Mo-mentum on centralized breach reporting?
A Missouri state bill requiring notification of the state attorney general as well as of individuals whose records have been exposed just took a step closer to becoming law.
As reported in the St. Louis Business Journal on April 1:
Missouri businesses would be required to notify consumers when their personal or financial information is compromised in security breaches, under a bill that received initial approval Wednesday from the Missouri Senate.
[…]
If the personal information of more than 1,000 Missourians has been breached, companies would be required to notify the state attorney general’s office, which would have the authority to seek civil penalties up to $150,000 per security breach, under the bill.
The legislation needs a second vote of approval before moving to the House for similar consideration.
St. Louis Business Journal
Should the bill become law, Missouri would become one of several states requiring centralized notification to state authorities for at least some breaches.
Which states?
Davi:
See http://datalossdb.org/us_states for details on states with (and without) centralized reporting. As you might expect, there is some variation across states as to the scope of who must report, and under what circumstances.
The National Council of State Legislatures has excellent details on legislation across states as well:
http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm