agencies.  Louisiana, North Dakota, Nevada, and Tennessee explicitly exempt financial institutions covered by the Gramm-Leach-Bliley Act.[16]   Florida’s law achieves this same result by exempting all firms subject to federal notification requirement, and Arkansas and Delaware exempt entities that must already notify customers under either state or federal law.[17]   Finally, Minnesota and Rhode Island exempt both financial institutions and firms subject to the Health Insurance Portability and Accountability Act.[18]

B. Definition of Security Breach and Scope of Information Covered

The California law defines a security breach as an “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information.”[19]  Most states use this same language.[20]  The standard uses in Florida, Montana, Nevada and Tennessee, however, require that the breach be “material” in order to trigger the notification requirement,[21] which limits the scope of these states’ laws.

The California law requires disclosure for all security breaches of non-public, unencrypted “personal information.”[22]  All state laws use a similar requirement, with only Rhode Island, New Jersey and New York City providing no explicit exemption for publicly available information.[23] 

The definition of “personal information” varies significantly among the state notification laws.  In California, “personal information” means:  a person’s first name or first initial and last name and any of (1) social security or (2) driver’s license number or California identification number or (3) “Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.”[24]  Several states follow this same definition.[25]

On the other hand, many states have broadened the definition of personal information.  For example, Arkansas requires notification for the security breach of “medical information.”[26]  Moreover, Georgia’s statute does not require that the person’s first or last name have been breached if “the information compromised would be sufficient to perform or attempt to perform identity theft against the person whose information was compromised.”[27]  North Dakota’s definition also includes items like date of birth, mother’s maiden name, identification number assigned by individual’s employer, and electronic signature.[28]

C. Timing and Method of Notification

The California law requires that firms notify customers about their breached personal information in the “most expedient time possible” and “without unreasonable delay.”[29] Almost every state uses this same type of wording.[30]  The only significant departures are Florida, which specifies that notification must be made within 45 days after the firm discovers the breach, and Connecticut, which requires notification 15 days after the firm learns of the breach.[31] 

Almost every state, including California, allows firms to delay notification if a “law enforcement agency determines that the notification will impede a criminal investigation.”[32]  In a possibly troubling difference, Illinois is the only state that does not have this law enforcement exemption.[33]  This difference could be significant, because a firm that loses personal information of an Illinois resident would have to disclose that breach, regardless of the needs of law enforcement.  This would be problematic because disclosure to Illinois resident could compromise the investigation in all states.  Also, New Jersey requires that firms notify the Division of State Police in Department of Law and Public Safety before notifying customers.[34]

California requires that notice usually be made either in writing or electronically.[35]  Most other states provide these two options,[36] with Delaware, Montana, and New York City also allowing telephonic notice.[37]  Almost all the states also allow “substitute notice” if the costs of notification will exceed $250,000, the class affected is over 500,000 or the firm does not have up-to-date contact information.[38]  Delaware allows substitute notice if notification costs exceed $75,000 or that 100,000 residents are effected,[39] while Rhode Island only requires a $25,000 or 50,000 residents threshold.  Moreover, Connecticut allows substitute notice if there have been as few as 100 affected residents.[40]  Substitute notice consists of e-mail where the company has the customers’ e-mail addresses, “conspicuously posting” on the firm’s website, and notification of major statewide media.[41]  While almost every state requires firms to use all three of these methods, Tennessee appears to say that any one of these three is sufficient.[42]  Moreover, Indiana and Connecticut do not require e-mail notice as part of their substitute notice option.[43]

Finally, New York City has a much less rigid substitute notice provision.  It does not set any cost or scope floor but simply provides that if the usual methods of disclosure are “impracticable or inappropriate” then disclosure can be “made by a mechanism of the licensee’s choosing, provided such mechanism is reasonably targeted to the individual in a manner that does not further compromise the integrity of the personal information disclosed and has been approved, or is in compliance with rules promulgated, by the Commissioner.”[44]

Every state with a notification law offers exemptions from its notification procedures.  California, along with most states, allows a firm to bypass these procedures if the firm complies with its own notification procedure and is “otherwise consistent” with the law’s timing requirements.[45]  Connecticut, Indiana, and New York do not have exemptions for a company that has its own notification procedure.[46]  Moreover, Arkansas and Delaware firms to not notify customers if, after “reasonable investigation,” the firms determines that there no reasonable likelihood of harm to customers.[47]  Similarly, Florida provides that if either “appropriate investigation” or consultation with federal, state or local agencies determines that the breach will “not likely result in harm to the individuals,” notification is not required.[48]  Rhode Island allows firms to consult with law enforcement to determine whether the breach created a “significant risk of identity theft” before requiring notification.[49]  New Jersey has an exemption for when a business entity establishes that misuse of the information is not “reasonably possible.”[50]  Finally, Washington provides an exemption if the firm determines that it is “reasonably likely” that the breach will not increase the “risk of criminal activity.”[51]

While California only requires that firms notify their customers after a security breach, some states also require firms to notify consumer reporting agencies.  Florida, Indiana, Nevada, New Jersey and Tennessee mandate notifying these agencies if the breach affects at least 1,000 customers.[52]  Georgia only requires this notification if more than 10,000 customers’ personal information is breached.[53]  Finally, Minnesota requires notifying these agencies within 48 hours if more than 500 customers’ personal information has been compromised.[54]

D. Duty of Non-Owners Who Maintain Computerized Data

California places a duty on firms that only maintain computerized data but do not own that data to notify the owner or licensees of the information in case of a security breach.[55]  Most states have adopted this same requirement.[56]  On the other hand, non-owners in Florida must come to an agreement with owners about who will provide notice[57] and non-owners in New York City must also inform the Department of Consumer Affairs and the police department of any breach.[58]  Non-owners in Rhode Island must only notify the firms that own the information if there is a “significant risk of identity theft.”[59]  Finally, Connecticut provides no special provision for non-owners, and applies its entire notification requirement to those who “maintain” personal information.[60]

E. Enforcement and Penalties

The California law creates a civil cause of action against firms that do not notify California resident after a security breach.[61]  An action could also be brought under California's Business and Professions Code Section 17200, including for attorneys' fees.  Similarly, Louisiana also creates a private right of action,[62] and both Rhode Island and New York City provide for fines and civil penalties for violations.[63]  The Florida statute provides detailed administrative sanctions for failure to inform customers within specified time-limits.[64]  Meanwhile, Minnesota, Montana and Nevada empower their state attorneys general or departments to get injunctions and other remedies against firms that do not notify customers.[65]

III. Proposed Federal Legislation

Outlined below are proposed Congressional bills that have been filed as of June 30, 2005, and serve as examples of items that will need to considered in this debate.  Also, similar bills continue to be filed in the House and Senate Commerce and Banking/Financial Services Committees, including the recent Pryce-Castle-Moore and LaTourette-Hooley bills.  It is anticipated that these Committees will eventually report comprehensive data security and breach notification bills that will form the basis for a new federal law in this area.

 1. Specter-Leahy Personal Data Privacy And Security Act Of 2005.  Senators Arlen Specter of Pennsylvania and Patrick Leahy of Vermont have introduced a comprehensive bipartisan identity theft bill.  The breach notification portion of the bill is in Title IV, Subtitle B, and differs substantially from the California law and all of the other proposed federal breach notification laws.

There are some standard elements in this proposed legislation.  There is a broad definition of entities required to notify, encompassing firms whose activity “involves collective, accessing, using, transmitting, storing or disposing of personally identifiable information.”[66]The law also includes a jurisdiction element, covering only those businesses that “engaged in interstate commerce.”[67]  The definition of security breach is similar to the California law, covering “compromise of the security, confidentiality, or integrity of computerized data” that results in a reasonable likelihood of unauthorized acquisition of “sensitive personal information.”[68]  Moreover, the bill has a broad definition of “sensitive personal information” that basically includes any combination of information that can be used to “identify a specific individual.”[69]

The requirements for scope and timing of the notification also differ from the California law.  Besides requiring notification of residents whose sensitive personally identifiable information has been breached, the proposed bill requires firms to notify the attorney general of each State affected by the breach.[70]  Moreover, if the breach affects 10,000 residents, impacts a database associated with over one million residents, or impacts a database used by the Federal Government or a database that has information about federal employees or federal contractors, the business must notify the Secret Service.  Secret Service then must notify the FBI if the breach is terrorism or espionage-related and must notify the U.S. Postal Inspection Service if mail fraud is involved.[71]  Also, the proposed bill requires businesses to notify consumer reporting agencies if more than 1,000 residents are affected by the breach.[72]  Finally, although the general timing requirement for notification is the same as California, the required notifications to the Secret Service and State attorneys general must be made within fourteen days.[73]

The required method and content of notice also differ from the California law and the other state laws.  First, the proposed bill requires written notice for breaches effecting less than 1,000 residents- and only allows notice by telephone if the firm does not have the residents’ mailing information.  If the breach affects over 1,000 residents, the bill allows notification through “conspicuous posting” on the company’s website.[74]  If the breach effects over 5,000 residents in a state or jurisdiction, the bill allows notification through major media outlets.  Moreover, unlike the state laws, this proposed bill lays out the required content of the notifications companies must send to affected residents.  The notifications must include available victim protection assistance, guidance on how to place a fraud alert, and identity theft victims’ rights.[75]  The bill also requires a breached business to notify customers that the firm pay for the customers to have monthly access to credit reports and credit monitoring for one year.[76]

The bill also has two exemptions from its notification requirement.  First, a company can be exempt from notifying customers and consumer protection agencies if it conducts a “reasonable risk assessment” in consultation with Federal law enforcement and the attorneys general of each State where residents affected by the security breach live.[77]  Second, a business does not need to notify customers if: (1) the breached information cannot be used to facilitate further transactions, (2) the business has a security procedure “reasonably designed to block the use of sensitive personally identifiable information,” and (3) the business has a policy to provide notice after a breach has resulted in fraud or unauthorized transactions.[78]

The proposed bill also has extensive enforcement provisions.  It provides for civil penalties up to $5,000 per violation per day and up to $55,000 per day, and another $5,000 per violation per day and up to $55,000 per day for intentional or willful violations.  Furthermore, it gives the United State Attorney General authority to obtain injunction relief  and damages in federal district court.  Moreover, it empowers state attorneys general to sue for equitable relief and damages after notifying the United States Attorney General.  However, the Attorney General has the right to stay state actions.[79]

 2.  S.115 and S. 751.  Senator Diane Feinstein of California has proposed these laws to create a uniform notification requirement that would preempt state notification laws.[80]  Their scope is similar to California’s, applying to “[a]ny agency, or person engaged in interstate commerce, that owns or licenses electronic data containing personal information.”[81]  Moreover, for S.115, the definitions of security breach, and timing and methods of notification are almost identical to the California requirements.  This includes an exemption for firms that maintain their own reasonable security and notification programs.[82] 

S.751, on the other hand, is more expansive and requires companies to notify customers for breaches of both encrypted and non-electronic personal information.[83]  S.751 also increases the hurdle for firms that want to take advantage of the substitute notice option, increasing the threshold to $500,000 or 500,000 people.[84]  Further, it explicitly does not include any exception for companies to follow their own notification procedures.  Like the Personal Data Privacy And Security Act, S. 751 also requires firms to notify consumer reporting agencies if more than 1,000 residents are affected by the breach.[85]  Finally, S. 751 includes a detailed provision laying out the contents of the required notification.[86]

Like the Specter-Leahy Personal Data Privacy And Security Act, both S.115 and S. 751 have extensive enforcement provisions.  They each allow the Federal Trade Commission and state attorneys general to enforce the statute.  Moreover, each provides for daily monetary fines for non-compliance, with S. 751 allowing for a higher ceiling for daily fines.[87]  Finally, the duty of non-owners/agents that maintain breached data is the same under both S.115 and S.751 as under the California law.[88]

3. S.758.  Senator Charles Schumer has proposed this general bill which is not very detailed or based on the California law.  It applies to “commercial entities”[89] but does not define “security breach.”  While it has a broad definition of “unencrypted sensitive personal information,” it does not have an exemption for publicly available information and does not provide for substitute notice for large security breaches.[90]  Moreover, under S. 758, consumers whose sensitive personal information has been breached would have the right to have the information expunged from the commercial entity’s database.[91]  Finally, similar to S.115 and S.751, the penalty provision allows for daily monetary fines, as well as enforcement by the Federal Trade Commission and state attorneys general.[92]  The legislation also creates an Office of Identity Theft which can exempt firms from their notification requirements.[93]  Also, if a security breach affects over 1,000 people, the commercial entity must notify this Office.[94]

4.  HR. 1069.  Representative Melissa L. Bean has proposed this bill which is based on the California law.  It defines the firms covered in the same way as the California law, but makes an exemption for financial institutions already covered by the Gramm-Leach-Bliley Act.[95]  HR. 1069 gives these financial institutions a different set of guidelines.[96]  Moreover, like S.115 and S.751, it defines security beach to include the loss of both computerized and non-computerized data.[97]  The information covered[98] and the bill’s timing[99] and method of notification[100] are identical to the California law.

The bill does provide an exemption for companies following their own notification procedures, but requires those companies to have a system that protects customers’ information from unauthorized access.[101]  The bill also requires firms to report all breaches to both consumer reporting agencies and to an information clearing house.  This requirement does not have a minimum number of customers affected threshold.[102]  Finally, its penalty and enforcement provisions are essentially the same as S.115 and S.751.[103]

IV. Federal Banking Agencies

On March 29, 2005, the federal banking agencies[104] jointly issued interpretive guidance, the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, pursuant to§501(b) of the Gramm-Leach-Bliley Act, 15 U.S.C. 6801.[105]  The guidance requires agency and customer notification after certain kinds of breaches of sensitive consumer information.  Unlike state laws, the requirements only apply to a "customer" which is an individual who obtains a financial product or service “from a financial institution to be used primarily for personal, family, or household purposes, and who has a continuing relationship with the institution.”

The guidance adopts a broad definition of “sensitive consumer information” which includes any combination of a customer’s name, address or telephone number with the customer’s social security number, driver’s license number, account number, credit or debit card number, or personal identification number or password that would permit access to the customer’s account.  It also includes any combination of components of customer information that would allow someone to log onto or access the customer's account, such as user name and password or password and account number.

Unlike many of the state laws, the requirements are not limited to computerized data.  At the same time, customer notification is only required when a “reasonable investigation” determines that “misuse of its information about a customer has occurred or is reasonably possible.” [106]  Also, as with almost all state laws, an exemption exists for when notification would interfere with a criminal investigation.  Finally, the notification medium is open-ended, like the New York City law, rather than limited to mail and electronic notice.[107]

Financial institutions must also always notify their primary federal regulator whenever a breach occurs.  Unlike state laws, the guidance outlines the contents of the required notifications- describing what information the notifications must include and requiring that the notifications be made in a “clear and conspicuous manner.”

One other final provision is that agents or service providers that maintain breached data are not directly subject to the guidance.  Financial institutions bear the responsibility for breaches and may contract with agents or service providers to establish a system of prompt notification to the financial institution and its customers, if necessary.


Gibson, Dunn & Crutcher lawyers are available to assist in addressing any questions you may have regarding these matters.  For further information, please contact the Gibson Dunn attorney with whom you work or Christopher J. Bellini in the firm's Washington, D.C. office at (202) 887-3693, cbellini@gibsondunn.com.

Copyright © 2005 Gibson, Dunn & Crutcher LLP

   [1]   Federal Trade Commission, Identity Theft Survey Report (Sept. 2003), available at http://www.ftc.gov/os/2003/09/synovatereport.pdf.

   [2]   California's Office of Privacy Protection has also published Recommended Practices on Notification of Security Breach Involving Personal Information, dated October 10, 2003, http://www.privacy.ca.gov

   [3]   Grant Gross, ChoicePoint's Error Sparks Talk of ID Theft Law, IDG News Service, Feb. 23, 2005, available at http://www.pcworld.com/news/article/0,aid,119790,00.asp.

   [4]   Grant Gross, ChoicePoint's Error Sparks Talk of ID Theft Law, IDG News Service, available at http://www.pcworld.com/news/article/0,aid,119790,00.asp.

   [5]   Associated Press, LexisNexis Theft Much Worse Than Thought, Apr. 12, 2005, available at http://msnbc.msn.com/id/7475594/.

   [6]   Jonathan Krim, FDIC Alerts Employees of Data Breach, Washington Post, June 16, 2005, available at http://www.msnbc.msn.com/id/8235963/.

   [7]   American Banker Staff, Huge Data Breach Seen Spurring Legislation,American Banker, page 2, June 20, 2005.

   [8]   Complaint for Declaratory Judgment, Ohio v. DSW, No. 5:05CVH0 6 (Ohio Court of Common Pleas, June 6, 2005).

   [9]   Cal. Civ. Code §1798.82(d)

  [10]   See e.g.,Fla. Laws 817.5681(1)(a); Minn. Laws 325E.61(1)(1)(a)

  [11]   See Ill. H.B. 1633; Nev. Rev. Stat. 52-20

  [12]   See e.g., Ark. Code §4-110-103(9); Tenn. Code §47-18-21(a)(2).

  [13]   Ga. Code §10-1-911(2). 

  [14]   Ind. Code §4-1-11(2). 

  [15]   New York City §20-117(c).

  [16]   See LA. Rev. Stat. §51:3076; N.D. Cent. Code 51-30-06; Nev. 52-24(5(b)); Tenn. Code 47-18-21(h).

  [17]   See Fla. Laws 817.5681(9)(b); Ark. Code §4-110-106; Del. Code. §12B-102(a).

  [18]   See Minn. Laws 325E.61(1)(4); R.I. Gen. Laws §11-49.2-7.

  [19]   Cal. Civ. Code §1798.82(d). 

  [20]   See e.g.N.D. Cent. Code §51-30-01; Wash. Laws §42.17(2).

  [21]   See Fla. Laws 817.5681(4); Mont. Laws §7(4)(a); Nev. 51-19; Tenn. Code §47-18.

  [22]   Cal. Civ. Code §§1798.82(a) and (f). 

  [23]   See R.I. Gen. Laws §11-49.2-7; New Jersey- Assembly, No. 4001, §12; New York City §20-117. 

  [24]   Cal. Civ. Code §1798.82(e). 

  [25]   See e.g., Fla. Laws 817.5681(5); Ark. Code §4-110-106. 

  [26]   See Ark. Code §4-110-103(5). 

  [27]   See Ga. Laws §10-1-911(5). 

  [28]   See N.D. Cent. Code 51-30-02; see also New York City §20-117.

  [29]   Cal. Civ. Code §1798.82(a). 

  [30]   See e.g., Ark. Code §4-110-105(a)(2); Minn. Laws 325E.61(1)(1)(a); Wash. Laws §42.17(2)(1). 

  [31]   See Fla. Laws 817.5681(a)(1); Conn. S.B. 650 § 4(b).

  [32]   See Cal. Civ. Code §1798.82(c); see alsoMont. Laws §30-14-7(3); Tenn. Code §47-18-21(d).

  [33]   Ill. H.B. 1633; see also Letter from Illinois Banker Association to Rod Blagojevich, governor (May 24, 2005) (commenting on this anomaly in the Illinois bill and urging the governor to veto it), available at http://www.ilbanker.com/Adobe/GR_HB1633_Gov_letter.pdf

  [34]   See New Jersey- Assembly, No. 4001, §12(c).   

  [35]   Cal. Civ. Code §1798.82(g). 

  [36]   See e.g.Ark. Code §4-110-105(e); Ga. Code. §10-1-911(3).  

  [37]   See Del. Code. §12B-102(a); Mont. Laws §7(4)(a); New York City §20-117(f).

  [38]   See Cal. Civ. Code §1798.82(g); see e.g., N.D. Cent. Code 51-30-05; Tenn. Code §47-18-21(e).

  [39]   See Del. Code. §12B-101(4).

  [40]   See Conn. S.B. 650 § 4(a).

  [41]   See Cal. Civ. Code §1798.82(g); see e.g., Fla. Laws 817.5681(5); N.D. Cent. Code 51-30-05.

  [42]   See Tenn. Code §47-18-21(e)(3).

  [43]   See Ind. Code §4-1-11(9); Conn. S.B. 650 § 4(a).

  [44]   New York City §20-117(f).

  [45]   See Cal. Civ. Code §1798.82(g); see e.g., Ark. Code §4-110-105(f); Nev. Rev. Stat. 52-24(4).

  [46]   See Conn. S.B. 650; Ind. Code §4-1-11; New York City §20-117

  [47]   See Ark. Code §4-110-105(d); Del. Code. §12B-102(a).

  [48]   See Fla. Laws 817.5681(10)(a).

  [49]   R.I. Gen. Laws §11-49.2-3.

  [50]   New Jersey- Assembly, No. 4001, §12(a).

  [51]   Wash. Laws §2(10)(d)).

  [52]   SeeFla. Laws 817.5681(12); Ind. Code 4-1-11(§10); Nev. Rev. Stat. 52-24(6); New Jersey- Assembly, No. 4001, §12(c); Tenn. Code §47-18-21.

  [53]   See Ga. Code §10-1-912(d).

  [54]   See Minn. Laws 325E.61(1)(2).

  [55]   See Cal. Civ. Code §1798.82(b).

  [56]   See e.g., Ill. H.B. 1633(10)(b); Minn. Laws 325E.61(1(1)(b)).

  [57]   SeeFla. Laws 817.5681(2)(a)

  [58]   New York City §20-117(b)).

  [59]   See R.I. Gen. Laws §11-49.2-6.

  [60]   See Conn. S.B. 650 §4(a).

  [61]   Cal. Civ. Code §1798.82.

  [62]   La. Rev. Stat. § 51:3075.

[63]   See R.I. Gen. Laws §11-49.2-7; New York City §20-117(b).

[64]   Fla. Laws 817.5681(1)(b).

 [65]   See Minn. Laws 325E.61(1)(1)(b); Mont. Laws §7(2); Nev. Rev. Stat. 52-28.

  [66]   See §241(a).

  [67]   See §241(a).

  [68]   See §3(10).

  [69]   See §3(11).

  [70]   See §421(a)(1)(B).

  [71]   See §421(a)(1).        

  [72]   See §421(b).

  [73]   See §422(b). 

  [74]   See §422(b).

  [75]   See §423.                

  [76]   See §423 and §425.                

  [77]   See §424(a).      

  [78]   See §424(b)(1).

  [79]   See §426.

  [80]   See §5 of both S.115 and S. 751.

  [81]   See §3(a)(1) of both S.115 and S. 751.

  [82]   See §2(2), §3(a) of S. 115.

  [83]   See §3(a)(1) of S. 751

  [84]   See §3(a)(5) of S. 751.

  [85]   See §3(a)(8) of S.751; see supra Section II, part C.

  [86]   See §3(a)(7) of S. 751.

  [87]   See §3 of both S. 115 and S. 751.

  [88]   See §(3)(3) of both S. 115 and S. 751.

  [89]   See §2(1).

  [90]   See §8(a).

  [91]   See §8(d).

  [92]   See §8(c).

  [93]   See §8(b)(3)(B).

  [94]   See §8(a)(2).

  [95]   See §3(a)(1).

  [96]   See §526.

  [97]   See §2(2).

  [98]   See §2(4).

  [99]   See §3(a)(3).

[100]   See §3(a)(5).

[101]   See §3(a)(6)

[102]   See §3(a)(1)(B); §3(a)(8)(B).

[103]   See §3(b); §6.

[104]   These agencies include: the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of Thrift Supervision.

[105]   Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, 70 Fed. Reg. 15736 (March 29, 2005), available at http://www.occ.treas.gov/consumer/Customernoticeguidance.pdf.  The guidance supplements the Interagency Guidelines Establishing Standards for Safeguarding Information which was renamed the Interagency Guidelines Establishing Information Security Standards.

[106]   See supra Section II, part C.

[107]   See id.