Since publication (in February) of our interactive guide to state data breach disclosure laws, the following states (and D.C.) have passed new legislation.
Alaska:
Full text of Alaska breach disclosure law [pdf]:
http://www.legis.state.ak.us/PDF/25/Bills/HB0065Z.PDF
Notification: As soon as possible, without unreasonable delay
Civil penalty of up to $500 for each resident who was not notified. Total penalty may not exceed $50,000.
Exemption: Publicly available government data
Disclosure not required if it is determined that there is not a reasonable likelihood that harm to the affected consumers will result.
Disclosure may be delayed if law enforcement officials determine it will interfere with a criminal investigation.
Iowa:
Full text of Iowa breach disclosure law:
http://coolice.legis.state.ia.us/Cool-ICE/default.asp?category=billinfo&service=billbook&GA=82&hbill=SF2308
Notification: As soon as possible, without unreasonable delay
Disclosure not required if it is determined that there is not a reasonable likelihood that harm to the affected consumers will result.
Disclosure may be delayed if law enforcement officials determine it will interfere with a criminal investigation.
South Carolina:
Full text of South Carolina breach disclosure law:
http://www.scstatehouse.net/sess117_2007-2008/bills/453.htm
Notification: As soon as possible, without unreasonable delay
Law allows state residents to place security freezes on their consumer credit reports
Virginia:
Full text of Virginia breach disclosure law:
http://leg1.state.va.us/cgi-bin/legp504.exe?000+cod+18.2-186.6
Notification: Without unreasonable delay
Civil penalty not to exceed $150,000 for violations
Exemption: Publicly available government data
Law does not apply to criminal intelligence maintained by law-enforcement agencies of the state and the organized Criminal Gang File of the Virginia Criminal Information Network (VCIN)
Washington D.C.:
Full text of Washington D.C. breach disclosure law [pdf]:
http://www.dccouncil.washington.dc.us/images/00001/20061218135855.pdf
Notification: As soon as possible, without unreasonable delay
Civil penalty not to exceed $100 for each violation
West Virginia:
Full text of West Virginia breach disclosure law:
http://www.legis.state.wv.us/Bill_Text_HTML/2008_SESSIONS/RS/BILLS/SB340%20SUB1.htm
Notification: Without unreasonable delay
Disclosure may be delayed if law enforcement officials determine it will interfere with a criminal investigation.
No civil penalty unless the court finds that the defendant has engaged in a course of repeated and willful violations. Civil penalty shall not exceed $150,000 per breach.