Massachusetts, Illinois, Oregon Enact New Privacy Laws

New privacy laws recently enacted in three states address data security breaches, “phishing,” and identity theft.

Security Breach Notice Law

On August 2, Massachusetts Governor Deval Patrick approved legislation that calls for notification of data security breaches, allows residents to place a security freeze on their consumer credit reports, and establishes rules for the disposal of records containing personal information.

The statute requires that a person, business, or government agency that owns or licenses data including personal information about a Massachusetts resident must provide notice when it knows or has reason to know of a breach of security or that the information was acquired or used by an unauthorized person. The notice must be provided to the person involved, the state attorney general, and the Director of Consumer Affairs and Business Regulation. Enforcement actions may be brought by the attorney general.

The law (House Bill No. 4144, Chapter 82, codified at Massachusetts General Laws, Chapter 43H, Sec. 1 through 6) becomes effective on October 1, 2007, except for the records disposal provision, which becomes effective on February 3, 2008. Text of the law appears at CCH Privacy Law in Marketing ¶32,100.

“Phishing”

The Illinois “Anti-Phishing Act” prohibits the use of the Internet—through e-mail, websites, or other means—to represent oneself, without authority or approval, as a business in an effort to solicit or induce a person to provide identifying information. “Identifying information” under the Act includes Social Security Numbers, driver’s license numbers, bank account numbers, credit or debit card numbers, personal identification numbers (PINs), automated or electronic signatures, account passwords, or any other information that can be used to access financial accounts or to obtain goods or services.

The law provides for enforcement actions by the attorney general and state’s attorney and private suits by Internet Service Providers affect by a violation and individuals who are the ultimate targets of identity theft. ISPs may seek to recover the greater of actual damages or statutory damages of $500,000. Individual victims may seek injunctive relief and the greater of three times the amount of actual damages or $5,000 per violation.

The “Anti-Phishing Act” was approved on August 23 and becomes effective on January 1, 2008. The law appears at CCH Privacy Law in Marketing ¶31,340.


Identity Theft

The Oregon Consumer Identity Theft Protection Act requires businesses to notify residents of data security breaches, allows Oregon resident to place security freezes on their credit reports, and prohibits the printing, communicating, or otherwise making available to the public a consumer’s Social Security Number.

Any individual or business that owns or maintains data that includes a consumer’s personal information must give notice of a breach of security to any consumer whose personal information was included in the information breached. Notification must be made in the most expeditious time possible. A consumer may elect to place a security freeze on his or her consumer report by sending a written request to a consumer reporting agency. The agency must place a security freeze on the within five business days of receiving the request.

The legislation (Senate Bill No. 583, Chapter 759) was signed by Governor Theodore R. Kulongoski on July 12 and will become effective on October 1, 2007. The Consumer Identity Theft Protection Act is published at CCH Privacy Law in Marketing ¶33,700.

CCH Privacy Law in Marketing publishes 138 privacy laws from 46 states and the District of Columbia, in addition to U.S. federal privacy laws, and privacy laws from 35 foreign jurisdictions. Further information regarding Privacy Law in Marketing is available at the CCH Online Store.