Name: Colo. Rev. Stat. 6-1-716 H.B. 18-1128
Effective Date: September 1, 2018
Link to Documentation
Any individual or commercial entity (collectively, Entity) that conducts business in CO and that owns, licenses, or maintains computerized data that includes PI.
The provisions governing maintenance of PI that the Entity does not own appear applicable to any Entity maintaining information on CO residents, whether or not the Entity conducts business in CO.
An unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of PI maintained by an Entity.
Good-faith acquisition of PI by an employee or agent of an Entity for the purposes of the Entity is not a breach of the security of the system if the PI is not used for a purpose unrelated to the lawful operation of the business or is not subject to further unauthorized disclosure.
An Entity that conducts business in CO and that owns or licenses computerized data that includes PI about a resident of CO shall, when it becomes aware of a breach of the security of the system, give notice as soon as possible to the affected CO resident.
Notification is not required if after a good-faith, prompt, and reasonable investigation, the Entity determines that misuse of PI about a CO resident has not occurred and is not likely to occur.
If notice is provided to more than 500 CO residents, the Entity must provide notice to the Attorney General not later than 30 days after the date of determination that the breach occurred.
If an Entity is required to notify more than 1,000 CO residents, the Entity shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the anticipated date of the notification to the residents and the approximate number of residents who are to be notified. This paragraph shall not apply to a person who is subject to Title V of the Gramm-Leach-Bliley Act.
If an Entity maintains computerized data that includes PI that the Entity does not own or license, the Entity shall give notice to and cooperate with the owner or licensee of the information of any breach of the security of the system immediately following discovery of a breach, if misuse of PI about a CO resident occurred or is likely to occur. Cooperation includes sharing with the owner or licensee information relevant to the breach, except that such cooperation shall not be deemed to require the disclosure of confidential business information or trade secrets.
Notice shall be made in the most expedient time possible and without unreasonable delay, but not later than 30 days after the date of determination that the breach occurred, consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system.
“Personal Information” means:
(a) A CO resident’s first name or first initial and last name in combination with any one or more of the following data elements that relate to the resident, when the data elements are not encrypted, redacted, or secured by any other method rendering the name or the element unreadable or unusable:
(b) Username or email address, in combination with a password or security question that would permit access to an online account; or
(c) Account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to that account.
PI does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records or widely distributed media.
Notice may be provided by one of the following methods:
For incidents that involve login credentials of an email account furnished by the Entity, notice may not be given to that email address, but may be given by clear and conspicuous notice delivered to the resident online when connected to the account from an IP address or online location from which the Entity knows the resident customarily accesses the account.
The notice must include:
For a breach of online account credentials, in addition to the information above, the notice must direct the consumer to promptly change his or her password or question and answer, or to take other steps appropriate to protect the online account with the covered Entity and all other online accounts for which the person whose PI has been breached uses the same username or e-mail address and password or security question or answer.
Substitute notice is permitted if the Entity demonstrates that the cost of providing notice will exceed $250,000, that the affected class of persons to be notified exceeds 250,000 CO residents, or that the Entity does not have sufficient contact information to provide notice. Substitute notice shall consist of all of the following:
Any Entity that maintains its own notification procedures as part of an information security policy for the treatment of PI and whose procedures are otherwise consistent with the timing requirements of the statute shall be deemed to be in compliance with the notice requirements of the statute if the Entity notifies affected CO customers in accordance with its policies in the event of a breach of the security of the system.
Name: Iowa Code 715C.1-2 2018 S.F. 2177
Effective Date: July 1, 2018
Link to Documentation
Any individual, corporation, business trust, estate, trust, partnership, limited liability company, association, joint venture, government, governmental subdivision, agency, or instrumentality, public corporation, or any other legal or commercial entity (collectively, Entity) that owns or licenses computerized data that includes an IA resident’s PI that is used in the course of the Entity’s business, vocation, occupation, or volunteer activities and that was subject to a breach of security.
Unauthorized acquisition of PI maintained in computerized form by an Entity that compromises the security, confidentiality, or integrity of the PI. Also, unauthorized acquisition of PI maintained by a person in any medium, including on paper, that was transferred by the person to that medium from computerized form and that compromises the security, confidentiality, or integrity of the PI.
Any Entity to which the statute applies shall give notice of the breach of security following discovery of such breach of security, or receipt of notification of such breach, to any IA resident whose PI was included in the information that was breached.
If an Entity that owns or licenses computerized data that includes a consumer’s PI that is used in the course of the Entity’s business, vocation, occupation, or volunteer activities suffers a security breach requiring notification of more than 500 IA residents, then the Entity will give written notice following discovery of such breach, or receipt of notification required by third parties, to the director of the consumer protection division of the Attorney General’s office. Notice or receipt of notice must be provided within 5 business days of giving notice to any consumer.
Any Entity who maintains or otherwise possesses PI on behalf of another Entity shall notify the owner or licensor of the information of any breach of security immediately following discovery of such breach if an IA resident’s PI was included in the information that was breached.
The notification shall be made in the most expeditious manner possible and without unreasonable delay, consistent with any measures necessary to sufficiently determine contact information for the affected IA residents, determine the scope of the breach, and restore the reasonable integrity, security, and confidentiality of the data.
An individual’s first name or first initial and last name in combination with any one or more of the following data elements that relate to the individual if any of the data elements are not encrypted, redacted, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable or are encrypted, redacted, or otherwise altered by any method or technology but the keys to unencrypt, unredact, or otherwise read the data elements have also been obtained through the breach of security:
PI does not include information that is lawfully obtained from publicly available sources, or from federal, state, or local government records lawfully made available to the general public.
Notice shall include, at a minimum, all of the following:
Notification may be provided by one of the following methods:
Substitute notice is permitted if the Entity demonstrates that the cost of providing notice would exceed $250,000, that the affected class of IA residents to be notified exceeds 350,000 persons, or that the Entity does not have sufficient contact information to provide notice. Substitute notice shall consist of the following:
Exception: Own Notification Policy. Any Entity that maintains its own disclosure procedures as part of an information privacy policy or a security policy is not required to make a separate disclosure under the statute if the Entity’s information privacy policy or security policy is at least as stringent as the disclosure requirements under the statute.
Name: Ind. Code 4-1-11 et seq.; 24-4.9-1 et seq. H.E.A. No. 1121
Effective Date: June 1, 2018
Link to Documentation 1
Link to Documentation 2
Any individual, corporation, business trust, estate, trust, partnership, association, nonprofit corporation or organization, cooperative, state agency or any other legal entity (collectively, Entity) that owns or licenses computerized data that includes PI.
An unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of PI maintained by an Entity. The term includes the unauthorized acquisition of computerized data that has been transferred to another medium, including paper, microfilm, or a similar medium, even if the transferred data are no longer in a computerized format.
Any Entity, after discovering or being notified of a breach of the security of data, shall disclose the breach to an IN resident whose unencrypted PI was or may have been acquired by an unauthorized person or whose encrypted PI was or may have been acquired by an unauthorized person with access to the encryption key if the Entity knows, or should know, or should have known that the unauthorized acquisition constituting the breach has resulted in or could result in identity deception (as defined in Ind. Code § 35-43-5-3.5), identity theft, or fraud affecting the IN resident.
If the Entity makes such a disclosure, the database owner shall also disclose the breach to the Attorney General.
An Entity required to make a disclosure to more than 1,000 consumers shall also disclose to all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis information necessary to assist the consumer reporting agency in preventing fraud, including PI of an IN resident affected by the breach of the security of a system.
An Entity that maintains computerized data that includes PI but that does not own or license the PI shall notify the owner of the PI if the Entity discovers that PI was or may have been acquired by an unauthorized person.
The disclosure notification shall be made without unreasonable delay and consistent with any measures necessary to determine the scope of the breach and restore the integrity of the system.
A Social Security number that is not encrypted or redacted, or an individual’s first and last names, or first initial and last name, and one or more of the following data elements that are not encrypted or redacted:
PI does not include information that is lawfully obtained from publicly available information or from federal, state, or local government records lawfully made available to the general public.
Notice may be provided by one of the following methods:
State agencies are subject to slightly different notice requirements.
Substitute notice is permitted if an Entity demonstrates that the cost of the disclosure exceeds $250,000, or that the affected class of subject persons to be notified exceeds 500,000. Substitute notice shall consist of all of the following:
Any Entity that maintains its own disclosure procedures as part of an information privacy policy or a security policy is not required to make a separate disclosure under the statute if the Entity’s information privacy policy or security policy is at least as stringent as the disclosure requirements under the statute.
This section does not apply to an Entity that maintains its own data security procedures as part of an information privacy, security policy, or compliance plan under:
If the Entity’s information privacy, security policy, or compliance plan requires the Entity to maintain reasonable procedures to protect and safeguard from unlawful use or disclosure PI of IN residents that is collected or maintained by the Entity and the Entity complies with the Entity’s information privacy, security policy, or compliance plan.
Name: Or. Rev. Stat. §§ 646A.600, 646A.602, 646A.604, 646A.624, 646A.626 S.B. 684
Effective Date: January 1, 2020
Link to Documentation
Any individual, private or public corporation, partnership, cooperative, association, estate, limited liability company, organization, or other entity, whether or not organized to operate at a profit, or a public body as defined in Or. Rev. Stat. § 174.109 (collectively, Entity) that owns, licenses, maintains, stores, manages, collects, processes, acquires or otherwise possesses PI in the course of the Entity’s business, vocation, occupation or volunteer activities and was subject to the breach of security. This does not include any person or entity that contracts with the Entity to maintain, store, manage, process or otherwise access PI for the purpose of, or in connection with, providing services to or on behalf of the Entity. (Note: The expansion of application to entities that maintain, store, or process information on their own behalf but that they do not own is effective Jan. 1, 2020.)
Unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of PI maintained or possessed by the Entity.
Any Entity to which the statute applies shall give notice of the breach of security following discovery of such breach of security, or receipt of notification, to any consumer to whom the PI pertains.
If an Entity discovers a breach of security affecting more than 1,000 individuals that requires disclosure under this section, the Entity shall notify, without unreasonable delay, all consumer reporting agencies that compile and maintain reports on individuals on a nationwide basis of the timing, distribution, and content of the notification given by the Entity to the individuals. The Entity shall include the police report number, if available, in its notification to the consumer reporting agencies.
The Entity must provide notice to the Attorney General, either in writing or electronically, if the number of OR residents affected exceeds 250. The Entity shall disclose the breach of security to the Attorney General in the same manner as to consumers.
Entities that are otherwise exempt from the requirements of this section by virtue of federal regulation must nonetheless provide to the Attorney General within a reasonable time at least one copy of any notice the person sends to consumers or to the person’s primary or functional regulator in compliance with this section or with other state or federal laws or regulations that apply to the person as a consequence of a breach of security.
Any person that maintains or otherwise possesses PI on behalf of another person shall notify the other person of any breach of security as soon as practicable, [Effective Jan. 1, 2020] but not later than 10 days after discovering the breach of security or having a reason to believe that the breach of security occurred. That person must also notify the Attorney General in writing or electronically if the number of residents affected exceeds 250 or cannot be determined, unless the Entity has already notified the Attorney General.
The disclosure shall be made in the most expedient manner possible and without unreasonable delay, but not later than 45 days after discovering or receiving notice of the breach. In providing the notice, the Entity shall take reasonable measures necessary to determine sufficient contact information for the individuals, determine the scope of the breach, and restore the reasonable integrity, security, and confidentiality of the PI.
1) An OR resident’s first name or first initial and last name in combination with any one or more of the following data elements, if encryption, redaction, or other methods have not rendered the data unusable or if the data elements are encrypted and the encryption key has also been acquired:
[Effective Jan. 1, 2020] 2) A user name or other means of identifying a consumer for the purpose of permitting access to the consumer’s account, together with any other method necessary to authenticate the user name or means of identification.
PI also includes any PI data element or any combination of the PI data elements without the consumer’s first name or first initial and last name if encryption, redaction, or other methods have not rendered the data element or combination of data elements unusable and the data element or combination of data elements would enable an individual to commit identity theft. PI does not include publicly available information, other than a Social Security number, that is lawfully made available to the general public from federal, state or local government records.
Notice shall include at a minimum:
Notice may be provided by one of the following methods:
If an Entity offers credit monitoring or identity theft prevention services without charge, the Entity may not require the affected individual to provide a credit or debit card number or accept another service offered by the Entity for free. If services are offered for a fee, the Entity must separately, distinctly, clearly, and conspicuously disclose in the offer that the Entity will charge the consumer a fee. The Entity must require compliance with these terms from any company offering services on the Entity’s behalf.
Substitute notice is permitted if the Entity demonstrates that the cost of providing notice would exceed $250,000, that the affected class of individuals to be notified exceeds 350,000, or that the Entity does not have sufficient contact information to provide notice. Substitute notice consists of the following:
In each of the following cases, Oregon’s notification requirements do not apply, except that any person claiming one of these exemptions and notifying more than 250 Oregon residents must provide a copy of the individual notice and any notice to any primary or functional regulator, to the Oregon Attorney General:
Name: Wyo. Stat. 40-12-501 et seq. Senate File Nos. 35 and 36
Effective Date: July 1, 2015
Link to Documentation
An individual or commercial entity (collectively, Entity) that conducts business in WY and that owns or licenses computerized data that includes PI about a resident of WY.
Unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of PI maintained by an Entity and causes or is reasonably believed to cause loss or injury to a resident of WY.
Any Entity to which the statute applies shall, when it becomes aware of a breach of the security of the system, conduct in good faith a reasonable and prompt investigation to determine the likelihood that PI has been or will be misused. If the investigation determines that the misuse of PI about a WY resident has occurred or is reasonably likely to occur, the Entity shall give notice as soon as possible to the affected WY resident.
An Entity that maintains computerized data that includes PI on behalf of another Entity shall disclose to the Entity for which the information is maintained any breach of the security of the system as soon as practicable following the determination that PI was, or is reasonably believed to have been, acquired by an unauthorized person.
The Entity that maintains the data on behalf of another Entity and the Entity on whose behalf the data is maintained may agree which Entity will provide any required notice, provided only a single notice for each breach of the security of the system shall be required. If agreement regarding notification cannot be reached, the Entity that has the direct business relationship with the resident of WY shall provide the required notice.
Notice shall be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system.
The first name or first initial and last name of a person in combination with one or more of the following data elements when the data elements are not redacted:
PI does not include information, regardless of its source, contained in any federal, state or local government records or in widely distributed media that are lawfully made available to the general public.
Notice shall be clear and conspicuous and shall include, at a minimum:
Notice may be provided by one of the following methods:
Substitute notice is permitted if the Entity demonstrates that the cost of providing notice would exceed $10,000 for WY-based Entities, or $250,000 for all other Entities operating but not based in WY; that the affected class of subject persons to be notified exceeds 10,000 for WY-based Entities, or 500,000 for all other businesses operating but not based in WY; or that the Entity does not have sufficient contact information. Substitute notice shall consist of all of the following:
Name: Idaho Code 28-51-104 et seq. H.B. 566
Effective Date: July 1, 2010
Link to Documentation
Any agency, individual or commercial entity (collectively, Entity) that conducts business in ID and that owns or licenses computerized data that includes PI about a resident of ID.
An illegal acquisition of unencrypted computerized data that materially compromises the security, confidentiality, or integrity of PI for one or more persons maintained by Entity.
An Entity to which the statute applies shall give notice as soon as possible to the affected ID resident.
When an agency becomes aware of a security breach, it shall, within 24 hours, notify the office of the state Attorney General.
An Entity that maintains computerized data that includes PI that the Entity does not own or license shall give notice to and cooperate with the owner or licensee of the information of any breach of the security of the system immediately following discovery of the breach, if misuse of PI about an ID resident occurred or is reasonably likely to occur. Cooperation includes sharing with the owner or licensee information relevant to the breach.
Notice must be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach, to identify the individuals affected, and to restore the reasonable integrity of the computerized data system.
An ID resident’s first name or first initial and last name in combination with any one or more of the following data elements that relate to the resident, when either the name or the data elements are not encrypted:
PI does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records or widely distributed media.
Notice may be provided by one of the following methods:
Substitute notice is permitted if the Entity required to provide notice demonstrates that the cost of providing notice would exceed $25,000, that the number of ID residents to be notified exceeds 50,000, or that the Entity does not have sufficient contact information to provide notice. Substitute notice consists of all of the following:
Any Entity that maintains its own notice procedures as part of an information security policy for the treatment of PI, and whose procedures are otherwise consistent with the timing requirements of the statute is deemed to be in compliance with the notice requirements if the Entity notifies affected ID residents in accordance with its policies in the event of a breach of the security of the system.
Any Entity that intentionally fails to give notice in accordance with the statute shall be subject to a fine of not more than $25,000 per breach of the security of the system.
Any governmental employee that intentionally discloses PI not subject to disclosure otherwise allowed by law shall be subject to a fine of not more than $2,000, by imprisonment in the county jail for a period of not more than 1 year, or both.
Name: Wis. Stat. 134.98 S.B. 164
Effective Date: March 31, 2006
Link to Documentation
Any Entity that maintains or licenses PI in WI or that knows that PI pertaining to a resident of WI has been acquired by a person whom the Entity has not authorized to acquire the PI. “Entity” includes the state of WI and any office, department, independent agency, authority, institution, association, society, or other body in state government created or authorized to be created by the constitution or any law, including the legislature and the courts; a city, village, town, or county; and a person, other than an individual, that does any of the following:
When an Entity whose principal place of business is located in WI or an Entity that maintains or licenses PI in WI knows that PI in the Entity’s possession has been acquired by a person whom the Entity has not authorized to acquire the PI, or, in the case of an Entity whose principal place of business is not located in WI, when it knows that PI pertaining to a resident of WI has been acquired by a person whom the Entity has not authorized to acquire the PI.
Any Entity to which the statute applies shall make reasonable efforts to notify each subject of the PI.
If, as the result of a single incident, an Entity is required to notify 1,000 or more individuals that PI pertaining to the individuals has been acquired, the Entity shall without unreasonable delay notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, of the timing, distribution, and content of the notices sent to the individuals.
If a person, other than an individual, that stores PI pertaining to a resident of WI, but does not own or license the PI, knows that the PI has been acquired by a person whom the person storing the PI has not authorized to acquire the PI, and the person storing the PI has not entered into a contract with the person that owns or licenses the PI, the person storing the PI shall notify the person that owns or licenses the PI of the acquisition as soon as practicable.
An Entity shall provide the notice within a reasonable time, not to exceed 45 days after the Entity learns of the acquisition of PI. A determination as to reasonableness shall include consideration of the number of notices that an Entity must provide and the methods of communication available to the Entity.
An individual’s last name and the individual’s first name or first initial, in combination with and linked to any of the following elements, if the element is not publicly available information and is not encrypted, redacted, or altered in a manner that renders the element unreadable:
An element is publicly available if the Entity reasonably believes that it was lawfully made widely available through any media or lawfully made available to the general public from federal, state, or local government records or disclosures to the general public that are required to be made by federal, state, or local law.
The notice shall indicate that the Entity knows of the unauthorized acquisition of PI pertaining to the resident of WI who is the subject of the PI. Notice may be provided by one of the following methods:
If an Entity cannot with reasonable diligence determine the mailing address of the subject of the PI, and if the Entity has not previously communicated with the subject of the PI, the Entity shall provide notice by a method reasonably calculated to provide actual notice to the subject of the PI.
Name: W. Va. Code 46A-2A-101 et seq. S.B. 340
Effective Date: June 6, 2008
Link to Documentation
An individual, corporation, business trust, estate, partnership, limited partnership, limited liability partnership, limited liability company, association, organization, joint venture, government, governmental subdivision, agency, or instrumentality, or any other legal entity, whether for profit or not for profit, (collectively, Entity) that owns or licenses computerized data that includes PI.
Unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of PI maintained by an Entity as part of a database of PI regarding multiple individuals and that causes the Entity to reasonably believe that the breach of security has caused or will cause identity theft or other fraud to any resident of WV.
Any Entity to which the statute applies shall give notice of any breach of the security of the system following discovery or notification of the breach of the security of the system to any resident of WV whose unencrypted and unredacted PI was or is reasonably believed to have been accessed and acquired by an unauthorized person and that causes, or the individual or entity reasonably believes has caused or will cause, identity theft or other fraud to any resident of WV.
If an Entity is required to notify more than 1,000 persons of a breach of security pursuant to this article, the Entity shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on a nationwide basis of the timing, distribution, and content of the notices. Nothing in this subsection shall be construed to require the Entity to provide to the consumer reporting agency the names or other PI of breach notice recipients.
An Entity that maintains computerized data that includes PI that the Entity does not own or license shall give notice to the owner or licensee of the information of any breach of the security of the system as soon as practicable following discovery, if the PI was or the Entity reasonably believes was accessed and acquired by an unauthorized person.
Except to take any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the system, the notice shall be made without unreasonable delay.
The first name or first initial and last name linked to any one or more of the following data elements that relate to a resident of WV, when the data elements are neither encrypted nor redacted:
PI does not include information that is lawfully obtained from publicly available information, or from federal, state, or local government records lawfully made available to the general public.
The notice shall include:
Notice may be provided by one of the following methods:
If an Entity demonstrates that the cost of providing notice will exceed $50,000, or that the affected class of residents to be notified exceeds 100,000 persons, or that the Entity does not have sufficient contact information to provide notice. Substitute notice consists of any two of the following:
An Entity that maintains its own notification procedures as part of an information privacy or security policy for the treatment of PI that are consistent with the timing requirements of this article shall be deemed to be in compliance with the notification requirements of this article if the Entity notifies residents of WV in accordance with its procedures in the event of a breach of security of the system.
Name: Wash. Rev. Code 19.255.010 et seq., 42.56.590 H.B. 1071
Effective Date: March 1, 2020
Link to Documentation 1
Link to Documentation 2
Any state or local agency or any person or business which conducts business in WA (collectively, Entity) that owns or licenses computerized data that includes PI.
Unauthorized acquisition of data that compromises the security, confidentiality, or integrity of PI maintained by the Entity.
Any Entity to which the statute applies shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of WA whose PI was, or is reasonably believed to have been, acquired by an unauthorized person and the PI was not “secured” (i.e., encrypted in a manner that meets or exceeds the National Institute of Standards and Technology (NIST) standard or is otherwise modified so that the PI is rendered unreadable, unusable, or undecipherable by an unauthorized person).
Any Entity that is required to issue a notification to more than 500 WA residents as a result of a single breach shall, by the time notice is provided to affected consumers, electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. The Entity shall also provide to the Attorney General the following information:
[Effective March 1, 2020]
The notice to the attorney general must be updated if any of the information identified above is unknown at the time the notice is due.
Any Entity that maintains computerized data that includes PI that the Entity does not own shall notify the owner or licensee of the PI of any breach immediately following discovery, if the PI was, or is reasonably believed to have been, acquired by an unauthorized person.
The disclosure to affected consumers and to the Attorney General shall be made in the most expedient time possible and without unreasonable delay, no more than 45 calendar days [30 calendar days effective March 1, 2020] after the breach was discovered, unless the delay is at the request of law enforcement or the delay is due to any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
(1) An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
[Additional elements effective March 1, 2020]
(2) Username or email address in combination with a password or security questions and answers that would permit access to an online account; and
(3) Any of the data elements or any combination of the data elements described in (1) above, without the consumer’s first name or first initial and last name if:
(A) Encryption, redaction, or other methods have not rendered the data element or combination of data elements unusable; and
(B) The data element or combination of data elements would enable a person to commit identity theft against a consumer.
PI does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
Notice may be provided by the following methods:
The notification must be written in plain language and must include, at a minimum, the following information:
If the Entity demonstrates that the cost of providing notice would exceed $250,000, or that the affected class of subject persons to be notified exceeds 500,000, or the Entity does not have sufficient contact information. Substitute notice shall consist of all of the following:
[Effective March 1, 2020] If the breach of the security of the system involves personal information including a user name or password, notice may be provided electronically or by email. If the breach involves login credentials of an email account furnished by the Entity, notice may be provided using another method, not to that email address.
The notice must inform the person whose personal information has been breached to promptly change his or her password and security question or answer, as applicable, or to take other appropriate steps to protect the online account with the Entity and all other online accounts for which the person whose personal information has been breached uses the same username or email address and password or security question or answer.
An Entity that maintains its own notification procedures as part of an information security policy for the treatment of PI and is otherwise consistent with the timing requirements of this section is in compliance with the notification requirements of this section if the Entity notifies subject persons in accordance with its policies in the event of a breach of security.
In the event of a breach where an Entity held unencrypted account information or was not Payment Card Industry Data Security Standard compliant, payment processors, businesses, and vendors can be liable to a financial institution for the cost of reissuing credit and debit cards in the event of a breach that results in the disclosure of the full, unencrypted account information contained on an identification device, or the full, unencrypted account number on a credit or debit card or identification device plus the cardholder’s name, expiration date, or service code.
Name: Va. Code 18.2-186.6 H.B. 2396
Effective Date: July 1, 2019
Link to Documentation 1
Link to Documentation 2
An individual, corporation, business trust, estate, partnership, limited partnership, limited liability partnership, limited liability company, association, organization, joint venture, government, governmental subdivision, agency, or instrumentality or any other legal entity, whether for profit or not for profit (collectively, Entity) that owns or licenses computerized data that includes PI.
Unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of PI maintained by an Entity as part of a database of PI regarding multiple individuals and that causes, or the Entity reasonably believes has caused, or will cause, identity theft or other fraud to any resident of VA.
If unencrypted or unredacted PI was or is reasonably believed to have been accessed and acquired by an unauthorized person and causes, or the Entity reasonably believes has caused or will cause, identity theft or another fraud to any resident of VA, an Entity to which the statute applies shall disclose any breach of the security of the system following discovery or notification of the breach of the security of the system to any affected resident of VA.
In the event an Entity provides notice to more than 1,000 persons at one time pursuant to the general security breach section, the Entity shall notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 U.S.C. Section 1682(a)(p), of the timing, distribution, and content of the notice.
The state AG must be notified whenever any VA residents are notified under the criteria above. In the event an Entity provides notice to more than 1,000 persons at one time pursuant to this section, the individual or entity shall notify, without unreasonable delay, the state Attorney General of the timing, distribution, and content of the notice. For health information, the Entity must also notify the Commissioner of Health.
Employers or payroll service providers that own or license computerized data relating to state income tax withheld must notify the Attorney General of unauthorized access and acquisition of unencrypted and unredacted computerized data containing a taxpayer identification number in combination with the income tax withheld for that taxpayer that compromises the confidentiality of such data and that creates a reasonable belief that an unencrypted and unredacted version of such information was accessed and acquired by an unauthorized person, and causes, or the employer or payroll provider reasonably believes has caused or will cause, identity theft or other fraud. For employers, the notification obligation applies only to information regarding its employees (not customers or other non-employees).
Such employer or payroll service provider shall provide the Attorney General with the name and federal employer identification number of the employer without unreasonable delay after the discovery of the breach. The Attorney General shall then notify the Department of Taxation of the breach.
An Entity that maintains computerized data that includes PI that the Entity does not own or license shall notify the owner or licensee of the information of any breach of the security of the system without unreasonable delay following discovery of the breach of the security of the system, if the PI was accessed and acquired by an unauthorized person or the Entity reasonably believes the PI was accessed and acquired by an unauthorized person.
Notice required by the statute shall be made without unreasonable delay. Notice may be reasonably delayed to allow the individual or Entity to determine scope of the breach of security and restore the reasonable integrity of the system.
The first name or first initial and last name in combination with and linked to any one or more of the following data elements that relate to a resident of VA, when the data elements are neither encrypted nor redacted:
The health information breach law applies to the first name or first initial and last name with any of the following elements:
PI does not include information that is lawfully obtained from publicly available information, or from federal, state, or local government records lawfully made available to the general public.
Notice shall include a description of the following:
Notice means:
If the Entity demonstrates that the cost of providing notice will exceed $50,000, the affected class of VA residents to be notified exceeds 100,000 residents, or the individual or the Entity does not have sufficient contact information or consent to provide written, electronic or telephonic notice. Substitute notice consists of all of the following:
An Entity that maintains its own notification procedures as part of an information privacy or security policy for the treatment of PI that are consistent with the timing requirements of this section shall be deemed to be in compliance with the notification requirements of this section if it notifies residents of VA in accordance with its procedures in the event of a breach of the security of the system.
The state Attorney General may impose a civil penalty not to exceed $150,000 per breach of the security of the system or a series of breaches of a similar nature that are discovered in a single investigation. (This provision does not apply to health information breaches.)
Name: 9 V.S.A. 2430, 2435 S. 73
Effective Date: July 1, 2015
Link to Documentation
Any data collector, including, but not limited to, the state, state agencies, political subdivisions of the state, public and private universities, privately and publicly held corporations, limited liability companies, financial institutions, retail operators, and any other entity that, for any purpose, whether by automated collection or otherwise, handles, collects, disseminates, or otherwise deals with nonpublic PI (Entity), that owns or licenses computerized PI that includes PI concerning an individual residing in VT.
Unauthorized acquisition of electronic data or a reasonable belief of such unauthorized acquisition that compromises the security, confidentiality, or integrity of PI maintained by an Entity.
To determine whether this definition applies, any Entity may consider the following factors (among others):
An Entity shall notify affected individuals residing in VT that there has been a security breach following discovery or notification to the Entity of the breach.
In the event an Entity is required to provide notice to more than 1,000 residents of VT at one time, the Entity shall notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the timing, distribution, and content of the notice. This subsection shall not apply to a person who is licensed or registered under Title 8 by the Department of Banking, Insurance, Securities, and Health Care Administration.
An Entity shall notify the Attorney General or Department of Financial Regulation of any breach within 14 business days of the date the Entity discovers the breach or the date the Entity provides notice to consumers, whichever is sooner.
Any Entity that has, prior to the breach, sworn in writing on a form and in a manner prescribed by the Attorney General that the Entity maintains written policies and procedures to maintain the security of PI and respond to breaches in a manner consistent with state law shall notify the Attorney General before providing notice to consumers. Notice to the Attorney General shall contain the date the breach occurred, the date the breach was discovered, and a description of the breach. If the date of the breach is unknown, then the Entity shall send notice to the Attorney General or the Department as soon as the date becomes known.
If an Entity provides notice of the breach to consumers, the Entity shall notify the Attorney General or the Department of the number of VT residents affected, if known, and shall provide a copy of the notice that was provided to consumers. An Entity may also send the Attorney General or Department a second copy of the notice to consumers that redacts the type of PI breached for any public disclosure of the breach.
Any Entity that maintains or possesses computerized data containing PI of an individual residing in VT that the Entity does not own or license or any Entity that conducts business in VT that maintains or possesses records or data containing PI that the Entity does not own or license shall notify the owner or licensee of the information of any security breach immediately following discovery of the breach, consistent with the legitimate needs of law enforcement.
Notice of the breach shall be made in the most expedient time possible and without unreasonable delay, but not later than 45 days after the discovery of the breach, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.
An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted or protected by another method that renders them unreadable or unusable by unauthorized persons:
PI does not mean publicly available information that is lawfully made available to the general public from federal, state, or local government records.
The notice to a consumer shall be clear and conspicuous and include a description of each of the following, if known to the Entity:
Notice may be provided by one or more of the following methods:
If the Entity demonstrates that the cost of providing written or telephonic notice to affected residents would exceed $5,000, or that the affected class of affected residents to be provided written or telephonic notice exceeds 5,000, or the Entity does not have sufficient contact information. Substitute notice shall consist of all of the following:
Name: Utah Code 13-44-101, 13-44-202, 13-44-301 S.B. 193
Effective Date: May 14, 2019
Link to Documentation
Any Entity who owns or licenses computerized data that includes PI concerning a UT resident.
Unauthorized acquisition of computerized data maintained by an Entity that compromises the security, confidentiality, or integrity of PI.
If investigation reveals that the misuse of PI for identity theft or fraud has occurred, or is reasonably likely to occur, the person shall provide notification to each affected UT resident.
An Entity that maintains computerized data that includes PI that the Entity does not own or license shall notify and cooperate with the owner or licensee of the PI of any breach of system security immediately following the Entity’s discovery of the breach if misuse of the PI occurs or is reasonably likely to occur.
Notification shall be provided in the most expedient time possible without unreasonable delay, after determining the scope of the breach of system security and after restoring the reasonable integrity of the system.
A person’s first name or first initial and last name, combined with any one or more of the following data elements relating to that person, when either the name or data element is unencrypted or not protected by another method that renders the data unreadable or unusable:
PI does not include information regardless of its source, contained in federal, state, or local government records or in widely distributed media that are lawfully made available to the general public.
Notice may be provided by one of the following methods:
If notification in the manner described above is not feasible, by publishing notice of the breach of system security in a newspaper of general circulation. Such notice must comply with Utah Code § 45-1-101.
Violators are subject to a civil fine of no more than $2,500 for a violation or series of violations concerning a specific consumer and no more than $100,000 in the aggregate for related violations concerning more than one consumer. The latter limitation does not apply if the violations concern more than 10,000 Utah residents and more than 10,000 residents of other states, or if the Entity agrees to settle for a greater amount.
Name: Tex. Bus. & Com. Code 521.002, 521.053 H.B. 4390
Effective Date: January 1, 2020
Link to Documentation 1
Link to Documentation 2
A person (Entity) that conducts business in TX and owns or licenses computerized data that includes sensitive PI.
Unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive PI maintained by an Entity, including data that is encrypted if the person accessing the data has the key required to decrypt the data.
Any Entity to which the statute applies shall disclose any breach of system security, after discovering or receiving notification of the breach, to any person, including nonresidents, whose sensitive PI was, or is reasonably believed to have been, acquired by an unauthorized person.
[Effective January 1, 2020] Attorney General Notification
Any Entity that is required to provide notification of a security breach to at least 250 Texas residents, shall notify the attorney general of that breach not later than 60 days after the Entity determines that a breach has occurred. The notification must include:
If an Entity is required by this section to notify at one time more than 10,000 persons of a breach of system security, the Entity shall also notify, without unreasonable delay, all consumer reporting agencies that maintain files on consumers on a nationwide basis of the timing, distribution, and content of the notices.
Any Entity that maintains computerized data that includes sensitive PI that the Entity does not own shall notify the owner or license holder of the information of any breach of system security immediately after discovering the breach, if the sensitive PI was, or is reasonably believed to have been, acquired by an unauthorized person.
The disclosure shall be made without unreasonable delay and [effective Jan. 1, 2020] in each case not later than the 60th day after the date on which the person determines that the breach occurred, consistent with the legitimate needs of law enforcement, or as necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
An individual’s first name or first initial and last name in combination with any one or more of the following items, if the name and the items are not encrypted:
Sensitive PI also includes information that identifies an individual and relates to:
Sensitive PI does not include publicly available information that is lawfully made available to the general public from the federal government or a state or local government.
Notice may be provided by one of the following methods:
However, if the affected person is a resident of a state that has its own breach notification requirement, the Entity may provide notice under that state’s law or under Texas’s law.
If the Entity demonstrates that the cost of providing notice would exceed $250,000, the number of affected persons exceeds 500,000, or the Entity does not have sufficient contact information, the notice may be given by any of the following:
An Entity that maintains its own notification procedures as part of an information security policy for the treatment of sensitive PI that complies with the timing requirements for notice under this section complies with this section if the Entity notifies affected persons in accordance with that policy.
Name: Tenn. Code 47-18-2107 S.B. 547
Effective Date: April 4, 2017
Link to Documentation
Any person or business that conducts business in TN, or any agency of TN or any of its political subdivisions (collectively, Entity), that owns or licenses computerized data that includes PI.
Acquisition of:
by an unauthorized person that materially compromises the security, confidentiality, or integrity of PI maintained by the Entity. “Encrypted” means computerized data that is rendered unusable, unreadable, or indecipherable without the use of a decryption process or key and in accordance with the current version of the Federal Information Processing Standard (FIPS) 140-2.
Any Entity to which the statute applies shall disclose any breach of the security of the system, following discovery or notification of the breach in the security of the data, to any resident of TN whose PI was, or is reasonably believed to have been, acquired by an unauthorized person. “Unauthorized person” includes an employee of the Entity who is discovered by the Entity to have obtained personal information and intentionally used it for an unlawful purpose.
If an Entity is required to notify more than 1,000 persons at one time, the person shall also notify, without unreasonable delay, all consumer reporting agencies and credit bureaus that compile and maintain files on consumers on a nationwide basis of the timing, distribution, and content of the notices.
Any Entity that maintains computerized data that includes PI that the Entity does not own shall notify the owner or licensee of the information of any breach of the security of the data if the PI was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure must be made no later than 45 days from the discovery or notification of the breach, unless a longer period of time is required due to the legitimate needs of law enforcement.
The disclosure shall be made immediately, but no later than 45 days from the discovery or notification of the breach, unless a longer period of time is required due to the legitimate needs of law enforcement.
An individual’s first name or first initial and last name, in combination with any one or more of the following data elements:
PI does not include information that is lawfully made available to the general public from federal, state, or local government records or information that has been redacted or otherwise made unusable.
Notice may be provided by one of the following methods:
If the Entity demonstrates that the cost of providing notice would exceed $250,000, or that the affected class of subject persons to be notified exceeds 500,000, or the Entity does not have sufficient contact information. Substitute notice shall consist of all of the following:
An Entity that maintains its own notification procedures as part of an information security policy for the treatment of PI and is otherwise consistent with the timing requirements of the statute shall be deemed to be in compliance with the notification requirements of the statute if it notifies subject persons in accordance with its policies in the event of a breach of security of the system.
The provisions of this statute shall not apply to any Entity that is subject to:
Name: S.D. CODE 22-40-20 et seq. South Dakota S.B. 62
Effective Date: July 1, 2018
Link to Documentation 1
Link to Documentation 2
Any person or business that conducts business in South Dakota, and that owns or licenses computerized personal or protected information of residents of SD (“Information Holder”).
The unauthorized acquisition of unencrypted computerized data or encrypted computerized data and the encryption key by any person that materially compromises the security, confidentiality, or integrity of personal or protected information.
Any Information Holder that discovers or is notified of a breach of system security must notify affected individuals and consumer reporting agencies (see below).
If the number of affected individuals exceeds 250 residents, the Information Holder must notify the Attorney General.
The Information Holder must notify, without unreasonable delay, all consumer reporting agencies and any other credit bureau or agency that compiles and maintains files on consumers on a nationwide basis.
Notice must be given no later than 60 days from when the Information Holder discovers or is notified of a breach.
SD’s statute covers both “personal information” and “protected information.”
“Personal information” means a person’s first name or first initial and last name, in combination with any one or more of the following data elements:
The term does not include information that is lawfully made available to the general public from federal, state, or local government records or information that has been redacted, or otherwise made unusable.
“Protected information” includes:
Notice may be provided by one of the following methods:
Substitute notice is acceptable if the cost of notification will exceed $250,000, the affected class of persons to be notified exceeds 500,000 persons, or the Information Holder does not have sufficient contact information, and the notice consists of each of the following:
Name: S.C. Code 39-1-90 H.B. 3248
Effective Date: April 23, 2013
Link to Documentation
A natural person, an individual, or a corporation, government or governmental subdivision or agency, trust, estate, partnership, cooperative or association (collectively, Entity) conducting business in SC, and owning or licensing computerized data or other data that includes PI.
Unauthorized access to and acquisition of computerized data that was not rendered unusable through encryption, redaction, or other methods that compromises the security, confidentiality, or integrity of PI maintained by the Entity, when illegal use of the information has occurred or is reasonably likely to occur or use of the information creates a material risk of harm to a resident.
Any Entity to which the statute applies shall disclose a breach of the security of the system following discovery or notification of the breach in the security of the data to a resident of SC whose unencrypted and unredacted PI was, or is reasonably believed to have been, acquired by an unauthorized person when the illegal use of the information has occurred or is reasonably likely to occur or use of the information creates a material risk of harm to the resident.
If an Entity provides notice to more than 1,000 persons at one time pursuant to the statute, the Entity shall notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on a nationwide basis of the timing, distribution, and content of the notice.
If an Entity provides notice to more than 1,000 SC residents, the Entity shall notify, without unreasonable delay, the Consumer Protection Division of the Department of Consumer Affairs of the timing, distribution, and content of the notice.
An Entity conducting business in SC and maintaining computerized data or other data that includes PI that the Entity does not own shall notify the owner or licensee of the information of a breach of the security of the data immediately following discovery, if the PI was, or is reasonably believed to have been, acquired by an unauthorized person.
The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
The first name or first initial and last name in combination with and linked to any one or more of the following data elements that relate to a resident of SC, when the data elements are neither encrypted nor redacted:
PI does not include information that is lawfully obtained from publicly available information, or from federal, state, or local government records lawfully made available to the general public.
Notice may be provided by one of the following methods:
If the Entity demonstrates that the cost of providing notice exceeds $250,000, or that the affected class of subject persons to be notified exceeds 500,000, or the person has insufficient contact information. Substitute notice consists of:
An Entity that maintains its own notification procedures as part of an information security policy for the treatment of PI and is otherwise consistent with the timing requirements of the statute shall be deemed to be in compliance with the notification requirements of the statute if it notifies subject persons in accordance with its policies in the event of a breach of security of the system.
A person who knowingly and willfully violates this section is subject to an administrative fine of $1,000 for each SC resident whose information was accessible by reason of the breach, the amount to be decided by the Department of Consumer Affairs.
Name: R.I. Gen. Laws § 11-49.2-1 et seq.; will be repealed effective June 26, 2016 and replaced by 11-49.3-1, et seq. S.B. 0134
Effective Date: June 26, 2016
Link to Documentation
A municipal agency, state agency, individual, sole proprietorship, partnership, association, corporation, joint venture, business or legal entity, trust, estate, cooperative, or other commercial entity (collectively, Entity) that stores, owns, collects, processes, maintains, acquires, uses, or licenses data that includes PI.
Unauthorized access or acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of PI maintained by the Entity.
Any Entity to which the statute applies shall provide notification of any disclosure of PI or any breach of the security of the system that poses a significant risk of identity theft to any resident of RI whose unencrypted PI was, or is reasonably believed to have been, acquired by an unauthorized person or entity.
In the event that more than 500 RI residents are to be notified, the Entity shall notify the Attorney General and the major credit reporting agencies as to the timing, content, and distribution of the notices and the approximate number of affected individuals. Notification to the Attorney General and the major credit reporting agencies shall be made without delaying notice to affected RI residents.
The notification shall be made in the most expedient time possible but no later than 45 calendar days after confirmation of the breach and the ability to ascertain the information required to fulfill the notice requirements and shall be consistent with the legitimate needs of law enforcement.
An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or are in hard copy paper format:
“Encrypted” means the transformation of data through the use of a 128-bit or higher algorithmic process into a form in which there is a low probability of assigning meaning without use of a confidential process or key. Data shall not be considered encrypted if it is acquired in combination with any key, security code, or password that would permit access to the encrypted data.
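The encryption definition above, and the same caveat repeated in the NY, NM and NH entries further down (data is not "encrypted" if it is acquired together with the key), is in engineering terms a requirement that a stolen copy of the data be useless on its own. The envelope-encryption pattern below is an added example written for this page, not code from the statute, the site or any vendor: each record is encrypted under its own data-encryption key (DEK), the DEK is wrapped under a key-encryption key (KEK) that is assumed to live in a separate key store, and only ciphertext reaches the database. The type and function names (EncryptedRecord, EncryptPI, DecryptPI, LeaksPlaintext) and the sample record are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// EncryptedRecord is all the application database stores for one PI record.
// It holds no usable key material: the per-record DEK is sealed under a KEK
// that is assumed to live elsewhere (KMS/HSM), so a table dump is ciphertext.
type EncryptedRecord struct {
	WrappedDEK []byte // DEK sealed under the KEK, nonce prefixed
	Ciphertext []byte // PI sealed under the DEK, nonce prefixed
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM: AES-GCM encrypt with a random 96-bit nonce prefixed to the output.
func sealGCM(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openGCM reverses sealGCM; a wrong key or any tampering fails authentication.
func openGCM(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// NewKey returns a fresh 256-bit key (well above the 128-bit floor), usable as
// KEK or DEK. A real KEK is generated and held outside the database.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// EncryptPI: fresh DEK per record, PI sealed under the DEK, DEK sealed under
// the KEK. Only the two ciphertexts go to storage.
func EncryptPI(kek []byte, pi string) (EncryptedRecord, error) {
	dek, err := NewKey()
	if err != nil {
		return EncryptedRecord{}, err
	}
	ct, err := sealGCM(dek, []byte(pi))
	if err != nil {
		return EncryptedRecord{}, err
	}
	wrapped, err := sealGCM(kek, dek)
	return EncryptedRecord{WrappedDEK: wrapped, Ciphertext: ct}, err
}

// DecryptPI needs the KEK to unwrap the DEK; without it the row is unreadable.
func DecryptPI(kek []byte, er EncryptedRecord) (string, error) {
	dek, err := openGCM(kek, er.WrappedDEK)
	if err != nil {
		return "", fmt.Errorf("unwrap DEK: %w", err)
	}
	pi, err := openGCM(dek, er.Ciphertext)
	if err != nil {
		return "", fmt.Errorf("decrypt PI: %w", err)
	}
	return string(pi), nil
}

// LeaksPlaintext reports whether a stored row contains the element in the clear.
func LeaksPlaintext(er EncryptedRecord, element string) bool {
	return bytes.Contains(er.Ciphertext, []byte(element)) || bytes.Contains(er.WrappedDEK, []byte(element))
}

func main() {
	kek, _ := NewKey()
	row, _ := EncryptPI(kek, "Jane Doe, SSN 123-45-6789") // constructed sample, not real data
	fmt.Println("row dump leaks SSN:", LeaksPlaintext(row, "123-45-6789"))
	_, err := DecryptPI(make([]byte, 32), row) // rows stolen, KEK not
	fmt.Println("without KEK:", err)
	pi, _ := DecryptPI(kek, row) // rows and KEK both stolen
	fmt.Println("with KEK:", pi)
}
```

The calls in main line up with the situations the statutes distinguish: a dump of the table alone (LeaksPlaintext is false and DecryptPI fails), the same dump taken together with the KEK (DecryptPI succeeds, so the data no longer counts as encrypted), and the key-length floor (a 32-byte AES key clears 128 bits). Whether a given incident qualifies for the safe harbor is still a legal determination; the code only makes the technical preconditions checkable, and it presumes the KEK really is stored and access-controlled apart from the rows.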
PI does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
Notice may be provided by any of the following methods:
The notification to individuals must include the following information to the extent known:
Substitute notice may be used if the Entity demonstrates that the cost of providing notice would exceed $25,000, that the affected class of subject persons to be notified exceeds 50,000, or that the Entity does not have sufficient contact information. Substitute notice shall consist of all of the following:
Any Entity that maintains its own security breach procedures as part of an information security policy for the treatment of PI and otherwise complies with the timing requirements of the statute, shall be deemed to be in compliance with the security breach notification, provided such Entity notifies subject persons in accordance with such Entity’s policies in the event of a breach of security.
Each reckless violation is a civil violation for which a penalty of not more than $100 per record may be adjudged against a defendant. Each knowing and willful violation of this chapter is a civil violation for which a penalty of not more than $200 per record may be adjudged against a defendant. Whenever the Attorney General has reason to believe that a violation has occurred and that proceedings would be in the public interest, the Attorney General may bring an action in the name of the state against the business or person in violation.
Name: 73 Pa. Stat. 2301 et seq. S.B. 712
Effective Date: June 20, 2006
Link to Documentation
Any state agency, political subdivision, or an individual or a business (collectively, Entity) doing business in PA that maintains, stores, or manages computerized data that includes PI of PA residents.
Unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of PI maintained by the Entity as part of a database of PI regarding multiple individuals and that causes or the Entity reasonably believes has caused or will cause loss or injury to any resident of PA.
Any Entity to which the statute applies shall provide notice of any breach of the security of the system following discovery of the breach of the security of the system to any individual whose principal mailing address, as reflected in the computerized data that is maintained, stored, or managed by the Entity, is in PA whose unencrypted and unredacted PI was or is reasonably believed to have been accessed and acquired by an unauthorized person.
When an Entity provides notification under this act to more than 1,000 persons at one time, the Entity shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the timing, distribution and number of notices.
An Entity that maintains, stores, or manages computerized data on behalf of another Entity shall provide notice of any breach of the security system following discovery to the Entity on whose behalf it maintains, stores or manages the data.
Except to take any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system, the notice shall be made without unreasonable delay.
An individual’s first name or first initial and last name in combination with and linked to any one or more of the following data elements when the data elements are not encrypted or redacted:
PI does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
Notice may be provided by any of the following methods:
Substitute notice may be used if the Entity demonstrates that the cost of providing notice would exceed $100,000, that the affected class of subject persons to be notified exceeds 175,000, or that the Entity does not have sufficient contact information. Substitute notice shall consist of all of the following:
An Entity that maintains its own notification procedures as part of an information privacy or security policy for the treatment of PI and is consistent with the notice requirements of this act shall be deemed to be in compliance with the notification requirements of this act if it notifies subject persons in accordance with its policies in the event of a breach of security.
Name: 24 Okla. Stat. 161 et seq., 74-3113.1 H.B. 2245
Effective Date: November 1, 2008
Link to Documentation 1
Link to Documentation 2
Any corporations, business trusts, estates, partnerships, limited partnerships, limited liability partnerships, limited liability companies, associations, organizations, joint ventures, governments, governmental subdivisions, agencies, or instrumentalities, or any other legal entity, whether for profit or not-for-profit (collectively, Entity) that owns or licenses computerized data that includes PI of OK residents.
Unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of PI maintained by an Entity as part of a database of PI regarding multiple individuals and that causes, or the Entity reasonably believes has caused or will cause, identity theft or other fraud to any resident of OK.
Any Entity to which the statute applies shall disclose any breach of the security of the system following discovery or notification of the breach of the security of the system to any resident of OK whose unencrypted and unredacted PI was or is reasonably believed to have been accessed and acquired by an unauthorized person and that causes, or the individual or entity reasonably believes has caused or will cause, identity theft or other fraud to any resident of OK.
An Entity that maintains computerized data that includes PI that the Entity does not own or license shall notify the owner or licensee of the information of any breach of the security of the system as soon as practicable following discovery, if the PI was or if the Entity reasonably believes was accessed and acquired by an unauthorized person.
The disclosure shall be made without unreasonable delay consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the system.
The first name or first initial and last name of an individual in combination with and linked to any one or more of the following data elements that relate to a resident of OK, when the data elements are neither encrypted nor redacted:
PI shall not include information that is lawfully obtained from publicly available information, or from federal, state, or local government records lawfully made available to the general public.
Notice means one of the following methods:
Substitute notice may be used if the Entity demonstrates that the cost of providing notice would exceed $50,000, that the affected class of residents to be notified exceeds 100,000, or that the Entity does not have sufficient contact information or consent to provide notice. Substitute notice consists of any two of the following:
An entity that maintains its own notification procedures as part of an information privacy or security policy for the treatment of PI and that are consistent with the timing requirements of the statute shall be deemed to be in compliance with the notification requirements of the statute if it notifies residents of OK in accordance with its procedures in the event of a breach of security of the system.
The state Attorney General or a district attorney shall have exclusive authority to bring an action and may obtain either actual damages for a violation of the statute or a civil penalty not to exceed $150,000 per breach of the security of the system or series of breaches of a similar nature that are discovered in a single investigation.
Name: Ohio Rev. Code 1347.12, 1349.19, 1349.191, 1349.192 H.B. 104
Effective Date: February 17, 2006
Link to Documentation 1
Link to Documentation 2
Link to Documentation 3
Link to Documentation 4
Any individual, corporation, business trust, estate, trust, partnership, or association (collectively, Entity) that conducts business in OH and owns or licenses computerized data that includes PI.
Unauthorized access to and acquisition of computerized data that compromises the security or confidentiality of PI owned or licensed by an Entity and that causes, reasonably is believed to have caused, or reasonably is believed will cause a material risk of identity theft or other fraud to the person or property of a resident of OH.
Any Entity to which the statute applies shall disclose any breach of the security of the system, following its discovery or notification of the breach of the security of the system, to any individual whose principal mailing address as reflected in the records of the Entity is in OH and whose PI was, or reasonably is believed to have been, accessed and acquired by an unauthorized person if the access and acquisition by the unauthorized person causes or reasonably is believed will cause a material risk of identity theft or other fraud to the resident.
If an Entity discovers circumstances that require disclosure under this section to more than 1,000 residents of OH involved in a single occurrence of a breach of the security of the system, the Entity shall notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the timing, distribution, and content of the disclosure given by the Entity to the residents of OH. This requirement does not apply to “covered entities” as defined in the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Any Entity that, on behalf of or at the direction of another Entity or on behalf of or at the direction of any governmental entity, is the custodian of or stores computerized data that includes PI shall notify that other Entity or governmental entity of any breach of the security of the system in an expeditious manner, if the PI was, or reasonably is believed to have been, accessed and acquired by an unauthorized person and if the access and acquisition by the unauthorized person causes or reasonably is believed will cause a material risk of identity theft or other fraud to a resident of OH.
The disclosure shall be made in the most expedient time possible but not later than 45 days following discovery or notification of the breach in the security of the system, consistent with any measures necessary to determine the scope of the breach, including which residents’ PI was accessed and acquired, and to restore the reasonable integrity of the data system.
Personal Information Definition
An individual’s name, consisting of the individual’s first name or first initial and last name, in combination with and linked to any one or more of the following data elements, when the data elements are not encrypted, redacted, or altered by any method or technology in such a manner that the data elements are unreadable:
PI does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records or any of the following that are widely distributed:
Notice may be provided by any of the following methods:
Substitute notice may be used if the Entity demonstrates that the cost of providing disclosure or notice to residents to whom disclosure or notification is required would exceed $250,000, that the affected class of subject residents to whom disclosure or notification is required exceeds 500,000 persons, or that it does not have sufficient contact information to provide written, telephonic, or electronic notice. Substitute notice under this division shall consist of all of the following:
Substitute notice may also be used if the Entity demonstrates that it has 10 employees or fewer and that the cost of providing the disclosures or notices to residents to whom disclosure or notification is required will exceed $10,000. Substitute notice under this division shall consist of all of the following:
Disclosure may be made pursuant to any provision of a contract entered into by the Entity with another Entity prior to the date the breach of the security of the system occurred if that contract does not conflict with any provision of this section and does not waive any provision of this section.
Name: N.D. Cent. Code 51-30-01 et seq. S.B. 2214
Effective Date: August 1, 2015
Link to Documentation
Any Entity that conducts business in ND and that owns or licenses computerized data that includes PI.
Unauthorized acquisition of computerized data when access to PI has not been secured by encryption or by any other method or technology that renders the electronic files, media, or databases unreadable or unusable.
Any Entity to which the statute applies shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of ND whose unencrypted PI was, or is reasonably believed to have been, acquired by an unauthorized person.
Any Entity that experiences a breach of the security system affecting more than 250 individuals shall also disclose the breach to the Attorney General by mail or email.
Any person that maintains computerized data that includes PI that the person does not own shall notify the owner or licensee of the information of the breach of the security of the data immediately following the discovery if the PI was, or is reasonably believed to have been, acquired by an unauthorized person.
The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and to restore the integrity of the data system.
An individual’s first name or first initial and last name in combination with any of the following data elements, when the name and the data elements are not encrypted:
PI does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
Notice may be provided by one of the following methods:
Substitute notice may be used if the Entity demonstrates that the cost of providing notice would exceed $250,000, that the affected class of subject individuals to be notified exceeds 500,000, or that the Entity does not have sufficient contact information. Substitute notice shall consist of all of the following:
An Entity that maintains its own notification procedures as part of an information security policy for the treatment of PI and is otherwise consistent with the timing requirements of this chapter is deemed to be in compliance with the notification requirements of this chapter if the Entity notifies subject individuals in accordance with its policies in the event of a breach of security of the system.
Name: N.C. Gen. Stat. 75-61, 75-65
Amended by S.B. 1017
Link to Documentation 1
Link to Documentation 2
Any sole proprietorship, partnership, corporation, association, or other group, however organized and whether or not organized to operate at a profit, including a financial institution organized, chartered, or holding a license or authorization certificate under the laws of any state or country, or the parent or the subsidiary of any such financial institution, but not including any government or governmental subdivision or agency (collectively, Entity) that owns or licenses PI of residents of NC or any Entity that conducts business in NC that owns or licenses PI in any form (computerized, paper, or otherwise).
An incident of unauthorized access to and acquisition of unencrypted and unredacted records or data containing PI where illegal use of the PI has occurred or is reasonably likely to occur or that creates a material risk of harm to a consumer. Any incident of unauthorized access to and acquisition of encrypted records or data containing PI along with the confidential process or key shall constitute a security breach.
Any Entity to which the statute applies shall provide notice to the affected person that there has been a security breach following discovery or notification of the breach.
In the event an Entity provides notice to more than 1,000 persons at one time pursuant to this section, the Entity shall notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the timing, distribution, and content of the notice.
In the event a business provides notice to an affected person pursuant to this section, the business shall notify without unreasonable delay the Consumer Protection Division of the state Attorney General’s office of the nature of the breach, the number of consumers affected by the breach, steps taken to investigate the breach, steps taken to prevent a similar breach in the future, and information regarding the timing, distribution, and content of the notice. The Attorney General’s website contains a form to be used for notification.
Any business that possesses records containing PI of residents of NC that the business does not own or license or conducts business in NC that possesses records containing PI that the business does not own or license, shall notify the owner or licensee of the PI of any security breach immediately following discovery of the breach.
The disclosure shall be made without unreasonable delay, consistent with any measures necessary to determine sufficient contact information, determine the scope of the breach, and restore the reasonable integrity, security, and confidentiality of the data system.
A person’s first name or first initial and last name in combination with any of the following identifying information:
Additionally, if (but only if) any of the following information “would permit access to a person’s financial account or resources,” it is considered PI when taken in conjunction with a person’s first name, or first initial and last name:
PI does not include publicly available directories containing information an individual has voluntarily consented to have publicly disseminated or listed, including name, address, and telephone number, and does not include information made lawfully available to the general public from federal, state, or local government records.
Notice must be clear, conspicuous, and shall include all of the following:
It may be provided by one of the following methods:
Substitute notice may be used if the business demonstrates that the cost of providing notice would exceed $250,000 or that the affected class of subject persons to be notified exceeds 500,000; if the business does not have sufficient contact information or consent to provide notice as required under the statute, for only those affected persons without sufficient contact information or consent; or if the business is unable to identify particular affected persons, for only those unidentifiable affected persons. Substitute notice shall consist of all of the following:
Name: N.Y. Gen. Bus. Law 899-aa S. 2605-D
Effective Date: March 28, 2013
Link to Documentation
Any person, business, or state entity (excepting the judiciary, cities, counties, municipalities, villages, towns, and other local agencies) (collectively, Entity) that conducts business in New York State and that owns or licenses computerized data that includes private information.
Unauthorized acquisition or acquisition without valid authorization of computerized data that compromises the security, confidentiality, or integrity of PI maintained by a business. In determining whether information has been acquired, or is reasonably believed to have been acquired, by an unauthorized person or a person without valid authorization, Entities may consider the following factors, among others:
Good-faith acquisition of PI by an employee or agent of the Entity for the purposes of the Entity is not a breach of the security of the system, provided that the private information is not used or subject to unauthorized disclosure.
Any Entity to which the statute applies shall disclose any breach of the security following discovery or notification of the breach in the security of the system to any resident of NY whose private information was, or is reasonably believed to have been, acquired by a person without valid authorization.
If more than 5,000 NY residents are to be notified at one time, the Entity shall also notify consumer reporting agencies as to the timing, content, and distribution of the notices and the approximate number of affected persons.
If any NY residents are to be notified, the Entity shall notify the state Attorney General, the Consumer Protection Board, the Division of State Police, and the state Office of Information Technology Services as to the timing, content, and distribution of the notices and approximate number of affected persons. The state Attorney General’s website has a form to be used for notifications.
Any Entity that maintains computerized data that includes private information that the Entity does not own shall notify the owner or licensee of the information of any breach of the security of the system immediately following discovery, if the private information was, or is reasonably believed to have been, acquired by a person without valid authorization.
The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the system.
“Personal information” means information concerning a natural person that, because of name, number, personal mark, or other identifier, can be used to identify such natural person.
“Private information” means personal information in combination with any one or more of the following data elements, when either the personal information or the data element is not encrypted, or is encrypted with an encryption key that has also been acquired:
“Private information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
Notice shall include:
The notice required shall be directly provided to the affected persons by one of the following methods:
Substitute notice may be used if the Entity demonstrates to the state Attorney General that the cost of providing notice would exceed $250,000, that the affected class of subject persons to be notified exceeds 500,000, or that the Entity does not have sufficient contact information. Substitute notice shall consist of all of the following:
Name: N.M. Stat. 57-12C-1 et seq. H.B. 15
Effective Date: June 16, 2017
Link to Documentation
Any person that owns or licenses elements that include PI of a New Mexico resident (collectively, Entity).
Unauthorized acquisition of unencrypted computerized data, or of encrypted computerized data and the confidential process or key used to decrypt the encrypted computerized data, that compromises the security, confidentiality, or integrity of PI maintained by a person.
Any Entity to which the statute applies shall notify each NM resident whose PI is reasonably believed to have been subject to a security breach. However, notification to NM residents is not required if, after an appropriate investigation, the Entity determines that the security breach does not give rise to a significant risk of identity theft or fraud.
If more than 1,000 NM residents are to be notified as a result of a single security breach, the Entity shall also notify major consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the security breach in the most expedient time possible, and no later than 45 calendar days, except if delayed notification is permitted to determine the scope of the breach or for law enforcement investigation purposes.
If more than 1,000 NM residents are to be notified as a result of a single security breach, the Entity shall also notify the Office of the Attorney General of the number of NM residents that received notification pursuant and shall provide a copy of the notification that was sent to affected residents within 45 calendar days following discovery of the security breach, except if delayed notification is permitted to determine the scope of the breach or for law enforcement investigation purposes.
Any business that is licensed to maintain or possess computerized data containing PI of a New Mexico resident that the business does not own or license shall notify the owner or licensee of the security breach in the most expedient time possible, but not later than 45 calendar days following discovery of the breach, except if delayed notification is permitted to determine the scope of the breach or for law enforcement investigation purposes. However, notification to the owner or licensee of the PI is not required if, after an appropriate investigation, the business determines that the security breach does not give rise to a significant risk of identity theft or fraud.
Notification shall be made in the most expedient time possible, but not later than 45 calendar days following discovery of the security breach. Notification may be delayed as necessary to determine the scope of the security breach and restore the integrity, security, and confidentiality of the data system.
An individual’s first name or first initial and last name in combination with one or more of the following data elements that relate to the individual, when the data elements are not protected through encryption or redaction or otherwise rendered unreadable or unusable:
“Personal information” does not include information lawfully obtained from publicly available sources or from federal, state or local government records lawfully made available to the general public.
The notice shall include:
The notice shall be provided by one of the following methods:
Substitute notice may be used if the Entity demonstrates that the cost of providing notification would exceed $100,000, that the number of residents to be notified exceeds 50,000, or that the Entity does not have a physical address or sufficient contact information for the residents to be notified. Substitute notice shall consist of all of the following:
An Entity that maintains its own notice procedures as part of an information security policy for the treatment of PI, and whose procedures are otherwise consistent with the timing requirements of the statute is deemed to be in compliance if the Entity notifies affected consumers in accordance with its policies in the event of a security breach.
Name: N.J. Stat. 56:8-161 et seq. Senate Bill No. 52
Effective Date: September 1, 2019
Link to Documentation 1
Link to Documentation 2
The State of NJ and any county, municipality, district, public authority, public agency, or other political subdivision or public body in NJ, and any sole proprietorship, partnership, corporation, association, or other entity, however organized and whether or not organized to operate at a profit (including a financial institution organized, chartered, or holding a license or authorization certificate under the law of NJ, any other state, the United States, or any other country, or the parent or subsidiary of such a financial institution), that conducts business in NJ (collectively, Entity) and that compiles or maintains computerized records that include PI.
Security Breach Definition
Unauthorized access to electronic files, media or data containing PI that compromises the security, confidentiality, or integrity of PI when access to the PI has not been secured by encryption or by any other method or technology that renders the PI unreadable or unusable.
Any Entity to which the statute applies shall disclose any breach of security of computerized records following discovery or notification of the breach to any customer who is a resident of NJ whose PI was, or is reasonably believed to have been, accessed by an unauthorized person.
If an Entity discovers circumstances requiring notification pursuant to this section of more than 1,000 persons at one time, the Entity shall also notify, without unreasonable delay, all consumer reporting agencies that compile or maintain files on consumers on a nationwide basis of the timing, distribution, and content of the notices.
Any Entity required under this section to disclose a breach of security of a customer’s PI shall, prior to disclosure to the customer, report the breach of security and any information pertaining to the breach to the Division of State Police in the Department of Law and Public Safety for investigation or handling, which may include dissemination or referral to other appropriate law enforcement entities.
An Entity that compiles or maintains computerized records that include PI on behalf of another Entity shall notify that Entity of any breach of security of the computerized records immediately following discovery, if the PI was, or is reasonably believed to have been, accessed by an unauthorized person.
The disclosure to a customer shall be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
An individual’s first name or first initial and last name linked with any one or more of the following data elements:
Dissociated data that, if linked, would constitute PI is PI if the means to link the dissociated data were accessed in connection with access to the dissociated data. PI shall not include publicly available information that is lawfully made available to the general public from federal, state, or local government records, or widely distributed media.
Notice may be provided by one of the following methods:
Substitute notice may be used if the Entity demonstrates that the cost of providing notice would exceed $250,000, that the affected class of subject individuals to be notified exceeds 500,000, or that the Entity does not have sufficient contact information. Substitute notice shall consist of all of the following:
An Entity that maintains its own notification procedures as part of an information security policy for the treatment of PI and is otherwise consistent with the requirements of the statute, shall be deemed in compliance with the notification requirements of the statute if it notifies subject customers in accordance with its policies in the event of a breach of security of the system.
Name: N.H. Rev. Stat. 359-C:19 et seq. H.B. 1660
Effective Date: January 1, 2007
Link to Documentation 1
Link to Documentation 2
Link to Documentation 3
Any individual, corporation, trust, partnership, incorporated or unincorporated association, limited liability company, or other form of entity, or any agency, authority, board, court, department, division, commission, institution, bureau, or other state governmental entity, or any political subdivision of the state (collectively, Entity) doing business in NH that owns or licenses computerized data that includes PI.
An unauthorized acquisition of computerized data that compromises the security or confidentiality of PI maintained by an Entity doing business in NH.
Any Entity to which the statute applies, when it becomes aware of a security breach and determines that misuse of PI has occurred or is reasonably likely to occur, or if a determination cannot be made, shall notify the affected individuals.
If an Entity is required to notify more than 1,000 consumers, the Entity shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the anticipated date of the notification, the approximate number of consumers who will be notified, and the content of the notice. This obligation does not apply to entities subject to Title V of the Gramm-Leach-Bliley Act.
An Entity engaged in trade or commerce that is subject to N.H. Rev. Stat. § 358-A:3(I) (trade or commerce that is subject to the jurisdiction of the Bank Commissioner, the Director of Securities Regulation, the Insurance Commissioner, the Public Utilities Commission, the financial institutions and insurance regulators of other states, or federal banking or securities regulators who possess the authority to regulate unfair or deceptive trade practices) shall also notify the regulator that has primary regulatory authority over such trade or commerce. All other Entities shall notify the state Attorney General. The notice shall include the anticipated date of the notice to the individuals and the approximate number of individuals in NH who will be notified.
If an Entity maintains computerized data that includes PI that the Entity does not own, the Entity shall notify and cooperate with the owner or licensee of the PI of any breach of the security of the data immediately following discovery if the PI was acquired by an unauthorized person. Cooperation includes sharing with the owner or licensee information relevant to the breach, except that such cooperation shall not be deemed to require the disclosure of confidential or business information or trade secrets.
The Entity shall notify the affected individuals as soon as possible.
An individual’s first name or initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
Data shall not be considered to be encrypted if it is acquired in combination with any required key, security code, access code, or password that would permit access to the encrypted data.
PI shall not include information that is lawfully made available to the general public from federal, state, or local government records.
Notice shall include at a minimum:
Notice shall be provided by one of the following methods:
Substitute notice is permitted if the Entity demonstrates that the cost of providing notice would exceed $5,000, that the affected class of subject individuals to be notified exceeds 1,000, or that the Entity does not have sufficient contact information or consent to provide written, electronic, or telephonic notice. Substitute notice shall consist of all of the following:
Name: Nev. Rev. Stat. 603A.010 et seq., 242.183 A.B. 179
Effective Date: July 1, 2015
Any governmental agency, institution of higher education, corporation, financial institution or retail operator, or any other type of business entity or association (collectively, Entity), that owns or licenses computerized data that includes PI.
An unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of PI maintained by Entity.
Any Entity to which the statute applies shall disclose any breach of the security of the system data following discovery or notification of the breach to any resident of NV whose unencrypted PI was, or is reasonably believed to have been, acquired by an unauthorized person.
If an Entity determines that notification is required to be given to more than 1,000 persons at any one time, the Entity shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the time the notification is distributed and the content of the notification.
If an Entity maintains computerized data that includes PI that the Entity does not own, the Entity must notify the owner or licensee of that PI of any breach of the security of the system data immediately following discovery if the PI was, or is reasonably believed to have been, acquired by an unauthorized person.
The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the system data.
An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the name and data elements are not encrypted:
PI does not include the last four digits of a Social Security number, the last four digits of a driver’s license or driver authorization card number, or the last four digits of an identification card number or publicly available information that is lawfully made available to the general public from federal, state, or local governmental records.
Notice may be provided by one of the following methods:
Substitute notice is permitted if the Entity demonstrates that the cost of providing notice would exceed $250,000, that the affected class of subject persons to be notified exceeds 500,000, or that the Entity does not have sufficient contact information. Substitute notice shall consist of all of the following:
An Entity that maintains its own notification policies and procedures as part of an information security policy for the treatment of PI that is otherwise consistent with the timing requirements of the statute shall be deemed in compliance with the notification requirements of the statute if it notifies subject persons in accordance with its policies and procedures in the event of a security breach.
Name: Neb. Rev. Stat. 87-801 et seq. L.B. 835
Effective Date: July 20, 2016
An individual, government agency, corporation, business trust, estate, trust, partnership, limited partnership, limited liability partnership, limited liability company, association, organization, joint venture, government, governmental subdivision, agency, or instrumentality, or any other legal entity, whether for profit or not for profit (collectively, Entity), that conducts business in NE and that owns or licenses computerized data that includes PI about a resident of NE.
An unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of PI maintained by an Entity.
Any Entity to which the statute applies shall, when it becomes aware of a breach of the security of the system and determines that the use of information about a NE resident for an unauthorized purpose has occurred or is reasonably likely to occur, give notice to the affected NE resident.
If notice of a security breach to NE residents is required, the Entity shall also, not later than the time when notice is provided to the NE resident, provide notice of the breach of security of the system to the Attorney General.
An Entity that maintains computerized data that includes PI that the Entity does not own or license shall give notice to and cooperate with the owner or licensee of the information of any breach of the security of the system when it becomes aware of a breach if use of PI about a NE resident for an unauthorized purpose occurred or is reasonably likely to occur. Cooperation includes, but is not limited to, sharing with the owner or licensee information relevant to the breach, not including information proprietary to the Entity.
Notice shall be made as soon as possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system.
PI means either of the following:
(a) A NE resident’s first name or first initial and last name in combination with any one or more of the following data elements that relate to the resident if either the name or the data elements are not encrypted, redacted, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable:
(b) A user name or email address, in combination with a password or security question and answer, that would permit access to an online account.
Data shall not be considered encrypted if the confidential process or key was or is reasonably believed to have been acquired as a result of the breach of the security of the system.
PI does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
Notice may be provided by one of the following methods:
Substitute notice is permitted if the Entity demonstrates that the cost of providing notice will exceed $75,000, that the affected class of NE residents to be notified exceeds 100,000 residents, or that the Entity does not have sufficient contact information to provide notice. Substitute notice requires all of the following:
Substitute notice is also permitted if the Entity has 10 employees or fewer and demonstrates that the cost of providing notice will exceed $10,000. Substitute notice requires all of the following:
An Entity that maintains its own notice procedures which are part of an information security policy for the treatment of PI and which are otherwise consistent with the timing requirements of the statute, is deemed to be in compliance with the notice requirements of the statute if the Entity notifies affected NE residents and Attorney General in accordance with its notice procedures in the event of a breach of the security of the system.
Name: Mont. Code 2-6-1501 et seq., 30-14-1701 et seq., 33-19-321 H.B. 74
Effective Date: October 1, 2015
Any person or business (collectively, Entity) that conducts business in MT and that owns or licenses computerized data that includes PI.
Any unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of PI maintained by the Entity and causes or is reasonably believed to cause loss or injury to a MT resident.
Any Entity to which the statute applies shall disclose any breach of the security of the data system following discovery or notification of the breach to any resident of MT whose unencrypted PI was or is reasonably believed to have been acquired by an unauthorized person.
If a business notifies an individual of a breach and suggests, indicates, or implies that the individual may obtain a credit report, the business must coordinate with the credit reporting agency as to the timing, content and distribution of notice to the individual (but this may not unreasonably delay disclosure of the breach).
Any Entity that is required to issue a notification shall simultaneously submit an electronic copy of the notification and a statement providing the date and method of distribution of the notification to the Attorney General’s Consumer Protection office, excluding any information that personally identifies any individual who is entitled to receive Notification. If a notification is made to more than one individual, a single copy of the notification must be submitted that indicates the number of individuals in the state who received notification.
Insurance entities and support organizations must submit the above information to the Montana Insurance Commissioner (Mont. Code § 33-19-321).
Any Entity that maintains computerized data that includes PI that the Entity does not own shall notify the owner or licensee of the information of any breach of the security of the data system immediately following discovery if the PI was or is reasonably believed to have been acquired by an unauthorized person.
Disclosure is to be made without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
PI does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
Notice may be provided by one of the following methods:
Substitute notice is permitted if the Entity demonstrates that the cost of providing notice would exceed $250,000, that the affected class of subject persons to be notified exceeds 500,000, or that the Entity does not have sufficient contact information. Substitute notice shall consist of email notice when the Entity has email addresses for the subject persons and one of the following:
An Entity that maintains its own notification procedures as part of an information security policy for the treatment of PI and that does not unreasonably delay notice is considered to be in compliance with the notification requirements of the statute if the Entity notifies subject persons in accordance with its policies in the event of a breach of security of the data system.
Name: Mo. Rev. Stat. 407.1500 H.B. 62
Effective Date: August 28, 2009
Any individual, corporation, business trust, estate, trust, partnership, limited liability company, association, joint venture, government, governmental subdivision, governmental agency, governmental instrumentality, public corporation, or any other legal or commercial entity (collectively, Entity) that owns or licenses PI of residents of MO or any person that conducts business in MO that owns or licenses PI of a resident of MO.
Unauthorized access to and unauthorized acquisition of PI maintained in computerized form by an Entity that compromises the security, confidentiality, or integrity of the PI.
Any Entity to which the statute applies shall provide notice to the affected consumer that there has been a breach of security following discovery or notification of the breach.
In the event an Entity notifies more than 1,000 consumers at one time pursuant to this section, the Entity shall notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the timing, distribution, and content of the notice.
In the event an Entity provides notice to more than 1,000 consumers at one time pursuant to this section, the Entity shall notify, without unreasonable delay, the state Attorney General’s office of the timing, distribution, and content of the notice.
Any Entity that maintains or possesses records or data containing PI of residents of MO that the Entity does not own or license, or any Entity that conducts business in MO that maintains or possesses records or data containing PI of a resident of MO that the Entity does not own or license, shall notify the owner or licensee of the information of any breach of security immediately following discovery of the breach, consistent with the legitimate needs of law enforcement as provided in this section.
The disclosure notification shall be made without unreasonable delay and consistent with any measures necessary to determine sufficient contact information and to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.
An individual’s first name or first initial and last name in combination with any one or more of the following data elements that relate to the individual if any of the data elements are not encrypted, redacted, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable or unusable:
PI does not include information that is lawfully obtained from publicly available sources, or from federal, state, or local government records lawfully made available to the general public.
Notice may be provided by one of the following methods:
The notice shall at minimum include a description of the following:
Substitute notice is permitted if the Entity demonstrates that the cost of providing notice would exceed $100,000, that the class of affected consumers to be notified exceeds 150,000, that the Entity does not have sufficient contact information or consent (for only those affected consumers without sufficient contact information or consent), or that the Entity is unable to identify particular affected consumers (for only those unidentifiable consumers). Substitute notice shall consist of all of the following:
An Entity that maintains its own notice procedures as part of an information security policy for the treatment of PI, and whose procedures are otherwise consistent with the timing requirements of this section, is deemed to be in compliance with the notice requirements of this section if the Entity notifies affected consumers in accordance with its policies in the event of a breach of security of the system.
The state Attorney General shall have exclusive authority to bring an action to obtain actual damages for a willful and knowing violation of this section and may seek a civil penalty not to exceed $150,000 per breach of the security of the system or series of breaches of a similar nature that are discovered in a single investigation.
Delay for Law Enforcement. The notice required by this section may be delayed if a law enforcement agency informs the Entity that notification may impede a criminal investigation or jeopardize national or homeland security, provided that such request by law enforcement is made in writing or the Entity documents such request contemporaneously in writing, including the name of the law enforcement officer making the request and the officer’s law enforcement agency engaged in the investigation. The notice required by this section shall be provided without unreasonable delay after the law enforcement agency communicates to the Entity its determination that notice will no longer impede the investigation or jeopardize national or homeland security.
Name: Miss. Code 75-24-29 H.B. 582
Effective Date: July 1, 2011
Any person (Entity) who conducts business in MS and who, in the ordinary course of the person’s business functions, owns, licenses, or maintains the PI of any MS resident.
An unauthorized acquisition of electronic files, media, databases, or computerized data containing PI of any MS resident when access to the PI has not been secured by encryption or by any other method of technology that renders the PI unreadable or unusable.
A person who conducts business in MS shall disclose any breach of security to all affected individuals. Notification is not required if, after an appropriate investigation, the person reasonably determines that the breach will not likely result in harm to the affected individuals.
A person who maintains computerized data that includes PI that the person does not own or license shall notify the owner or licensee of the information of any breach of security as soon as practical following its discovery, if the PI was, or is reasonably believed to have been, acquired by an unauthorized person for fraudulent purposes.
Notice shall be provided without unreasonable delay subject to the completion of an investigation by the person to determine the nature and scope of the incident, to identify the affected individuals, or to restore the reasonable integrity of the system.
An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the data element is not secured by encryption or another method of technology that makes electronic data unreadable or unusable:
PI does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
Notice may be provided by one of the following methods:
Substitute notice is permitted if the Entity demonstrates that the cost of providing notice would exceed $5,000, that the Entity has to provide notice to more than 5,000 residents, or that the Entity does not have sufficient contact information. Substitute notice shall consist of all of the following:
An Entity that maintains its own notification procedures as part of an information security policy for the treatment of PI and whose procedures are otherwise consistent with the timing requirements of the statute, shall be deemed to be in compliance with the notification requirements of the statute, if the Entity notifies subject persons in accordance with its policies in the event of a breach of security of the system.
Name: Minn. Stat. 325E.61 and 325E.64 H.F. 2121
Effective Date: January 1, 2006
Any person or business that conducts business in MN, and that owns or licenses data that includes PI.
An unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of PI maintained by the Entity.
Any Entity to which the statute applies shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of MN whose unencrypted PI was, or is reasonably believed to have been, acquired by an unauthorized person.
If an Entity notifies more than 500 persons at one time, the Entity shall also notify, within 48 hours, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the timing, distribution, and content of the notices.
Any Entity that maintains data that includes PI that the Entity does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the PI was, or is reasonably believed to have been, acquired by an unauthorized person.
The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach, identify the individuals affected, and restore the reasonable integrity of the data system.
An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the data element is not secured by encryption or another method of technology that makes electronic data unreadable or unusable, or was secured and the encryption key, password, or other means necessary for reading or using the data was also acquired:
PI does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
Notice may be provided by one of the following methods:
Substitute notice is permitted if the Entity demonstrates that the cost of providing notice would exceed $250,000, that the Entity has to provide notice to more than 500,000 residents, or that the Entity does not have sufficient contact information. Substitute notice shall consist of all of the following:
An Entity that maintains its own notification procedures as part of an information security policy for the treatment of PI and whose procedures are otherwise consistent with the timing requirements of the statute, shall be deemed to be in compliance with the notification requirements of the statute, if the Entity notifies subject persons in accordance with its policies in the event of a breach of security of the system.
Name: Mich. Comp. Laws 445.63, 72 et seq. H.B. 6406
Effective Date: January 20, 2020
Any individual, partnership, corporation, limited liability company, association, or other legal entity, or any department, board, commission, office, agency, authority, or other unit of state government of MI (collectively, Entity) that owns or licenses data including PI of a MI resident.
The unauthorized access and acquisition of data that compromises the security or confidentiality of PI maintained by an Entity as part of a database of PI regarding multiple individuals.
An Entity to which the statute applies shall provide notice of the breach to each resident of MI if (i) the resident’s unencrypted and unredacted PI was accessed and acquired by an unauthorized person or (ii) the resident’s PI was accessed and acquired in encrypted form by a person with unauthorized access to the encryption key.
This section does not apply to the access or acquisition by a person or agency of federal, state, or local government records or documents lawfully made available to the general public.
If an Entity notifies 1,000 or more MI residents, the Entity shall, after notifying those residents, notify each consumer reporting agency that compiles and maintains files on consumers on a nationwide basis of the security breach without unreasonable delay. A notification under this subsection shall include the number and timing of notices that the person or agency provided to residents of this state. This subsection does not apply if the person or agency is subject to Title V of the Gramm-Leach-Bliley Act.
An Entity that maintains a database that includes data that the Entity does not own or license that discovers a breach of the security of the database shall provide a notice to the owner or licensor of the information of the security breach, unless the Entity determines that the security breach has not or is not likely to cause substantial loss or injury to, or result in identity theft with respect to one or more residents of MI.
The notification shall be given without unreasonable delay following discovery of the breach, consistent with measures necessary to determine the scope of the breach of the security of a system or restore the integrity of the system.
The first name or first initial and last name linked to one or more of the following data elements of a resident of MI:
Notice may be provided by one of the following methods:
A notice under the statute shall:
Substitute notice is permitted if the Entity demonstrates that the cost of providing notice would exceed $250,000 or that the Entity has to provide notice to more than 500,000 residents of MI. Substitute notice shall consist of all of the following:
A public utility that sends monthly billing or account statements to its customers may provide notice of a security breach to its customers as provided under the statute or by providing all of the following:
Provides for criminal penalties for notice of a security breach that has not occurred, where such notice is given with the intent to defraud. The offense is a misdemeanor, punishable by imprisonment for not more than 30 days or a fine of not more than $250 per violation (or both). (The penalty is the same for second and third violations, except that the fine increases to $500 per violation and $750 per violation, respectively.) Similarly, Entities who distribute an advertisement or make any other solicitation that misrepresents to the recipient that a security breach has occurred that may affect the recipient are punishable by imprisonment for not more than 93 days or a fine of not more than $1,000 per violation (or both). (The penalty is the same for second and third violations, except that the fine increases to $2,000 per violation and $3,000 per violation, respectively.)
Entities who fail to provide notice may be ordered to pay a civil fine of not more than $250 for each failure to provide notice, capped at $750,000 per security breach. These penalties do not affect the availability of civil remedies under state or federal law.
Name: Mass. Gen. Laws 93H 1 et seq. 201 C.M.R. 17.00 H.B. 4806
Effective Date: April 11, 2019
A natural person, corporation, association, partnership or other legal entity, or any agency, executive office, department, board, commission, bureau, division, or authority of MA, or any of its branches, or any political subdivision thereof (collectively, Entity) that owns, licenses, maintains, or stores data that includes PI about a resident of MA.
An unauthorized acquisition or unauthorized use of unencrypted data, or of encrypted electronic data together with the confidential process or key, that is capable of compromising the security, confidentiality, or integrity of PI maintained by an Entity and that creates a substantial risk of identity theft or fraud against a MA resident.
An Entity to which the statute applies shall provide notice to the affected residents, as soon as practicable and without unreasonable delay, when the Entity knows or has reason to know of a breach of security, or when the Entity knows or has reason to know that the PI of such resident was acquired or used by an unauthorized person or used for an unauthorized purpose. Note: MA may take the position that any unauthorized acquisition or use by a third party triggers the notification obligation, regardless of materiality or ownership of the data.
Notice must be provided to the state Attorney General and the director of consumer affairs and business regulation.
The notice shall include, but not be limited to:
An Entity that experienced a breach of security involving Social Security numbers shall file a report with the Attorney General and the director of consumer affairs and business regulation certifying that the credit monitoring services it offers comply with the statute’s requirements for providing credit monitoring to affected individuals.
Note that both agencies currently publish online forms that collect the required information.
If an agency is within the Executive Department, it shall provide written notification of the nature and circumstances of the breach or unauthorized acquisition or use of the information to the Technology Division and the Division of Public Records as soon as practicable and without unreasonable delay following discovery of the breach of security or unauthorized acquisition or use, and shall comply with all policies and procedures adopted by that division pertaining to the reporting and investigation of such an incident.
An Entity that maintains or stores, but does not own or license data that includes PI about a resident of MA, shall provide notice, as soon as practicable and without unreasonable delay, when such Entity (i) knows or has reason to know of a breach of security or (ii) when the Entity knows or has reason to know that the PI of such resident was acquired or used by an unauthorized person or used for an unauthorized purpose, to the owner or licensor.
Such Entity shall cooperate with the owner or licensor of such PI. Cooperation shall include, but not be limited to (i) informing the owner or licensor of the breach of security or unauthorized acquisition or use, (ii) the date or approximate date of such incident and the nature thereof, and (iii) any steps the Entity has taken or plans to take relating to the incident, except that such cooperation shall not be deemed to require the disclosure of confidential business information or trade secrets, or to provide notice to a resident that may not have been affected by the breach of security or unauthorized acquisition or use.
The notification shall be given as soon as practicable and without unreasonable delay following discovery of the breach. Entities cannot delay notification “on the grounds that the total number of residents affected is not yet ascertained.”
A resident’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relates to such resident:
PI does not include information that is lawfully obtained from publicly available information, or from federal, state, or local government records lawfully made available to the general public.
Notice provided to the resident shall not include the nature of the breach or unauthorized acquisition or use, or the number of residents of MA affected by the breach or unauthorized acquisition or use. It must, however, include:
If the person or agency that experienced a breach of security is owned by another person or corporation, the notice to the consumer shall include the name of the parent or affiliated corporation.
Notice may be provided by one of the following methods:
Substitute notice is permitted if the Entity required to provide notice demonstrates that the cost of providing written notice will exceed $250,000, that the affected class of MA residents to be notified exceeds 500,000 residents, or that the Entity does not have sufficient contact information to provide notice. Substitute notice shall consist of all of the following:
Name: Md. Code Com. Law 14-3501 et seq. H.B. 974
Effective Date: January 1, 2018
Link to Documentation
A sole proprietorship, partnership, corporation, association, or any other business entity, whether or not organized to operate at a profit, including a financial institution organized, chartered, licensed, or otherwise authorized under the laws of MD, any other state, the United States, or any other country (collectively, Entity) that owns or licenses computerized data that includes PI of an individual residing in MD.
The unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of the PI maintained by an Entity.
An Entity to which the statute applies, when it discovers or is notified of a breach of the security of the system, shall notify the individual of the breach.
Prior to giving the notification required under the statute, an Entity shall provide notice of a breach of the security of a system to the state Office of the Attorney General.
If an Entity must notify 1,000 or more individuals, the Entity also shall notify, without unreasonable delay, each consumer reporting agency that compiles and maintains files on consumers on a nationwide basis of the timing, distribution, and content of the notices.
An Entity that maintains computerized data that includes PI of an individual residing in the state that the Entity does not own or license shall notify the owner or licensee of the PI of a breach of the security of the system if it is likely that the breach has resulted or will result in the misuse of PI of an individual residing in MD.
The notification required shall be given as soon as reasonably practicable, but no later than 45 days after the business concludes the investigation, consistent with measures necessary to determine the scope of the breach of the security of a system, identify the individuals affected, or restore the integrity of the system.
1) An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the name or the data elements are not encrypted, redacted, or otherwise protected by another method that renders the information unreadable or unusable:
2) A user name or email address in combination with a password or security question and answer that permits access to an individual’s email account.
“Encrypted” means the protection of data in electronic or optical form using an encryption technology that renders the data indecipherable without an associated cryptographic key necessary to enable decryption of the data.
PI does not include (i) publicly available information that is lawfully made available to the general public from federal, state, or local government records; (ii) information that an individual has consented to have publicly disseminated or listed; or (iii) information that is disseminated or listed in accordance with the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Notice may be provided by one of the following methods:
Except for breaches involving loss of information that permits access to an email account only, notification shall include:
For breaches involving loss of information that permits access to an email account only (and no other PI), the Entity may provide notice in electronic or other form that directs the individual whose PI has been breached promptly to:
The notification may be given by a clear and conspicuous notice delivered to the individual online while the individual is connected to the affected email account from an IP address or online location from which the business knows the individual customarily accesses the account, but otherwise may not be given to the individual by sending notification by email to the email account affected by the breach.
Substitute notice is permitted if the Entity demonstrates that the cost of providing notice would exceed $100,000, that the affected class of individuals to be notified exceeds 175,000, or that the Entity does not have sufficient contact information to give notice. Substitute notice shall consist of all of the following:
Name: 10 ME. REV. STAT. 1346 et seq. H.P. 672
Effective Date: May 19, 2009
Link to Documentation
Any individual, partnership, corporation, limited liability company, trust, estate, cooperative, association or other entity, including agencies of state government, the University of Maine System, the Maine Community College System, Maine Maritime Academy, and private colleges and universities, or any information broker, which means a person who, for monetary fees or dues, engages in whole or in part in the business of collecting, assembling, evaluating, compiling, reporting, transmitting, transferring, or communicating information concerning individuals for the primary purpose of furnishing PI to nonaffiliated third parties (collectively, Entity) that maintains computerized data that includes PI. The provisions governing maintenance of PI are applicable to any Entity maintaining information on ME residents, whether or not organized or licensed under the laws of ME.
An unauthorized acquisition, release, or use of an individual’s computerized data that includes PI that compromises the security, confidentiality, or integrity of PI of the individual maintained by an Entity.
If an Entity that maintains computerized data that includes PI becomes aware of a breach of the security of the system, the Entity shall give notice of the breach following discovery or notification of the security breach to a resident of ME whose PI has been, or is reasonably believed to have been, acquired by an unauthorized person.
When notice of a breach of the security of the system is required, the Entity shall notify the appropriate state regulators within the Department of Professional and Financial Regulation, or if the Entity is not regulated by the Department, the state Attorney General.
If an Entity must notify more than 1,000 persons at a single time, the Entity shall also notify, without unreasonable delay, consumer reporting agencies that compile and maintain files on consumers on a nationwide basis. Notification must include the date of the breach, an estimate of the number of persons affected by the breach, if known, and the actual or anticipated date that persons were or will be notified of the breach.
A third party that maintains, on behalf of another Entity, computerized data that includes PI that the third party does not own shall notify the owner of the PI of a breach of the security of the system immediately following discovery if the PI was, or is reasonably believed to have been, acquired by an unauthorized person.
The notices must be made as expediently as possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or with measures necessary to determine the scope of the security breach and restore the reasonable integrity, security, and confidentiality of the data in the system. Notification may be delayed for no longer than 7 business days after a law enforcement agency determines that the notification will not compromise a criminal investigation.
An individual’s first name, or first initial, and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:
PI does not include information from third-party claims databases maintained by property and casualty insurers or publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media.
Notice may be provided by one of the following methods:
Substitute notice is permitted if the Entity maintaining PI demonstrates that the cost of providing notice would exceed $5,000, that the affected class of individuals to be notified exceeds 1,000, or that the person maintaining PI does not have sufficient contact information to provide written or electronic notice to those individuals. Substitute notice shall consist of all of the following:
Provides for civil penalties in the amount of $500 per violation, up to a maximum of $2,500 per day; equitable relief; or enjoinment from future violations.
Name: La. Rev. Stat. § 51:3071 et seq. La. Admin. Code tit. 16, pt. III, 701 S.B. 361
Effective Date: August 1, 2018
Link to Documentation
Any individual, corporation, partnership, sole proprietorship, joint stock company, joint venture, or any other legal entity that conducts business in LA or that owns or licenses computerized data that includes PI, or any agency that owns or licenses computerized data that includes PI (collectively, Entity).
The provisions governing maintenance of PI that the Entity does not own appear applicable to any Entity maintaining information on LA residents, whether or not the Entity conducts business in LA.
The compromise of the security, confidentiality, or integrity of computerized data that results in, or there is a reasonable basis to conclude has resulted in, the unauthorized acquisition of and access to PI maintained by an Entity.
Good-faith acquisition of PI by an employee of the Entity for the purposes of the Entity is not a breach of the security of the system, provided that the PI is not used for, or is not subject to, unauthorized disclosure.
Any Entity to which the statute applies shall, following discovery of a breach of the security of the system containing such data, notify any resident of the state whose PI was, or is reasonably believed to have been, acquired by an unauthorized person.
Notification is not required if after a reasonable investigation the Entity determines that there is no reasonable likelihood of harm to LA residents. The Entity shall retain a copy of the written determination and supporting documentation for 5 years and provide a copy to the Attorney General upon request.
When notice to LA citizens is required by the statute, the Entity shall provide written notice detailing the breach of the security of the system to the Consumer Protection Section of the Attorney General’s Office. Notice shall include the names of all LA citizens affected by the breach. Notice to the state Attorney General shall be timely if received within 10 days of distribution of notice to LA citizens. Each day that notice is not received by the state Attorney General shall be deemed a separate violation.
Any individual, corporation, partnership, sole proprietorship, joint stock company, joint venture, or any other legal entity that maintains computerized data that includes PI that the agency or person does not own shall notify the owner or licensee of the information if the PI was, or is reasonably believed to have been, acquired by an unauthorized person through a breach of security of the system containing such data, following discovery by the agency or person of a breach of the security system.
The notification required pursuant to the statute shall be made in the most expedient time possible and without unreasonable delay, but not later than 60 days from discovery of the breach, consistent with any measures necessary to determine the scope of the breach, prevent further disclosures, and restore the reasonable integrity of the data system. When notification is delayed by law enforcement request or due to a determination by the Entity that measures are necessary to determine the scope of the breach, prevent further disclosures, and restore the reasonable integrity of the data system, the Entity shall provide the Attorney General the reasons for the delay in writing within the 60-day notification period. Upon receipt of the written reasons, the Attorney General shall allow a reasonable extension of time to provide the consumer notification.
The first name or first initial and last name of a LA resident in combination with any one or more of the following data elements, when the name or the data element is not encrypted or redacted:
“Personal information” shall not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
Notice may be provided by one of the following methods:
Substitute notice is permitted if an Entity demonstrates that the cost of providing notification would exceed $100,000, that the affected class of persons to be notified exceeds 100,000, or that the Entity does not have sufficient contact information. Substitute notice shall consist of all of the following:
Any Entity that maintains notification procedures as part of its information security policy for the treatment of PI that are otherwise consistent with the timing requirements of the statute shall be deemed to be in compliance with the notification requirements of the statute if the Entity notifies the subject persons in accordance with the policy and procedures in the event of a breach of the security of the system.
Name: KY REV. STAT. 365.732 H.B. 5
Effective Date: January 1, 2015
Link to Documentation 1
Link to Documentation 2
“Information holder” is defined as any person or business entity that conducts business in the state (collectively, Entity). Specific notification obligations also apply to “non-affiliated third parties” (NTP) of state and municipal government agencies and public educational institutions that receive or collect and maintain PI from the agencies and institutions pursuant to a contract.
The unauthorized acquisition of unencrypted, unredacted computerized data that compromises the security, confidentiality, or integrity of PI maintained by the Entity as part of a database regarding multiple individuals, and that actually causes, or leads the Entity to believe has caused or will cause, identity theft or fraud against any KY resident.
If an Entity discovers circumstances requiring notification pursuant to this section of more than 1,000 persons at one time, the Entity shall also notify, without unreasonable delay, all consumer reporting agencies and credit bureaus that compile and maintain files on consumers on a nationwide basis, as defined by 15 U.S.C. § 1681a, of the timing, distribution, and content of the notices.
An individual’s first name or first initial and last name in combination with one or more of the following data elements when the name or data element is not redacted:
For NTPs, PI means an individual’s first name or first initial and last name; personal mark; or unique biometric or genetic print or image, in combination with one or more of the following data elements:
Obligations under these statutes apply only to unencrypted, unredacted computerized data.
Notice may be provided by one of the following methods:
Substitute notice is permitted if the Entity can demonstrate that the cost of providing notice would exceed $250,000, that the number of individuals to be notified exceeds 500,000, or that it does not have sufficient contact information for those affected. Substitute notice shall consist of all of the following:
An Entity that maintains its own notification procedures as part of an information security policy for the treatment of PI and is otherwise consistent with the timing requirements of this section, shall be deemed to be in compliance with the notification requirements of this section, if it notifies subject persons in accordance with its policies in the event of a breach of security of the system.
The Kentucky Board of Education may promulgate administrative regulations in accordance with KRS Chapter 13A as necessary to carry out the requirements of this section.
Name: Kan. Stat. 50-7a01 et seq. S.B. 196
Effective Date: January 1, 2007
Link to Documentation
Any individual, partnership, corporation, trust, estate, cooperative, association, government, or governmental subdivision or agency or other entity (collectively, Entity) that conducts business in KS and that owns or licenses computerized data that includes PI.
Any unauthorized access to and acquisition of unencrypted or unredacted computerized data that compromises the security, confidentiality, or integrity of PI maintained by an Entity and that causes, or such Entity reasonably believes has caused or will cause, identity theft to any consumer.
Any Entity to which the statute applies shall, when it becomes aware of any breach of the security of the system, give notice as soon as possible to the affected KS resident.
In the event that an Entity must notify more than 1,000 consumers at one time, the Entity shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the timing, distribution, and content of the notices.
An Entity that maintains computerized data that includes PI that the Entity does not own or license shall give notice to the owner or licensee of the information of any breach of the security of the data following discovery of a breach, if the PI was, or is reasonably believed to have been, accessed and acquired by an unauthorized person.
Notice must be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system.
A consumer’s first name or first initial and last name linked to any one or more of the following data elements that relate to the consumer, when the data elements are neither encrypted nor redacted:
PI does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
Notice may be provided by one of the following methods:
Substitute notice is permitted if the Entity required to provide notice demonstrates that the cost of providing notice will exceed $100,000, that the affected class of consumers to be notified exceeds 5,000, or that the Entity does not have sufficient contact information to provide notice. Substitute notice shall consist of all of the following:
An Entity that maintains its own notification procedures as part of an information security policy for the treatment of PI, and whose procedures are otherwise consistent with the timing requirements of the statute, is deemed to be in compliance with the notice requirements of the statute if the Entity notifies affected consumers in accordance with its policies in the event of a breach of security of the system.
Name: Personal Information Protection Act
Effective Date: January 1, 2017
Link to Documentation
Any data collector, which includes, but is not limited to, government agencies, public and private universities, privately and publicly held corporations, financial institutions, retail operators, and any other entity that, for any purpose, handles, collects, disseminates, or otherwise deals with nonpublic PI (collectively, Entity) that owns or licenses PI concerning an IL resident.
An unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of PI maintained by the Entity.
Any Entity to which the statute applies shall notify the resident at no charge that there has been a breach following discovery or notification of the breach. Note: Illinois may take the position that any unauthorized acquisition or use by a third party triggers the notification obligation, regardless of materiality or ownership of the data.
Any state agency that collects PI and has had a breach of security of the system data or written material shall submit a report within 5 business days of the discovery or notification of the breach to the General Assembly listing the breaches and outlining any corrective measures that have been taken to prevent future breaches. Any agency that has submitted a report under the statute shall submit an annual report listing all breaches of security and the corrective measures that have been taken to prevent future breaches.
State agencies must report security breaches involving more than 250 IL residents to the Attorney General, including the types of PI compromised, the number of IL residents affected, any steps the agency has taken or plans to take to notify consumers, and the date and timeframe of the breach, if known. Such notification must be made within 45 days of the agency’s discovery of the security breach or when the agency provides notice to consumers, whichever is sooner, unless there is good cause for reasonable delay to determine the scope of the breach and restore the integrity, security, and confidentiality of the data system, or when law enforcement requests in writing to withhold disclosure of some or all of the information required in the Notification. If the date or timeframe of the breach is unknown at the time the notice is sent to the Attorney General, the state agency shall send the Attorney General the date or timeframe of the breach as soon as possible.
Any Entity that maintains or stores computerized data that includes PI that the Entity does not own or license shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the PI was, or is reasonably believed to have been, acquired by an unauthorized person. In addition, such Entities shall cooperate with the data owner or licensee in matters relating to the breach, including (1) giving notice of the (approximate) date and nature of the breach and (2) informing the owner or licensee of steps taken or planned relating to the breach.
The disclosure notification shall be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.
Either of the following:
(1) An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted, or are encrypted or redacted but the keys to unencrypt or unredact or otherwise read the name or data elements have been acquired without authorization through the breach of security:
(2) User name or email address, in combination with a password or security question and answer that would permit access to an online account, when either the user name or email address or password or security question and answer are not encrypted or redacted, or are encrypted or redacted but the keys to unencrypt or unredact or otherwise read the data elements have been obtained through the breach of security.
PI does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
Notice may be provided by one of the following methods:
For a breach of PI other than user name/email and password/security question, the notice shall include:
The notice shall not include the number of IL residents affected by the breach.
For a breach of PI involving user name/email and password/security questions, notice may be provided in electronic or other form directing the IL resident whose PI has been breached to promptly change his or her user name or password and security question or answer, as applicable, or to take other steps appropriate to protect all online accounts for which the resident uses the same user name or email address and password or security question and answer.
Substitute notice is permitted if the Entity demonstrates that the cost of providing notice would exceed $250,000, that the affected class of subject persons to be notified exceeds 500,000, or that the Entity does not have sufficient contact information. Substitute notice shall consist of all of the following:
An Entity that maintains its own notification procedures as part of an information security policy for the treatment of PI and is otherwise consistent with the timing requirements of the statute, shall be deemed in compliance with the notification requirements of the statute if the Entity notifies subject persons in accordance with its policies in the event of a breach of the security of the system data.
Any Entity that is subject to and in compliance with the privacy and security standards under the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act (“HITECH”) shall be deemed to be in compliance, provided that any Entity required to provide notification of a breach to the Secretary of Health and Human Services pursuant to HITECH also provides such notification to the Attorney General within 5 business days of notifying the Secretary.
Name: H.R.S. 487N-1 et seq. S.B. 2402
Effective Date: April 17, 2008
Link to Documentation
Any sole proprietorship, partnership, corporation, association, or other group, however organized, and whether or not organized to operate at a profit, including financial institutions organized, chartered, or holding a license or authorization certificate under the laws of HI, any other state, the United States, or any other country, or the parent or the subsidiary of any such financial institution, and any entity whose business is records destruction, or any government agency that collects PI for specific government purposes (collectively, Entity) that owns or licenses PI of residents of HI in any form (whether computerized, paper, or otherwise).
Any unauthorized access to and acquisition of unencrypted or unredacted records or data containing PI where illegal use of the PI has occurred, or is reasonably likely to occur, where such unauthorized access and acquisition creates a risk of harm to a person. Any incident of unauthorized access to and acquisition of encrypted records or data containing PI along with the confidential process or key constitutes a security breach.
Any Entity to which the statute applies shall provide notice to the affected person of a security breach following discovery or notification of the breach.
If more than 1,000 persons are notified at one time under this section, the business shall notify the State of Hawaii’s Office of Consumer Protection of the timing, content, and distribution of the notice.
If more than 1,000 persons are notified at one time pursuant to this section, the Entity shall notify in writing, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the timing, distribution, and content of the notice.
A government agency shall submit a written report to the legislature within 20 days after discovery of a security breach at the government agency that details information relating to the nature of the breach, the number of individuals affected by the breach, a copy of the notice of security breach that was issued, the number of individuals to whom the notice was sent, whether the notice was delayed due to law enforcement considerations, and any procedures that have been implemented to prevent the breach from reoccurring. In the event that a law enforcement agency informs the government agency that notification may impede a criminal investigation or jeopardize national security, the report to the legislature may be delayed until 20 days after the law enforcement agency has determined that notice will no longer impede the investigation or jeopardize national security.
Any business located in HI or any business that conducts business in HI that maintains or possesses records or data containing PI of residents of HI that the business does not own or license, shall notify the owner or licensee of the PI of any security breach immediately following discovery of the breach.
The disclosure notification shall be made without unreasonable delay, consistent with any measures necessary to determine sufficient contact information, determine the scope of the breach, and restore the reasonable integrity, security, and confidentiality of the data system.
An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
PI does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
Notice may be provided by one of the following methods:
The notice shall be clear and conspicuous and shall include a description of the following:
Substitute notice is permitted if the Entity demonstrates that the cost of providing notice would exceed $100,000, or that the affected class of persons to be notified exceeds 200,000; if the Entity does not have sufficient contact information or consent to satisfy the required notice, substitute notice is permitted only for those affected persons without sufficient contact information or consent; and if the Entity is unable to identify particular affected persons, substitute notice is permitted only for those unidentifiable affected persons. Substitute notice shall consist of all of the following:
Any Entity that violates any provisions of the statute is subject to penalties of not more than $2,500 for each violation.
Name: Ga. Code § 10-1-910 et seq. S.B. No. 236
Effective Date: May 24, 2007
Link to Documentation
Any person or entity who, for monetary fees or dues, engages in whole or in part in the business of collecting, assembling, evaluating, compiling, reporting, transmitting, transferring, or communicating information concerning individuals for the primary purpose of furnishing PI to nonaffiliated third parties, or any state or local agency or subdivision thereof including any department, bureau, authority, public university or college, academy, commission, or other government entity (collectively, Entity) that maintains computerized data that includes PI of individuals. The statute shall not apply to any governmental agency whose records are maintained primarily for traffic safety, law enforcement, or licensing purposes or for purposes of providing public access to court records or to real or personal property information.
An unauthorized acquisition of an individual’s electronic data that compromises the security, confidentiality, or integrity of PI of such individual maintained by an Entity.
Any Entity that maintains computerized data that includes PI of individuals shall give notice of any breach of the security of the system following discovery or notification of the breach to any resident of GA whose unencrypted PI was, or is reasonably believed to have been, acquired by an unauthorized person.
In the event an Entity discovers circumstances requiring notification of more than 10,000 residents of GA at one time, the Entity shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the timing, distribution, and content of the notices.
If an Entity maintains computerized data on behalf of another Entity that includes PI of individuals that the Entity does not own, it shall notify the other Entity of any breach of the security of the system within 24 hours following discovery if the PI was, or is reasonably believed to have been, acquired by an unauthorized person.
The notice shall be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.
An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:
PI does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
Notice may be provided by one of the following methods:
Substitute notice is permitted if an Entity demonstrates that the cost of providing notice would exceed $50,000, that the affected class of individuals to be notified exceeds 100,000, or that the Entity does not have sufficient contact information to provide written or electronic notice to such individuals. Substitute notice shall consist of all of the following:
Any Entity that maintains its own notification procedures as part of an information security policy for the treatment of PI and whose procedures are otherwise consistent with the timing requirements of the statute shall be deemed to be in compliance with the notification requirements of the statute if it notifies the individuals who are the subjects of the notice in accordance with its policies in the event of a breach of the security of the system.
Name: FLA. STAT. 501.171, S.B. 1526
Effective Date: July 1, 2014
Link to Documentation 1
Link to Documentation 2
Link to Documentation 3
A sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity that acquires, maintains, stores, or uses PI (collectively, Entity).
An entity that has been contracted to maintain, store, or process PI on behalf of an Entity or governmental entity (“third-party agent”).
The unauthorized access of data in electronic form containing PI.
Entity must give notice to each individual in Florida whose PI was, or the Entity reasonably believes to have been, accessed as a result of the breach.
Notice to affected individuals is not required if, after an appropriate investigation and consultation with relevant federal, state, or local law enforcement agencies, the Entity reasonably determines that the breach has not and will not likely result in identity theft or any other financial harm to the individuals whose PI has been accessed. Such a determination must be documented in writing and maintained for at least 5 years. The Entity must provide the written determination to the Department within 30 days after the determination.
Entity must provide notice to the Department of Legal Affairs (“Department”) of any breach of security affecting 500 or more individuals in Florida.
If an Entity discovers circumstances requiring notification pursuant to this section of more than 1,000 persons at a single time, the Entity shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the timing, distribution, and content of the notices.
Any third-party agent shall disclose to the Entity for which the information is maintained any breach of the security of the system as soon as practicable, but no later than 10 days following the determination of the breach or reason to believe the breach occurred. Upon receiving notice from a third-party agent, the Entity for which the information is maintained shall provide notices to the Department and Affected Individuals. A third-party agent must provide the Entity with all information that the Entity needs to comply with notice requirements. A third-party agent may provide notice to the Department or Affected Individuals on behalf of the Entity; however, a third-party agent’s failure to provide proper notice shall be deemed a violation against the Entity.
PI does not include publicly available information that is made publicly available by a federal, state, or local governmental entity. The term also does not include information that is encrypted, secured, or modified by any other method or technology that removes elements that personally identify an individual or that otherwise renders the information unusable.
Notice may be provided by one of the following methods:
If the Entity demonstrates that the cost of providing notice would exceed $250,000, the affected class of subject persons to be notified exceeds 500,000, or the Entity does not have sufficient contact information. Substitute notice shall consist of both of the following:
An Entity that violates the statute in the following manner is subject to the following administrative fines:
Name: D.C. Code § 28-3851 et seq. Council Bill 16-810
Effective Date: July 1, 2007
Link to Documentation
Any person or entity (collectively, Entity) who conducts business in D.C. and who, in the course of such business, owns or licenses computerized or other electronic data that includes PI.
An unauthorized acquisition of computerized or other electronic data, or any equipment or device storing such data that compromises the security, confidentiality, or integrity of PI maintained by the Entity.
Any Entity to which the statute applies, and who discovers a breach of the security system, shall promptly notify any D.C. resident whose PI was included in the breach.
If any Entity is required to notify more than 1,000 persons of a breach of security, the Entity shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined by Section 603(p) of the federal Fair Credit Reporting Act, of the timing, distribution, and content of the notices. This subsection shall not apply to an Entity who is required to notify consumer reporting agencies of a breach pursuant to Title V of the Gramm-Leach-Bliley Act.
Any Entity that maintains, handles, or otherwise possesses computerized or other electronic data that includes PI that the Entity does not own shall notify the owner or licensee of the information of any breach of the security of the system in the most expedient time possible following discovery.
The notification shall be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
(1) Any number or code or combination of numbers or codes, such as account number, security code, access code, or password, that allows access to or use of an individual’s financial or credit account; or
(2) an individual’s first name or first initial and last name, or phone number, or address, and any one or more of the following data elements:
PI shall not include information that is lawfully made available to the general public from federal, state, or local government records.
Notice may be provided by one of the following methods:
If the Entity demonstrates that the cost of providing notice to persons would exceed $50,000, that the number of persons to receive notice under the statute exceeds 100,000, or that the Entity does not have sufficient contact information. Substitute notice shall consist of all of the following:
Any Entity that maintains its own notification procedures as part of an information security policy for the treatment of PI and whose procedures are otherwise consistent with the timing requirements of the statute shall be deemed in compliance with the notification requirements of the statute if the Entity provides notice, in accordance with its policies, reasonably calculated to give actual notice to persons to whom notice is otherwise required to be given under the statute.
Name: Del. Code Ann. tit. 6 12B-101 et seq. House Substitute 1 for HB 180
Effective Date: April 14, 2018
Link to Documentation
Any person (individual; corporation; business trust; estate trust; partnership; limited liability company; association; joint venture; government; governmental subdivision, agency, or instrumentality; public corporation; or any other legal or commercial entity) who conducts business in DE and who owns or licenses computerized data that includes PI (collectively, Entity).
The unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of PI. The unauthorized acquisition of such data is not a breach of security to the extent that PI contained therein is encrypted, unless such unauthorized acquisition includes, or is reasonably believed to include, the encryption key and the person that owns or licenses the encrypted information has a reasonable belief that the encryption key could render PI readable or useable.
Any Entity to which the statute applies shall provide notice of any breach of security following determination of the breach of security to any resident of DE whose PI was breached or is reasonably believed to have been breached.
Notification is not required if after an appropriate investigation the Entity reasonably determines that the breach of security is unlikely to result in any harm to the individuals whose PI has been breached.
If the number of DE residents to be notified exceeds 500 residents, the Entity shall, not later than the time when notice is provided to the resident, also provide notice of the breach of security to the Attorney General.
If the breach of security includes Social Security numbers, the Entity shall offer to each resident whose PI, including Social Security number, was breached or is reasonably believed to have been breached, credit monitoring services at no cost to such resident for a period of 1 year. Such person shall provide all information necessary for such resident to enroll in such services and shall include information on how such resident can place a credit freeze on his or her credit file. Such services are not required if, after an appropriate investigation, the person reasonably determines that the breach of security is unlikely to result in harm to the individuals whose PI has been breached.
An Entity that maintains computerized data that includes PI that the Entity does not own or license shall give notice to and cooperate with the owner or licensee of the information of any breach of the security of the system immediately following determination of the breach of security. Cooperation includes sharing with the owner or licensee information relevant to the breach.
Notice must be made without unreasonable delay but not later than 60 days after determination of the breach of security, unless a shorter time is required by federal law. If the Entity cannot, through reasonable diligence, identify within 60 days that the PI of certain DE residents was included in a breach of security, the Entity must provide notice as soon as practicable after the determination that the breach of security included the PI of such residents, unless the Entity provided substitute notice.
A DE resident’s first name or first initial and last name, in combination with any one or more of the following data elements that relate to the resident, when either the name or the data elements are not encrypted:
PI does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records or widely-distributed media.
Notice may be provided by one of the following methods:
For breaches of login credentials for an email account furnished by the Entity, notice may not be provided to the breached email address, but may be provided via methods otherwise permitted, or by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an IP address or online location from which the person knows the resident customarily accesses the account.
If the Entity demonstrates that the cost of providing notice will exceed $75,000, or that the number of DE residents to be notified exceeds 100,000, or the Entity does not have sufficient contact information to provide notice. Substitute notice shall consist of all of the following:
An Entity that maintains its own notification procedures as part of an information security policy for the treatment of PI, and whose procedures are otherwise consistent with the timing requirements of the statute, is deemed to be in compliance with the notice requirements of the statute if the Entity notifies affected DE residents in accordance with its policies in the event of a breach of the security of the system.
Name: Conn. Gen. Stat. 36a-701b S.B. 472
Effective Date: Oct 1, 2018
Link to Documentation 1
Link to Documentation 2
Any person, business or agency (collectively, Entity) that conducts business in CT and who, in the ordinary course of such Entity’s business, owns, licenses, or maintains computerized data that includes PI.
Unauthorized access to or acquisition of electronic files, media, databases, or computerized data containing PI when access to the PI has not been secured by encryption or by any other method or technology that renders the PI unreadable or unusable.
Any Entity to which the statute applies shall disclose any breach of security following the discovery of the breach to any CT resident whose PI was breached or is reasonably believed to have been breached.
Any Entity that is required under the statute to notify CT residents of any breach of security shall not later than the time when notice is provided to the resident also provide notice of the breach of security to the Attorney General.
If an Entity maintains computerized data that includes PI that the Entity does not own, the Entity shall notify the owner or licensee of the information of any breach of the security of the data immediately following its discovery if the PI was, or is reasonably believed to have been, breached.
The disclosure shall be made without unreasonable delay, but not later than 90 days after the discovery of such breach, unless a shorter time is required under federal law, consistent with any measures necessary to determine the nature and scope of the breach, to identify individuals affected, or to restore the reasonable integrity of the data system.
An individual’s first name or first initial and last name in combination with any one or more of the following data elements:
PI does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records or widely distributed media.
Notice may be provided by one of the following methods:
A person who conducts business in CT, and who, in the ordinary course of such person’s business, owns or licenses computerized data that includes PI, shall offer to each resident whose PI that includes Social Security numbers was breached or is reasonably believed to have been breached, appropriate identity theft prevention services and, if applicable, identity theft mitigation services. Such service or services shall be provided at no cost to such resident for a period of not less than 24 months. Such person shall provide all information necessary for such resident to enroll in such service or services and shall include information on how such resident can place a credit freeze on such resident’s credit file.
If the Entity demonstrates that the cost of providing notice would exceed $250,000, or that the affected class of subject persons to be notified exceeds 500,000 persons, or the Entity does not have sufficient contact information. Substitute notice shall consist of all the following:
Any Entity that maintains its own security breach procedures as part of an information security policy for the treatment of PI and otherwise complies with the timing requirements of the statute shall be deemed to be in compliance with the security breach notification requirements of the statute, provided such Entity notifies subject persons in accordance with its policies in the event of a breach of security.
Name: Alaska Stat. 45.48.010 et seq. H.B. 65
Effective Date: July 1, 2009
Link to Documentation
Any person, state, or local governmental agency (excepting the judicial branch), or person with more than 10 employees (collectively, Entity) that owns or licenses PI in any form in AK that includes PI of an AK resident. The provisions governing maintenance of PI that the Entity does not own appear applicable to any Entity maintaining information on AK residents, whether or not the Entity conducts business in AK.
An unauthorized acquisition or reasonable belief of unauthorized acquisition of PI that compromises the security, confidentiality, or integrity of the PI maintained by the Entity. Acquisition includes acquisition by photocopying, facsimile, or other paper-based method; a device, including a computer, that can read, write, or store information that is represented in numerical form; or a method not identified in this paragraph. Good-faith acquisition of PI by an employee or agent of the Entity for a legitimate purpose of the Entity is not a breach of the security of the information system if the employee or agent does not use the PI for a purpose unrelated to a legitimate purpose of the Entity and does not make further unauthorized disclosure of the PI.
Any Entity to which the statute applies shall disclose the breach to each AK resident whose PI was subject to the breach after discovering or being notified of the breach. Notification is not required if, after an appropriate investigation and after written notification to the state Attorney General, the Entity determines that there is not a reasonable likelihood that harm to the consumers whose PI has been acquired has resulted or will result from the breach. The determination shall be documented in writing and the documentation shall be maintained for 5 years.
If an Entity is required to notify more than 1,000 AK residents of a breach, the Entity shall also notify without unreasonable delay all consumer credit reporting agencies that compile and maintain files on consumers on a nationwide basis and provide the agencies with the timing, distribution, and content of the notices to AK residents. Entities subject to the Gramm-Leach-Bliley Act are exempt from this requirement and are not required to notify consumer reporting agencies.
If a breach of the security of the information system containing PI on an AK resident that is maintained by an Entity that does not own or have the right to license the PI occurs, the Entity shall notify the Entity that owns or licensed the use of the PI about the breach and cooperate as necessary to allow the Entity that owns or licensed the use of the PI to comply with the statute.
The disclosure shall be made in the most expeditious time possible and without unreasonable delay consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the information system.
Information in any form on an individual that is not encrypted or redacted, or is encrypted and the encryption key has been accessed or acquired, and that consists of a combination of an individual’s first name or first initial and last name in combination with any one or more of the following data elements:
Notice may be provided by one of the following methods:
If the Entity can demonstrate that the cost of providing notice will exceed $150,000, that the affected class of persons to be notified exceeds 300,000, or that the Entity does not have sufficient contact information to provide notice. Substitute notice shall consist of all of the following:
Name: Cal. Civ. Code 1798.29; 1798.80 et seq. A.B. 964, S.B. 570, S.B. 34
Effective Date: January 1, 2016
Link to Documentation 1
Link to Documentation 2
Any person, business, or state agency (collectively, Entity) that does business in CA and owns or licenses computerized data that contains PI.
An unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of PI maintained by the Entity.
Any Entity to which the statute applies shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any CA resident (1) whose unencrypted PI was, or is reasonably believed to have been, acquired by an unauthorized person, or (2) whose encrypted PI was, or is reasonably believed to have been, acquired by an unauthorized person and the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person and the person or business that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that PI readable or useable.
If an Entity is required to notify more than 500 CA residents, the Entity shall electronically submit a single sample copy of the notification, excluding any personally identifiable information, to the Attorney General.
If an Entity maintains computerized data that includes PI that the Entity does not own, the Entity must notify the owner or licensee of the information of any breach of the security of the data immediately following discovery if the PI was, or is reasonably believed to have been, acquired by an unauthorized person.
The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
(1) An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted (meaning rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security):
(2) User name or email address, in combination with a password or security question and answer that would permit access to an online account.
PI does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
Notice may be provided by one of the following methods:
For breaches of login credentials for an email account furnished by the Entity, notice may not be provided to the breached email address, but may be provided via methods otherwise permitted, or via clear and conspicuous notice delivered to the CA resident online when the CA resident is connected to the online account from an IP address or online location from which the Entity knows the CA resident customarily accesses the account.
The notice shall be written in plain language and shall include a description of the following:
At the Entity’s discretion, the notice may also include:
For breaches of only user name or email address, in combination with a password or security question and answer that would permit access to an online account, notice may be provided in electronic or other form and should direct CA residents to:
The notice shall be titled “Notice of Data Breach,” and shall provide the information above under the headings:
The notice shall be formatted to call attention to the nature and significance of the information it contains, shall clearly and conspicuously display the title and headings, and shall not contain text smaller than 10-point type. (A model security breach notification form is provided in the statute.)
If the Entity demonstrates that the cost of providing notice would exceed $250,000, or that the affected class of subject persons to be notified exceeds 500,000, or the Entity does not have sufficient contact information. Substitute notice shall consist of all of the following:
An Entity that maintains its own notification procedures as part of an information security policy for the treatment of PI and is otherwise consistent with the timing requirements of the statute shall be deemed in compliance with the notification requirements of the statute if it notifies subject persons in accordance with its policies in the event of a security breach.
A covered entity under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) will be deemed to have complied with the notice requirements in this state law if it has complied with the notice requirements in Section 13402(f) of the Health Information Technology for Economic and Clinical Health Act (HITECH).
Name: Ark. Code 4-110-101 et seq. H.B. 1943
Effective Date: June 1, 2018
Link to Documentation
Any person, business or state agency (collectively, Entity) that acquires, owns, or licenses computerized data that includes PI.
An unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of PI maintained by an Entity.
Any Entity to which the statute applies shall disclose any breach of the security of the system following discovery or notification of the breach of the security of the system to any resident of AR whose unencrypted PI was, or is reasonably believed to have been, acquired by an unauthorized person.
If an Entity maintains computerized data that includes PI that the Entity does not own, that Entity shall notify the owner or licensee of the information of any breach of the security of the system immediately following discovery if the PI was, or is reasonably believed to have been, acquired by an unauthorized person.
The disclosure shall be made in the most expedient time and manner possible and without unreasonable delay, subject to any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system.
An individual’s first name, or first initial and his or her last name, in combination with any one or more of the following data elements when either the name or the data element is not encrypted or redacted:
Notice may be provided by one of the following methods:
If the Entity demonstrates that the cost of providing notice would exceed $250,000, or that the affected class of persons to be notified exceeds 500,000, or the Entity does not have sufficient contact information. Substitute notice shall consist of all of the following:
If the affected class of persons to be notified exceeds 1,000, the Entity must disclose the breach to the Attorney General. Notice must be provided at the same time the Entity notifies the affected class, or 45 days after it determines there is a reasonable likelihood of harm to individuals, whichever is first.
Any Entity that maintains its own notification procedures as part of an information security policy for the treatment of PI and is otherwise consistent with the timing requirements of the statute shall be deemed to be in compliance with the notification requirements of the statute if the Entity notifies affected persons in accordance with its policies in the event of a security breach.
Name: Ariz. Rev. Stat. 18-551 et seq. H.B. 2154
Effective Date: August 3, 2018
Link to Documentation
Any person or entity (collectively, Entity) that conducts business in AZ and that owns, maintains, or licenses unencrypted and unredacted computerized PI.
An unauthorized acquisition of and access that materially compromises the security or confidentiality of unencrypted and unredacted computerized PI maintained by an Entity as part of a database of PI regarding multiple individuals.
Any Entity that owns or licenses the PI shall notify the individuals affected within 45 days after its determination that there has been a security breach.
If an Entity is required to notify more than 1,000 AZ residents, the Entity shall notify the Attorney General, in writing, in a form prescribed by rule or order of the Attorney General, or by providing a copy of the individual notification.
If an Entity is required to notify more than 1,000 AZ residents, the Entity shall also notify the three largest nationwide consumer reporting agencies.
If an Entity maintains unencrypted and unredacted computerized PI that the Entity does not own or license, the Entity shall notify, as soon as possible, the owner or licensee of the information, and cooperate with the owner or the licensee of the information. Cooperation shall include sharing information relevant to the breach. The Entity that maintains the data under an agreement with the owner or licensee is not required to provide notice to the individual unless the agreement stipulates otherwise.
The disclosure shall be made within 45 days after the Entity’s determination that there has been a security breach.
1. An individual’s first name or first initial and last name in combination with any one or more of the following data elements:
2. An individual’s user name or email address, in combination with a password or security question and answer, that allows access to an online account.
PI does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records or widely distributed media.
Notice may be provided by one of the following methods:
The notice shall include at least the following:
If the breach involves only online account credentials and no other PI, the Entity may comply with this section by providing the notification in an electronic or other form that directs the individual whose PI has been breached to promptly change the individual’s password and security question or answer, as applicable, or to take other steps that are appropriate to protect the online account with the person and all other online accounts for which the individual whose PI has been breached uses the same user name and email address and password or security question or answer.
For the breach of credentials to an email account furnished by the Entity, the Entity is not required to comply with this section by providing the notification to that email address, but may comply with this section by providing notification by another method described in this subsection or by providing clear and conspicuous notification delivered to the individual online when the individual is connected to the online account from an IP address or online location from which the Entity knows the individual customarily accesses the account. The Entity satisfies the notification requirement with regard to the individual’s account with the person by requiring the individual to reset the individual’s password or security question and answer for that account, if the person also notifies the individual to change the same password or security question and answer for all other online accounts for which the individual uses the same user name or email address and password or security question or answer.
If the Entity can demonstrate that the cost of providing notice will exceed $50,000 or that the affected class of persons to be notified exceeds 100,000, or the Entity does not have sufficient contact information. Substitute notice shall consist of all of the following:
Compliance with Other Laws
Name: Ala. Stat. 8-38-1 et seq. Alabama S.B. 318
Effective Date: June 1, 2018
Link to Documentation
A person or commercial entity (collectively, Entity) that acquires or uses sensitive personally identifying information.
The unauthorized acquisition of data in electronic form containing sensitive personally identifying information. Good-faith acquisition of sensitive personally identifying information by an employee or agent of an Entity is not a security breach, provided that the information is not used for a purpose unrelated to the business or subject to further unauthorized use. A security breach also does not include the release of a public record not otherwise subject to confidentiality or nondisclosure requirements, nor does it include any lawful, investigative, protective, or intelligence activity of a law enforcement or intelligence agency of the state, or a political subdivision of the state.
Any Entity that determines that, as a result of a breach of security, sensitive personally identifying information has been acquired by an unauthorized person and is reasonably likely to cause substantial harm to an AL resident to whom the information relates, shall give notice of the breach to each AL resident to whom the information relates.
If the number of affected individuals exceeds 1,000, the Entity must notify all consumer reporting agencies without unreasonable delay once it is determined that a breach has occurred and is reasonably likely to cause substantial harm to affected individuals.
If the number of affected individuals exceeds 1,000, the Entity must notify the Attorney General as expeditiously as possible and without unreasonable delay, and within 45 days once it is determined that a breach has occurred and is reasonably likely to cause substantial harm to affected individuals.
Notice shall be made as expeditiously as possible and without unreasonable delay, taking into account the time necessary to conduct an investigation, and within 45 days of discovering that a breach has occurred and is reasonably likely to cause substantial harm to affected individuals.
An AL resident’s first name or first initial and last name, in combination with one or more of the following data elements that relate to the resident, when either the name or the data elements are not truncated, encrypted, secured, or modified in a way that removes elements that personally identify an individual or render the data unusable:
Notice may be provided by one of the following methods:
Compliance with Other Laws
Name: An Act to Protect the Privacy of Online Customer Information
Effective Date: 7/1/20
Link to Documentation
Maine’s (35-A M.R.S. c.94) Privacy Statute prohibits Internet Service Providers (ISPs) from using, disclosing, selling, or permitting access to a significant amount of information generated by customers’ use of their internet service.
The Act only applies to Internet Service Providers (ISPs) serving customers that are physically located and billed for service received in Maine. The statute does not cover search engines or social networks.
Note: Like a number of other state statutes, this law adopts Internet regulations protective of consumer rights that were originally implemented by the Federal Communications Commission, but were overturned by Congress in 2017.
The Statute covers consumers’ personal identifying information, inclusive of a consumer’s web browsing history, application usage history, precise geolocation information, device identifiers, the origin and destination Internet protocol addresses, and the content of a customer’s communications.
The Act prohibits ISPs from using, disclosing, selling, or permitting access to most of the consumer information generated by a consumer’s use of the Internet, i.e. web browsing history, application usage history, precise geolocation information, device identifiers, the origin and destination Internet protocol addresses, and the content of a customer’s communication.
The Act is silent as to who will enforce the law on behalf of Maine customers or what penalties would apply for noncompliance. Maine’s legislature failed to provide the state’s Attorney General with either the enforcement authority or funding to enforce the statute.
The Act does not specifically enable Internet users to sue ISPs for noncompliance. However, it remains to be seen whether Maine’s courts will interpret the Act to implicitly create a private cause of action for consumers to sue an ISP.
*Opt-In Requirement: For an ISP to use, disclose, sell, or permit access to the customer’s information, the consumer must first “opt-in” by providing their “express, affirmative consent”. ISPs are prohibited from offering financial or other incentives to entice their customers to opt-in.
*Customer Notice of Rights: The Act requires ISPs to provide customers with “clear, conspicuous and nondeceptive notice” of the customer’s rights under the Act and the ISPs’ statutory obligations.
*Protection of Consumer Information: The Statute requires ISPs to take “reasonable measures” to protect their customer information from unauthorized use, such as theft and security breaches.
*No discrimination against Customers: ISPs are prohibited from refusing to serve customers who fail to opt-in and have withheld their consent for their ISP to access their customer information.
Name: SB 220
Effective Date: 10/1/19
Link to Documentation
Nevada’s privacy law requires operators of Internet websites and online services to comply with Nevada residents’ opt-out requests not to sell their personal data. Under NRS 603A.340, Website Operators are already required to provide notice to consumers of the categories of covered information the operator collects through its website or service.
SB 220 imposes new obligations on “operators” of websites. The law covers those who own or operate a website or online service for commercial purposes and collect and maintain “covered information” from consumers who reside in Nevada and who use or visit the website or online service. However, the definition of an operator excludes i) financial institutions that are subject to the Gramm-Leach-Bliley Act; ii) entities that are subject to HIPAA; and iii) certain manufacturers and repairers of motor vehicles.
1) Website Operators must establish a “designated request address,” through which a consumer may submit an opt-out request. The designated request address must be either an email address, a toll-free phone number, or a website.
2) Operators who receive opt-out requests from consumers must cease making sales of any covered information that the operator has collected, or will collect, about the consumer. Operators need act only on “verified requests,” which are requests submitted to the designated request address, and for which the Operator has been reasonably able to verify the authenticity of the request and the identity of the consumer.
3) Operators are required to respond to verified consumer requests within 60 days of receipt. The Operator may extend the 60-day response deadline for up to 30 days by notifying the consumer, when considered reasonably necessary.
Although there is not a “private right of action” against the Website Operator, Nevada’s AG is able to enforce the law by seeking either a civil penalty of up to $5,000 per violation or injunctive relief.
1) Covered businesses need to conduct Data Audits of their Inventories to determine what data transfers their business engages in that may be defined under SB 220 as a “sale” from which a consumer may opt-out.
2) Organizations need to update their privacy policies to cover consumer opt-out requests and ensure that they have created a designated consumer request address to manage opt-out requests.
Name: California Consumer Privacy Act
Effective Date: 1/1/20
Link to Documentation
The CCPA was created to protect the privacy and security of the personal information of California residents. The law compels organizations conducting business with California residents to make structural changes to their privacy policies while providing California consumers with greater control over the collection, use, and sale of their personal information.
THE CCPA COVERS FOR-PROFIT ORGANIZATIONS OF LEGAL ENTITIES THAT:
AS LONG AS THESE ENTITIES SATISFY ONE OF THE THREE THRESHOLDS SHOWN BELOW:
The CCPA encompasses “Personal Information” which includes any information that “identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Excluded from the Act’s definition of personal information is “aggregated consumer information,” which is defined as data that is “not linked or reasonably linkable to any consumer or household, including via a device”. Information that is publicly available from federal, state, or local government records is also excluded.
The CCPA is intended to provide California consumers with an effective way to control their personal information by creating the following new data privacy rights that CCPA covered organizations need to facilitate:
Businesses must ensure that personnel responsible for handling consumer inquiries regarding these new privacy rights are properly trained as to the CCPA’s requirements and how to direct consumers to exercise their rights.
The Attorney General may bring a civil action for intentional violations of the CCPA, seeking civil penalties of up to $7,500 per violation. Other violations lacking intent are subject to a $2,500 preset maximum fine. A business will be in violation of the CCPA if it fails to cure the violation within 30 days of being notified of its alleged noncompliance.
A consumer bringing a civil action under the CCPA may recover the greater of (1) statutory damages in an amount not less than $100 and not greater than $750 per consumer per incident, or (2) actual damages. Injunctive relief and other court-ordered remedies are also available.
The estimated 500,000 companies domiciled inside and outside of California that come under the purview of the Act will need to reassess their collection and use of personal information on California consumers and implement training for their personnel on how to properly accommodate these new consumer rights.
More specifically, organizations will need to conduct internal audits to identify and map where consumer personal information is collected and stored within their business as well as those companies with whom they share consumer personal information. Covered businesses need to carefully consider how they are to fulfill the following obligations: