On December 22, 2014, Indiana became the latest state to propose legislation that will provide greater safeguards for personal and financial information online. The move in Indiana follows similar moves in California, New Jersey, New York and Oregon to amend or to propose to amend existing law to provide for greater protection of personal data.

In Indiana, the proposed legislation will include the following provisions: (i) safe data storage provisions requiring online operators that store personal or financial data to store data securely and not retain data beyond what is necessary for business purposes/processes; (ii) data breach harm reduction amendments to existing law, requiring more prompt and informative notification to affected consumers; and (iii) privacy policy transparency obligations, requiring website operators and online entities that collect personal or financial information from Indiana residents to conspicuously post their privacy policies online. The proposed law also would require that the online policies identify what personal information the operator collects from site visitors and whether (and with whom) the operator shares or sells any of that information.

In New Jersey, on December 15, 2014, the state assembly unanimously approved a bill designed to better protect consumers from identity theft. Under the bill, the existing definition of “personal information” would be amended and expanded to include a combination of user name or email address with any password or security question and answer that would permit access to an online account. Violators would be subject to the penalty provisions under the existing Identity Theft Prevention Act, which makes violators liable for actual damages, and in the case of willful violations, subject to potential punitive damages.

In New York, in September 2014, the assembly introduced a bill that would amend New York’s data breach notification law. The proposed amendment would require entities that conduct business in New York state to develop, implement and maintain a comprehensive information security program which must be consistent with the safeguards for protection of personal information. The New York Amendment would impose requirements very similar to those in Massachusetts. Violators of the law would be subject to a court-imposed penalty of up to $150,000 in addition to other civil remedies available to plaintiffs under existing law.

In Oregon, on December 10, 2014, the state attorney general testified before the legislature in support of legislation to better protect personal data. Currently, Oregon is one of only a handful of states that does not give data breach notification enforcement power to the state Department of Justice. The attorney general proposed granting the state Department of Justice enforcement power and expanding the existing theft prevention laws to cover medical, insurance and biometric information.

For recent changes in California, please see here.

Reporter, Andrew K. Crawford, Washington, DC, +1 202 626 5512, dcrawford@kslaw.com.