Reggi is the free generative AI assistant for regulatory compliance
Cyber Security
Can you summarize HB-6607?
This Act aims to incentivize businesses to adopt cybersecurity standards. It applies to businesses that access, maintain, communicate, or process personal information or restricted information in or through systems, networks, or services located in or outside Connecticut. The Act defines key terms such as ‘business,’ ‘covered entity,’ ‘data breach,’ ‘personal information,’ and ‘restricted information.’ In tort actions alleging a data breach resulting from the failure to implement reasonable cybersecurity controls, the Superior Court shall not assess punitive damages against a covered entity if it has a written cybersecurity program that complies with an industry recognized cybersecurity framework.
Can you summarize SB2075?
This legislative document, Senate Bill No. 2075, creates and enacts chapter 26.1-02.2 of the North Dakota Century Code, which governs insurance data and security. The chapter defines various terms related to insurance data and security, including ‘authorized individual,’ ‘consumer,’ ‘cybersecurity event,’ ‘information security program,’ ‘information system,’ ‘licensee,’ ‘multi-factor authentication,’ ‘nonpublic information,’ ‘person,’ ‘publicly available information,’ ‘risk assessment,’ and ‘third-party service provider.’ The chapter establishes exclusive state standards applicable to licensees for data security, investigation of cybersecurity events, and notification to the commissioner.
Can you summarize S 05575?
The Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) amends the general business law and the state technology law in relation to notification of a security breach. It applies to any person or business that owns or licenses computerized data containing private information. The act requires the disclosure of any breach of the security system to affected New York residents in a timely manner. There are exemptions for inadvertent disclosures by authorized persons if it is determined that no harm is likely to result.
Can you summarize 12 CFR Part 208, Subpart F?
This section of the Code of Federal Regulations, specifically Regulation H issued by the Board of Governors of the Federal Reserve System, governs the filing of Suspicious Activity Reports (SARs) by member banks. The purpose of this section is to ensure that member banks file SARs when they detect known or suspected violations of federal law, suspicious transactions related to money laundering activities, or violations of the Bank Secrecy Act. The section provides definitions for key terms such as FinCEN (Financial Crimes Enforcement Network) and institution-affiliated party.
Can you summarize 12 CFR Part 222, Subpart J?
This section of the Code of Federal Regulations, under the Fair Credit Reporting (Regulation V), outlines the duties of financial institutions and creditors in detecting, preventing, and mitigating identity theft. It applies to member banks of the Federal Reserve System, their subsidiaries, branches and agencies of foreign banks, commercial lending companies owned or controlled by foreign banks, and organizations operating under section 25 or 25A of the Federal Reserve Act. The section defines various terms related to identity theft and requires financial institutions and creditors to periodically identify covered accounts and conduct a risk assessment.
Can you summarize 12 CFR Part 225, Subpart N?
The provided legal document content pertains to the Computer-Security Incident Notification for banking organizations. It is governed by the Code of Federal Regulations, specifically Regulation Y issued by the Board of Governors of the Federal Reserve System. The purpose of this subpart is to promote the timely notification of computer-security incidents that may materially and adversely affect Board-supervised entities. The document defines various terms used in the subpart, including banking organization, bank service provider, business line, computer-security incident, covered services, designated financial market utility, and person.
Can you summarize 12 CFR Part 308, Subpart R?
This document governs the submission and review of safety and soundness compliance plans and the issuance of orders to correct safety and soundness deficiencies. It applies to insured state nonmember banks, state-licensed insured branches of foreign banks subject to section 39 of the Federal Deposit Insurance Act, and state savings associations. The document specifies that a bank or state savings association must file a written safety and soundness compliance plan with the FDIC within 30 days of receiving a request, unless a different filing period is specified by the FDIC.
Can you summarize 12 CFR Part 364?
The provided legal document content pertains to the standards for safety and soundness in the banking industry. It states that the Interagency Guidelines Establishing Standards for Safety and Soundness, as set forth in appendix A, apply to insured state nonmember banks, state-licensed insured branches of foreign banks subject to section 39 of the Federal Deposit Insurance Act, and state savings associations. Additionally, the document mentions the Interagency Guidelines Establishing Information Security Standards, which apply to the mentioned entities as well as their subsidiaries, except for brokers, dealers, persons providing insurance, investment companies, and investment advisers.
Can you summarize 12 CFR Part 749?
The provided legal document content pertains to the records preservation program and record retention guidelines for federally insured credit unions. The regulation requires credit unions to establish a written records preservation program to identify, store, and reconstruct vital records in the event of record destruction. It also provides recommendations for restoring vital member services. Credit unions are required to have a written program that includes plans for safeguarding records and reconstructing vital records.
Can you summarize 16 CFR Part 314?
The provided legal document, found in the Code of Federal Regulations under the Federal Trade Commission, establishes standards for safeguarding customer information. It applies to financial institutions, including mortgage lenders, finance companies, collection agencies, and investment advisors, over which the Federal Trade Commission has jurisdiction. The purpose of the document is to ensure the security, confidentiality, and integrity of customer information by requiring financial institutions to develop, implement, and maintain reasonable administrative, technical, and physical safeguards.
Can you summarize 16 CFR Part 682?
The provided legal document content pertains to the proper disposal of consumer information under the Fair Credit Reporting Act. It applies to any person who maintains or possesses consumer information for a business purpose. The document requires such persons to take reasonable measures to protect against unauthorized access or use of the information during its disposal. Reasonable measures include burning, pulverizing, or shredding papers containing consumer information, destroying or erasing electronic media, entering into a contract with a certified record destruction company, and implementing policies and procedures to protect against unauthorized disposal.
Can you summarize 39 CFR Part 267?
The provided legal document content pertains to the protection of information and records within the United States Postal Service (USPS). The document establishes the policy of the Postal Service to maintain definitive and uniform information security safeguards. These safeguards aim to ensure the effective operation of the Postal Service through appropriate controls over critical information and to protect personal privacy, the public interest, and national security by limiting unauthorized access to restricted and national security information.
Can you summarize 45 CFR Chapter A, Subchapter C?
The provided legal document content pertains to the implementation of standards and requirements related to administrative data standards and related requirements. It applies to health plans, health care clearinghouses, health care providers who transmit health information in electronic form, and business associates. The document does not provide specific exemptions. Violations of the requirements may result in the imposition of civil money penalties. The document also outlines the process for requesting exception determinations, which involves submitting a written request to the Secretary of the Department of Health and Human Services.
Can you summarize HB3746?
This Act, H.B. No. 3746, relates to certain notifications required following a breach of security of computerized data. It amends Section 521.053 of the Business & Commerce Code. The Act requires persons who are required to disclose or provide notification of a breach of system security to notify the attorney general of that breach within 60 days if the breach involves at least 250 residents of Texas. The notification must include a detailed description of the breach, the number of affected residents, measures taken regarding the breach, any intended measures after the notification, and information regarding law enforcement involvement.
Can you summarize 12 USC 1831p1?
This legal document, found in the United States Code under the section for the Federal Deposit Insurance Corporation, establishes standards for safety and soundness in the banking industry. It applies to all insured depository institutions. The document outlines operational and managerial standards that must be followed, including internal controls, loan documentation, credit underwriting, interest rate exposure, asset growth, and compensation. It also requires appropriate Federal banking agencies to prescribe standards related to asset quality, earnings, and stock valuation.
Can you summarize 15 USC 6801?
This legal document, as stated in section 6801 of the United States Code, establishes the policy that financial institutions have an obligation to respect the privacy of their customers and protect the security and confidentiality of their nonpublic personal information. The document requires agencies or authorities, excluding the Bureau of Consumer Financial Protection, to establish appropriate standards for financial institutions under their jurisdiction. These standards include administrative, technical, and physical safeguards to ensure the security and confidentiality of customer records and information, protection against threats or hazards to the integrity of such records, and prevention of unauthorized access or use that could harm customers.
Can you summarize 15 USC 6805?
This section outlines the enforcement of the subchapter and regulations related to the disclosure of nonpublic personal information. The enforcement is carried out by various entities depending on the type of financial institution or person subject to their jurisdiction. The Bureau of Consumer Financial Protection, Federal functional regulators, State insurance authorities, Federal Trade Commission, Board of the National Credit Union Administration, Securities and Exchange Commission, and applicable State insurance authorities are responsible for enforcing the subchapter and regulations.
Can you summarize 15 USC Chapter 41, Subchapter III?
These legal documents govern various aspects of consumer reporting agencies, consumer credit protection, credit reporting agencies, and related topics. They establish the framework and terminology for the regulation of consumer credit reporting agencies, define key terms, and outline the permissible purposes for which consumer reports can be furnished. The documents also specify the requirements for information contained in consumer reports, including exclusions and exemptions. They address identity theft prevention, fraud alerts, and active duty alerts, as well as the block of information resulting from identity theft.
Can you summarize 42 USC Chapter 7, Subchapter XI, Part C?
This legal document provides definitions for key terms used in the Health Insurance Portability and Accountability Act (HIPAA) Administrative Simplification provisions. It applies to health care providers, health care clearinghouses, health plans, and other entities involved in the processing of health information. The document defines terms such as ‘code set’, ‘health care clearinghouse’, ‘health care provider’, ‘health information’, ‘health plan’, ‘individually identifiable health information’, ‘standard’, ‘standard setting organization’, and ‘operating rules’.
Can you summarize Chapter 46A WVCO?
The West Virginia Consumer Credit and Protection Act governs consumer credit sales, consumer leases, and consumer loans in West Virginia. It applies to natural persons who incur debt or other obligations in these transactions. The act provides definitions for various terms used in the document and establishes the legal framework for consumer credit and protection in West Virginia. It governs the powers of persons making consumer credit sales and consumer loans, as well as others involved in consumer protection.
Can you summarize WVCO Chapter 5A, Article 6B?
The provided legal document content pertains to the cybersecurity program within the West Virginia Department of Administration. It establishes the West Virginia Cybersecurity Office within the Office of Technology, which is responsible for setting standards for cybersecurity and managing the cybersecurity framework. The document applies to all state agencies, except for higher education institutions, the State Police, state constitutional officers, the Legislature, and the Judiciary. It defines key terms related to cybersecurity and aims to provide guidance for organizations to assess and improve their ability to prevent, detect, and respond to cyber incidents.
Can you summarize WVCO Chapter 5A, Article 6C?
This legal document found in the West Virginia Code under the Department of Administration pertains to the reporting of qualified cybersecurity incidents. It applies to all state agencies within the executive branch, constitutional officers, all local government entities, county boards of education, the Judiciary, and the Legislature. The document states that qualified cybersecurity incidents must be reported to the Cybersecurity Office before any citizen notification, but no later than 10 days after determining that the entity experienced a qualifying cybersecurity incident.
Can you summarize MGL Chapter 66A?
This section of the Massachusetts General Law governs the duties of holders maintaining personal data systems. It applies to all holders maintaining personal data systems. The section outlines various responsibilities and requirements for these holders. They are required to designate an individual responsible for ensuring compliance with the requirements of this chapter. Holders must inform their employees about the safeguards, rules, and regulations related to the personal data system. They are not allowed to provide access to personal data to any agency or individual unless authorized by statute or regulations.
Can you summarize MGL Chapter 93A, Section 4?
This section of the Massachusetts General Law governs the actions that the attorney general can take against individuals or entities using or intending to use methods, acts, or practices declared unlawful. The attorney general can bring an action in the name of the commonwealth to restrain such use through temporary restraining orders, preliminary or permanent injunctions. The action can be brought in the superior court of the county where the person resides or has their principal place of business, or in Suffolk county with consent or if the person has no place of business within the commonwealth.
Can you summarize SDCL Chapter 22-40?
The legal document addresses various aspects of identity crimes in South Dakota. It defines identity theft as obtaining, possessing, transferring, using, or attempting to obtain identifying information without authorization, or accessing financial resources using identifying information without permission. Identity theft is a Class 6 felony. The document also specifies the types of notice that must be provided in the event of a breach of system security, including written notice, electronic notice, or substitute notice.
Can you summarize Tex. Bus. & Com. Section 501.052?
(a) A person may not require an individual to disclose the individual’s social security number to obtain goods or services from or enter into a business transaction with the person unless the person: (1) adopts a privacy policy as provided by Subsection (b); (2) makes the privacy policy available to the individual; and (3) maintains under the privacy policy the confidentiality and security of the social security number disclosed to the person.
Can you summarize LAAC Title 16?
The provided legal document content includes information on various housing programs in Louisiana. The Louisiana Open Housing Act requires programs seeking exemption to be specifically designed and operated to assist elderly persons. The attorney general or his designee must provide a final administrative disposition of a complaint within one year, unless impractical. The Louisiana Housing Finance Act establishes the Louisiana Housing Finance Agency as the governing body and outlines the requirements for applicants seeking agency moneys or services.
Can you summarize MDCM State Gov't, Title 9, Subtitle 29?
This legal document establishes the Maryland Cybersecurity Council, which is responsible for coordinating and enhancing cybersecurity measures in the state. The Council consists of various government officials, representatives from cybersecurity companies, business associations, institutions of higher education, crime victims organizations, industries susceptible to cybersecurity attacks, and federal agency representatives. The Council is chaired by the Attorney General or their designee, and the University of Maryland Global Campus provides staff support. The Council’s responsibilities include conducting risk assessments for critical infrastructure, assisting infrastructure entities in complying with federal cybersecurity guidance, promoting adoption of cybersecurity frameworks, examining inconsistencies between state and federal laws, recommending a comprehensive state strategic plan for cybersecurity, and suggesting legislative changes.
Can you summarize KSST 75-7236?
K.S.A. 75-7236 through 75-7243, and amendments thereto, shall be known and may be cited as the Kansas cybersecurity act. History: L. 2018, ch. 97, 1; July 1.
Can you summarize NYCL STT 208?
This legal document, known as the Internet Security and Privacy Act, governs the notification of data breaches and the protection of private information in the state of New York. It defines ‘private information’ as personal information combined with specific data elements, such as social security numbers, driver’s license numbers, account numbers, credit or debit card numbers, and biometric information. The document requires state entities that own or license computerized data containing private information to disclose any breach of the security system to affected residents of New York state.
Can you summarize AKST 45.48.010?
The provided legal document pertains to the disclosure of breach of security under the Alaska Statutes’ Trade and Commerce section, specifically the Personal Information Protection Act. It requires covered persons who own or license personal information on a state resident to disclose any breach of the security of the information system containing personal information to each affected state resident. The disclosure must be made in the most expeditious time possible and without unreasonable delay, except as provided in AS 45.
Can you summarize NCGS 75-60?
This Article shall be known and may be cited as the ‘Identity Theft Protection Act’. (2005-414, s. 1.)
Can you summarize OHRC Chapter 1354?
This legal document pertains to businesses maintaining recognized cybersecurity programs. It defines key terms such as ‘Business’, ‘Covered entity’, ‘Data breach’, ‘Personal information’, and ‘Restricted information’. The document outlines the requirements for covered entities to qualify for an affirmative defense under sections 1354.01 to 1354.05 of the Ohio Revised Code. Covered entities must create, maintain, and comply with a written cybersecurity program that contains safeguards for the protection of personal information or both personal information and restricted information.
Can you summarize Civ Code CACL 1798.91.04?
This legal document, found in the California Civil Code, pertains to the security of connected devices. It requires manufacturers of connected devices to equip the devices with reasonable security features that are appropriate to the nature and function of the device, as well as the information it may collect, contain, or transmit. These security features should be designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.
Can you summarize 6 DECO 1201C?
This chapter shall be known and may be cited as the Delaware Online Privacy and Protection Act. 80 Del. Laws, c. 148, 1;
Can you summarize 38 SCCL Chapter 99?
The South Carolina Insurance Data Security Act establishes standards for data security and the investigation of and notification to the director of a cybersecurity event applicable to licensees. It does not create or imply a private cause of action for violations. The Act applies to licensees, including insurers and producers, subject to certain exemptions. Licensees must comply with notification requirements in the event of a cybersecurity event. The Act also governs the investigation of cybersecurity events, maintenance of records, and the development, implementation, and maintenance of a comprehensive written information security program.
Can you summarize Chapter 9A.90 WARC?
The provided legal document contains definitions related to the Washington cybercrime act, which governs cybercrime activities within the state of Washington. The document defines various terms such as ‘access’, ‘cybercrime’, ‘data’, ‘data network’, ‘data program’, ‘data services’, ‘data system’, ‘electronic tracking device’, ‘identifying information’, ‘malware’, ‘white hat security research’, and ‘without authorization’. It does not specify any exemptions or penalties for non-compliance or violation of the Washington cybercrime act. The document also includes provisions for cyber harassment and cyberstalking, outlining the elements of these crimes and the associated penalties.
Can you summarize HIRS Chapter 128B?
This legal document establishes the position of the Hawaii cybersecurity, economic, education, and infrastructure security coordinator. The coordinator is responsible for overseeing cybersecurity and cyber resiliency matters, including cybersecurity, economic, education, and infrastructure security for the State of Hawaii. The coordinator is placed within either the state department of defense or the department of law enforcement, depending on the effective date of the subsection. The coordinator partners with various entities, including the Hawaii state fusion center, the Hawaii state cyber resiliency center, federal and state government agencies, the counties of the State, institutions of higher education, and entities within the power, water, communications, transportation, and finance sectors.
Can you summarize RIGL Title 11, Chapter 49.3?
The Identity Theft Protection Act of 2015 governs the breach of security of personal information maintained by municipal agencies, state agencies, and persons. It defines ‘breach of the security of the system’ as unauthorized access or acquisition of unencrypted, computerized data information compromising the security, confidentiality, or integrity of personal information. Good-faith acquisition of personal information by an employee or agent of the agency for agency purposes is not considered a breach, provided the information is not used or further disclosed without authorization.
Can you summarize AZRS 18-105?
This legal document establishes the statewide information security and privacy office within the department. The office serves as the strategic planning, facilitation, and coordination office for information technology security in the state of Arizona. The individual budget units are responsible for maintaining operational responsibility for information technology security. The document outlines the duties of the statewide information security and privacy office, which include developing and ensuring compliance with a coordinated statewide assurance plan for information security and privacy, conducting compliance reviews, identifying risks, monitoring compliance, and coordinating awareness and training programs.
Can you summarize 42 CTGS 901?
This legal document pertains to the adoption of cybersecurity controls by businesses in Connecticut. It defines key terms such as ‘business’, ‘covered entity’, ‘data breach’, ‘personal information’, and ‘restricted information’. The document states that in tort actions alleging failure to implement reasonable cybersecurity controls resulting in a data breach, the Superior Court shall not assess punitive damages against a covered entity if it has a written cybersecurity program that complies with an industry recognized cybersecurity framework.