Security Breach Laws

Security Breach Notification requirements

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
1,187
On SlideShare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
17
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Security Breach Laws

INTERNATIONAL SECURITY BREACH NOTIFICATION SURVEY: UNITED STATES

This document does not replace review of the applicable laws and the US content is based upon Chapter 22 of Andrew Serwin, Information Security and Privacy: A Guide to Federal and State and Compliance, (3rd ed. West 2009). It does not constitute legal advice.

INTERNATIONAL SECURITY BREACH NOTIFICATION SURVEY (UNITED STATES CONTENT AS OF AUGUST 26, 2009)

The survey is organized as a table with one row per state and the following columns: State; Notice Requirements; Timing of Disclosure; Form of Disclosure; Entities that Maintain Data; Existing Policies; Exemptions from Disclosure; Damages/Enforcement; Preemption. Each row is set out below with the column headings as labels; columns left empty in the survey are omitted.

ALASKA
Alaska Stat. §§ 45.48.010 to .90 (Effective July, 2009)

Notice Requirements: If a breach of an information system containing Personal Information occurs, the breach must be disclosed to each Alaska resident whose personal information was subject to the breach. Personal information is an individual’s first name or first initial and last name in combination with any of the following that is not encrypted, redacted, or secured: (1) SSN; (2) driver’s or identification number; (3) financial account number or credit/debit card number with any required security code, access code, or password; (4) passwords, PINs, or other access codes for financial accounts. If a security breach requires notice to more than 1,000 individuals, notice of the breach must also be provided to all consumer credit reporting agencies that compile and maintain files on consumers on a nationwide basis, and the agencies must be provided with the timing, distribution, and content of the notices. Names and personal information of individuals subject to the breach are not required. Notice to Other Entities. Includes information “in any form”.

Timing of Disclosure: Notification must be given in the most expedient manner and without unreasonable delay. Notification may be delayed to participate in connection with a criminal investigation of the breach.

Form of Disclosure: Disclosure to be given in one of the following forms: 1) written notice; 2) electronic notice (only if this is the primary method of communication with the individual); 3) telephonic; or 4) substitute notice. Substitute notice is permissible only if: (i) the cost of providing notice would exceed $150,000; (ii) the affected class exceeds 300,000 people; or (iii) insufficient contact information. Substitute notice must consist of: (a) email notice (if email addresses are known); (b) conspicuous posting on website (if one is maintained); and (c) notification to major statewide media.

Entities that Maintain Data: Persons that maintain Personal Information are not required to comply with the notice requirements. Instead, upon discovery of the breach they must notify the information owner about the breach and cooperate to the extent necessary to allow the information owner to satisfy the notice requirements.

Exemptions from Disclosure: Disclosure is not required if, after an appropriate investigation, and after written notification to the attorney general, it is determined that there is not a reasonable likelihood that harm to the consumers whose personal information has been acquired has resulted or will result from the breach. No likelihood of harm PLUS written notification to AG.

Damages/Enforcement: Violation of the statute is considered a violation of Alaska’s unfair or deceptive practices act. However, the information owner is not subject to civil penalties and damages under the statute and instead is liable to the state for a civil penalty of up to $500 for each Alaska resident who was not notified, in an amount not to exceed $50,000. Damages that can be awarded under the statute are limited to actual economic damages that do not exceed $500.

ARIZONA
Ariz. Rev. Stat. § 44-7501

Notice Requirements: Notification must be given to affected persons by those who own or license unencrypted data that includes Personal Information once that person becomes aware of an incident of unauthorized acquisition AND access to unencrypted information that includes Personal Information. Personal Information is any individual’s first name or first initial and last name in combination with any of the following elements that is not encrypted, redacted or secured: (1) SSN; (2) driver’s license number or identification number; (3) financial account number or credit/debit card number with any required security code, access code or password.

Timing of Disclosure: Notification must be given in the most expedient manner and without unreasonable delay. Notification may be delayed to participate in connection with a criminal investigation of the breach.

Form of Disclosure: Disclosure to be given in one of the following forms: 1) written notice; 2) electronic notice (only if this is the primary method of communication with the individual); 3) telephonic; or 4) substitute notice. Substitute notice is permissible only if: (i) the cost of providing notice would exceed $100,000; (ii) the affected class exceeds 100,000 people; or (iii) insufficient contact information. Substitute notice must consist of: (a) email notice (if email addresses are known); (b) conspicuous posting on website (if one is maintained); and (c) notification to major statewide media.

Entities that Maintain Data: Persons that maintain unencrypted Personal Information are obligated to cooperate with the owner of the information with respect to any breach. The person maintaining the information is only required to provide notice of a breach if the agreement with the owner of the information so requires.

Existing Policies: If notification procedures are included in a person’s security policy, that person is in compliance with the notification requirements in Arizona if individuals are notified in accordance with those procedures.

Exemptions from Disclosure: Disclosure is not required if, after a reasonable investigation, it is determined that a breach did not occur or is not reasonably likely to occur.

Damages/Enforcement: Actual damages and a civil penalty not to exceed $10,000 per breach or series of breaches of a similar nature that are discovered in a single investigation.

Preemption: If a person is in compliance with guidelines established by the primary or functional federal regulator, such person is deemed in compliance with this law.

ARKANSAS
Ark. Code §§ 4-88-113, -10-105

Notice Requirements: Breaches of security systems that include Personal Information must be disclosed to the affected parties following discovery of the breach if unencrypted Personal Information was, or is reasonably believed to have been, acquired by an unauthorized person. Personal Information means an individual’s first name or first initial and last name in combination with any of the following non-redacted or non-encrypted elements: (1) SSN; (2) driver’s license number or Arkansas identification card number; (3) account number or credit/debit card number with any required security code, access code or password; or (4) medical information. PI definition includes health data.

Timing of Disclosure: Notification must be given in the most expedient manner and without unreasonable delay. Notification may be delayed to participate in connection with a criminal investigation of the breach.

Form of Disclosure: Disclosure to be given in one of the following forms: 1) written notice; 2) electronic notice (if consistent with federal electronic signature laws); or 3) substitute notice. Substitute notice is permissible only if: (i) the cost of providing notice would exceed $250,000; (ii) the affected class exceeds 500,000 people; or (iii) insufficient contact information. Substitute notice must consist of: (a) email notice (if email addresses are known); (b) conspicuous posting on website (if one is maintained); and (c) notification to major statewide media.

Entities that Maintain Data: Any person that maintains Personal Information must give notice to the person that owns the information immediately following discovery of a breach.

Existing Policies: Data owners are permitted to utilize their own notification procedures if the procedures are part of an information security policy and the policy is otherwise consistent with the timing required by Arkansas law.

Exemptions from Disclosure: No notice is required if, after a reasonable investigation, the person determines there is no reasonable likelihood of harm.

Damages/Enforcement: Violators of the law are guilty of a Class A misdemeanor. Civil enforcement actions may also be brought.

Preemption: Arkansas law does not apply to businesses regulated by a state or federal law that provides greater protection to Personal Information and at least as thorough disclosure requirements than otherwise provided by Arkansas law.

CALIFORNIA
Cal. Civ. Code § 1798.82

Notice Requirements: Law applies to any Company that conducts business in California. If an owner (i) conducts business in CA; (ii) owns or licenses unencrypted computer information; and (iii) the data contains Personal Information regarding a resident, then disclosure is required. Also, if there is a security breach of a system containing Personal Information and it is known or reasonably believed that Personal Information has been acquired, then disclosure must also be made. Personal Information means an individual’s first name or middle initial combined with a last name and any of the following: (1) SSN; (2) CA driver’s license number or identification card number; (3) account number or credit/debit card number with any required security code, access code or password; (4) medical information; (5) health insurance information. PI definition includes health and health insurance information.

Timing of Disclosure: Disclosure to be made as expediently as possible, and without unreasonable delay, unless there is a concern that disclosure will impede a criminal investigation.

Form of Disclosure: Disclosure to be given in one of the following forms: 1) written notice; 2) electronic notice (if consistent with federal electronic signature laws); or 3) substitute notice. Substitute notice is permissible only if: (i) the cost of providing notice would exceed $250,000; (ii) the affected class exceeds 500,000 people; or (iii) insufficient contact information. Substitute notice must consist of: (a) email notice (if email addresses are known); (b) conspicuous posting on website (if one is maintained); and (c) notification to major statewide media.

Entities that Maintain Data: Any person that maintains Personal Information must give notice to the person that owns the information immediately following discovery of a breach.

Existing Policies: Data owners may continue using their own disclosure regimes if they are part of a broader information security policy, but only if the policy is consistent with the timing requirements of California law.

Exemptions from Disclosure: Compliance cannot be waived by the affected individual.

Damages/Enforcement: Any consumer injured by a violation of this law can bring a civil action to recover damages.

CALIFORNIA (MEDICAL INFORMATION)
Cal. Health & Safety Code § 1280.15

Notice Requirements: A clinic, health facility, home health agency, or hospice licensed under California law must prevent unlawful or unauthorized access to, use of, and disclosure of patients’ medical information. Such organizations must also report to the State Department of Public Health and to the affected patient or patient’s representative any unlawful or unauthorized access, use, or disclosure of medical information. Medical information means any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient’s medical history, mental or physical condition, or treatment. Individually identifiable means that the medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the patient’s name, address, electronic mail address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the individual’s identity.

Timing of Disclosure: Report to the State Department of Public Health must be made no later than 5 days after the unlawful or unauthorized access, use, or disclosure was detected. Report must be made to the affected patient or patient’s representative at the last known address no later than 5 days after the unlawful or unauthorized access, use, or disclosure was detected.

Damages/Enforcement: The State Department of Public Health, after investigation, may assess an administrative penalty for a violation of up to $25,000 per patient whose medical information was unlawfully or without any authorization accessed, used, or disclosed; and up to $17,500 per subsequent occurrence of unlawful or unauthorized access, use, or disclosure of that patient’s medical information. Following the initial 5 day reporting period, the State Department of Public Health may assess a penalty in the amount of $100 for each day that the unlawful or unauthorized access, use, or disclosure is not reported. The total combined penalty assessed by the State Department of Public Health must not exceed $250,000 per reported event. Within 10 days of receipt of a penalty assessment a hearing may be requested to dispute a determination by the State Department of Public Health regarding a failure to prevent or failure to timely report unlawful or unauthorized access to, use of, or disclosure of patients’ medical information, or the imposition of a penalty. In lieu of disputing the determination of the State Department of Public Health regarding a failure to prevent or failure to timely report unlawful or unauthorized access to, use of, or disclosure of patients’ medical information, the organization may transmit to the department 75% of the total amount of the administrative penalty for each violation, within 30 days of receipt of the administrative penalty. The State Department of Public Health may refer violations to the Office of Health Information Integrity for enforcement.

COLORADO
Colo. Rev. Stat. § 6-1-716

Notice Requirements: Notice requirements apply to entities that conduct business in Colorado who own or license computerized data that includes Personal Information. If notification is to be given to more than 1,000 Colorado residents, the data owner must also notify all consumer reporting agencies. Personal Information means an individual’s first name or first initial and last name in combination with any of the following non-redacted or non-encrypted elements: (1) SSN; (2) driver’s license number or identification card number; or (3) account number or credit/debit card number with any required security code, access code or password. Notice to Other Entities is required.

Timing of Disclosure: Disclosure to be made as expediently as possible, and without unreasonable delay, unless there is a concern that disclosure will impede a criminal investigation.

Form of Disclosure: Disclosure to be given in one of the following forms: 1) written notice; 2) telephonic notice; 3) electronic notice (if it is a primary means of communication or it is consistent with federal electronic signature laws); or 4) substitute notice. Substitute notice is permissible only if: (i) the cost of providing notice would exceed $250,000; (ii) the affected class exceeds 250,000 Colorado residents; or (iii) insufficient contact information. Substitute notice must consist of: (a) email notice (if email addresses are known); (b) conspicuous posting on website (if one is maintained); and (c) notification to major statewide media.

Entities that Maintain Data: Any person that maintains Personal Information must give notice to the person that owns the information immediately following discovery of a breach, if misuse of Personal Information is likely to occur.

Existing Policies: Data owners who maintain their own notification procedures which are consistent with the timing requirements of Colorado law are deemed to be in compliance with the notice requirements if notification is provided in accordance with their policies.

Exemptions from Disclosure: No notification is required if it is determined (after reasonable investigation) that the breach did not occur or is not reasonably likely to occur.

Damages/Enforcement: The Attorney General may bring an action to address violations of this section and for other relief that may be appropriate to ensure compliance with the law.

Preemption: A data owner who is regulated by state or federal law and who maintains procedures for breaches pursuant to the laws, rules, regulations, guidance or guidelines established by the applicable principal regulator is deemed to be in compliance with this statute.

CONNECTICUT
Conn. Gen. Stat. Ann. § 36a-701b

Notice Requirements: Notice requirements apply to entities that conduct business in Connecticut who own, license or maintain computerized data that includes Personal Information. Personal Information means an individual’s first name or first initial and last name in combination with any of the following: (1) SSN; (2) driver’s license number or identification card number; or (3) account number or credit/debit card number with any required security code, access code or password.

Timing of Disclosure: Disclosure to be made without unreasonable delay, subject to delay at the request of law enforcement agencies and the completion of investigations to determine the nature of the breach. If notice is delayed, it may only be given after approval by the applicable law enforcement agency.

Form of Disclosure: Disclosure to be given in one of the following forms: 1) written notice; 2) telephonic notice; 3) electronic notice (if it is consistent with federal electronic signature laws); or 4) substitute notice. Substitute notice is permissible only if: (i) the cost of providing notice would exceed $250,000; (ii) the affected class exceeds 500,000 persons; or (iii) insufficient contact information. Substitute notice must consist of: (a) email notice (if email addresses are known); (b) conspicuous posting on website (if one is maintained); and (c) notification to major statewide media.

Entities that Maintain Data: Any person that maintains Personal Information must give notice to the person that owns the information immediately following discovery of a breach, if the Personal Information was, or is reasonably believed to have been, accessed by an unauthorized person.

Existing Policies: Data owners who maintain their own notification procedures which are consistent with the timing requirements of Connecticut law are deemed to be in compliance with the notice requirements if notification is provided in accordance with their policies.

Exemptions from Disclosure: Notice is not required if, after investigation and consultation with relevant federal, state and local agencies responsible for law enforcement, the person determines that it will not result in harm to the affected individuals.

Damages/Enforcement: Failure to comply with Connecticut law is considered an unfair trade practice for purposes of section 42-110b of Connecticut’s general statutes and will be enforced by the Attorney General.

Preemption: Any business that complies with procedures pursuant to GLB is deemed to be in compliance with Connecticut law.

DELAWARE
Del. Code Ann. tit. 6, §§ 12B-101 to -104

Notice Requirements: Notice requirements apply to entities that conduct business in Delaware who own, license or maintain computerized data that includes Personal Information. A breach of a security system means the unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity of the Personal Information maintained by an individual. Personal Information means an individual’s first name or first initial and last name in combination with any of the following, when either the name or the element is not encrypted: (1) SSN; (2) DE driver’s license number or DE identification card number; (3) account number or credit/debit card number with any required security code, access code or password; or (4) individually identifiable information regarding medical history. PI definition includes health data.

Timing of Disclosure: Disclosure to be made in the most expedient time and without unreasonable delay, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach and restore the integrity of the system. If notice is delayed by law enforcement, it may only be given after approval by the applicable law enforcement agency.

Form of Disclosure: Disclosure to be given in one of the following forms: 1) written notice; 2) telephonic notice; 3) electronic notice (if it is consistent with federal electronic signature laws); or 4) substitute notice. Substitute notice is permissible only if: (i) the cost of providing notice would exceed $75,000; (ii) the affected class exceeds 100,000 persons; or (iii) insufficient contact information. Substitute notice must consist of: (a) email notice (if email addresses are known); (b) conspicuous posting on website (if one is maintained); and (c) notification to major statewide media.

Entities that Maintain Data: Any person that maintains Personal Information must give notice to the person that owns the information immediately following discovery of a breach, if the Personal Information was, or is reasonably believed to have been, acquired by an unauthorized person.

Existing Policies: Data owners who maintain their own notification procedures which are consistent with the timing requirements of Delaware law are deemed to be in compliance with the notice requirements if notification is provided in accordance with their policies.

Damages/Enforcement: Enforcement actions may be brought by Delaware residents, in which case damages are tripled and reasonable attorneys’ fees are also recoverable. The Attorney General may also bring actions to address violations.

Preemption: A data owner who is complying with provisions of a federal or state law that provide greater protection than Delaware law will be deemed to be in compliance with Delaware law. However, this does not relieve an individual or a commercial entity from a duty to comply with other requirements of state and federal law regarding the protection and privacy of Personal Information.

FLORIDA
Fla. Stat. § 817.5681

Notice Requirements: Notice is required if an unauthorized person obtains Personal Information from a system that contains unencrypted computerized data. A reasonable belief of breach is sufficient to trigger notice requirements. If the breach affects more than 1,000 Florida residents, notification must also be given to the appropriate credit reporting agencies. Personal Information means an individual’s first name or middle initial combined with a last name and any of the following: (1) SSN; (2) FL driver’s license number or identification card number; or (3) account number or credit/debit card number with any required security code, access code or password. Notice to other entities required.

Timing of Disclosure: Notification is to be made within 45 days of the discovery of the breach, subject to: (i) legitimate needs of law enforcement, and (ii) measures needed to determine the nature, presence and scope of the breach and to restore the reasonable integrity of the system. The following civil penalties apply to untimely notice: (1) $1,000 per day for the first 30 day period; (2) $50,000 for each 30 day period thereafter up to 180 days; or (3) up to $500,000 if notice is not given within 180 days. Penalties are per breach, not per individual. Notice within 45 days, with exceptions.

Form of Disclosure: Disclosure to be given in one of the following forms: 1) written notice; 2) electronic notice (if it is consistent with federal electronic signature laws); or 3) substitute notice. Substitute notice is permissible only if: (i) the cost of providing notice would exceed $250,000; (ii) the affected class exceeds 500,000 persons; or (iii) insufficient contact information. Substitute notice must consist of: (a) email notice (if email addresses are known); (b) conspicuous posting on website (if one is maintained); and (c) notification to major statewide media.

Entities that Maintain Data: Any person that maintains Personal Information for others must give notice to the person that owns the information within 10 days of receiving actual knowledge or a reasonable belief of a breach. Either the owner of the information or the party maintaining the information may provide notice, though if there is no agreement regarding the obligated party, the entity with the direct business relationship with the consumer must provide the notice.

Existing Policies: Data owners who maintain their own notification procedures which are consistent with the timing requirements of Florida law are deemed to be in compliance with the notice requirements if notification is provided in accordance with their policies.

Exemptions from Disclosure: No notice is required if, after consultation with law enforcement, it is reasonably determined that the breach has not and will not likely result in harm to the affected individuals. If this exemption is relied upon, it must be put in writing and maintained by the Company for a period of 5 years.

Damages/Enforcement: The notice must be given within 45 days of the discovery of the breach unless one of these two exceptions applies. If notice is not given within this timeframe there are civil penalties available, up to a total of $500,000, as follows: (i) $1,000 per day for the first 30 day period; (ii) $50,000 for each 30 day period thereafter up to 180 days; or (iii) up to $500,000 if notice is not given within 180 days. The penalties apply per breach, not per affected individual. These penalties do not apply to the government, but can apply to certain entities that have entered a contract with the government.

Preemption: A data owner who is regulated by federal law and who maintains procedures for breaches pursuant to the laws, rules, regulations, guidance or guidelines established by the applicable principal regulator is deemed to be in compliance with this statute.

GEORGIA
Ga. Code Ann. §§ 10-1-912, 46-5-210

Notice Requirements: A person that maintains computerized data that includes Personal Information of individuals must give notice of any breach of the security of the system, following discovery or notification of the breach, to any resident of Georgia whose Personal Information was or is reasonably believed to have been acquired by an unauthorized person.

Timing of Disclosure: Disclosure to be made in the most expedient time and without unreasonable delay, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach and restore the integrity of the system. If notice is

Form of Disclosure: Disclosure to be given in one of the following forms: 1) written notice; 2) telephonic notice; 3) electronic notice (if it is consistent with federal electronic signature laws); or 4) substitute notice. Substitute notice is permissible only if: (i) the cost of providing notice would exceed $50,000; (ii) the

Entities that Maintain Data: Any person that maintains Personal Information must give notice to the person that owns the information within 24 hours following discovery of a breach, if the Personal Information was, or is reasonably believed to have been, acquired by an unauthorized person.

Existing Policies: Data owners who maintain their own notification procedures which are consistent with the timing requirements of Georgia law are deemed to be in compliance with the notice requirements if notification is provided in accordance with their policies.

Damages/Enforcement: Violations constitute an unfair or deceptive practice in consumer transactions under the Fair Business Practices Act.
delayed by law effected class exceeds enforcement, may 100,000 persons; or only be given after (iii) insufficient contact If notification must be approval by the information. given to more than applicable law 10,000 Georgia enforcement Substitute notice must residents with respect agency. consist of: (a) email to any single breach, notice (if email notice must also be addresses are known); given to all consumer (b) conspicuous posting reporting agencies. on website (if one is maintained); and (c) A breach is an notification to major unauthorized statewide media. This document does not replace review of the applicable laws and the US content is based upon Chapter 22 of Andrew Serwin, Information Security and Privacy: A Guide to Federal and State and Compliance, (3 rd ed. West 2009). It does not constitute legal advice.
  18. 18. INTERNATIONAL SECURITY BREACH NOTIFICATION SURVEY (UNITED STATES CONTENT AS OF AUGUST 26, 2009) State Notice Requirements Timing of Form of Disclosure Entities that Existing Policies Exemptions from Damages/ Preemption Disclosure Maintain Data Disclosure Enforcement acquisition of computerized data that compromises the security, confidentiality or integrity of Personal Information. Personal Information means an individual’s first name or first initial and last name in combination with any of the following, when either the name or the element is not encrypted: (1) SSN; (2) GA driver’s license number or GA identification card number; (3) account number or credit/debit card number if they can be used without access codes or passwords; (4) account passwords or personal identification numbers or other access codes; or (5) any of the above when not in connection with the first This document does not replace review of the applicable laws and the US content is based upon Chapter 22 of Andrew Serwin, Information Security and Privacy: A Guide to Federal and State and Compliance, (3 rd ed. West 2009). It does not constitute legal advice.
  19. 19. INTERNATIONAL SECURITY BREACH NOTIFICATION SURVEY (UNITED STATES CONTENT AS OF AUGUST 26, 2009) State Notice Requirements Timing of Form of Disclosure Entities that Existing Policies Exemptions from Damages/ Preemption Disclosure Maintain Data Disclosure Enforcement name or last name, if the information would be sufficient to perform or attempt to perform identity theft against the person. Notice to Other Entities is Required. Hawaii Notice requirements Disclosure to be Disclosure to be given Any person that The Attorney The following are apply to any business made without in one of the following maintains Personal General or the deemed in Haw. Rev. that owns or licenses unreasonable delay, forms: Information must Director of the compliance: Stat. §§ 487N- Personal Information of subject to delay at 1) written notice; give notice to the Office of 1 to -4 residents of Hawaii, any the request of law 2) telephonic notice; person that owns Consumer 1) a financial business that conducts enforcement 3) electronic notice (if it the information Protection may institution that is business in Hawaii that agencies and the is consistent with immediately bring actions subject to the owns, licenses or completion of federal electronic following discovery under this law. Federal Guidance on maintains computerized investigations to signature laws); or of a breach. Response Programs data that includes determine nature of 4) substitute notice. for Unauthorized Personal Information breach. If notice is Access to Consumer and governmental delayed, may only Information and agencies that collect be given after Customer Notice Personal Information. approval by the Substitute notice is Damages are published by the applicable law permissible only if: (i) limited to actual Federal Register on If notification must be enforcement the cost of providing damages March 29, 2005; given to more than agency. 
notice would exceed sustained as a and 1,000 Hawaii residents $100,000; (ii) the result of violation. 2) health plans and with respect to any effected class exceeds healthcare providers single breach, notice 200,000 persons; or that are subject to This document does not replace review of the applicable laws and the US content is based upon Chapter 22 of Andrew Serwin, Information Security and Privacy: A Guide to Federal and State and Compliance, (3 rd ed. West 2009). It does not constitute legal advice.
  20. 20. INTERNATIONAL SECURITY BREACH NOTIFICATION SURVEY (UNITED STATES CONTENT AS OF AUGUST 26, 2009) State Notice Requirements Timing of Form of Disclosure Entities that Existing Policies Exemptions from Damages/ Preemption Disclosure Maintain Data Disclosure Enforcement must also be given to (iii) insufficient contact and in compliance the State of Hawaii’s information. with the standards Office of Consumer for privacy of Protections and all Substitute notice must individually consumer reporting consist of: (a) email identifiable health agencies. notice (if email information and the addresses are known); security standards (b) conspicuous posting for the protection of Personal Information on website (if one is electronic health means an individual’s maintained); and (c) information. first name or first initial notification to major and last name in statewide media. combination with any of the following, when Notice must be clear either the name or the and include the element is not following: (i) the encrypted: (1) SSN; (2) incident in general HI driver’s license terms; (ii) the type of number or HI Personal Information identification card that was subject to the number; or (3) account breach; (iii) the acts of number or credit/debit the business to protect card number with any the Personal required security code, Information; (iv) a access code or telephone number to password. call for further information; and (v) Notice to Other Entities advice that directs the is Required. person to remain vigilant by reviewing This document does not replace review of the applicable laws and the US content is based upon Chapter 22 of Andrew Serwin, Information Security and Privacy: A Guide to Federal and State and Compliance, (3 rd ed. West 2009). It does not constitute legal advice.
