Appendix B

Summary of State Data Breach Notification Laws

Section 1.2 of this book describes the common requirements of the data breach notification laws in forty-seven states and the District of Columbia. These summaries focus on the obligations of private companies; government agencies also often face separate notice obligations if they experience data breaches. For ease of reference, particularly for companies that are dealing with a data breach, this appendix summarizes key provisions of each of these forty-eight laws, including the types of personal information that trigger the breach notice requirement, significant exceptions to that requirement, and notice and format of breach notices.

Note that most state notification laws allow electronic notice; in all of these cases, consent to receive notices electronically must be consistent with the federal E-SIGN Act.

For ease of reference, this appendix includes many of the most important parts of the state laws, rather than merely reprinting the statutes in full. However, the state laws do have additional requirements that are specific to the state. Moreover, the breach notification laws could have been amended since the publication of this book; indeed, typically a few states each year amend their breach notice laws. Accordingly, it always is prudent for legal counsel to review the current version of the applicable breach notice laws to confirm requirements.

Alaska

Alaska Stat. §§ 45.48.010 et seq.

  1. Types of personal information covered: An individual's first name or first initial and last name, in combination with at least one of the following elements: Social Security number, driver's license or state ID card number, credit card or debit card number and personal code if applicable, and passwords or PINS or other access codes for financial accounts.
  2. Exceptions to notice requirement: (1) If all of the personal information was encrypted, provided that the encryption key was not also disclosed; and (2) if after an appropriate investigation and a written notification to the Alaska Attorney General, the company determines that “there is not a reasonable likelihood that harm to consumers whose personal information has been acquired has resulted or will result from the breach,” but the company must retain this documentation for five years.
  3. Timing of notice to individuals: Disclosure must be made “in the most expeditious time possible and without unreasonable delay” unless a delay is necessary for law enforcement or to determine the scope of the breach and restore the system's integrity.
  4. Form of notice to individuals: Three options: (1) written document sent to most recent known mailing address; (2) email if that is company's primary method of communication with the individual; or (3) substitute notice if the cost of providing notice would exceed $150,000, the affected class in the state exceeds 300,000, or the company does not have sufficient information to provide notice. Substitute notice consists of email if the address is known, conspicuously posting disclosure on company's website, and notice to major statewide media.
  5. Notice to state regulators or credit bureaus: The State Attorney General must be notified if company determines that there is not a risk of harm and therefore individual notice is unnecessary. Notice to credit bureaus is required if more than 1000 Alaska residents are notified, but this requirement does not apply if the company is subject to the Gramm-Leach-Bliley Act.

Arizona

Ariz. Rev. Stat. § 44-7501

  1. Types of personal information covered: An individual's first name or first initial and last name in combination with at least one of the following: (1) Social Security number; (2) driver's license or state ID number; or (3) financial account or credit card or debit card number in combination with required security code, access code, or passcode (if necessary for access).
  2. Exceptions to notice requirement: The notice requirement does not apply to (1) information that is encrypted or redacted; (2) if after reasonable investigation the company determines that the breach does not pose a reasonable likelihood of substantial economic loss; (3) if the company is subject to the requirements of GLBA or HIPAA; (4) if the company complies with the notification requirements of its “primary or functional federal regulator,” or (5) if it follows its own notification procedures as part of an information security policy.
  3. Timing of notice to individuals: Companies must provide notice “in the most expedient manner possible and without unreasonable delay subject to the needs of law enforcement” and any measure needed for the company to determine the scope of the breach, identify-affected individuals, and restore the system's integrity.
  4. Form of notice to individuals: (1) Written notice; (2) electronic notice if that is the primary method of communicating with the company; (3) telephonic notice; or (4) substitute notice if the cost of other notice would exceed $50,000, more than 100,000 Arizona residents would be notified, or the company does not have sufficient contact information. Substitute notice consists of (1) email notice when available, (2) conspicuous posting of the notice on the company's website, and (3) notification to major statewide media.
  5. Notice to state regulators or credit bureaus: Not required.

Arkansas

Ark. Code §§ 4-110-103, et seq.

  1. Types of personal information covered: First name or first initial and last name in combination with one or more of the following: (1) Social Security number; (2) driver's license or state ID number; (3) financial account number, credit card number or debit card number in combination, with any code or password necessary to access financial account; or (4) medical information.
  2. Exceptions to notice requirement: (1) If personal information is encrypted or redacted; (2) if after a reasonable investigation the company determines there is not a “reasonable likelihood of harm” to customers; (3) if other state or federal laws require equal or greater disclosure of data breaches; or (4) if the business “maintains its own notification procedures as part of an information security policy” and is otherwise consistent with the law's timing requirements, provided that the company follows its internal policies.
  3. Timing of notice to individuals: Individual notice must be made “in the most expedient time and manner possible and without unreasonable delay,” consistent with the needs of law enforcement and to determine the scope of the breach and restore the system's integrity.
  4. Form of notice to individuals: (1) Written notice; (2) email notice; or (3) substitute notice if the cost of notifying would exceed $250,000, more than 500,000 residents of Arkansas would need to be notified, or the company does not have sufficient contact information. Substitute notice consists of email notice when an address is available, conspicuous posting of the notice on the company's website, and notification by statewide media.
  5. Notice to state regulators or credit bureaus: Not required.

California

Cal. Civ. Code § 1798.82

  1. Types of personal information covered: (1) An individual's first name or first initial and last name in combination with at least one of the following: (a) Social Security number; (b) driver's license or state ID card number; (c) financial account number, credit or debit card number, in combination with any required code or password; (d) medical information; (e) health insurance information; or (f) information collected through an automated license plate recognition system;

    or

    (2) a user name or email address, in combination with a password or Social Security question and answer that would permit access to an online account.

  2. Exceptions to notice requirement: (1) If the data is encrypted; or (2) if a company complies with its internal information security policy notification procedures, consistent with the timing requirements of the statute. If a HIPAA-covered entity complies with HIPAA's breach notice requirements, it is not required to follow the California breach notice law's requirements for specific content to be included in the notification (described below).
  3. Timing of notice to individuals: In the “most expedient time possible and without unreasonable delay,” consistent with needs of law enforcement or to determine scope of the breach and restore system integrity.
  4. Form of notice to individuals: (1) Written notice; (2) email notice; or (3) substitute notice, if the company demonstrates that the cost of notice would exceed $250,000, that more than 500,000 Californians would need to be notified, or the company does not have sufficient contact information. Substitute notice consists of email notice when available, conspicuous posting of the notice on the company's website, for at least thirty days; and (3) notification to major statewide media.

    If the breach only involved the credentials for an online account, the company should send password-reset credentials. It should not email the notice to the breached email account.

    The notice must be “written in plain language” and be titled “Notice of Data Breach.”

    The notice must contain: (1) name and contact information of company; (2) list of categories of personal information compromised; (3) if possible, the date or estimated date or ranges of the breach; (4) date of notice; (5) whether notice was delayed due to law enforcement investigation, if possible; (6) general description of the data breach, if possible; (7) toll-free phone numbers and addresses of major credit reporting agencies, and an offer for 12 months of free identity theft prevention and mitigation services, if Social Security or ID card number was exposed.

    Companies also may choose to provide information about what they have done to protect consumers from harm arising from the breach and advice on how the consumers may take steps to protect themselves.

    This notice should be presented under the following headings: “What Happened,” “What Information Was Involved,” “What We are Doing,” “What You Can Do,” and “For More Information.”

  5. Notice to state regulators or credit bureaus: If a company notifies more than 500 California residents due to a single data breach, the company must submit a single sample copy of the notice to the California Attorney General. Note that these sample copies are made publicly available on the California Attorney General's website.

Colorado

Colo. Rev. Stat. § 6-1-716

  1. Types of personal information covered: First name or first initial and last name in combination with at least one of the following: (1) Social Security number; (2) driver's license or ID card number; or (3) account number or credit or debit card number, along with code or password necessary to access financial account.
  2. Exceptions to notice requirement: (1) Encrypted or redacted personal information; (2) if the company follows its internal notification procedures “as part of an information security policy for the treatment of personal information” and is consistent with the statute's timing requirements; (3) if a company that is regulated by another state or federal law and follows that system's notification rules; or (4) if after an investigation the company concludes that misuse of the information “has not occurred and is not reasonably likely to occur.”
  3. Timing of notice to individuals: Disclosure must be provided “in the most expedient time possible and without unreasonable delay,” subject to the needs of law enforcement and to determine the scope of the breach and restore the system's integrity.
  4. Form of notice to individuals: (1) Written notice to mailing address listed in company's records; (2) telephonic notice; (3) electronic notice, if that is the company's primary method of communicating with the individual; or (4) substitute notice if the company demonstrates that the cost of notice exceeds $250,000, at least 250,000 Colorado residents would need to be notified, or the company does not have sufficient contact information. Substitute notice consists of email notice when available, conspicuous posting of the notice on the company's website, and notification to major statewide media.
  5. Notice to state regulators or credit bureaus: Notice to state regulators not required. Notice to credit reporting agencies required, provided that more than 1000 Colorado residents are notified, and the company is not covered by the Gramm-Leach-Bliley Act. The notice to credit reporting agencies must state the date that the notice will be provided and the number of Colorado residents who will receive the notices.

Connecticut

Conn. Gen. Stat. § 36A-701b

  1. Types of personal information covered: An individual's first name or first initial and last name in combination with at least one of the following: (1) Social Security number; (2) driver's license or state ID card number; or (3) account number, credit or debit card number, in combination with any required code or password to access the financial account.
  2. Exceptions to notice requirement: (1) Encrypted information; (2) if, after investigation and consultation with relevant law enforcement agencies, the company determines that breach will not “likely result in harm” to individuals whose information was exposed; (3) if the company follows the notification procedures of its internal information security policies, provided that it complies with the statute's timing requirements and notifies the Connecticut Attorney General; and (4) if a company maintains a breach procedure under the rules of the Gramm-Leach-Bliley Act, provided that the company notifies the individuals and the Connecticut Attorney General.
  3. Timing of notice to individuals: Individuals must be notified without unreasonable delay, and within ninety days of discovery of the incident, subject to needs of law enforcement, to identify individuals, and restore system integrity.
  4. Form of notice to individuals: (1) Written notice; (2) telephone notice; (3) electronic notice; or (4) substitute notice, if the costs of notification would exceed $250,000, more than 500,000 people would be notified, or the company does not have sufficient contact information. Substitute notice consists of email when the address is available, conspicuous posting of the notice on the company's website, and notification to major statewide media, including newspapers, radio, and television.

    Companies must provide “appropriate identity theft protection services, and, if applicable, identity theft mitigation services” for at least twelve months.

  5. Notice to state regulators or credit bureaus: If any Connecticut residents are notified, the Connecticut Attorney General also must receive notification at the same time or earlier.

Delaware

Del. Code tit. 6 § 12B-101, et seq.

  1. Types of personal information covered: An individual's first name or first initial and last name along with at least one of the following: (1) Social Security number; (2) driver's license or state ID card number; or (3) account or credit or debit card number, along with any required code or password.
  2. Exceptions to notice requirement: (1) If the personal information was encrypted; (2) if, after a good faith and reasonable and prompt investigation, the company determines that misuse of Delaware residents' information has not occurred and is not “reasonably likely to occur”; (3) a company that follows the notification requirements of its information security policy and the timing is consistent with this statute; or (4) a company regulated by state or federal law and maintains notice procedures that are consistent with the rules of its primary regulator.
  3. Timing of notice to individuals: Notice must be provided “in the most expedient time possible and without unreasonable delay,” except as needed legitimately for law enforcement, to determine scope of the breach, and to restore the system's integrity.
  4. Form of notice to individuals: (1) Written notice; (2) telephonic notice; (3) electronic notice; or (4) substitute notice, if the total cost of notification will exceed $75,000, more than 100,000 Delaware residents must be notified, or the company does not have sufficient contact information. Substitute notice consists of email notice if the company has email addresses, conspicuous posting of the notice on the company's website, and notice to major statewide media.
  5. Notice to state regulators or credit bureaus: Not required.

District of Columbia

D.C. Code §§ 28-3851 et seq.

  1. Types of personal information covered: (1) Individual's first name or first initial and last name, or phone number, or address, and at least one of the following: (a) Social Security number; (b) driver's license or D.C. ID card number; or (c) credit card or debit card number;

    or

    (2) any other number or code or combination of numbers or codes that allows access to or use of a financial or credit account.

  2. Exceptions to notice requirement: (1) If the data is “rendered secure, so as to be unusable by an unauthorized third party” (i.e., encryption); (2) A company that notifies pursuant to notice procedures in its information security policy, provided that the timing is consistent with this law; or (3) a company that notifies pursuant to the Gramm-Leach-Bliley Act.
  3. Timing of notice to individuals: Notice is required in the “most expedient time possible and without unreasonable delay,” consistent with legitimate needs of law enforcement and with the need to determine scope of the breach and restore system integrity.
  4. Form of notice to individuals: (1) Written notice; (2) electronic notice; or (3) substitute notice, if the company's total cost of notification would exceed $50,000, the number of DC residents requiring notification exceeds 100,000, or the company does not have sufficient contact information. Substitute notice consists of email notice when an address is available, conspicuous posting of the notice on the website of the company, and notice to major local and, if applicable, national media.
  5. Notice to state regulators or credit bureaus: No notice to D.C. regulators required. Notice to credit reporting agencies required if more than 1000 D.C. residents are notified. The credit reporting agency notices must describe the “timing, distribution and content” of the individual notices.

Florida

Fla. Stat. § 501.171

  1. Types of personal information covered: An individual's first name or first initial and last name in combination with any one or more of the following: (1) Social Security number; (2) driver's license or ID card number, passport number, military ID number, or similar number on a government document used to verify identity; (3) financial account or credit or debit card number, in combination with required code or password; (4) information regarding medical history, mental or physical condition, or medical treatment or diagnosis by healthcare professional; or (5) health insurance policy number or subscriber ID number and any unique identifier used by health insurer to verify identity.

    Separately, Florida's notification law covers a user name or email address, in combination with a password or security question and answer that would permit access to an online account. The notification requirement applies even if the individual's name is not disclosed.

  2. Exceptions to notice requirement: (1) If the information was encrypted; (2) if after investigation and consulting with law enforcement, the company “reasonably determines that the disclosure has not and will not likely result in identity theft or any other financial harm” to individuals, provided that the company documents this determination, provides the written documentation to the Florida Department of Legal Affairs within thirty days, and retains the determination for five years; or (3) if the entity follows the breach notice provisions for its primary or functional federal regulator and provides a copy of this notice to the Florida Department of Legal Affairs.
  3. Timing of notice to individuals: Notice must be made “as expeditiously as practicable and without unreasonable delay,” but no longer than thirty days after determination of a breach or reason to believe the breach has occurred, unless there is a written request from a law enforcement agency.
  4. Form of notice to individuals: (1) Written notice; (2) email notice; or (3) substitute notice if cost of notifying exceeds $250,000, more than 500,000 Florida residents would need to be notified, or the company does not have contact information. Substitute notice consists of a conspicuous notice on the company's website and notice in print and broadcast media, including major media in urban and rural areas where the affected individuals reside.

    Notices to individuals must include the date, estimated date, or date range of the breach, a description of the personal information at issue in the breach, and contact information for the company.

    Third-party agents that suffer a data breach must notify the company whose customers' information is breached within ten days of the breach. When the company receives a notice from a third-party agent, the company should provide the required individual notices.

  5. Notice to state regulators or credit bureaus: If more than 500 Florida residents' personal information is compromised, companies must inform the Florida Department of Legal Affairs within thirty days after a breach is discovered. The written notice must include a synopsis of the events surrounding the breach, the number of Floridians affected, services offered for free to individuals related to the breach, a copy of the individual notice, and the name, address, phone number, and email address of the company for more information about the breach.

    Companies must provide written notice to credit reporting agencies if more than 1000 Florida residents' personal information is compromised.

Georgia

Ga. Code §§ 10-1-910 et seq.

  1. Types of personal information covered: Note that Georgia's breach notice law only applies to breaches of the systems of “information brokers” or companies that maintain data on behalf of information brokers. The statute defines “information broker” as “any person or entity who, for monetary fees or dues, engages in whole or in part in the business of collecting, assembling, evaluating, compiling, reporting, transmitting, transferring, or communicating information concerning individuals for the primary purpose of furnishing personal information to nonaffiliated third parties, but does not include any governmental agency whose records are maintained primarily for traffic safety, law enforcement, or licensing purposes.”

    The statute defines “personal information” as an individual's first name or first initial and last name in combination with at least one of the following: (1) Social Security number; (2) driver's license or state ID card number; (3) financial account number or credit card or debit card number, along with any required access codes or passwords; (4) account passwords or personal ID numbers or other access codes; or (5) any of the previous for items when not in connection with individual's name if the information would be sufficient to conduct identity theft.

  2. Exceptions to notice requirement: (1) Encrypted information; or (2) an information broker that provides notice pursuant to its information security policy, provided that the notice is consistent with this statute's timing requirements.
  3. Timing of notice to individuals: Notice must be provided in the “most expedient time possible and without unreasonable delay,” consistent with needs of law enforcement and needs to determine the scope of the breach and to restore the reasonable integrity, security, and confidentiality of the system.
  4. Form of notice to individuals: (1) Written notice; (2) electronic notice; or (3) substitute notice, if the cost of providing notice would exceed $250,000, more than 500,000 Georgia residents would be notified, or the information broker does not have sufficient contact information. Substitute notice consists of email notice if addresses are available, conspicuous posting on the information broker's webpage, and notification to major statewide media.
  5. Notice to state regulators or credit bureaus: If more than 10,000 Georgia residents are notified, the information broker must also notify the credit reporting agencies.

Hawaii

Haw. Rev. Stat. §§ 487N-1 et seq.

  1. Types of personal information covered: A person's first name or first initial and last name in combination with at least one of the following: (1) Social Security number; (2) driver's license number or state ID card number; or financial account number, credit or debit card number, access code, or password.
  2. Exceptions to notice requirement: (1) If the information was encrypted, and the key was not accessed; (2) if the information was redacted; (3) if the company determines that “illegal use” of the personal information, creating a risk of harm to the person, has not occurred and is not reasonably likely to occur; (4) if the company is a financial institution subject to the federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice; or (5) a HIPAA-covered entity that complies with HIPAA's breach notice requirements.
  3. Timing of notice to individuals: Notice should be made “without unreasonable delay,” consistent with needs of law enforcement and with measures necessary to determine contact information and scope of the breach, and to restore the reasonable integrity, security, and confidentiality of the system.
  4. Form of notice to individuals: (1) Written notice to last available address on record; (2) electronic notice; (3) telephone notice as long as contact is made directly with affected person; or (4) substitute notice if the cost of notice would exceed $100,000, the company would need to notify more than 200,000 Hawaii residents, or the business does not have sufficient contact information. Substitute notice consists of email if addresses are available, conspicuous posting of the notice on the company's website, and notification to major statewide media.

    Notice must describe the incident in general terms, along with the type of personal information that was breached, the steps the company took to prevent further access, a telephone number for more information, and advice to “remain vigilant by reviewing financial account records and monitoring free credit reports.”

  5. Notice to state regulators or credit bureaus: If the company notifies more than 1000 Hawaii residents, it also must notify the Hawaii Office of Consumer Protection and the major credit reporting agencies. The notices should disclose the timing, distribution, and content of the notice.

Idaho

Idaho Code §§ 28-51-104 et seq.

  1. Types of personal information covered: An individual's first name or first initial and last name in combination with at least one of the following: (1) Social Security number; (2) driver's license or state ID card number; or (3) financial account number, or credit or debit card number, along with any required code or password.
  2. Exceptions to notice requirement: (1) If the information is encrypted; (2) if an investigation determines that misuse of information has not occurred and is not “reasonably likely to occur”; (3) if the company follows the security breach notification procedures of its information security policy, consistent with this statute's timing requirements; or (4) a company regulated by state or federal law that maintains procedures for data breach notification, provided that the company complies with those procedures.
  3. Timing of notice to individuals: Notice must be provided to individuals in the “most expedient time possible and without unreasonable delay,” consistent with needs of law enforcement, measures necessary to determine scope of the breach and identify affected individuals, and to restore the system's reasonable integrity.
  4. Form of notice to individuals: (1) Written notice; (2) telephonic notice; (3) electronic notice; and (4) substitute notice, if the cost of notice would exceed $25,000, that more than 50,000 Idaho residents would need to be notified, or the company does not have sufficient contact information. Substitute notice consists of email notice to available addresses, conspicuous posting on the company's website, and notice to major statewide media.
  5. Notice to state regulators or credit bureaus: Not required

Illinois

815 Ill. Comp. Stat. §§ 530/1 et seq.

  1. Types of personal information covered: An individual's first name or first initial and last name in combination with at least one of the following: (1) Social Security number; (2) driver's license or state ID card number; or (3) financial account number or credit or debit card number, along with any required code or password.
  2. Exceptions to notice requirement: (1) If data is encrypted or redacted; or (2) if the company follows the security breach notification procedures of its information security policy, consistent with this statute's timing requirements.
  3. Timing of notice to individuals: Notice must be provided in the “most expedient time possible and without unreasonable delay,” consistent with measures necessary to restore system integrity, confidentiality, and security.
  4. Form of notice to individuals: (1) Written notice; (2) electronic notice; or (3) substitute notice, if the cost of providing notice would exceed $250,000, affected Illinois residents exceeds 500,000 people, or the company does not have sufficient contact information. Substitute notice must be provided via email if an address is available, conspicuous posting on the company's website, and notification to statewide media.

    The notice must include toll-free phone numbers for the credit reporting agencies, toll-free phone number, address, and web address for the FTC, and a statement that these sources can provide information about fraud alerts and credit freezes. The notice must not include the number of Illinois residents whose data was compromised.

  5. Notice to state regulators or credit bureaus: Not required.

Indiana

Ind. Code §§ 24-4.9-1-1 et seq.

  1. Types of personal information covered: First name or first initial and last name, along with at least one of the following: (1) driver's license or state ID card number; (2) credit card number; or (3) financial account number or debit card number in combination with a security code, password, or access code. Separately, an unencrypted and unredacted Social Security number is considered to be personal information, even if it is not disclosed with an individual's name.
  2. Exceptions to notice requirement: (1) If the information was redacted or encrypted and the key had not been acquired; (2) if the company does not know or should not have known that the breach “resulted in or could result in identity deception, … identity theft, or fraud”; (3) companies that maintain disclosure procedures under the USA PATRIOT Act, Executive Order 13224, Driver's Privacy Protection Act, Fair Credit Reporting Act, GLBA, or HIPAA; or (4) a financial institution that complies with the Interagency Guidance.
  3. Timing of notice to individuals: Notice is required without unreasonable delay. A delay is reasonable if necessary to restore system integrity or discovery scope of breach, or in response to a request from the attorney general or a law enforcement agency.
  4. Form of notice to individuals: (1) Written notice; (2) telephonic notice; (3) fax notice; (4) email; or (5) substitute notice, if the total cost of notice exceeds $250,000 or more than 500,000 Indiana residents would be notified. Substitute notice must be provided via a conspicuous posting on the company's website and notice to major news reporting media in the geographic area where Indiana residents affected by the data breach reside.
  5. Notice to state regulators or credit bureaus: If any individuals are notified, the company must notify the Indiana Attorney General. If more than 1000 Indiana residents are notified, the company also must notify the major credit reporting agencies.

Iowa

Iowa Code §§715c.1 et seq.

  1. Types of personal information covered: An individual's first name or first initial in combination with at least one of the following: (1) Social Security number; (2) driver's license or government identification number; (3) financial account number, credit card number or debit card number, along with any required code or password; (4) “unique electronic identifier or routing code,” combined with any required security code, access code, or password that would enable access to a financial account; or (5) unique biometric data (i.e., retinal image or fingerprint).
  2. Exceptions to notice requirement: (1) If data is encrypted and key is not accessed, or if the data is redacted; (2) the company complies with disclosure requirements of its primary or functional federal regulator, provided that the requirements at least provide equal protection as the state law; (3) the company is covered by GLBA and complies with its notice requirements; or (4) after investigation or consulting with law enforcement, the company determines there is “no reasonable likelihood of financial harm” to the affected individuals, provided that the company documents this determination in writing and retains the documentation for five years.
  3. Timing of notice to individuals: In the “most expeditious manner possible and without unreasonable delay,” consistent with legitimate law enforcement needs and measures that are necessary to determine the breach's scope, identify affected individuals, and restore the data's integrity, security, and confidentiality.
  4. Form of notice to individuals: (1) Written notice; (2) electronic notice; or (3) substitute notice, if the cost of providing notice would exceed $250,000, more than 350,000 Iowa residents would need to be notified, or the company does not have sufficient contact information. Substitute notice consists of email to available addresses, conspicuous posting of the notice on the company's website, and notification to major statewide media.

    Notices must contain a description of the breach, the approximate date of the breach, the type of personal information breached, contact information for consumer reporting agencies, and advice to the consumer to report suspected identity theft to local law enforcement or the Iowa Attorney General.

  5. Notice to state regulators or credit bureaus: If 500 or more Iowa residents are notified, the company must notify the director of the consumer protection division of the Iowa Attorney General's office within five business days of notifying the Iowa residents. The law does not require notification of credit bureaus.

Kansas

Kansas Stat. §§ 50-7a01 et seq.

  1. Types of personal information covered: An individual's first name or first initial and last name along with at least one of the following: (1) Social Security number; (2) driver's license or state ID card number; or (3) financial account or credit or debit card number, along with any required code or password.
  2. Exceptions to notice requirement: (1) If the information is encrypted; (2) if an investigation determines that misuse of information has not occurred and is not “reasonably likely to occur”; (3) if the company follows the security breach notification procedures of its information security policy, consistent with this statute's timing requirements; or (4) a company regulated by state or federal law that maintains procedures for data breach notification, provided that the company complies with those procedures.
  3. Timing of notice to individuals: In the “most expedient time possible and without unreasonable delay,” consistent with legitimate law enforcement needs and measures that are necessary to determine the breach's scope and restore the system's integrity.
  4. Form of notice to individuals: (1) Written notice; (2) electronic notice; or (3) substitute notice, if the cost of providing notice would exceed $100,000, more than 5000 Kansas residents would need to be notified, or the company does not have sufficient contact information. Substitute notice consists of email to available addresses, conspicuous posting of the notice on the company's website, and notification to major statewide media.
  5. Notice to state regulators or credit bureaus: A company must notify credit reporting agencies of the timing, content, and distribution of notices if the company notified more than 1000 Kansas residents.

Kentucky

Ky. Rev. Stat. § 365.732

  1. Types of personal information covered: An individual's first name or first initial and last name along with at least one of the following: (1) Social Security number; (2) driver's license or state ID card number; or (3) financial account or credit or debit card number, along with any required code or password.
  2. Exceptions to notice requirement: (1) If the information is encrypted; (2) if an investigation determines that identity theft or fraud has not occurred and is not reasonably likely to occur; (3) if the company follows the security breach notification procedures of its information security policy, consistent with this statute's timing requirements; or (4) a company subject to HIPAA or GLBA.
  3. Timing of notice to individuals: In the “most expedient time possible and without unreasonable delay,” consistent with legitimate law enforcement needs and measures that are necessary to determine the breach's scope and restore the system's integrity.
  4. Form of notice to individuals: (1) Written notice; (2) electronic notice; or (3) substitute notice, if the cost of providing notice would exceed $250,000, more than 500,000 Kentucky residents would need to be notified, or the company does not have sufficient contact information. Substitute notice consists of email to available addresses, conspicuous posting of the notice on the company's website, and notification to major statewide media.
  5. Notice to state regulators or credit bureaus: A company must notify credit reporting agencies of the timing, content, and distribution of notices if the company notified more than 1000 Kentucky residents.

Louisiana

La. Rev. Stat. §§ 51:3071 et seq.

  1. Types of personal information covered: An individual's first name or first initial and last name along with at least one of the following: (1) Social Security number; (2) driver's license or state ID card number; or (3) account or credit or debit card number, along with any required code or password.
  2. Exceptions to notice requirement: (1) If the information is encrypted or redacted; (2) if a “reasonable investigation” determines there is not a “reasonable likelihood of harm to customers”; (3) if the company follows the security breach notification procedures of its information security policy, consistent with this statute's timing requirements; or (4) a financial institution subject to and in compliance with Interagency Guidance.
  3. Timing of notice to individuals: In the most expedient time possible and without unreasonable delay, consistent with legitimate law enforcement needs and measures that are necessary to determine the breach's scope, prevent further disclosure, and restore the system's integrity.
  4. Form of notice to individuals: (1) Written notice; (2) electronic notice; or (3) substitute notice, if the cost of providing notice would exceed $250,000, more than 500,000 Louisiana residents would need to be notified, or the company does not have sufficient contact information. Substitute notice consists of email to available addresses, conspicuous posting of the notice on the company's website, and notification to major statewide media.
  5. Notice to state regulators or credit bureaus: A company must notify the Consumer Protection Section of the Office of the Louisiana Attorney General within ten days of notifying Louisiana residents. The notice should include the names of all Louisiana citizens who were notified of the breach.

Maine

Me. Rev. Stat. tit. 10 §§ 1346 et seq.

  1. Types of personal information covered: An individual's first name or first initial and last name along with at least one of the following: (1) Social Security number; (2) driver's license or state ID card number; (3) financial account or credit or debit card number, along with any required code or password; or (4) account passwords or PIN numbers or other access codes. Alternatively, any of those four data elements, without the individual's name, if the information “would be sufficient to permit a person to fraudulently assume or attempt to assume the identity of the person whose information was compromised.”
  2. Exceptions to notice requirement: (1) If the information is encrypted or redacted; (2) if an investigation determines that misuse of information has not occurred and is not reasonably likely to occur (though this exception does not apply to information brokers); (3) if the company follows the security breach notification procedures established by federal or Maine law, provided they are at least as protective as the requirements of this statute.
  3. Timing of notice to individuals: In the most expeditious manner possible and without unreasonable delay, consistent with legitimate law enforcement needs and measures that are necessary to determine the breach's scope and restore the system's integrity.
  4. Form of notice to individuals: (1) Written notice; (2) electronic notice; or (3) substitute notice, if the cost of providing notice would exceed $5000, more than 1000 Maine residents would need to be notified, or the company does not have sufficient contact information. Substitute notice consists of email to available addresses, conspicuous posting of the notice on the company's website, and notification to major statewide media.
  5. Notice to state regulators or credit bureaus: A company that notifies Maine residents must notify the Maine Department of Professional and Financial Regulation or the Maine Attorney General. If the company notified more than 1000 Maine residents, the company must notify credit reporting agencies of the breach date, estimated number of people affected, and date of individual notification.

Maryland

Md. Code, Com. Law §§ 14-3501 et seq.

  1. Types of personal information covered: An individual's first name or first initial and last name along with at least one of the following: (1) Social Security number; (2) driver's license or state ID card number; (3) financial account or credit or debit card number, along with any required code or password; or (4) an individual taxpayer identification number.
  2. Exceptions to notice requirement: (1) If the information is encrypted or redacted; (2) if an investigation determines there is not a reasonable likelihood of misuse of the information, provided that the company retains written documentation of this determination for three years; (3) if the company is subject to rules of a primary or functional federal or state regulator; or (4) a financial institution subject to GLBA.
  3. Timing of notice to individuals: Notification should be provided “as soon as reasonably practicable,” consistent with legitimate law enforcement needs and measures that are necessary to determine the breach's scope, the company must identify individuals whose data was breached, and restore the system's integrity.
  4. Form of notice to individuals: (1) Written notice; (2) electronic notice; (3) telephone notice; or (4) substitute notice, if the cost of providing notice would exceed $100,000, more than 175,000 Maryland residents would need to be notified, or the company does not have sufficient contact information. Substitute notice consists of email to available addresses, conspicuous posting of the notice on the company's website, and notification to major statewide media.

    Notices must contain descriptions of the types of data breached, the company's contact information, the toll-free phone numbers and addresses for the credit reporting agencies, the toll-free telephone number, addresses, and websites for the FTC and Maryland Attorney General, and a statement that individuals can obtain information about identity theft from these sources.

  5. Notice to state regulators or credit bureaus: A company must notify the Maryland Attorney General before notifying Maryland residents. If more than 1000 Maryland residents are notified, credit bureaus also should be notified, and, the notice should state the timing, content, and distribution of the individual notices.

Massachusetts

Mass. Gen. Laws ch. 93H

  1. Types of personal information covered: An individual's first name or first initial and last name along with at least one of the following: (1) Social Security number; (2) driver's license or state ID card number; or (3) financial account or credit or debit card number, along with any required code or password.
  2. Exceptions to notice requirement: (1) If the information is encrypted with at least a 128-bit process and the key was not accessed; or (2) if the company follows the security breach notification procedures required by federal laws or regulations, provided that they notify Massachusetts residents and Massachusetts officials.

    The statute does not have the standard risk-of-harm exception. Instead, it requires notification if a company “(1) knows or has reason to know of a breach of security or (2) when the person or agency knows or has reason to know that the personal information of such resident was acquired or used by an unauthorized person or used for an unauthorized purpose.”

  3. Timing of notice to individuals: Notification must be provided “as soon as practicable and without unreasonable delay.”
  4. Form of notice to individuals: (1) Written notice; (2) electronic notice; or (3) substitute notice, if the cost of providing notice would exceed $250,000, more than 500,000 Massachusetts residents would need to be notified, or the company does not have sufficient contact information. Substitute notice consists of email to available addresses, conspicuous posting of the notice on the company's website, and notification to major statewide media.

    The notice must include the consumer's right to obtain a police report, instructions to request a security freeze, including fees paid to consumer reporting agencies. The notice must not describe the nature of the breach or the number of Massachusetts residents affected.

  5. Notice to state regulators or credit bureaus: A company must notify the Massachusetts Attorney General and Director of Consumer Affairs and Business Regulation. The notice should describe the breach, the number of affected Massachusetts residents, and steps taken to remediate harm.

Michigan

Mich. Comp. Laws §§ 445.63, 445.72

  1. Types of personal information covered: An individual's first name or first initial and last name along with at least one of the following: (1) Social Security number; (2) driver's license or state ID card number; or (3) financial account or credit or debit card number, along with any required code or password.
  2. Exceptions to notice requirement: (1) If the personal information was encrypted and the key was not disclosed; (2) if the company determines that the breach “has not or is not likely to cause substantial loss or injury to, or result in identity theft of” a Michigan resident; (3) a financial institution that is subject to, and has notification procedures that are subject to examination by regulators for compliance with, the Interagency Guidance; or (4) an entity subject to and in compliance with HIPAA.
  3. Timing of notice to individuals: Notice must be provided “without unreasonable delay,” except as needed legitimately for law enforcement, to determine scope of the breach, and to restore the system's reasonable integrity.
  4. Form of notice to individuals: (1) Written notice; (2) telephonic notice, subject to consent and format restrictions specified in the statute; (3) electronic notice, subject to consent and format restrictions specified in the statute; or (4) substitute notice, if the total cost of notification will exceed $250,000, more than 500,000 Michigan residents must be notified, or the company does not have sufficient contact information. Substitute notice consists of email notice if the company has email addresses; conspicuous posting of the notice on the company's website, and notice to major statewide media that includes a telephone number to obtain assistance and information.

    Notices must be written in a “clear and conspicuous manner,” describe the breach in general terms, describe the type of personal information that is the subject of the unauthorized access or use, if applicable, describe remediation steps to prevent further breaches, include phone number for additional information, and remind recipients of the need to remain vigilant for identity theft and fraud.

  5. Notice to state regulators or credit bureaus: Notice to major credit reporting agencies required if more than 1000 Michigan residents receive breach notices (though this does not apply to GLBA-covered companies). The notice must state the date of the notices that were sent to individuals.

Minnesota

Minn. Stat. §§ 325E.61, et seq.

  1. Types of personal information covered: An individual's first name or first initial and last name along with at least one of the following: (1) Social Security number; (2) driver's license or state ID card number; or (3) financial account or credit or debit card number, along with any required code or password.
  2. Exceptions to notice requirement: (1) if the personal information was encrypted, as long as the key was not accessed; (2) a company that follows the notification requirements of its information security policy and the timing is consistent with this statute; or (3) a company that qualifies as a “financial institution” under GLBA.
  3. Timing of notice to individuals: Notice must be provided “in the most expedient time possible and without unreasonable delay,” except as needed legitimately for law enforcement, to determine scope of the breach, identify-affected individuals, and to restore the system's integrity.
  4. Form of notice to individuals: (1) Written notice; (2) electronic notice; or (3) substitute notice, if the total cost of notification will exceed $250,000, more than 500,000 Minnesota residents must be notified, or the company does not have sufficient contact information. Substitute notice consists of email notice if the company has email addresses; conspicuous posting of the notice on the company's website, and notice to major statewide media.
  5. Notice to state regulators or credit bureaus: If a company determines that more than 500 Minnesota residents must be notified, the company must notify the major consumer reporting agencies, within forty-eight hours of the determination, of the timing, distribution, and content of the notices.

Mississippi

Miss. Code § 75-24-29

  1. Types of personal information covered: An individual's first name or first initial and last name along with at least one of the following: (1) Social Security number; (2) driver's license or state ID card number; or (3) financial account or credit or debit card number, along with any required code or password.
  2. Exceptions to notice requirement: (1) If the personal information was encrypted or rendered unreadable or unusable by any other method or technology; (2) if after “appropriate investigation,” the company “reasonably determines that the breach will not likely result in harm to the affected individuals”; (3) a company that follows the notification requirements of its information security policy and the timing is consistent with this statute; or (4) a company that maintains a breach procedure under the rules of GLBA.
  3. Timing of notice to individuals: Notice must be provided “without unreasonable delay,” except as needed legitimately for law enforcement, to determine scope of the breach, identify affected individuals, and to restore the system's integrity.
  4. Form of notice to individuals: (1) Written notice; (2) telephone notice; (3) electronic notice; or (4) substitute notice, if the total cost of notification will exceed $5000, more than 5000 Mississippi residents must be notified, or the company does not have sufficient contact information. Substitute notice consists of email notice if the company has email addresses; conspicuous posting of the notice on the company's website, and notice to major statewide media, including newspapers, radio, and television.
  5. Notice to state regulators or credit bureaus: Not required

Missouri

Mo. Rev. Stat. § 407.1500

  1. Types of personal information covered: An individual's first name or first initial and last name along with at least one of the following: (1) Social Security number; (2) driver's license or state ID card number; (3) financial account or credit or debit card number, along with any required code or password; (4) “unique electronic identifier or routing code,” along with any required code or password to access a financial account; (5) medical information; or (6) health insurance information.
  2. Exceptions to notice requirement: (1) If the personal information was encrypted or redacted; (2) if after an “appropriate investigation” or consultation with law enforcement, the company “determines that a risk of identity theft or other fraud to any consumer is not reasonably likely to occur as a result of the breach,” provided that the company documents this finding in writing and maintains it for five years; (3) a company that follows the notification requirements of its information security policy and the timing is consistent with this statute; or (4) a company that notifies consumers in accordance with mandated procedures of its functional state or federal regulator; (5) a financial institution subject to the Interagency Guidance, GLBA, or the National Credit Union Administration regulations.
  3. Timing of notice to individuals: Notice must be provided “without unreasonable delay,” except as needed legitimately for law enforcement, to determine scope of the breach, identify affected individuals, and to restore the system's integrity.
  4. Form of notice to individuals: (1) Written notice; (2) electronic notice; (3) telephone notice, if affected customers are directly contacted, or (4) substitute notice, if the total cost of notification will exceed $100,000, more than 5000 Missouri residents must be notified, or the company does not have sufficient contact information. Substitute notice consists of email notice if the company has email addresses; conspicuous posting of the notice on the company's website, and notice to major statewide media.

    The notice should contain a description of the incident “in general terms,” the type of personal information obtained, a phone number for further information and assistance, if one exists, contact information for consumer reporting agencies, and advice that the consumer should “remain vigilant by reviewing account statements and monitoring free credit reports.”

  5. Notice to state regulators or credit bureaus: If a company determines that more than 1000 Missouri residents must be notified, the company must notify the Missouri Attorney General's office and the major consumer reporting agencies of the timing, distribution, and content of the notices.

Montana

Mont. Code §§ 30-14-1701 et seq.

  1. Types of personal information covered: An individual's first name or first initial and last name along with at least one of the following: (1) Social Security number; (2) driver's license or state ID card number; (3) financial account or credit or debit card number, along with any required code or password; (4) medical record information; (5) taxpayer identification number; or (6) IRS-issued identity protection personal identification number.
  2. Exceptions to notice requirement: (1) If the information is encrypted; (2) if the breach did not cause and is not “reasonably believed to cause” loss or injury to a Montana resident; or (3) if the company follows the security breach notification procedures of its information security policy, and does not unreasonably delay notice.
  3. Timing of notice to individuals: Notice must be provided “without unreasonable delay,” consistent with legitimate law enforcement needs and measures that are necessary to determine the breach's scope and restore the system's reasonable integrity.
  4. Form of notice to individuals: (1) Written notice; (2) electronic notice; (3) telephone notice; or (4) substitute notice, if the cost of providing notice would exceed $250,000, more than 500,000 Montana residents would need to be notified, or the company does not have sufficient contact information. Substitute notice consists of email to available addresses, conspicuous posting of the notice on the company's website, and notification to major statewide media.
  5. Notice to state regulators or credit bureaus: When a company notifies Montana residents of a breach, it must simultaneously submit an electronic copy of the notice and a statement with the date and method of distribution of the individual notices to the Montana Attorney General's consumer protection office. The copy must not contain any personally identifiable information about the individual notice recipients. The statute does not require reports to the consumer reporting bureaus, but if the individual notices state that individuals may obtain copies of their files from the bureaus, the company must coordinate with the bureau on the timing, content, and distribution of the individual notices. The coordination cannot unreasonably delay individual notices.

Nebraska

Neb. Rev. Stat. §§ 87-801 et seq.

  1. Types of personal information covered: (a) An individual's first name or first initial and last name along with at least one of the following: (1) Social Security number; (2) driver's license or state ID card number; (3) financial account or credit or debit card number, along with any required code or password; (4) unique electronic identification number or routing code, in combination with any required security code, access code, or password; or (5) “unique biometric data,” such as a fingerprint, voice print, or retinal or iris image, or other unique physical representation;

    or

    (b) a user name or email address, along with the password or security question that allows access to an online user account.

  2. Exceptions to notice requirement: (1) If the information is encrypted, provided that the key was not accessed, or if the information was redacted; (2) if an investigation determines that use of information about a Nebraska resident for an unauthorized purpose has not occurred and is not “reasonably likely” to occur; (3) if the company follows the security breach notification procedures of its information security policy, consistent with this statute's timing requirements; or (4) a company regulated by state or federal law that requires procedures for data breach notification, provided that the company complies with those procedures.
  3. Timing of notice to individuals: Notice must be made “as soon as possible and without unreasonable delay,” consistent with legitimate law enforcement needs and measures that are necessary to determine the breach's scope and restore the system's reasonable integrity.
  4. Form of notice to individuals: (1) Written notice; (2) electronic notice; (3) telephone notice, or (4) substitute notice, if the cost of providing notice would exceed $75,000, more than 100,000 Nebraska residents would need to be notified, or the company does not have sufficient contact information. Substitute notice consists of email to available addresses, conspicuous posting of the notice on the company's website, and notification to major statewide media.

    If the company has ten or fewer employees and the cost of notice would exceed $10,000, substitute notice consists of (1) email to known addresses; (2) notification by a paid advertisement in a local newspaper in the geographic area in which the company is located, provided that the ad covers at least a quarter of a page in the newspaper and is published at least once a week for three consecutive weeks; (3) conspicuous posting on the company's website; and (4) notification to major media outlets in the geographic area in which the company is located.

  5. Notice to state regulators or credit bureaus: If a company notifies Nebraska residents of a data breach, it must also notify the Nebraska Attorney General concurrently or before it notifies the individuals.

Nevada

Nev. Rev. Stat. §§ 603A.010 et seq.

  1. Types of personal information covered: First name or first initial and last name in combination with one or more of the following: (1) Social Security number (not including last four digits of number); (2) driver's license or state ID number; (3) financial account number, credit card number, or debit card number, in combination with any code or password necessary to access financial account; (4) medical identification number or health insurance identification number; or (5) a “user name, unique identifier or electronic mail address in combination with a password, access code or security question and answer that would permit access to an online account.”
  2. Exceptions to notice requirement: (1) If personal information is encrypted; (2) if the company is subject to and complies with GLBA's breach notice requirements; or (3) if the business maintains its own notification procedures as part of an information security policy and is otherwise consistent with the law's timing requirements, provided that the company follows its internal policies.
  3. Timing of notice to individuals: Individual notice must be made in the “most expedient time possible and without unreasonable delay,” consistent with the needs of law enforcement or needs to determine scope of the breach or restore reasonable integrity of the system data.
  4. Form of notice to individuals: (1) Written notice; (2) electronic notice; or (3) substitute notice if the cost of notifying would exceed $250,000, more than 500,000 residents of Nevada would need to be notified, or the company does not have sufficient contact information. Substitute notice consists of email notice when an address is available, conspicuous posting of the notice on the company's website, and notification to major statewide media.
  5. Notice to state regulators or credit bureaus: If more than 1000 Nevada residents are notified for one incident, the company must notify the major consumer reporting agencies of the time the notification was distributed and the content of the notification.

New Hampshire

N.H. Rev. Stat. §§ 359-C:19 et seq.

  1. Types of personal information covered: First name or first initial and last name in combination with one or more of the following: (1) Social Security number; (2) driver's license or state ID number; or (3) financial account number, credit card number, or debit card number, in combination with any code or password necessary to access financial account.
  2. Exceptions to notice requirement: (1) If personal information is encrypted; (2) if the company determines that misuse of the information has not occurred and is not “reasonably likely” to occur; or (3) a company subject to NH RSA 358-A:3 (e.g., a financial institution) and maintains procedures consistent with rules issued by a state or federal regulator.
  3. Timing of notice to individuals: Individual notice must be made “as quickly as possible” after the company determines there is a risk of harm.
  4. Form of notice to individuals: (1) Written notice; (2) telephone notice; (3) electronic notice, if it was primary means of communication with individual; (4) substitute notice if the cost of notifying would exceed $5000, more than 1000 residents of New Hampshire would need to be notified, or the company does not have sufficient contact information. Substitute notice consists of email notice when an address is available, conspicuous posting of the notice on the company's website, and notification to major statewide media; or (5) notice under the company's internal notification procedures maintained as part of an information security program.

    The notice must include a description of the incident “in general terms,” the approximate date of the breach, the type of personal information obtained due to the breach, and the telephone contact information for the company.

  5. Notice to state regulators or credit bureaus: If the company notifies any individuals in New Hampshire, it also must notify the New Hampshire attorney general's office of the anticipated date of the individual notice and the approximate number of New Hampshire residents who will be notified. The statute does not require companies to provide names of affected residents. Companies subject to RSA 358-A:3 (e.g., financial institutions) should notify their primary regulator rather than the New Hampshire Attorney General's office.

    If more than 1000 New Hampshire residents are notified for one incident, the company must notify the major consumer reporting agencies of the time the notification was distributed and the content of the notification. (Companies subject to GLBA need not notify credit bureaus.)

New Jersey

N.J. Stat. §§ 56:8-161 et seq.

  1. Types of personal information covered: An individual's first name or first initial and last name along with at least one of the following: (1) Social Security number; (2) driver's license or state ID card number; or (3) financial account or credit or debit card number, along with any required code or password. “Dissociated” data that, if linked, would be personal information is considered to be personal information “if the means to link the dissociated data were accessed in connection with access to the dissociated data.”
  2. Exceptions to notice requirement: (1) If the information is encrypted; (2) if the company concludes that the information was not, or is not “reasonably believed” to have been, accessed by an “unauthorized person”; or (3) if the company follows the security breach notification procedures of its information security policy, provided that the procedures are “otherwise consistent with the requirements” of the New Jersey law.
  3. Timing of notice to individuals: Notification must be provided “in the most expedient time possible and without unreasonable delay,” consistent with legitimate law enforcement needs and measures that are necessary to determine the breach's scope and restore the system's integrity.
  4. Form of notice to individuals: (1) Written notice; (2) electronic notice; or (3) substitute notice, if the cost of providing notice would exceed $250,000, more than 500,000 New Jersey residents would need to be notified, or the company does not have sufficient contact information. Substitute notice consists of email to available addresses, conspicuous posting of the notice on the company's website, and notification to major statewide media.
  5. Notice to state regulators or credit bureaus: A company must notify the New Jersey Division of State Police before notifying individuals. If a company notifies more than 1000 New Jersey residents, it should, without unreasonable delay, notify all consumer reporting agencies of the timing, distribution, and content of the notices.

New York

N.Y. Gen. Bus. Law § 899-aa

  1. Types of personal information covered: Any “information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person” along with at least one of the following: (1) Social Security number; (2) driver's license or state ID card number; or (3) financial account or credit or debit card number, along with any required code or password.
  2. Exceptions to notice requirement: (1) If the personal information was encrypted and the key was not accessed; (2) if the company determines that the unauthorized acquisition did not compromise “the security, confidentiality, or integrity of personal information,” after considering the following factors: (a) indications that the information is in the “physical possession and control of an unauthorized person”; (b) indications that “the information has been downloaded or copied”; and (c) indications that the information was “used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported.”
  3. Timing of notice to individuals: Notice must be provided in the “most expedient time possible and without unreasonable delay,” except as needed legitimately for law enforcement, to determine scope of the breach, identify affected individuals, and to restore the system's integrity.
  4. Form of notice to individuals: (1) Written notice; (2) telephone notice; (3) electronic notice; or (4) substitute notice, if the total cost of notification will exceed $250,000, more than 500,000 New York residents must be notified, or the company does not have sufficient contact information. Substitute notice consists of email notice if the company has email addresses, conspicuous posting of the notice on the company's website, and notice to major statewide media.

    The notice must include contact information for the company, and a description of the categories of information believed to have been acquired.

  5. Notice to state regulators or credit bureaus: Any time that New York residents are notified of a data breach, the company should notify the New York Attorney General, the New York Department of State, and the New York Division of State Police of the timing, content, and distribution of the notices and the approximate number of New York residents affected. The notice must not delay notification of individuals.

    If more than 5000 New York residents are notified at one time, the company must notify the consumer reporting agencies of the timing, content, and distribution of the notices and approximate number of New York residents affected.

North Carolina

N.C. Gen. Stat §§ 75-61, 75-65

  1. Types of personal information covered: An individual's first name or first initial and last name along with at least one of the following: (1) Social Security number; (2) driver's license or state ID card number; or (3) checking account number; (4) savings account number; (5) credit card number; (6) debit card number; (7) personal identification code; (8) electronic identification numbers, electronic mail names or addresses, Internet account numbers, or Internet identification names; (9) digital signatures; (10) any other numbers or information that can be used to access a person's financial resources; (11) biometric data; (12) fingerprints; (13) passwords; or (14) parent's legal surname prior to marriage.
  2. Exceptions to notice requirement: (1) If the personal information was encrypted and the key has not been accessed; (2) if the company “reasonably determines” that consumers have not been harmed and likely will not be harmed by the incident; or (3) a financial institution that complies with the Interagency Guidance.
  3. Timing of notice to individuals: Notice must be provided “without unreasonable delay,” except as needed legitimately for law enforcement, to determine scope of the breach, identify affected individuals, and to restore the system's integrity, security, and confidentiality.
  4. Form of notice to individuals: (1) Written notice; (2) telephone notice; (3) electronic notice; or (4) substitute notice, if the total cost of notification will exceed $250,000, more than 500,000 North Carolina residents must be notified, or the company does not have sufficient contact information. Substitute notice consists of email notice if the company has email addresses; conspicuous posting of the notice on the company's website, and notice to major statewide media.

    The notice must contain a description of the incident “in general terms,” a description of the categories of personal information that were subject to unauthorized access, a description of the steps the business took to prevent further unauthorized access, a phone number for further information and assistance, advice to “remain vigilant by reviewing account statements and monitoring free credit reports,” toll-free numbers and addresses for the major consumer reporting agencies, and toll-free numbers, addresses, and website addresses for the FTC and North Carolina Attorney General's office, along with a statement that the individual “can obtain information from these sources about preventing identity theft.”

  5. Notice to state regulators or credit bureaus: If any North Carolina residents are notified, the company must notify the North Carolina Attorney General's Consumer Protection Division, without unreasonable delay, of the nature of the breach, the number of consumers affected, steps taken to investigate the breach, steps taken to prevent a similar breach in the future, and information regarding the timing, distribution, and content of the notice.

    If a company notifies more than 1000 North Carolina residents at once, the company must notify the consumer reporting agencies of the timing, distribution, and content of the individual notices.

North Dakota

N.D. Cent. Code §§ 51-30-01 et seq.

  1. Types of personal information covered: An individual's first name or first initial and last name along with at least one of the following: (1) Social Security number; (2) driver's license or state ID card number; (3) financial account or credit or debit card number, along with any required code or password; (4) date of birth; (5) mother's maiden name; (6) medical information; (7) health insurance information; (8) employee identification number along with any required code or password; or (9) digitized or other electronic signature.
  2. Exceptions to notice requirement: (1) If the information is encrypted or otherwise rendered unreadable or unusable; (2) a financial institution that complies with the Interagency Guidance; or (3) if the company follows the security breach notification procedures of its information security policy, consistent with this statute's timing requirements.
  3. Timing of notice to individuals: In the “most expedient time possible and without unreasonable delay,” consistent with legitimate law enforcement needs and measures that are necessary to determine the breach's scope and restore the system's integrity.
  4. Form of notice to individuals: (1) Written notice; (2) electronic notice; or (3) substitute notice, if the cost of providing notice would exceed $250,000, more than 500,000 individuals would need to be notified, or the company does not have sufficient contact information. Substitute notice consists of email to available addresses, conspicuous posting of the notice on the company's website, and notification to major statewide media.
  5. Notice to state regulators or credit bureaus: If a company notifies more than 250 individuals of a data breach, it must disclose the breach to the North Dakota Attorney General by mail or email.

Ohio

Ohio Rev. Code §§ 1349.19 et seq.

  1. Types of personal information covered: First name or first initial and last name in combination with at least one of the following: (1) Social Security number; (2) driver's license or ID card number; or (3) account number or credit or debit card number, along with code or password necessary to access financial account. Personal information does not include information that already had lawfully been made publicly available by or to the news media.
  2. Exceptions to notice requirement: (1) Encrypted or redacted personal information; (2) if the company is a financial institution, trust company, or credit union or affiliate of such, and is required by federal law to issue breach notices to affected customers; (3) if the company is a covered entity or business associate under HIPAA; or (4) if the company does not “reasonably believe” that the breach will cause a “material risk of identity theft or other fraud” to Ohio residents.
  3. Timing of notice to individuals: Disclosure must be provided in the “most expedient time possible,” but no later than forty-five days after discovery or notification of the breach, subject to legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach and to restore system integrity.
  4. Form of notice to individuals: (1) Written notice; (2) telephonic notice; (3) electronic notice, if that is the company's primary method of communicating with the individual; or (3) substitute notice if the company demonstrates that the cost of notice exceeds $250,000, at least 500,000 Ohio residents would need to be notified, or the company does not have sufficient contact information. Substitute notice consists of email notice when available, conspicuous posting of the notice on the company's website, and notification to major media outlets, with the cumulative total readership, viewing audience, or listening audience combined is equal to at least 75 percent of Ohio's population.

    Separately, Ohio allows a separate form of substitute notice if the company has ten or fewer employees and the cost of notice would exceed $10,000. In this case, the substitute notice must include (1) notice by a paid advertisement in a local newspaper that is distributed in the area in which the company is located, with the advertisement covering at least one-quarter of a page and published at least weekly for three consecutive weeks; (2) conspicuous posting of the notice on the company's website; and (3) notice to major media outlets in the company's geographic area.

  5. Notice to state regulators or credit bureaus: Notice to state regulators not required. Notice to credit reporting agencies required, provided that more than 1000 Ohio residents are notified. The notice to credit reporting agencies must describe the timing, distribution, and content of the individual breach notices.

Oklahoma

Okla. Stat. tit. 24 §§ 161–165

  1. Types of personal information covered: First name or first initial and last name in combination with at least one of the following: (1) Social Security number; (2) driver's license or ID card number; or (3) financial account number or credit or debit card number, along with code or password necessary to access financial account.
  2. Exceptions to notice requirement: (1) Encrypted personal information, provided that the key was not accessed; (2) redacted personal information; (3) if the company follows its internal notification procedures and is consistent with the statute's timing requirements; (3) if a company that is regulated by another state or federal law and follows that system's notification rules; (4) a financial institution that complies with the federal Interagency Guidance on response programs; (5) a company that complies with notification procedures established by its primary or functional federal regulator; or (6) if the breach did not cause and is not reasonably believed to cause “identity theft or other fraud.”
  3. Timing of notice to individuals: Disclosure must be provided “without unreasonable delay,” though delay is permitted for law enforcement purposes or to determine the scope of the breach and restore reasonable integrity to the system.
  4. Form of notice to individuals: (1) Written notice to postal address listed in company's records; (2) telephonic notice; (3) electronic notice; (4) substitute notice if the company demonstrates that the cost of notice exceeds $50,000, at least 100,000 Oklahoma residents would need to be notified, or the company does not have sufficient contact information. Substitute notice consists of email notice when available, conspicuous posting of the notice on the company's website, and notification to major statewide media.
  5. Notice to state regulators or credit bureaus: Notice to state regulators or credit bureaus is not required.

Oregon

Or. Rev. Stat. §§ 646A.600 et seq.

  1. Types of personal information covered: First name or first initial and last name in combination with at least one of the following: (1) Social Security number; (2) driver's license or ID card number; (3) passport number or other identification number issued by the United States; (4) financial account number or credit or debit card number, along with code or password necessary to access financial account; (5) data from “automatic measurements of a consumer's physical characteristics” (e.g., fingerprint or retinal scans) that are used to authenticate a consumer's identity for a transaction; (6) health insurance policy number or health insurance subscriber identification number in combination with unique identifiers used by health insurers; or (7) information about medical history, medical or physical condition, medical diagnosis, or treatment. These seven categories of information – without an individual's name – still could be considered personal information if they would enable identity theft.
  2. Exceptions to notice requirement: (1) Encrypted or redacted personal information; (2) if the company follows its internal notification procedures and is consistent with the statute's timing requirements; (3) if a company follows notification rules from its primary or functional federal regulator – or a state or federal law – provided that they provide greater protection to personal information and contain disclosure requirements that are “at least as thorough” as those in the Oregon law; (4) the company is a financial institution that complies with Gramm-Leach-Bliley; or (5) if, after an appropriate investigation or consultation with law enforcement, the company “reasonably determines” that the consumers are “unlikely to suffer harm.” This determination must be documented in writing and retained for at least five years.
  3. Timing of notice to individuals: Disclosure must be provided in the most “expeditious manner possible” and “without unreasonable delay,” consistent with legitimate needs of law enforcement and measures necessary to determine contact information for affected consumers, the scope of the breach, and restore reasonable integrity, security, and confidentiality of the personal information
  4. Form of notice to individuals: (1) Written notice; (2) telephonic notice, if the company directly contacts the consumer; (3) electronic notice, if that is the company's customary method of communicating with the individual; or (4) substitute notice if the company demonstrates that the cost of notice exceeds $250,000, at least 350,000 Oregon residents would need to be notified, or the company does not have sufficient contact information. Substitute notice consists of email notice when available, conspicuous posting of the notice on the company's website, and notification to major statewide television and media.

    Notice must contain a description of the data breach “in general terms,” the approximate date of the breach, the type of personal information that was subject to the breach, contact information for the company that was subject to the breach, contact information for credit bureaus, and advice to report suspected identity theft to law enforcement, including the Attorney General and the Federal Trade Commission.

  5. Notice to state regulators or credit bureaus: If the number of affected Oregon residents exceeds 250, the company, either in writing or electronically, must provide the Oregon Attorney General with the same notice provided to consumers. Notice to credit reporting agencies without unreasonable delay is required, provided that more than 1000 Oregon residents are affected. The notice to credit bureaus should include the notice provided to individuals, and any police report number assigned to the data breach.

Pennsylvania

73 Pa. Stat. §§ 2301 et seq.

  1. Types of personal information covered: First name or first initial and last name in combination with at least one of the following: (1) Social Security number; (2) driver's license or ID card number; or (3) financial account number or credit or debit card number, along with code or password necessary to access financial account.
  2. Exceptions to notice requirement: (1) Encrypted information, if the key was not accessed; (2) redacted information; (3) if the company follows its internal notification procedures; (4) if a company complies with the notification requirements of its primary or functional federal regulator; (5) if the company is a financial institution that complies with the Interagency Guidance procedures; or (6) if the company does not “reasonably” believe that the breach has caused or will cause “loss or injury” to a Pennsylvania resident.
  3. Timing of notice to individuals: Disclosure must be provided “without unreasonable delay,” except to determine the scope of the breach and restore the reasonable integrity of the data system, or at the written request of law enforcement.
  4. Form of notice to individuals: (1) Written notice to the last known postal address; (2) telephonic notice, if the individual can be reasonably expected to receive it and the notice clearly and conspicuously describes the incident generally and verifies personal information but does not require the customer to provide personal information, and the customer is provided with a phone number or website for further information or assistance; (3) electronic notice, if a prior business relationship exists and the company has a valid email address for the individual; or (4) substitute notice if the company demonstrates that the cost of notice exceeds $100,000, at least 175,000 Pennsylvania residents would need to be notified, or the company does not have sufficient contact information. Substitute notice consists of email notice when available, conspicuous posting of the notice on the company's website, and notification to major statewide media.
  5. Notice to state regulators or credit bureaus: Notice to state regulators not required. Notice to credit reporting agencies required, provided that more than 1000 Pennsylvania residents are notified. The notice to credit reporting agencies must state the timing, distribution, and number of individual notices.

Rhode Island

R.I. Gen. Laws § 11-49.2-1 et seq.

  1. Types of personal information covered: First name or first initial and last name in combination with at least one of the following: (1) Social Security number; (2) driver's license or ID card number; (3) financial account number or credit or debit card number, along with code or password necessary to access financial account; (4) medical or health insurance information; or (5) email address with any required security code, access code, or password that would permit access to an individual's personal, medical, insurance, or financial account.
  2. Exceptions to notice requirement: (1) Encrypted personal information (using at least 128-bit process); (2) if the company follows its internal notification procedures and is consistent with the statute's timing requirements; (3) if a company follows a breach notification procedures under the rules of its primary or functional regulator; (4) the company is a financial institution that complies with the Interagency Guidelines; (5) the company is a health-related company that complies with HIPAA's breach notification procedures; or (6) if the company determines that the breach does not pose “a significant risk of identity theft” to Rhode Island residents.
  3. Timing of notice to individuals: Disclosure must be provided in the “most expedient time possible” but no later than forty-five days after confirmation of the breach and the ability to ascertain the information required to fulfill the notice requirements, subject to the needs of law enforcement.
  4. Form of notice to individuals: (1) Written notice; (2) electronic notice; or (3) substitute notice if the company demonstrates that the cost of notice exceeds $25,000, at least 50,000 Rhode Island residents would need to be notified, or the company does not have sufficient contact information. Substitute notice consists of email notice when available, conspicuous posting of the notice on the company's website, and notification to major statewide media.

    The individual notices should contain (1) a “general and brief description” of the breach, including how it occurred and the number of affected individuals; (2) the type of information that was breached; (3) date (or estimated date) of the breach; (4) date of discovery of the breach; (5) description of remediation services, including toll-free phone numbers and websites for credit reporting agencies, remediation service providers, and the Rhode Island Attorney General; and (6) a “clear and concise” description of the consumer's ability to file or obtain a police report regarding the data breach, how the individual can request a security freeze on financial accounts, and the fees that consumers may be required to pay to credit bureaus for these remedies.

  5. Notice to state regulators or credit bureaus: Notice to the Attorney General and the major credit bureaus is required if more than 500 Rhode Island residents are notified. The notices should describe the timing, content, and distribution of the individual notices and the approximate number of affected individuals. These notices are not grounds to delay individual notifications.

South Carolina

S.C. Code § 39-1-90

  1. Types of personal information covered: First name or first initial and last name in combination with at least one of the following: (1) Social Security number; (2) driver's license or ID card number; (3) financial account number or credit or debit card number, along with code or password necessary to access financial account; or (4) “other numbers or information which may be used to access a person's financial accounts or numbers or information issued by a governmental or regulatory entity that uniquely will identify an individual.”
  2. Exceptions to notice requirement: (1) Encrypted or redacted personal information; (2) if the company follows its internal notification procedures; (3) if a company is a financial institution or bank subject to the Gramm-Leach-Bliley Act; (4) if the company is a financial institution subject to and complying with the Interagency Guidance; or (5) if the company concludes that illegal use of the information has not occurred, is “not reasonably likely to occur,” and does not create a “material risk of harm” to a South Carolina resident.
  3. Timing of notice to individuals: Disclosure must be provided in the “most expedient time possible and without unreasonable delay,” subject to the needs of law enforcement and to determine the scope of the breach and restore system integrity.
  4. Form of notice to individuals: (1) Written notice; (2) telephonic notice; (3) electronic notice, if that is the company's primary method of communicating with the individual; or (4) substitute notice if the company demonstrates that the cost of notice exceeds $250,000, at least 500,000 South Carolina residents would need to be notified, or the company does not have sufficient contact information. Substitute notice consists of email notice when available, conspicuous posting of the notice on the company's website, and notification to major statewide media.
  5. Notice to state regulators or credit bureaus: If more than 1000 South Carolina residents are notified, the company must notify without unreasonable delay the Consumer Protection Division of the South Carolina Department of Consumer Affairs and the major credit bureaus of the timing, distribution, and content of the notices to individuals.

Tennessee

Tenn. Code § 47-18-2107(a)

  1. Types of personal information covered: First name or first initial and last name in combination with at least one of the following: (1) Social Security number; (2) driver's license or ID card number; or (3) account number or credit or debit card number, along with code or password necessary to access financial account.
  2. Exceptions to notice requirement: (1) If the company is a financial institution subject to the Gramm-Leach-Bliley Act; (2) if the company is subject to HIPAA; (3) if the company complies with its internal notification procedures and is consistent with this statute's timing requirements; or (4) if the company determines that the breach did not “materially” compromise the security, confidentiality, or integrity of personal information.

    Note that Tennessee is the only jurisdiction that does not exempt encrypted information from its breach notification law. However, a company would have a strong argument that encryption eliminates the possibility that the breach “materially” compromised the security, confidentiality, or integrity of the information.

  3. Timing of notice to individuals: Disclosure must be provided immediately, but no later than forty-five days from the discovery or notification of the breach, unless the legitimate needs of law enforcement require a delay.
  4. Form of notice to individuals: (1) Written notice; (2) electronic notice; or (3) substitute notice if the company demonstrates that the cost of notice exceeds $250,000, at least 500,000 Tennessee residents would need to be notified, or the company does not have sufficient contact information. Substitute notice consists of email notice when available, conspicuous posting of the notice on the company's website, and notification to major statewide media.
  5. Notice to state regulators or credit bureaus: Notice to state regulators not required. Notice to credit reporting agencies required, provided that more than 1000 Tennessee residents are notified. The notice to credit reporting agencies must describe the timing, distribution, and content of the individual notices.

Texas

Tex. Bus. & Comm. Code §§ 521.001 et seq.

  1. Types of personal information covered: The Texas statute applies to “sensitive personal information,” which includes two general categories: First name or first initial and last name in combination with at least one of the following: (1) Social Security number; (2) driver's license or ID card number; or (3) financial account number or credit or debit card number, along with code or password necessary to access financial account;

    or

    information that identifies an individual and relates to (1) the physical or mental health or condition of the individual; (2) the provision of health care to the individual; or (3) payment for the provision of healthcare to the individual.

    Some commentators have suggested that the Texas statute could be read to suggest that it requires companies to provide notice even if the individuals do not live in Texas, though no court has ruled on this issue.

  2. Exceptions to notice requirement: (1) Encrypted data, provided that the accessor does not have the key or (2) if the company follows its internal notification procedures and is consistent with the statute's timing requirements.
  3. Timing of notice to individuals: Disclosure must be made “as quickly as possible,” except if a delay is requested by law enforcement or is necessary to determine the scope of the breach and restore the data system's reasonable integrity.
  4. Form of notice to individuals: (1) Written notice to last known address; (2) electronic notice; or (3) substitute notice if the company demonstrates that the cost of notice exceeds $250,000, at least 250,000 people would need to be notified, or the company does not have sufficient contact information. Substitute notice consists of email notice when available, conspicuous posting of the notice on the company's website, and notification published in or broadcast on major statewide media.
  5. Notice to state regulators or credit bureaus: Notice to state regulators is not required. Notice to credit reporting agencies is required, provided that more than 10,000 people are notified under this law. The notice to credit reporting agencies must state the timing, distribution, and content of the individual notices.

Utah

Utah Code §§ 13-44-101 et seq.

  1. Types of personal information covered: First name or first initial and last name in combination with at least one of the following: (1) Social Security number; (2) driver's license or ID card number; or (3) financial account number or credit or debit card number, along with code or password necessary to access financial account.
  2. Exceptions to notice requirement: (1) If the personal information is encrypted or protected by another method that renders the data unreadable or unusable; (2) if the company follows its internal notification procedures and is consistent with the statute's timing requirements; (3) if a company that is regulated by another state or federal law and follows that system's notification rules; or (4) if a good-faith, reasonable, and prompt investigation determines that identity theft or fraud has not occurred and is not “reasonably likely to occur.”
  3. Timing of notice to individuals: Disclosure must be provided in “the most expedient time possible and without unreasonable delay,” subject to the needs of law enforcement and to determine the scope of the breach and restore system integrity.
  4. Form of notice to individuals: (1) Written notice via first-class mail to the individual's most recent address; (2) telephonic notice, including via automatic dialing technology that is not legally prohibited; (3) electronic notice, if that is the company's primary method of communicating with the individual; or (4) publishing a notice in a general circulation newspaper.
  5. Notice to state regulators or credit bureaus: Notice to state regulators or credit bureaus is not required.

Vermont

9 V.S.A. §§ 2430, et seq.

  1. Types of personal information covered: First name or first initial and last name in combination with at least one of the following: (1) Social Security number; (2) driver's license or ID card number; (3) financial account number or credit or debit card number, along with code or password necessary to access financial account; or (4) account passwords, PINS, or other codes that could access a financial account.
  2. Exceptions to notice requirement: (1) Encrypted or redacted personal information; (2) if a company is a financial institution that is subject to the Interagency Guidance; or (3) the company determines that misuse of personal information is “not reasonably possible” and notifies the Vermont Attorney General or Vermont Department of Financial Regulation of this determination.
  3. Timing of notice to individuals: Disclosure must be provided “in the most expedient time possible and without unreasonable delay,” but not later than forty-five days after the discovery or notification, subject to the needs of law enforcement and to determine the scope of the breach and restore systems integrity.
  4. Form of notice to individuals: (1) Written notice to the individual's residence; (2) telephonic notice, provided that telephonic contact is made directly with each affected individual and not via a prerecorded message; (3) electronic notice, if the company has a valid email address; or (4) substitute notice if the company demonstrates that the cost of notice exceeds $5,000, at least 5000 Vermont residents would need to be notified, or the company does not have sufficient contact information. Substitute notice consists of conspicuous posting of the notice on the company's website and notification to major statewide and regional media.

    Individual notices must contain (1) a description of the breach; (2) the type of personal information that was breached; (3) the steps that the company took to protect against further unauthorized access; (4) a toll-free number for more information; (5) advice to “remain vigilant” by reviewing account statements and free credit reports; and (6) date of the breach.

  5. Notice to state regulators or credit bureaus:

    Vermont requires two forms of notice to state regulators.

    First, the Vermont Attorney General or Department of Financial Regulation must be notified of the dates of the breach and discovery, along with a preliminary description, within fourteen business days, consistent with the needs of law enforcement. Companies must notify state regulators no later than when they notify consumers. In other words, if a company notifies consumers seven days after discovering a breach, it must notify Vermont regulators at the same time that it notifies consumers, even though the fourteen-day period has not elapsed. If, before the breach occurs, the company swears in writing to the Attorney General that it maintains written security policies and procedures and responds to breaches in a manner consistent with Vermont law, they need only notify state regulators of the date of the breach and discovery of the breach before they notify individuals.

    Second, when companies notify Vermont residents of data breaches, they also must provide Vermont regulators with a copy of the individual notice and the number of Vermont residents who were notified.

    If more than 1000 consumers are notified, the company shall notify credit bureaus, without unreasonable delay, of the timing, distribution, and content of the notice.

Virginia

Va. Code § 18.2-186.6

  1. Types of personal information covered: First name or first initial and last name in combination with at least one of the following: (1) Social Security number; (2) driver's license or ID card number; or (3) financial account number or credit or debit card number, along with code or password necessary to access financial account.
  2. Exceptions to notice requirement: (1) Encrypted or redacted personal information; (2) if the company follows its internal notification procedures and is consistent with the statute's timing requirements; (3) if the company is subject to and complies with the notification requirements of the Gramm-Leach-Bliley Act or the requirements of its primary or functional state or federal regulator; or (4) if the company does not reasonably believe that the breach “has caused or will cause identity theft or other fraud” to a Virginia resident.
  3. Timing of notice to individuals: Disclosure must be provided “without unreasonable delay,” subject to the needs of law enforcement and to determine the scope of the breach and restore system integrity.
  4. Form of notice to individuals: (1) Written notice to the last known postal address listed in the company's records; (2) telephonic notice; (3) electronic notice; or (4) substitute notice if the company demonstrates that the cost of notice exceeds $50,000, at least 100,000 Virginia residents would need to be notified, or the company does not have sufficient contact information. Substitute notice consists of email notice when available, conspicuous posting of the notice on the company's website, and notification to major statewide media.

    Notice must describe: (1) the incident “in general terms”; (2) the categories of personal information subject to the breach: (3) the general steps taken to protect the information from further unauthorized access; (4) a phone number for more information, if one exists; and (5) advice to remain vigilant by reviewing account statements and free credit reports.

  5. Notice to state regulators or credit bureaus: Notice to the Virginia Attorney General is required “without unreasonable delay” if any Virginia residents are notified. Notice to credit reporting agencies of the timing, distribution, and content of individual notices is required, provided that more than 1000 Virginia residents are notified.

Washington State

Wash. Rev. Code § 19.255.010

  1. Types of personal information covered: First name or first initial and last name in combination with at least one of the following: (1) Social Security number; (2) driver's license or ID card number; or (3) financial account number or credit or debit card number, along with code or password necessary to access financial account.
  2. Exceptions to notice requirement: (1) Personal information is encrypted (meeting NIST standards or similar technological guidelines) or otherwise modified to be rendered unreadable, unusable, or undecipherable by the unauthorized accessor; (2) if the company follows its internal notification procedures and is consistent with the statute's timing requirements; (3) if the company is subject to and complies with the notification requirements of HIPAA or the financial institution Interagency Guidelines; or (4) if the company determines that the breach is “not reasonably likely to subject consumers to a risk of harm.”
  3. Timing of notice to individuals: Disclosure must be provided in the “most expedient time possible and without unreasonable delay,” and no later than forty-five days after discovery of the breach, subject to the needs of law enforcement and to determine the scope of the breach and restore system integrity.
  4. Form of notice to individuals: (1) Written notice; (2) electronic notice; or (3) substitute notice if the company demonstrates that the cost of notice exceeds $250,000, at least 500,000 Washington state residents would need to be notified, or the company does not have sufficient contact information. Substitute notice consists of email notice when available, conspicuous posting of the notice on the company's website, and notification to major statewide media.

    Notices must be written in plain language and include (1) name and contact information of the company, a list of the categories of personal information at issue, and toll-free telephone numbers of the major credit reporting agencies if personal information was exposed.

  5. Notice to state regulators or credit bureaus: If a company is required to notify more than 500 Washington state residents of a breach, it must electronically submit a sample copy of that notification, without personally identifiable information, to the Washington State Attorney General, along with the number of Washington State residents affected (or an estimate if the exact number is unknown). Credit bureau notification is not required

West Virginia

W. Va. Code §§ 46A-2A-101 et seq.

  1. Types of personal information covered: First name or first initial and last name in combination with at least one of the following: (1) Social Security number; (2) driver's license or ID card number; or (3) financial account number or credit or debit card number, along with code or password necessary to access financial account.
  2. Exceptions to notice requirement: (1) Encrypted or redacted personal information; (2) if the company follows its internal notification procedures and is consistent with the statute's timing requirements; (3) if a company is subject to and follows the financial institution Federal Intergency Guidance for notifications or the notification requirements of its primary or functional regulator; or (4) if the company does not “reasonably believe that the breach has caused or will cause identity theft or other fraud” to a West Virginia resident.
  3. Timing of notice to individuals: Disclosure must be provided “without unreasonable delay,” subject to the needs of law enforcement and to determine the scope of the breach and restore system integrity.
  4. Form of notice to individuals: (1) Written notice to postal address of the individual; (2) telephonic notice; (3) electronic notice; or (4) substitute notice if the company demonstrates that the cost of notice exceeds $50,000, at least 100,000 West Virginia residents would need to be notified, or the company does not have sufficient contact information. Substitute notice consists of email notice when available, conspicuous posting of the notice on the company's website, and notification to major statewide media.
  5. Notice to state regulators or credit bureaus: Notice to state regulators not required. If more than 1000 West Virginia residents are notified, the company also must notify the credit reporting agencies of the timing, distribution, and content of the notices. This requirement does not apply to financial institutions that are subject to the GLBA.

Wisconsin

Wis. Stat. § 134.98

  1. Types of personal information covered: First name or first initial and last name in combination with at least one of the following: (1) Social Security number; (2) driver's license or ID card number; (3) financial account number or credit or debit card number, along with code or password necessary to access financial account; (4) DNA profile; or (5) unique biometric data, including fingerprint, voice print, retinal or iris image, or other unique physical representation.
  2. Exceptions to notice requirement: (1) Encrypted or redacted personal information; (2) if a company is subject to and follows the financial institution Federal Interagency Guidance for notifications or HIPAA's notification procedures; or (3) if the breach “does not create a material risk of identity theft or fraud to the subject of the personal information.”
  3. Timing of notice to individuals: Disclosure must be provided “within a reasonable time,” not to exceed forty-five days after the company learns of the breach. Reasonableness determinations should consider the number of notices required and methods of communication available. Notice may be delayed at the request of law enforcement.
  4. Form of notice to individuals: The notice must be provided by mail or the method the company has previously used to communicate with the individual. If, with reasonable diligence, the company cannot determine the individual's mailing address and has not previously communicated with the individual, the company must use a “method reasonably calculated to provide actual notice to the subject of the personal information.”

    The individual notice should indicate that the company knows of a breach of personal information pertaining to the individual

  5. Notice to state regulators or credit bureaus: Notice to state regulators not required. If more than 1000 Wisconsin residents are notified, the company also must notify the credit reporting agencies of the timing, distribution, and content of the notices.

Wyoming

Wyo. Stat. §§ 40-12-501 et seq.

  1. Types of personal information covered: First name or first initial and last name in combination with at least one of the following: (1) Social Security number; (2) driver's license number; (3) financial account number, credit card number, or debit card number in combination with any security code or password that would allow access to a financial account; (4) tribal identification card; (5) federal or state government issued ID card; (6) shared secrets or security tokens that are known to be used for data based authentication; (7) username or email address in combination with a password; (8) birth or marriage certificate; (9) medical information; (10) health insurance information; (10) unique biometric data; and (11) individual taxpayer ID number.
  2. Exceptions to notice requirement: (1) Redacted personal information; (2) if the company follows its internal notification procedures and is consistent with the statute's timing requirements; (3) if a company is subject to and follows the financial institution Federal Interagency Guidance for notifications; or (4) if an investigation determines that misuse of the personal information has not occurred and is not “reasonably likely to occur.”
  3. Timing of notice to individuals: Disclosure must be provided in the “most expedient time possible and without unreasonable delay,” consistent with legitimate needs of law enforcement and measures necessary to determine the scope of the breach and restore reasonable integrity of the data system.
  4. Form of notice to individuals: (1) Written notice; (2) electronic notice; or (3) substitute notice if the company demonstrates that the cost of notice exceeds $10,000 for Wyoming-based businesses or $250,000 for other businesses; at least 10,000 Wyoming residents would need to be notified if the company is Wyoming based, or 500,000 Wyoming residents would be notified if the company is not Wyoming based; or the company does not have sufficient contact information. Substitute notice consists of, conspicuous posting of the notice on the company's website, and notification to major statewide media.

    Individual notices must contain, at minimum, (1) a toll-free phone number to contact the company and learn the contact information for major credit bureaus; (2) the types of personal information that were reasonably believed to have been breached; (3) a general description of the breach; (4) the approximate date of the breach, if determinable; (5) the steps taken by the company to prevent further harm; (6) advice to remain vigilant by reviewing account statements and monitoring credit reports; and (7) whether notification was delayed due to a law enforcement investigation, if that is possible to determine at the time of the notice.

  5. Notice to state regulators or credit bureaus: Notice to state regulators and credit bureaus is not required.
..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
3.22.79.179