PRIVACY REGULATIONS

U.S. Legislation



Federal Legislation


Check Clearing for the 21st Century Act
The United States Check Clearing for the 21st Century Act (Check 21), effective October 2004, enables banks to improve check processing by allowing them to handle more checks electronically, making check processing faster and more efficient. The Act allows banks to issue substitute checks in place of original checks. For example, customers who receive cancelled checks with their monthly account statement may begin to receive substitute checks. Substitute checks are considered proof of payment.


Economic Espionage Act
The Economic Espionage Act of 1996 (EEA) made it a criminal offence to steal trade secrets, defined as “all forms and types of financial, business, scientific, technical, economic or engineering information” that the owner has taken reasonable measures to keep secret and that is not known to the public. The legislation applies to information in any form.


Fair and Accurate Credit Transactions Act
The Fair and Accurate Credit Transactions Act, 2003 (FACTA) was enacted in December 2003 with more specific document destruction rules coming into effect on June 1, 2005. FACTA amended the existing Fair Credit Reporting Act providing consumers, companies, consumer reporting agencies and regulators with new tools to expand consumer access to credit, enhance the accuracy of consumer financial information, and help fight identity theft. FACTA is administered by the Federal Trade Commission (FTC).




Family Educational Rights and Privacy Act
The Family Educational Rights and Privacy Act (FERPA) (20 USC §1232g, 34 CFR Part 99) is a federal U.S. law that protects the privacy of student education records.


Gramm-Leach-Bliley Act
The Financial Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act (GLB Act), protects the privacy of consumer information held by financial institutions and requires companies to give consumers privacy notices that explain the institutions’ information-sharing practices. The Act also provides consumers with the right to limit some sharing of their information.


Health Insurance Portability and Accountability Act
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a United States federal law that requires health care organizations to “maintain reasonable and appropriate, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information.” Protected health information (PHI) includes patient medical records, patient logs, insurance, billing and other personally identifiable health information.


Identity Theft Penalty Enhancement Act
The Identity Theft Penalty Enhancement Act of 2004 established a new federal crime, aggravated identity theft, outlined under “offenses” in the Act: Offenses – (1) In general – Whoever, during and in relation to any felony violation enumerated in subsection (c), knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person shall, in addition to the punishment provided for such felony, be sentenced to a term of imprisonment of 2 years. (2) Terrorism offense – Whoever, during and in relation to any felony violation enumerated in section 2332b(g)(5)(B), knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person or a false identification document shall, in addition to the punishment provided for such felony, be sentenced to a term of imprisonment of 5 years.




Sarbanes-Oxley Act
Enacted following a series of high-profile accounting scandals in the United States, most notably Enron and WorldCom, the Sarbanes-Oxley Act of 2002 (SOX) is intended to enhance corporate responsibility and financial reporting as well as combat corporate and accounting fraud. It is one of the most complex pieces of legislation passed in the United States in recent years and includes some of the most far-reaching reforms of American business practices since the 1930s.


USA Patriot Act
The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (USA Patriot Act) was enacted in October 2001 in an effort to “deter and punish terrorist acts in the United States and around the world, to enhance law enforcement investigator tools and for other purposes.”


US Safe Harbor Program
The European Union’s Directive on Data Protection prohibits the transfer of personal data to US companies which do not meet the Commission’s standards for privacy protection.


State Legislation



Arizona House Bill 2351
The Arizona legislature introduced House Bill 2351, the Identity Theft Omnibus Bill. If enacted, the Bill will amend Arizona’s Revised Statutes to address various identity theft issues.


California Senate Bill 1386
California was the first U.S. state to have an agency, the Office of Privacy Protection, dedicated to promoting and protecting the privacy rights of consumers. The State has a number of laws related to privacy and identity theft including Senate Bill 1386 (SB 1386). Since July 2003, businesses and individuals that maintain computerized data that includes specified personal information must disclose any breach of the security of that data. The legislation is designed to give companies the incentive to take proactive steps to ensure that their customers do not become victims of identity theft.




Florida Unlawful Use of Personal Identification Information Act
The Florida Unlawful Use of Personal Identification Information Act (HB 481) requires businesses to notify individuals when a security breach results in their personal information being released to unauthorized parties if the breach has or will likely result in harm to the affected individuals. The Act specifies the notification steps businesses must follow in the event of a security breach.


Georgia Senate Bill 475
Georgia is one of the most aggressive states in the United States in fighting identity theft, introducing its first identity theft legislation in 1998 making identity theft a felony. The 1998 law was updated in 2002 by Senate Bill 475 to recognize that people whose identities are stolen are victims even if they do not suffer financial loss. Also, the law requires companies to securely dispose of all consumer identity information.


Illinois Personal Information Protection Act
The Illinois Personal Information Protection Act (HB 1633) requires businesses to notify individuals when a security breach results in their personal information being released to unauthorized parties. The Act specifies the notification steps businesses must follow in the event of a security breach.


Louisiana Database Security Breach Notification Law
The Louisiana Database Security Breach Notification Law (SB 205) requires businesses to notify Louisiana residents when a security breach results in their unencrypted personal information being released to unauthorized parties and there is reasonable likelihood of harm to customers. The Act specifies the notification steps businesses must follow in the event of a security breach.


Maine Notice of Risk to Personal Data Act
The Maine Notice of Risk to Personal Data Act (LD 1671) requires information brokers to notify individuals when a security breach results in their personal information being released to unauthorized parties. The Act specifies the notification steps information brokers must follow in the event of a security breach.




Minnesota Security Breach Disclosure Act
The Minnesota Bill H.F. No. 2121 requires businesses to notify individuals when a security breach causes their personal information to be released to unauthorized parties. The Bill specifies the notification steps businesses must follow in the event of a security breach.


Montana Law regarding Identity Theft and Security Breaches
Montana’s Identity Theft Act (HB 732) requires businesses to notify individuals when a security breach results in their personal information being released to unauthorized parties if that breach causes or is reasonably believed to cause loss or injury to a Montana resident. The Act specifies the notification steps that businesses must follow in the event of a security breach. Additionally, the Act specifies that Montana businesses must take reasonable steps to destroy customer records that are no longer needed, if they contain personal information by “shredding, erasing, or otherwise modifying the personal information”.


Nevada Senate Bill 347
Nevada Senate Bill 347 requires businesses to notify individuals when a security breach results in their personal information being released to unauthorized parties. The Bill specifies the notification steps businesses must follow in the event of a security breach.


New Jersey Identity Theft Prevention Act
New Jersey’s Identity Theft Prevention Act (ITPA) protects individuals from identity theft in various ways, including:
- requiring consumer credit reporting agencies to place security freezes on consumer reports upon request
- requiring businesses that collect digital records containing personal information to notify individuals whose personal data is compromised
- limiting the use of social security numbers as general identifiers
- requiring businesses to destroy personal information that is no longer needed.




New York Information Security Breach and Notification Act
The New York Information Security Breach and Notification Act (A04254) requires businesses to notify affected individuals when a security breach results in their private information being released to unauthorized parties. The Act specifies the notification steps businesses must follow in the event of a security breach.


North Carolina Identity Theft Protection Act
The North Carolina Identity Theft Protection Act (Senate Bill 1048) guards against the misuse of North Carolina residents’ personal information. The Act mandates the proper disposal of records containing sensitive information, limits the legal uses of social security numbers, and grants consumers the right to put a credit freeze in place to prevent identity thieves from obtaining false credit.


Pennsylvania Breach of Personal Information Notification Act
Pennsylvania Senate Bill 713, the Breach of Personal Information Notification Act, requires businesses to notify individuals when a security breach results in their personal information being released to unauthorized parties and the security breach causes or will cause loss or injury to a Pennsylvania resident. The Act specifies the notification steps businesses must follow in the event of a security breach.


Rhode Island Identity Theft Protection Act of 2005
The Rhode Island Identity Theft Protection Act of 2005 (H6191 Substitute A) requires businesses to notify individuals when a security breach results in their personal information being released to unauthorized parties, unless an appropriate investigation determines that the breach has not and will not likely result in a significant risk of identity theft. The Act specifies the notification steps businesses must follow in the event of a security breach.


Texas Information Disposal Act
The Texas Information Disposal Act, House Bill 698 (HB 698), amends the Texas Business and Commerce Code adding document retention and disposal requirements. Specifically, it requires that business records containing personal identifying information be shredded, erased or destroyed by other means prior to disposal.




 
 
© 2008 - Action Secure Shredding, Inc.®