Record Destruction
Arkansas requires that an entity take all reasonable steps to destroy a customer's records within its custody or control that contain personal information when the records are no longer necessary to be retained by shredding, erasing, or otherwise making the record unreadable or indecipherable by any means.
Information Security
An entity that acquires, owns, or licenses personal information about an Arkansas resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
No statutes or regulations addressing affirmative data obligations.
Information Security
Wisconsin prohibits financial institutions, medical businesses, and tax preparation businesses (and businesses or persons under contract with those businesses) from disposing of records containing personal information unless they shred, erase, modify, or take similar action on the record to prevent unauthorized persons from accessing the personal information.
(e) “Personal information” means any of the following:
(f) “Personally identifiable” means capable of being associated with a particular individual through one or more identifiers or other information or circumstances.
No statutes or regulations addressing affirmative data obligations.
Restrictions on Capture & Use of Biometric Identifiers
Washington prohibits persons from enrolling a biometric identifier in a database for a commercial purpose without providing notice, obtaining consent, or providing a mechanism to prevent subsequent use of the biometric identifier. The biometric identifier may not be sold, leased, or disclosed without proper disclosure made or consent obtained. Person is defined to include an individual, partnership, corporation, LLC, organization, association, or other legal or commercial entity. Does not include government entities.
Record Destruction
An entity must take all reasonable steps to destroy, or arrange for destruction of, personal financial and health information and personal identification numbers issued by government entities in an individual’s records within its custody and control when the entity is disposing of records that it will no longer retain. An entity is not liable under this section for records it has relinquished to the custody and control of the individual to whom the records pertain.
Restrictions on SSN Use
State law provides that a person shall not:
Data Brokers
Vermont applies certain obligations to data brokers, including (i) the duty to protect personally identifiable information by developing, implementing, and maintaining a comprehensive information security program and (ii) the duty to register annually with the Secretary of State. A data broker is a business, or unit of a business, that knowingly collects and sells or licenses to third parties brokered personal information of a consumer with whom the business does not have a direct relationship.
Record Destruction
Vermont requires businesses to take all reasonable steps to destroy or arrange for the destruction of a customer’s records that contain personal information by shredding, erasing, or otherwise modifying personal information to make it unreadable.
Information Security
Any person who conducts business in the state and maintains personal information shall implement and maintain reasonable procedures to prevent unlawful use or disclosure of personal information collected or maintained in the regular course of business.
Record Destruction
Utah requires businesses to destroy or arrange for the destruction of records containing personal information that are not to be retained by the person. Destruction must be done by shredding, erasing, or otherwise modifying the personal information to make the information indecipherable.
*Neither of the above applies to financial institutions.
Restrictions on Capture & Use of Biometric Identifiers
Persons who capture biometric identifiers for a commercial purpose may not sell, lease, or disclose the biometric identifier. They must also store, transmit, and protect from disclosure the biometric identifier using reasonable care and in a manner that is the same as or more protective than the manner in which the person stores, transmits, and protects any other confidential information the person possesses. The person must also destroy the biometric identifier within a reasonable time, but no later than one year after the purpose for collecting the identifier expires.
TX Bus. & Comm. Code § 503.001
Restrictions On Use of SSN
A person may not require an individual to disclose the individual's SSN to obtain goods or services unless the person adopts a privacy policy, makes that policy available to the disclosing individual, and maintains the confidentiality and security of the SSN disclosed.
TX Bus. & Comm. Code § 501.052
Prohibitions of Displaying & Using SSN & Drivers License Numbers
A person may not print an individual’s driver’s license number on a receipt.
TX Bus. & Comm. Code § 501.1011
A merchant or third party under contract with the merchant may not disclose a consumer’s driver’s license number or SSN to any other third party, and can only use the DLN or SSN to monitor, investigate, or prosecute fraudulent return of merchandise. They must destroy or arrange for the destruction of the DLN and SSN at expiration of six months from the date of the last transaction.
TX Bus. & Comm. Code § 501.101
Record Destruction
When a business disposes of a business record that contains PII of a customer of the business, the business shall modify by shredding, erasing or other means the PII to make the PII unreadable.
TX Bus. & Comm. Code § 72.004
Information Security
(a) A business shall implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect from unlawful use or disclosure any sensitive personal information collected or maintained by the business in the regular course of business.
TX Bus. & Comm. Code § 521.052
Record Destruction
Notwithstanding any law to the contrary, if a private entity or business maintains a record that contains any of the personal identifying information set out in subdivision (g)(2) concerning one of its customers, and the entity, by law, practice or policy discards such records after a specified period of time, any record containing the personal identifying information shall not be discarded unless the business:
(A) Shreds or burns the customer's record before discarding the record;
(B) Erases the personal identifying information contained in the customer's record before discarding the record;
(C) Modifies the customer's record to make the personal identifying information unreadable before discarding the record; or
(D) Takes action to destroy the customer's personal identifying information in a manner that it reasonably believes will ensure that no unauthorized persons have access to the personal identifying information contained in the customer's record for the period of time between the record's disposal and the record's destruction.
Tenn. Code Ann. § 39-14-150
Restrictions on Use of SSN
The state specifically protects SSNs under its breach notification and record destruction provision.
Any for profit business entity in this state engaged in any business that has obtained a federal social security number for a legitimate business or governmental purpose shall make reasonable efforts to protect that SSN from disclosure to the public. SSNs shall not:
(1) Be posted or displayed in public;
(2) Be required to be transmitted over the Internet, unless the Internet connection used is secure or the SSN is encrypted;
(3) Be required to log onto or access an Internet website, unless used in combination with a password or other authentication device; or
(4) Be printed on any materials mailed to a consumer, unless the disclosure is required by law, or the document is a form or application.
§ 47-18-2110(a).
No statutes or regulations addressing affirmative data obligations.
Restrictions on Publication & Use of SSN
With some exceptions, a business may not:
(1) publicly post or publicly display or otherwise intentionally communicate or make available to the general public a consumer's social security number or a portion of it containing six digits or more;
(2) intentionally print or imbed a consumer's social security number or any portion of it containing six digits or more on any card required for the consumer to access products or services provided by the person;
(3) require a consumer to transmit his social security number or a portion of it containing six digits or more over the Internet, unless the connection is secure or the social security number is encrypted;
(4) require a consumer to use his social security number or a portion of it containing six digits or more to access an Internet web site, unless a password or unique personal identification number or other authentication device is also required to access the Internet web site;
(5) print a consumer's social security number or a portion of it containing six digits or more on materials that are mailed to the individual, unless state or federal law requires the social security number to be on the document to be mailed;
(6) sell, lease, loan, trade, rent, or otherwise intentionally disclose a consumer's social security number or a portion of it containing six digits or more to a third party without written consent to the disclosure from the consumer, unless the third party seeking disclosure of the social security number does so for a legitimate business or government purpose or unless authorized or specifically permitted by law to do so or unless the disclosure is otherwise imperative for the performance of the person's duties and responsibilities as prescribed by law. A legitimate business purpose of the third party includes, but is not limited to, locating an individual to provide a benefit to that individual, such as a pension, insurance, or unclaimed property benefit, or to find an individual who is missing or a lost relative, or to serve civil process. A legitimate purpose of the third party does not include the bulk purchase or rental of social security numbers or use in marketing.
S.C. Code Ann. § 37-20-180
Record Destruction
When a business disposes of a business record that contains personal identifying information of a customer of a business, the business shall modify, by shredding, erasing, or other means, the personal identifying information to make it unreadable or undecipherable.
S.C. Code Ann. § 37-20-190
Information Security
An entity that stores, collects, processes, maintains, acquires, uses, owns, or licenses personal information about a Rhode Island resident shall implement and maintain a risk-based information security program that contains reasonable security procedures and practices appropriate to the size and scope of the organization; the nature of the information; and the purpose for which the information was collected in order to protect the personal information from unauthorized access, use, modification, destruction, or disclosure and to preserve the confidentiality, integrity, and availability of such information. 11 R.I. Gen. Laws Ann. § 11-49.3-2.
An entity shall not retain personal information for a period longer than is reasonably required to provide the services requested; to meet the purpose for which it was collected; or in accordance with a written retention policy or as may be required by law. 11 R.I. Gen. Laws Ann. § 11-49.3-2 (West)
Record Destruction
An entity shall destroy all personal information, regardless of the medium that such information is in, in a secure manner, including, but not limited to, shredding, pulverization, incineration, or erasure.
11 R.I. Gen. Laws Ann. § 11-49.3-2 (West)
Privacy Policy Disclosure Requirements
Website operators and personal information collectors are required to make their privacy policies available in a clear, concise, conspicuous, and unambiguous manner.
PR ST T. 10 § 4062
Restrictions on Use of SSN
Pennsylvania laws provide that an entity shall not:
(1) Publicly post or publicly display in any manner an individual's SSN. "Publicly post" or "publicly display" means to intentionally communicate or otherwise make available to the general public.
(2) Print an individual's SSN on any card required for the individual to access products or services provided by the person, entity or State agency or political subdivision.
(3) Require an individual to transmit his or her SSN over the Internet unless the connection is secure or the SSN is encrypted.
(4) Require an individual to use his or her SSN to access an Internet website unless a password or unique personal identification number or other authentication device is also required to access the website.
(5) Print an individual's SSN on any materials that are mailed to the individual unless Federal or State law requires the SSN to be on the document to be mailed. Notwithstanding this provision, SSNs may be included in applications and forms sent by mail, including documents sent as part of an application or enrollment process or to establish, amend or terminate an account, contract or policy or to confirm the accuracy of the SSN. A SSN that is permitted to be mailed under this section may not be printed, in whole or in part, on a postcard or other mailer not requiring an envelope, or visible on the envelope or without the envelope having been opened.
(6) Disclose in any manner, except to the agency issuing the license, the SSN of an individual who applies for a recreational license. 74 Pa. Stat § 201(a).
Information Security & Record Destruction
Covered entities or vendors that own, maintain, or otherwise possess or have control over personal information must develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the personal information, including safeguards that protect the PI when the person disposes of the PI. This requirement is satisfied if the person complies with GLBA or HIPAA regulations, or if it satisfies certain reasonable administrative, technical, and physical safeguards enumerated in the statute.
OR ST § 646A.622
Restrictions on Use of SSN
Oregon laws provide that except as otherwise specifically provided by law a person shall not:
(a) Print a consumer’s SSN on any materials not requested by the consumer or part of the documentation of a transaction or service requested by the consumer that are mailed to the consumer unless redacted;
(b) Print a consumer’s SSN on any card required for the consumer to access products or services provided by the person; or
(c) Publicly post or publicly display a consumer’s SSN unless redacted. As used in this paragraph, “publicly post or publicly display” means to communicate or otherwise make available to the public. § 646A.620(1).
Restrictions on Use of SSN
State laws provide that any employing entity located in this state shall not do any of the following:
Information Security
Covered entities (broadly defined) are required to implement reasonable information security controls. Covered entities can qualify for an affirmative defense if they comply with certain specified standards (e.g., NIST standards, HIPAA regs, GLBA requirements).
Information Security
Subject to some exceptions, no business entity which charges a fee for data processing services performed may disclose in whole or in part the contents of any record, including the disclosure of information contained in the record through inclusion in any composite of information, which is prepared or maintained by such business entity to any person, other than the individual or business entity which is the subject of the record, without the express written consent of such individual or business entity.
N.D. Cent. Code Ann. § 51-22-02
Record Destruction
Any business that conducts business in NC and maintains or possesses personal information of a NC resident must take reasonable measures to protect against unauthorized access to or use of the information in connection with or after its disposal. § 75-64(a).
Reasonable measures must include: (1) Implementing and monitoring compliance with policies and procedures that require the burning, pulverizing, or shredding of papers containing personal information so that information cannot be practicably read or reconstructed. (2) Implementing and monitoring compliance with policies and procedures that require the destruction or erasure of electronic media and other nonpaper media containing personal information so that the information cannot practicably be read or reconstructed. (3) Describing procedures relating to the adequate destruction or proper disposal of personal records as official policy in the writings of the business entity. § 75-64(b).
Restrictions on Use of SSN
The state specifically protects SSNs under its data destruction and breach notification provisions.
Additionally, state laws provide that a business may not do any of the following:
(1) Intentionally communicate or otherwise make available to the general public an individual's SSN.
(2) Intentionally print or imbed an individual's SSN on any card required for the individual to access products or services provided by the person or entity.
(3) Require an individual to transmit his or her SSN over the Internet, unless the connection is secure or the social security number is encrypted.
(4) Require an individual to use his or her SSN to access an Internet Web site, unless a password or unique personal identification number or other authentication device is also required to access the Internet Web site.
(5) Print an individual's SSN on any materials that are mailed to the individual, unless state or federal law requires the social security number to be on the document to be mailed.
(6) Sell, lease, loan, trade, rent, or otherwise intentionally disclose an individual's SSN to a third party without written consent to the disclosure from the individual, when the party making the disclosure knows or in the exercise of reasonable diligence would have reason to believe that the third party lacks a legitimate purpose for obtaining the individual's SSN. § 75-62(a). Section (b) provides exemptions, including when a SSN is used in an application or documents for enrollment of an account, verification for administrative purposes, required by other law, when a SSN is redacted, and several other specific exceptions.
Publication of Personal Information
State law also prohibits a business from knowingly broadcasting or publishing to the public personal information of another with actual knowledge that the person whose personal information is disclosed has previously objected to such disclosure. “Personal information” has the same definition as above with the exception of (14) Parent’s surname prior to marriage. § 75-66.
Information Security
Requires any person or business that owns or licenses computerized data which includes private information of a NY resident to develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information, including, but not limited to, the disposal of data.
Record Destruction
When disposing of records containing personal identifying information, a business must do one of the following:
Information Security
A business that owns or licenses personal identifying information of a New Mexico resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal identifying information from unauthorized access, destruction, use, modification or disclosure.
N.M. Stat. Ann. § 57-12C-4 (West)
A person that discloses personal identifying information of a New Mexico resident pursuant to a contract with a service provider shall require by contract that the service provider implement and maintain reasonable security procedures and practices appropriate to the nature of the personal identifying information and to protect it from unauthorized access, destruction, use, modification or disclosure. § 57-12C-5
Restrictions On Use of SSN
New Mexico law provides that a business shall not:
(1) make the entirety of a social security number available to the general public. This prohibition includes:
(a) intentionally communicating a social security number to the general public; and
(b) printing a social security number on a receipt issued for the purchase of products or services, including a receipt for the purchase of services from the state or its political subdivisions;
(2) require the use of a social security number:
(a) over the internet without a secure connection or encryption security; or
(b) to access an internet account unless a password or unique personal identification number or other personal authentication device is also required to access the account;
(3) print a social security number on materials mailed to a consumer unless authorized or required by federal or state law; provided that nothing in this paragraph prohibits a business from requiring a consumer, as part of an application or enrollment process, or to establish, amend or terminate an account, contract or policy, or to confirm the accuracy of the social security number, to enter a social security number on material to be mailed by the consumer as long as it is not required to be entered, in whole or in part:
(a) on a postcard or other mailer not requiring an envelope;
(b) on the envelope; or
(c) in any other manner in which the number may be visible without the envelope being opened;
(4) transmit material that associates a social security number with an account number for a bank, savings and loan association or credit union, unless both numbers are required as part of an application or enrollment process or to establish, amend or terminate an account, contract or policy or to confirm the accuracy of the social security, bank, savings and loan association or credit union account number; or
(5) refuse to transact business because of a refusal to provide the social security number for use of that number in a manner prohibited by Paragraphs (1) through (4) of this subsection.
N.M. Stat. Ann. § 57-12B-4
Record Destruction
A person that owns or licenses records containing personal identifying information of a New Mexico resident shall arrange for proper disposal of the records when they are no longer reasonably needed for business purposes. As used in this section, “proper disposal” means shredding, erasing or otherwise modifying the personal identifying information contained in the records to make the personal identifying information unreadable or undecipherable.
N.M. Stat. Ann. § 57-12C-3 (West)
Record Destruction
A business or public entity shall destroy, or arrange for the destruction of, a customer's records within its custody or control containing personal information, which is no longer to be retained by the business or public entity, by shredding, erasing, or otherwise modifying the personal information in those records to make it unreadable, undecipherable or nonreconstructable through generally available means.
N.J. Stat. Ann. § 56:8-162.
Restrictions On Use of SSN
No person, including any public or private entity, shall:
(1) Publicly post or publicly display an individual's Social Security number, or any four or more consecutive numbers taken from the individual's Social Security number;
(2) Print an individual's Social Security number on any materials that are mailed to the individual, unless State or federal law requires the Social Security number to be on the document to be mailed;
(3) Print an individual's Social Security number on any card required for the individual to access products or services provided by the entity;
(4) Intentionally communicate or otherwise make available to the general public an individual's Social Security number;
(5) Require an individual to transmit his Social Security number over the Internet, unless the connection is secure or the Social Security number is encrypted; or
(6) Require an individual to use his Social Security number to access an Internet web site, unless a password or unique personal identification number or other authentication device is also required to access the Internet web site.
N.J. Stat. Ann. § 56:8-164
No statutes or regulations addressing affirmative data obligations.
Information Security
Nevada requires entities that collect data from Nevada residents to implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification or disclosure.
Further, the entity to whom the information is disclosed pursuant to a contract must also implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification or disclosure.
Nev. Rev. Stat. Ann. § 603A.210
Data Obligations
Effective October 1, 2019, consumers will be allowed to opt out of data sales by web operators. Covered businesses must establish a designated request address through which consumers may submit a verified opt-out request.
Record Destruction
A business that maintains records which contain personal information concerning the customers of the business shall take reasonable measures to ensure the destruction of those records when the business decides that it will no longer maintain the records. “Reasonable measures to ensure the destruction” in Nevada means any method that modifies the records containing the personal information in such a way as to render the personal information contained in the records unreadable or undecipherable, such as shredding or erasing.
Nev. Rev. Stat. Ann. § 603A.200
Restrictions On Use of SSN
Nevada prohibits an entity from intentionally and publicly displaying a person's SSN unless authorized by that person or required to do so by law. Doing so is a misdemeanor.
However, Nevada allows entities to use an SSN for internal verification or administrative purposes, and the aforementioned restrictions do not apply to documents that are open to the public by law or regulation.
A person whose SSN has been willfully and intentionally posted or displayed in violation of this section can bring a civil cause of action against the violating entity. If successful, the court may award actual damages, reasonable attorney's fees and costs to the person.
Nev. Rev. Stat. Ann. § 205.4605
In Nevada, “post or display in any public manner” means to communicate or otherwise make available to the general public, including, without limitation: (1) printing the SSN of another person on any card required for that person to access products or services provided by the entity; (2) requiring another person to transmit his or her SSN over the Internet unless the connection is secure or the SSN is encrypted; (3) requiring the use of a SSN to access an Internet website, unless a password or other authentication device is also required to access the Internet website; or (4) printing the SSN of another person on any material that is mailed to the person in a way that is visible to the public.
Nev. Rev. Stat. Ann. § 205.4605
PIN Security
If an entity doing business in Nevada accepts a payment card during a sale of goods or services, the entity must comply with the current version of the Payment Card Industry (PCI) Data Security Standard, as adopted by the PCI Security Standards Council or its successor organization, with respect to those transactions, not later than the date for compliance set forth in the PCI Data Security Standard or by the PCI Security Standards Council or its successor organization.
An entity doing business in Nevada that is not subject to the PCI DSS requirement above may not (a) transfer any personal information through an electronic, nonvoice transmission other than a facsimile to a receiving entity outside of the collecting entity’s secure system unless the collecting entity uses encryption to ensure the security of the electronic transmission; or (b) move any data storage device containing personal information beyond the logical or physical controls of the collecting entity, its third-party contractors or, if the data storage device is used by or is a component of a multifunctional device, the entity that assumes the obligation of the collecting entity to protect the personal information, unless the collecting entity uses encryption to ensure the security of the information.
Nev. Rev. Stat. Ann. § 603A.215
Information Security
An entity that conducts business in Nebraska and owns, licenses, or maintains computerized data that includes personal information about a resident of Nebraska must implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal information and the nature and size of the entity and its operations, including safeguards that protect the personal information when the entity disposes of the personal information. If an entity discloses computerized data that includes personal information about a resident of Nebraska to a nonaffiliated, third-party service provider, then that entity shall require by contract that such service provider implement and maintain reasonable security procedures and practices that (i) are appropriate to the nature of the personal information disclosed to the service provider; and (ii) are reasonably designed to help protect the personal information from unauthorized access, acquisition, destruction, use, modification, or disclosure. This contract requirement does not apply to contracts entered into prior to July 18, 2018, or if the entity complies with a state or federal law that provides greater protection to personal information than this section, or if the entity complies with the Gramm-Leach-Bliley Act or HIPAA.
Restrictions On Use of SSN
In Nebraska, an employer cannot do the following: (a) display more than the last four digits of an employee's SSN to the general public or an employee’s coworkers; (b) require an employee to transmit more than the last four digits of his or her SSN over the Internet unless the connection is secure or the information is encrypted; (c) require an employee to use more than the last four digits of his or her SSN to access an Internet web site unless a password or other authentication device is also required to access the Internet web site; or (d) require an employee to use more than the last four digits of his or her SSN as an employee number for any type of employment-related activity.
Neb. Rev. Stat. Ann. § 48-237
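The SSN display rules summarized on this page set different thresholds for how much of a number may appear on a receipt, mailer, or web page: New Jersey counts any four or more consecutive digits, South Carolina a portion of six digits or more, and Nebraska (for employers) anything beyond the last four digits. The following is an added example, not code from the page or from the firm that publishes it, showing how a review pipeline can scan outbound text for consecutive fragments of a known SSN and redact them to the form a given state permits. The three-state threshold table is an assumption drawn from the summaries above, the state codes and function names are hypothetical, and the sample strings are constructed for the example.

```python
import re

# Assumed thresholds, read from the page's summaries: the shortest run of
# consecutive SSN digits whose display the statute prohibits.
#   NJ: "any four or more consecutive numbers"            -> runs of 4+
#   SC: "a portion of it containing six digits or more"   -> runs of 6+
#   NE: "more than the last four digits" (employers)      -> runs of 5+
PROHIBITED_RUN = {"NJ": 4, "SC": 6, "NE": 5}

SSN_LENGTH = 9


def normalize_ssn(ssn):
    """Strip separators and insist on a nine-digit number."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != SSN_LENGTH:
        raise ValueError("expected a nine-digit SSN")
    return digits


def mask_ssn(ssn):
    """The conventional display form that keeps only the last four digits."""
    return "XXX-XX-" + normalize_ssn(ssn)[-4:]


def _fragment_patterns(full, threshold):
    """Yield (start, fragment, regex) for every consecutive SSN fragment of
    length >= threshold, longest first so that a hit on "45-6789" is not
    also reported as the shorter "6789" inside it. Digits in the text may
    be separated by a hyphen or whitespace; digit lookarounds stop a
    fragment from matching inside a longer unrelated number."""
    for length in range(SSN_LENGTH, threshold - 1, -1):
        for start in range(0, SSN_LENGTH - length + 1):
            frag = full[start:start + length]
            pattern = r"(?<!\d)" + r"[-\s]?".join(frag) + r"(?!\d)"
            yield start, frag, re.compile(pattern)


def exposed_fragments(text, ssn, state):
    """Return the substrings of `text` that reproduce a prohibited run of
    the SSN under the given state's threshold, in order of appearance."""
    full = normalize_ssn(ssn)
    threshold = PROHIBITED_RUN[state]
    hits = []  # (start, end, matched text)
    for _, _, pat in _fragment_patterns(full, threshold):
        for m in pat.finditer(text):
            inside_longer = any(s <= m.start() and m.end() <= e for s, e, _ in hits)
            if not inside_longer:
                hits.append((m.start(), m.end(), m.group()))
    hits.sort()
    return [matched for _, _, matched in hits]


def _mask_match(matched, keep_last_four):
    """Replace digits with X, preserving separators; optionally keep the
    trailing four digits (only used when the fragment ends the SSN)."""
    out, kept = [], 0
    for ch in reversed(matched):
        if ch.isdigit() and not (keep_last_four and kept < 4):
            out.append("X")
        else:
            out.append(ch)
            kept += ch.isdigit()
    return "".join(reversed(out))


def redact_for_state(text, ssn, state):
    """Redact every prohibited fragment. States whose threshold exceeds four
    digits may show the last four; NJ's four-digit rule masks those too."""
    full = normalize_ssn(ssn)
    threshold = PROHIBITED_RUN[state]
    for start, frag, pat in _fragment_patterns(full, threshold):
        keep = threshold > 4 and start + len(frag) == SSN_LENGTH
        text = pat.sub(lambda m, k=keep: _mask_match(m.group(), k), text)
    return text


if __name__ == "__main__":
    # Constructed sample: a fictitious SSN and three outbound strings.
    ssn = "123-45-6789"
    for state in ("NJ", "SC", "NE"):
        for sample in ("Receipt for 123-45-6789, thank you",
                       "Member 45-6789 / phone 555-0100",
                       "Last four 6789 on file"):
            print(state, exposed_fragments(sample, ssn, state),
                  "->", redact_for_state(sample, ssn, state))
```

The scan matches fragments of the SSN rather than "anything that looks like an SSN", so a phone number or order number that shares no run with the customer's SSN is left alone, while a partially separated copy such as "45 6789" is still caught. Because it errs on the side of flagging any coincidental overlap, it is meant as a gate before release, with a human deciding the rare false positive.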
Record Destruction
A business shall take all reasonable steps to destroy or arrange for the destruction of a customer's records within its custody or control containing personal information that is no longer necessary to be retained by the business by shredding, erasing, or otherwise modifying the personal information in those records to make it unreadable or undecipherable.
Mont. Code Ann. § 30-14-1703
Restrictions On Use of SSN
An entity, excluding a government agency, is prohibited from doing any of the following in Missouri: (1) intentionally and publicly display in any manner a Social Security number; (2) Require the transmission of a Social Security number over the internet, unless the connection is secure or the Social Security number is encrypted; (3) Require the use of a Social Security number to access an internet website, unless a password or other authentication device is also required to access the internet website; (4) Require the use of a Social Security number as an employee number for any type of employment-related activity; or (5) Require the use of the last four digits of a Social Security number as an employee number for any type of employment-related activity.
Mo. Ann. Stat. § 407.1355
No statutes or regulations addressing affirmative data obligations.
Restrictions On Use of SSN
Minnesota prohibits an entity from doing any of the following: (1) intentionally and publicly posting or displaying an individual's Social Security number; (2) printing a Social Security number on any card required for the individual to access the entity's products or services; (3) requiring an individual to transmit a Social Security number over the Internet, unless the connection is secure or the Social Security number is encrypted; (4) requiring an individual to use a Social Security number to access an Internet website, unless a password or other authentication device is also required to access the Internet website; (5) knowingly printing a Social Security number on any materials that are mailed to the individual, unless required by law or as received by a third party as part of a transaction and the entity does not know it is a Social Security number; (6) assigning or using a number as the primary account identifier that is identical to or incorporates an individual's complete Social Security number, except in conjunction with an employee or member retirement or benefit plan or human resource or payroll administration; or (7) selling Social Security numbers obtained from individuals in the course of business.
Minn. Stat. Ann. § 325E.59
PIN Security
Minnesota prohibits entities that accept an access device in connection with a transaction from retaining the card security code data, the PIN verification code number, or the full contents of any track of magnetic stripe data, after the authorization of the transaction, or in the case of a PIN debit transaction, more than 48 hours after authorization of the transaction. Even the entity’s service provider is prohibited from retaining the aforementioned data pursuant to the same timelines.
Minn. Stat. Ann. § 325E.64
Record Destruction
Michigan requires that entities destroy any data that contain personal information concerning an individual when that data is removed from the database and not being retained by the entity elsewhere for another lawful purpose. In Michigan, "destroy" means to destroy the data by shredding, erasing, or otherwise modifying the data to make it unreadable, indecipherable, or otherwise not reconstructable.
Mich. Comp. Laws Ann. § 445.72a
Restrictions on Use of SSN
Michigan requires entities that obtain social security numbers in the ordinary course of business to create a privacy policy that does at least all of the following concerning the social security numbers obtained: (a) Ensures to the extent practicable the confidentiality of the social security numbers; (b) Prohibits unlawful disclosure of the social security numbers; (c) Limits who has access to information that contains the social security numbers; (d) Describes how to properly dispose of documents that contain the social security numbers; and (e) Establishes penalties for violation of the privacy policy.
(2) A person that creates a privacy policy under subsection (1) shall publish the privacy policy in an employee handbook, in a procedures manual, or in 1 or more similar documents, which may be made available electronically.
Mich. Comp. Laws Ann. § 445.84
Record Destruction
Regarding the destruction of personal information, Massachusetts requires that entities either redact, burn, pulverize or shred documents that contain personal data so they cannot practicably be read or reconstructed.
Electronic media and other non-paper media containing personal information shall be destroyed or erased so that personal information cannot practicably be read or reconstructed.
Mass. Gen. Laws Ann. ch. 93I, § 2
Information Security
Massachusetts requires that entities have a written and comprehensive information security program which indicates the establishment and maintenance of a security system covering its computers, including any wireless systems. The security program must at least include: (1) Secure user authentication protocols; (2) Secure access control measures; (3) Encryption of all transmitted records and files containing personal information; (4) Reasonable monitoring of systems for unauthorized use of or access to personal information; (5) Encryption of all personal information stored on laptops or other portable devices; (6) Up-to-date firewall protection and operating system security patches; (7) Reasonably up-to-date versions of system security agent software which must include malware protection; and (8) Education and training of employees on the proper use of the computer security system and the importance of personal information security.
Duty to Protect and Standards for Protecting Personal Information
(1) Every person that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to (a) the size, scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program; (b) the amount of resources available to such person; (c) the amount of stored data; and (d) the need for security and confidentiality of both consumer and employee information. The safeguards contained in such program must be consistent with the safeguards for protection of personal information and information of a similar character set forth in any state or federal regulations by which the person who owns or licenses such information may be regulated.
(2) Without limiting the generality of the foregoing, every comprehensive information security program shall include, but shall not be limited to:
(a) Designating one or more employees to maintain the comprehensive information security program;
(b) Identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information, and evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks, including but not limited to:
1. ongoing employee (including temporary and contract employee) training;
2. employee compliance with policies and procedures; and
3. means for detecting and preventing security system failures.
(c) Developing security policies for employees relating to the storage, access and transportation of records containing personal information outside of business premises.
(d) Imposing disciplinary measures for violations of the comprehensive information security program rules.
(e) Preventing terminated employees from accessing records containing personal information.
(f) Oversee service providers, by:
1. Taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect such personal information consistent with these regulations and any applicable federal regulations; and
2. Requiring such third-party service providers by contract to implement and maintain such appropriate security measures for personal information; provided, however, that until March 1, 2012, a contract a person has entered into with a third party service provider to perform services for said person or functions on said person’s behalf satisfies the provisions of 17.03(2)(f)(2) even if the contract does not include a requirement that the third party service provider maintain such appropriate safeguards, as long as said person entered into the contract no later than March 1, 2010.
(g) Reasonable restrictions upon physical access to records containing personal information, and storage of such records and data in locked facilities, storage areas or containers.
(h) Regular monitoring to ensure that the comprehensive information security program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information; and upgrading information safeguards as necessary to limit risks.
(i) Reviewing the scope of the security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information.
(j) Documenting responsive actions taken in connection with any incident involving a breach of security, and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personal information.
201 Mass. Code Regs. 17.03
Information Security
Maryland requires that entities implement and maintain reasonable security procedures and practices reasonably designed to help protect the personal information from unauthorized access, use, modification, disclosure, or destruction.
Md. Code Ann., Com. Law § 14-3503
Record Destruction
When an entity is destroying a customer's, employee's, or former employee's records that contain personal information, the entity must take reasonable steps to protect against unauthorized access to or use of the personal information.
Md. Code Ann., Com. Law § 14-3502
Restrictions On Use of SSN
Maryland law provides that a business may not: (1) Publicly post or display an individual's SSN; (2) Print an individual's SSN on a card required for the individual to access products or services provided by the person; (3) Require an individual to transmit the individual's SSN over the Internet unless the connection is secure or the individual's SSN is encrypted; (4) Initiate the transmission of an individual's SSN over the Internet unless the connection is secure or the SSN is encrypted; (5) Require an individual to use the individual's SSN to access an Internet website, unless a password, unique personal identification number, or other authentication device is also required to access the website; or (6) Unless required by State or federal law: (i) Print an individual's SSN on any material that is mailed to the individual; (ii) Include an individual's SSN in any material that is electronically transmitted to the individual, unless the connection is secure or the individual's SSN is encrypted; or (iii) Include an individual's SSN in any material that is transmitted by facsimile to the individual. § 14-3402.
No statutes or regulations addressing affirmative data obligations.
Information Security
Louisiana law states that any entity that conducts business in Louisiana or owns or licenses computerized data that includes personal information has to implement and maintain reasonable security procedures and practices.
La. Stat. Ann. § 51:3074
Record Destruction
Louisiana requires that any entity that conducts business in Louisiana or that owns or licenses computerized data that includes personal information must take all reasonable steps to destroy the records within its custody or control containing personal information that is no longer to be retained by the entity, and such destruction may be by shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or indecipherable through any means.
La. Stat. Ann. § 51:3074
Record Destruction
Kentucky requires that when an entity disposes of any customer's records that are not required to be retained, the entity shall take reasonable steps to destroy that portion of the records containing personally identifiable information by shredding, erasing, or otherwise modifying the personal information in those records to make it unreadable or indecipherable through any means.
Ky. Rev. Stat. Ann. § 365.725
Information Security
Kansas requires that an entity holding personal information shall implement and maintain reasonable procedures and practices appropriate to the nature of the information and exercise reasonable care to protect the personal information from unauthorized access, use, modification or disclosure.
Kan. Stat. Ann. § 50-6,139b
Record Destruction
Kansas requires that entities take reasonable steps to destroy any records within such entity’s custody or control containing any personal information when such holder no longer intends to maintain or possess such records. Further, such destruction shall be by shredding, erasing or otherwise modifying the personal identifying information in the records to make it unreadable or indecipherable through any means.
Kan. Stat. Ann. § 50-6,139b
Restrictions On Use of SSN
No person, including an individual, firm, corporation, association, partnership, joint venture or other business entity, or any employee or agent therefor, shall solicit, require or use for commercial purposes an individual's SSN unless such number is necessary for such person's normal course of business and there is a specific use for such number for which no other identifying number may be used.
§ 75-3520
No statutes or regulations addressing affirmative data obligations.
Record Destruction
In Indiana, any entity that disposes of unencrypted, unredacted personal information of a customer without shredding, incinerating, erasing, or otherwise rendering the information illegible or unusable commits a Class C infraction. However, the offense is considered a Class A infraction if: (1) the entity violates this section by disposing of the unencrypted, unredacted personal information of more than one hundred (100) customers; or (2) the entity has a prior unrelated judgment for a violation of this section.
Ind. Code Ann. § 24-4-14-8
Information Security
Indiana requires that database owners have an information privacy, security policy, or compliance plan that requires owners to maintain reasonable procedures to protect and safeguard the information on the database from unlawful use or disclosure of personal information.
Ind. Code Ann. § 24-4.9-3-3.5
Restrictions on Capture & Use of Biometric Identifiers and Information Security
A private entity in possession of biometric identifiers or biometric information must develop a written policy that establishes a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 3 years of the individual's last interaction with the entity, whichever occurs first. Absent a valid warrant or subpoena issued by a court of competent jurisdiction, an entity in possession of biometric identifiers or biometric information must comply with its established retention schedule and destruction guidelines.
No private entity may collect, purchase, or otherwise obtain a person's or a customer's biometric identifier or biometric information, unless it first: (i) informs the subject in writing that a biometric identifier or biometric information is being collected or stored; (ii) informs the subject in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and (iii) receives a written release executed by the subject of the biometric identifier or biometric information or the subject's legally authorized representative.
No private entity in possession of a biometric identifier or biometric information may sell, lease, trade, or otherwise profit from a person's biometric identifier or biometric information.
A private entity cannot disclose, redisclose, or otherwise disseminate a person's biometric identifier or biometric information unless the subject of the identifier consents to the disclosure, such disclosure completes a financial transaction requested by the subject of the identifier or information, or such disclosure is required by law, ordinance, valid warrant or subpoena from a court of competent jurisdiction.
A private entity in possession of a biometric identifier or biometric information shall store, transmit, and protect from disclosure all biometric identifiers and biometric information using the reasonable standard of care within the private entity's industry or the standard of care in which the private entity stores, transmits, and protects other confidential and sensitive information, whichever is more protective.
740 Ill. Comp. Stat. Ann. 14/15
Restrictions on Use of SSN
Illinois prohibits entities from (i) intentionally communicating or otherwise making available to the general public a social security number; (ii) printing a social security number on any card, wristband, or file required for the individual to access products or services, except that an entity that provides an insurance card must print on the card an identification number unique to the holder of the card in the format prescribed by Section 15 of the Uniform Prescription Drug Information Card Act; (iii) requiring an individual to transmit his or her social security number over the Internet unless the connection is secure or the number is encrypted; (iv) requiring the use of a social security number to access an Internet web site, unless a password or other authentication device is also required to access the Internet web site; or (v) printing a social security number on any materials that are mailed to the individual, unless State or federal law requires the social security number to be on the document to be mailed.
Illinois does allow for social security numbers to be included in applications and forms sent by mail, including documents sent as part of an application or enrollment process or to establish, amend, or terminate an account, contract, or policy or to confirm the accuracy of the social security number. For these purposes, a social security number being mailed may not be visible on an envelope or visible without the envelope having been opened.
815 Ill. Comp. Stat. Ann. 505/2RR
Record Destruction
Illinois requires that an entity dispose of materials containing personal information in a manner that renders the personal information unreadable, unusable, and undecipherable. Such disposal methods include redacting, burning, or shredding paper so that personal information cannot practicably be read or reconstructed, or when digital, erasing the media containing the personal information such that the information cannot be practicably read or reconstructed.
Illinois allows entities to contract with a third party to dispose of personal information, so long as the third party that contracts with the entity to dispose of materials containing personal information implements and monitors compliance with policies and procedures that prohibit unauthorized access to, acquisition of, or use of personal information during the collection, transportation, and disposal of materials containing personal information.
815 Ill. Comp. Stat. Ann. 530/40
Information Security
An entity that owns or licenses, or maintains or stores but does not own or license, records that contain personal information concerning an Illinois resident has to implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure.
Contracts for the disclosure of personal information concerning an Illinois resident that is maintained by the entity must include a provision requiring the recipient of the personal information to implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure.
815 Ill. Comp. Stat. Ann. 530/45
No statutes or regulations addressing affirmative data obligations.
Information Security and Record Destruction
Any entity or government agency that conducts business in Hawaii or maintains or otherwise possesses personal information of a resident of Hawaii shall take reasonable measures to protect against unauthorized access to or use of the information in connection with or after its disposal.
In Hawaii, reasonable measures include: (i) implementing and ensuring compliance with policies that require the destruction of papers containing personal information so that the papers cannot practicably be read or reconstructed; (ii) implementing and ensuring compliance with policies that require the destruction or erasure of electronic media containing personal information so that the information cannot practicably be read or reconstructed; and (iii) describing procedures relating to the adequate destruction or proper disposal of personal records as official policy in the writings of the entity.
Haw. Rev. Stat. Ann. § 487R-2
Restrictions On Use of SSN
An entity may not (i) intentionally communicate or otherwise make available to the general public an entire social security number; (ii) intentionally print or imbed an entire social security number on any card required for the individual to access products or services; (iii) require an individual to transmit the social security number over the Internet, unless the connection is secure or the social security number is encrypted; (iv) require the use of an entire social security number to access an internet website, unless a password or other authentication device is also required to access the internet website; or (v) print an entire social security number on any materials that are mailed to the individual, unless the materials are employer-to-employee communications, or where specifically requested by the individual.
Haw. Rev. Stat. Ann. § 487J-2
Restrictions On Use of SSN
Georgia requires that an entity not (i) intentionally display to the general public in any manner an individual's social security number, (ii) require an individual to transmit his or her social security number over the Internet, unless the connection is secure or the social security number is encrypted, or (iii) require an individual to use his or her social security number to access an Internet website, unless a password or unique personal identification number or other authentication device is also required to access the Internet website.
Ga. Code Ann. § 10-1-393.8
Record Destruction
An entity may not discard a record containing personal information unless it first shreds the customer's record, erases the personal information contained in the customer's record, modifies the customer's record to make it unreadable, or takes actions that the entity reasonably believes will ensure that no unauthorized person will have access to the personal information contained in the customer's record for the period between the record's disposal and the record's destruction.
Ga. Code Ann. § 10-15-2
Information Security
Covered entities, governmental entities, and third-party agents of the aforementioned shall take reasonable measures to protect and secure data in electronic form containing personal information.
Fla. Stat. Ann. § 501.171
Record Destruction
A covered entity or third-party agent shall take all reasonable measures to dispose of customer records containing personal information within its custody or control when the records are no longer to be retained. Such disposal shall involve shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or indecipherable through any means.
Fla. Stat. Ann. § 501.171
No statutes or regulations addressing affirmative data obligations.
Information Security
Any person who conducts business in Delaware and owns, licenses, or maintains PI shall implement and maintain reasonable procedures and practices to prevent the unauthorized acquisition, use, modification, disclosure, or destruction of PI collected or maintained in the regular course of business. § 12B-100.
Record Destruction
An employer seeking to permanently dispose of records containing employees' personal identifying information within the employer's custody and control shall take all reasonable steps to destroy or arrange for the destruction of each such record by shredding, erasing, or otherwise destroying or modifying the personal identifying information in those records to make it unreadable or indecipherable.
Del. Code Ann. tit. 19, § 736
Information Security and Record Destruction
Any entity in possession of personal information shall safeguard the data, computer files and documents containing the information from misuse by third parties, and shall destroy, erase or make unreadable such data, computer files and documents prior to disposal.
Conn. Gen. Stat. Ann. § 42-471
Restrictions On Use of SSN
Any entity that collects SSNs in the course of business shall create a privacy protection policy which shall be published or publicly displayed.
Conn. Gen. Stat. Ann. § 42-471(b).
Information Security
Colorado requires covered entities that own, maintain, or license personal identifying information of an individual residing in Colorado to implement and maintain reasonable security measures appropriate to the type of information and the size of the business.
Information Security
Unless the covered entity agrees to provide its own security protection for the information it discloses to a third-party service provider, the entity must contractually require the third-party service provider to implement and maintain reasonable security procedures and practices that are (a) appropriate to the nature of the personal identifying information disclosed and (b) reasonably designed to help protect the personal identifying information from unauthorized access, use, modification, disclosure, or destruction.
Colo. Rev. Stat. Ann. § 6-1-713.5
Record Destruction
Covered entities that maintain paper or electronic documents containing personal identifying information must develop a written policy for the destruction or proper disposal of such documents. Unless otherwise required by state or federal law or regulation, the written policy must require that, when such documents are no longer needed, the covered entity shall destroy or arrange for the destruction of such documents within its custody or control that contain personal identifying information by shredding, erasing or otherwise modifying the personal identifying information in the documents to make the personal identifying information unreadable or indecipherable through any means. § 6-1-713(1).
Information Security
California requires that any entity that owns, licenses, or maintains personal information about a California resident implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. If an entity discloses this personal information to a third party pursuant to a contract, it must require the third-party recipient to implement and maintain its own reasonable security procedures and practices to protect the personal information from the same risks mentioned above.
Cal. Civ. Code § 1798.81.5
Resident Rights Over Their Data
The California Consumer Privacy Act ("CCPA") vests California residents and households (each, a "data subject") with certain rights related to their personal information (which is broadly defined). CCPA gives data subjects, with some exceptions, the rights to (i) be informed if their personal information is sold or disclosed, (ii) approve of the sale of their personal information, (iii) demand deletion of the information, (iv) opt-out and (v) be protected from discrimination if they exercise their privacy rights.
Cal. Civ. Code § 1798
Record Destruction
Businesses shall take all reasonable steps to dispose, or arrange for the disposal, of customer records within their custody or control containing PI when the records are no longer to be retained by the business by (a) shredding, (b) erasing, or (c) making it otherwise unreadable or undecipherable. Cal. Civ. Code § 1798.81.
Record Destruction
Arizona requires that an entity not knowingly dispose of records or documents without either redacting the information or destroying the records or documents, if the same contain an individual's first and last name or first initial and last name in combination with a corresponding, complete (i) social security number, (ii) credit, debit, or charge card number, (iii) retirement account number, (iv) savings, checking, or securities entitlement account number, or (v) driver's license or other identification license number.
Ariz. Rev. Stat. Ann. § 44-7601
Information Security and Record Destruction
Alaska requires that an entity adopt written policies and procedures detailing the reasonable measures taken to destroy and properly dispose of records containing personal information. The business or government agency must also take all reasonable measures to protect against unauthorized access or use of records containing personal information when disposing of such records.
Alaska Stat. Ann. § 45.48.530
Restrictions On Use of SSN
An entity may not intentionally expose a social security number (“SSN”) to the general public, print a SSN on a card required to access products or services, require that a SSN be transmitted over an unsecured Internet connection unless the SSN is encrypted, require that a SSN be used to access an Internet website unless some other authentication device or password is also required for access, or print a SSN on any material that is mailed except where permitted by law or when used in an application or enrollment process and concealed in an envelope.
Alaska Stat. Ann. § 45.48.400
Information Security
Alabama requires that an entity or third-party agent take reasonable measures to implement and maintain security measures, including consideration of the following: (i) designation of an employee to coordinate the entity's security measures, (ii) identification of risks for security breaches, (iii) adoption of appropriate safeguards to address the identified risks and assessment of their effectiveness, (iv) contractual retention of service providers to provide appropriate safeguards for personally identifiable information, (v) adjustment of security measures for personally identifiable information to account for changes of circumstance, and (vi) keeping the entity's management informed of the security measures.