Security Breach Laws

Security Breach Notification requirements

Presentation Transcript

    • INTERNATIONAL SECURITY BREACH NOTIFICATION SURVEY: UNITED STATES

    This document does not replace review of the applicable laws, and the US content is based upon Chapter 22 of Andrew Serwin, Information Security and Privacy: A Guide to Federal and State and Compliance (3rd ed. West 2009). It does not constitute legal advice.
    • INTERNATIONAL SECURITY BREACH NOTIFICATION SURVEY (UNITED STATES CONTENT AS OF AUGUST 26, 2009)

    The original survey is a table with the following columns for each state: State (citation); Notice Requirements; Timing of Disclosure; Form of Disclosure; Entities that Maintain Data; Existing Policies; Exemptions from Disclosure; Damages/Enforcement; Preemption. Each state's entry is set out below under those headings; a heading is omitted where the table has no entry for that state.

    Alaska (Alaska Stat. §§ 45.48.010 to .90; effective July 2009)

    Notice Requirements: If a breach of an information system containing Personal Information occurs, the breach must be disclosed to each Alaska resident whose personal information was subject to the breach. Personal information is an individual's first name or first initial and last name in combination with any of the following that is not encrypted, redacted, or secured: (1) SSN; (2) driver's or identification number; (3) financial account number or credit/debit card number with any required security code, access code, or password; (4) passwords, PINs, or other access codes for financial accounts. If a security breach requires notice to more than 1,000 individuals, notice of the breach must also be provided to all consumer credit reporting agencies that compile and maintain files on consumers on a nationwide basis, and the agencies must be provided with the timing, distribution, and content of the notices. Names and personal information of individuals subject to the breach are not required. Notice to Other Entities: includes information "in any form".

    Timing of Disclosure: Notification must be given in the most expedient manner and without unreasonable delay. Notification may be delayed to participate in connection with a criminal investigation of the breach.

    Form of Disclosure: Disclosure to be given in one of the following forms: 1) written notice; 2) electronic notice (only if this is the primary method of communication with the individual); 3) telephonic; or 4) substitute notice. Substitute notice is permissible only if: (i) the cost of providing notice would exceed $150,000; (ii) the affected class exceeds 300,000 people; or (iii) insufficient contact information. Substitute notice must consist of: (a) email notice (if email addresses are known); (b) conspicuous posting on website (if one is maintained); and (c) notification to major statewide media.

    Entities that Maintain Data: Persons that maintain Personal Information are not required to comply with the notice requirements. Instead, upon discovery of the breach they must notify the information owner about the breach and cooperate to the extent necessary to allow the information owner to satisfy the notice requirements.

    Exemptions from Disclosure: Disclosure is not required if, after an appropriate investigation, and after written notification to the attorney general, it is determined that there is not a reasonable likelihood that harm to the consumers whose personal information has been acquired has resulted or will result from the breach. (In short: no likelihood of harm PLUS written notification to the AG.)

    Damages/Enforcement: Violation of the statute is considered a violation of Alaska's unfair or deceptive practices act. However, the information owner is not subject to civil penalties and damages under the statute and instead is liable to the state for a civil penalty of up to $500 for each Alaska resident who was not notified, in an amount not to exceed $50,000. Damages that can be awarded under the statute are limited to actual economic damages that do not exceed $500.
    Arizona (Ariz. Rev. Stat. § 44-7501)

    Notice Requirements: Notification must be given to affected persons by those who own or license unencrypted data that includes Personal Information once that person becomes aware of an incident of unauthorized acquisition AND access to unencrypted information that includes Personal Information. Personal Information is any individual's first name or first initial and last name in combination with any of the following elements that is not encrypted, redacted or secured: (1) SSN; (2) driver's license number or identification number; (3) financial account number or credit/debit card number with any required security code, access code or password.

    Timing of Disclosure: Notification must be given in the most expedient manner and without unreasonable delay. Notification may be delayed to participate in connection with a criminal investigation of the breach.

    Form of Disclosure: Disclosure to be given in one of the following forms: 1) written notice; 2) electronic notice (only if this is the primary method of communication with the individual); 3) telephonic; or 4) substitute notice. Substitute notice is permissible only if: (i) the cost of providing notice would exceed $100,000; (ii) the affected class exceeds 100,000 people; or (iii) insufficient contact information. Substitute notice must consist of: (a) email notice (if email addresses are known); (b) conspicuous posting on website (if one is maintained); and (c) notification to major statewide media.

    Entities that Maintain Data: Persons that maintain unencrypted Personal Information are obligated to cooperate with the owner of the information with respect to any breach. The person maintaining the information is only required to provide notice of a breach if the agreement with the owner of the information so requires.

    Existing Policies: If notification procedures are included in a person's security policy, that person is in compliance with the notification requirements in Arizona if individuals are notified in accordance with those procedures.

    Exemptions from Disclosure: Disclosure is not required if, after a reasonable investigation, it is determined that a breach did not occur or is not reasonably likely to occur.

    Damages/Enforcement: Actual damages and a civil penalty not to exceed $10,000 per breach or series of breaches of a similar nature that are discovered in a single investigation.

    Preemption: If a person is in compliance with guidelines established by the primary or functional federal regulator, such person is deemed in compliance with this law.

    Arkansas (Ark. Code §§ 4-88-113, -10-105)

    Notice Requirements: Breaches of security systems that include Personal Information must be disclosed to the affected parties following discovery of the breach if unencrypted Personal Information was, or is reasonably believed to have been, acquired by an unauthorized person. Personal Information means an individual's first name or first initial and last name in combination with any of the following non-redacted or non-encrypted elements: (1) SSN; (2) driver's license number or Arkansas identification card number; (3) account number or credit/debit card number with any required security code, access code or password; or (4) medical information. The PI definition includes health data.

    Timing of Disclosure: Notification must be given in the most expedient manner and without unreasonable delay. Notification may be delayed to participate in connection with a criminal investigation of the breach.

    Form of Disclosure: Disclosure to be given in one of the following forms: 1) written notice; 2) electronic notice (if consistent with federal electronic signature laws); or 3) substitute notice. Substitute notice is permissible only if: (i) the cost of providing notice would exceed $250,000; (ii) the affected class exceeds 500,000 people; or (iii) insufficient contact information. Substitute notice must consist of: (a) email notice (if email addresses are known); (b) conspicuous posting on website (if one is maintained); and (c) notification to major statewide media.

    Entities that Maintain Data: Any person that maintains Personal Information must give notice to the person that owns the information immediately following discovery of a breach.

    Existing Policies: Data owners are permitted to utilize their own notification procedures if the procedures are part of an information security policy and the policy is otherwise consistent with the timing required by Arkansas law.

    Exemptions from Disclosure: No notice is required if, after a reasonable investigation, the person determines there is no reasonable likelihood of harm.

    Damages/Enforcement: Violators of the law are guilty of a Class A misdemeanor. Civil enforcement actions may also be brought.

    Preemption: Arkansas law does not apply to businesses regulated by a state or federal law that provides greater protection to Personal Information and at least as thorough disclosure requirements as otherwise provided by Arkansas law.

    California (Cal. Civ. Code § 1798.82)

    Notice Requirements: The law applies to any Company that conducts business in California. If an owner (i) conducts business in CA; (ii) owns or licenses unencrypted computer information; and (iii) the data contains Personal Information regarding a resident, then disclosure is required. Also, if there is a security breach of a system containing Personal Information and it is known or reasonably believed that Personal Information has been acquired, then disclosure must also be made. Personal Information means an individual's first name or middle initial combined with a last name and any of the following: (1) SSN; (2) CA driver's license number or identification card number; (3) account number or credit/debit card number with any required security code, access code or password; (4) medical information; (5) health insurance information. The PI definition includes health and health insurance information.

    Timing of Disclosure: Disclosure to be made as expediently as possible, and without unreasonable delay, unless there is a concern that disclosure will impede a criminal investigation.

    Form of Disclosure: Disclosure to be given in one of the following forms: 1) written notice; 2) electronic notice (if consistent with federal electronic signature laws); or 3) substitute notice. Substitute notice is permissible only if: (i) the cost of providing notice would exceed $250,000; (ii) the affected class exceeds 500,000 people; or (iii) insufficient contact information. Substitute notice must consist of: (a) email notice (if email addresses are known); (b) conspicuous posting on website (if one is maintained); and (c) notification to major statewide media.

    Entities that Maintain Data: Any person that maintains Personal Information must give notice to the person that owns the information immediately following discovery of a breach.

    Existing Policies: Data owners may continue using their own disclosure regimes if they are part of a broader information security policy, but only if the policy is consistent with the timing requirements of California law.

    Exemptions from Disclosure: Compliance cannot be waived by the affected individual.

    Damages/Enforcement: Any consumer injured by a violation of this law can bring a civil action to recover damages.

    California (Cal. Health & Safety Code § 1280.15)

    Notice Requirements: A clinic, health facility, home health agency, or hospice licensed under California law must prevent unlawful or unauthorized access to, use of, and disclosure of patients' medical information. Such organizations must also report to the State Department of Public Health and to the affected patient or patient's representative any unlawful or unauthorized access, use, or disclosure of medical information. Medical information means any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient's medical history, mental or physical condition, or treatment. Individually identifiable means that the medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the patient's name, address, electronic mail address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the individual's identity.

    Timing of Disclosure: The report to the State Department of Public Health must be made no later than 5 days after the unlawful or unauthorized access, use, or disclosure was detected. The report must be made to the affected patient or patient's representative at the last known address no later than 5 days after the unlawful or unauthorized access, use, or disclosure was detected.

    Damages/Enforcement: The State Department of Public Health, after investigation, may assess an administrative penalty for a violation of up to $25,000 per patient whose medical information was unlawfully or without any authorization accessed, used, or disclosed; and up to $17,500 per subsequent occurrence of unlawful or unauthorized access, use, or disclosure of that patient's medical information. Following the initial 5 day reporting period, the State Department of Public Health may assess a penalty in the amount of $100 for each day that the unlawful or unauthorized access, use, or disclosure is not reported. The total combined penalty assessed by the State Department of Public Health must not exceed $250,000 per reported event. Within 10 days of receipt of a penalty assessment, a hearing may be requested to dispute a determination by the State Department of Public Health regarding a failure to prevent or failure to timely report unlawful or unauthorized access to, use of, or disclosure of patients' medical information, or the imposition of a penalty. In lieu of disputing the determination of the State Department of Public Health regarding a failure to prevent or failure to timely report unlawful or unauthorized access to, use of, or disclosure of patients' medical information, the organization may transmit to the department 75% of the total amount of the administrative penalty for each violation, within 30 days of receipt of the administrative penalty. The State Department of Public Health may refer violations to the Office of Health Information Integrity for enforcement.

    Colorado (Colo. Rev. Stat. § 6-1-716)

    Notice Requirements: Notice requirements apply to entities that conduct business in Colorado who own or license computerized data that includes Personal Information. If notification is to be given to more than 1,000 Colorado residents, the data owner must also notify all consumer reporting agencies. Personal Information means an individual's first name or first initial and last name in combination with any of the following non-redacted or non-encrypted elements: (1) SSN; (2) driver's license number or identification card number; or (3) account number or credit/debit card number with any required security code, access code or password. Notice to Other Entities is required.

    Timing of Disclosure: Disclosure to be made as expediently as possible, and without unreasonable delay, unless there is a concern that disclosure will impede a criminal investigation.

    Form of Disclosure: Disclosure to be given in one of the following forms: 1) written notice; 2) telephonic notice; 3) electronic notice (if it is a primary means of communication or it is consistent with federal electronic signature laws); or 4) substitute notice. Substitute notice is permissible only if: (i) the cost of providing notice would exceed $250,000; (ii) the affected class exceeds 250,000 Colorado residents; or (iii) insufficient contact information. Substitute notice must consist of: (a) email notice (if email addresses are known); (b) conspicuous posting on website (if one is maintained); and (c) notification to major statewide media.

    Entities that Maintain Data: Any person that maintains Personal Information must give notice to the person that owns the information immediately following discovery of a breach, if misuse of Personal Information is likely to occur.

    Existing Policies: Data owners who maintain their own notification procedures which are consistent with the timing requirements of Colorado law are deemed to be in compliance with the notice requirements if notification is provided in accordance with its policies.

    Exemptions from Disclosure: No notification is required if it is determined (after reasonable investigation) that the breach did not occur or is not reasonably likely to occur.

    Damages/Enforcement: The Attorney General may bring an action to address violations of this section and for other relief that may be appropriate to ensure compliance with the law.

    Preemption: A data owner who is regulated by state or federal law and who maintains procedures for breaches pursuant to the laws, rules, regulations, guidance or guidelines established by the applicable principal regulator is deemed to be in compliance with this statute.
    Connecticut (Conn. Gen. Stat. Ann. § 36a-701b)

    Notice Requirements: Notice requirements apply to entities that conduct business in Connecticut who own, license or maintain computerized data that includes Personal Information. Personal Information means an individual's first name or first initial and last name in combination with any of the following: (1) SSN; (2) driver's license number or identification card number; or (3) account number or credit/debit card number with any required security code, access code or password.

    Timing of Disclosure: Disclosure to be made without unreasonable delay, subject to delay at the request of law enforcement agencies and the completion of investigations to determine the nature of the breach. If notice is delayed, it may only be given after approval by the applicable law enforcement agency.

    Form of Disclosure: Disclosure to be given in one of the following forms: 1) written notice; 2) telephonic notice; 3) electronic notice (if it is consistent with federal electronic signature laws); or 4) substitute notice. Substitute notice is permissible only if: (i) the cost of providing notice would exceed $250,000; (ii) the affected class exceeds 500,000 persons; or (iii) insufficient contact information. Substitute notice must consist of: (a) email notice (if email addresses are known); (b) conspicuous posting on website (if one is maintained); and (c) notification to major statewide media.

    Entities that Maintain Data: Any person that maintains Personal Information must give notice to the person that owns the information immediately following discovery of a breach, if the Personal Information was, or is reasonably believed to have been, accessed by an unauthorized person.

    Existing Policies: Data owners who maintain their own notification procedures which are consistent with the timing requirements of Connecticut law are deemed to be in compliance with the notice requirements if notification is provided in accordance with its policies.

    Exemptions from Disclosure: Notice is not required if, after investigation and consultation with relevant federal, state and local agencies responsible for law enforcement, the person determines that it will not result in harm to the affected individuals.

    Damages/Enforcement: Failure to comply with Connecticut law is considered an unfair trade practice for purposes of section 42-110b of Connecticut's general statutes and will be enforced by the Attorney General.

    Preemption: Any business that complies with procedures pursuant to GLB is deemed to be in compliance with Connecticut law.
    Delaware (Del. Code Ann. tit. 6, §§ 12B-101 to -104)

    Notice Requirements: Notice requirements apply to entities that conduct business in Delaware who own, license or maintain computerized data that includes Personal Information. A breach of a security system means the unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity of the Personal Information maintained by an individual. Personal Information means an individual's first name or first initial and last name in combination with any of the following, when either the name or the element is not encrypted: (1) SSN; (2) DE driver's license number or DE identification card number; (3) account number or credit/debit card number with any required security code, access code or password; or (4) individually identifiable information regarding medical history. The PI definition includes health data.

    Timing of Disclosure: Disclosure to be made in the most expedient time and without unreasonable delay, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach and restore the integrity of the system. If notice is delayed by law enforcement, it may only be given after approval by the applicable law enforcement agency.

    Form of Disclosure: Disclosure to be given in one of the following forms: 1) written notice; 2) telephonic notice; 3) electronic notice (if it is consistent with federal electronic signature laws); or 4) substitute notice. Substitute notice is permissible only if: (i) the cost of providing notice would exceed $75,000; (ii) the affected class exceeds 100,000 persons; or (iii) insufficient contact information. Substitute notice must consist of: (a) email notice (if email addresses are known); (b) conspicuous posting on website (if one is maintained); and (c) notification to major statewide media.

    Entities that Maintain Data: Any person that maintains Personal Information must give notice to the person that owns the information immediately following discovery of a breach, if the Personal Information was, or is reasonably believed to have been, acquired by an unauthorized person.

    Existing Policies: Data owners who maintain their own notification procedures which are consistent with the timing requirements of Delaware law are deemed to be in compliance with the notice requirements if notification is provided in accordance with its policies.

    Damages/Enforcement: Enforcement actions may be brought by Delaware residents, in which case damages are tripled and reasonable attorneys' fees are also recoverable. The Attorney General may also bring actions to address violations.

    Preemption: A data owner who is complying with provisions of a federal or state law that provide greater protection than Delaware law will be deemed to be in compliance with Delaware law. However, this does not relieve an individual or a commercial entity from a duty to comply with other requirements of state and federal law regarding the protection and privacy of Personal Information.

    Florida (Fla. Stat. § 817.5681)

    Notice Requirements: Notice is required if an unauthorized person obtains Personal Information from a system that contains unencrypted computerized data. A reasonable belief of breach is sufficient to trigger notice requirements. If the breach affects more than 1,000 Florida residents, notification must also be given to the appropriate credit reporting agencies. Personal Information means an individual's first name or middle initial combined with a last name and any of the following: (1) SSN; (2) FL driver's license number or identification card number; or (3) account number or credit/debit card number with any required security code, access code or password. Notice to other entities is required.

    Timing of Disclosure: Notification is to be made within 45 days of the discovery of the breach, subject to: (i) legitimate needs of law enforcement, and (ii) measures needed to determine the nature, presence and scope of the breach and to restore the reasonable integrity of the system. The following civil penalties apply to untimely notice: (1) $1,000 per day for the first 30 day period; (2) $50,000 for each 30 day period thereafter up to 180 days; or (3) up to $500,000 if notice is not given within 180 days. Penalties are per breach, not per individual. In short: notice within 45 days, with exceptions.

    Form of Disclosure: Disclosure to be given in one of the following forms: 1) written notice; 2) electronic notice (if it is consistent with federal electronic signature laws); or 3) substitute notice. Substitute notice is permissible only if: (i) the cost of providing notice would exceed $250,000; (ii) the affected class exceeds 500,000 persons; or (iii) insufficient contact information. Substitute notice must consist of: (a) email notice (if email addresses are known); (b) conspicuous posting on website (if one is maintained); and (c) notification to major statewide media.

    Entities that Maintain Data: Any person that maintains Personal Information for others must give notice to the person that owns the information within 10 days of receiving actual knowledge or a reasonable belief of a breach. Either the owner of the information or the party maintaining the information may provide notice, though if there is no agreement regarding the obligated party, the entity with the direct business relationship with the consumer must provide the notice.

    Existing Policies: Data owners who maintain their own notification procedures which are consistent with the timing requirements of Florida law are deemed to be in compliance with the notice requirements if notification is provided in accordance with its policies.

    Exemptions from Disclosure: No notice is required if, after consultation with law enforcement, it is reasonably determined that the breach has not and will not likely result in harm to the affected individuals. If this exemption is relied upon, it must be put in writing and maintained by the Company for a period of 5 years.

    Damages/Enforcement: The notice must be given within 45 days of the discovery of the breach unless one of the two exceptions noted under Timing applies. If notice is not given within this timeframe there are civil penalties available, up to a total of $500,000, as follows: (i) $1,000 per day for the first 30 day period; (ii) $50,000 for each 30 day period thereafter up to 180 days; or (iii) up to $500,000 if notice is not given within 180 days. The penalties apply per breach, not per affected individual. These penalties do not apply to the government, but can apply to certain entities that have entered a contract with the government.

    Preemption: A data owner who is regulated by federal law and who maintains procedures for breaches pursuant to the laws, rules, regulations, guidance or guidelines established by the applicable principal regulator is deemed to be in compliance with this statute.
Georgia (Ga. Code Ann. §§ 10-1-912, 46-5-210)

Notice Requirements: A person that maintains computerized data that includes Personal Information of individuals must give notice of any breach of the security of the system following discovery or notification of the breach to any resident of Georgia whose Personal Information was or is reasonably believed to have been acquired by an unauthorized person. If notification must be given to more than 10,000 Georgia residents with respect to any single breach, notice must also be given to all consumer reporting agencies. A breach is an unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity of Personal Information. Personal Information means an individual’s first name or first initial and last name in combination with any of the following, when either the name or the element is not encrypted: (1) SSN; (2) GA driver’s license number or GA identification card number; (3) account number or credit/debit card number if they can be used without access codes or passwords; (4) account passwords or personal identification numbers or other access codes; or (5) any of the above when not in connection with the first name or last name, if the information would be sufficient to perform or attempt to perform identity theft against the person. Notice to Other Entities is Required.

Timing of Disclosure: Disclosure to be made in the most expedient time and without unreasonable delay, consistent with legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach and restore the integrity of the system. If notice is delayed by law enforcement, it may only be given after approval by the applicable law enforcement agency.

Form of Disclosure: Disclosure to be given in one of the following forms: 1) written notice; 2) telephonic notice; 3) electronic notice (if it is consistent with federal electronic signature laws); or 4) substitute notice. Substitute notice is permissible only if: (i) the cost of providing notice would exceed $50,000; (ii) the affected class exceeds 100,000 persons; or (iii) insufficient contact information. Substitute notice must consist of: (a) email notice (if email addresses are known); (b) conspicuous posting on website (if one is maintained); and (c) notification to major statewide media.

Entities that Maintain Data: Any person that maintains Personal Information must give notice to the person that owns the information within 24 hours following discovery of a breach, if the Personal Information was, or is reasonably believed to have been, acquired by an unauthorized person.

Existing Policies: Data owners who maintain their own notification procedures which are consistent with the timing requirements of Georgia law are deemed to be in compliance with the notice requirements if notification is provided in accordance with their policies.

Damages/Enforcement: Violations constitute an unfair or deceptive practice in consumer transactions under the Fair Business Practices Act.

Hawaii (Haw. Rev. Stat. §§ 487N-1 to -4)

Notice Requirements: Notice requirements apply to any business that owns or licenses Personal Information of residents of Hawaii, any business that conducts business in Hawaii that owns, licenses or maintains computerized data that includes Personal Information, and governmental agencies that collect Personal Information. If notification must be given to more than 1,000 Hawaii residents with respect to any single breach, notice must also be given to the State of Hawaii’s Office of Consumer Protection and all consumer reporting agencies. Personal Information means an individual’s first name or first initial and last name in combination with any of the following, when either the name or the element is not encrypted: (1) SSN; (2) HI driver’s license number or HI identification card number; or (3) account number or credit/debit card number with any required security code, access code or password. Notice to Other Entities is Required. Applies to all forms of data. Specific Notice requirements.

Timing of Disclosure: Disclosure to be made without unreasonable delay, subject to delay at the request of law enforcement agencies and the completion of investigations to determine the nature of the breach. If notice is delayed, it may only be given after approval by the applicable law enforcement agency.

Form of Disclosure: Disclosure to be given in one of the following forms: 1) written notice; 2) telephonic notice; 3) electronic notice (if it is consistent with federal electronic signature laws); or 4) substitute notice. Substitute notice is permissible only if: (i) the cost of providing notice would exceed $100,000; (ii) the affected class exceeds 200,000 persons; or (iii) insufficient contact information. Substitute notice must consist of: (a) email notice (if email addresses are known); (b) conspicuous posting on website (if one is maintained); and (c) notification to major statewide media. Notice must be clear and include the following: (i) the incident in general terms; (ii) the type of Personal Information that was subject to the breach; (iii) the acts of the business to protect the Personal Information; (iv) a telephone number to call for further information; and (v) advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports.

Entities that Maintain Data: Any person that maintains Personal Information must give notice to the person that owns the information immediately following discovery of a breach.

Damages/Enforcement: The Attorney General or the Director of the Office of Consumer Protection may bring actions under this law. Damages are limited to actual damages sustained as a result of the violation.

Preemption: The following are deemed in compliance: 1) a financial institution that is subject to the Federal Guidance on Response Programs for Unauthorized Access to Consumer Information and Customer Notice published by the Federal Register on March 29, 2005; and 2) health plans and healthcare providers that are subject to and in compliance with the standards for privacy of individually identifiable health information and the security standards for the protection of electronic health information.

Idaho (Idaho Code Ann. §§ 28-51-105 to -107)

Notice Requirements: Any agency, individual or commercial entity that conducts business in Idaho that owns or licenses computerized data that includes Personal Information about an Idaho resident must give notice to the affected resident if it becomes aware of a breach of the security of the system and determines that misuse has occurred or is reasonably likely to occur. Personal Information means an individual’s first name or first initial and last name in combination with any of the following, when either the name or the element is not encrypted: (1) SSN; (2) driver’s license number or ID identification card number; or (3) account number or credit/debit card number with any required security code, access code or password.

Timing of Disclosure: Disclosure to be made in the most expedient time and without unreasonable delay, consistent with legitimate needs of law enforcement. If notice is delayed by law enforcement, notice may only be given after approval by the applicable law enforcement agency.

Form of Disclosure: Disclosure to be given in one of the following forms: 1) written notice; 2) telephonic notice; 3) electronic notice (if it is consistent with federal electronic signature laws); or 4) substitute notice. Substitute notice is permissible only if: (i) the cost of providing notice would exceed $25,000; (ii) the affected class exceeds 50,000 persons; or (iii) insufficient contact information. Substitute notice must consist of: (a) email notice (if email addresses are known); (b) conspicuous posting on website (if one is maintained); and (c) notification to major statewide media.

Entities that Maintain Data: Persons that maintain computerized data owned by others that includes Personal Information must give notice to and cooperate with the owner or licensee of the information of any breach following discovery of the breach if misuse of Personal Information is reasonably likely to occur.

Existing Policies: Data owners who maintain their own notification procedures which are consistent with the timing requirements of Idaho law are deemed to be in compliance with the notice requirements if notification is provided in accordance with their policies.

Damages/Enforcement: Enforcement actions are brought by the primary regulator; fines may not exceed $25,000 per breach.

Preemption: A data owner who is regulated by state or federal law and who maintains procedures for breaches pursuant to the laws, rules, regulations, guidance or guidelines established by the applicable principal regulator is deemed to be in compliance with this statute if the entity complies with the maintained procedures.

Illinois (815 Ill. Comp. Stat. 530/5 to /25)

Notice Requirements: Anyone that handles, collects, disseminates or otherwise deals with nonpublic Personal Information that it either owns or licenses is obligated to notify residents of any breach of the security of system data. A breach means the unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity of Personal Information. Personal Information means an individual’s first name or first initial and last name in combination with any of the following, when either the name or the element is not encrypted: (1) SSN; (2) driver’s license number or state identification card number; or (3) account number or credit/debit card number with any required security code, access code or password.

Timing of Disclosure: Notification of breach must be provided in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security and confidentiality of the system.

Form of Disclosure: Disclosure to be given in one of the following forms: 1) written notice; 2) electronic notice (if it is consistent with federal electronic signature laws); or 3) substitute notice. Substitute notice is permissible only if: (i) the cost of providing notice would exceed $250,000; (ii) the affected class exceeds 500,000 persons; or (iii) insufficient contact information. Substitute notice must consist of: (a) email notice (if email addresses are known); (b) conspicuous posting on website (if one is maintained); and (c) notification to major statewide media.

Entities that Maintain Data: Persons that maintain computerized data owned by others that includes Personal Information must give notice to and cooperate with the owner or licensee of the information of any breach following discovery of the breach if the Personal Information was, or is reasonably believed to have been, acquired by an unauthorized person.

Existing Policies: Data owners who maintain their own notification procedures which are consistent with the timing requirements of Illinois law are deemed to be in compliance with the notice requirements if notification is provided in accordance with their policies.

Damages/Enforcement: Violations are considered unlawful practices under the Consumer Fraud and Deceptive Business Practices Act.

Indiana (Ind. Code §§ 24-4.9-1 to -5)

Notice Requirements: Any business that owns or licenses computerized data that includes Personal Information must disclose a breach of the security of the system if unencrypted information was or may have been acquired by unauthorized persons, or if encrypted information was or may have been acquired by unauthorized persons with access to the encryption key, when the business knows, should know, or should have known that the unauthorized acquisition constituting the breach has resulted in or could result in identity deception, identity theft, or fraud. If the notification is to be given to more than 1,000 individuals, the business must disclose to each consumer reporting agency information necessary to assist in preventing fraud, including personal information of the individuals affected by the breach. A breach is an unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity of Personal Information, including the unauthorized acquisition of computerized data that have been transferred to another medium, including paper, microfilm, or a similar medium, even if the transferred data are no longer in computerized format. Personal Information means an individual’s SSN that is not encrypted or redacted, or an individual’s first name or first initial and last name in combination with any of the following: (1) driver’s license number or state identification card number; (2) state identification card number; (3) credit card number; or (4) financial account number or debit card number with any required security code, password, or access code. Notice to Other Entities is Required. Covers non-electronic information if it was originally computerized data.

Timing of Disclosure: Notification of breach must be provided without unreasonable delay. A delay is reasonable if the delay is (1) necessary to restore the integrity of the computer system; (2) necessary to discover the scope of the breach; or (3) in response to a request from the attorney general or law enforcement to delay disclosure because disclosure will (A) impede a criminal or civil investigation or (B) jeopardize national security. A business must make a disclosure or notification as soon as possible after (1) delay is no longer necessary to restore the integrity of the computer system or to discover the scope of the breach; or (2) the attorney general or a law enforcement agency gives notice that delay will no longer impede a criminal or civil investigation or jeopardize national security.

Form of Disclosure: Disclosure to be given in one of the following forms: 1) mail; 2) telephone; 3) facsimile; or 4) electronic mail, if the business has the electronic mail address of the affected individual. Substitute notice is permissible only if: (i) the cost of providing notice would exceed $250,000; or (ii) the affected class exceeds 500,000 persons. Substitute notice must consist of: (a) conspicuous posting on website (if one is maintained); and (b) notification to major statewide media.

Entities that Maintain Data: A person that maintains computerized data must notify the owner or licensee if the person discovers that personal information was or may have been acquired by an unauthorized person.

Existing Policies: Data owners are not required to make separate disclosures if they maintain their own disclosure procedures that are at least as stringent as the disclosure requirements in (1) this statute; (2) the federal USA Patriot Act; (3) Executive Order 132254; (4) the federal Driver’s Privacy Protection Act; (5) FACTA; (6) the federal Financial Modernization Act; or (7) HIPAA; and the procedure is complied with and requires that Indiana residents be notified. Financial institutions are not required to make disclosures under this law if they comply with the disclosure requirements prescribed under the Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice or the Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice.

Damages/Enforcement: The attorney general may bring an action to obtain any or all of the following: (1) an injunction to enjoin future violations; (2) a civil penalty to exceed (1) $150,000 for each failure to make a required disclosure or notification in connection with a related series of breaches; and (3) the attorney general’s reasonable costs in (A) the investigation of each failure to make a required disclosure or notification in connection with a related series of breaches; and (B) maintaining the action.

Iowa (Iowa Code §§ 715C.1 to .2)

Notice Requirements: Any person that owns or licenses computerized data that includes Personal Information that is used in the course of that person’s business, vocation, occupation, or volunteer activities must give notice of a breach of the security system to any individual whose Personal Information was breached. Personal Information means an individual’s first name or first initial and last name in combination with any of the following: (1) SSN; (2) driver’s license or identification number; (3) financial account, credit/debit card number in combination with the required security code, access code, or password for that account; (4) unique electronic identifier or routing code; or (5) unique biometric data, such as fingerprints or retina images. The PI definition includes biometric data or a unique electronic identifier. Notice content requirements.

Timing of Disclosure: Notification must be made in the most expeditious manner possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and any measures necessary to sufficiently determine contact information and to restore the reasonable integrity, security, and confidentiality of the data. Notice requirements may be delayed if a law enforcement agency determines that notification will impede a criminal investigation and the agency makes a written request that notification be delayed.

Form of Disclosure: Disclosure to be given in one of the following forms: 1) written notice; 2) electronic notice (if it is consistent with federal electronic signature laws); or 3) substitute notice. Substitute notice is permissible only if: (i) the cost of providing notice would exceed $250,000; (ii) the affected class exceeds 350,000 persons; or (iii) insufficient contact information. Substitute notice must consist of: (a) email notice (if email addresses are known); (b) conspicuous posting on website (if one is maintained); and (c) notification to major statewide media. Notice must include (1) a description of the breach of security; (2) the approximate date of the breach; (3) the type of personal information obtained as a result of the breach; (4) contact information for consumer reporting agencies; and (5) advice to the consumer to report suspected identity theft to local law enforcement or the attorney general.

Entities that Maintain Data: Any person that maintains Personal Information must notify the owner or licensor of the breach immediately following discovery of the breach of security that contained Personal Information.

Exemptions from Disclosure: Notification is not required if, after an appropriate investigation or after consultation with federal, state, or local agencies responsible for law enforcement, it is determined that no likelihood of financial harm to the consumer whose Personal Information was breached will result from the breach.

Damages/Enforcement: The Attorney general may enforce violations of the statute and may obtain an order that a party violating the statute pay damages to the attorney general on behalf of a party injured by the violation.

Preemption: A person who complies with security breach notification requirements that provide greater protection to personal information and at least as thorough disclosure requirements than that provided by this law, under rules, regulations, procedures, guidance, or guidelines established by that person’s primary federal regulator or state or law, need not comply with the statute. A person who is subject to and complies with regulations promulgated pursuant to GLB is also exempted from this law.

Kansas (Kan. Stat. Ann. § 50-7a02)

Notice Requirements: Any person that conducts business in Kansas that owns or licenses computerized data that includes Personal Information must disclose a breach of the security of the system after determining that the misuse of information has occurred or is reasonably likely to occur. If the notification is to be given to more than 1,000 individuals, it must also be given to all consumer reporting agencies. Personal Information means an individual’s first name or first initial and last name in combination with any of the following when the data element is not encrypted: (1) SSN; (2) driver’s license number or state identification card number; or (3) account number or credit/debit card number with any required security code, access code or password. Notice to Other Entities is Required.

Timing of Disclosure: Notification of breach must be provided in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security and confidentiality of the system. Notice can be delayed if instructed by law enforcement agencies.

Form of Disclosure: Disclosure to be given in one of the following forms: 1) written notice; 2) electronic notice (if it is consistent with federal electronic signature laws); or 3) substitute notice. Substitute notice is permissible only if: (i) the cost of providing notice would exceed $100,000; (ii) the affected class exceeds 5,000 persons; or (iii) insufficient contact information. Substitute notice must consist of: (a) email notice (if email addresses are known); (b) conspicuous posting on website (if one is maintained); and (c) notification to major statewide media.

Entities that Maintain Data: Any person that maintains Personal Information must give notice to the person that owns the information immediately following discovery of a breach, if the Personal Information was, or is reasonably believed to have been, acquired by an unauthorized person.

Existing Policies: Data owners who maintain their own notification procedures which are consistent with the timing requirements of Kansas law are deemed to be in compliance with the notice requirements if notification is provided in accordance with their policies.

Damages/Enforcement: The Attorney General may bring claims under this statute.

Preemption: A data owner who is regulated by state or federal law and who maintains procedures for breaches pursuant to the laws, rules, regulations, guidance or guidelines established by the applicable principal regulator is deemed to be in compliance with this statute if the entity complies with the maintained procedures.

Louisiana (La. Rev. Stat. Ann. §§ 51:3071 to :3077)

Notice Requirements: Any person that conducts business in Louisiana that owns or licenses computerized data that includes Personal Information must disclose a breach of the security of the system if it is known or is reasonably believed that the data was acquired by an unauthorized person. Personal Information means an individual’s first name or first initial and last name in combination with any of the following when the data element is not encrypted: (1) SSN; (2) driver’s license number; or (3) account number or credit/debit card number with any required security code, access code or password.

Timing of Disclosure: Notification of breach must be provided without unreasonable delay, consistent with the legitimate needs of law enforcement and any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data. Notification may be delayed by law enforcement.

Form of Disclosure: Disclosure to be given in one of the following forms: 1) written notice; 2) electronic notice (if it is consistent with federal electronic signature laws); or 3) substitute notice. Substitute notice is permissible only if: (i) the cost of providing notice would exceed $250,000; (ii) the affected class exceeds 500,000 persons; or (iii) insufficient contact information. Substitute notice must consist of: (a) email notice (if email addresses are known); (b) conspicuous posting on website (if one is maintained); and (c) notification to major statewide media.

Entities that Maintain Data: Persons that maintain computer data that they do not own or license that includes Personal Information must notify the owner or licensee of the Personal Information if the Personal Information was, or is reasonably believed to have been, acquired by an unauthorized person through a breach of a security system.

Existing Policies: If a person maintains notification procedures as part of its information security policy for Personal Information, they may be utilized if otherwise consistent with the timing requirements of this law.

Exemptions from Disclosure: No disclosure is required if, after reasonable investigation, it is determined that there is no reasonable likelihood of harm to the customer.

Damages/Enforcement: Affected individuals may recover actual damages.

Preemption: A financial institution that is subject to the Federal Guidance on Response Programs for Unauthorized Access to Consumer Information and Customer Notice published by the Federal Register on March 29, 2005 is deemed to be in compliance with this statute.
Maine (Me. Rev. Stat. Ann. tit. 10, §§ 1346 to 1349; Maine LD 970, enacted May 19, 2009)

Notice Requirements: Any person that conducts business in Maine that owns or licenses computerized data that includes Personal Information must disclose a security breach involving Personal Information if it is known or is reasonably believed that the data was acquired by an unauthorized person. A security breach is the compromise of the security, confidentiality or integrity of Personal Information that results in unauthorized acquisition of or access to Personal Information, or that creates a reasonable basis that such acquisition has occurred. Personal Information means an individual’s first name or first initial and last name in combination with any of the following when the data element is not encrypted: (1) SSN; (2) (continued on the next slide)

Timing of Disclosure: Notification of breach must be provided in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security and confidentiality of the system. Notice can be delayed if instructed by law enforcement agencies. Delay of notification pursuant to a law enforcement request is limited to a maximum of 7 business days.

Form of Disclosure: Disclosure to be given in one of the following forms: 1) written notice; or 2) substitute notice. Substitute notice is permissible only if: (i) the cost of providing notice would exceed $250,000; (ii) the affected class exceeds 500,000 persons; or (iii) insufficient contact information. Substitute notice must consist of: (a) email notice (if email addresses are known); (b) conspicuous posting on website (if one is maintained); and (c) notification to major statewide media.

Entities that Maintain Data: Persons that maintain computer data that they do not own or license that includes Personal Information must notify the owner or licensee of the Personal Information if the Personal Information was, or is reasonably believed to have been, acquired by an unauthorized person through a breach of a security system.

Damages/Enforcement: The law is administered by the Office of Consumer Credit Regulation; fines are up to $500 per violation, up to a maximum of $2,500 per day. Civil actions are also permitted.

Preemption: A person that complies with security breach notification requirements of rules, regulations, procedures, or guidelines established under federal or Maine law is deemed to be in compliance with this statute as long as the notification procedures are at least as protective as the notification requirements of this statute.
    • INTERNATIONAL SECURITY BREACH NOTIFICATION SURVEY (UNITED STATES CONTENT AS OF AUGUST 26, 2009) State Notice Requirements Timing of Form of Disclosure Entities that Existing Policies Exemptions from Damages/ Preemption Disclosure Maintain Data Disclosure Enforcement driver’s license number or state identification card number; or (3) account number or credit/debit card number with any required security code, access code or password. Maryland Any business that owns Prior to providing Disclosure to be given Persons that If it is reasonably Violation is an A data owner who is or licenses notice the business in one of the following maintain determined that no unfair or regulated by state or Md. Code. computerized data that must provide notice forms: computerized date misuse has deceptive trade federal law and who Ann., Com. includes Personal of the security 1) written notice; owned by others occurred or is practice in maintains Law §§ 14- Information of Maryland breach to the Office 2) telephonic notice; that includes reasonably likely to Maryland. procedures for 3504 to -3508 residents must disclose of the Attorney 3) electronic notice (if it Personal occur, no breaches pursuant a breach of a security General. is consistent with Information must notification is to the laws, rules, system if it is federal electronic give notice to and required. regulations, determined that there Notification must be signature laws and the cooperate with the guidance or has been or is given as soon as individual has so owner or licensee of If it is determined guidelines reasonably likely to practicable after consented or business the information of that no notification established by the occur a misuse of the conclusion of the is conducted primarily any breach following needs to be given, applicable principal individual’s Personal investigation. through internet discovery of the a written record to regulator is deemed Information. 
Notice can be account transactions); breach if misuse of that affect must be to be in compliance delayed if instructed or Personal maintained by the with this statute if Compliance cannot be by law enforcement 4) substitute notice. Information is Company. the entity complies waived. agencies. reasonably likely to with the maintained Substitute notice is occur procedures. A breach of a security permissible only if: (i) system is an the cost of providing This document does not replace review of the applicable laws and the US content is based upon Chapter 22 of Andrew Serwin, Information Security and Privacy: A Guide to Federal and State and Compliance, (3 rd ed. West 2009). It does not constitute legal advice.
    • INTERNATIONAL SECURITY BREACH NOTIFICATION SURVEY (UNITED STATES CONTENT AS OF AUGUST 26, 2009) State Notice Requirements Timing of Form of Disclosure Entities that Existing Policies Exemptions from Damages/ Preemption Disclosure Maintain Data Disclosure Enforcement unauthorized notice would exceed acquisition of $100,000; (ii) the computerized data that effected class exceeds compromises the 175,000 persons; or security, confidentiality (iii) insufficient contact or integrity of Personal information. Information. Substitute notice must Personal Information consist of: (a) email means an individual’s notice (if email first name or first initial addresses are known); and last name in (b) conspicuous posting combination with any of on website (if one is the following when the maintained); and (c) data element is not notification to major encrypted: (1) SSN; (2) statewide media. driver’s license number or state identification Disclosure must card number; or (3) include: account number or credit/debit card 1) a description of the number with any information that was, required security code, or reasonably believed access code or to have been, acquired; password. 2) contact information for the person making If a business is required the disclosure; to give notice of a 3) the toll-free numbers breach to 1,000 or and addresses for the more individuals the major reporting This document does not replace review of the applicable laws and the US content is based upon Chapter 22 of Andrew Serwin, Information Security and Privacy: A Guide to Federal and State and Compliance, (3 rd ed. West 2009). It does not constitute legal advice.
    • INTERNATIONAL SECURITY BREACH NOTIFICATION SURVEY (UNITED STATES CONTENT AS OF AUGUST 26, 2009) State Notice Requirements Timing of Form of Disclosure Entities that Existing Policies Exemptions from Damages/ Preemption Disclosure Maintain Data Disclosure Enforcement business must also Notice to State AG agencies; notify without required before 4) toll-free numbers, unreasonable delay notice goes to addresses and website each consumer individuals. addresses for the FTC reporting agency that and the Office of the complies and maintains Attorney General; and files on consumers on a 5) a statement that an nationwide basis of the individual can obtain timing, distribution, and information from these content of the notices. sources to avoid identity theft. Notice to Other Entities is Required. Notice content required. Massachusetts A person who owns or Must be given as Disclosure to be given Persons that The law does not The Attorney A person who licenses Personal soon as practicable. in one of the following maintain relieve any person General may maintains Mass. Gen. Information of Notice may be forms: computerized data from the duty to bring suits for procedures for Laws ch. 93H Massachusetts delayed at the 1) written notice; owned or licensed comply with any violation. responding to a §§ 1 to 6 residents must provide request of law 2) electronic notice (if it by others that requirements of the breach of security notice as soon as enforcement is consistent with includes Personal law. pursuant to federal practicable once it is agencies. federal electronic Information must laws, rules and known or there is signature laws); or give notice as soon regulations is reason to know of a Notice must 3) substitute notice. 
as practicable once deemed to be in breach of security or include: it is known or there compliance if the that Personal (1) the consumer’s Substitute notice is is reason to know of person notifies the Information of the right to obtain a permissible only if: (i) a breach of security affected resident was acquired police report; the cost of providing or that Personal Massachusetts or used by an (2) how a consumer notice would exceed Information of the residents in unauthorized person or requests a security $250,000; (ii) the resident was accordance with for an unauthorized freeze; and effected class exceeds acquired or used by maintained or This document does not replace review of the applicable laws and the US content is based upon Chapter 22 of Andrew Serwin, Information Security and Privacy: A Guide to Federal and State and Compliance, (3 rd ed. West 2009). It does not constitute legal advice.
    • INTERNATIONAL SECURITY BREACH NOTIFICATION SURVEY (UNITED STATES CONTENT AS OF AUGUST 26, 2009) State Notice Requirements Timing of Form of Disclosure Entities that Existing Policies Exemptions from Damages/ Preemption Disclosure Maintain Data Disclosure Enforcement person. (3) fees required to 500,000 persons; or an unauthorized required procedures. be paid to any of (iii) insufficient contact person or for an Must also notify the Notice must also be the consumer information. unauthorized attorney general and given to Attorney reporting agencies. person. the director of the General and the director Substitute notice must office of consumer of consumer affairs and consist of: (a) email affairs and business business regulation. notice (if email regulation of the The notice must include addresses are known); breach as soon as the nature of the breach (b) conspicuous posting practicable. of security or on website (if one is unauthorized maintained); and (c) acquisition or use, the notification to major number of residents statewide media. affected and any steps the person or agency Notification cannot has taken or plans to include the nature of take relating to the the breach or incident. Upon receipt, unauthorized the director of acquisition or use or consumer affairs and the number of residents business regulation of Massachusetts must identify any affected by the breach. relevant consumer reporting agency or state agency, as deemed appropriate by the director, and forward the names of the identified consumer reporting agencies and This document does not replace review of the applicable laws and the US content is based upon Chapter 22 of Andrew Serwin, Information Security and Privacy: A Guide to Federal and State and Compliance, (3 rd ed. West 2009). It does not constitute legal advice.
    • INTERNATIONAL SECURITY BREACH NOTIFICATION SURVEY (UNITED STATES CONTENT AS OF AUGUST 26, 2009) State Notice Requirements Timing of Form of Disclosure Entities that Existing Policies Exemptions from Damages/ Preemption Disclosure Maintain Data Disclosure Enforcement state agencies to the notifying person or agency. A breach of a security system is an unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality or integrity of Personal Information. Personal Information means an individual’s first name or first initial Notice content and last name in required. combination with any of the following when the data element is not encrypted: (1) SSN; (2) driver’s license number or state identification card number; or (3) account number or credit/debit card This document does not replace review of the applicable laws and the US content is based upon Chapter 22 of Andrew Serwin, Information Security and Privacy: A Guide to Federal and State and Compliance, (3 rd ed. West 2009). It does not constitute legal advice.
    • INTERNATIONAL SECURITY BREACH NOTIFICATION SURVEY (UNITED STATES CONTENT AS OF AUGUST 26, 2009) State Notice Requirements Timing of Form of Disclosure Entities that Existing Policies Exemptions from Damages/ Preemption Disclosure Maintain Data Disclosure Enforcement number with any required security code, access code or password. Notice to Other Entities is Required. Includes non-electronic data. Michigan Any person that Notice must be Disclosure to be given Persons that Notice may be Financial A civil fine of discovers a security given without in one of the following maintain provided pursuant institutions that $250 may be Mich. Comp. breach in a database it unreasonable delay forms: computerized data to an agreement are subject to, ordered for each Laws owns or licenses, or that after an 1) written notice; owned by others with a third-party if and have failure to provide §§ 445.63, .72 receives notice of a investigation has 2) telephonic notice (if that includes the notice does not notification notice, with the security breach, must been completed to not prohibited by Personal conflict with any procedures in aggregate liability provide written notice of determine the federal or state law; Information must requirement of the place that are for multiple the breach to Michigan scope of the message may not be give notice to and law. subject to violations out of residents whose security breach and given by a recorded cooperate with the examination by the same breach Personal Information restore reasonable message; individual owner or licensee of the financial not to exceed was accessed by an integrity of the must have consented to the information of institution’s $750K. unauthorized person or system. 
Notice may notification via any breach following appropriate that the Personal also be delayed at telephone, or if consent discovery of the regulator for Information was the request of law was not previously breach unless it is compliance with, accessed and acquired enforcement. given the notification is determined that the the interagency in encrypted form by a also followed up with a security breach has guidance on person with written notification if not or is not likely to response unauthorized access to the notice does not cause substantial programs for the encryption key, result in a live loss or injury to, or unauthorized This document does not replace review of the applicable laws and the US content is based upon Chapter 22 of Andrew Serwin, Information Security and Privacy: A Guide to Federal and State and Compliance, (3 rd ed. West 2009). It does not constitute legal advice.
    • INTERNATIONAL SECURITY BREACH NOTIFICATION SURVEY (UNITED STATES CONTENT AS OF AUGUST 26, 2009) State Notice Requirements Timing of Form of Disclosure Entities that Existing Policies Exemptions from Damages/ Preemption Disclosure Maintain Data Disclosure Enforcement unless it is determined conversation within 3 result in identity access to that the security breach days of the initial theft. customer has not or is not likely attempt); information and to cause substantial 3) electronic notice (if customer notice loss or injury to, or the individual has so prescribed by the result in identity theft. consented, an existing board of business relationship governors of the Personal Information exists that includes federal reserve means an individual’s periodic email system and the first name or first initial communications which other federal and last name in causes the person to bank and combination with any of believe the email regulatory the following when the address is correct or agencies. data element is not the person’s business encrypted: (1) SSN; (2) is conducted primarily Agencies in driver’s license number through internet compliance with or state identification account transactions); HIPAA are also card number; (3) or considered to be demand deposit or 4) substitute notice. in compliance. other financial account number or credit/debit Substitute notice is card number with any permissible only if: (i) required security code, the cost of providing access code or notice would exceed password. $250,000; (ii) the effected class exceeds 500,000 persons; or (iii) insufficient contact information. This document does not replace review of the applicable laws and the US content is based upon Chapter 22 of Andrew Serwin, Information Security and Privacy: A Guide to Federal and State and Compliance, (3 rd ed. West 2009). It does not constitute legal advice.
    • INTERNATIONAL SECURITY BREACH NOTIFICATION SURVEY (UNITED STATES CONTENT AS OF AUGUST 26, 2009) State Notice Requirements Timing of Form of Disclosure Entities that Existing Policies Exemptions from Damages/ Preemption Disclosure Maintain Data Disclosure Enforcement If notice is required to Substitute notice must more than consist of: (a) email 1,000 Michigan notice (if email residents or if the addresses are known); person or entity is not (b) conspicuous posting subject to the GLB must on website (if one is notify each consumer maintained); and (c) reporting agency that notification to major compiles and maintains statewide media, but consumer files on a the notice must include nationwide basis. The a telephone number or notice must include the website to obtain number of notices sent additional information. and the timing of the notices. Notice must be written in a clear and Notice to Other Entities conspicuous manner is Required. and: 1) describe the security breach in general terms; 2) describe the type of Personal Information that is the subject of the unauthorized access or use; 3) generally describe what the agency or person providing the notice has done to This document does not replace review of the applicable laws and the US content is based upon Chapter 22 of Andrew Serwin, Information Security and Privacy: A Guide to Federal and State and Compliance, (3 rd ed. West 2009). It does not constitute legal advice.
    • INTERNATIONAL SECURITY BREACH NOTIFICATION SURVEY (UNITED STATES CONTENT AS OF AUGUST 26, 2009) State Notice Requirements Timing of Form of Disclosure Entities that Existing Policies Exemptions from Damages/ Preemption Disclosure Maintain Data Disclosure Enforcement protect the information from future breaches; 4) include a telephone number where a recipient may obtain assistance or additional information; and 5) remind recipients the need to remain vigilant for incidents of fraud and identity theft. The above must be communicated if notice is provided via the telephone. Notice content required. Minnesota Any business that owns Notification of Disclosure to be given Persons that If a person Violations are Any financial or licenses breach must be in one of the following maintain maintains a enforced by the institution covered Minn. Stat. computerized data that provided in the forms: computerized data notification Attorney General. by GLB. § 325E.61 includes Personal most expedient 1) written notice; owned by others procedures as part Information of time possible and 2) electronic notice (if it that includes of its information Covered entities Minnesota residents without is consistent with Personal security policy for under HIPAA. must disclose a breach unreasonable delay, federal electronic Information must Personal of a security system to consistent with any signature laws and is give notice to the Information, it may such person if it is measures necessary the primary method of owner or licensee of be utilized if it is determined that such to determine the communication with the information of otherwise This document does not replace review of the applicable laws and the US content is based upon Chapter 22 of Andrew Serwin, Information Security and Privacy: A Guide to Federal and State and Compliance, (3 rd ed. West 2009). It does not constitute legal advice.
    • INTERNATIONAL SECURITY BREACH NOTIFICATION SURVEY (UNITED STATES CONTENT AS OF AUGUST 26, 2009) State Notice Requirements Timing of Form of Disclosure Entities that Existing Policies Exemptions from Damages/ Preemption Disclosure Maintain Data Disclosure Enforcement person’s Personal scope of the breach the person); or any breach following consistent with the Information was, or is and restore the 3) substitute notice. discovery of the timing reasonably believed to reasonable breach if the requirements of have been, acquired by integrity, security Substitute notice is Personal this law. an unauthorized person. and confidentiality permissible only if: (i) Information was, or of the system. the cost of providing is reasonably Notice can be notice would exceed believed to have If notification is to more delayed if instructed $250,000; (ii) the been, acquired by than 500 persons at one by law enforcement effected class exceeds an unauthorized time, the person giving agencies. 500,000 persons; or person. notice shall also notify, (iii) insufficient contact within 48 hours, all information. consumer reporting agencies that compile Substitute notice must and maintain files on consist of: (a) email consumers on a notice (if email nationwide basis. addresses are known); (b) conspicuous posting A breach of a security on website (if one is system is an maintained); and (c) unauthorized notification to major acquisition of statewide media. computerized data that compromises the security, confidentiality or integrity of Personal Information. This document does not replace review of the applicable laws and the US content is based upon Chapter 22 of Andrew Serwin, Information Security and Privacy: A Guide to Federal and State and Compliance, (3 rd ed. West 2009). It does not constitute legal advice.
    • INTERNATIONAL SECURITY BREACH NOTIFICATION SURVEY (UNITED STATES CONTENT AS OF AUGUST 26, 2009) State Notice Requirements Timing of Form of Disclosure Entities that Existing Policies Exemptions from Damages/ Preemption Disclosure Maintain Data Disclosure Enforcement Personal Information means an individual’s first name or first initial and last name in combination with any of the following when the data element is not secured by encryption or another method of technology that makes electronic data unreadable or unusable, or was secured and the encryption key was also acquired: (1) SSN; (2) driver’s license number or MN identification card number; or (3) account number or credit/debit card number with any required security code, access code or password. Notice to Other Entities is Required. This document does not replace review of the applicable laws and the US content is based upon Chapter 22 of Andrew Serwin, Information Security and Privacy: A Guide to Federal and State and Compliance, (3 rd ed. West 2009). It does not constitute legal advice.
    • INTERNATIONAL SECURITY BREACH NOTIFICATION SURVEY (UNITED STATES CONTENT AS OF AUGUST 26, 2009) State Notice Requirements Timing of Form of Disclosure Entities that Existing Policies Exemptions from Damages/ Preemption Disclosure Maintain Data Disclosure Enforcement Missouri Any person that owns or Notice must be At a minimum, the Any person that A person that No notice The attorney A person that is licenses personal made (a) without notice shall include a maintains or maintains its own required if, after general has the regulated by state or H.B. 62, 95th information of residents unreasonable delay; description of the possesses records notice procedures appropriate exclusive federal law and that Gen. Assem., of Missouri or any (b) consistent with following: (a) the or data containing as part of an investigation by authority to bring maintains Reg. Sess. person that conducts the needs of law incident in general personal information the person or an action to procedures for a (Mo. 2009) business in Missouri enforcement; and terms; (b) the type of information of security policy for after consultation obtain actual breach of the (enacted) that owns or licenses (c) consistent with personal information residents of the treatment of with the relevant damages for a security of the personal information in any measures obtained as a result of Missouri that the personal responsible law willful and system under the any form of a resident necessary to the breach of security; person does not own information, and enforcement knowing violation laws, rules, of Missouri shall provide determine sufficient (c) a telephone number or license, or any whose procedures agency, the of this section regulations, notice to the affected contact information the affected consumer person that are otherwise person and may seek a guidance, or consumer that there has and to determine may call for further conducts business consistent with the determines that a civil penalty not guidelines been 
a breach of the scope of the information and in Missouri that timing risk of identity to exceed established by its security following breach and restore assistance, if one maintains or requirements, is theft or other $150,00 per primary or discovery or notification the reasonably exists; (d) contact possesses records deemed to be in fraud to any breach of the functional state or of the breach. integrity, security, information for or data containing compliance with consumer is not security of the federal regulator is and confidentiality consumer reporting personal the notice reasonably likely system or series deemed to be in Breach of security is an of the data system. agencies; (e) advice information of a requirements if the to occur as a of breaches of a compliance if the unauthorized access to directing the affected resident of Missouri person notifies result of the similar nature person notifies and an unauthorized Notice may be consumer to remain that the person does affected consumers breach. This that are affected consumers acquisition of personal delayed by law vigilant by reviewing not own or license, in accordance with determination discovered in a in accordance with information maintained enforcement. account statements shall notify the its policies in the must be single the maintained in computerized form and monitoring free owner or licensee of event of a breach of documented in investigation. procedures when a by a person that In the event a credit reports. the information of security of the writing and breach occurs. compromises the person provides any breach of system. maintained for security, confidentiality, notice to more Regular notice shall be security five years. A financial or integrity of the 1000 consumers at provided by one of the immediately institution that is: personal information. 
one time the person following methods: (a) following discovery (a) subject to and in Good faith acquisition of shall notify, without written notice; (b) of the breach, compliance with the personal information by unreasonable delay, electronic notice to consistent with the Federal Interagency This document does not replace review of the applicable laws and the US content is based upon Chapter 22 of Andrew Serwin, Information Security and Privacy: A Guide to Federal and State and Compliance, (3 rd ed. West 2009). It does not constitute legal advice.
    • INTERNATIONAL SECURITY BREACH NOTIFICATION SURVEY (UNITED STATES CONTENT AS OF AUGUST 26, 2009) State Notice Requirements Timing of Form of Disclosure Entities that Existing Policies Exemptions from Damages/ Preemption Disclosure Maintain Data Disclosure Enforcement a person or that the attorney consumers with a valid legitimate needs of Guidance Response person's employee or general's office and email address and who law enforcement. Programs for agent for a legitimate all consumer have agreed to receive Unauthorized Access purpose of that person reporting agencies electronic to Customer is not a breach of that compile and communications (if it is Information and security, provided that maintain files on consistent with federal Customer Notice, the personal consumers on a electronic signature issued on March 29, information is not used nationwide basis, as laws); (c) telephonic 2005, by the board in violation of applicable defined in 15 U.S.C. notice, if contact is of governors of the law or in a manner that Section 1681a(p), made directly with the Federal Reserve harms or poses an of the timing, affected consumers. System, the Federal actual threat to the distribution, and Deposit Insurance security, confidentiality, content of the Substitute notice is Corporation, the or integrity of the notice. possible if (a) person Office of the personal information. 
demonstrates that the Comptroller of the costs of providing Currency, and the Personal information is notice would exceed Office of Thrift an individual's first $100,000; (b) the class Supervision, and any name or first initial and of affected consumers revisions, additions, last name in exceeds 150,000; (c) or substitutions combination with any the person does not relating to said one or more of the have sufficient contact interagency following data elements information or consent guidance; or (b) that relate to the to satisfy regular notice subject to and in individual if any of the for those affected compliance with the data elements are not consumers without National Credit encrypted, redacted, or sufficient contact Union otherwise altered by any information or consent; Administration method or technology in or (d) the person is regulations in 12 such a manner that the unable to identify CFR Part 748; or (c) This document does not replace review of the applicable laws and the US content is based upon Chapter 22 of Andrew Serwin, Information Security and Privacy: A Guide to Federal and State and Compliance, (3 rd ed. West 2009). It does not constitute legal advice.
    • Alaska (continued from the preceding slide)
      Notice Requirements (continued): ... name or data elements are unreadable or unusable: (a) SSN; (b) driver's license number or other unique identification number created or collected by a government body; (c) financial account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account; (d) unique electronic identifier or routing code, in combination with any required security code, access code, or password that would permit access to an individual's financial account; (e) medical information; or (f) health insurance information. Personal information does not include information that is lawfully obtained from publicly available sources, or from federal, state, or local government records lawfully made available to the general public.
      Form of Disclosure (continued): ... particular affected consumers, for only those unidentifiable consumers. Substitute notice must consist of all of the following: (a) email notice when the person has an email address for the affected consumer; (b) conspicuous posting of the notice or a link to the notice on the website of the person if the person maintains a website; and (c) notification to major statewide media.
      Preemption (continued): ... subject to and in compliance with the provisions of GLB shall be deemed to be in compliance.
    • Montana, Mont. Code Ann. § 30-14-1704
      Notice Requirements: Any business that owns or leases computerized data and conducts business in Montana must disclose a breach of a security system if it reasonably believes there has been an unauthorized acquisition of unencrypted information. A breach of a security system is an unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity of Personal Information and causes or is reasonably believed to cause loss or injury to a Montana resident. Personal Information means an individual's first name or first initial and last name in combination with any of the following when the data element is not encrypted: (1) SSN; (2) driver's license number, MT identification card number or tribal identification card number; or (3) account number or credit/debit card number with any required security code, access code or password.
      Timing of Disclosure: Notice may be delayed to assist law enforcement, but must be provided after law enforcement determines it will not compromise the investigation. Notice must be consistent with measures necessary to determine the scope of the breach and restore reasonable integrity of the system.
      Form of Disclosure: Disclosure to be given in one of the following forms: 1) written notice; 2) electronic notice (if it is consistent with federal electronic signature laws); 3) telephonic notice; or 4) substitute notice. Substitute notice is permissible only if: (i) the cost of providing notice would exceed $250,000; (ii) the affected class exceeds 500,000 persons; or (iii) insufficient contact information. Substitute notice must consist of: (a) email notice (if email addresses are known); (b) conspicuous posting on website (if one is maintained); and (c) notification to major statewide media. If notice provided under this law suggests or implies that a consumer can obtain a copy of their file from a consumer reporting agency (CRA), the business must coordinate with the CRA regarding the timing, content, and distribution of notice to the Montana consumer, as long as the cooperation does not unreasonably delay the notice. Notice content required.
      Entities that Maintain Data: Persons that maintain computerized data owned by others that includes Personal Information must give notice to the owner or licensee of the information of any breach following discovery of the breach if the Personal Information may have been acquired by an unauthorized person.
      Existing Policies: A business that maintains its own notification procedures can use its own policy as long as the policy does not unreasonably delay notice to consumers.
      Damages/Enforcement: Certain government agencies are authorized to bring enforcement actions in the public interest.
    • Nebraska, Neb. Rev. Stat. §§ 87-801 to -806
      Notice Requirements: Any individual or commercial entity that (i) conducts business in Nebraska; and (ii) owns or licenses computerized data that includes Personal Information about a Nebraska resident, must provide notice of a security breach of their system if it is determined that the use of information has occurred or is about to occur. Personal Information means an individual's first name or first initial and last name in combination with any of the following when the data element is not encrypted: (1) SSN; (2) driver's license number or state identification card number; (3) account number or credit/debit card number with any required security code, access code or password; (4) unique electronic identification number or routing code, in combination with any required security code, access code or password; or (5) unique biometric data (fingerprint, voice print, retina or iris image or other unique physical representation). PI definition includes biometric data.
      Timing of Disclosure: Notification of breach must be provided in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security and confidentiality of the system. Notice can be delayed if instructed by law enforcement agencies.
      Form of Disclosure: Disclosure to be given in one of the following forms: 1) written notice; 2) electronic notice (if it is consistent with federal electronic signature laws); 3) telephonic notice; or 4) substitute notice. Substitute notice is permissible only if: (i) the cost of providing notice would exceed $75,000; (ii) the affected class exceeds 100,000 persons; or (iii) insufficient contact information. Substitute notice must consist of: (a) email notice (if email addresses are known); (b) conspicuous posting on website (if one is maintained); and (c) notification to major statewide media. If the individual has 10 or fewer employees and the cost of providing notice will exceed $10,000, substitute notice is also available, which must be provided as set forth above and with the additional requirement that notice be set forth in a paid advertisement in a local newspaper (at least ¼ page) in the geographic area once a week for three weeks.
      Entities that Maintain Data: Persons that maintain computerized data owned by others that includes Personal Information must give notice to and cooperate with the owner or licensee of the information of any breach following discovery of the breach if use of the Personal Information has occurred or is reasonably likely to occur.
      Existing Policies: If a person maintains notification procedures as part of its information security policy for Personal Information, they may be utilized if otherwise consistent with the timing requirements of this law.
      Damages/Enforcement: The Attorney General may bring enforcement actions.
      Preemption: A data owner who is regulated by state or federal law and who maintains procedures for breaches pursuant to the laws, rules, regulations, guidance or guidelines established by the applicable principal regulator is deemed to be in compliance with this statute if the entity complies with the maintained procedures.
    • Nevada, Nev. Rev. Stat. § 603A
      Notice Requirements: Any business that owns or licenses computerized data that includes Personal Information of Nevada residents must disclose a breach of a security system to such person if it is determined that such person's Personal Information was, or is reasonably believed to have been, acquired by an unauthorized person. If notification is to more than 1,000 persons at one time, the person giving notice shall also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis. A breach of a security system is an unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity of Personal Information. Personal Information means an individual's first name or first initial and last name in combination with any of the following when the data element is not encrypted: (1) SSN; (2) driver's license number or NV identification card number; or (3) account number or credit/debit card number with any required security code, access code or password. Notice to other entities required.
      Timing of Disclosure: Notification of breach must be provided in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity, security and confidentiality of the system. Notice can be delayed if instructed by law enforcement agencies.
      Form of Disclosure: Disclosure to be given in one of the following forms: 1) written notice; 2) electronic notice (if it is consistent with federal electronic signature laws); or 3) substitute notice. Substitute notice is permissible only if: (i) the cost of providing notice would exceed $250,000; (ii) the affected class exceeds 500,000 persons; or (iii) insufficient contact information. Substitute notice must consist of: (a) email notice (if email addresses are known); (b) conspicuous posting on website (if one is maintained); and (c) notification to major statewide media.
      Entities that Maintain Data: Persons that maintain computerized data owned by others that includes Personal Information must give notice to the owner or licensee of the information of any breach following discovery of the breach if the Personal Information was, or is reasonably believed to have been, acquired by an unauthorized person.
      Existing Policies: If a person maintains notification procedures as part of its information security policy for Personal Information, they may be utilized if otherwise consistent with the timing requirements of this law.
      Damages/Enforcement: The Attorney General may bring actions for injunctive relief for violations. Data collectors who provide timely notice may bring actions for damages against a person that unlawfully obtained or benefited from Personal Information maintained by the data collector. Damages, costs of the action, attorneys' fees, costs of notification as well as punitive damages are recoverable.
      Preemption: A data collector who is subject to and complies with the security provisions of GLB is deemed to be in compliance.
    • New Hampshire, N.H. Rev. Stat. Ann. §§ 359-C:19 to -C:21
      Notice Requirements: Any agency, individual or commercial entity that conducts business in New Hampshire that owns or licenses computerized data that includes Personal Information about a New Hampshire resident must give notice to the affected resident if it becomes aware of a breach of the security of the system and determines that misuse has occurred or is reasonably likely to occur. Notice is also required if the person cannot determine whether misuse of the information has occurred or is reasonably likely to occur. If notification is to more than 1,000 persons at one time, the person giving notice shall also notify all consumer reporting agencies of the anticipated date of the notification to the consumers, the approximate number of consumers who will be notified and the content of the notification. Personal Information means an individual's first name or first initial and last name in combination with any of the following when the data element is not encrypted: (1) SSN; (2) driver's license number or government identification card number; or (3) account number or credit/debit card number with any required security code, access code or password. Notice to other entities is required.
      Timing of Disclosure: Notice must be given as soon as possible, but may be delayed by a law enforcement agency.
      Form of Disclosure: Disclosure to be given in one of the following forms: 1) written notice; 2) electronic notice (if it is the primary means of communication with the affected individual); 3) telephonic notice (provided a log is kept); or 4) substitute notice. Substitute notice is permissible only if: (i) the cost of providing notice would exceed $5,000; (ii) the affected class exceeds 1,000 persons; or (iii) insufficient contact information. Substitute notice must consist of: (a) email notice (if email addresses are known); (b) conspicuous posting on website (if one is maintained); and (c) notification to major statewide media. Notice must include: 1) a description of the incident in general terms; 2) the approximate date of the breach; 3) the type of Personal Information obtained; and 4) telephonic contact information of the person whose system was breached. Notice content required.
      Entities that Maintain Data: Persons that maintain computer data that they do not own or license that includes Personal Information must notify the owner or licensee of the Personal Information if the Personal Information was acquired by an unauthorized person.
      Damages/Enforcement: Any person injured may bring an action for damages and for equitable relief. If the act was a willful or knowing violation, the court shall award as much as 3 times, but not less than 2 times, this amount. The prevailing party is also to be awarded costs of the suit and reasonable attorneys' fees.
      Preemption: Any person engaged in trade or commerce which maintains procedures for security breach notifications pursuant to the laws, rules and regulations issued by the applicable federal or state regulator is deemed to be in compliance.
    • New Jersey, N.J. Stat. Ann. §§ 56:8-161, -163
      Notice Requirements: Any entity that conducts business in New Jersey that owns or licenses computerized data that includes Personal Information of New Jersey residents must disclose a breach of a security system to such person if it is determined that such person's Personal Information was, or is reasonably believed to have been, acquired by an unauthorized person. A breach of security means unauthorized access to electronic files, media or data containing Personal Information that compromises the security, confidentiality or integrity of Personal Information when access to the Personal Information has not been secured by encryption or by any other method or technology that renders the Personal Information unreadable or unusable. If notification is to more than 1,000 persons at one time, the person giving notice shall also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis. Personal Information means an individual's first name or first initial and last name in combination with any of the following data elements: (1) SSN; (2) driver's license number or government identification card number; or (3) account number or credit/debit card number with any required security code, access code or password. Dissociated data that, if linked, would constitute Personal Information is Personal Information if the means to link the dissociated data were accessed in connection with access to the dissociated data. Notice to other entities is required.
      Timing of Disclosure: Notification of breach must be provided in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity, security and confidentiality of the system. Notice can be delayed if instructed by law enforcement agencies. Notice must also be provided (in advance of disclosure to the consumer) to the Division of State Police in the Department of Law and Public Safety for investigation or handling; the State Police must be notified before consumers are notified.
      Form of Disclosure: Disclosure to be given in one of the following forms: 1) written notice; 2) electronic notice (if it is consistent with federal electronic signature laws); or 3) substitute notice. Substitute notice is permissible only if: (i) the cost of providing notice would exceed $250,000; (ii) the affected class exceeds 500,000 persons; or (iii) insufficient contact information. Substitute notice must consist of: (a) email notice (if email addresses are known); (b) conspicuous posting on website (if one is maintained); and (c) notification to major statewide media.
      Entities that Maintain Data: Persons that maintain computerized data owned by others that includes Personal Information must give notice to the owner or licensee of the information of any breach following discovery of the breach if the Personal Information was, or is reasonably believed to have been, acquired by an unauthorized person.
      Existing Policies: If a person maintains notification procedures as part of its information security policy for Personal Information, they may be utilized if otherwise consistent with the timing requirements of this law.
      Exemptions from Disclosure: Disclosure is not required if the entity establishes that misuse of the information is not reasonably possible. Any such determination shall be documented in writing and maintained for five years.
      Damages/Enforcement: A knowing or reckless violation of this law is an unlawful business practice in New Jersey.
    • New York, N.Y. Gen. Bus. Law § 899-aa
      Notice Requirements: Any entity that conducts business in New York that owns or licenses computerized data that includes Personal Information of New York residents must disclose a breach of a security system to such person if it is determined that such person's Personal Information was, or is reasonably believed to have been, acquired by an unauthorized person. If more than 5,000 New York residents are to be notified at one time, the consumer reporting agencies must also be notified as to the timing, content and distribution of the notices and the approximate number of affected persons. This notice must be made without delaying notice to affected New York residents. A breach of a security system is an unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity of Personal Information. Personal Information means an individual's first name or first initial and last name in combination with any of the following data elements: (1) SSN; (2) driver's license number or government identification card number; or (3) account number or credit/debit card number with any required security code, access code or password. Notice to other entities required.
      Timing of Disclosure: Notification of breach must be provided in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity, security and confidentiality of the system. Notice can be delayed if instructed by law enforcement agencies.
      Form of Disclosure: Disclosure to be given in one of the following forms: 1) written notice; 2) electronic notice (if consent is provided and a log is kept); 3) telephonic notice; or 4) substitute notice. Substitute notice is permissible only if: (i) the cost of providing notice would exceed $250,000; (ii) the affected class exceeds 500,000 persons; or (iii) insufficient contact information. Substitute notice must consist of: (a) email notice (if email addresses are known); (b) conspicuous posting on website (if one is maintained); and (c) notification to major statewide media. Notice must provide contact information for the person or business making the notification and a description of the categories of information that were, or are reasonably believed to have been, acquired by a person without valid authorization, including specification of which of the elements of Personal Information and private information were, or are reasonably believed to have been, acquired. Notice must also be provided to the State Attorney General, the Consumer Protection Board, and the State Office of Cyber Security and Critical Infrastructure Coordination as to the timing, content and distribution of the notice and the approximate number of affected persons. Notice content required.
      Entities that Maintain Data: Persons that maintain computerized data owned by others that includes Personal Information must give notice to the owner or licensee of the information of any breach following discovery of the breach if the Personal Information was, or is reasonably believed to have been, acquired by an unauthorized person.
      Damages/Enforcement: Actions may be brought by the Attorney General. Injunctive relief and consequential damages (including reasonable attorneys' fees) are recoverable. Civil penalties are the greater of $5,000 or $10 per failed notice, but not to exceed $150,000.
    • New York City, N.Y. City Admin. Code § 20-117
      Notice Requirements: Any business subject to the jurisdiction of the Department of Consumer Affairs that owns, leases or maintains data that includes Personal Information must disclose to the Department of Consumer Affairs and to the police department any breach of security if the Personal Information is reasonably believed to have been acquired by an unauthorized person. Notice must also be provided to the affected residents. Personal Information is any person's date of birth, SSN, driver's license number, non-driver photo identification card, financial services account (bank, credit card, debit card, broker account, ATM, etc.) number or code, mother's maiden name, computer system password, electronic signature or unique biometric data that is a fingerprint, voice print, retinal image or iris image of another person. PI definition includes biometric data. Notice to other entities required, and the law may cover all forms of data.
      Timing of Disclosure: As soon as practicable, by a method reasonable under the circumstances, provided that the timing is not inconsistent with the legitimate needs of law enforcement or any other investigative or protective measures necessary to restore the reasonable integrity of the system.
      Form of Disclosure: Disclosure to be given in one of the following forms: 1) written notice; 2) electronic notice; or 3) substitute notice if either of the above is impracticable. If impracticable, then by a mechanism chosen by the licensee that is reasonably targeted to the individual.
      Entities that Maintain Data: Entities that maintain data must give notice of the breach to the owner of the data.
      Damages/Enforcement: Punishable by a fine of not more than $500, and a person or entity that violates this law is liable for a civil penalty of $100 for each violation.
    • North Carolina, N.C. Gen. Stat. §§ 75-61, -65
      Notice Requirements: Any business that owns or licenses computerized data that includes a North Carolina resident's Personal Information, or any business that conducts business in North Carolina that owns or licenses Personal Information in any form, must provide notice to the affected person of a breach. If notice is given to more than 1,000 persons at one time, the business must also notify the Consumer Protection Division of the Attorney General's Office and all consumer reporting agencies that compile data on a nationwide basis. Personal information means a person's first name or first initial and last name in combination with any of the following identifying information: (1) SSN or employer taxpayer ID number; (2) driver's license, State identification card, or passport numbers; (3) checking account numbers; (4) savings account numbers; (5) credit card numbers; (6) debit card numbers; (7) personal identification code; (8) electronic identification numbers, electronic mail names or addresses, internet account numbers, or internet identification names; (9) digital signatures; (10) any other numbers or information that can be used to access a person's financial resources; (11) biometric data; (12) fingerprints; (13) passwords; or (14) parent's legal surname prior to marriage. Personal information does not include publicly available directories containing information an individual has voluntarily consented to have publicly disseminated or listed, including name, address, and telephone number, and does not include information made lawfully available to the general public from federal, state, or local government records. Personal Information DOES NOT include electronic identification numbers, electronic mail names or addresses, Internet account numbers, Internet identification names, parent's legal surname prior to marriage, or a password unless this information would permit access to a person's financial account or resources. Notice to other entities is required. Disclosure includes all forms of data, including paper.
      Timing of Disclosure: Must be made without unreasonable delay, consistent with the legitimate needs of law enforcement, with any measures necessary to determine sufficient contact information, and to determine the scope of the breach and restore the reasonable integrity of the system.
      Form of Disclosure: Disclosure to be given in one of the following forms: 1) written notice; 2) electronic notice (if consented to); 3) telephonic notice (provided a log is kept); or 4) substitute notice. Substitute notice is permissible only if: (i) the cost of providing notice would exceed $250,000; (ii) the affected class exceeds 500,000 persons; or (iii) insufficient contact information. Substitute notice must consist of: (a) email notice (if email addresses are known); (b) conspicuous posting on website (if one is maintained); and (c) notification to major statewide media. Notice must include a description of the following: 1) the incident in general terms; 2) the type of Personal Information subject to breach; 3) general acts of the business to protect information from further breaches; 4) a telephone number that a person may call for further information; and 5) advice that directs the person to remain vigilant in reviewing account statements and monitoring free credit reports. Notice content required. 2009 N.C. Sess. Laws page no. 355 (amending N.C. Gen. Stat. § 75-65), effective October 1, 2009: Notice must include all of the following: 1) a description of the incident in general terms; 2) a description of the type of Personal Information subject to breach; 3) a description of the general acts of the business to protect information from further breaches; 4) a telephone number for the business that a person may call for further information; 5) advice that directs the person to remain vigilant in reviewing account statements and monitoring free credit reports; 6) the toll-free numbers and addresses for the major consumer reporting agencies; and 7) the toll-free numbers, addresses, and website addresses for the Federal Trade Commission and the North Carolina Attorney General's Office, along with a statement that the individual can obtain information from these sources about preventing identity theft. In the event a business provides notice to an affected person under this section, the business shall notify without unreasonable delay the Consumer Protection Division of the Attorney General's Office of the nature of the breach, the number of consumers affected by the breach, steps taken to investigate the breach, steps taken to prevent a similar breach in the future, and information regarding the timing, distribution, and content of the notice.
      Entities that Maintain Data: Persons that maintain computerized data owned by others that includes Personal Information must give notice to the owner or licensee of the information of any breach following discovery of the breach if the Personal Information was, or is reasonably believed to have been, acquired by an unauthorized person.
      Damages/Enforcement: The law does not create a private right of action unless the person is actually injured. Violation of this law is a violation of § 75-1.1.
      Preemption: Entities in compliance with the Federal Interagency Guidance on Response Programs for Unauthorized Access to Consumer Information and Consumer Notice, and governed by the Board of Governors of the Federal Reserve, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency and the Office of Thrift Supervision, are deemed to be in compliance.
    • North Dakota, N.D. Cent. Code §§ 51-30-01 to -07
      Notice Requirements: Any business that owns or licenses computerized data that includes Personal Information of North Dakota residents must disclose a breach of a security system to such person if it is determined that such person's Personal Information was, or is reasonably believed to have been, acquired by an unauthorized person.
      Timing of Disclosure: Notification of breach must be provided in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach ...
      Form of Disclosure: Disclosure to be given in one of the following forms: 1) written notice; 2) electronic notice (if it complies with electronic signature laws); or 3) substitute notice. Substitute notice is permissible only if: (i) the cost of providing notice would exceed $250,000; (ii) the ...
      Entities that Maintain Data: A licensor of personal data must also give notice to the owner of the data if the Personal Information was, or is reasonably believed to have been, acquired by an unauthorized person.
      Existing Policies: If a person maintains notification procedures as part of its information security policy for Personal Information, they may be utilized if otherwise consistent with the timing requirements of this law.
      Damages/Enforcement: The Attorney General may bring enforcement actions.
      Preemption: A financial institution, trust company or credit union that is subject to, examined for and in compliance with the federal interagency guidance on response programs for unauthorized access to customer information and customer notice is ...
and restore the effected class exceeds deemed to be in reasonable 500,000 persons; or compliance with integrity, security (iii) insufficient contact North Dakota law. A breach of a security and confidentiality information. system is an of the system. unauthorized Notice can be Substitute notice must acquisition when access delayed if instructed consist of: (a) email to Personal Information by law enforcement notice (if email has not been secured by agencies. addresses are known); encryption that renders (b) conspicuous posting This document does not replace review of the applicable laws and the US content is based upon Chapter 22 of Andrew Serwin, Information Security and Privacy: A Guide to Federal and State and Compliance, (3 rd ed. West 2009). It does not constitute legal advice.
    • INTERNATIONAL SECURITY BREACH NOTIFICATION SURVEY (UNITED STATES CONTENT AS OF AUGUST 26, 2009) State Notice Requirements Timing of Form of Disclosure Entities that Existing Policies Exemptions from Damages/ Preemption Disclosure Maintain Data Disclosure Enforcement the files, media or data on website (if one is bases unreadable or maintained); and (c) unusable. notification to major statewide media. Personal Information means an individual’s first name or first initial and last name in combination with any of the following when the data element is not encrypted: (1) SSN; (2) driver’s license number or North Dakota identification card number; (3) account number or credit/debit card number with any required security code, access code or password; (4) the individual’s date of birth; (5) the maiden name of the individual’s mother; (7) an identification number assigned to the individual by the individual’s employer; or (8) the individual’s This document does not replace review of the applicable laws and the US content is based upon Chapter 22 of Andrew Serwin, Information Security and Privacy: A Guide to Federal and State and Compliance, (3 rd ed. West 2009). It does not constitute legal advice.
    • INTERNATIONAL SECURITY BREACH NOTIFICATION SURVEY (UNITED STATES CONTENT AS OF AUGUST 26, 2009) State Notice Requirements Timing of Form of Disclosure Entities that Existing Policies Exemptions from Damages/ Preemption Disclosure Maintain Data Disclosure Enforcement digitized or other electronic signature. PI definition includes electronic signatures and other electronic identifiers. Ohio Any business that owns Notice to be Disclosure to be given A licensor of The Attorney Financial or licenses provided in most in one of the following personal data must General may institutions, trust Ohio Rev. computerized data that expedient time forms: also give notice to bring companies, credit Code Ann. includes Personal possible but no 1) written notice; the owner of the enforcement unions that are § 1349.19 Information of Ohio later than 45 days 2) electronic notice (if data if the Personal actions. required by federal residents must disclose following discovery, consented to); Information was, or law to notify its a breach of a security subject to the 3) telephonic notice; or is reasonably customers of an system to such person if legitimate needs of 4) substitute notice. believed to have information security it is determined that law enforcement been, acquired by breach is exempt such person’s Personal and consistent with Substitute notice is an unauthorized from compliance. Information was, or is any measures permissible only if: (i) person, if it is reasonably believed to necessary to the cost of providing reasonably believed have been, accessed determine the notice would exceed the acquisition will and acquired by an scope of the breach, $250,000; (ii) the cause a material unauthorized person if including which effected class exceeds risk of identity theft the access and residents’ Personal 500,000 persons; or or other fraud to a acquisition causes or is Information was (iii) insufficient contact resident of Ohio. reasonably believed to accessed and information. 
cause a material risk of acquired. identity theft or other Substitute notice must fraud. consist of: (a) email If notice is given to notice (if email This document does not replace review of the applicable laws and the US content is based upon Chapter 22 of Andrew Serwin, Information Security and Privacy: A Guide to Federal and State and Compliance, (3 rd ed. West 2009). It does not constitute legal advice.
    • INTERNATIONAL SECURITY BREACH NOTIFICATION SURVEY (UNITED STATES CONTENT AS OF AUGUST 26, 2009) State Notice Requirements Timing of Form of Disclosure Entities that Existing Policies Exemptions from Damages/ Preemption Disclosure Maintain Data Disclosure Enforcement more than 1,000 addresses are known); persons at one time, the (b) conspicuous posting business must also on website (if one is notify the Consumer maintained); and (c) Protection Division of notification to major the Attorney General’s statewide media. Office and all consumer reporting agencies that Substitute notice is compile data on a also permitted if the nationwide basis. person giving notice is a business with 10 or A breach of the security fewer employees and of the system means costs will exceed unauthorized access to $10,000, in which case and acquisition of the notice will consist computerized data that of a paid advertisement compromises the in a local newspaper security or distributed in the confidentiality of geographic area at Personal Information least once a week for owned or licensed by a three consecutive person and that causes, weeks, posting on the reasonably is believed businesses website and to have caused, or notification to major reasonably is believed media outlets in the will cause a material area. risk of identity theft. Personal Information means an individual's This document does not replace review of the applicable laws and the US content is based upon Chapter 22 of Andrew Serwin, Information Security and Privacy: A Guide to Federal and State and Compliance, (3 rd ed. West 2009). It does not constitute legal advice.
    • INTERNATIONAL SECURITY BREACH NOTIFICATION SURVEY (UNITED STATES CONTENT AS OF AUGUST 26, 2009) State Notice Requirements Timing of Form of Disclosure Entities that Existing Policies Exemptions from Damages/ Preemption Disclosure Maintain Data Disclosure Enforcement name, consisting of the individual's first name or first initial and last name, in combination with and linked to any one or more of the following data elements, when the data elements are not encrypted, redacted, or altered by any method or technology in such a manner that the data Notice in 45 days elements are unreadable: (1) SSN; (2) driver's license number or state identification card number; or (3) account number or credit or debit card number, in combination with and linked to any required security code, access code, or password that would permit access to an individual's financial account. Notice to Other Entities is Required. This document does not replace review of the applicable laws and the US content is based upon Chapter 22 of Andrew Serwin, Information Security and Privacy: A Guide to Federal and State and Compliance, (3 rd ed. West 2009). It does not constitute legal advice.
    • Oklahoma (Okla. Stat. tit. 24, §§ 161 to 166; effective November 2008)

      Notice Requirements: An individual or entity that owns or licenses computerized information that includes Personal Information of Oklahoma residents must disclose any breach of the security of such a system to that person if that person's unencrypted or unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person and that access has caused or is believed will cause identity theft or fraud.

      Encrypted personal information must also be disclosed if the information is acquired and accessed in unencrypted form during a security breach, or if the breach was accomplished by someone with access to an encryption key and the individual or entity believes that such breach has caused or will cause identity theft or fraud.

      Personal information includes the unencrypted or unredacted first name or first initial and last name of a person in combination with: (1) SSN; (2) driver's license or identification number; (3) financial account number or credit/debit card number in combination with any required security code, access code or password.

      Timing of Disclosure: The disclosure must be made without unreasonable delay, consistent with the need to take any measure to determine the scope of the breach and to restore the reasonable integrity of the system. Notice may be delayed if a law enforcement agency determines and advises the individual or entity that notice will impede a criminal or civil investigation or homeland or national security.

      Form of Disclosure: Disclosure to be given in one of the following forms: 1) written notice; 2) electronic notice (if consented to); 3) telephonic notice; or 4) substitute notice. Substitute notice is permissible only if: (i) the cost of providing notice would exceed $50,000; (ii) the affected class exceeds 100,000 persons; or (iii) there is insufficient contact information. Substitute notice must consist of any two of the following: (a) email notice (if email addresses are known); (b) conspicuous posting on website (if one is maintained); and (c) notification to major statewide media.

      Entities that Maintain Data: An entity that maintains data that includes personal information must notify the owner or licensee of the information of any breach of security as soon as practical if it is believed that personal information was accessed and acquired by an unauthorized person.

      Existing Policies: An entity that maintains its own notification procedures as part of an information privacy or security policy for the treatment of information that is consistent with the timing requirements of this law is deemed to be in compliance with the notification requirements of the law if it provides notice in a manner consistent with the law in the event of a security breach. An entity that complies with the notification requirements or procedures pursuant to the rules, regulations, procedures, or guidelines established by the primary or functional federal regulator of the entity shall be deemed to be in compliance with the law.

      Damages/Enforcement: There is no private right of action. Instead, a violation of the notification law may be enforced by the Attorney General or a district attorney as an unlawful practice under the Oklahoma Consumer Protection Act: actual damages resulting from a violation of the act, or a civil penalty not to exceed $150,000 per breach of the security of the systems or series of breaches of a similar nature that are discovered in a single investigation. Violations of the act by state chartered or state licensed financial institutions may only be enforced by the primary state regulator of the institution.

      Preemption: A financial institution that complies with the notification requirements prescribed by the Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice is deemed to be in compliance with this law.
    • Oregon (Or. Rev. Stat. §§ 646A.602 to .604)

      Notice Requirements: Any person that owns or licenses information that includes Personal Information of Oregon residents must disclose a breach of a security system to such person.

      If notice is given to more than 1,000 persons at one time, the business must also notify the Consumer Protection Division of the Attorney General's Office and all consumer reporting agencies that compile data on a nationwide basis.

      Personal Information means a consumer's first name or first initial and last name in combination with any one or more of the following data elements, when the data elements are not rendered unusable through encryption, redaction or other methods, or when the data elements are encrypted and the encryption key has also been acquired: (1) SSN; (2) driver license number or state identification card number issued by the Department of Transportation; (3) passport number or other United States issued identification number; or (4) financial account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to a consumer's financial account. It also means any of the data elements or any combination of these data elements when not combined with the consumer's first name or first initial and last name and when the data elements are not rendered unusable through encryption, redaction or other methods, if the information obtained would be sufficient to permit a person to commit identity theft against the consumer whose information was compromised. It does not include information, other than a Social Security number, in a federal, state or local government record that is lawfully made available to the public.

      Redacted means altered or truncated so that no more than the last four digits of a Social Security number, driver license number, state identification card number, account number or credit or debit card number is accessible as part of the data. Encryption means the use of an algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without the use of a confidential process or key.

      Notice to Other Entities is Required.

      Timing of Disclosure: Disclosure must be made in the most expeditious time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, and consistent with any measures necessary to determine sufficient contact information for the consumers, determine the scope of the breach and restore the reasonable integrity.

      Form of Disclosure: Disclosure to be given in one of the following forms: 1) written notice; 2) electronic notice (if consented to); 3) telephonic notice (if given directly); or 4) substitute notice. Substitute notice is permissible only if: (i) the cost of providing notice would exceed $250,000; (ii) the affected class exceeds 350,000 persons; or (iii) there is insufficient contact information. Substitute notice must consist of: (a) email notice (if email addresses are known); (b) conspicuous posting on website (if one is maintained); and (c) notification to major statewide media.

      A notice must contain at a minimum: (1) a description of the incident in general terms; (2) the approximate date of the breach; (3) the type of personal information obtained; (4) contact information of the person subject to the law; (5) contact information for national consumer reporting agencies; and (6) advice to the consumer concerning the reporting of identity theft. Notice content required.

      Entities that Maintain Data: A licensor of personal data must also give notice to the owner of the data of the occurrence of any breach of security if Personal Information was included in the breach.

      Exemptions from Disclosure: No notice is required if, after investigation and consultation with authorities, the person determines there is no reasonable likelihood of harm to the person whose information was acquired. Documentation must be maintained for 5 years if no notice is provided.

      Preemption: The law does not apply to a person with notification requirements or breach of security procedures that provide greater protection to Personal Information and at least as thorough disclosure requirements pursuant to the rules, regulations, procedures, guidance or guidelines established by the person's primary or functional federal regulator; a person that complies with a state or federal law that provides greater protection to Personal Information and at least as thorough disclosure requirements for a breach of security of Personal Information than that provided by this law; or a person that complies with GLB.

    • Pennsylvania (73 Pa. Stat. Ann. §§ 2301 to 2329)

      Notice Requirements: Any business that owns or licenses computerized data that includes Personal Information of Pennsylvania residents must disclose a breach of a security system to such person if it is determined that such person's Personal Information was, or is reasonably believed to have been, accessed and acquired by an unauthorized person.

      Encryption alone does not necessarily obviate the need for notice. An entity must provide notice of the breach if encrypted information is accessed and acquired in an unencrypted form, if the security breach is linked to a breach of the security of the encryption, or if the security breach involves a person with access to the encryption key.

      If notice is given to more than 1,000 persons at one time, the business must also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.

      A breach is the unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of Personal Information maintained by the entity and that causes, or the entity reasonably believes has caused or will cause, loss or injury to any resident.

      Personal Information means an individual's first name or first initial and last name in combination with any of the following when the data element is not encrypted: (1) SSN; (2) driver's license number or PA identification card number; (3) account number or credit/debit card number with any required security code, access code or password.

      Notice to Other Entities is Required.

      Timing of Disclosure: Notice may be delayed at the request of law enforcement.

      Form of Disclosure: Disclosure to be given in one of the following forms: 1) written notice; 2) electronic notice (if a prior business relationship exists and the person or entity has a valid email address for the individual); 3) telephonic notice (if the customer can reasonably be expected to receive it and the notice is given in a clear and conspicuous manner, describes the incident in general terms and verifies Personal Information but does not require the customer to provide Personal Information, and the customer is provided with a telephone number to call or Internet website to visit for further information or assistance); or 4) substitute notice. Substitute notice is permissible only if: (i) the cost of providing notice would exceed $100,000; (ii) the affected class exceeds 175,000 persons; or (iii) there is insufficient contact information. Substitute notice must consist of: (a) email notice (if email addresses are known); (b) conspicuous posting on website (if one is maintained); and (c) notification to major statewide media.

      Entities that Maintain Data: A licensor of personal data must also give notice to the owner of the data if the Personal Information was, or is reasonably believed to have been, acquired by an unauthorized person.

      Existing Policies: An entity that maintains its own notification procedures that are consistent with the notice requirements is deemed to be in compliance. An entity that complies with the notification requirements or procedures pursuant to the rules, regulations, procedures, or guidelines established by the entity's primary or functional Federal regulator will be in compliance with the act.

      Damages/Enforcement: A violation of the act is an unfair or deceptive act or practice in violation of the Unfair Trade Practices and Consumer Protection Law.

      Preemption: A financial institution that complies with the notification requirements prescribed by the Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice is deemed to be in compliance with the law.

    • Puerto Rico (P.R. Laws Ann. tit. 10, §§ 4051 to 4055)

      Notice Requirements: Owners or custodians of commercial databases which contain a Personal Information archive of citizens residing in Puerto Rico must notify those citizens of a security breach if the database contains a personal information archive that is not protected with a cryptographic code beyond a password.

      A personal information archive is a file containing at least a name or first initial and the last name of a person, combined with any of the following data, without the need to use a special cryptographic code to access it: (1) SSN; (2) driver's license number, electoral card, or an official identification; (3) banking or financial account numbers, with or without the password; (4) user names and passwords to public or private computer systems; (5) medical information protected by HIPAA; (6) tax information; (7) labor evaluations.

      The party must inform the Department of Consumer Affairs within 10 days after a breach of the security system is detected. The Department is required to make a public announcement within the next working day of receiving the information.

      Notice to Other Entities is Required.

      The PI definition includes health, health insurance, tax and certain employment data. The law could be read to include non-computerized data, though it may only apply to computerized data.

      Timing of Disclosure: Notification to clients must be performed in the most expedited manner, considering the need of public order agencies to maintain crime scenes and evidence and the need to reinstate security.

      Form of Disclosure: Disclosure to be given in one of the following forms: (1) written notice; (2) electronic mail or electronic media pursuant to the Digital Signature Act; or (3) substitute notice. Substitute notice is permissible only if: (i) the other forms of notice are too expensive due to the number of affected individuals, the difficulty of locating all affected individuals, or the economic situation of the company or entity; (ii) the cost of providing notices exceeds $100,000; or (iii) the number of affected individuals exceeds 100,000. Substitute notice can be made through: (1) prominent posting on the entity's website; (2) inclusion in any brochure published and sent through postal or electronic mail; or (3) a press release that gives information concerning the situation and contact information. If the information is relevant in a specific commercial or professional sector, the ad must be published through publication or programming targeted to the sector with the biggest circulation.

      Notice must include, as far as possible and subject to the needs of any current investigation or court case: (1) the nature of the situation; (2) the number of clients affected; (3) whether criminal complaints have been filed; (4) what measures are being taken and an estimate of the cost and time to rectify the situation; and (5) if it is known how the information was breached, the right to know which information was compromised. Notice content required.

      Entities that Maintain Data: All entities that resell or provide access to digital databases which contain personal information archives of citizens must notify the owner, custodian or holder of the information of any security breach of the system that allowed access by other unauthorized persons.

      Damages/Enforcement: The Secretary may impose fines from $500 to $5,000 for each violation of the law. These fines do not preclude a consumer from suing for damages.
    • Rhode Island (R.I. Gen. Laws §§ 11-49.2-1 to -7)
      Notice Requirements: Any person that owns or licenses computerized data that includes Personal Information of Rhode Island residents must disclose a breach of a security system to such person if it is determined that such person's Personal Information was, or is reasonably believed to have been, accessed and acquired by an unauthorized person. A breach is the unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of Personal Information maintained by the entity. Personal Information means an individual's first name or first initial and last name in combination with any of the following when the data element is not encrypted: (1) SSN; (2) driver's license number or RI identification card number; or (3) account number or credit/debit card number with any required security code, access code or password.
      Timing of Disclosure: Notification must be prompt and reasonable following determination of the breach. Notification of the breach must be provided in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity, security and confidentiality of the system. Notice can be delayed if instructed by law enforcement agencies.
      Form of Disclosure: Disclosure to be given in one of the following forms: 1) written notice; 2) electronic notice (if consistent with federal law); or 3) substitute notice. Substitute notice is permissible only if: (i) the cost of providing notice would exceed $25,000; (ii) the affected class exceeds 50,000 persons; or (iii) there is insufficient contact information. Substitute notice must consist of: (a) email notice (if email addresses are known); (b) conspicuous posting on a website (if one is maintained); and (c) notification to major statewide media.
      Entities that Maintain Data: Persons that maintain computerized data owned by others that includes Personal Information must give notice to the owner or licensee of the information of any breach immediately following discovery of such breach if the breach poses a significant risk of identity theft and the Personal Information was, or is reasonably believed to have been, acquired by an unauthorized person.
      Existing Policies: If a person maintains notification procedures as part of its information security policy for Personal Information, they may be utilized if otherwise consistent with the timing requirements of this law.
      Exemptions from Disclosure: Notification is not required if, after an appropriate investigation or after consultation with relevant authorities, a determination is made that the breach has not resulted and will not likely result in a significant risk of identity theft.
      Damages/Enforcement: Each violation is a civil violation for which a penalty of not more than $100 per occurrence and not more than $25,000 in total may be granted against a defendant.
      Preemption: A person that maintains a security policy that complies with GLB, HIPAA or certain other federal requirements is deemed to be in compliance.

    • South Carolina (S.C. Code Ann. § 39-1-90; effective July 2009)
      Notice Requirements: A person that conducts business in South Carolina that owns or licenses computerized information containing Personal Identifying Information must disclose a breach of security to a resident of South Carolina whose information that was not rendered unusable through encryption, redaction, or other methods was, or is reasonably believed to have been, acquired by an unauthorized person, when illegal use of the information has occurred or is reasonably likely to occur or use of the information creates a material risk of harm to the resident. Personal Identifying Information is defined in S.C. Code Ann. § 16-13-501, which currently lists specific types of identifying information; however, an amendment passed by the South Carolina Senate amends the statute to define personal information consistent with other states. The amendment defines personal identifying information as the first name or first initial and last name in combination with unencrypted or unredacted (1) SSN; (2) driver's license number or identification number; (3) financial account number or credit/debit card number in combination with a security code, access code, or password that permits access to the account; or (4) other numbers or information that may be used to access the account, or numbers or information issued by a governmental or regulatory entity that uniquely identifies an individual (amended by 2008 South Carolina Laws Act 190 (S.B. 453); the amendment was effective July 1, 2009). If a business provides notice to more than 1,000 persons at one time under this law, the business must notify, without unreasonable delay, the Consumer Protection Division and all consumer reporting agencies that compile and maintain files on a nationwide basis. Notice to other entities is required. Applies to computerized and "other data".
      Timing of Disclosure: Notice of the breach must be provided in the most expedient time possible and without unreasonable delay. This notification may be delayed if a law enforcement agency determines that the notice impedes a criminal investigation.
      Form of Disclosure: Disclosure to be given in one of the following forms: 1) written notice; 2) electronic notice (if it is the primary method of communication or is consistent with federal law); 3) telephone notice; or 4) substitute notice. Substitute notice is permissible only if: (i) the cost of providing notice would exceed $250,000; (ii) the affected class exceeds 500,000 persons; or (iii) there is insufficient contact information. Substitute notice must consist of: (a) email notice (if email addresses are known); (b) conspicuous posting on a website (if one is maintained); and (c) notification to major statewide media.
      Entities that Maintain Data: A person that conducts business in South Carolina and that maintains computerized data which includes personal identifying information must notify the owner or licensee of the information immediately upon discovery of a security breach.
      Existing Policies: A person that maintains its own notification procedures as part of an information security policy for the treatment of personal identifying information that is otherwise consistent with the timing requirements of this law is considered to be in compliance with the law if the person notifies subject persons in accordance with its policies.
      Damages/Enforcement: The Department of Consumer Affairs may impose a fine in the amount of $1,000 for each resident whose information was accessed by the breach in the case of a willful and knowing violation of the statute. A resident of South Carolina injured by a violation of this act may bring an action for damages in the case of a willful and knowing violation, or for actual damages resulting from a negligent violation of the law; may seek an injunction to enforce compliance; and may recover attorneys' fees. Treble damages are available for willful violations of the act, not to exceed $1,000 for each incident. If the injury is to the consumer's credit capacity, character, general reputation, employment options, or eligibility for insurance, and results from the failure to enforce a security freeze, and the failure is not corrected by the consumer credit reporting agency within 10 days after the entry of judgment of damages, the assessed damages must be increased to not more than $1,000 each day until the security freeze is imposed.
      Preemption: This law does not apply to a bank or other financial institution that is subject to and in compliance with GLB. An institution that is in compliance with the federal Interagency Guidance Response Programs for Unauthorized Access to Consumer Information and Customer Notice, issued March 7, 2005, by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of Thrift Supervision is considered to be in compliance with this law.

    • Tennessee (Tenn. Code Ann. § 47-18-2107)
      Notice Requirements: Breaches of security must be disclosed, following discovery or notification of the breach, to any Tennessee resident whose unencrypted Personal Information was, or is reasonably believed to have been, acquired by an unauthorized person. If notice is given to more than 1,000 persons at one time, the business must also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis. Personal Information means an individual's first name or first initial and last name in combination with any of the following when the data element is not encrypted: (1) SSN; (2) driver's license number; or (3) account number or credit/debit card number with any required security code, access code or password. Notice to Other Entities is Required.
      Timing of Disclosure: Notification of the breach must be provided in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity, security and confidentiality of the system. Notice can be delayed if instructed by law enforcement agencies.
      Form of Disclosure: Disclosure to be given in one of the following forms: 1) written notice; 2) electronic notice (if consistent with federal law); or 3) substitute notice. Substitute notice is permissible only if: (i) the cost of providing notice would exceed $250,000; (ii) the affected class exceeds 500,000 persons; or (iii) there is insufficient contact information. Substitute notice must consist of: (a) email notice (if email addresses are known); (b) conspicuous posting on a website (if one is maintained); and (c) notification to major statewide media.
      Entities that Maintain Data: Persons that maintain computerized data owned by others that includes Personal Information must give notice to the owner or licensee of the information of any breach immediately following discovery of such breach if the Personal Information was, or is reasonably believed to have been, acquired by an unauthorized person.
      Existing Policies: If a person maintains notification procedures as part of its information security policy for Personal Information, they may be utilized if otherwise consistent with the timing requirements of this law.
      Damages/Enforcement: Residents injured by a violation may recover damages, as well as injunctive relief to enjoin further actions in violation of the law.
      Preemption: Does not apply to persons who are subject to the provisions of GLB.
    • Texas (Tex. Bus. & Com. Code Ann. § 521.053)
      Notice Requirements: Any person that owns or licenses computerized data that includes sensitive Personal Information of Texas residents must disclose a breach of a security system to such person if it is determined that such person's sensitive Personal Information was, or is reasonably believed to have been, accessed and acquired by an unauthorized person. If notice is given to more than 10,000 persons at one time, the business must also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis. Personal Information means an individual's first name or first initial and last name in combination with (A) any of the following when the data element is not encrypted: (1) SSN; (2) driver's license number; or (3) account number or credit/debit card number with any required security code, access code or password; or (B) information that identifies an individual and relates to physical or mental health or payment for the provision of health care to the individual. "Breach of system security" means "unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity … including data that is encrypted if the person accessing the data has the key required to decrypt the data." Italicized language in the original table is effective Sept. 1, 2009. Notice to Other Entities is Required.
      Timing of Disclosure: Notice should be made as quickly as possible, though it may be delayed if instructed by law enforcement agencies.
      Form of Disclosure: Disclosure to be given in one of the following forms: 1) written notice; 2) electronic notice (if consistent with federal law); or 3) substitute notice. Substitute notice is permissible only if: (i) the cost of providing notice would exceed $250,000; (ii) the affected class exceeds 500,000 persons; or (iii) there is insufficient contact information. Substitute notice must consist of: (a) email notice (if email addresses are known); (b) conspicuous posting on a website (if one is maintained); OR (c) notification to major statewide media.
      Entities that Maintain Data: Any person that maintains computerized data that includes sensitive Personal Information that the person does not own must notify the owner or license holder of the information of any breach immediately after discovering the breach, if the sensitive Personal Information was, or is reasonably believed to have been, acquired by an unauthorized person.
      Existing Policies: If a person maintains notification procedures as part of its information security policy for Personal Information, they may be utilized if otherwise consistent with the timing requirements of this law.
      Damages/Enforcement: Violations are punishable by not less than $2,000 but not more than $50,000 for each violation. The attorney general may bring suit to recover damages. Injunctive relief and attorneys' fees may also be obtained. Other equitable relief may be granted by the court in its discretion. A violation of this law is also considered to be a deceptive trade practice under Section 48.101 of the Texas Business and Commerce Code. Victims of identity theft may seek a declaration from the Texas courts that they were victims of identity theft.

    • Utah (Utah Code Ann. §§ 13-44-101 to -301)
      Notice Requirements: Any person that owns or licenses computerized data that includes Personal Information concerning a Utah resident must, after becoming aware of a breach, conduct a good faith investigation to determine the likelihood that Personal Information has been or will be misused for identity fraud or for a theft or fraud purpose, and provide notice to all affected Utah residents. A breach is the unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of Personal Information maintained by the entity. Personal Information means an individual's first name or first initial and last name in combination with any of the following when the data element is not encrypted: (1) SSN; (2) driver's license number; or (3) account number or credit/debit card number with any required security code, access code or password.
      Timing of Disclosure: Notification of the breach must be provided in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity, security and confidentiality of the system. Notice can be delayed if instructed by law enforcement agencies.
      Form of Disclosure: Notice must be given in writing by first-class mail; electronically, if that is the primary method of communication with the person (and if it complies with federal law); by telephone, including through the use of automatic dialing systems; or by publishing notice in a newspaper of general circulation.
      Entities that Maintain Data: Any person that maintains Personal Information must give notice to the person that owns the information immediately following discovery of a breach, if misuse of the Personal Information is likely to occur.
      Existing Policies: Existing security policies that include notice in the event of a security breach can be followed if they are otherwise consistent with this law, and compliance with any federal law requiring notice is compliance with this statute.
      Damages/Enforcement: The law does not create a private right of action. Civil penalties of $2,500 per violation or series of violations, up to $100,000 in the aggregate, are available.

    • Vermont (Vt. Stat. Ann. tit. 9, §§ 2430 to 2435)
      Notice Requirements: Any person that owns or licenses computerized data that includes Personal Information concerning a Vermont resident shall notify the consumer that there has been a breach of security. If notice is given to more than 1,000 persons at one time, the business must also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis. A breach is the unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of Personal Information maintained by the entity. Personal Information means an individual's first name or first initial and last name in combination with any of the following when the data element is not encrypted: (1) SSN; (2) driver's license number; (3) account number or credit/debit card number if it can be used without any access codes; or (4) account passwords or personal identification numbers or other access codes for a financial account. Notice to Other Entities is Required.
      Timing of Disclosure: Notification of the breach must be provided in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity, security and confidentiality of the system. Notice can be delayed if instructed by law enforcement agencies.
      Form of Disclosure: Disclosure to be given in one of the following forms: 1) written notice; 2) electronic notice; 3) telephonic notice; or 4) substitute notice. Electronic notice is only permissible if a valid email address exists, the person does not have certain contact information, email is the primary means of communication between the parties, the notice does not include a hypertext link to a request that Personal Information be provided, and the notice conspicuously warns consumers not to provide Personal Information in response to the communication. Telephonic notice must be direct (i.e., no prerecorded messages). Substitute notice is permissible only if: (i) the cost of providing notice would exceed $5,000; (ii) the affected class exceeds 5,000 persons; or (iii) there is insufficient contact information. Substitute notice must consist of: (a) email notice (if email addresses are known); (b) conspicuous posting on a website (if one is maintained); OR (c) notification to major statewide media. Notification must include a description of the following: 1) the incident in general terms; 2) the type of Personal Information subject to access or acquisition; 3) the general acts of the business to protect the Personal Information from further unauthorized access or acquisition; 4) a toll-free number that the consumer may call for further information and assistance; and 5) advice that directs the consumer to remain vigilant by reviewing account information and monitoring credit reports. Notice content required.
      Entities that Maintain Data: Any person that maintains computerized data that includes Personal Information that the person does not own must notify the owner or license holder of the information of any breach immediately after discovering the breach. Notification may be delayed at the request of law enforcement.
      Exemptions from Disclosure: Notice is not required if it can be established that misuse of the Personal Information is not possible and notice of such determination is provided to the Vermont attorney general or, for entities licensed in Vermont, the department of banking, insurance, securities and health care administration.
      Damages/Enforcement: The Attorney General and State's Attorneys have enforcement power.
      Preemption: A financial institution that is subject to the following guidance, and any revisions, additions, or substitutions relating to the following interagency guidance, is exempt from this law: the Federal Interagency Guidance Response Programs for Unauthorized Access to Consumer Information and Customer Notice, issued on March 7, 2005, by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision; or the Final Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice, issued on April 14, 2005, by the National Credit Union Administration.

    • Virginia (Va. Code Ann. § 18.2-186.6)
      Notice Requirements: Any individual or entity that owns or licenses computerized data that includes personal information must provide notification if unencrypted or unredacted Personal Information was or is reasonably believed to have been accessed and acquired by an unauthorized person and causes, or is reasonably believed to cause, identity theft or another fraud to a resident of Virginia. Disclosure is also required if encrypted personal information is accessed and acquired in unencrypted form, or if the security breach involves a person with access to the encryption key, and it is reasonably believed that the breach will cause identity theft or fraud. Notification must also be provided to the Office of the Attorney General. If an individual or entity provides notice to more than 1,000 persons at one time under this law, the individual or entity must notify, without unreasonable delay, the Attorney General and all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the timing, distribution, and content of the notice. Notice to Other Entities Is Required.
      Timing of Disclosure: Notice must be given without unreasonable delay. Notice may be reasonably delayed to allow the individual or entity to determine the scope of the breach of the security system and restore the reasonable integrity of the system. Notice may also be reasonably delayed if a law enforcement agency determines and advises the entity or person that the notice will impede a criminal or civil investigation, or homeland or national security.
      Form of Disclosure: Disclosure to be given in one of the following forms: (1) written notice; (2) electronic notice; (3) telephone notice; or (4) substitute notice. Substitute notice is permissible only if: (i) the cost of providing notice would exceed $50,000; (ii) the affected class exceeds 100,000 persons; or (iii) there is insufficient contact information. Substitute notice must consist of: (a) email notice (if email addresses are known); (b) conspicuous posting on a website (if one is maintained); OR (c) notification to major statewide media.
      Entities that Maintain Data: An individual or entity that maintains computerized data that includes personal information that the individual or entity does not own or license must notify the owner or licensee of the information of the breach without unreasonable delay following discovery of the breach.
      Existing Policies: An entity that maintains its own notification procedures as part of an information policy for the treatment of personal information that is consistent with the timing requirements of the law shall be deemed to be in compliance with this law if it provides notifications in accordance with its procedures.
      Exemptions from Disclosure: There is no notice obligation if the entity or individual concludes that there is no reasonable belief that the breach has caused or will cause identity theft or another fraud.
      Damages/Enforcement: The Attorney General may bring an action to enforce this section; a civil penalty of not more than $150,000 per breach, or per series of breaches discovered in a single investigation, may be imposed. An individual may also bring an action to recover direct economic damages resulting from a violation of this law.
      Preemption: An entity subject to GLB that maintains procedures for notification of a breach in accordance with the provisions of the Act and any rules, regulations, or guidelines promulgated thereunder is deemed to be in compliance. An entity that complies with the notification requirements or procedures pursuant to the rules, regulations, procedures, or guidelines established by the entity's primary or functional state or federal regulator shall be in compliance with this law.

    • Washington (Wash. Rev. Code § 19.255.010)
      Notice Requirements: Any person that conducts business in Washington that owns or licenses computerized data that includes Personal Information about a Washington resident must give notice to the affected resident if it becomes aware that Personal Information was, or is reasonably believed to have been, acquired by an unauthorized person. Personal Information means an individual's first name or first initial and last name in combination with any of the following when the data element is not encrypted: (1) SSN; (2) driver's license number or state identification card number; or (3) account number or credit/debit card number with any required security code, access code or password.
      Timing of Disclosure: Notification of the breach must be provided in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the system. Notice can be delayed if instructed by law enforcement agencies.
      Form of Disclosure: Disclosure to be given in one of the following forms: 1) written notice; 2) electronic notice (if consistent with federal law); or 3) substitute notice. Substitute notice is permissible only if: (i) the cost of providing notice would exceed $250,000; (ii) the affected class exceeds 500,000 persons; or (iii) there is insufficient contact information. Substitute notice must consist of: (a) email notice (if email addresses are known); (b) conspicuous posting on a website (if one is maintained); and (c) notification to major statewide media.
      Entities that Maintain Data: Persons that maintain computerized data owned by others that includes Personal Information must give notice to the owner or licensee of the information of any breach immediately following discovery of such breach if the Personal Information was, or is reasonably believed to have been, acquired by an unauthorized person.
      Existing Policies: Existing security policies that include notice in the event of a security breach can be followed if they are otherwise consistent with this law, and compliance with any federal law requiring notice is compliance with this statute.
      Exemptions from Disclosure: No disclosure is required of a technical breach that does not seem reasonably likely to subject customers to a risk of criminal activity.
      Damages/Enforcement: Any customer injured by a violation of this statute may institute a civil action to recover damages. Any business that violates this statute may be enjoined. Waivers of this statute are unenforceable.

    • Washington, D.C. (D.C. Code §§ 28-3851 to -3853)
      Notice Requirements: A person or entity that conducts business in Washington, D.C., owns or licenses computerized data that includes Personal Information, and discovers a breach of a security system must notify any District of Columbia resident whose personal information was included in the breach. Personal information means an individual's first name or first initial and last name, or phone number, or address, in combination with any of the following: (1) SSN; (2) driver's license number or customer identification number; (3) credit/debit card
      Timing of Disclosure: Notification must be made in the most expedient time possible, consistent with the needs of law enforcement and the need to determine the scope of the breach and restore the reasonable integrity of the data system. Notification may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation.
      Form of Disclosure: Disclosure to be given in the following forms: 1) written notice; or 2) electronic notice (if the customer has consented to receipt of electronic notice consistent with provisions regarding electronic records under federal law); or 3) substitute notice. Substitute notice is permissible only if: (i) the cost of providing notice would exceed $50,000; (ii) the affected class exceeds 100,000 persons; or (iii) there is insufficient contact information. Substitute notice must consist of: (a) email
      Entities that Maintain Data: Any person or entity that maintains computerized data that includes personal information that the person does not own shall notify the owner or licensee of the information of any breach.
      Existing Policies: A person or business that maintains its own notification procedures as part of an information security policy for the treatment of personal information, and is otherwise consistent with the timing requirements of this law, is deemed to be in compliance with the notification requirements of this law if the person or business provides notice in compliance with its policy, reasonably calculated to give actual notice.
      Damages/Enforcement: A resident injured by a violation of this law may bring a civil action to recover actual damages, the costs of the action, and reasonable attorneys' fees. Dignitary damages, including pain and suffering, may not be recovered. The Attorney General may petition the Superior Court of the District of Columbia for temporary or permanent injunctive relief
      Preemption: A person or entity that maintains procedures for a breach notification system under GLB and provides notice in accordance with GLB rules, regulations, guidance and guidelines is deemed to be in compliance with the law.
The and an award of number; (4) any other notice (if email notice may be restitution number or code or addresses are known); given by electronic resulting from a combination of numbers (b) conspicuous posting mail if that is the violation of the or codes that allows on website (if one is primary means of law. The Attorney access to or use of an maintained); and (c) communication General may individual’s financial or notification to major with the resident. recover a civil credit account. statewide and if penalty not to appropriate national exceed $100 for If more than 1,000 media. each violation, persons must be the costs of the notified of a breach action, and This document does not replace review of the applicable laws and the US content is based upon Chapter 22 of Andrew Serwin, Information Security and Privacy: A Guide to Federal and State and Compliance, (3 rd ed. West 2009). It does not constitute legal advice.
    • INTERNATIONAL SECURITY BREACH NOTIFICATION SURVEY (UNITED STATES CONTENT AS OF AUGUST 26, 2009) State Notice Requirements Timing of Form of Disclosure Entities that Existing Policies Exemptions from Damages/ Preemption Disclosure Maintain Data Disclosure Enforcement notification must also reasonable be given to all consumer attorney fees. reporting agencies that compile and maintain A waiver of this files on consumers on a provision is null nationwide basis, of the and void. timing, distribution and content of the notices. Notice to other entities required. West Virginia An individual or entity Notice must be Disclosure to be given An individual or An entity that Failure to comply A financial that owns or licenses made without in the following forms: entity that maintains maintains it owns with the notice institution that W. Va. Code computerized data that unreasonable delay computerized data notification provisions of this provides notification §§ 46A-2A-101 includes unencrypted or unless steps are 1) Written notice; or that includes procedures as part law is a violation in accordance with to -105 unredacted personal necessary to 2) Electronic notice (if personalized data of an information of West Virginia’s the notification information must give determine the the notice is provided that the individual privacy or security unfair and guidelines notice of a breach of scope of the breach consistent with Federal or entity does not policy for the deceptive prescribed by the any breach of the and to restore the law); own must give treatment of business practice Federal Interagency security of the system reasonable integrity 3) telephonic notice; or notice to the owner personal law. The attorney Guidance on following discovery or of the system. 3) Substitute notice. 
or licensee of the information and general has Response Programs notification of the information of any that are consistent exclusive for Unauthorized breach to any resident Notice may be Substitute notice is breach of security with the timing authority to Access to Customer of West Virginia whose delayed if a law permissible only if: (i) as soon as requirements of the enforce the law Information and information was or is enforcement agency the cost of providing practicable after the law is deemed to and a civil penalty Customer Notice is reasonably believed to determines and notice would exceed discovery if the be in compliance cannot be deemed to be in have been accessed and advises the $50,000; (ii) the personal with the law if it assessed unless compliance with this acquired by individual or entity effected class exceeds information was or notifies residents in the court finds law. unauthorized individual that the notice will 100,000 persons; or is reasonably accordance with its that the This document does not replace review of the applicable laws and the US content is based upon Chapter 22 of Andrew Serwin, Information Security and Privacy: A Guide to Federal and State and Compliance, (3 rd ed. West 2009). It does not constitute legal advice.
    • INTERNATIONAL SECURITY BREACH NOTIFICATION SURVEY (UNITED STATES CONTENT AS OF AUGUST 26, 2009) State Notice Requirements Timing of Form of Disclosure Entities that Existing Policies Exemptions from Damages/ Preemption Disclosure Maintain Data Disclosure Enforcement or the entity reasonably impede a criminal (iii) insufficient contact believed to have procedures in the defendant has An entity that believes has caused or or civil investigation information. been accessed and event of a security engaged in a complies with the will cause identity theft or homeland or authorized by an breach. course of notification or other fraud. national security. Substitute notice must unauthorized repeated and requirements or consist of any two of person. willful violations. procedures pursuant the following: (a) email A civil penalty to the rules, notice (if email may not exceed procedure, or addresses are known); $150,000 per guidelines (b) conspicuous posting breach or series established by the on website (if one is of related entity’s primary or maintained); and (c) breaches. functional regulator notification to major is deemed to be in statewide media. compliance with this law. Notice must include to the extent possible: (1) a description of the categories of information that were reasonably believed to have accessed or acquired by an unauthorized person; (2) a telephone number or website address that the individual may use to contact the entity or their agent regarding the breach; (3) a toll- free telephone number This document does not replace review of the applicable laws and the US content is based upon Chapter 22 of Andrew Serwin, Information Security and Privacy: A Guide to Federal and State and Compliance, (3 rd ed. West 2009). It does not constitute legal advice.
    • INTERNATIONAL SECURITY BREACH NOTIFICATION SURVEY (UNITED STATES CONTENT AS OF AUGUST 26, 2009) State Notice Requirements Timing of Form of Disclosure Entities that Existing Policies Exemptions from Damages/ Preemption Disclosure Maintain Data Disclosure Enforcement and addresses for major credit organizations and information on how to place a fraud alert or security freeze. Notice content required. Wisconsin If an entity has a Must be given By mail or via a method If an entity stores No notice is Certain entities, principal place of within a reasonable that the entity has data regarding a required if the including financial Wis. Stat. business in Wisconsin, time, but not to previously used to Wisconsin resident, acquisition does institutions § 134.98 the entity maintains or exceed 45 days, communicate with the but does not own or not create a regulated by GLB or licenses Personal after learning of consumer. If a mailing license it, then the material risk of certain other Information in acquisition. Notice address cannot person must give identity theft of regulators are Wisconsin or the may be delayed at reasonably be found, notice as soon as fraud or the exempt. information pertains to request of law and there have been no practicable to the Personal a Wisconsin resident, enforcement prior communications, owner of the data if Information was and it knows there has agencies, in which then the entity may use the person knows acquired in good been an unauthorized case, the 45 days a method reasonably there was an faith by an acquisition of Personal begins to run calculated to provide unauthorized employee or Information, the entity following actual notice to the acquisition. agent if used for a must take reasonable authorization of law consumer. lawful purpose. steps to notify each enforcement to consumer. provide notice. 
Personal Information means an individual’s first name or first initial and last name in This document does not replace review of the applicable laws and the US content is based upon Chapter 22 of Andrew Serwin, Information Security and Privacy: A Guide to Federal and State and Compliance, (3 rd ed. West 2009). It does not constitute legal advice.
    • INTERNATIONAL SECURITY BREACH NOTIFICATION SURVEY (UNITED STATES CONTENT AS OF AUGUST 26, 2009) State Notice Requirements Timing of Form of Disclosure Entities that Existing Policies Exemptions from Damages/ Preemption Disclosure Maintain Data Disclosure Enforcement combination with any of the following when the data element is not encrypted: (1) SSN; (2) driver’s license number or state identification card number; (3) account number or credit/debit card number with any required security code, access code or password; (4) the individual’s deoxyribunocleic acid Notice in 45 days. profile; or (5) the individual’s unique biometric data, including fingerprint, voice print, retina or iris image, or any other unique physical representation. PI definition includes biometric data and genetic data. May include non- computerized data. This document does not replace review of the applicable laws and the US content is based upon Chapter 22 of Andrew Serwin, Information Security and Privacy: A Guide to Federal and State and Compliance, (3 rd ed. West 2009). It does not constitute legal advice.
    • INTERNATIONAL SECURITY BREACH NOTIFICATION SURVEY (UNITED STATES CONTENT AS OF AUGUST 26, 2009) State Notice Requirements Timing of Form of Disclosure Entities that Existing Policies Exemptions from Damages/ Preemption Disclosure Maintain Data Disclosure Enforcement Wyoming Any commercial entity Notification of Disclosure to be given Persons that The attorney Financial institutions that conducts business breach must be in one of the following maintain general may who comply with Wyo. Stat. in Wyoming that owns provided in the forms: computerized data bring an action in requirements of Ann. §§ 40-12- or licenses most expedient 1) written notice; owned by others law or equity to applicable federal 501 to -502 computerized data that time possible and 2) electronic notice (if that includes address any laws (15 U.S.C.A. § includes Personal without consistent with federal Personal violation of the 6809 or 12 U.S.C.A. Information about a unreasonable delay, law); or Information must law and for other § 1752) are deemed Wyoming resident must consistent with the 3) substitute notice. give notice to the relief that may be to be in compliance give notice of a breach legitimate needs of owner or licensee of appropriate. with this statute. to the affected resident law enforcement or Substitute notice is the information of if, after conducting an any measures permissible only if: (i) any breach investigation, necessary to the cost of providing immediately determines the misuse determine the notice would exceed following discovery of Personal Information scope of the breach $10,000 for Wyoming of such breach if the of a Wyoming resident and restore the businesses, and Personal has occurred or is reasonable integrity $250,000 for all other Information was, or reasonably likely to of the system. businesses; (ii) the is reasonably occur. 
Notice can be effected class exceeds believed to have delayed if instructed 10,000 Wyoming based been, acquired by A Breach means an by law enforcement persons and 500,000 an unauthorized unauthorized agencies. persons for all other person. The person acquisition of entities; or (iii) who maintains that computerized data that insufficient contact date and the owner materially compromises information. of the information the security, may agree which confidentiality or Substitute notice must person will provide integrity of personal consist of: (a) email any required notice. identifying information notice (if email maintained by a person addresses are known); or business and causes (b) conspicuous posting This document does not replace review of the applicable laws and the US content is based upon Chapter 22 of Andrew Serwin, Information Security and Privacy: A Guide to Federal and State and Compliance, (3 rd ed. West 2009). It does not constitute legal advice.
    • INTERNATIONAL SECURITY BREACH NOTIFICATION SURVEY (UNITED STATES CONTENT AS OF AUGUST 26, 2009) State Notice Requirements Timing of Form of Disclosure Entities that Existing Policies Exemptions from Damages/ Preemption Disclosure Maintain Data Disclosure Enforcement or is reasonably on website (if one is believed to cause loss or maintained); and (c) injury to a resident of notification to major Wyoming. statewide media (must include a toll-free Personal Information phone number where means an individual’s an individual can learn first name or first initial whether or not the and last name in individual’s personal combination with any of data is include in the the following when the security breach). data element is not encrypted: (1) SSN; (2) driver’s license number or state identification Notices to individuals card number; (3) must include a toll-free account number or number that the credit/debit card individual may use to number with any contact the person required security code, collecting the data, or access code or his agent, and from password; (4) tribal which the individual identification card; or may learn the toll-free (5) federal or state contact numbers and government issued addresses for the major identification card. credit reporting agencies. PI definition includes tribal, federal or state Notice content identification cards. required. This document does not replace review of the applicable laws and the US content is based upon Chapter 22 of Andrew Serwin, Information Security and Privacy: A Guide to Federal and State and Compliance, (3 rd ed. West 2009). It does not constitute legal advice.