Numerous states have created laws that require companies to notify consumers in the event of an electronic security breach. The laws include exceptions when the notification would be extremely costly, though the figures differ by state. In Vermont, the amount is $5,000, while in Washington state it is $250,000. The laws also do not require disclosure if misuse of the data is unlikely to occur. In addition to Vermont and Washington, such laws were passed in Arizona, Hawaii, Indiana, Minnesota, New Hampshire, North Dakota, and Texas.
Three states created the specific crime of phishing in their legislative sessions. (In phishing, scammers send e-mails falsely claiming to be a legitimate enterprise in an attempt to obtain private information from the user.) An Oklahoma law makes phishing illegal and allows Internet service providers (ISPs) to bring civil actions. ISPs may recover actual damages or up to $100,000 for each violation. A Rhode Island law provides that consumers can sue for damages of up to $500 per violation and ISPs can recover actual damages or up to $5,000 in damages. A new Connecticut law allows anyone harmed by phishing to sue the sender for actual damages or $25,000, whichever is greater.
Rhode Island has addressed another aspect of computer crime, amending an existing law that made it a crime to seize a computer, software, or information with the intent to deprive the owner of possession of those items. The new law no longer requires the element of intent for the act to be a crime, thus increasing the scope of the law.
A Kansas law makes it a felony for anyone without authorization to knowingly possess or use a scanning device to access, read, obtain, memorize, or store information encoded on a credit or debit card.