Careers

Diversity, Equity & Inclusion

Experience

Innovation

Interactive Maps

Locations

About

Pages

Meet our team of innovators
Ask us how we do it

Professionals

Insights

Services

Thompson Hine LLP, a full-service business law firm with approximately 400 lawyers in 8 offices, was ranked number 1 in the category “Most innovative North American law firms: New working models” by The Financial Times and was 1 of 7 firms shortlisted for The American Lawyer’s inaugural Legal Services Innovation Award. The firm has been recognized by the National Law Journal as a Legal Technology Trailblazer and featured by Bloomberg for its innovative service delivery models, which drive accuracy and predictability. The firm’s commitment to innovation is embodied in Thompson Hine SmartPaTHTM – a smarter way to work – predictable, efficient and aligned with client goals. For more information, please visit ThompsonHine.com and ThompsonHine.com/SmartPaTH.

Home | Thompson Hine LLP

Atlanta

Chicago

Cincinnati

Cleveland

Columbus

Dayton

Los Angeles

Minneapolis

New York

Washington, D.C.

The California Consumer Privacy Act of 2018 (CCPA) provides California residents with a broad range of data privacy rights and is one of the most comprehensive data protection laws in the United States.

contentpilot/introduction

Pursuant to the CCPA, California residents now have rights related to <strong>accessing</strong> personal data, requesting the <strong>deletion</strong> of personal data, receiving <strong>notice</strong> of data processing activities, and <strong>opting out</strong> from the sale of data.

core/paragraph

On November 3, 2020, California voters approved Proposition 24, also known as the&nbsp;<strong>California Privacy Rights Act of 2020</strong>&nbsp;(CPRA), which amends and expands upon the CCPA. In particular, the CPRA establishes new data privacy rights for California residents (e.g., rectification, do not “share” rights, limits on use of sensitive data), imposes new obligations and liabilities on businesses and service providers, and creates a regulatory agency empowered to enforce California privacy law and prosecute noncompliance. The new regulatory agency, the&nbsp;<strong>California Privacy Protection Agency</strong>, is vested with full administrative power, authority, and jurisdiction to implement and enforce the CCPA (as amended by the CPRA).

The CPRA becomes operative on January 1, 2023, and, with some exceptions, will apply to California residents’ personal information collected by organizations after January 1, 2022.

<em><strong>California is one of the largest economies in the world. Is your business impacted by the CCPA?</strong></em> If so, here are just a few ways that Thompson Hine can help:

core/heading

core/list-item

Verifying and responding to data requests

core/list

<a href="https://admin.thompsonhine.com/wp-content/uploads/2024/02/The-California-Pen-Trap-Law-and-Website-Privacy-Litigation.pdf" target="_blank" rel="noreferrer noopener">Open Letter to Business Leaders &amp; Corporate Counsel: California’s Pen/Trap Law Inapplicable to Web Ad Cookies &amp; Pixels</a>

<a href="https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?lawCode=CIV&amp;division=3.&amp;title=1.81.5.&amp;part=4.&amp;chapter=&amp;article=" target="_blank" rel="noreferrer noopener">CCPA Statute</a><a href="https://oag.ca.gov/privacy/ccpa/regs" target="_blank" rel="noreferrer noopener"></a>

<a href="https://oag.ca.gov/privacy/ccpa/regs" target="_blank" rel="noreferrer noopener">CCPA Regulations</a>

<a href="https://cppa.ca.gov/regulations/" target="_blank" rel="noreferrer noopener">CPRA Regulations</a><a href="https://oag.ca.gov/system/files/initiatives/pdfs/19-0021A1%20%28Consumer%20Privacy%20-%20Version%203%29_1.pdf" target="_blank" rel="noreferrer noopener"></a>

<a href="https://admin.thompsonhine.com/wp-content/uploads/2022/09/2023-U.S.-State-Data-Protection-Laws_A-Summary-of-Opt-Out-Rights-and-Preference-Signal-Requirements_Thompson-Hine.pdf" target="_blank" rel="noreferrer noopener">Summary of Opt-Out Rights &amp; Preference Signal Requirements</a>

core/image

core/column

core/columns

<strong>If your organization has suffered a data breach or incident, please contact us at any time (24/7) at <a href="mailto:DataBreachResponse@ThompsonHine.com">DataBreachResponse@ThompsonHine.com</a> or fill out our online form below.</strong>

core/separator

Have a question regarding privacy or cybersecurity issues? 

Privacy and Cybersecurity form

gravityforms/form

We respect your privacy. For a summary of what information we collect about you, the limited times when we may share it with others, and how we protect your privacy, please click on <a href="https://www.thompsonhine.com/privacy-policy/" target="_blank" rel="noreferrer noopener">“Privacy Policy.”</a>

contentpilot/accordion

California Consumer Privacy Act (CCPA) Compliance

Opting In to CIPA Risk Mitigation After New Precedent

Judge Reverses Ruling on Punitive Damages in California Invasion of Privacy Act (CIPA) Case

New Ruling on Punitive Damages and Attorney Fees in California Invasion of Privacy Act (CIPA) Case

Recent Holdings on the California Invasion of Privacy Act (CIPA)

California Has A Duty To Curtail Frivolous CIPA Suits

CPPA Releases First Enforcement Advisory

California Pen/Trap Law and Website Privacy Litigation

Effective Immediately: California Privacy Protection Agency Resumes Authority to Enforce Privacy Regulations

Major Changes to California Privacy Laws

California Announces Privacy Audits of Connected Vehicles and Related Technologies

California Investigates Employee/HR Data Processing in Privacy Enforcement Actions

California Privacy Law Enforcement Delayed Until 2024

California and Colorado Finalize Privacy Regulations

California Consumer Privacy Act Enforcement and Preparing for 2023 Data Privacy Rules

CCPA Enforcement and Preparing for 2023 Data Privacy Rules

California Issues New Draft Privacy Regulations

California Voters Approve New Data Privacy Law

California Legislature Extends CCPA’s Exemptions for Personal Information in the Employment and Business-to-Business Context

Final CCPA Regulations Approved Effective Immediately

California Releases Final CCPA Regulations Ahead of July 1 Enforcement Deadline

California Attorney General Publishes Modifications to CCPA Regulations

California’s New Data Privacy Law Coming into Focus

California’s New Privacy Law: Recent Amendments and Approaching Compliance Deadlines

Practices

Data Protection Management & Compliance

<p><strong>A survey of U.S. Federal and State Laws, Statutes, and Regulations Governing Data Breach Notification, Biometric Information, Cybersecurity, and Data Privacy*</strong></p>
<p><em>*The content is for general information purposes only and does not constitute legal or professional advice.</em></p>



<h2 class="wp-block-heading">Data Breach Requirements: Wyo. Stat. Ann. §§ 40-12-501 &#8211; 502, and 6-3-901(b)(iii) to (xiv).</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute.</p>



<h3 class="wp-block-heading">Personal Information</h3>



<p>The term “personal identifying information” means the first name or first initial and last name of a person in combination with one (1) or more of the data elements specified in W.S. 6-3-901(b)(iii) through (xiv), when the data elements are not redacted.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>W.S. 6-3-901(b):<br>(iii) Social Security number;<br>(iv) Driver’s license number;<br>(v) Account, credit card, or debit card number in combination with any security code, access code or password that would allow access to a financial account of the person;<br>(vi) Tribal identification card;<br>(vii) Federal or state government issued identification card;<br>(viii) Shared secrets or security tokens that are known to be used for databased authentication;<br>(ix) A username or email address, in combination with a password or security question and answer that would permit access to an online account;<br>(x) A birth or marriage certificate;<br>(xi) Medical information, meaning a person’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional;<br>(xii) Health insurance information, meaning a person’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the person or information related to a person’s application and claims history;<br>(xiii) Unique biometric data, meaning data generated from measurements or analysis of human body characteristics for authentication purposes; or<br>(xiv) An individual taxpayer identification number.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security Breach Definition</h3>



<p>The term “breach of the security of the data system” means unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal identifying information maintained by a person or business and causes or is reasonably believed to cause loss or injury to a resident of this state.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Good Faith Exception</h3>



<p>Good faith acquisition of personal identifying information by an employee or agent of a person or business for the purposes of the person or business is not a breach of the security of the data system, provided that the personal identifying information is not used or subject to further unauthorized disclosure.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Risk of Harm Analysis</h3>



<p>An individual who or commercial entity that conducts business in Wyoming and owns or licenses computerized data that includes personal identifying information about a resident of Wyoming shall, when it becomes aware of a breach of the security of the system, conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal identifying information has been or will be misused. If the investigation determines that the misuse of personal identifying information about a Wyoming resident has occurred or is reasonably likely to occur, the individual or the commercial entity shall give the breach notice.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Timeline</h3>



<p>A breach notice shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security and Investigation Exceptions</h3>



<p>The breach notification may be delayed if a law enforcement agency determines in writing that the notification may seriously impede a criminal investigation.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Content Requirements</h3>



<p>The breach notification shall include, at a minimum:<br>(i) A toll-free number: (A) That the individual may use to contact the person collecting the data, or his agent; and (B) From which the individual may learn the toll-free contact telephone numbers and addresses for the major credit reporting agencies.<br>(ii) The types of personal identifying information that were or are reasonably believed to have been the subject of the breach;<br>(iii) A general description of the breach incident;<br>(iv) The approximate date of the breach of security, if that information is reasonably possible to determine at the time notice is provided;<br>(v) In general terms, the actions taken by the individual or commercial entity to protect the system containing the personal identifying information from further breaches;<br>(vi) Advice that directs the person to remain vigilant by reviewing account statements and monitoring credit reports;<br>(vii) Whether notification was delayed as a result of a law enforcement investigation, if that information is reasonably possible to determine at the time the notice is provided.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Delivery Methods</h3>



<p>A breach notice may be provided by one of the following methods:<br>(i) Written notice;<br>(ii) Electronic mail notice;<br>(iii) Substitute notice, if the person demonstrates: (A) That the cost of providing notice would exceed $10,000 for Wyoming-based persons or businesses, and $250,000 for all other businesses operating but not based in Wyoming; (B) That the affected class of subject persons to be notified exceeds 10,000 for Wyoming-based persons or businesses and 500,000 for all other businesses operating but not based in Wyoming; or (C) The person does not have sufficient contact information.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Substitute Notice</h3>



<p>“Substitute notice” means:<br>(A) An email notice when the person or business has an email address for the subject persons;<br>(B) Conspicuous posting of the notice on the website page of the person or business if the person or business maintains one; and<br>(C) Publication in applicable local or statewide media.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>Substitute notice shall consist of all of the following: (A) Conspicuous posting of the notice on the internet, the world wide web or a similar proprietary or common carrier electronic system site of the person collecting the data, if the person maintains any of those public online outlets; and (B) Notification to major statewide media. The notice to media shall include a toll-free phone number where an individual can learn whether that individual’s personal information is included in the security breach.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notice to Government Agencies</h3>



<p>N/A</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Consumer Reporting Agencies</h3>



<p>N/A</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Preemption and Compliance</h3>



<p>Any financial institution as defined in 15 U.S.C. 6809 or federal credit union as defined by 12 U.S.C. 1752 that maintains notification procedures subject to the requirements of 15 U.S.C. 6801(b)(3) and 12 C.F.R. Part 364 Appendix B or Part 748 Appendix B, is deemed to be in compliance with this section if the financial institution notifies affected Wyoming customers in compliance with the requirements of 15 U.S.C. 6801 through 6809 and 12 C.F.R. Part 364 Appendix B or Part 748 Appendix B.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>A covered entity or business associate that is subject to and complies with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the regulations promulgated under that act, is deemed to be in compliance with this section if the covered entity or business associate notifies affected Wyoming customers or entities in compliance with the requirements of HIPAA.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Processor Obligations</h3>



<p>Any person who maintains computerized data that includes personal identifying information on behalf of another business entity shall disclose to the business entity for which the information is maintained any breach of the security of the system as soon as practicable following the determination that personal identifying information was, or is reasonably believed to have been, acquired by an unauthorized person. The person who maintains the data on behalf of another business entity and the business entity on whose behalf the data is maintained may agree which person or entity will provide any required breach notice, provided only a single notice for each breach shall be required. If agreement regarding notification cannot be reached, the person who has the direct business relationship with the resident of this state shall provide the breach notice.</p>


Wyoming (Data Protection Map)


<h2 class="wp-block-heading">Data Breach Requirements: Wis. Stat. § 134.98.</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute.</p>



<h3 class="wp-block-heading">Personal Information</h3>



<p>(b) The term “personal information” means an individual’s last name and the individual’s first name or first initial, in combination with and linked to any of the following elements, if the element is not publicly available information and is not encrypted, redacted, or altered in a manner that renders the element unreadable:</p>



<ol><li>The individual’s Social Security number.</li><li>The individual’s driver’s license number or state identification number.</li><li>The individual’s financial account number, including a credit or debit card account number, or any security code, access code, or password that would permit access to the individual’s financial account.</li><li>The individual’s deoxyribonucleic acid (DNA) profile, as defined in s. 939.74(2d)(a).</li><li>The individual’s unique biometric data, including fingerprint, voice print, retina or iris image, or any other unique physical representation.</li></ol>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security Breach Definition</h3>



<p>If an entity whose principal place of business is located in this state or an entity that maintains or licenses personal information in this state knows that personal information in the entity’s possession has been acquired by a person whom the entity has not authorized to acquire the personal information, the entity shall make reasonable efforts to notify each subject of the personal information.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Good Faith Exception</h3>



<p>An entity is not required to provide a breach notice if the personal information was acquired in good faith by an employee or agent of the entity, if the personal information is used for a lawful purpose of the entity.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Risk of Harm Analysis</h3>



<p>An entity is not required to provide a breach notice if the acquisition of personal information does not create a material risk of identity theft or fraud to the subject of the personal information.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Timeline</h3>



<p>The breach notice shall be provided within a reasonable time, not to exceed 45 days after the entity learns of the acquisition of personal information. A determination as to reasonableness herein shall include consideration of the number of notices that an entity must provide and the methods of communication available to the entity.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security and Investigation Exceptions</h3>



<p>A law enforcement agency may, in order to protect an investigation or homeland security, ask an entity not to provide a breach notice that is otherwise required for any period of time, and the notification process shall begin at the end of that time period. Notwithstanding, if an entity receives such a request, the entity may not provide notice of or publicize an unauthorized acquisition of personal information, except as authorized by the law enforcement agency that made the request.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Content Requirements</h3>



<p>The breach notice shall indicate that the entity knows of the unauthorized acquisition of personal information pertaining to the subject of the personal information.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>Upon written request by a person who has received a breach notice, the entity that provided the notice shall identify the personal information that was acquired.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Delivery Methods</h3>



<p>An entity shall provide the breach notice by mail or by a method the entity has previously employed to communicate with the subject of the personal information. If an entity cannot with reasonable diligence determine the mailing address of the subject of the personal information, and if the entity has not previously communicated with the subject of the personal information, the entity shall provide notice by a method reasonably calculated to provide actual notice to the subject of the personal information.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Substitute Notice</h3>



<p>See Delivery Methods (reasonably calculated standard).</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notice to Government Agencies</h3>



<p>N/A</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Consumer Reporting Agencies</h3>



<p>If, as the result of a single incident, an entity is required to notify 1,000 or more individuals that personal information pertaining to the individuals has been acquired, the entity shall without unreasonable delay notify all consumer reporting agencies of the timing, distribution, and content of the notices sent to the individuals.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Preemption and Compliance</h3>



<p>The law does not apply to any of the following:<br>(a) An entity that is subject to, and in compliance with, the privacy and security requirements of 15 USC 6801 to 6827, or a person that has a contractual obligation to such an entity, if the entity or person has in effect a policy concerning breaches of information security.<br>(b) An entity that is described in 45 CFR 164.104(a), if the entity complies with the requirements of 45 CFR part 164.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Processor Obligations</h3>



<p>If a person, other than an individual, who stores personal information pertaining to a resident of this state, but does not own or license the personal information, knows that the personal information has been acquired by a person whom the person storing the personal information has not authorized to acquire the personal information, and the person storing the personal information has not entered into a contract with the person that owns or licenses the personal information, the person storing the personal information shall notify the person that owns or licenses the personal information of the acquisition as soon as practicable.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Other Information</h3>



<p>(b) If an entity whose principal place of business is not located in this state knows that personal information pertaining to a resident of this state has been acquired by a person whom the entity has not authorized to acquire the personal information, the entity shall make reasonable efforts to notify each resident of this state who is the subject of the personal information. The notice shall indicate that the entity knows of the unauthorized acquisition of personal information pertaining to the resident of this state who is the subject of the personal information.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h2 class="wp-block-heading">Data Disposal and Security: Wis. Stat. § 134.97.</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute. See statute for any applicable exceptions or exemptions.</p>



<h3 class="wp-block-heading">Key Terms</h3>



<p>The term “dispose” does not include a sale of a record or the transfer of a record for value.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>The term “personal information” means any of the following:</p>



<ol><li>Personally identifiable data about an individual’s medical condition, if the data are not generally considered to be public knowledge.</li><li>Personally identifiable data that contain an individual’s account or customer number, account balance, balance owing, credit balance, or credit limit, if the data relate to an individual’s account or transaction with a financial institution.</li><li>Personally identifiable data provided by an individual to a financial institution upon opening an account or applying for a loan or credit.</li><li>Personally identifiable data about an individual’s federal, state, or local tax returns.</li></ol>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>The term “personally identifiable” means capable of being associated with a particular individual through one or more identifiers or other information or circumstances.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Disposal</h3>



<p>A financial institution, medical business, or tax preparation business may not dispose of a record containing personal information unless the financial institution, medical business, tax preparation business, or other person under contract with the financial institution, medical business, or tax preparation business does any of the following:<br>(a) Shreds the record before the disposal of the record.<br>(b) Erases the personal information contained in the record before the disposal of the record.<br>(c) Modifies the record to make the personal information unreadable before the disposal of the record.<br>(d) Takes actions that it reasonably believes will ensure that no unauthorized person will have access to the personal information contained in the record for the period between the record’s disposal and the record’s destruction.</p>


Wisconsin (Data Protection Map)


<h2 class="wp-block-heading">Data Breach Requirements: W. Va. Code § 46A-2A-101 et seq.</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute.</p>



<h3 class="wp-block-heading">Personal Information</h3>



<p>The term “personal information” means the first name or first initial and last name linked to any one or more of the following data elements that relate to a resident of this state, when the data elements are neither encrypted nor redacted:<br>(A) Social Security number;<br>(B) Driver’s license number or state identification card number issued in lieu of a driver’s license; or<br>(C) Financial account number, or credit card, or debit card number in combination with any required security code, access code, or password that would permit access to a resident’s financial accounts.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security Breach Definition</h3>



<p>The term “breach of the security of a system” means the unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information maintained by an individual or entity as part of a database of personal information regarding multiple individuals and that causes the individual or entity to reasonably believe that the breach of security has caused or will cause identity theft or other fraud to any resident of this state.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Good Faith Exception</h3>



<p>Good faith acquisition of personal information by an employee or agent of an individual or entity for the purposes of the individual or the entity is not a breach of the security of the system, provided that the personal information is not used for a purpose other than a lawful purpose of the individual or entity or subject to further unauthorized disclosure.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Risk of Harm Analysis</h3>



<p>An individual or entity that owns or licenses computerized data that includes personal information shall give notice of any breach of the security of the system following discovery or notification of the breach of the security of the system to any resident of this state whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person and that causes, or the individual or entity reasonably believes has caused or will cause, identity theft or other fraud to any resident of this state.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>An individual or entity must give notice of the breach of the security of the system if encrypted information is accessed and acquired in an unencrypted form or if the security breach involves a person with access to the encryption key and the individual or entity reasonably believes that such breach has caused or will cause identity theft or other fraud to any resident of this state.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Timeline</h3>



<p>Except as provided in subsection (e) (law enforcement exception) or in order to take any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the system, the notice shall be made without unreasonable delay.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security and Investigation Exceptions</h3>



<p>A breach notice may be delayed if a law-enforcement agency determines and advises the individual or entity that the notice will impede a criminal or civil investigation or homeland or national security. Notice must be made without unreasonable delay after the law enforcement agency determines that notification will no longer impede the investigation or jeopardize national or homeland security.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Content Requirements</h3>



<p>The breach notice shall include:<br>(1) To the extent possible, a description of the categories of information that were reasonably believed to have been accessed or acquired by an unauthorized person, including Social Security numbers, driver’s licenses, or state identification numbers and financial data;<br>(2) A telephone number or website address that the individual may use to contact the entity or the agent of the entity and from whom the individual may learn: (A) What types of information the entity maintained about that individual or about individuals in general; and (B) Whether or not the entity maintained information about that individual.<br>(3) The toll-free contact telephone numbers and addresses for the major credit reporting agencies and information on how to place a fraud alert or security freeze.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Delivery Methods</h3>



<p>A breach notice may be provided by one of the following methods:<br>(A) Written notice to the postal address in the records of the individual or entity;<br>(B) Telephonic notice;<br>(C) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures, set forth in 15 U.S.C. § 7001 (The Electronic Signatures in Global and National Commerce Act).<br>(D) Substitute notice, if the individual or the entity required to provide notice demonstrates that the cost of providing notice will exceed $50,000 or that the affected class of residents to be notified exceeds 100,000 persons, or that the individual or the entity does not have sufficient contact information or to provide notice as described in paragraph (A), (B) or (C).</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Substitute Notice</h3>



<p>Substitute notice consists of any two of the following:<br>(i) Email notice if the individual or the entity has email addresses for the members of the affected class of residents;<br>(ii) Conspicuous posting of the notice on the website of the individual or the entity if the individual or the entity maintains a website; or<br>(iii) Notice to major statewide media.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notice to Government Agencies</h3>



<p>N/A</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Consumer Reporting Agencies</h3>



<p>If an entity is required to notify more than 1,000 persons of a breach, the entity shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on a nationwide basis of the timing, distribution and content of the notices. Nothing in this subsection shall be construed to require the entity to provide to the consumer reporting agency the names or other personal identifying information of breach notice recipients. This subsection shall not apply to an entity who is subject to Title V of the Gramm-Leach-Bliley Act.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Preemption and Compliance</h3>



<p>See Consumer Reporting Agencies (GLBA exception).</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>A financial institution that responds in accordance with the notification guidelines prescribed by the Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice is deemed to be in compliance with this article.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>An entity that complies with the notification requirements or procedures pursuant to the rules, regulations, procedures, or guidelines established by the entity’s primary or functional regulator shall be in compliance with this article.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Processor Obligations</h3>



<p>An individual or entity that maintains computerized data that includes personal information that the individual or entity does not own or license shall give notice to the owner or licensee of the information of any breach of the security of the system as soon as practicable following discovery, if the personal information was or the entity reasonably believes was accessed and acquired by an unauthorized person.</p>


West Virginia (Data Protection Map)


<h2 class="wp-block-heading">Data Breach Requirements: RCW § 19.255.005 et seq.</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute.</p>



<h3 class="wp-block-heading">Personal Information</h3>



<p>(2)(a) The term “personal information” means:<br>(i) An individual’s first name or first initial and last name in combination with any one or more of the following data elements:<br>(A) Social Security number;<br>(B) Driver’s license number or Washington identification card number;<br>(C) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account, or any other numbers or information that can be used to access a person’s financial account;<br>(D) Full date of birth;<br>(E) Private key that is unique to an individual and that is used to authenticate or sign an electronic record;<br>(F) Student, military, or passport identification number;<br>(G) Health insurance policy number or health insurance identification number;<br>(H) Any information about a consumer’s medical history or mental or physical condition or about a health care professional’s medical diagnosis or treatment of the consumer; or<br>(I) Biometric data generated by automatic measurements of an individual’s biological characteristics such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that are used to identify a specific individual;</p>



<p>(ii) Username or email address in combination with a password or security questions and answers that would permit access to an online account; and</p>



<p>(iii) Any of the data elements or any combination of the data elements described in (a)(i) of this subsection without the consumer’s first name or first initial and last name if: (A) Encryption, redaction, or other methods have not rendered the data element or combination of data elements unusable; and (B) The data element or combination of data elements would enable a person to commit identity theft against a consumer.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security Breach Definition</h3>



<p>The term “breach of the security of the system” means unauthorized acquisition of data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Good Faith Exception</h3>



<p>Good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business is not a breach of the security of the system when the personal information is not used or subject to further unauthorized disclosure.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Risk of Harm Analysis</h3>



<p>A breach notice is not required if the breach of the security of the system is not reasonably likely to subject consumers to a risk of harm. The breach of secured personal information must be disclosed if the information acquired and accessed is not secured during a security breach or if the confidential process, encryption key, or other means to decipher the secured information was acquired by an unauthorized person.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Timeline</h3>



<p>The breach notification to affected consumers must be made in the most expedient time possible, without unreasonable delay, and no more than 30 calendar days after the breach was discovered, unless the delay is at the request of law enforcement, or the delay is due to any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security and Investigation Exceptions</h3>



<p>The breach notification may be delayed if the data owner or licensee contacts a law enforcement agency after discovery of a breach of the security of the system and a law enforcement agency determines that the notification will impede a criminal investigation. The notification shall be made after the law enforcement agency determines that it will not compromise the investigation.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Content Requirements</h3>



<p>Any person or business that is required to issue a breach notification shall meet all of the following requirements:<br>(a) The notification must be written in plain language; and<br>(b) The notification must include, at a minimum, the following information:<br>(i) The name and contact information of the reporting person or business subject to this section;<br>(ii) A list of the types of personal information that were or are reasonably believed to have been the subject of a breach;<br>(iii) A time frame of exposure, if known, including the date of the breach and the date of the discovery of the breach; and<br>(iv) The toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed personal information.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Delivery Methods</h3>



<p>A breach notice may be provided by one of the following methods:<br>(a) Written notice;<br>(b) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001 (The Electronic Signatures in Global and National Commerce Act);<br>(c) Substitute notice, if the person or business demonstrates that the cost of providing notice would exceed $250,000, or that the affected class of subject persons to be notified exceeds 500,000, or the person or business does not have sufficient contact information; or<br>(d)(i) If the breach of the security of the system involves personal information including a username or password, notice may be provided electronically or by email. The notice must also inform the person whose personal information has been breached to promptly change his or her password and security question or answer, as applicable, or to take other appropriate steps to protect the online account with the person or business and all other online accounts for which the person whose personal information has been breached uses the same username or email address and password or security question or answer; (ii) However, when the breach of the security of the system involves login credentials of an email account furnished by the person or business, the person or business may not provide the notification to that email address, but must provide notice using another method described in this subsection (4). The notice must also inform the person whose personal information has been breached to promptly change his or her password and security question or answer, as applicable, or to take other appropriate steps to protect the online account with the person or business and all other online accounts for which the person whose personal information has been breached uses the same username or email address and password or security question or answer.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Substitute Notice</h3>



<p>Substitute notice shall consist of all of the following:<br>(i) Email notice when the person or business has an email address for the subject persons;<br>(ii) Conspicuous posting of the notice on the website page of the person or business, if the person or business maintains one; and<br>(iii) Notification to major statewide media.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notice to Government Agencies</h3>



<p>(a) Any person or business that is required to issue a breach notification to more than 500 Washington residents as a result of a single breach shall notify the attorney general of the breach no more than 30 days after the breach was discovered. The notice to the attorney general shall include the following information:<br>(i) The number of Washington consumers affected by the breach, or an estimate if the exact number is not known;<br>(ii) A list of the types of personal information that were or are reasonably believed to have been the subject of a breach;<br>(iii) A time frame of exposure, if known, including the date of the breach and the date of the discovery of the breach;<br>(iv) A summary of steps taken to contain the breach; and<br>(v) A single sample copy of the security breach notification, excluding any personally identifiable information.<br>(b) The notice to the attorney general must be updated if any of the information identified herein is unknown at the time notice is due.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Consumer Reporting Agencies</h3>



<p>N/A</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Preemption and Compliance</h3>



<p>(1) A covered entity under the federal health insurance portability and accountability act of 1996, 42 U.S.C. Sec. 1320d et seq., is deemed to have complied with the requirements of this chapter with respect to protected health information if it has complied with section 13402 of the federal health information technology for economic and clinical health act, P.L. 111-5 as it existed on July 24, 2015. Covered entities shall notify the attorney general pursuant to RCW 19.255.010(7) in compliance with the timeliness of notification requirements of section 13402 of the federal health information technology for economic and clinical health act, P.L. 111-5 as it existed on July 24, 2015, notwithstanding the timeline in RCW 19.255.010(7).</p>



<p>(2) A financial institution under the authority of the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, the National Credit Union Administration, or the Federal Reserve System is deemed to have complied with the requirements of this chapter with respect to “sensitive customer information” as defined in the interagency guidelines establishing information security standards, 12 C.F.R. Part 30, Appendix B, 12 C.F.R. Part 208, Appendix D-2, 12 C.F.R. Part 225, Appendix F, and 12 C.F.R. Part 364, Appendix B, and 12 C.F.R. Part 748, Appendices A and B, as they existed on July 24, 2015, if the financial institution provides notice to affected consumers pursuant to the interagency guidelines and the notice complies with the customer notice provisions of the interagency guidelines establishing information security standards and the interagency guidance on response programs for unauthorized access to customer information and customer notice under 12 C.F.R. Part 364 as it existed on July 24, 2015. The entity shall notify the attorney general pursuant to RCW 19.255.010 in addition to providing notice to its primary federal regulator.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Processor Obligations</h3>



<p>Any person or business that maintains or possesses data that may include personal information that the person or business does not own or license shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h2 class="wp-block-heading">Data Disposal and Security: RCW § 19.215.010 et seq.</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute. See statute for any applicable exceptions or exemptions.</p>



<h3 class="wp-block-heading">Key Terms</h3>



<p>The term “destroy personal information” means shredding, erasing, or otherwise modifying personal information in records to make the personal information unreadable or undecipherable through any reasonable means.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>The term “personal financial” and “health information” mean information that is identifiable to an individual and that is commonly used for financial or health care purposes, including account numbers, access codes or passwords, information gathered for account security purposes, credit card numbers, information held for the purpose of account access or transaction initiation, or information that relates to medical history or status.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>The term “personal identification number issued by a government entity” means a taxpayer identification number, Social Security number, driver’s license or permit number, state identification card number issued by the department of licensing, or any other number or code issued by a government entity for the purpose of personal identification that is protected and is not available to the public under any circumstances.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>The term “record” includes any material, regardless of the physical form, on which information is recorded or preserved by any means, including in written or spoken words, graphically depicted, printed, or electromagnetically transmitted.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Disposal</h3>



<p>An entity must take all reasonable steps to destroy, or arrange for the destruction of, personal financial and health information and personal identification numbers issued by government entities in an individual’s records within its custody or control when the entity is disposing of records that it will no longer retain. This requirement does not apply to the disposal of records by a transfer of the records, not otherwise prohibited by law, to another entity, including a transfer to archive or otherwise preserve public records as required by law.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Other Information</h3>



<p>An entity is not liable under these requirements for records it has relinquished to the custody and control of the individual to whom the records pertain.</p>


Washington (Data Protection Map)


<h2 class="wp-block-heading">Consumer Data Privacy Law</h2>



<p>Consumer Data Privacy and Online Monitoring</p>



<p>Available at: <a href="https://law.lis.virginia.gov/vacodefull/title59.1/chapter53/">https://law.lis.virginia.gov/vacodefull/title59.1/chapter53/</a></p>



<h2 class="wp-block-heading">Data Breach Requirements: Va. Code Ann. § 18.2-186.6.</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute.</p>



<h3 class="wp-block-heading">Personal Information</h3>



<p>The term “personal information” means the first name or first initial and last name in combination with and linked to any one or more of the following data elements that relate to a Virginia resident, when the data elements are neither encrypted nor redacted:</p>



<ol><li>Social Security number;</li><li>Driver’s license number or state identification card number issued in lieu of a driver’s license number;</li><li>Financial account number, or credit card or debit card number, in combination with any required security code, access code, or password that would permit access to a resident’s financial accounts;</li><li>Passport number; or</li><li>Military identification number.</li></ol>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security Breach Definition</h3>



<p>The term “breach of the security of the system” means the unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information maintained by an individual or entity as part of a database of personal information regarding multiple individuals and that causes, or the individual or entity reasonably believes has caused, or will cause, identity theft or other fraud to any Virginia resident.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Good Faith Exception</h3>



<p>Good faith acquisition of personal information by an employee or agent of an individual or entity for the purposes of the individual or entity is not a breach of the security of the system, provided that the personal information is not used for a purpose other than a lawful purpose of the individual or entity or subject to further unauthorized disclosure.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Risk of Harm Analysis</h3>



<p>If unencrypted or unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person and causes, or the individual or entity reasonably believes has caused or will cause, identity theft or another fraud to any Virginia resident, an individual or entity that owns or licenses computerized data that includes personal information shall disclose the breach.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>An individual or entity shall disclose the breach of the security of the system if encrypted information is accessed and acquired in an unencrypted form, or if the security breach involves a person with access to the encryption key and the individual or entity reasonably believes that such a breach has caused or will cause identity theft or other fraud to any Virginia resident.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Timeline</h3>



<p>The breach notification shall be provided without unreasonable delay, provided a notification may be reasonably delayed to allow the individual or entity to determine the scope of the breach of the security of the system and restore the reasonable integrity of the system.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security and Investigation Exceptions</h3>



<p>The breach notification may be delayed if, after the individual or entity notifies a law-enforcement agency, the law-enforcement agency determines and advises the individual or entity that the notice will impede a criminal or civil investigation, or homeland or national security. Notice shall be made without unreasonable delay after the law-enforcement agency determines that the notification will no longer impede the investigation or jeopardize national or homeland security.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Content Requirements</h3>



<p>A breach notification shall include a description of the following:<br>(1) The incident in general terms;<br>(2) The type of personal information that was subject to the unauthorized access and acquisition;<br>(3) The general acts of the individual or entity to protect the personal information from further unauthorized access;<br>(4) A telephone number that the person may call for further information and assistance, if one exists; and<br>(5) Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Delivery Methods</h3>



<p>A breach notice may be provided by one of the following methods:</p>



<ol><li>Written notice to the last known postal address in the records of the individual or entity;</li><li>Telephone notice;</li><li>Electronic notice; or</li><li>Substitute notice, if the individual or the entity required to provide notice demonstrates that the cost of providing notice will exceed $50,000, the affected class of Virginia residents to be notified exceeds 100,000 residents, or the individual or the entity does not have sufficient contact information or consent to provide notice as described in subdivisions 1, 2, or 3 of this definition.</li></ol>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Substitute Notice</h3>



<p>Substitute notice consists of all of the following:<br>a. Email notice if the individual or the entity has email addresses for the members of the affected class of residents;<br>b. Conspicuous posting of the notice on the website of the individual or the entity if the individual or the entity maintains a website; and<br>c. Notice to major statewide media.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notice to Government Agencies</h3>



<p>A breach notification shall be provided to the Office of the Attorney General and any affected resident of the commonwealth without unreasonable delay.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>In the event an individual or entity provides notice to more than 1,000 persons at one time, the individual or entity shall notify, without unreasonable delay, the Office of the Attorney General of the timing, distribution, and content of the notice.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>As part of the notification, the Virginia Attorney General’s Office requests the following information from the individual or entity making the notification:</p>



<ol><li>A cover letter on official letterhead to the Virginia Attorney General’s Office as notification of the breach; 2. Approximate date of the incident to include how the breach was discovered; 3. Cause of breach; 4. Number of Virginia residents affected by the breach; 5. The steps taken to remedy the breach; 6. If an organization’s employees’ tax identification numbers and amount of tax withheld are breached, the Federal Employer Identification Number (FEIN) of the organization; and 7. A sample of the notification made to the affected parties, to include any possible offers of free credit monitoring.</li></ol>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Consumer Reporting Agencies</h3>



<p>In the event an individual or entity provides notice to more than 1,000 persons at one time, the individual or entity shall notify, without unreasonable delay, the Office of the Attorney General and all consumer reporting agencies of the timing, distribution, and content of the notice.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Preemption and Compliance</h3>



<p>An entity that is subject to Title V of the Gramm-Leach-Bliley Act and maintains procedures for notification of a breach of the security of the system in accordance with the provision of that act and any rules, regulations, or guidelines promulgated thereto shall be deemed to be in compliance with this law.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>An entity that complies with the notification requirements or procedures pursuant to the rules, regulations, procedures, or guidelines established by the entity’s primary or functional state or federal regulator shall be in compliance with this law.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Processor Obligations</h3>



<p>An individual or entity that maintains computerized data that includes personal information that the individual or entity does not own or license shall notify the owner or licensee of the information of any breach of the security of the system without unreasonable delay following discovery of the breach of the security of the system, if the personal information was accessed and acquired by an unauthorized person or the individual or entity reasonably believes the personal information was accessed and acquired by an unauthorized person.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Other Information</h3>



<p>Nothing in this law shall apply to an individual or entity regulated by the State Corporation Commission’s Bureau of Insurance.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>The provisions of this section shall not apply to criminal intelligence systems subject to the restrictions of 28 C.F.R. Part 23 that are maintained by law enforcement agencies of the commonwealth and the organized Criminal Gang File of the Virginia Criminal Information Network (VCIN), established pursuant to Chapter 2 (§ 52-12 et seq.) of Title 52.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>Notwithstanding any other provision of this section, any employer or payroll service provider that owns or licenses computerized data relating to income tax withheld pursuant to Article 16 (§ 58.1-460 et seq.) of Chapter 3 of Title 58.1 shall notify the Office of the Attorney General without unreasonable delay after the discovery or notification of unauthorized access and acquisition of unencrypted and unredacted computerized data containing a taxpayer identification number in combination with the income tax withheld for that taxpayer that compromises the confidentiality of such data and that creates a reasonable belief that an unencrypted and unredacted version of such information was accessed and acquired by an unauthorized person, and causes, or the employer or payroll provider reasonably believes has caused or will cause, identity theft or other fraud. With respect to employers, this subsection applies only to information regarding the employer’s employees, and does not apply to information regarding the employer’s customers or other non-employees. Such employer or payroll service provider shall provide the Office of the Attorney General with the name and federal employer identification number of the employer as defined in § 58.1-460 that may be affected by the compromise in confidentiality. Upon receipt of such notice, the Office of the Attorney General shall notify the Department of Taxation of the compromise in confidentiality. The notification required under this subsection that does not otherwise require notification under this section shall not be subject to any other notification, requirement, exemption, or penalty contained in this section.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h2 class="wp-block-heading">Data Disposal and Security: See the Virginia Consumer Data Protection Act (Appendix 5).</h2>


Virginia (Data Protected Map)

Vermont (Data Protection Map)


<h2 class="wp-block-heading">Consumer Data Privacy Law</h2>



<p>Consumer Data Privacy and Online Monitoring</p>



<p>Available at: <a href="https://le.utah.gov/~2022/bills/sbillenr/SB0227.pdf">https://le.utah.gov/~2022/bills/sbillenr/SB0227.pdf</a></p>



<h2 class="wp-block-heading">Data Breach Requirements: Utah Code § 13-44-102 et seq.</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute.</p>



<h3 class="wp-block-heading">Personal Information</h3>



<p>The term “personal information” means a person’s first name or first initial and last name, combined with any one or more of the following data elements relating to that person when either the name or date element is unencrypted or not protected by another method that renders the data unreadable or unusable:<br>(i) Social Security number;<br>(ii)(A) financial account number, or credit or debit card number, and (B) any required security code, access code, or password that would permit access to the person’s account; or<br>(iii) Driver’s license number or state identification card number.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security Breach Definition</h3>



<p>The term “breach of system security” means an unauthorized acquisition of computerized data maintained by a person that compromises the security, confidentiality, or integrity of personal information.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Good Faith Exception</h3>



<p>A “breach of system security” does not include the acquisition of personal information by an employee or agent of the person possessing unencrypted computerized data unless the personal information is used for an unlawful purpose or disclosed in an unauthorized manner.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Risk of Harm Analysis</h3>



<p>A person who owns or licenses computerized data that includes personal information concerning a Utah resident shall, when the person becomes aware of a breach of system security, conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused for identity theft or fraud purposes. If such an investigation reveals that the misuse of personal information for identity theft or fraud purposes has occurred, or is reasonably likely to occur, the person shall provide notification to each affected Utah resident.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Timeline</h3>



<p>The breach notification shall be provided in the most expedient time possible without unreasonable delay: considering legitimate investigative needs of law enforcement, after determining the scope of the breach of system security, and after restoring the reasonable integrity of the system.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security and Investigation Exceptions</h3>



<p>A person may delay providing the breach notification at the request of a law enforcement agency that determines that notification may impede a criminal investigation. A person who delays providing notification under subsection (4)(a) shall provide notification in good faith without unreasonable delay in the most expedient time possible after the law enforcement agency informs the person that notification will no longer impede the criminal investigation.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Content Requirements</h3>



<p>N/A</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Delivery Methods</h3>



<p>5(a) A breach notice may be provided by one of the following methods:<br>(i) in writing by first-class mail to the most recent address the person has for the resident;<br>(ii) electronically, if the person’s primary method of communication with the resident is by electronic means, or if provided in accordance with the consumer disclosure provisions of 15 U.S.C. § 7001 (The Electronic Signatures in Global and National Commerce Act);<br>(iii) by telephone, including through the use of automatic dialing technology not prohibited by other law; or<br>(iv) for residents of the state for whom notification in a manner described in subsections (5)(a)(i) through (iii) is not feasible, by publishing notice of the breach of system security: (A) in a newspaper of general circulation; and (B) as required in Section 45-1-101 (See Other Information).</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Substitute Notice</h3>



<p>See Delivery Methods.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notice to Government Agencies</h3>



<p>N/A</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Consumer Reporting Agencies</h3>



<p>N/A</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Preemption and Compliance</h3>



<p>The data breach notification law does not apply to a financial institution or an affiliate, as defined in 15 U.S.C. Sec. 6809, of a financial institution.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>A person who is regulated by state or federal law and maintains procedures for a breach of system security under applicable law established by the primary state or federal regulator is considered to be in compliance with this part if the person notifies each affected Utah resident in accordance with the other applicable law in the event of a breach.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Processor Obligations</h3>



<p>A person who maintains computerized data that includes personal information that the person does not own or license shall notify and cooperate with the owner or licensee of the information of any breach of system security immediately following the person’s discovery of the breach if misuse of the personal information occurs or is reasonably likely to occur. Cooperation includes sharing information relevant to the breach with the owner or licensee of the information.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Other Information</h3>



<p>§ 45-1-101. Legal notice publication requirements:<br>(1) As used in this section:<br>(a) “Average advertisement rate” means:<br>(i) in determining a rate for publication on the public legal notice website or in a newspaper that primarily distributes publications in a county of the third, fourth, fifth, or sixth class, a newspaper’s gross advertising revenue for the preceding calendar quarter divided by the gross column-inch space used in the newspaper for advertising for the previous calendar quarter; or<br>(ii) in determining a rate for publication in a newspaper that primarily distributes publications in a county of the first or second class, a newspaper’s average rate for all qualifying advertising segments for the preceding calendar quarter for an advertisement:<br>(A) published in the same section of the newspaper as the legal notice; and<br>(B) of the same column-inch space as the legal notice.<br>(b) “Column-inch space” means a unit of space that is one standard column wide by one inch high.<br>(c) “Gross advertising revenue” means the total revenue obtained by a newspaper from all of its qualifying advertising segments.<br>(d)(i) “Legal notice” means:<br>(A) a communication required to be made public by a state statute or state agency rule; or<br>(B) a notice required for judicial proceedings or by judicial decision.<br>(ii) “Legal notice” does not include:<br>(A) a public notice published by a public body in accordance with the provisions of Sections 52-4-202 and 63A-16-601; or<br>(B) a notice of delinquency in the payment of property taxes described in Section 59-2-1332.5.<br>(e) “Local district” is as defined in Section 17B-1-102.<br>(f) “Public legal notice website” means the website described in Subsection (2)(b) for the purpose of publishing a legal notice online.<br>(g)(i) “Qualifying advertising segment” means, except as provided in Subsection (1)(g)(ii), a category of print advertising sold by a newspaper, including classified advertising, line advertising, and display advertising.<br>(ii) “Qualifying advertising segment” does not include legal notice advertising.<br>(h) “Special service district” is as defined in Section 17D-1-102.<br>(2) Except as provided in Subsections (8) and (9), notwithstanding any other legal notice provision established by law, a person required by law to publish legal notice shall publish the notice:<br>(a)(i) as required by the statute establishing the legal notice requirement; or<br>(ii) by serving legal notice, by certified mail or in person, directly on all parties for whom the statute establishing the legal notice requirement requires legal notice, if:<br>(A) the direct service of legal notice does not replace publication in a newspaper that primarily distributes publications in a county of the third, fourth, fifth, or sixth class;<br>(B) the statute clearly identifies the parties;<br>(C) the person can prove that the person has identified all parties for whom notice is required; and<br>(D) the person keeps a record of the service for at least two years; and<br>(b) on a public legal notice website established by the combined efforts of Utah’s newspapers that collectively distribute newspapers to the majority of newspaper subscribers in the state.<br>(3) The public legal notice website shall:<br>(a) be available for viewing and searching by the general public, free of charge; and<br>(b) accept legal notice posting from any newspaper in the state.<br>(4) A person that publishes legal notice as required under Subsection (2) is not relieved from complying with an otherwise applicable requirement under Title 52, Chapter 4, Open and Public Meetings Act.<br>(5) If legal notice is required by law and one option for complying with the requirement is publication in a newspaper, or if a local district or a special service district publishes legal notice in a newspaper, the newspaper:<br>(a) may not charge more for publication than the newspaper’s average advertisement rate; and<br>(b) shall publish the legal notice on the public legal notice website at no additional cost.<br>(6) If legal notice is not required by law, or if legal notice is required by law and the person providing legal notice, in accordance with the requirements of law, chooses not to publish the legal notice in a newspaper, or if a local district or a special service district with an annual operating budget of less than $250,000 chooses to publish a legal notice on the public notice website without publishing the complete notice in the newspaper, a newspaper:<br>(a) may not charge more than an amount equal to 15% of the newspaper’s average advertisement rate for publishing five column lines in the newspaper to publish legal notice on the public legal notice website;<br>(b) may not require that the legal notice be published in the newspaper; and<br>(c) at the request of the person publishing on the legal notice website, shall publish in the newspaper up to five column lines, at no additional charge, that briefly describe the legal notice and provide the web address where the full public legal notice can be found.<br>(7) If a newspaper offers to publish the type of legal notice described in Subsection (5), it may not refuse to publish the type of legal notice described in Subsection (6).<br>(8) Notwithstanding the requirements of a statute that requires the publication of legal notice, if legal notice is required by law to be published by a local district or a special service district with an annual operating budget of $250,000 or more, the local district or special service district shall satisfy its legal notice publishing requirements by:<br>(a) mailing a written notice, postage prepaid:<br>(i) to each voter in the local district or special service district; and<br>(ii) that contains the information required by the statute that requires the publication of legal notice; or<br>(b) publishing the legal notice in a newspaper and on the legal public notice website as described in Subsection (5).<br>(9) Notwithstanding the requirements of a statute that requires the publication of legal notice, if legal notice is required by law to be published by a local district or a special service district with an annual operating budget of less than $250,000, the local district or special service district shall satisfy its legal notice publishing requirements by:<br>(a) mailing a written notice, postage prepaid:<br>(i) to each voter in the local district or special service district; and<br>(ii) that contains the information required by the statute that requires the publication of legal notice; or<br>(b) publishing the legal notice in a newspaper and on the public legal notice website as described in Subsection (5); or<br>(c) publishing the legal notice on the public legal notice website as described in Subsection (6).</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h2 class="wp-block-heading">Data Disposal and Security: Utah Code § 13-44-201.</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute. See statute for any applicable exceptions or exemptions.</p>



<h3 class="wp-block-heading">Key Terms</h3>



<p>The term “personal information” means a person’s first name or first initial and last name, combined with any one or more of the following data elements relating to that person when either the name or date element is unencrypted or not protected by another method that renders the data unreadable or unusable:<br>(i) Social Security number;<br>(ii)(A) Financial account, credit, or debit card number; and (B) Any required security code, access code, or password that would permit access to the person’s account; or<br>(iii) Driver’s license number or state identification card number.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security Requirements</h3>



<p>Any person who conducts business in the state and maintains personal information shall implement and maintain reasonable procedures to prevent unlawful use or disclosure of personal information collected or maintained in the regular course of business.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<p>Data Disposal</p>



<p>Any person who conducts business in the state and maintains personal information shall implement and maintain reasonable procedures to destroy, or arrange for the destruction of, records containing personal information that are not to be retained by the person. The destruction of records shall be by:<br>(a) Shredding;<br>(b) Erasing; or<br>(c) Otherwise modifying the personal information to make the information indecipherable.</p>


Utah (Data Protection Map)


<h2 class="wp-block-heading">Consumer Data Privacy Law</h2>



<p>Consumer Data Privacy and Online Monitoring</p>



<p>Available at: <a href="https://capitol.texas.gov/tlodocs/88R/billtext/html/HB00004F.htm">https://capitol.texas.gov/tlodocs/88R/billtext/html/HB00004F.htm</a></p>



<h2 class="wp-block-heading">Data Breach Requirements: Texas Bus. &amp; Com. Code §§ 521.002, 521.053, 521.151.</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute.</p>



<h3 class="wp-block-heading">Personal Information</h3>



<p>The term “sensitive personal information” means</p>



<p>(A) An individual’s first name or first initial and last name in combination with any one or more of the following items, if the name and the items are not encrypted:<br>(i) Social Security number;<br>(ii) Driver’s license number or government-issued identification number; or<br>(iii) Account, credit, or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account; or</p>



<p>(B) Information that identifies an individual and relates to:<br>(i) The physical or mental health or condition of the individual;<br>(ii) The provision of health care to the individual; or<br>(iii) Payment for the provision of health care to the individual.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security Breach Definition</h3>



<p>The term “breach of system security” means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information maintained by a person, including data that is encrypted if the person accessing the data has the key required to decrypt the data.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Good Faith Exception</h3>



<p>Good faith acquisition of sensitive personal information by an employee or agent of the person for the purposes of the person is not a breach of system security unless the person uses or discloses the sensitive personal information in an unauthorized manner.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Risk of Harm Analysis</h3>



<p>N/A</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Timeline</h3>



<p>The breach notification shall be made without unreasonable delay and in each case not later than the 60th day after the date on which the person determines that the breach occurred, except as provided by subsection (d) (law enforcement exception) or as necessary to determine the scope of the breach and restore the reasonable integrity of the data system.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security and Investigation Exceptions.</h3>



<p>A person may delay providing a breach notice at the request of a law enforcement agency that determines that the notification will impede a criminal investigation. The notification shall be made as soon as the law enforcement agency determines that the notification will not compromise the investigation.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Content Requirements</h3>



<p>See Notice to Government Agencies.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Delivery Methods</h3>



<p>A breach notice may be provided by one of the following methods:<br>(1) Written notice at the last known address of the individual;<br>(2) Electronic notice, if the notice is provided in accordance with 15 U.S.C. § 7001 (The Electronic Signatures in Global and National Commerce Act); or<br>(3) Substitute notice if the person required to give notice demonstrates that the cost of providing notice would exceed $250,000, the number of affected persons exceeds 500,000, or the person does not have sufficient contact information,</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Substitute Notice</h3>



<p>Substitute notice shall consist of the following:<br>(1) Electronic mail, if the person has electronic mail addresses for the affected persons;<br>(2) Conspicuous posting of the notice on the person’s website; or<br>(3) Notice published in or broadcast on major statewide media.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notice to Government Agencies</h3>



<p>A person who is required to disclose or provide notification of a breach of system security shall notify the attorney general of that breach as soon as reasonably practicable and later than the 30th day after the date on which the person determines that the breach occurred if it involves at least 250 residents of this state. The notification must be submitted electronically using a form accessed through the attorney general&#8217;s Internet website and must include:<br>(1) A detailed description of the nature and circumstances of the breach or the use of sensitive personal information acquired as a result of the breach;<br>(2) The number of residents of this state affected by the breach at the time of notification;<br>(3) The number of affected residents that have been sent a disclosure of the breach by mail or other direct method of communication at the time of notification;<br>(4) The measures taken by the person regarding the breach;<br>(5) Any measures the person intends to take regarding the breach after the notification under this subsection; and<br>(6) Information regarding whether law enforcement is engaged in investigating the breach.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Consumer Reporting Agencies</h3>



<p>If a person is required to notify, at one time, more than 10,000 persons of a breach, the person shall also notify each consumer reporting agency that maintains files on consumers on a nationwide basis, of the timing, distribution, and content of the notices. The person shall provide the notice required by this subsection without unreasonable delay.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Preemption and Compliance</h3>



<p>N/A</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Processor Obligations</h3>



<p>Any person who maintains computerized data that includes sensitive personal information not owned by the person shall notify the owner or license holder of the information of any breach of system security immediately after discovering the breach, if the sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Other Information</h3>



<p>If the individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person is a resident of a state that requires an organization to provide a breach notice, the notice under Texas law may be provided under that state’s law or under Texas law.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>The attorney general shall post on its publicly accessible Internet website a listing of the notifications it received pursuant to this law, excluding any sensitive personal information, any information that may compromise a data system’s security, and any other information reported to the attorney general that is made confidential by law. The attorney general shall:<br>(1) Update the listing not later than the 30th day after the date the attorney general receives notification of a new breach of system security;<br>(2) Remove a notification from the listing not later than the first anniversary of the date the attorney general added the notification to the listing if the person who provided the notification has not notified the attorney general of any additional breaches; and<br>(3) Maintain only the most recently updated listing on the attorney general’s website.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h2 class="wp-block-heading">Data Disposal and Security: Texas Bus. &amp; Com. Code. §§ 521.002, 521.052.</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute. See statute for any applicable exceptions or exemptions.</p>



<h3 class="wp-block-heading">Key Terms</h3>



<p>The term “personal identifying information” means information that alone or in conjunction with other information identifies an individual, including an individual’s:<br>(A) Name, social security number, date of birth, or government-issued identification number;<br>(B) Mother’s maiden name;<br>(C) Unique biometric data, including the individual’s fingerprint, voice print, and retina or iris image;<br>(D) Unique electronic identification number, address, or routing code; and<br>(E) Telecommunication access device as defined by Section 32.51, Penal Code.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>The term “sensitive personal information” means an individual’s first name or first initial and last name in combination with any one or more of the following items, if the name and the items are not encrypted:<br>(i) Social Security number;<br>(ii) Driver’s license number or government-issued identification number; or<br>(iii) Account, credit, or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account; or<br>(B) Information that identifies an individual and relates to:<br>(i) The physical or mental health or condition of the individual;<br>(ii) The provision of health care to the individual; or<br>(iii) Payment for the provision of health care to the individual.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>The term “sensitive personal information” does not include publicly available information that is lawfully made available to the public from the federal government or a state or local government.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security Requirements</h3>



<p>A business shall implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect from unlawful use or disclosure any sensitive personal information collected or maintained by the business in the regular course of business.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Disposal</h3>



<p>A business shall destroy or arrange for the destruction of customer records containing sensitive personal information within the business’s custody or control that are not to be retained by the business by:<br>(1) Shredding;<br>(2) Erasing; or<br>(3) Otherwise modifying the sensitive personal information in the records to make the information unreadable or indecipherable through any means.</p>


Texas (Data Protection Map)


<h2 class="wp-block-heading">Consumer Data Privacy Law</h2>



<p>Consumer Data Privacy and Online Monitoring</p>



<p>Available at: <a href="https://publications.tnsosfiles.com/acts/113/pub/pc0408.pdf">https://publications.tnsosfiles.com/acts/113/pub/pc0408.pdf</a></p>



<h2 class="wp-block-heading">Data Breach Requirements: Tenn.C.A. § 47-18-2107 et seq.</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute.</p>



<h3 class="wp-block-heading">Personal Information</h3>



<p>Personal information (A) Means an individual’s first name or first initial and last name, in combination with any one (1) or more of the following data elements:<br>(i) Social Security number;<br>(ii) Driver’s license number; or<br>(iii) Account, credit card, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security Breach Definition</h3>



<p>The term “breach of system security” means the acquisition of unencrypted computerized data; or encrypted computerized data and the encryption key by an unauthorized person that materially compromises the security, confidentiality, or integrity of personal information maintained by the information holder.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Good Faith Exception</h3>



<p>A “breach of system security” does not include the good faith acquisition of personal information by an employee or agent of the information holder for the purposes of the information holder if the personal information is not used or subject to further unauthorized disclosure.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Risk of Harm Analysis</h3>



<p>N/A</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Timeline</h3>



<p>The breach notification must be made no later than 45 days from the discovery or notification of the breach of system security, unless a longer period of time is required due to the legitimate needs of law enforcement.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security and Investigation Exceptions</h3>



<p>The breach notification may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. If the notification is delayed, it must be made no later than 45 days after the law enforcement agency determines that notification will not compromise the investigation.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Content Requirements</h3>



<p>N/A</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Delivery Methods</h3>



<p>A breach notice may be provided by one of the following methods:<br>(1) Written notice;<br>(2) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001 (The Electronic Signatures in Global and National Commerce Act) or if the information holder’s primary method of communication with the resident of this state has been by electronic means; or<br>(3) Substitute notice, if the information holder demonstrates that the cost of providing notice would exceed $250,000, that the affected class of subject persons to be notified exceeds 500,000 persons, or the information holder does not have sufficient contact information and the notice consists of all of the following:<br>(A) Email notice, when the information holder has an email address for the subject persons;<br>(B) Conspicuous posting of the notice on the information holder’s website, if the information holder maintains a website page; and<br>(C) Notification to major statewide media</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Substitute Notice</h3>



<p>See Delivery Methods.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notice to Government Agencies</h3>



<p>N/A</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Consumer Reporting Agencies</h3>



<p>If an information holder discovers circumstances requiring breach notification to more than 1,000 persons at one time, the information holder must also notify, without unreasonable delay, all consumer reporting agencies and credit bureaus that compile and maintain files on consumers on a nationwide basis, of the timing, distribution, and content of the notices.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Preemption and Compliance</h3>



<p>This law does not apply to any information holder that is subject to: (1) Title V of the Gramm-Leach-Bliley Act; or (2) The Health Insurance Portability and Accountability Act of 1996, as amended.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Processor Obligations</h3>



<p>Any information holder that maintains computerized data that includes personal information that the information holder does not own shall notify the owner or licensee of the information of any breach of system security if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure must be made no later than 45 days from the discovery or notification of the breach of system security, unless a longer period of time is required due to the legitimate needs of law enforcement.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Other Information</h3>



<p>“Unauthorized person” includes an employee of the information holder who is discovered by the information holder to have obtained personal information with the intent to use it for an unlawful purpose.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h2 class="wp-block-heading">Data Disposal and Security: Tenn.C.A. § 39-14-150.</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute. See statute for any applicable exceptions or exemptions.</p>



<h3 class="wp-block-heading">Key Terms</h3>



<p>The term “personal identifying information” means a customer’s:<br>(A) Social Security number;<br>(B) Driver license identification number;<br>(C) Savings account number;<br>(D) Checking account number;<br>(E) PIN (personal identification number) or password;<br>(F) Complete credit or debit card number;<br>(G) Demand deposit account number;<br>(H) Health insurance identification number; or<br>(I) Unique biometric data.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Disposal</h3>



<p>If a private entity or business maintains a record that contains any personal identifying information concerning one of its customers, and the entity, by law, practice, or policy discards such records after a specified period of time, any record containing the personal identifying information shall not be discarded unless the business:<br>(A) Shreds or burns the customer’s record before discarding the record;<br>(B) Erases the personal identifying information contained in the customer’s record before discarding the record;<br>(C) Modifies the customer’s record to make the personal identifying information unreadable before discarding the record; or<br>(D) Takes action to destroy the customer’s personal identifying information in a manner that it reasonably believes will ensure that no unauthorized persons have access to the personal identifying information contained in the customer’s record for the period of time between the record’s disposal and the record’s destruction.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Other Information</h3>



<p>The methods of destroying the personal identifying information set forth herein shall be considered the minimum standards. If a private entity or business by law, practice or policy currently is required to have or otherwise has in place more stringent methods and procedures for destroying the personal identifying information in a customer’s record, the private entity or business may continue to destroy the identifying information in the more stringent manner.</p>


Tennessee (Data Protection Map)


<h2 class="wp-block-heading">Data Breach Requirements: South Dakota CL § 22-40-19 et seq.</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute.</p>



<h3 class="wp-block-heading">Personal Information</h3>



<p>The term “personal information” means a person’s first name or first initial and last name, in combination with any one or more of the following data elements:<br>(a) Social Security number;<br>(b) Driver’s license number or other unique identification number created or collected by a government body;<br>(c) Account, credit card, or debit card number, in combination with any required security code, access code, password, routing number, PIN, or any additional information that would permit access to a person’s financial account;<br>(d) Health information as defined in 45 CFR 160.103; or<br>(e) An identification number assigned to a person by the person’s employer in combination with any required security code, access code, password, or biometric data generated from measurements or analysis of human body characteristics for authentication purposes.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>The term “protected information” includes:<br>(a) A username or email address, in combination with a password, security question answer, or other information that permits access to an online account; and<br>(b) Account number or credit or debit card number, in combination with any required security code, access code, or password that permits access to a person’s financial account;</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security Breach Definition</h3>



<p>The term “breach of system security” means the unauthorized acquisition of unencrypted computerized data or encrypted computerized data and the encryption key by any person that materially compromises the security, confidentiality, or integrity of personal or protected information maintained by the information holder.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Good Faith Exception</h3>



<p>A “breach of system security” does not include the good faith acquisition of personal or protected information by an employee or agent of the information holder for the purposes of the information holder if the personal or protected information is not used or subject to further unauthorized disclosure.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Risk of Harm Analysis</h3>



<p>An information holder is not required to make a data breach notification if, following an appropriate investigation and notice to the attorney general, the information holder reasonably determines that the breach will not likely result in harm to the affected person. The information holder shall document the determination under this section in writing and maintain the documentation for not less than three years.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Timeline</h3>



<p>The breach notification shall be made not later than 60 days from the discovery or notification of the breach of system security, unless a longer period of time is required due to the legitimate needs of law enforcement.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security and Investigation Exceptions</h3>



<p>A breach notification may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. If the notification is delayed, the notification shall be made not later than 30 days after the law enforcement agency determines that notification will not compromise the criminal investigation.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Content Requirements</h3>



<p>N/A</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Delivery Methods</h3>



<p>A breach notice may be provided by one of the following methods:<br>(1) Written notice;<br>(2) Electronic notice, if the electronic notice is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001 (The Electronic Signatures in Global and National Commerce Act) in effect as of January 1, 2018, or if the information holder’s primary method of communication with the resident of this state has been by electronic means; or<br>(3) Substitute notice, if the information holder demonstrates that the cost of providing notice would exceed $250,000, that the affected class of persons to be notified exceeds 500,000 persons, or that the information holder does not have sufficient contact information and the notice consists of each of the following:<br>(a) Email notice, if the information holder has an email address for the subject persons;<br>(b) Conspicuous posting of the notice on the information holder’s website, if the information holder maintains a website page; and<br>(c) Notification to statewide media.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Substitute Notice</h3>



<p>See Delivery Methods.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notice to Government Agencies</h3>



<p>Any information holder that experiences a breach of system security shall disclose to the attorney general by mail or electronic mail any breach that exceeds 250 state residents.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Consumer Reporting Agencies</h3>



<p>If an information holder discovers circumstances that require a breach notification, the information holder shall also notify, without unreasonable delay, all consumer reporting agencies and any other credit bureau or agency that compiles and maintains files on consumers on a nationwide basis, of the timing, distribution, and content of the notice.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Preemption and Compliance</h3>



<p>Any information holder that is regulated by federal law or regulation, including the Health Insurance Portability and Accountability Act of 1996 or the Gramm-Leach-Bliley Act and that maintains procedures for a breach of system security pursuant to the laws, rules, regulations, guidance, or guidelines established by its primary or functional federal regulator is deemed to be in compliance with this law if the information holder notifies affected South Dakota residents in accordance with the provisions of the applicable federal law or regulation.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Processor Obligations</h3>



<p>N/A</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Other Information</h3>



<p>“Unauthorized person,” any person not authorized to acquire or disclose personal information, or any person authorized by the information holder to access personal information who has acquired or disclosed the personal information outside the guidelines for access of disclosure established by the information holder.</p>


South Dakota (Data Protection Map)


<h2 class="wp-block-heading">Data Breach Requirements: S.C. Code Ann. § 39-1-90.</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute.</p>



<h3 class="wp-block-heading">Personal Information</h3>



<p>The term “personal identifying information” means the first name or first initial and last name in combination with and linked to any one or more of the following data elements that relate to a resident of this State, when the data elements are neither encrypted nor redacted:<br>(a) Social Security number;<br>(b) Driver’s license number or state identification card number issued instead of a driver’s license;<br>(c) Financial account number, or credit card or debit card number in combination with any required security code, access code, or password that would permit access to a resident’s financial account; or<br>(d) Other numbers or information which may be used to access a person’s financial accounts or numbers or information issued by a governmental or regulatory entity that uniquely will identify an individual.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security Breach Definition</h3>



<p>The term “breach of the security of the system” means unauthorized access to and acquisition of computerized data that was not rendered unusable through encryption, redaction, or other methods that compromises the security, confidentiality, or integrity of personal identifying information maintained by the person, when illegal use of the information has occurred or is reasonably likely to occur or use of the information creates a material risk of harm to a resident.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Good Faith Exception</h3>



<p>Good faith acquisition of personal identifying information by an employee or agent of the person for the purposes of its business is not a breach of the security of the system if the personal identifying information is not used or subject to further unauthorized disclosure.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Risk of Harm Analysis</h3>



<p>A covered entity shall disclose a breach of the security of the system following discovery or notification of the breach of the data to a resident of this state whose personal identifying information that was not rendered unusable through encryption, redaction, or other methods was, or is reasonably believed to have been, acquired by an unauthorized person when the illegal use of the information has occurred or is reasonably likely to occur or use of the information creates a material risk of harm to the resident.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Timeline</h3>



<p>The breach notification must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or with measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security and Investigation Exceptions</h3>



<p>The breach notification may be delayed if a law enforcement agency determines that the notification impedes a criminal investigation. The notification must be made after the law enforcement agency determines that it no longer compromises the investigation.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Content Requirements</h3>



<p>The breach notification to the South Caroline Consumer Protection Division should include all the following: (1) Date of the breach; (2) Date business became aware of the breach; (3) Date notice was/will be sent to affected consumers; (4) Method of consumer notification (i.e., direct mail, electronic mail, etc.); (5) Number of affected South Carolina consumers; (6) Content of the consumer notice (i.e., copy of the letter sent to consumers); and (7) Action taken to avoid future breaches.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Delivery Methods</h3>



<p>A breach notice may be provided by one of the following methods:<br>(1) Written notice;<br>(2) Electronic notice, if the person’s primary method of communication with the individual is by electronic means or is consistent with the provisions regarding electronic records and signatures in 15 U.S.C. § 7001 (The Electronic Signatures in Global and National Commerce Act);<br>(3) Telephonic notice; or<br>(4) Substitute notice, if the person demonstrates that the cost of providing notice exceeds $250.000 or that the affected class of subject persons to be notified exceeds 500,000 or the person has insufficient contact information.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Substitute Notice</h3>



<p>Substitute notice consists of:<br>(a) Email notice when the person has an email address for the subject persons;<br>(b) Conspicuous posting of the notice on the website page of the person, if the person maintains one; or<br>(c) Notification to major statewide media.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notice to Government Agencies</h3>



<p>If a business provides breach notices to more than 1,000 persons at one time, the business shall notify, without unreasonable delay, the Consumer Protection Division of the Department of Consumer Affairs of the timing, distribution, and content of the notice.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Consumer Reporting Agencies</h3>



<p>If a business provides breach notices to more than 1,000 persons at one time, the business shall notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on a nationwide basis of the timing, distribution, and content of the notice.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Preemption and Compliance</h3>



<p>This law does not apply to a bank or financial institution that is subject to and in compliance with the privacy and security provision of the Gramm-Leach-Bliley Act.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>A financial institution that is subject to and in compliance with the federal Interagency Guidance Response Programs for Unauthorized Access to Consumer Information and Customer Notice is considered to be in compliance with this section.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Processor Obligations</h3>



<p>A person conducting business in this state and maintaining computerized data, or other data that includes personal identifying information that the person does not own, shall notify the owner or licensee of the information of a breach of the security of the data immediately following discovery, if the personal identifying information was, or is reasonably believed to have been, acquired by an unauthorized person.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h2 class="wp-block-heading">Data Disposal and Security: S.C. Code Ann. §§ 37-20-110 and 37-20-190.</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute. See statute for any applicable exceptions or exemptions.</p>



<h3 class="wp-block-heading">Key Terms</h3>



<p>The term “personal identifying information” means personal identifying information as defined in Section 16-13-510(D). It does not mean information about vehicular accidents, driving violations, and driver’s status.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>Section 16-13-510(D): The term “personal identifying information” includes, but is not limited to:<br>(1) Social Security numbers;<br>(2) Driver’s license numbers or state identification card numbers issued instead of a driver’s license;<br>(3) Checking account numbers;<br>(4) Savings account numbers;<br>(5) Credit card numbers;<br>(6) Debit card numbers;<br>(7) Personal identification (PIN) numbers;<br>(8) Electronic identification numbers;<br>(9) Digital signatures;<br>(10) Dates of birth;<br>(11) Current or former names, including first and last names, middle and last names, or first, middle, and last names, but only when the names are used in combination with, and linked to, other identifying information provided in this section;<br>(12) Current or former addresses, but only when the addresses are used in combination with, and linked to, other identifying information provided in this section; or<br>(13) Other numbers, passwords, or information which may be used to access a person’s financial resources, numbers, or information issued by a governmental or regulatory entity that uniquely will identify an individual or an individual’s financial resources.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>The term “disposal” means the (a) discarding or abandonment of records containing personal identifying information; or (b) sale, donation, discarding, or transfer of any medium, including computer equipment or computer media, containing records of personal identifying information, other non-paper media upon which records of personal identifying information are stored, or other equipment for non-paper storage of information.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Disposal</h3>



<p>When a business disposes of a business record that contains personal identifying information of a customer of a business, the business shall modify, by shredding, erasing, or other means, the personal identifying information to make it unreadable or undecipherable.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>A business is considered to comply with this law if it contracts with a person engaged in the business of disposing of records for the modification of personal identifying information on behalf of the business in accordance with this law.</p>


South Carolina (Data Protection Map)


<h2 class="wp-block-heading">Data Breach Requirements: R.I. Gen. Laws § 11-49.3-1 et seq.</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute.</p>



<h3 class="wp-block-heading">Personal Information</h3>



<p>The term “personal information” means an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the name and the data elements are not encrypted or are in hard copy, paper format:<br>(i) Social Security number;<br>(ii) Driver’s license number, Rhode Island identification card number, or tribal identification number;<br>(iii) Account number, credit, or debit card number, in combination with any required security code, access code, password, or personal identification number, that would permit access to an individual’s financial account;<br>(iv) Medical or health insurance information; or<br>(v) Email address with any required security code, access code, or password that would permit access to an individual’s personal, medical, insurance, or financial account.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security Breach Definition</h3>



<p>The term “breach of the security of the system” means unauthorized access or acquisition of unencrypted, computerized data information that compromises the security, confidentiality, or integrity of personal information maintained by the person.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Good Faith Exception</h3>



<p>The good faith acquisition of personal information by an employee or agent of the agency for the purposes of the agency is not a breach of the security of the system; provided that the personal information is not used or subject to further unauthorized disclosure.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Risk of Harm Analysis</h3>



<p>A covered entity shall provide notification of any disclosure of personal information, or any breach of the security of the system, that poses a significant risk of identity theft to any resident of Rhode Island whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person or entity.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Timeline</h3>



<p>The breach notification shall be made in the most expedient time possible, but no later than 45 calendar days after confirmation of the breach and the ability to ascertain the information required to fulfill the notice requirements, and shall be consistent with the legitimate needs of law enforcement.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security and Investigation Exceptions</h3>



<p>The breach notification may be delayed if a federal, state, or local law enforcement agency determines that the notification will impede a criminal investigation. The federal, state, or local law enforcement agency must notify the person of the request to delay notification without unreasonable delay. If notice is delayed due to such determination, then, as soon as the federal, state, or local law enforcement agency determines and informs the person that notification no longer poses a risk of impeding an investigation, notice shall be provided as soon as practicable. The person shall cooperate with federal, state, or local law enforcement in its investigation of any breach of security or unauthorized acquisition or use, which shall include the sharing of information relevant to the incident; provided however, that such disclosure shall not require the disclosure of confidential business information or trade secrets.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Content Requirements</h3>



<p>(d) The notification to individuals must include the following information to the extent known:<br>(1) A general and brief description of the incident, including how the security breach occurred and the number of affected individuals;<br>(2) The type of information that was subject to the breach;<br>(3) Date of breach, estimated date of breach, or the date range within which the breach occurred;<br>(4) Date that the breach was discovered;<br>(5) A clear and concise description of any remediation services offered to affected individuals including toll free numbers and websites to contact: (i) The credit reporting agencies; (ii) Remediation service providers; (iii) The attorney general; and<br>(6) A clear and concise description of the consumer’s ability to file or obtain a police report; how a consumer requests a security freeze and the necessary information to be provided when requesting the security freeze; and that fees may be required to be paid to the consumer reporting agencies.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Delivery Methods</h3>



<p>A breach notice may be provided by one of the following methods:<br>(i) Written notice;<br>(ii) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001 (The Electronic Signatures in Global and National Commerce Act); or<br>(iii) Substitute notice, if the person demonstrates that the cost of providing notice would exceed $25,000, or that the affected class of subject persons to be notified exceeds 50,000, or the person does not have sufficient contact information.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Substitute Notice</h3>



<p>Substitute notice shall consist of all of the following:<br>(A) Email notice when the person has an email address for the subject persons;<br>(B) Conspicuous posting of the notice on the municipal agency, state agency, or person’s website page, if the person maintains one; and<br>(C) Notification to major statewide media.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notice to Government Agencies</h3>



<p>In the event that more than 500 Rhode Island residents are to be notified, the covered entity shall notify the attorney general as to the timing, content, and distribution of the notices and the approximate number of affected individuals. Notification to the attorney general shall be made without delaying notice to affected Rhode Island residents. (See timeline above: the most expedient time possible 45 days.)</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Consumer Reporting Agencies</h3>



<p>In the event that more than 500 Rhode Island residents are to be notified, the covered entity shall notify the major credit reporting agencies as to the timing, content, and distribution of the notices and the approximate number of affected individuals. Notification to the major credit reporting agencies shall be made without delaying notice to affected Rhode Island residents. (See timeline above: the most expedient time possible 45 days.)</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Preemption and Compliance</h3>



<p>A covered entity shall be deemed to be in compliance with the security breach notification requirements of § 11-49.3-4 if the person maintains a security breach procedure pursuant to the rules, regulations, procedures, or guidelines established by the primary or functional regulator, as defined in 15 U.S.C. § 6809(2), and notifies subject persons in accordance with the policies or the rules, regulations, procedures, or guidelines established by the primary or functional regulator in the event of a breach of security of the system.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>A financial institution, trust company, credit union, or its affiliates that is subject to and examined for, and found in compliance with, the Federal Interagency Guidelines on Response Programs for Unauthorized Access to Customer Information and Customer Notice shall be deemed in compliance with this chapter.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>A provider of health care, health care service plan, health insurer, or a covered entity governed by the medical privacy and security rules issued pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) shall be deemed in compliance with this chapter.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Processor Obligations</h3>



<p>N/A (See State Specific Information Security Requirements and third-party contracting obligations)</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Other Information</h3>



<p>A “remediation service provider” means any person who, in the usual course of business, provides services pertaining to a consumer credit report including, but not limited to, credit report monitoring and alerts, that are intended to mitigate the potential for identity theft.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>Notification to the attorney general and the major credit reporting agencies by a covered entity shall be made without delaying notice to affected Rhode Island residents.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h2 class="wp-block-heading">Data Disposal and Security: R.I. Gen. Laws §§ 11-49.3-2 and 11-49.3-3.</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute. See statute for any applicable exceptions or exemptions.</p>



<h3 class="wp-block-heading">Key Terms</h3>



<p>The term “personal information” means an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the name and the data elements are not encrypted or are in hard copy, paper format:<br>(i) Social Security number;<br>(ii) Driver’s license number, Rhode Island identification card number, or tribal identification number;<br>(iii) Account, credit, or debit card number, in combination with any required security code, access code, password, or personal identification number, that would permit access to an individual’s financial account;<br>(iv) Medical or health insurance information; or<br>(v) Email address with any required security code, access code, or password that would permit access to an individual’s personal, medical, insurance, or financial account.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security Requirements</h3>



<p>A person who or that stores, collects, processes, maintains, acquires, uses, owns, or licenses personal information about a Rhode Island resident shall implement and maintain a risk-based information security program that contains reasonable security procedures and practices appropriate to the size and scope of the organization; the nature of the information; and the purpose for which the information was collected in order to protect the personal information from unauthorized access, use, modification, destruction, or disclosure and to preserve the confidentiality, integrity, and availability of such information.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>A person shall not retain personal information for a period longer than is reasonably required to provide the services requested; to meet the purpose for which it was collected; or in accordance with a written retention policy or as may be required by law.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>A person who discloses personal information about a Rhode Island resident to a nonaffiliated third party shall require by written contract that the third party implement and maintain reasonable security procedures and practices appropriate to the size and scope of the organization; the nature of the information; and the purpose for which the information was collected in order to protect the personal information from unauthorized access, use, modification, destruction, or disclosure.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Written Policy</h3>



<p>See Security Requirements (written retention policy).</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Disposal</h3>



<p>A person shall destroy all personal information, regardless of the medium that such information is in, in a secure manner, including, but not limited to, shredding, pulverization, incineration, or erasure.</p>


Rhode Island (Data Protection Map)


<h2 class="wp-block-heading">Data Breach Requirements: PA St. 73 P.S. § 2302 et seq.</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute.</p>



<h3 class="wp-block-heading">Personal Information</h3>



<p>The term “personal information” means:<br>(1) An individual’s first name or first initial and last name in combination with and linked to any one or more of the following data elements when the data elements are not encrypted or redacted:<br>(i) Social Security number.<br>(ii) Driver’s license number or a state identification card number issued in lieu of a driver’s license.<br>(iii) Financial account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account.<br>(iv) Medical information.<br>(v) Health insurance information.<br>(vi) A user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security Breach Definition</h3>



<p>The term “breach of the security of the system” means the unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of personal information maintained by the entity as part of a database of personal information regarding multiple individuals and that causes or the entity reasonably believes has caused or will cause loss or injury to any resident of this commonwealth.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Good Faith Exception</h3>



<p>Good faith acquisition of personal information by an employee or agent of the entity for the purposes of the entity is not a breach of the security of the system if the personal information is not used for a purpose other than the lawful purpose of the entity and is not subject to further unauthorized disclosure.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Risk of Harm Analysis</h3>



<p>N/A</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Timeline</h3>



<p>Except for the law enforcement exception (See Security and Investigations Exceptions) or in order to take any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system, the breach notice shall be made without unreasonable delay.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security and Investigation Exceptions</h3>



<p>A breach notification may be delayed if a law enforcement agency determines and advises the entity in writing specifically referencing this breach notification law that the notification will impede a criminal or civil investigation. The notification required by this act shall be made after the law enforcement agency determines that it will not compromise the investigation or national or homeland security.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Content Requirements</h3>



<p>See Delivery Methods (content requirements for telephonic notices).</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Delivery Methods</h3>



<p>A breach notice may be provided by one of the following methods:<br>(1) Written notice to the last known home address for the individual.<br>(2) Telephonic notice, if the individual can be reasonably expected to receive the notice and it is given in a clear and conspicuous manner, describes the incident in general terms and verifies personal information but does not require the individual to provide personal information, and the individual is provided with a telephone number to call or Internet website to visit for further information or assistance.<br>(3) Email notice, if a prior business relationship exists and the person or entity has a valid email address for the individual.<br>(3) (i) Electronic notice, if the notice directs the person whose personal information has been materially compromised by a breach of the security of the system to promptly change the person&#8217;s password and security question or answer, as applicable, or to take other steps appropriate to protect the person&#8217;s online account to the extent the entity has sufficient contact information for the person<br>(4)(i) Substitute notice, if the entity demonstrates one of the following:<br>(A) The cost of providing notice would exceed $100,000.<br>(B) The affected class of subject persons to be notified exceeds 175,000.<br>(C) The entity does not have sufficient contact information.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Substitute Notice</h3>



<p>Substitute notice shall consist of all of the following:<br>(A) Email notice when the entity has an email address for the subject persons.<br>(B) Conspicuous posting of the notice on the entity’s Internet website if the entity maintains one.<br>(C) Notification to major Statewide media.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notice to Government Agencies</h3>



<p>N/A</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Consumer Reporting Agencies</h3>



<p>When an entity provides notification under this act to more than 1,000 persons at one time, the entity shall also notify, without unreasonable delay, all consumer reporting agencies of the timing, distribution, and number of notices.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Preemption and Compliance</h3>



<p>A financial institution that complies with the notification requirements prescribed by the Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice is deemed to be in compliance with this act.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>An entity that complies with the notification requirements or procedures pursuant to the rules, regulations, procedures, or guidelines established by the entity’s primary or functional federal regulator shall be in compliance with this act.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Processor Obligations</h3>



<p>A vendor that maintains, stores, or manages computerized data on behalf of another entity shall provide notice of any breach of the security system following discovery by the vendor to the entity on whose behalf the vendor maintains, stores, or manages the data. The entity shall be responsible for making the determinations and discharging any remaining duties under this law.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Other Information</h3>



<p>An entity must provide notice of the breach if encrypted information is accessed and acquired in an unencrypted form, if the security breach is linked to a breach of the security of the encryption or if the security breach involves a person with access to the encryption key.</p>



<p>Electronic notification: In the case of a breach of the security of the system involving personal information for a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account, the entity, to the extent that it has sufficient contact information for the person, may comply with this section by providing the breach of the security of the system notification in electronic or other form that directs the person whose personal information has been materially compromised by the breach of the security of the system to promptly change the person&#8217;s password and security question or answer, as applicable or to take other steps appropriate to protect the online account with the entity and other online accounts for which the person whose personal information has been materially compromised by the breach of the security of the system uses the same user name or e-mail address and password or security question or answer.</p>


Pennsylvania (Data Protection Map)

Oregon (Data Protection Map)


<h2 class="wp-block-heading">Data Breach Requirements: Okla. Stat. tit. 24, § 162 et seq.</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute.</p>



<h3 class="wp-block-heading">Personal Information</h3>



<p>The term “personal information” means the first name or first initial and last name in combination with and linked to any one or more of the following data elements that relate to a resident of this state, when the data elements are neither encrypted nor redacted:<br>a. Social Security number;<br>b. Driver’s license number or state identification card number issued in lieu of a driver’s license; or<br>c. Financial account number, credit card or debit card number, in combination with any required security code, access code, or password that would permit access to the financial accounts of a resident.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security Breach Definition</h3>



<p>The term “breach of the security of a system” means the unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information maintained by an individual or entity as part of a database of personal information regarding multiple individuals and that causes, or the individual or entity reasonably believes has caused or will cause, identity theft or other fraud to any resident of this state.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Good Faith Exception</h3>



<p>Good faith acquisition of personal information by an employee or agent of an individual or entity for the purposes of the individual or the entity is not a breach of the security of the system, provided that the personal information is not used for a purpose other than a lawful purpose of the individual or entity or subject to further unauthorized disclosure.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Risk of Harm Analysis</h3>



<p>An individual or entity must disclose the breach of the security of the system if encrypted information is accessed and acquired in an unencrypted form or if the security breach involves a person with access to the encryption key and the individual or entity reasonably believes that such breach has caused or will cause identity theft or other fraud to any resident of this state.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Timeline</h3>



<p>Except as provided in subsection D (security and investigation exceptions) or in order to take any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the system, the disclosure shall be made without unreasonable delay.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security and Investigation Exceptions</h3>



<p>A breach notification may be delayed if a law enforcement agency determines and advises the individual or entity that the notice will impede a criminal or civil investigation or homeland or national security. Notice must be made without unreasonable delay after the law enforcement agency determines that notification will no longer impede the investigation or jeopardize national or homeland security.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Content Requirements</h3>



<p>N/A</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Delivery Methods</h3>



<p>A breach notice may be provided by one of the following methods:<br>a. Written notice to the postal address in the records of the individual or entity;<br>b. Telephone notice;<br>c. Electronic notice; or<br>d. Substitute notice, if the individual or the entity required to provide notice demonstrates that the cost of providing notice will exceed $50,000.00, or that the affected class of residents to be notified exceeds 100,000 persons, or that the individual or the entity does not have sufficient contact information or consent to provide notice as described in subparagraph a, b or c of this paragraph.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Substitute Notice</h3>



<p>Substitute notice consists of any two of the following:<br>(1) Email notice if the individual or the entity has email addresses for the members of the affected class of residents;<br>(2) Conspicuous posting of the notice on the Internet website of the individual or the entity if the individual or the entity maintains a public Internet website; or<br>(3) Notice to major statewide media.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notice to Government Agencies</h3>



<p>N/A (other state sector laws may apply).</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Consumer Reporting Agencies</h3>



<p>N/A</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Preemption and Compliance</h3>



<p>A financial institution that complies with the notification requirements prescribed by the Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice is deemed to be in compliance with the provisions of this act. An entity that complies with the notification requirements or procedures pursuant to the rules, regulation, procedures, or guidelines established by the primary or functional federal regulator of the entity shall be deemed to be in compliance with the provisions of this act.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Processor Obligations</h3>



<p>An individual or entity that maintains computerized data that includes personal information that the individual or entity does not own or license shall notify the owner or licensee of the information of any breach of the security of the system. This should be done as soon as practicable following discovery, if the personal information was or if the entity reasonably believes was accessed and acquired by an unauthorized person.</p>



<p></p>


Oklahoma (Data Protection Map)


<h2 class="wp-block-heading">Data Breach Requirements: Ohio R.C. § 1349.19.</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute.</p>



<h3 class="wp-block-heading">Personal Information</h3>



<p>The term “personal information” means an individual’s name, consisting of the individual’s first name or first initial and last name, in combination with and linked to any one or more of the following data elements, when the data elements are not encrypted, redacted, or altered by any method or technology in such a manner that the data elements are unreadable:<br>(i) Social Security number;<br>(ii) Driver’s license number or state identification card number;<br>(iii) Account number or credit or debit card number, in combination with and linked to any required security code, access code, or password that would permit access to an individual’s financial account.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security Breach Definition</h3>



<p>The term “breach of the security of the system” means unauthorized access to and acquisition of computerized data that compromises the security or confidentiality of personal information owned or licensed by a person and that causes, reasonably is believed to have caused, or reasonably is believed will cause a material risk of identity theft or other fraud to the person or property of an Ohio resident.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Good Faith Exception</h3>



<p>Good faith acquisition of personal information by an employee or agent of the person for the purposes of the person is not a breach of the security of the system, provided that the personal information is not used for an unlawful purpose or subject to further unauthorized disclosure.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Risk of Harm Analysis</h3>



<p>Any person that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system, following its discovery or notification of the breach of the security of the system, to any resident of this state whose personal information was, or reasonably is believed to have been, accessed and acquired by an unauthorized person if the access and acquisition by the unauthorized person causes or reasonably is believed will cause a material risk of identity theft or other fraud to the resident.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Timeline</h3>



<p>The breach notification shall be made in the most expedient time possible, but not later than 45 days following its discovery or notification of the breach in the security of the system, subject to the legitimate needs of law enforcement activities and consistent with any measures necessary to determine the scope of the breach, including which residents’ personal information was accessed and acquired, and to restore the reasonable integrity of the data system.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security and Investigation Exceptions</h3>



<p>The breach notification may be delayed if a law enforcement agency determines that the disclosure or notification will impede a criminal investigation or jeopardize homeland or national security, in which case the person shall make the disclosure or notification after the law enforcement agency determines that disclosure or notification will not compromise the investigation or jeopardize homeland or national security.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Content Requirements</h3>



<p>N/A</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Delivery Methods</h3>



<p>A breach notice may be provided by one of the following methods:</p>



<p>(1) Written notice;</p>



<p>(2) Electronic notice, if the person’s primary method of communication with the resident to whom the disclosure must be made is by electronic means;</p>



<p>(3) Telephone notice;</p>



<p>(4) Substitute notice in accordance with this division, if the person required to disclose demonstrates that the person does not have sufficient contact information to provide notice in a manner described in division (E)(1), (2), or (3) of this section, or that the cost of providing disclosure or notice to residents to whom disclosure or notification is required would exceed $250,000, or that the affected class of subject residents to whom disclosure or notification is required exceeds 500,000 persons. Substitute notice under this division shall consist of all of the following: (a) Email notice if the person has an email address for the resident to whom the disclosure must be made; (b) Conspicuous posting of the disclosure or notice on the person’s website, if the person maintains one; (c) Notification to major media outlets, to the extent that the cumulative total of the readership, viewing audience, or listening audience of all of the outlets so notified equals or exceeds 75 percent of the population of this state.</p>



<p>(5) Substitute notice in accordance with this division, if the person required to disclose demonstrates that the person is a business entity with ten employees or fewer and that the cost of providing the disclosures or notices to residents to whom disclosure or notification is required will exceed $10,000. Substitute notice under this division shall consist of all of the following: (a) Notification by a paid advertisement in a local newspaper that is distributed in the geographic area in which the business entity is located, which advertisement shall be of sufficient size that it covers at least one-quarter of a page in the newspaper and shall be published in the newspaper at least once a week for three consecutive weeks; (b) Conspicuous posting of the disclosure or notice on the business entity’s website, if the entity maintains one; (c) Notification to major media outlets in the geographic area in which the business entity is located.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Substitute Notice</h3>



<p>See Delivery Methods.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notice to Government Agencies</h3>



<p>N/A</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Consumer Reporting Agencies</h3>



<p>If a person discovers circumstances that require disclosure under this section to more than 1,000 residents of this state involved in a single occurrence of a breach of the security of the system, the person shall notify, without unreasonable delay, all consumer reporting agencies of the timing, distribution, and content of the disclosure given by the person to the residents of this state.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Preemption and Compliance</h3>



<p>A financial institution, trust company, or credit union or any affiliate of a financial institution, trust company, or credit union that is required by federal law, including, but not limited to, any federal statute, regulation, regulatory guidance, or other regulatory action, to notify its customers of an information security breach with respect to information about those customers and that is subject to examination by its functional government regulatory agency for compliance with the applicable federal law, is exempt from the requirements of this section.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>This law does not apply to any person or entity that is a covered entity as defined in 45 C.F.R. 160.103, as amended.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Processor Obligations</h3>



<p>Any person that, on behalf of or at the direction of another person or on behalf of or at the direction of any governmental entity, is the custodian of or stores computerized data that includes personal information, shall notify that other person or governmental entity of any breach of the security of the system in an expeditious manner, if the personal information was, or reasonably is believed to have been, accessed and acquired by an unauthorized person and if the access and acquisition by the unauthorized person causes or reasonably is believed will cause a material risk of identity theft or other fraud to a resident of this state.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Other Information</h3>



<p>The data breach notification may be made pursuant to any provision of a contract entered into by the person with another person prior to the date the breach of the security of the system occurred if that contract does not conflict with any provision of this law and does not waive any provision of this law.</p>


Ohio (Data Protection Map)


<h2 class="wp-block-heading">Data Breach Requirements: N.D.C.C. § 51-30-01 et seq.</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute.</p>



<h3 class="wp-block-heading">Personal Information</h3>



<p>The term “personal information” means an individual’s first name or first initial and last name in combination with any of the following data elements, when the name and the data elements are not encrypted:<br>(1) The individual’s Social Security number;<br>(2) The operator’s license number assigned to an individual by the department of transportation under Section 39-06-14;<br>(3) A nondriver color photo identification card number assigned to the individual by the Department of Transportation under Section 39-06-03.1;<br>(4) The individual’s financial institution account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial accounts;<br>(5) The individual’s date of birth;<br>(6) The maiden name of the individual’s mother;<br>(7) Medical information;<br>(8) Health insurance information;<br>(9) An identification number assigned to the individual by the individual’s employer in combination with any required security code, access code, or password; or<br>(10) The individual’s digitized or other electronic signature.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security Breach Definition</h3>



<p>The term “breach of the security system” means unauthorized acquisition of computerized data when access to personal information has not been secured by encryption or by any other method or technology that renders the electronic files, media, or databases unreadable or unusable.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Good Faith Exception</h3>



<p>Good-faith acquisition of personal information by an employee or agent of the person is not a breach of the security of the system, if the personal information is not used or subject to further unauthorized disclosure.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Risk of Harm Analysis</h3>



<p>N/A</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Timeline</h3>



<p>The breach notification must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, or any measures necessary to determine the scope of the breach and to restore the integrity of the data system.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security and Investigation Exceptions</h3>



<p>The breach notification may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The breach notification must be made after the law enforcement agency determines that the notification will not compromise the investigation.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Content Requirements</h3>



<p>N/A</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Delivery Methods</h3>



<p>A breach notice may be provided by one of the following methods:</p>



<ol><li>Written notice;</li><li>Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001 (The Electronic Signatures in Global and National Commerce Act); or</li><li>Substitute notice, if the person demonstrates that the cost of providing notice would exceed $250,000, or that the affected class of subject persons to be notified exceeds 500,000, or the person does not have sufficient contact information.</li></ol>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Substitute Notice</h3>



<p>Substitute notice consists of the following:<br>a. Email notice when the person has an email address for the subject persons;<br>b. Conspicuous posting of the notice on the person’s website page, if the person maintains one; and<br>c. Notification to major statewide media.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notice to Government Agencies</h3>



<p>Any person that experiences a breach of the security system shall disclose to the attorney general by mail or email any breach which exceeds 250 individuals.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Consumer Reporting Agencies</h3>



<p>N/A</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Preemption and Compliance</h3>



<p>A financial institution, trust company, or credit union that is subject to, examined for, and in compliance with the federal interagency guidance on response programs for unauthorized access to customer information and customer notice is in compliance with this chapter. A covered entity, business associate, or subcontractor subject to breach notification requirements under Title 45, Code of Federal Regulations, Subpart D, Part 164 (HIPAA), is considered to be in compliance with this chapter.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Processor Obligations</h3>



<p>Any person that maintains computerized data that includes personal information that the person does not own shall notify the owner or licensee of the information of the breach of the security of the data immediately following the discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.</p>


North Dakota (Data Protection Map)


<h2 class="wp-block-heading">Data Breach Requirements: N.C.G.S. §§ <a>75-61</a>, 75-65. </h2>



<p>The numbering and internal citations herein are derived from the applicable state statute.</p>



<h3 class="wp-block-heading">Personal Information</h3>



<p>The term “personal information” means a person’s first name or first initial and last name in combination with identifying information as defined in G.S. 14-113.20(b).</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>G.S. 14-113.20(b):<br>(b) The term “identifying information” includes the following:<br>(1) Social Security or employer taxpayer identification numbers.<br>(2) Driver’s license, state identification card, or passport numbers.<br>(3) Checking account numbers.<br>(4) Savings account numbers.<br>(5) Credit card numbers.<br>(6) Debit card numbers.<br>(7) Personal Identification (PIN) Code as defined in G.S. 14-113.8(6).<br>(8) Electronic identification numbers, electronic mail names or addresses, internet account numbers, or internet identification names.<br>(9) Digital signatures.<br>(10) Any other numbers or information that can be used to access a person’s financial resources.<br>(11) Biometric data.<br>(12) Fingerprints.<br>(13) Passwords.<br>(14) Parent’s legal surname prior to marriage.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>However, personal information shall not include electronic identification numbers, electronic mail names or addresses, internet account numbers, internet identification names, parent’s legal surname prior to marriage, or a password unless this information would permit access to a person’s financial account or resources.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security Breach Definition</h3>



<p>The term “security breach” means an incident of unauthorized access to and acquisition of unencrypted and unredacted records or data containing personal information where illegal use of the personal information has occurred or is reasonably likely to occur or that creates a material risk of harm to a consumer. Any incident of unauthorized access to and acquisition of encrypted records or data containing personal information along with the confidential process or key shall constitute a security breach.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Good Faith Exception</h3>



<p>Good faith acquisition of personal information by an employee or agent of the business for a legitimate purpose is not a security breach, provided that the personal information is not used for a purpose other than a lawful purpose of the business and is not subject to further unauthorized disclosure.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Risk of Harm Analysis</h3>



<p>See Security Breach Definition (illegal use and material risk of harm standard).</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Timeline</h3>



<p>The breach notification shall be made without unreasonable delay, consistent with the legitimate needs of law enforcement, and consistent with any measures necessary to determine sufficient contact information, determine the scope of the breach, and restore the reasonable integrity, security, and confidentiality of the data system.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security and Investigation Exceptions</h3>



<p>The breach notification shall be delayed if a law enforcement agency informs the business that notification may impede a criminal investigation or jeopardize national or homeland security, provided that such request is made in writing or the business documents such request contemporaneously in writing, including the name of the law enforcement officer making the request and the officer’s law enforcement agency engaged in the investigation. The breach notice shall be provided without unreasonable delay after the law enforcement agency communicates to the business its determination that notice will no longer impede the investigation or jeopardize national or homeland security.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Content Requirements</h3>



<p>The breach notice shall be clear and conspicuous and include all of the following:<br>(1) A description of the incident in general terms.<br>(2) A description of the type of personal information that was subject to the unauthorized access and acquisition.<br>(3) A description of the general acts of the business to protect the personal information from further unauthorized access.<br>(4) A telephone number for the business that the person may call for further information and assistance, if one exists.<br>(5) Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports.<br>(6) The toll-free numbers and addresses for the major consumer reporting agencies.<br>(7) The toll-free numbers, addresses, and website addresses for the Federal Trade Commission and the North Carolina Attorney General’s Office, along with a statement that the individual can obtain information from these sources about preventing identity theft.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Delivery Methods</h3>



<p>A breach notice may be provided by one of the following methods:<br>(1) Written notice.<br>(2) Electronic notice, for those persons for whom it has a valid email address and who have agreed to receive communications electronically if the notice provided is consistent with the provisions regarding electronic records and signatures for notices legally required to be in writing, set forth in 15 U.S.C. § 7001 (The Electronic Signatures in Global and National Commerce Act).<br>(3) Telephonic notice provided that contact is made directly with the affected persons.<br>(4) Substitute notice, if the business demonstrates that the cost of providing notice would exceed $250,000, or that the affected class of subject persons to be notified exceeds 500,000, or if the business does not have sufficient contact information or consent to satisfy subdivisions (1), (2), or (3) of this subsection, for only those affected persons without sufficient contact information or consent, or if the business is unable to identify particular affected persons, for only those unidentifiable affected persons.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Substitute Notice</h3>



<p>Substitute notice shall consist of all the following:<br>a. Email notice when the business has an electronic mail address for the subject persons.<br>b. Conspicuous posting of the notice on the website page of the business, if one is maintained.<br>c. Notification to major statewide media.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notice to Government Agencies</h3>



<p>In the event a business provides notice to an affected person of a breach, the business shall notify without unreasonable delay the Consumer Protection Division of the Attorney General’s Office of the nature of the breach, the number of consumers affected by the breach, steps taken to investigate the breach, steps taken to prevent a similar breach in the future, and information regarding the timing, distribution, and content of the notice.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Consumer Reporting Agencies</h3>



<p>In the event a business provides notice to more than 1,000 persons at one time of a breach, the business shall notify, without unreasonable delay, the Consumer Protection Division of the Attorney General’s Office and all consumer reporting agencies of the timing, distribution, and content of the notice.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Preemption and Compliance</h3>



<p>A financial institution that is subject to and in compliance with the Federal Interagency Guidance Response Programs for Unauthorized Access to Consumer Information and Customer Notice or a credit union that is subject to and in compliance with the Final Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice shall be deemed to be in compliance with this law.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Processor Obligations</h3>



<p>Any business that maintains or possesses records or data containing personal information of residents of North Carolina that the business does not own or license, or any business that conducts business in North Carolina that maintains or possesses records or data containing personal information that the business does not own or license, shall notify the owner or licensee of the information of any security breach immediately following discovery of the breach, consistent with the legitimate needs of law enforcement.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h2 class="wp-block-heading">Data Disposal and Security: N.C.G.S. § 75-61, and 75-64.</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute. See statute for any applicable exceptions or exemptions.</p>



<p>Key Terms</p>



<p>The term “disposal” includes the following: a. The discarding or abandonment of records containing personal information. b. The sale, donation, discarding, or transfer of any medium, including computer equipment or computer media, containing records of personal information, or other non-paper media upon which records of personal information are stored, or other equipment for non-paper storage of information.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>The term “personal information” means a person’s first name or first initial and last name in combination with identifying information as defined in G.S. 14-113.20(b). Personal information does not include publicly available directories containing information an individual has voluntarily consented to have publicly disseminated or listed, including name, address, and telephone number, and does not include information made lawfully available to the general public from federal, state, or local government records.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>G.S. 14-113.20(b):<br>(b) The term “identifying information” includes the following:<br>(1) Social Security or employer taxpayer identification numbers.<br>(2) Driver’s license, state identification card, or passport numbers.<br>(3) Checking account numbers.<br>(4) Savings account numbers.<br>(5) Credit card numbers.<br>(6) Debit card numbers.<br>(7) Personal Identification (PIN) Code as defined in G.S. 14-113.8(6).<br>(8) Electronic identification numbers, electronic mail names or addresses, internet account numbers, or internet identification names.<br>(9) Digital signatures.<br>(10) Any other numbers or information that can be used to access a person’s financial resources.<br>(11) Biometric data.<br>(12) Fingerprints.<br>(13) Passwords.<br>(14) Parent’s legal surname prior to marriage.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>However, personal information shall not include electronic identification numbers, email names or addresses, internet account numbers, internet identification names, parent’s legal surname prior to marriage, or a password unless this information would permit access to a person’s financial account or resources.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>The term “personal information” does not include publicly available directories containing information an individual has voluntarily consented to have publicly disseminated or listed, including name, address, and telephone number, and does not include information made lawfully available to the general public from federal, state, or local government records.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Written Policy</h3>



<p>See Data Disposal (implementing and monitoring compliance with policies and procedures).</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Disposal</h3>



<p>Any business that conducts business in North Carolina and any business that maintains or otherwise possesses personal information of a resident of North Carolina must take reasonable measures to protect against unauthorized access to or use of the information in connection with or after its disposal. The reasonable measures must include:<br>(1) Implementing and monitoring compliance with policies and procedures that require the burning, pulverizing, or shredding of papers containing personal information so that information cannot be practicably read or reconstructed.<br>(2) Implementing and monitoring compliance with policies and procedures that require the destruction or erasure of electronic media and other non-paper media containing personal information so that the information cannot practicably be read or reconstructed.<br>(3) Describing procedures relating to the adequate destruction or proper disposal of personal records as official policy in the writings of the business entity.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>A business may, after due diligence, enter into a written contract with, and monitor compliance by, another party engaged in the business of record destruction to destroy personal information in a manner consistent with this section. Due diligence should ordinarily include one or more of the following:<br>(1) Reviewing an independent audit of the disposal business’s operations or its compliance with this statute or its equivalent.<br>(2) Obtaining information about the disposal business from several references or other reliable sources and requiring that the disposal business be certified by a recognized trade association or similar third party with a reputation for high standards of quality review.<br>(3) Reviewing and evaluating the disposal business’s information security policies or procedures or taking other appropriate measures to determine the competency and integrity of the disposal business.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Other Information</h3>



<p>A disposal business that conducts business in North Carolina or disposes of personal information of residents of North Carolina must take all reasonable measures to dispose of records containing personal information by implementing and monitoring compliance with policies and procedures that protect against unauthorized access to or use of personal information during or after the collection and transportation and disposing of such information.</p>


North Carolina (Data Protection Map)

New York (Data Protection Map)


<h2 class="wp-block-heading">Data Breach Requirements: NMSA 1978, § 57-12C-1 et seq.</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute.</p>



<h3 class="wp-block-heading">Personal Information</h3>



<p>The term “personal identifying information” means an individual’s first name or first initial and last name in combination with one or more of the following data elements that relate to the individual, when the data elements are not protected through encryption or redaction or otherwise rendered unreadable or unusable:<br>(a) Social Security number;<br>(b) Driver’s license number;<br>(c) Government-issued identification number;<br>(d) Account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to a person’s financial account; or<br>(e) Biometric data.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security Breach Definition</h3>



<p>The term “security breach” means the unauthorized acquisition of unencrypted computerized data, or of encrypted computerized data and the confidential process or key used to decrypt the encrypted computerized data, that compromises the security, confidentiality, or integrity of personal identifying information maintained by a person.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Good Faith Exception</h3>



<p>A security breach does not include the good-faith acquisition of personal identifying information by an employee or agent of a person for a legitimate business purpose of the person, provided that the personal identifying information is not subject to further unauthorized disclosure.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Risk of Harm Analysis</h3>



<p>A breach notification to affected New Mexico residents is not required if, after an appropriate investigation, the person determines that the security breach does not give rise to a significant risk of identity theft or fraud.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Timeline</h3>



<p>A breach notification shall be made in the most expedient time possible, but not later than 45 calendar days following discovery of the security breach.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security and Investigation Exceptions</h3>



<p>The breach notification may be delayed:<br>A. if a law enforcement agency determines that the notification will impede a criminal investigation; or<br>B. as necessary to determine the scope of the security breach and restore the integrity, security, and confidentiality of the data system.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Content Requirements</h3>



<p>The breach notification shall contain:<br>A. The name and contact information of the notifying person;<br>B. A list of the types of personal identifying information that are reasonably believed to have been the subject of a security breach, if known;<br>C. The date of the security breach, the estimated date of the breach, or the range of dates within which the security breach occurred, if known;<br>D. A general description of the security breach incident;<br>E. The toll-free telephone numbers and addresses of the major consumer reporting agencies;<br>F. Advice that directs the recipient to review personal account statements and credit reports, as applicable, to detect errors resulting from the security breach; and<br>G. Advice that informs the recipient of the notification of the recipient’s rights pursuant to the federal Fair Credit Reporting Act.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Delivery Methods</h3>



<p>A breach notice may be provided by one of the following methods:</p>



<p>(1) United States mail;</p>



<p>(2) Electronic notification, if the person required to make the notification primarily communicates with the New Mexico resident by electronic means or if the notice provided is consistent with the requirements of 15 U.S.C. § 7001 (The Electronic Signatures in Global and National Commerce Act); or (3) A substitute notification, if the person demonstrates that: (a) the cost of providing notification would exceed $100,000; (b) the number of residents to be notified exceeds 50,000; or (c) the person does not have on record a physical address or sufficient contact information for the residents that the person or business is required to notify.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Substitute Notice</h3>



<p>Substitute notification shall consist of:<br>(1) Sending electronic notification to the email address of those residents for whom the person has a valid email address;<br>(2) Posting notification of the security breach in a conspicuous location on the website of the person required to provide notification if the person maintains a website; and<br>(3) Sending written notification to the office of the attorney general and major media outlets in New Mexico.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notice to Government Agencies</h3>



<p>A person who is required to issue a breach notification to more than 1,000 New Mexico residents as a result of a single security breach shall notify the Office of the Attorney General in the most expedient time possible, and no later than 45 calendar days, subject to the security and investigation exceptions.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Consumer Reporting Agencies</h3>



<p>A person that is required to issue a breach notification to more than 1,000 New Mexico residents as a result of a single security breach shall notify the office of the major consumer reporting agencies in the most expedient time possible, and no later than 45 calendar days, subject to the security and investigation exceptions.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Preemption and Compliance</h3>



<p>The breach notification requirements shall not apply to a person subject to the federal Gramm-Leach-Bliley Act or the Health Insurance Portability and Accountability Act of 1996 (HIPAA).</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Processor Obligations</h3>



<p>Any person that is licensed to maintain or possess computerized data containing personal identifying information of a New Mexico resident that the person does not own or license shall notify the owner or licensee of the information of any security breach in the most expedient time possible, but not later than 45 calendar days following discovery of the breach, except as provided in Section 9 of the Data Breach Notification Act, provided that notification to the owner or licensee of the information is not required if, after an appropriate investigation, the person determines that the security breach does not give rise to a significant risk of identity theft or fraud.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Other Information</h3>



<p>A person required to notify the attorney general and consumer reporting agencies of a security breach shall notify the attorney general of the number of New Mexico residents that received a breach notification and shall provide a copy of the notification that was sent to affected residents within 45 calendar days following discovery of the security breach, subject to the security and investigation exceptions.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h2 class="wp-block-heading">Data Disposal and Security: NMSA 1978, §§ 57-12c-2 &#8211; 57-12c-5.</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute. See statute for any applicable exceptions or exemptions.</p>



<h3 class="wp-block-heading">Key Terms</h3>



<p>The term “personal identifying information” means an individual’s first name or first initial and last name in combination with one or more of the following data elements that relate to the individual, when the data elements are not protected through encryption or redaction or otherwise rendered unreadable or unusable:<br>(a) Social Security number;<br>(b) Driver’s license number;<br>(c) Government-issued identification number;<br>(d) Account, credit, or debit card number in combination with any required security code, access code, or password that would permit access to a person’s financial account; or<br>(e) Biometric data.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>The term “proper disposal” means shredding, erasing, or otherwise modifying the personal identifying information contained in the records to make the personal identifying information unreadable or undecipherable.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>The term “service provider” means any person that receives, stores, maintains, licenses, processes, or otherwise is permitted access to personal identifying information through its provision of services directly to a person that is subject to regulation.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security Requirements</h3>



<p>A person that owns or licenses personal identifying information of a New Mexico resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal identifying information from unauthorized access, destruction, use, modification, or disclosure.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>A person that discloses personal identifying information of a New Mexico resident pursuant to a contract with a service provider shall require by contract that the service provider implement and maintain reasonable security procedures and practices appropriate to the nature of the personal identifying information and to protect it from unauthorized access, destruction, use, modification or disclosure.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Disposal</h3>



<p>A person that owns or licenses records containing personal identifying information of a New Mexico resident shall arrange for proper disposal of the records when they are no longer reasonably needed for business purposes.</p>


New Mexico (Data Protection Map)


<h2 class="wp-block-heading">Data Disposal and Security: N.J.S.A. § 56:8-161 and 56:8-162.</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute. See statute for any applicable exceptions or exemptions.</p>



<h3 class="wp-block-heading">Key Terms</h3>



<p>The term “personal information” means an individual’s first name or first initial and last name linked with any one or more of the following data elements:<br>(1) Social Security number;<br>(2) Driver’s license number or State identification card number;<br>(3) Account, credit, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account; or<br>(4) Username, email address, or any other account holder identifying information, in combination with any password or security question and answer that would permit access to an online account.</p>



<p>Dissociated data that, if linked, would constitute personal information is personal information if the means to link the dissociated data were accessed in connection with access to the dissociated data.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Disposal</h3>



<p>A business or public entity shall destroy, or arrange for the destruction of, a customer’s records within its custody or control containing personal information, which is no longer to be retained by the business or public entity, by shredding, erasing, or otherwise modifying the personal information in those records to make it unreadable, undecipherable, or nonreconstructable through generally available means.</p>


New Jersey (Data Protection Map)


<h2 class="wp-block-heading">Data Breach Requirements: N.H. RSA § 359-C:19 et seq.</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute.</p>



<h3 class="wp-block-heading">Personal Information</h3>



<p>The term “personal information” means an individual’s first name or initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:<br>(1) Social Security number.<br>(2) Driver’s license number or other government identification number.<br>(3) Account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security Breach Definition</h3>



<p>The term “security breach” unauthorized acquisition of computerized data that compromises the security or confidentiality of personal information maintained by a person doing business in this state.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Good Faith Exception</h3>



<p>Good faith acquisition of personal information by an employee or agent of a person for the purposes of the person’s business shall not be considered a security breach, provided that the personal information is not used or subject to further unauthorized disclosure.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Risk of Harm Analysis</h3>



<p>Any person doing business in this state who owns or licenses computerized data that includes personal information shall, when it becomes aware of a security breach, promptly determine the likelihood that the information has been or will be misused. If the determination is that misuse of the information has occurred or is reasonably likely to occur, or if a determination cannot be made, the person shall notify the affected individuals.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Timeline</h3>



<p>A breach notification shall be made as soon as possible or as quickly as possible.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security and Investigation Exceptions</h3>



<p>A breach notification may be delayed if a law enforcement agency or national or homeland security agency determines that the notification will impede a criminal investigation or jeopardize national or homeland security.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Content Requirements</h3>



<p>A breach notice shall include at a minimum:<br>(a) A description of the incident in general terms.<br>(b) The approximate date of breach.<br>(c) The type of personal information obtained as a result of the security breach.<br>(d) The telephonic contact information of the person subject to this section.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Delivery Methods</h3>



<p>A breach notice may be provided by one of the following methods:<br>(a) Written notice.<br>(b) Electronic notice, if the agency or business’ primary means of communication with affected individuals is by electronic means.<br>(c) Telephonic notice, provided that a log of each such notification is kept by the person or business who notifies affected persons.<br>(d) Substitute notice, if the person demonstrates that the cost of providing notice would exceed $5,000, that the affected class of subject individuals to be notified exceeds 1,000, or the person does not have sufficient contact information or consent to provide notice pursuant to subparagraphs I(a)-I(c).<br>(e) Notice pursuant to the person’s internal notification procedures maintained as part of an information security policy for the treatment of personal information.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Substitute Notice</h3>



<p>Substitute notice shall consist of all of the following:<br>(1) Email notice when the person has an email address for the affected individuals.<br>(2) Conspicuous posting of the notice on the person’s business website, if the person maintains one.<br>(3) Notification to major statewide media.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notice to Government Agencies</h3>



<p>Any person engaged in trade or commerce that is subject to RSA 358-A:3, Section I, shall also notify the regulator that has primary regulatory authority over such trade or commerce. All other persons shall notify the New Hampshire attorney general’s office as soon as possible or as quickly as possible. The notice shall include the anticipated date of the notice to the individuals and the approximate number of individuals in this state who will be notified. The person is not required to provide to any regulator or the New Hampshire attorney general’s office the names of the individuals entitled to receive the notice or any personal information relating to them.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Consumer Reporting Agencies</h3>



<p>If a person is required to notify more than 1,000 consumers of a breach, the person shall also notify, without unreasonable delay, all consumer reporting agencies of the anticipated date of the notification to the consumers, the approximate number of consumers who will be notified, and the content of the notice. Nothing in this paragraph shall be construed to require the person to provide to any consumer reporting agency the names of the consumers entitled to receive the notice or any personal information relating to them. This requirement does not apply to a person who is subject to Title V of the Gramm-Leach-Bliley Act.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Preemption and Compliance</h3>



<p>Any person engaged in trade or commerce that is subject to RSA 358-A:3 and who maintains procedures for security breach notification pursuant to the laws, rules, regulations, guidances, or guidelines issued by a state or federal regulator shall be deemed to be in compliance with this subdivision if he or she acts in accordance with such laws, rules, regulations, guidances, or guidelines.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Processor Obligations</h3>



<p>Any person or business that maintains computerized data that includes personal information that the person or business does not own shall notify and cooperate with the owner or licensee of the information of any breach of the security of the data immediately following discovery if the personal information was acquired by an unauthorized person. Cooperation includes sharing with the owner or licensee information relevant to the breach, except that such cooperation shall not be deemed to require the disclosure of confidential or business information or trade secrets.</p>


New Hampshire (Data Protection Map)


<h2 class="wp-block-heading">Data Breach Requirements: Nev. R.S. § 603A.010 et seq.</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute.</p>



<h3 class="wp-block-heading">Personal Information</h3>



<p>The term “personal information” means a natural person’s first name or first initial and last name in combination with any one or more of the following data elements, when the name and data elements are not encrypted:<br>(a) Social Security number.<br>(b) Driver’s license number, driver authorization card number, or identification card number.<br>(c) Account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to the person’s financial account.<br>(d) A medical identification number or a health insurance identification number.<br>(e) A username, unique identifier, or email address in combination with a password, access code, or security question and answer that would permit access to an online account.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security Breach Definition</h3>



<p>The <a>term “breach of the security of the system data” </a>means unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information maintained by the data collector.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Good Faith Exception</h3>



<p>The term “breach of the security of the system data” does not include the good faith acquisition of personal information by an employee or agent of the data collector for a legitimate purpose of the data collector, so long as the personal information is not used for a purpose unrelated to the data collector or subject to further unauthorized disclosure.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Risk of Harm Analysis</h3>



<p>N/A</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Timeline</h3>



<p>A breach notification must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the system data.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security and Investigation Exceptions</h3>



<p>A breach notification may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The breach notification must be made after the law enforcement agency determines that the notification will not compromise the investigation.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Content Requirements</h3>



<p>N/A</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Delivery Methods</h3>



<p>A breach notice may be provided by one of the following methods:<br>(a) Written notification.<br>(b) Electronic notification, if the notification provided is consistent with the provisions in 15 U.S.C. § 7001 (The Electronic Signatures in Global and National Commerce Act).<br>(c) Substitute notification, if the data collector demonstrates that the cost of providing notification would exceed $250,000, the affected class of subject persons to be notified exceeds 500,000, or the data collector does not have sufficient contact information.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Substitute Notice</h3>



<p>Substitute notification must consist of all the following:<br>(1) Notification by email when the data collector has electronic mail addresses for the subject persons.<br>(2) Conspicuous posting of the notification on the internet website of the data collector, if the data collector maintains an internet website.<br>(3) Notification to major statewide media.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notice to Government Agencies</h3>



<p>N/A</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Consumer Reporting Agencies</h3>



<p>If a data collector determines that notification is required to be given pursuant to the provisions of this section to more than 1,000 persons at any one time, the data collector shall also notify, without unreasonable delay, any consumer reporting agency that compiles and maintains files on consumers on a nationwide basis, of the time the notification is distributed and the content of the notification.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Preemption and Compliance</h3>



<p>A data collector which is subject to and complies with the privacy and security provisions of the Gramm-Leach-Bliley Act shall be deemed to be in compliance with the notification requirements of this section.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Processor Obligations</h3>



<p>Any data collector that maintains computerized data which includes personal information that the data collector does not own shall notify the owner or licensee of the information of any breach of the security of the system data immediately following discovery if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h2 class="wp-block-heading">Data Disposal and Security: Nev. R.S. §§ 603A.040, 603A.100, 603A.200, 603A.210, and 603A.215.</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute. See statute for any applicable exceptions or exemptions.</p>



<h3 class="wp-block-heading">Key Terms</h3>



<p>The term “personal information” means a natural person’s first name or first initial and last name in combination with any one or more of the following data elements, when the name and data elements are not encrypted:<br>(a) Social Security number.<br>(b) Driver’s license number, driver authorization card number or identification card number.<br>(c) Account, credit, or debit card number, in combination with any required security code, access code or password that would permit access to the person’s financial account.<br>(d) A medical identification number or health insurance identification number.<br>(e) A username, unique identifier or electronic mail address in combination with a password, access code or security question and answer that would permit access to an online account.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>The term “reasonable measures to ensure the destruction” means any method that modifies the records containing the personal information in such a way as to render the personal information contained in the records unreadable or undecipherable, including, without limitation: (1) Shredding of the record containing the personal information; or (2) Erasing of the personal information from the records.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security Requirements</h3>



<p>A data collector that maintains records which contain personal information of a resident of this state shall implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>A contract for the disclosure of the personal information of a Nevada resident which is maintained by a data collector must include a provision requiring the person to whom the information is disclosed to implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Disposal</h3>



<p>A business that maintains records that contain personal information concerning the customers of the business shall take reasonable measures to ensure the destruction of those records when the business decides that it will no longer maintain the records.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Other Information</h3>



<ol><li>If a data collector doing business in Nevada accepts a payment card in connection with a sale of goods or services, the data collector shall comply with the current version of the Payment Card Industry (PCI) Data Security Standard, as adopted by the PCI Security Standards Council or its successor organization, with respect to those transactions, not later than the date for compliance set forth in the PCI Data Security Standard or by the PCI Security Standards Council or its successor organization.</li></ol>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<ol start="2"><li>A data collector doing business in Nevada to whom subsection 1 does not apply shall not: (a) Transfer any personal information through an electronic, nonvoice transmission other than a facsimile to a person outside of the secure system of the data collector unless the data collector uses encryption to ensure the security of electronic transmission; or (b) Move any data storage device containing personal information beyond the logical or physical controls of the data collector, its data storage contractor or, if the data storage device is used by or is a component of a multifunctional device, a person who assumes the obligation of the data collector to protect personal information, unless the data collector uses encryption to ensure the security of the information.</li></ol>


Nevada (Data Protection Map)


<h2 class="wp-block-heading">Data Breach Requirements: Neb. Rev. St. § 87-802 et seq.</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute.</p>



<h3 class="wp-block-heading">Personal Information</h3>



<p>The term “personal information” means either of the following:<br>(a) A Nebraska resident’s first name or first initial and last name in combination with any one or more of the following data elements that relate to the resident if either the name or the data elements are not encrypted, redacted, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable:<br>(i) Social Security number;<br>(ii) Motor vehicle operator’s license number or state identification card number;<br>(iii) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a resident’s financial account;<br>(iv) Unique electronic identification number or routing code, in combination with any required security code, access code, or password; or<br>(v) Unique biometric data, such as a fingerprint, voice print, or retina or iris image, or other unique physical representation; or<br>(b) A username or email address, in combination with a password or security question and answer, that would permit access to an online account.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security Breach Definition</h3>



<p>The term “breach of the security of the system” means the unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information maintained by an individual or a commercial entity.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Good Faith Exception</h3>



<p>Good faith acquisition of personal information by an employee or agent of an individual or a commercial entity for the purposes of the individual or the commercial entity is not a breach of the security of the system if the personal information is not used or subject to further unauthorized disclosure.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Risk of Harm Analysis</h3>



<p>An individual or a commercial entity that conducts business in Nebraska and that owns or licenses computerized data that includes personal information about a resident of Nebraska shall, when it becomes aware of a breach of the security of the system, conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be used for an unauthorized purpose. If the investigation determines that the use of information about a Nebraska resident for an unauthorized purpose has occurred or is reasonably likely to occur, the individual or commercial entity shall give notice to the affected Nebraska resident.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Timeline</h3>



<p>A breach notification shall be made as soon as possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security and Investigation Exceptions</h3>



<p>A breach notice may be delayed if a law enforcement agency determines that the notice will impede a criminal investigation. Notice shall be made in good faith, without unreasonable delay, and as soon as possible after the law enforcement agency determines that notification will no longer impede the investigation.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Content Requirements</h3>



<p>N/A</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Delivery Methods</h3>



<p>A breach notice may be provided by one of the following methods:<br>(a) Written notice;<br>(b) Telephonic notice;<br>(c) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001 (The Electronic Signatures in Global and National Commerce Act);<br>(d) Substitute notice, if the individual or commercial entity required to provide notice demonstrates that the cost of providing notice will exceed $75,000, that the affected class of Nebraska residents to be notified exceeds 100,000 residents, or that the individual or commercial entity does not have sufficient contact information to provide notice. Substitute notice under this subdivision requires all of the following: (i) Email notice if the individual or commercial entity has email addresses for the members of the affected class of Nebraska residents; (ii) Conspicuous posting of the notice on the website of the individual or commercial entity if the individual or commercial entity maintains a website; and (iii) Notice to major statewide media outlets; or<br>(e) Substitute notice, if the individual or commercial entity required to provide notice has ten employees or fewer and demonstrates that the cost of providing notice will exceed $10,000. Substitute notice under this subdivision requires all of the following: (i) Email notice if the individual or commercial entity has email addresses for the members of the affected class of Nebraska residents; (ii) Notification by a paid advertisement in a local newspaper that is distributed in the geographic area in which the individual or commercial entity is located, which advertisement shall be of sufficient size that it covers at least one-quarter of a page in the newspaper and shall be published in the newspaper at least once a week for three consecutive weeks; (iii) Conspicuous posting of the notice on the website of the individual or commercial entity if the individual or commercial entity maintains a website; and (iv) Notification to major media outlets in the geographic area in which the individual or commercial entity is located.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Substitute Notice</h3>



<p>See Delivery Methods.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notice to Government Agencies</h3>



<p>If a breach notice <a>is required under this law, </a>the individual or commercial entity shall also, not later than the time when notice is provided to the Nebraska resident, provide notice of the breach of security of the system to the attorney general.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Consumer Reporting Agencies</h3>



<p>N/A</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Preemption and Compliance</h3>



<p>An individual or a commercial entity that is regulated by state or federal law and that maintains procedures for a breach of the security of the system pursuant to the laws, rules, regulations, guidances, or guidelines established by its primary or functional state or federal regulator is deemed to be in compliance with Section 87-803 if the individual or commercial entity notifies affected Nebraska residents and the attorney general in accordance with the maintained procedures in the event of a breach of the security of the system.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Processor Obligations</h3>



<p>An individual or a commercial entity that maintains computerized data that includes personal information that the individual or commercial entity does not own or license shall give notice to and cooperate with the owner or licensee of the information of any breach of the security of the system when it becomes aware of a breach if use of personal information about a Nebraska resident for an unauthorized purpose occurred or is reasonably likely to occur. Cooperation includes, but is not limited to, sharing with the owner or licensee information relevant to the breach, not including information proprietary to the individual or commercial entity.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h2 class="wp-block-heading">Data Disposal and Security: Neb. Rev. Stat. §§ 87-802 and 87-808.</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute. See statute for any applicable exceptions or exemptions.</p>



<h3 class="wp-block-heading">Key Terms</h3>



<p>The term “personal information” means either of the following:<br>(a) A Nebraska resident’s first name or first initial and last name in combination with any one or more of the following data elements that relate to the resident if either the name or the data elements are not encrypted, redacted, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable:<br>(i) Social Security number;<br>(ii) Motor vehicle operator’s license number or state identification card number;<br>(iii) Account, credit, or debit card number, in combination with any required security code, access code, or password that would permit access to a resident’s financial account;<br>(iv) Unique electronic identification number or routing code, in combination with any required security code, access code, or password; or<br>(v) Unique biometric data, such as a fingerprint, voice print, or retina or iris image, or other unique physical representation; or</p>



<p>(b) A username or email address, in combination with a password or security question and answer, that would permit access to an online account.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security Requirements</h3>



<p>To protect personal information from unauthorized access, acquisition, destruction, use, modification, or disclosure, an individual or a commercial entity that conducts business in Nebraska and owns, licenses, or maintains computerized data that includes personal information about a resident of Nebraska shall implement and maintain reasonable security procedures and practices that are appropriate to the nature and sensitivity of the personal information owned, licensed, or maintained and the nature and size of, and the resources available to, the business and its operations. This includes safeguards that protect the personal information when the individual or commercial entity disposes of the personal information.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>An individual or commercial entity that discloses computerized data that includes personal information about a Nebraska resident to a nonaffiliated, third-party service provider shall require by contract that the service provider implement and maintain reasonable security procedures and practices that: (i) Are appropriate to the nature of the personal information disclosed to the service provider; and (ii) Are reasonably designed to help protect the personal information from unauthorized access, acquisition, destruction, use, modification, or disclosure. This does not apply to any contract entered into before July 19, 2018. Any such contract renewed on or after July 19, 2018, shall comply with the requirements of this subsection.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Disposal</h3>



<p>See Security Requirements (safeguards when disposing personal information).</p>


Nebraska (Data Protection Map)


<h2 class="wp-block-heading">Consumer Data Privacy Law</h2>



<p>Consumer Data Privacy and Online Monitoring</p>



<p>Available at: <a href="https://leg.mt.gov/bills/2023/billpdf/SB0384.pdf">https://leg.mt.gov/bills/2023/billpdf/SB0384.pdf</a></p>



<h2 class="wp-block-heading">Data Breach Requirements: Mont. Code Ann. § 30-14-1702; 1704. </h2>



<p>The numbering and internal citations herein are derived from the applicable state statute</p>



<h3 class="wp-block-heading">Personal Information</h3>



<p>The term “personal information” means an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:<br>(A) Social Security number;<br>(B) Driver’s license number, state identification card number, or tribal identification card number;<br>(C) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account;<br>(D) Medical record information as defined in 33-19-104;<br>(E) Taxpayer identification number; or<br>(F) Identity protection personal identification number issued by the United States Internal Revenue Service.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security Breach Definition</h3>



<p>A “breach of the security of the data system” means unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information maintained by the person or business and causes or is reasonably believed to cause loss or injury to a Montana resident.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Good Faith Exception</h3>



<p>Good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business is not a breach of the security of the data system, provided that the personal information is not used or subject to further unauthorized disclosure.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Risk of Harm Analysis</h3>



<p>See Security Breach Definition (loss or injury standard).</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Timeline</h3>



<p>The breach notification must be made without unreasonable delay, consistent with the legitimate needs of law enforcement, or consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security and Investigation Exceptions</h3>



<p>The breach notification may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation and requests a delay in notification. The breach notification must be made after the law enforcement agency determines that it will not compromise the investigation.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Content Requirements</h3>



<p>See Other Information.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Delivery Methods</h3>



<p>A breach notice may be provided by one of the following methods:<br>(i) Written notice;<br>(ii) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001 (The Electronic Signatures in Global and National Commerce Act);<br>(iii) Telephonic notice; or<br>(iv) Substitute notice, if the person or business demonstrates that: (A) the cost of providing notice would exceed $250,000; (B) the affected class of subject persons to be notified exceeds 500,000; or (C) the person or business does not have sufficient contact information.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Substitute Notice</h3>



<p>Substitute notice must consist of the following:<br>(i) An electronic mail notice when the person or business has an electronic mail address for the subject persons; and<br>(ii) Conspicuous posting of the notice on the website page of the person or business if the person or business maintains one; or<br>(iii) Notification to applicable local or statewide media.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notice to Government Agencies</h3>



<p>Any person or business that is required to issue a breach notification shall simultaneously submit an electronic copy of the notification and a statement providing the date and method of distribution of the notification to the attorney general’s Office of Consumer Protection, excluding any information that personally identifies any individual who is entitled to receive notification. If a notification is made to more than one individual, a single copy of the notification must be submitted that indicates the number of individuals in the state who received notification.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Consumer Reporting Agencies</h3>



<p>N/A</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Preemption and Compliance</h3>



<p>No express provision.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Processor Obligations</h3>



<p>Any person or business that maintains computerized data that includes personal information that the person or business does not own shall notify the owner or licensee of the information of any breach of the security of the data system immediately following discovery if the personal information was or is reasonably believed to have been acquired by an unauthorized person.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Other Information</h3>



<p>If a business discloses a security breach to any individual and gives a notice to the individual that suggests, indicates, or implies to the individual that the individual may obtain a copy of the file on the individual from a consumer credit reporting agency, the business shall coordinate with the consumer reporting agency as to the timing, content, and distribution of the notice to the individual. The coordination may not unreasonably delay the notice to the affected individuals.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h2 class="wp-block-heading">Data Disposal and Security: Mont. Code Ann. §§ 30-14-1702 and 30-14-1703.</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute. See statute for any applicable exceptions or exemptions.</p>



<h3 class="wp-block-heading">Key Terms</h3>



<p>The term “personal information” means an individual’s name, signature, address, or telephone number, in combination with one or more additional pieces of information about the individual, consisting of the individual’s passport number, driver’s license or state identification number, insurance policy number, bank account number, credit card number, debit card number, passwords or personal identification numbers required to obtain access to the individual’s finances, or any other financial information as provided by rule. A Social Security number, in and of itself, constitutes personal information.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Disposal</h3>



<p>A business shall take all reasonable steps to destroy or arrange for the destruction of a customer’s records within its custody or control containing personal information that is no longer necessary to be retained by the business by shredding, erasing, or otherwise modifying the personal information in those records to make it unreadable or undecipherable.</p>


Montana (Data Protection Map)


<h2 class="wp-block-heading">Data Breach Requirements: Mo. Ann. Stat. § 407.1500. </h2>



<p>The numbering and internal citations herein are derived from the applicable state statute.</p>



<h3 class="wp-block-heading">Personal Information</h3>



<p>The term “personal information” means an individual’s first name or first initial and last name in combination with any one or more of the following data elements that relate to the individual if any of the data elements are not encrypted, redacted, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable or unusable:<br>(a) Social Security number;<br>(b) Driver’s license number or other unique identification number created or collected by a government body;<br>(c) Financial account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account;<br>(d) Unique electronic identifier or routing code, in combination with any required security code, access code, or password that would permit access to an individual’s financial account;<br>(e) Medical information; or<br>(f) Health insurance information.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security Breach Definition</h3>



<p>The term “breach of security” or “breach” means the unauthorized access to and unauthorized acquisition of personal information maintained in computerized form by a person that compromises the security, confidentiality, or integrity of the personal information.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Good Faith Exception</h3>



<p>Good faith acquisition of personal information by a person or that person’s employee or agent for a legitimate purpose of that person is not a breach of security, provided that the personal information is not used in violation of applicable law or in a manner that harms or poses an actual threat to the security, confidentiality, or integrity of the personal information.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Risk of Harm Analysis</h3>



<p>A breach notification is not required if, after an appropriate investigation by the person or after consultation with the relevant federal, state, or local agencies responsible for law enforcement, the person determines that a risk of identity theft or other fraud to any consumer is not reasonably likely to occur as a result of the breach. Such a determination shall be documented in writing and the documentation shall be maintained for five years.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Timeline</h3>



<p>A breach notification shall be: (a) Made without unreasonable delay; (b) Consistent with the legitimate needs of law enforcement; and (c) Consistent with any measures necessary to determine sufficient contact information and to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security and Investigation Exceptions</h3>



<p>A breach notice may be delayed if a law enforcement agency informs the person that notification may impede a criminal investigation or jeopardize national or homeland security, provided that such request by law enforcement is made in writing or the person documents such request contemporaneously in writing, including the name of the law enforcement officer making the request and the officer’s law enforcement agency engaged in the investigation. The breach notice shall be provided without unreasonable delay after the law enforcement agency communicates to the person its determination that notice will no longer impede the investigation or jeopardize national or homeland security.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Content Requirements</h3>



<p>A breach notice shall at minimum include a description of the following:<br>(a) The incident in general terms;<br>(b) The type of personal information that was obtained as a result of the breach of security;<br>(c) A telephone number that the affected consumer may call for further information and assistance, if one exists;<br>(d) Contact information for consumer reporting agencies;<br>(e) Advice that directs the affected consumer to remain vigilant by reviewing account statements and monitoring free credit reports.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Delivery Methods</h3>



<p>A breach notice may be provided by one of the following methods:<br>(a) Written notice;<br>(b) Electronic notice for those consumers for whom the person has a valid email address and who have agreed to receive communications electronically, if the notice provided is consistent with 15 U.S.C. § 7001 (The Electronic Signatures in Global and National Commerce Act) regarding electronic records and signatures for notices legally required to be in writing;<br>(c) Telephonic notice, if such contact is made directly with the affected consumers; or<br>(d) Substitute notice, if:<br>a. The person demonstrates that the cost of providing notice would exceed $100,000; or<br>b. The class of affected consumers to be notified exceeds 150,000; or<br>c. The person does not have sufficient contact information or consent to satisfy paragraphs (a), (b), or (c) of this subdivision, for only those affected consumers without sufficient contact information or consent; or<br>d. The person is unable to identify particular affected consumers, for only those unidentifiable consumers.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Substitute Notice</h3>



<p>(7) Substitute notice shall consist of all the following:<br>(a) Email notice when the person has an electronic mail address for the affected consumer;<br>(b) Conspicuous posting of the notice or a link to the notice on the internet website of the person if the person maintains an internet website; and<br>(c) Notification to major statewide media.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notice to Government Agencies</h3>



<p>In the event a person provides notice to more than 1,000 consumers at one time, the person shall notify, without unreasonable delay, the attorney general’s office of the timing, distribution, and content of the notice.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Consumer Reporting Agencies</h3>



<p>In the event a person provides notice to more than 1,000 consumers at one time, the person shall notify, without unreasonable delay, all consumer reporting agencies of the timing, distribution, and content of the notice.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Preemption and Compliance</h3>



<p>A person that is regulated by state or federal law and that maintains procedures for a breach of the security of the system pursuant to the laws, rules, regulations, guidances, or guidelines established by its primary or functional state or federal regulator is deemed to be in compliance with this section if the person notifies affected consumers in accordance with the maintained procedures when a breach occurs.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>(3) A financial institution that is: (a) Subject to and in compliance with the Federal Interagency Guidance Response Programs for Unauthorized Access to Customer Information and Customer Notice, issued on March 29, 2005, by the board of governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision, and any revisions, additions, or substitutions relating to said interagency guidance; or (b) Subject to and in compliance with the National Credit Union Administration regulations in 12 CFR Part 748; or (c) Subject to and in compliance with the provisions of Title V of the Gramm-Leach-Bliley Act; shall be deemed to be in compliance with this section.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Processor Obligations</h3>



<p>Any person that maintains or possesses records or data containing personal information of residents of Missouri that the person does not own or license, or any person that conducts business in Missouri that maintains or possesses records or data containing personal information of a resident of Missouri that the person does not own or license, shall notify the owner or licensee of the information of any breach of security immediately following discovery of the breach, consistent with the legitimate needs of law enforcement as provided in the law.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>


Missouri (Data Protection Map)


<h2 class="wp-block-heading">Data Breach Requirements: Miss. Code § 75-24-29 et seq.</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute.</p>



<h3 class="wp-block-heading">Personal Information</h3>



<p>The term “personal information” means an individual’s first name or first initial and last name in combination with any one or more of the following data elements:<br>(i) Social Security number;<br>(ii) Driver’s license number, state identification card number, or tribal identification card number; or<br>(iii) An account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security Breach Definition</h3>



<p>The term “breach of security” means unauthorized acquisition of electronic files, media, databases, or computerized data containing personal information of any resident of this state when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Good Faith Exception</h3>



<p>N/A</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Risk of Harm Analysis</h3>



<p>A breach notification shall not be required if, after an appropriate investigation, the person reasonably determines that the breach will not likely result in harm to the affected individuals.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Timeline</h3>



<p>The breach disclosure shall be made without unreasonable delay, subject to the provisions of subsections (4) (data processor obligations) and (5) (security and investigation exceptions) of this section and the completion of an investigation by the person to determine the nature and scope of the incident, to identify the affected individuals, or to restore the reasonable integrity of the data system.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security and Investigation Exceptions</h3>



<p>A breach notification shall be delayed for a reasonable period of time if a law enforcement agency determines that the notification will impede a criminal investigation or national security and the law enforcement agency has made a request that the notification be delayed. Any such delayed notification shall be made after the law enforcement agency determines that notification will not compromise the criminal investigation or national security and so notifies the person of that determination.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Content Requirements</h3>



<p>N/A</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Delivery Methods</h3>



<p>A breach notice may be provided by one of the following methods:<br>(a) Written notice;<br>(b) Telephone notice;<br>(c) Electronic notice, if the person’s primary means of communication with the affected individuals is by electronic means or if the notice is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001 (The Electronic Signatures in Global and National Commerce Act); or<br>(d) Substitute notice, provided the person demonstrates that the cost of providing notice in accordance with paragraph (a), (b) or (c) of this subsection would exceed $5,000, that the affected class of subject persons to be notified exceeds 5,000 individuals, or the person does not have sufficient contact information.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Substitute Notice</h3>



<p>Substitute notice shall consist of the following: email notice when the person has an email address for the affected individuals; conspicuous posting of the notice on the website of the person if the person maintains one; and notification to major statewide media, including newspapers, radio, and television.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notice to Government Agencies</h3>



<p>N/A</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Consumer Reporting Agencies</h3>



<p>N/A</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Preemption and Compliance</h3>



<p>Any person that maintains such a security breach procedure pursuant to the rules, regulations, procedures, or guidelines established by the primary or federal functional regulator, as defined in <a>15 USCS 6809(2</a>), shall be deemed to be in compliance with the security breach notification requirements of this section, provided the person notifies affected individuals in accordance with the policies or the rules, regulations, procedures, or guidelines established by the primary or federal functional regulator in the event of a breach of security of the system.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Processor Obligations</h3>



<p>Any person who conducts business in this state that maintains computerized data which includes personal information that the person does not own or license shall notify the owner or licensee of the information of any breach of the security of the data as soon as practicable following its discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person for fraudulent purposes.</p>


Mississippi (Data Protection Map)


<h2 class="wp-block-heading">Data Breach Requirements: Minn. Stat. § 325E.61.</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute.</p>



<h3 class="wp-block-heading">Personal Information</h3>



<p>The term “personal information” means an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the data element is not secured by encryption or another method of technology that makes electronic data unreadable or unusable, or was secured and the encryption key, password, or other means necessary for reading or using the data was also acquired:<br>(1) Social Security number;<br>(2) Driver’s license number or Minnesota identification card number; or<br>(3) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security Breach Definition</h3>



<p>The term “breach of the security of the system” means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Good Faith Exception</h3>



<p>Good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business is not a breach of the security system, provided that the personal information is not used or subject to further unauthorized disclosure.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Risk of Harm Analysis</h3>



<p>N/A</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Timeline</h3>



<p>The breach notification must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, or with any measures necessary to determine the scope of the breach, identify the individuals affected, and restore the reasonable integrity of the data system.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security and Investigation Exceptions</h3>



<p>The breach notification may be delayed to a date certain if a law enforcement agency affirmatively determines that the notification will impede a criminal investigation.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Content Requirements</h3>



<p>N/A</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Delivery Methods</h3>



<p>A breach notice may be provided by one of the following methods:<br>(1) written notice to the most recent available address the person or business has in its records;<br>(2) electronic notice, if the person’s primary method of communication with the individual is by electronic means, or if the notice provided is consistent with the provisions regarding electronic records and signatures in 15 U.S.C. § 7001 (The Electronic Signatures in Global and National Commerce Act); or<br>(3) substitute notice, if the person or business demonstrates that the cost of providing notice would exceed $250,000, or that the affected class of subject persons to be notified exceeds 500,000, or the person or business does not have sufficient contact information.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Substitute Notice</h3>



<p>Substitute notice must consist of all of the following:<br>(i) Email notice when the person or business has an email address for the subject persons;<br>(ii) Conspicuous posting of the notice on the website page of the person or business, if the person or business maintains one; and<br>(iii) Notification to major statewide media.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notice to Government Agencies</h3>



<p>N/A</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Consumer Reporting Agencies</h3>



<p>If a person discovers circumstances requiring breach notification of more than 500 persons at one time, the person shall also notify, within 48 hours, all consumer reporting agencies of the timing, distribution, and content of the notices.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Preemption and Compliance</h3>



<p>This law does not apply to any “financial institution” as defined by United States Code, Title 15, <a>Section 6809(3).</a></p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Processor Obligations</h3>



<p>Any person or business that maintains data that includes personal information that the person or business does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.</p>



<p></p>


Minnesota (Data Protection Map)


<h2 class="wp-block-heading">Data Breach Requirements: Mich.C.L.A. § 445.63 and 445.72..</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute.</p>



<h3 class="wp-block-heading">Personal Information</h3>



<p>The term “personal information” means the first name or first initial and last name linked to 1 or more of the following data elements of a resident of this state:<br>(i) Social Security number.<br>(ii) Driver’s license number or state personal identification card number.<br>(iii) Demand deposit or other financial account number, or credit card or debit card number, in combination with any required security code, access code, or password that would permit access to any of the resident’s financial accounts.</p>



<h3 class="wp-block-heading">Security Breach Definition</h3>



<p>The term “breach of the security of a database” or “security breach” means the unauthorized access and acquisition of data that compromises the security or confidentiality of personal information maintained by a person or agency as part of a database of personal information regarding multiple individuals.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Good Faith Exception</h3>



<p>A “security breach” does not include unauthorized access to data by an employee or other individual if the access meets all of the following: (i) The employee or other individual acted in good faith in accessing the data. (ii) The access was related to the activities of the agency or person. (iii) The employee or other individual did not misuse any personal information or disclose any personal information to an unauthorized person.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Risk of Harm Analysis</h3>



<p>A breach notice is not required if a person or agency determines that the security breach has not or is not likely to cause substantial loss or injury to, or result in identity theft with respect to, one or more residents of this state.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>In determining whether a security breach is not likely to cause substantial loss or injury to, or result in identity theft with respect to, one or more residents of this state, a person or agency shall act with the care an ordinarily prudent person or agency in like position would exercise under similar circumstances.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Timeline</h3>



<p>A person or agency shall provide the breach notice without unreasonable delay.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security and Investigation Exceptions</h3>



<p>A person or agency may delay providing a breach notification if either of the following is met:<br>(a) A delay is necessary in order for the person or agency to take any measures necessary to determine the scope of the security breach and restore the reasonable integrity of the database. However, the agency or person shall provide the notice required under this subsection without unreasonable delay after the person or agency completes the measures necessary to determine the scope of the security breach and restore the reasonable integrity of the database.<br>(b) A law enforcement agency determines and advises the agency or person that providing a notice will impede a criminal or civil investigation or jeopardize homeland or national security. However, the agency or person shall provide the notice required under this section without unreasonable delay after the law enforcement agency determines that providing the notice will no longer impede the investigation or jeopardize homeland or national security.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Content Requirements</h3>



<p>A breach notice shall do all of the following:<br>(a) For a notice provided under subsection (5)(a) or (b) (postal and electronic notice), be written in a clear and conspicuous manner and contain the content required under subdivisions (c) to (g).<br>(b) For a notice provided under subsection (5)(c) (telephone), clearly communicate the content required under subdivisions (c) to (g) to the recipient of the telephone call.<br>(c) Describe the security breach in general terms.<br>(d) Describe the type of personal information that is the subject of the unauthorized access or use.<br>(e) If applicable, generally describe what the agency or person providing the notice has done to protect data from further security breaches.<br>(f) Include a telephone number where a notice recipient may obtain assistance or additional information.<br>(g) Remind notice recipients of the need to remain vigilant for incidents of fraud and identity theft.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Delivery Methods</h3>



<p>5) Except as provided in subsection (11) (a public utilities exception), an agency or person shall provide any notice required under this section by providing one or more of the following to the recipient:<br>(a) Written notice sent to the recipient at the recipient’s postal address in the records of the agency or person.<br>(b) Written notice sent electronically to the recipient if any of the following are met: (i) The recipient has expressly consented to receive electronic notice. (ii) The person or agency has an existing business relationship with the recipient that includes periodic email communications and, based on those communications, the person or agency reasonably believes that it has the recipient’s current email address. (iii) The person or agency conducts its business primarily through internet account transactions or on the internet.<br>(c) If not otherwise prohibited by state or federal law, notice given by telephone by an individual who represents the person or agency if all of the following are met: (i) The notice is not given in whole or in part by use of a recorded message. (ii) The recipient has expressly consented to receive notice by telephone, or if the recipient has not expressly consented to receive notice by telephone, the person or agency also provides notice under subdivision (a) or (b) if the notice by telephone does not result in a live conversation between the individual representing the person or agency and the recipient within three business days after the initial attempt to provide telephonic notice.<br>(d) Substitute notice, if the person or agency demonstrates that the cost of providing notice under subdivision (a), (b), or (c) will exceed $250,000 or that the person or agency has to provide notice to more than 500,000 residents of this state.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Substitute Notice</h3>



<p>A person or agency provides substitute notice under this subdivision by doing all of the following:<br>(i) If the person or agency has electronic mail addresses for any of the residents of this state who are entitled to receive the notice, providing electronic notice to those residents.<br>(ii) If the person or agency maintains a website, conspicuously posting the notice on that website.<br>(iii) Notifying major statewide media. A substitute notification shall include a telephone number or a website address that a person may use to obtain additional assistance and information.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notice to Government Agencies</h3>



<p>N/A</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Consumer Reporting Agencies</h3>



<p>Except as provided in this subsection, after a person or agency provides a notice under this section, the person or agency shall notify each consumer reporting agency that compiles and maintains files on consumers on a nationwide basis of the security breach without unreasonable delay. A notification under this subsection shall include the number of notices that the person or agency provided to residents of this state and the timing of those notices. This subsection does not apply if either of the following is met: (a) The person or agency is required under this section to provide notice of a security breach to 1,000 or fewer residents of this state. (b) The person or agency is subject to <a>15 USC 6801 </a>to 6809 (Gramm-Leach-Bliley Act).</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Preemption and Compliance</h3>



<p>A financial institution that is subject to, and has notification procedures in place that are subject to examination by the financial institution’s appropriate regulator for compliance with, the interagency guidance on response programs for unauthorized access to customer information and customer notice prescribed by the board of governors of the federal reserve system and the other federal bank and thrift regulatory agencies, or similar guidance prescribed and adopted by the national credit union administration, and its affiliates, is considered to be in compliance with this section.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>A person or agency that is subject to and complies with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and with regulations promulgated under that act for the prevention of unauthorized access to customer information and customer notice is considered to be in compliance with this section.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Processor Obligations</h3>



<p>Unless the person or agency determines that the security breach has not or is not likely to cause substantial loss or injury to, or result in identity theft with respect to, one or more residents of this state, a person or agency that maintains a database that includes data that the person or agency does not own or license that discovers a breach of the security of the database shall provide a notice to the owner or licensor of the information of the security breach.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Other Information</h3>



<p>A person that provides notice of a security breach when a security breach has not occurred, with the intent to defraud, is guilty of a misdemeanor punishable as follows:<br>(a) Except as otherwise provided under subdivisions (b) and (c), by imprisonment for not more than 93 days or a fine of not more than $250 for each violation, or both.<br>(b) For a second violation, by imprisonment for not more than 93 days or a fine of not more than $500 for each violation, or both.<br>(c) For a third or subsequent violation, by imprisonment for not more than 93 days or a fine of not more than $750 for each violation, or both.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h2 class="wp-block-heading">Data Disposal and Security: Mich.C.L.A. §§ 445.63 and 445.72a.</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute. See statute for any applicable exceptions or exemptions.</p>



<h3 class="wp-block-heading">Key Terms</h3>



<p>The term “personal identifying information” means a name, number, or other information that is used for the purpose of identifying a specific person or providing access to a person’s financial accounts, including, but not limited to, a person’s name, address, telephone number, driver license or state personal identification card number, Social Security number, place of employment, employee identification number, employer or taxpayer identification number, government passport number, health insurance identification number, mother’s maiden name, demand deposit account number, savings account number, financial transaction device account number or the person’s account password, any other account password in combination with sufficient information to identify and access the account, automated or electronic signature, biometrics, stock or other security certificate or account number, credit card number, vital record, or medical records or information.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>The term “personal information” means the first name or first initial and last name linked to one or more of the following data elements of a resident of this state:<br>(i) Social Security number.<br>(ii) Driver license number or state personal identification card number.<br>(iii) Demand deposit or other financial account, credit, or debit card number, in combination with any required security code, access code, or password that would permit access to any of the resident’s financial accounts.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>The term “destroy” means to destroy or arrange for the destruction of data by shredding, erasing, or otherwise modifying the data so that they cannot be read, deciphered, or reconstructed through generally available means.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Disposal</h3>



<p>A person or agency that maintains a database that includes personal information regarding multiple individuals shall destroy any data that contain personal information concerning an individual when that data is removed from the database and the person or agency is not retaining the data elsewhere for another purpose not prohibited by state or federal law.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Other Information</h3>



<p>The data disposal requirements shall not prohibit a person or agency from retaining data that contain personal information for purposes of an investigation, audit, or internal review.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>A person or agency is considered to be in compliance with this section if the person or agency is subject to federal law concerning the disposal of records containing personal identifying information and the person or agency is in compliance with that federal law.</p>


Michigan (Data Protection Map)

Massachusetts (Data Protection Map)


<h2 class="wp-block-heading">Data Breach Requirements: Md. Code Ann., Com. Law § 14-3501 et seq.</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute.</p>



<h3 class="wp-block-heading">Personal Information</h3>



<p>The term “personal information” means:<br>(i) An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the name or the data elements are not encrypted, redacted, or otherwise protected by another method that renders the information unreadable or unusable:</p>



<ol><li>A Social Security number, an individual taxpayer identification number, a passport number, or other identification number issued by the federal government;</li><li>A driver’s license number or state identification card number;</li><li>An account number, a credit card number, or a debit card number, in combination with any required security code, access code, or password, that permits access to an individual’s financial account;</li><li>Health information, including information about an individual’s mental health;</li><li>A health insurance policy or certificate number or health insurance subscriber identification number, in combination with a unique identifier used by an insurer or an employer that is self-insured, that permits access to an individual’s health information; or</li><li>Biometric data of an individual generated by automatic measurements of an individual’s biological characteristics such as a fingerprint, voice print, genetic print, retina or iris image, or other unique biological characteristic, that can be used to uniquely authenticate the individual’s identity when the individual accesses a system or account; or<br>(ii) A username or email address in combination with a password or security question and answer that permits access to an individual’s email account.</li></ol>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security Breach Definition</h3>



<p>The term “breach of the security of a system” means the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of the personal information maintained by a business.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Good Faith Exception</h3>



<p>A breach of the security of a system does not include the good faith acquisition of personal information by an employee or agent of a business for the purposes of the business, provided that the personal information is not used or subject to further unauthorized disclosure.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Risk of Harm Analysis</h3>



<p>A business that owns, licenses, or maintains computerized data that includes personal information of an individual residing in the state, when it discovers or is notified that it incurred a breach of the security of a system, shall conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information of the individual has been or will be misused as a result of the breach. Unless the business reasonably determines that the breach of the security of the system does not create a likelihood that personal information has been or will be misused, the owner or licensee of the computerized data shall notify the individual of the breach.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Timeline</h3>



<p>The breach notification shall be given as soon as reasonably practicable, but not later than 45 days after the business discovers or is notified of the breach of the security of a system.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security and Investigation Exceptions</h3>



<p>The breach notification may be delayed:<br>(i) If a law enforcement agency determines that the notification will impede a criminal investigation or jeopardize homeland or national security; or<br>(ii) To determine the scope of the breach of the security of a system, identify the individuals affected, or restore the integrity of the system.<br>(2) If notification is delayed under paragraph (1)(i) of this subsection, notification shall be given as soon as reasonably practicable, but not later than 30 days after the law enforcement agency determines that it will not impede a criminal investigation and will not jeopardize homeland or national security.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Content Requirements</h3>



<p>The breach notification shall include:<br>(1) To the extent possible, a description of the categories of information that were, or are reasonably believed to have been, acquired by an unauthorized person, including which of the elements of personal information were, or are reasonably believed to have been, acquired;<br>(2) Contact information for the business making the notification, including the business’ address, telephone number, and toll-free telephone number if one is maintained;<br>(3) The toll-free telephone numbers and addresses for the major consumer reporting agencies; and<br>(4)(i) The toll-free telephone numbers, addresses, and website addresses for: the Federal Trade Commission; and the Office of the Attorney General; and (ii) a statement that an individual can obtain information from these sources about steps the individual can take to avoid identity theft.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Delivery Methods</h3>



<p>A breach notice shall be provided by one of the following methods:<br>(1) By written notice sent to the most recent address of the individual in the records of the business;<br>(2) By email to the most recent email address of the individual in the records of the business, if: (i) the individual has expressly consented to receive electronic notice; or (ii) the business conducts its business primarily through internet account transactions or the internet;<br>(3) By telephonic notice, to the most recent telephone number of the individual in the records of the business; or<br>(4) By substitute notice if the business does not have sufficient contact information to give notice in accordance with item (1), (2), or (3) of this subsection.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Substitute Notice</h3>



<p>Substitute notice shall consist of:<br>(1) Emailing the notice to an individual entitled to notification under subsection (b) of this section, if the business has an email address for the individual to be notified;<br>(2) Conspicuous posting of the notice on the website of the business, if the business maintains a website; and<br>(3) Notification to major print or broadcast media in geographic areas where the individuals affected by the breach likely reside.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notice to Government Agencies</h3>



<p>Prior to giving the breach notification (and subject to subsection to the timeline delay exceptions), a business shall provide notice of a breach of the security of a system to the Office of the Attorney General. The notice required under paragraph (1) of this subsection shall include, at a minimum: (i)&nbsp;the number of affected individuals residing in the state; (ii)&nbsp;a description of the breach of the security of a system, including when and how it occurred; (iii)&nbsp;any steps the business has taken or plans to take relating to the breach of the security of a system; and (iv) the form of notice that will be sent to affected individuals and a sample notice.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Consumer Reporting Agencies</h3>



<p>If a business is required to give notice of a breach of the security of a system to 1,000 or more individuals, the business also shall notify, without unreasonable delay, each consumer reporting agency that compiles and maintains files on consumers on a nationwide basis of the timing, distribution, and content of the notices. This does not require the inclusion of the names or other personal identifying information of recipients of notices of the breach of the security of a system.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Preemption and Compliance</h3>



<p>A business that complies with the requirements for notification procedures, the protection or security of personal information, or the destruction of personal information under the rules, regulations, procedures, or guidelines established by the primary or functional federal or state regulator of the business shall be deemed to be in compliance with this subtitle.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>A business that is subject to and in compliance with § 501(b) of the federal Gramm-Leach-Bliley Act, § 216 of the federal Fair and Accurate Credit Transactions Act, 15 U.S.C. § 1681w, the federal Interagency Guidelines Establishing Information Security Standards, and the federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, and any revisions, additions, or substitutions, shall be deemed to be in compliance with this subtitle. An affiliate that complies with § 501(b) of the federal Gramm-Leach-Bliley Act, 15 U.S.C. § 6801, § 216 of the federal Fair and Accurate Credit Transactions Act, 15 U.S.C. § 1681w, the federal Interagency Guidelines Establishing Information Security Standards, and the federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, and any revisions, additions, or substitutions, shall be deemed to be in compliance with this subtitle.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>A business that is subject to and in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) shall be deemed to be in compliance with this subtitle. An affiliate that is in compliance with HIPAA shall be deemed to be in compliance with this subtitle.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Processor Obligations</h3>



<p>(c)(1) A business that maintains computerized data that includes personal information of an individual residing in the state that the business does not own or license, when it discovers or is notified of a breach of the security of a system, shall notify, as soon as practicable, the owner or licensee of the personal information of the breach of the security of a system.<br>(2) Except as provided in subsection (d) of this section, the notification required under paragraph (1) of this subsection shall be given as soon as reasonably practicable, but not later than 10 days after the business discovers or is notified of the breach of the security of a system.<br>(3) A business that is required to notify an owner or licensee of personal information of a breach of the security of a system under paragraph (c)(1) of this subsection shall share with the owner or licensee information relative to the breach.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Other Information</h3>



<p>In the case of a breach of the security of a system involving personal information that permits access to an individual’s email account under § 14-3501(e)(1)(ii) of this subtitle and no other personal information under § 14-3501(e)(1)(i) of this subtitle, the business may comply with the breach notification requirement by providing the notification in electronic or other form that directs the individual whose personal information has been breached promptly to: (i) change the individual’s password and security question or answer, as applicable; or (ii) take other steps appropriate to protect the email account with the business and all other online accounts for which the individual uses the same username or email and password or security question or answer. Notwithstanding, the breach notification provided here may be given to the individual by any method, except the notification may not be given to the individual by sending notification by email to the email account affected by the breach. The breach notification described here may be given by a clear and conspicuous notice delivered to the individual online while the individual is connected to the affected email account from an internet protocol address or online location from which the business knows the individual customarily accesses the account.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>(4)(i) If the business that incurred the breach of the security of a system is not the owner or licensee of the computerized data, the business may not charge the owner or licensee of the computerized data a fee for providing information that the owner or licensee needs to make a notification under subsection (b)(2) of this section.<br>(ii) The owner or licensee of the computerized data may not use information relative to the breach of the security of a system for purposes other than:</p>



<ol><li>Providing notification of the breach;</li><li>Protecting or securing personal information; or</li><li>Providing notification to national information security organizations created for information-sharing and analysis of security threats, to alert and avert new or expanded breaches.</li></ol>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h2 class="wp-block-heading">Data Disposal and Security: Md. Code Ann., Com. Law §§ 14-3501 to 14-3503.</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute. See statute for any applicable exceptions or exemptions.</p>



<h3 class="wp-block-heading">Key Terms</h3>



<p>The term “personal information” means:<br>(i) An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the data elements are not encrypted, redacted, or otherwise protected by another method that renders the information unreadable or unusable:</p>



<ol><li>A Social Security number, an individual taxpayer identification number, a passport number, or other identification number issued by the federal government;</li><li>A driver’s license number or state identification card number;</li><li>An account, credit, or a debit card number, in combination with any required security code, access code, or password, that permits access to an individual’s financial account;</li><li>Health information, including information about an individual’s mental health;</li><li>A health insurance policy or certificate number or health insurance subscriber identification number, in combination with a unique identifier used by an insurer or an employer that is self-insured, that permits access to an individual’s health information;</li><li>Biometric data of an individual generated by automatic measurements of an individual’s biological characteristics such as a fingerprint, voice print, genetic print, retina or iris image, or other unique biological characteristic that can be used to uniquely authenticate the individual’s identity when the individual accesses a system or account; or</li><li>For purposes of the notifications required under section 14-3504(b)(2), (c), (d), (e), (f), and (g) of this subtitle, genetic information with respect to an individual;<br>(ii) A username or email address in combination with a password or security question and answer that permits access to an individual’s email account; or<br>(iii) For the purposes of the requirements of this title other than the notifications required under section 14-3504(b)(2), (c), (d), (e), (f), and (g) of this subtitle, genetic information with respect to an individual when the genetic information is not encrypted, redacted, or otherwise protected by another method that renders the information unreadable or unusable.</li></ol>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security Requirements</h3>



<p>To protect personal information from unauthorized access, use, modification, or disclosure, a business that owns, maintains or licenses personal information of an individual residing in the state shall implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal information owned, maintained or licensed and the nature and size of the business and its operations.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>A business that uses a nonaffiliated third party as a service provider to perform services for the business and discloses personal information about an individual residing in the state under a written contract with the third party shall require by contract that the third party implement and maintain reasonable security procedures and practices that:<br>(i) Are appropriate to the nature of the personal information disclosed to the nonaffiliated third party; and<br>(ii) Are reasonably designed to help protect the personal information from unauthorized access, use, modification, disclosure, or destruction.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Disposal</h3>



<p>When a business is destroying a customer’s, an employee’s, or a former employee’s records that contain personal information of the customer, employee, or former employee, the business shall take reasonable steps to protect against unauthorized access to or use of the personal information, taking into account:<br>(1) The sensitivity of the records;<br>(2) The nature and size of the business and its operations;<br>(3) The costs and benefits of different destruction methods; and<br>(4) Available technology.</p>


Maryland (Data Protection Map)


<h2 class="wp-block-heading">Data Breach Requirements: 10 M.R.S.A § 1346 et seq.</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute.</p>



<h3 class="wp-block-heading">Personal Information</h3>



<p>The term “personal information” means an individual’s first name, or first initial, and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:<br>A. Social Security number;<br>B. Driver’s license number or state identification card number;<br>C. Account number, credit card number, or debit card number, if circumstances exist wherein such a number could be used without additional identifying information, access codes, or passwords;<br>D. Account passwords or personal identification numbers or other access codes; or<br>E. Any of the data elements contained in paragraphs A to D when not in connection with the individual’s first name, or first initial, and last name, if the information if compromised would be sufficient to permit a person to fraudulently assume or attempt to assume the identity of the person whose information was compromised.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security Breach Definition</h3>



<p>The term “breach of the security of the system” or “security breach” means unauthorized acquisition, release, or use of an individual’s computerized data that includes personal information that compromises the security, confidentiality, or integrity of personal information of the individual maintained by a person.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Good Faith Exception</h3>



<p>Good faith acquisition, release, or use of personal information by an employee or agent of a person on behalf of the person is not a breach of the security of the system if the personal information is not used for or subject to further unauthorized disclosure to another person.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Risk of Harm Analysis</h3>



<p>See Other Information (a “misuse” standard for non-information brokers).</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Timeline</h3>



<p>A breach notification must be made as expediently as possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, or with measures necessary to determine the scope of the security breach and restore the reasonable integrity, security, and confidentiality of the data in the system. If there is no delay of notification due to law enforcement investigation, the notices must be made no more than 30 days after the person becomes aware of a breach of security and identifies its scope.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security and Investigation Exceptions</h3>



<p>If, after the completion of an investigation (see Other Information), a breach notification is required, the notification may be delayed for no longer than seven business days after a law enforcement agency determines that the notification will not compromise a criminal investigation.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Content Requirements</h3>



<p>See Consumer Reporting Agencies.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Delivery Methods</h3>



<p>A breach notice may be provided by one of the following methods:<br>A. Written notice;<br>B. Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001 (The Electronic Signatures in Global and National Commerce Act); or<br>C. Substitute notice, if the person maintaining personal information demonstrates that the cost of providing notice would exceed $5,000, that the affected class of individuals to be notified exceeds 1,000, or that the person maintaining personal information does not have sufficient contact information to provide written or electronic notice to those individuals.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Substitute Notice</h3>



<p>Substitute notice must consist of all of the following:<br>(1) Email notice, if the person has email addresses for the individuals to be notified;<br>(2) Conspicuous posting of the notice on the person’s publicly accessible website, if the person maintains one; and<br>(3) Notification to major statewide media.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notice to Government Agencies</h3>



<p>When notice of a breach is required by this law, the person shall notify the appropriate state regulators within the Department of Professional and Financial Regulation, or if the person is not regulated by the department, the attorney general.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Consumer Reporting Agencies</h3>



<p>If a person discovers a breach of the security of the system that requires notification to more than 1,000 persons at a single time, the person shall also notify, without unreasonable delay, consumer reporting agencies. Notification must include the date of the breach, an estimate of the number of persons affected by the breach, if known, and the actual or anticipated date that persons were or will be notified of the breach.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Preemption and Compliance</h3>



<p>A person that complies with the security breach notification requirements of rules, regulations, procedures, or guidelines established pursuant to federal law or the law of this state is deemed to be in compliance with the requirements of section 1348 as long as the law, rules, regulations, or guidelines provide for notification procedures at least as protective as the notification requirements of section 1348.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Processor Obligations</h3>



<p>A third-party entity that maintains, on behalf of a person, computerized data that includes personal information that the third-party entity does not own, shall notify the person maintaining personal information of a breach of the security of the system immediately following discovery if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Other Information</h3>



<p>An “information broker” means a person who, for monetary fees or dues, engages in whole or in part in the business of collecting, assembling, evaluating, compiling, reporting, transmitting, transferring, or communicating information concerning individuals for the primary purpose of furnishing personal information to nonaffiliated third parties. “Information broker” does not include a governmental agency whose records are maintained primarily for traffic safety, law enforcement, or licensing purposes.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>If an information broker that maintains computerized data that includes personal information becomes aware of a breach of the security of the system, the information broker shall conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused and shall give notice of a breach of the security of the system following discovery or notification of the security breach to a resident of this state whose personal information has been, or is reasonably believed to have been, acquired by an unauthorized person.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>If any other person who maintains computerized data that includes personal information becomes aware of a breach of the security of the system, the person shall conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused and shall give notice of a breach of the security of the system following discovery or notification of the security breach to a resident of this state if misuse of the personal information has occurred or if it is reasonably possible that misuse will occur.</p>


Maine (Data Protection Map)


<h2 class="wp-block-heading">Data Breach Requirements: La. R.S. § 51:3073 et seq.</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute.</p>



<p>Personal Information</p>



<p>The term “personal information” means the first name or first initial and last name of an individual resident of this state in combination with any one or more of the following data elements, when the name or the data element is not encrypted or redacted:<br>(i) Social Security number.<br>(ii) Driver’s license number or state identification card number.<br>(iii) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.<br>(iv) Passport number.<br>(v) Biometric data, which means data generated by automatic measurements of an individual’s biological characteristics, such as fingerprints, voice print, eye retina or iris, or other unique biological characteristic that is used by the owner or licensee to uniquely authenticate an individual’s identity when the individual accesses a system or account.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security Breach Definition</h3>



<p>The term “breach of the security of the system” means the compromise of the security, confidentiality, or integrity of computerized data that results in, or has a reasonable likelihood to result in, the unauthorized acquisition of and access to personal information maintained by an agency or person.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Good Faith Exception</h3>



<p>Good faith acquisition of personal information by an employee or agent of an agency or person for the purposes of the agency or person is not a breach of the security of the system, provided that the personal information is not used for, or is subject to, unauthorized disclosure.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Risk of Harm Analysis</h3>



<p>A breach notification shall not be required if, after a reasonable investigation, the person or business determines that there is no reasonable likelihood of harm to the residents of this state. The person or business shall retain a copy of the written determination and supporting documentation for five years from the date of discovery of the breach of the security system. If requested in writing, the person or business shall send a copy of the written determination and supporting documentation to the attorney general no later than 30 days from the date of receipt of the request. The provisions of R.S. 51:1404(A)(1)(c) shall apply to a written determination and supporting documentation sent to the attorney general pursuant to this law.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Timeline</h3>



<p>A breach notification shall be made in the most expedient time possible and without unreasonable delay, but not later than 60 days from the discovery of the breach, consistent with the legitimate needs of law enforcement, or any measures necessary to determine the scope of the breach, prevent further disclosures, and restore the reasonable integrity of the data system.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security and Investigation Exceptions</h3>



<p>If a law enforcement agency determines that the breach notification would impede a criminal investigation, such notification may be delayed until such law enforcement agency determines that the notification will no longer compromise such investigation.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Content Requirements</h3>



<p>N/A</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Delivery Methods</h3>



<p>A breach notice may be provided by one of the following methods:<br>(1) Written notification.<br>(2) Electronic notification, if the notification provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001 (The Electronic Signatures in Global and National Commerce Act).<br>(3) Substitute notification, if an agency or person demonstrates that the cost of providing notification would exceed $100,000, or that the affected class of persons to be notified exceeds 100,000, or the agency or person does not have sufficient contact information.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Substitute Notice</h3>



<p>Substitute notification shall consist of all of the following:<br>(a) Email notification when the agency or person has an email address for the subject persons.<br>(b) Conspicuous posting of the notification on the internet site of the agency or person, if an internet site is maintained.<br>(c) Notification to major statewide media.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notice to Government Agencies</h3>



<p>See Louisiana Breach Notice Regulation (16 LA Code ch 7, § 701)</p>



<p>A. When notice to Louisiana citizens is required pursuant to R.S. 51:3074, the person or agency shall provide written notice detailing the breach of the security of the system to the Consumer Protection Section of the Attorney General’s Office. Notice shall include the names of all Louisiana citizens affected by the breach.</p>



<p>B. Failure to provide timely notice may be punishable by a fine not to exceed $5,000 per violation. Notice to the attorney general shall be timely if received within 10 days of distribution of notice to Louisiana citizens. Each day notice is not received by the attorney general shall be deemed a separate violation.</p>



<p>C. Written notification shall be mailed to:</p>



<p>Louisiana Department of Justice<br>Office of the Attorney General<br>Consumer Protection Section<br>1885 N. Third Street<br>Baton Rouge, LA 70802</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Consumer Reporting Agencies</h3>



<p>N/A</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Preemption and Compliance</h3>



<p>A financial institution that is subject to and in compliance with the Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice shall be deemed to be in compliance with this law.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Processor Obligations</h3>



<p>Any agency or person that maintains computerized data that includes personal information that the agency or person does not own shall notify the owner or licensee of the information if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person through a breach of security of the system containing such data, following discovery by the agency or person of a breach of security of the system.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Other Information</h3>



<p>When a breach notification is delayed because of the security and investigation exceptions, or due to a determination by the person or agency that measures are necessary to determine the scope of the breach, prevent further disclosures, and restore the reasonable integrity of the data system, the person or agency shall provide the attorney general the reasons for the delay in writing within the 60-day notification period provided in this subsection. Upon receipt of the written reasons, the attorney general shall allow a reasonable extension of time to provide the breach notification.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h2 class="wp-block-heading">Data Disposal and Security: La. R.S. §§ 51:3073 and 51:3074.</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute. See statute for any applicable exceptions or exemptions.</p>



<h3 class="wp-block-heading">Key Terms</h3>



<p>The term “personal information” means the first name or first initial and last name of an individual resident of this state in combination with any one or more of the following data elements, when the name or the data element is not encrypted or redacted:<br>(i) Social Security number.<br>(ii) Driver’s license number or state identification card number.<br>(iii) Account, credit, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.<br>(iv) Passport number.<br>(v) Biometric data, which means data generated by automatic measurements of an individual’s biological characteristics, such as fingerprints, voice print, eye retina or iris, or other unique biological characteristic that is used by the owner or licensee to uniquely authenticate an individual’s identity when the individual accesses a system or account.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security Requirements</h3>



<p>Any person that conducts business in the state or that owns or licenses computerized data that includes personal information, or any agency that owns or licenses computerized data that includes personal information, shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Disposal</h3>



<p>Any person that conducts business in the state or that owns or licenses computerized data that includes personal information, or any agency that owns or licenses computerized data that includes personal information shall take all reasonable steps to destroy or arrange for the destruction of the records within its custody or control containing personal information that is no longer to be retained by the person or business by shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means.</p>


Louisiana (Data Protection Map)


<h2 class="wp-block-heading">Data Breach Requirements: Kentucky R.S. § 365.732.</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute.</p>



<h3 class="wp-block-heading">Personal Information</h3>



<p>The term “personally identifiable information” means an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the name or data element is not redacted:</p>



<ol><li>Social Security number;</li><li>Driver’s license number; or</li><li>Account number or credit or debit card number, in combination with any required security code, access code, or password to permit access to an individual’s financial account.</li></ol>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security Breach Definition</h3>



<p>The term “breach of the security of the system” means unauthorized acquisition of unencrypted and unredacted computerized data that compromises the security, confidentiality, or integrity of personally identifiable information maintained by the information holder as part of a database regarding multiple individuals that actually causes or leads the information holder to reasonably believe has caused or will cause, identity theft or fraud against any resident of the Commonwealth of Kentucky.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Good Faith Exception</h3>



<p>Good-faith acquisition of personally identifiable information by an employee or agent of the information holder for the purposes of the information holder is not a breach of the security of the system if the personally identifiable information is not used or subject to further unauthorized disclosure.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Risk of Harm Analysis</h3>



<p>See Security Breach Definition.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Timeline</h3>



<p>A breach notification shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security and Investigation Exceptions</h3>



<p>A breach notification may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The breach notification shall be made promptly after the law enforcement agency determines that it will not compromise the investigation.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Content Requirements</h3>



<p>N/A</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Delivery Methods</h3>



<p>A breach notice may be provided by one of the following methods:<br>(a) Written notice;<br>(b) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001 (The Electronic Signatures in Global and National Commerce Act); or<br>(c) Substitute notice, if the information holder demonstrates that the cost of providing notice would exceed $250,000, or that the affected class of subject persons to be notified exceeds 500,000, or the information holder does not have sufficient contact information.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Substitute Notice</h3>



<p>Substitute notice shall consist of all of the following:</p>



<ol><li>Email notice, when the information holder has an email address for the subject persons;</li><li>Conspicuous posting of the notice on the information holder’s internet website page, if the information holder maintains a website page; and</li><li>Notification to major statewide media.</li></ol>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notice to Government Agencies</h3>



<p>N/A</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Consumer Reporting Agencies</h3>



<p>If a person discovers circumstances requiring breach notification to more than 1,000 persons at one time, the person shall also notify, without unreasonable delay, all consumer reporting agencies and credit bureaus that compile and maintain files on consumers on a nationwide basis of the timing, distribution, and content of the notices.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Preemption and Compliance</h3>



<p>The provisions of this section and the requirements for nonaffiliated third parties in KRS Chapter 61 shall not apply to any person who is subject to the provisions of Title V of the Gramm-Leach-Bliley Act, or the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended, or any agency of the Commonwealth of Kentucky or any of its local governments or political subdivisions.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Processor Obligations</h3>



<p>Any information holder that maintains computerized data that includes personally identifiable information that the information holder does not own shall notify the owner or licensee of the information of any breach of the security of the data as soon as reasonably practicable following discovery, if the personally identifiable information was, or is reasonably believed to have been, acquired by an unauthorized person.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h2 class="wp-block-heading">Data Disposal and Security: Kentucky R.S. §§ 365.720 and 365.725. </h2>



<p>The numbering and internal citations herein are derived from the applicable state statute. See statute for any applicable exceptions or exemptions.</p>



<h3 class="wp-block-heading">Key Terms</h3>



<p>The term “personally identifiable information” means data capable of being associated with a particular customer through one (1) or more identifiers, including but not limited to a customer’s name, address, telephone number, electronic mail address, fingerprints, photographs or computerized image, Social Security number, passport number, driver identification number, personal identification card number or code, date of birth, medical information, financial information, tax information, and disability information.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Disposal</h3>



<p>When a business disposes of, other than by storage, any customer’s records that are not required to be retained, the business shall take reasonable steps to destroy, or arrange for the destruction of, that portion of the records containing personally identifiable information by shredding, erasing, or otherwise modifying the personal information in those records to make it unreadable or indecipherable through any means.</p>


Kentucky (Data Protection Map)


<h2 class="wp-block-heading">Data Breach Requirements: Kansas S.A. § 50-7a01 et seq.</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute.</p>



<h3 class="wp-block-heading">Personal Information</h3>



<p>The term “personal information” means a consumer’s first name or first initial and last name linked to any one or more of the following data elements that relate to the consumer, when the data elements are neither encrypted nor redacted:<br>(1) Social Security number;<br>(2) Driver’s license number or state identification card number; or<br>(3) Financial account number, or credit or debit card number, alone or in combination with any required security code, access code, or password that would permit access to a consumer’s financial account.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security Breach Definition</h3>



<p>The term “security breach” means the unauthorized access and acquisition of unencrypted or unredacted computerized data that compromises the security, confidentiality, or integrity of personal information maintained by an individual or a commercial entity and that causes, or such individual or entity reasonably believes has caused or will cause, identity theft to any consumer.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Good Faith Exception</h3>



<p>Good faith acquisition of personal information by an employee or agent of an individual or a commercial entity for the purposes of the individual or the commercial entity is not a breach of the security of the system, provided that the personal information is not used for or is not subject to further unauthorized disclosure.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Risk of Harm Analysis</h3>



<p>A person that conducts business in this state who owns or licenses computerized data that includes personal information shall, when he or she becomes aware of any breach of the security of the system, conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Timeline</h3>



<p>A breach notification must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security and Investigation Exceptions</h3>



<p>A breach notification may be delayed if a law enforcement agency determines that the notice will impede a criminal investigation. Notice shall be made in good faith, without unreasonable delay, and as soon as possible after the law enforcement agency determines that notification will no longer impede the investigation.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Content Requirements</h3>



<p>N/A</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Delivery Methods</h3>



<p>A breach notice may be provided by one of the following methods:<br>(1) Written notice;<br>(2) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001 (The Electronic Signatures in Global and National Commerce Act); or<br>(3) Substitute notice, if the individual or the commercial entity required to provide notice demonstrates that the cost of providing notice will exceed $100,000, or that the affected class of consumers to be notified exceeds 5,000, or that the individual or the commercial entity does not have sufficient contact information to provide notice.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Substitute Notice</h3>



<p>Substitute notice means:<br>(1) Email notice if the individual or the commercial entity has email addresses for the affected class of consumers;<br>(2) conspicuous posting of the notice on the website page of the individual or the commercial entity if the individual or the commercial entity maintains a website; and<br>(3) notification to major statewide media.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notice to Government Agencies</h3>



<p>N/A</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Consumer Reporting Agencies</h3>



<p>In the event that a person discovers circumstances requiring breach notification to more than 1,000 consumers at one time, the person shall also notify, without unreasonable delay, all consumer reporting agencies of the timing, distribution, and content of the notices.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Preemption and Compliance</h3>



<p>An individual or a commercial entity that is regulated by state or federal law and that maintains procedures for a breach of the security of the system pursuant to the laws, rules, regulations, guidances, or guidelines established by its primary or functional state or federal regulator is deemed to be in compliance with this section. This section does not relieve an individual or a commercial entity from a duty to comply with other requirements of state and federal law regarding the protection and privacy of personal information.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<p>Data Processor Obligations</p>



<p>An individual or a commercial entity that maintains computerized data that includes personal information that the individual or the commercial entity does not own or license shall give notice to the owner or licensee of the information of any breach of the security of the data following discovery of a breach, if the personal information was, or is reasonably believed to have been, accessed and acquired by an unauthorized person.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h2 class="wp-block-heading">Data Disposal and Security: Kansas S.A. § <a></a><a>50-6</a>,139b.</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute. See statute for any applicable exceptions or exemptions.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Key Terms</h3>



<p>The term “holder of personal information” or “holder” means a person who, in the ordinary course of business, collects, maintains, or possesses, or causes to be collected, maintained, or possessed, the personal information of any other person.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>The term “personal information” means personal information as defined by K.S.A. 50-7a01(g), and amendments thereto, and any other information which identifies an individual for which an information security obligation is imposed by federal or state statute or regulation.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>K.S.A. 50-7a01(g) defines personal information as a consumer’s first name or first initial and last name linked to any one or more of the following data elements that relate to the consumer, when the data elements are neither encrypted nor redacted:<br>(1) Social security number;<br>(2) Driver’s license number or state identification card number; or<br>(3) Financial account, credit, or debit card number, alone or in combination with any required security code, access code, or password that would permit access to a consumer’s financial account. The term “personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security Requirements</h3>



<p>A holder of personal information shall implement and maintain reasonable procedures and practices appropriate to the nature of the information, and exercise reasonable care to protect the personal information from unauthorized access, use, modification, or disclosure.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Disposal</h3>



<p>A holder of personal information shall, unless otherwise required by federal law or regulation, take reasonable steps to destroy or arrange for the destruction of any records within such holder’s custody or control containing any person’s personal information when such holder no longer intends to maintain or possess such records. Such destruction shall be by shredding, erasing, or otherwise modifying the personal identifying information in the records to make it unreadable or undecipherable through any means.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Other Information</h3>



<p>If federal or state law or regulation governs the procedures and practices of the holder of personal information for such protection of personal information, then compliance with such federal or state law or regulation shall be deemed compliance with this paragraph and failure to comply with such federal or state law or regulation shall be prima facie evidence of a violation of this law.</p>


Kansas (Data Protection Map)


<h2 class="wp-block-heading">Consumer Data Privacy Law</h2>



<p>Consumer Data Privacy and Online Monitoring</p>



<p>Available at: <a href="https://www.legis.iowa.gov/docs/publications/LGE/90/SF262.pdf">https://www.legis.iowa.gov/docs/publications/LGE/90/SF262.pdf</a></p>



<h2 class="wp-block-heading">Data Breach Requirements: Iowa Code Ann. § 715C.1 et seq.</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute.</p>



<h3 class="wp-block-heading">Personal Information</h3>



<p>The term “personal information” means an individual’s first name or first initial and last name in combination with any one or more of the following data elements that relate to the individual if any of the data elements are not encrypted, redacted, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable or are encrypted, redacted, or otherwise altered by any method or technology but the keys to unencrypt, unredact, or otherwise read the data elements have been obtained through the breach of security:<br>(1) Social Security number.<br>(2) Driver’s license number or other unique identification number created or collected by a government body.<br>(3) Financial account number, credit card number, or debit card number in combination with any required expiration date, security code, access code, or password that would permit access to an individual’s financial account.<br>(4) Unique electronic identifier or routing code, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.<br>(5) Unique biometric data, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security Breach Definition</h3>



<p>The term “breach of security” means unauthorized acquisition of personal information maintained in computerized form by a person that compromises the security, confidentiality, or integrity of the personal information. A “breach of security” also means unauthorized acquisition of personal information maintained by a person in any medium, including on paper, that was transferred by the person to that medium from computerized form and that compromises the security, confidentiality, or integrity of the personal information.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Good Faith Exception</h3>



<p>Good faith acquisition of personal information by a person or that person’s employee or agent for a legitimate purpose of that person is not a breach of security, provided that the personal information is not used in violation of applicable law or in a manner that harms or poses an actual threat to the security, confidentiality, or integrity of the personal information.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Risk of Harm Analysis</h3>



<p>A breach notification is not required if, after an appropriate investigation or after consultation with the relevant federal, state, or local agencies responsible for law enforcement, the person determined that no reasonable likelihood of financial harm to the consumers whose personal information has been acquired has resulted or will result from the breach. Such a determination must be documented in writing and the documentation must be maintained for five years.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Timeline</h3>



<p>A breach notification shall be made in the most expeditious manner possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, and consistent with any measures necessary to sufficiently determine contact information for the affected consumers, determine the scope of the breach, and restore the reasonable integrity, security, and confidentiality of the data.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security and Investigation Exceptions</h3>



<p>The breach notification requirements may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation and the agency has made a written request that the notification be delayed. The breach notification shall be made after the law enforcement agency determines that the notification will not compromise the investigation and notifies the person required to give notice in writing.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Content Requirements</h3>



<p>The breach notification shall include, at a minimum, all of the following:<br>a. A description of the breach of security.<br>b. The approximate date of the breach of security.<br>c. The type of personal information obtained as a result of the breach of security.<br>d. Contact information for consumer reporting agencies.<br>e. Advice to the consumer to report suspected incidents of identity theft to local law enforcement or the attorney general.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Delivery Methods</h3>



<p>A breach notice may be provided by one of the following methods:<br>a. Written notice to the last available address the person has in the person’s records.<br>b. Electronic notice if the person’s customary method of communication with the consumer is by electronic means or is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001 (The Electronic Signatures in Global and National Commerce Act).<br>c. Substitute notice, if the person demonstrates that the cost of providing notice would exceed $250,000, that the affected class of consumers to be notified exceeds 350,000 persons, or if the person does not have sufficient contact information to provide notice.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Substitute Notice</h3>



<p>Substitute notice shall consist of the following:<br>(1) Email notice when the person has an email address for the affected consumers.<br>(2) Conspicuous posting of the notice or a link to the notice on the internet site of the person if the person maintains an internet site.<br>(3) Notification to major statewide media.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notice to Government Agencies</h3>



<p>Any person who was subject to a breach requiring notification to more than 500 residents of this state shall give written notice of the breach of security to the director of the Consumer Protection Division of the Office of the Attorney General within five business days after giving notice of the breach of security to any consumer.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Consumer Reporting Agencies</h3>



<p>N/A</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Preemption and Compliance</h3>



<p>The breach notification requirements do not apply to any of the following:<br>a. A person who complies with notification requirements or breach of security procedures that provide greater protection to personal information and at least as thorough disclosure requirements than that provided by this section pursuant to the rules, regulations, procedures, guidance, or guidelines established by the person’s primary or functional federal regulator.<br>b. A person who complies with a state or federal law that provides greater protection to personal information and at least as thorough disclosure requirements for breach of security or personal information than that provided by this section.<br>c. A person who is subject to and complies with regulations promulgated pursuant to Title V of the Gramm-Leach-Bliley Act.<br>d. A person who is subject to and complies with regulations promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and Health Information Technology for Economic and Clinical Health Act of 2009.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Processor Obligations</h3>



<p>Any person who maintains or otherwise possesses personal information on behalf of another person shall notify the owner or licensor of the information of any breach of security immediately following discovery of such breach of security if a consumer’s personal information was included in the information that was breached.</p>


Iowa (Data Protection Map)


<h2 class="wp-block-heading">Consumer Data Privacy Law</h2>



<p>Consumer Data Privacy and Online Monitoring</p>



<p>Available at: <a href="https://iga.in.gov/pdf-documents/123/2023/senate/bills/SB0005/SB0005.05.ENRH.pdf">https://iga.in.gov/pdf-documents/123/2023/senate/bills/SB0005/SB0005.05.ENRH.pdf</a></p>



<h2 class="wp-block-heading">Data Breach Requirements: Ind. Code § 24-4.9-1-1 et seq.</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Personal Information</h3>



<p>The term “personal information” means:<br>(1) A Social Security number that is not encrypted or redacted; or<br>(2) An individual’s first and last names, or first initial and last name, and one or more of the following data elements that are not encrypted or redacted:<br>(A) A driver’s license number.<br>(B) A state identification card number.<br>(C) A credit card number.<br>(D) A financial account number or debit card number in combination with a security code, password, or access code that would permit access to the person’s account.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security Breach Definition</h3>



<p>The term “breach of the security of data” means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a person. The term includes the unauthorized acquisition of computerized data that have been transferred to another medium, including paper, microfilm, or a similar medium, even if the transferred data are no longer in a computerized format.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Good Faith Exception</h3>



<p>A breach does not include the good faith acquisition of personal information by an employee or agent of the person for lawful purposes of the person, if the personal information is not used or subject to further unauthorized disclosure.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Risk of Harm Analysis</h3>



<p>A data breach notification must be provided if the database owner knows, should know, or should have known that the unauthorized acquisition constituting the breach has resulted in or could result in identity deception (as defined in IC 35-43-5-3.5), identity theft, or fraud affecting the Indiana resident.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Timeline</h3>



<p>A person required to make a disclosure or notification under this chapter shall make the disclosure or notification without unreasonable delay, but not more than forty-five (45) days after the discovery of the breach.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security and Investigation Exceptions</h3>



<p>For purposes of this section, a delay is reasonable if the delay is: (1) necessary to restore the integrity of the computer system; (2) necessary to discover the scope of the breach; or (3) if in response to a request from the attorney general or a law enforcement agency to delay disclosure because disclosure will: (A) impede a criminal or civil investigation; or (B) jeopardize national security. </p>



<p>A person required to make a breach disclosure or notification shall make the disclosure or notification as soon as possible after: (1) delay is no longer necessary to restore the integrity of the computer system or to discover the scope of the breach; or (2) the attorney general or a law enforcement agency notifies the person that delay will no longer impede a criminal or civil investigation or jeopardize national security.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Content Requirements</h3>



<p>N/A</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Delivery Methods</h3>



<p>(a) Except as provided in subsection (b), a database owner required to make a disclosure under this chapter shall make the disclosure using one (1) of the following methods:<br>(1) Mail.<br>(2) Telephone.<br>(3) Facsimile (fax).<br>(4) Electronic mail, if the database owner has the electronic mail address of the affected Indiana resident.<br>(5) Substitute Notice.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<p>Substitute Notice</p>



<p>(b) If a database owner required to make a disclosure under this chapter is required to make the disclosure to more than five hundred thousand (500,000) Indiana residents, or if the database owner required to make a disclosure under this chapter determines that the cost of the disclosure will be more than two hundred fifty thousand dollars ($250,000), the database owner required to make a disclosure under this chapter may elect to make the disclosure by using both of the following methods:<br>(1) Conspicuous posting of the notice on the website of the database owner, if the database owner maintains a website.<br>(2) Notice to major news reporting media in the geographic area where Indiana residents affected by the breach of the security of a system reside.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notice to Government Agencies</h3>



<p>If a database owner makes a data breach disclosure, the database owner shall also disclose the breach to the attorney general.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Consumer Reporting Agencies</h3>



<p>A database owner required to make a breach disclosure to more than 1,000 consumers shall also disclose to each consumer reporting agency information necessary to assist the consumer reporting agency in preventing fraud, including personal information of an Indiana resident affected by the breach.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Preemption and Compliance</h3>



<p>(a) Except as provided in subsection (b), this section does not apply to a database owner that maintains its own data security procedures as part of an information privacy, security policy, or compliance plan under:<br>(1) The federal USA PATRIOT Act (P.L. 107-56);<br>(2) Executive Order 13224;<br>(3) The federal Driver’s Privacy Protection Act (18 U.S.C. 2721 et seq.);<br>(4) The federal Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);<br>(5) The Gramm-Leach-Bliley Act; or<br>(6) The Health Insurance Portability and Accountability Act of 1996 (HIPAA).</p>



<p>(b) This section applies to a current or former health care provider (as defined by IC 4-6-14-2) who is a database owner or former database owner: (1) to which an exemption under subsection (a)(6) applies or applied; and (2) whose information privacy, security policy, or compliance plan: (A) does not require the database owner or former database owner to maintain and implement reasonable procedures; or (B) is not implemented by the database owner or former database owner; to ensure that the personal information described in subsection (a), including health records (as defined by IC 4-6-14-2.5), is protected and safeguarded from unlawful use or disclosure after the database owner or former database owner ceases to be a covered entity under the Health Insurance Portability and Accountability Act.</p>



<p>A financial institution that complies with the disclosure requirements prescribed by the Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice or the Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice, as applicable, is not required to make a disclosure under this chapter.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Processor Obligations</h3>



<p>A person that maintains computerized data but that is not a database owner shall notify the database owner if the person discovers that personal information was or may have been acquired by an unauthorized person.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Other Information</h3>



<p>A database owner that maintains its own disclosure procedures as part of an information privacy, security policy, or compliance plan under:<br>(1) The federal USA PATRIOT Act (P.L. 107-56);<br>(2) Executive Order 13224;<br>(3) The federal Driver’s Privacy Protection Act (18 U.S.C. 2781 et seq.);<br>(4) The federal Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);<br>(5) The Gramm-Leach-Bliley Act; or<br>(6) The Health Insurance Portability and Accountability Act of 1996 (HIPAA);<br>is not required to make a disclosure under this chapter if the database owner’s information privacy, security policy, or compliance plan requires that Indiana residents be notified of a breach of the security of data without unreasonable delay and the database owner complies with the database owner’s information privacy, security policy, or compliance plan.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h2 class="wp-block-heading">Data Disposal and Security: Ind. Code §§ 24-4.9-2-3, 24-4.9-2-10, and 24-4.9-3-3.5.</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute. See statute for any applicable exceptions or exemptions.</p>



<h3 class="wp-block-heading">Key Terms</h3>



<p>The term “database owner” means a person that owns or licenses computerized data that includes personal information.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>The term “personal information” means:<br>(1) A Social Security number that is not encrypted or redacted; or<br>(2) An individual’s first and last names, or first initial and last name, and one (1) or more of the following data elements that are not encrypted or redacted:<br>(A) A driver’s license number.<br>(B) A state identification card number.<br>(C) A credit card number.<br>(D) A financial account or debit card number in combination with a security code, password, or access code that would permit access to the person’s account.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security Requirements</h3>



<p>A database owner shall implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect and safeguard from unlawful use or disclosure any personal information of Indiana residents collected or maintained by the database owner.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Disposal</h3>



<p>A database owner shall not dispose of or abandon records or documents containing unencrypted and unredacted personal information of Indiana residents without shredding, incinerating, mutilating, erasing, or otherwise rendering the personal information illegible or unusable.</p>


Indiana (Data Protection Map)


<h2 class="wp-block-heading">Data Breach Requirements: 815 ILCS § 530/1 et seq.</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute.</p>



<h3 class="wp-block-heading">Personal Information</h3>



<p>The term “personal information” means either of the following:<br>(1) An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted or are encrypted or redacted but the keys to unencrypt or unredact or otherwise read the name or data elements have been acquired without authorization through the breach of security:<br>(A) Social Security number.<br>(B) Driver’s license number or state identification card number.<br>(C) Account number or credit or debit card number, or an account number or credit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account.<br>(D) Medical information.<br>(E) Health insurance information.<br>(F) Unique biometric data generated from measurements or technical analysis of human body characteristics used by the owner or licensee to authenticate an individual, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data.<br>(2) Username or email address, in combination with a password or security question and answer that would permit access to an online account, when either the username or email address or password or security question and answer are not encrypted or redacted or are encrypted or redacted but the keys to unencrypt or unredact or otherwise read the data elements have been obtained through the breach of security.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security Breach Definition</h3>



<p>The term “breach of the security of the system data” or “breach” means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the data collector.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Good Faith Exception</h3>



<p>A breach does not include good faith acquisition of personal information by an employee or agent of the data collector for a legitimate purpose of the data collector, provided that the personal information is not used for a purpose unrelated to the data collector’s business or subject to further unauthorized disclosure.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Risk of Harm Analysis</h3>



<p>N/A</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Timeline</h3>



<p>A data breach notification shall be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security and Investigation Exceptions</h3>



<p>The breach notification may be delayed if an appropriate law enforcement agency determines that notification will interfere with a criminal investigation and provides the data collector with a written request for the delay. However, the data collector must notify the Illinois resident as soon as notification will no longer interfere with the investigation.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Content Requirements</h3>



<p>The disclosure notification to an Illinois resident shall include, but need not be limited to, information as follows:<br>(1) With respect to personal information as defined in Section 5 in paragraph (1) of the definition of “personal information”:<br>(A) The toll-free numbers and addresses for consumer reporting agencies;<br>(B) The toll-free number, address, and website address for the Federal Trade Commission; and<br>(C) A statement that the individual can obtain information from these sources about fraud alerts and security freezes.</p>



<p>(2) With respect to personal information defined in Section 5 in paragraph (2) of the definition of “personal information,” notice may be provided in electronic or other form directing the Illinois resident whose personal information has been breached to promptly change his or her username or password and security question or answer, as applicable, or to take other steps appropriate to protect all online accounts for which the resident uses the same username or email address and password or security question and answer.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Delivery Methods</h3>



<p>A breach notice may be provided by one of the following methods:<br>(1) Written notice;<br>(2) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures for notices legally required to be in writing as set forth in 15 U.S.C. § 7001 (The Electronic Signatures in Global and National Commerce Act); or<br>(3) Substitute notice, if the data collector demonstrates that the cost of providing notice would exceed $250,000, or that the affected class of subject persons to be notified exceeds 500,000, or the data collector does not have sufficient contact information.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Substitute Notice</h3>



<p>Substitute notice shall consist of all of the following:</p>



<p>(i) email notice if the data collector has an email address for the subject persons;</p>



<p>(ii) conspicuous posting of the notice on the data collector’s website page if the data collector maintains one; and (iii) notification to major statewide media or, if the breach impacts residents in one geographic area, to prominent local media in areas where affected individuals are likely to reside if such notice is reasonably calculated to give actual notice to persons whose notice is required.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notice to Government Agencies</h3>



<p>Any data collector required to issue a data breach notice to more than 500 Illinois residents as a result of a single breach of the security system shall provide notice to the attorney general of the breach, including:</p>



<p>(A) A description of the nature of the breach of security or unauthorized acquisition or use.</p>



<p>(B) The number of Illinois residents affected by such incident at the time of notification.</p>



<p>(C) Any steps the data collector has taken or plans to take relating to the incident. Such notification must be made in the most expedient time possible and without unreasonable delay, but in no event later than when the data collector provides notice to consumers. If the date of the breach is unknown at the time the notice is sent to the attorney general, the data collector shall send the attorney general the date of the breach as soon as possible.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Consumer Reporting Agencies</h3>



<p>N/A to private sector.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Preemption and Compliance</h3>



<p>Any covered entity or business associate that is subject to and in compliance with the privacy and security standards for the protection of electronic health information established pursuant to Health Insurance Portability and Accountability HIPAA and the Health Information Technology for Economic and Clinical Health Act (HITECH) shall be deemed to be in compliance with the provisions of this act, provided that any covered entity or business associate required to provide notification of a breach to the secretary of Health and Human Services pursuant to HITECH also provides such notification to the attorney general within five business days of notifying the secretary of Health and Human Services.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>The notification “delivery” requirements to consumers do not apply to data collectors that are covered entities or business associates and are in compliance with the above.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Processor Obligations</h3>



<p>Any data collector that maintains or stores, but does not own or license, computerized data that includes personal information that the data collector does not own or license shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person. In addition to providing such notification to the owner or licensee, the data collector shall cooperate with the owner or licensee in matters relating to the breach. That cooperation shall include, but need not be limited to, (i) informing the owner or licensee of the breach, including giving notice of the date or approximate date of the breach and the nature of the breach, and (ii) informing the owner or licensee of any steps the data collector has taken or plans to take relating to the breach. The data collector’s cooperation shall not, however, be deemed to require either the disclosure of confidential business information or trade secrets or the notification of an Illinois resident who may have been affected by the breach.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Other Information</h3>



<p>A data breach notification must be given at no charge.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>The breach notification to Illinois residents must not include information concerning the number of Illinois residents affected by the breach</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>Upon receiving notification from a data collector of a breach of personal information, the attorney general may publish the name of the data collector that suffered the breach, the types of personal information compromised in the breach, and the date range of the breach.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h2 class="wp-block-heading">Data Disposal and Security: 815 ILCS §§ 530/5, 530/40, and 530/45.</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute. See statute for any applicable exceptions or exemptions.</p>



<h3 class="wp-block-heading">Key Terms</h3>



<p>The term “person” means: a natural person; a corporation, partnership, association, or other legal entity; a unit of local government or any agency, department, division, bureau, board, commission, or committee thereof; or the State of Illinois or any constitutional officer, agency, department, division, bureau, board, commission, or committee thereof.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>The term “personal information” means either of the following:<br>(1) An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted or are encrypted or redacted but the keys to unencrypt or unredact or otherwise read the name or data elements have been acquired without authorization through the breach of security:<br>(A) Social Security number.<br>(B) Driver’s license number or state identification card number.<br>(C) Account, credit, or debit card number, or an account number or credit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account.<br>(D) Medical information.<br>(E) Health insurance information.<br>(F) Unique biometric data generated from measurements or technical analysis of human body characteristics used by the owner or licensee to authenticate an individual, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data.<br>(2) Username or email address, in combination with a password or security question and answer that would permit access to an online account, when either the username, email address, password, or security question and answer are not encrypted or redacted or are encrypted or redacted but the keys to unencrypt or unredact or otherwise read the data elements have been obtained through the breach of security.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security Requirements</h3>



<p>A data collector that owns, licenses, maintains, or stores but does not own or license records that contain personal information concerning an Illinois resident shall implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>A contract for the disclosure of personal information concerning an Illinois resident that is maintained by a data collector must include a provision requiring the person to whom the information is disclosed to implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Written Policy</h3>



<p>See Data Disposal (third <a>parties must implement and monitor </a>compliance with policies and procedures).</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Disposal</h3>



<p>A person must dispose of the materials containing personal information in a manner that renders the personal information unreadable, unusable, and undecipherable. Proper disposal methods include, but are not limited to, the following:<br>(1) Paper documents containing personal information may be either redacted, burned, pulverized, or shredded so that personal information cannot practicably be read or reconstructed.<br>(2) Electronic media and other non-paper media containing personal information may be destroyed or erased so that personal information cannot practicably be read or reconstructed.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>(c) Any person disposing of materials containing personal information may contract with a third party to dispose of such materials. Any third party that contracts with a person to dispose of materials containing personal information must implement and monitor compliance with policies and procedures that prohibit unauthorized access to or acquisition of or use of personal information during the collection, transportation, and disposal of materials containing personal information.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Other Information</h3>



<p>If a state or federal law requires a data collector to provide greater protection to records that contain personal information concerning an Illinois resident that are maintained by the data collector and the data collector is in compliance with the provisions of that state or federal law, the data collector shall be deemed to be in compliance with the provisions herein.</p>


Illinois (Data Protection Map)


<h2 class="wp-block-heading">Data Breach Requirements: Idaho Code § 28-51-104 et seq.</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute.</p>



<h3 class="wp-block-heading">Personal Information</h3>



<p>The term “personal information” means an Idaho resident’s first name or first initial and last name in combination with any one or more of the following data elements that relate to the resident, when either the name or the data elements are not encrypted:</p>



<p>(a) Social Security number;</p>



<p>(b) Driver’s license number or Idaho identification card number; or (c) Account number, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a resident’s financial account.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security Breach Definition</h3>



<p>The term “breach of the security of the system” means the illegal acquisition of unencrypted computerized data that materially compromises the security, confidentiality, or integrity of personal information for one or more persons maintained by an agency, individual, or a commercial entity.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Good Faith Exception</h3>



<p>Good faith acquisition of personal information by an employee or agent of an agency, individual or a commercial entity for the purposes of the agency, individual, or the commercial entity is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Risk of Harm Analysis</h3>



<p>When an individual or commercial entity becomes aware of a breach of the security of the system, it must conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused. If the investigation determines that the misuse of information about an Idaho resident has occurred or is reasonably likely to occur, the individual or the commercial entity shall provide notice of the breach.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Timeline</h3>



<p>A breach notification must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach, to identify the individuals affected, and to restore the reasonable integrity of the computerized data system.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security and Investigation Exceptions</h3>



<p>A data breach notice may be delayed if a law enforcement agency advises the individual or commercial entity that the notice will impede a criminal investigation. The breach notice must be made in good faith, without unreasonable delay, and as soon as possible after the law enforcement agency advises the agency, individual, or commercial entity that notification will no longer impede the investigation.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Content Requirements</h3>



<p>N/A</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Delivery Methods</h3>



<p>A breach notice may be provided by one of the following methods:<br>(a) Written notice to the most recent address the agency, individual, or commercial entity has in its records;<br>(b) Telephonic notice;<br>(c) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001 (The Electronic Signatures in Global and National Commerce Act); or<br>(d) Substitute notice, if the agency, individual, or the commercial entity required to provide notice demonstrates that the cost of providing notice will exceed $25,000, or that the number of Idaho residents to be notified exceeds 50,000, or that the agency, individual, or the commercial entity does not have sufficient contact information to provide notice.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Substitute Notice</h3>



<p>Substitute notice consists of all of the following:<br>(i) Email notice if the agency, individual, or the commercial entity has email addresses for the affected Idaho residents; and<br>(ii) Conspicuous posting of the notice on the website page of the agency, individual, or the commercial entity if the agency, individual, or the commercial entity maintains one; and<br>(iii) Notice to major statewide media.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notice to Government Agencies</h3>



<p>N/A</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Consumer Reporting Agencies</h3>



<p>N/A</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Preemption and Compliance</h3>



<p>(2) An individual or a commercial entity that is regulated by state or federal law and that maintains procedures for a breach of the security of the system pursuant to the laws, rules, regulations, guidances, or guidelines established by its primary or functional state or federal regulator is deemed to be in compliance with section 28-51-105, Idaho Code, if the individual or the commercial entity complies with the maintained procedures when a breach of the security of the system occurs.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Processor Obligations</h3>



<p>An agency, individual, or a commercial entity that maintains computerized data that includes personal information that the agency, individual, or the commercial entity does not own or license shall give notice to and cooperate with the owner or licensee of the information of any breach of the security of the system immediately following discovery of a breach if misuse of personal information about an Idaho resident occurred or is reasonably likely to occur. Cooperation includes sharing with the owner or licensee information relevant to the breach.</p>



<p></p>


Idaho (Data Protection Map)


<h2 class="wp-block-heading">Data Breach Requirements: HRS § 487N-1 et seq.</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute.</p>



<h3 class="wp-block-heading">Personal Information</h3>



<p>The term “personal information” means an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:<br>(1) Social Security number;<br>(2) Driver’s license number or Hawaii identification card number; or<br>(3) Account number, credit or debit card number, access code, or password that would permit access to an individual’s financial account.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security Breach Definition</h3>



<p>The term “security breach” means an incident of unauthorized access to and acquisition of unencrypted or unredacted records or data containing personal information where illegal use of the personal information has occurred or is reasonably likely to occur and that creates a risk of harm to a person. Any incident of unauthorized access to and acquisition of encrypted records or data containing personal information along with the confidential process or key constitutes a security breach.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Good Faith Exception</h3>



<p>Good faith acquisition of personal information by an employee or agent of the business for a legitimate purpose is not a security breach, provided that the personal information is not used for a purpose other than a lawful purpose of the business and is not subject to further unauthorized disclosure.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Risk of Harm Analysis</h3>



<p>See Security Breach Definition (creates a risk of harm to a person).</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Timeline</h3>



<p>The breach notification shall be made without unreasonable delay, consistent with the legitimate needs of law enforcement, and consistent with any measures necessary to determine sufficient contact information, determine the scope of the breach, and restore the reasonable integrity, security, and confidentiality of the data system.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security and Investigation Exceptions</h3>



<p>The breach notice shall be delayed if a law enforcement agency informs the business or government agency that notification may impede a criminal investigation or jeopardize national security and requests a delay, provided that such request is made in writing, or the business or government agency documents the request contemporaneously in writing, including the name of the law enforcement officer making the request and the officer’s law enforcement agency engaged in the investigation. The breach notice shall be provided without unreasonable delay after the law enforcement agency communicates to the business or government agency its determination that notice will no longer impede the investigation or jeopardize national security.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Content Requirements</h3>



<p>(d) The breach notice shall be clear and conspicuous. The notice shall include a description of the following:<br>(1) The incident in general terms;<br>(2) The type of personal information that was subject to the unauthorized access and acquisition;<br>(3) The general acts of the business or government agency to protect the personal information from further unauthorized access;<br>(4) A telephone number that the person may call for further information and assistance, if one exists; and<br>(5) Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Delivery Methods</h3>



<p>A breach notice may be provided by one of the following methods:<br>(1) Written notice to the last available address the business or government agency has on record;<br>(2) Electronic mail notice, for those persons for whom a business or government agency has a valid email address and who have agreed to receive communications electronically if the notice provided is consistent with the provisions regarding electronic records and signatures for notices legally required to be in writing set forth in 15 U.S.C. § 7001 (The Electronic Signatures in Global and National Commerce Act);<br>(3) Telephonic notice, provided that contact is made directly with the affected persons; and<br>(4) Substitute notice, if the business or government agency demonstrates that the cost of providing notice would exceed $100,000 or that the affected class of subject persons to be notified exceeds 200,000, or if the business or government agency does not have sufficient contact information or consent to satisfy paragraph (1), (2), or (3), for only those affected persons without sufficient contact information or consent, or if the business or government agency is unable to identify particular affected persons, for only those unidentifiable affected persons.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Substitute Notice</h3>



<p>Substitute notice shall consist of all the following:</p>



<p>(A) Email notice when the business or government agency has an email address for the subject persons;</p>



<p>(B) Conspicuous posting of the notice on the website page of the business or government agency, if one is maintained; and (C) Notification to major statewide media.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notice to Government Agencies</h3>



<p>In the event a business provides a breach notice to more than 1,000 persons at one time, the business shall notify in writing, without unreasonable delay, the State of Hawaii’s Office of Consumer Protection.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Consumer Reporting Agencies</h3>



<p>In the event a business provides a breach notice to more than 1,000 persons at one time, the business shall notify in writing, without unreasonable delay, the State of Hawaii’s Office of Consumer Protection and all consumer reporting agencies of the timing, distribution, and content of the notice.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Preemption and Compliance</h3>



<p>The following businesses shall be deemed to be in compliance with this section:<br>(1) A financial institution that is subject to the federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice; and<br>(2) Any health plan or health care provider that is subject to and in compliance with the standards for privacy or individually identifiable health information and the security standards for the protection of electronic health information of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Processor Obligations</h3>



<p>Any business located in Hawaii or any business that conducts business in Hawaii that maintains or possesses records or data containing personal information of residents of Hawaii that the business does not own or license, or any government agency that maintains or possesses records or data containing personal information of residents of Hawaii shall notify the owner or licensee of the information of any security breach immediately following discovery of the breach, consistent with the legitimate needs of law enforcement.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h2 class="wp-block-heading">Data Disposal and Security: HRS §§ 487R-1 to 487R-3.</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute. See statute for any applicable exceptions or exemptions.</p>



<h3 class="wp-block-heading">Key Terms</h3>



<p>The term “disposal” means the discarding or abandonment of records containing personal information or the sale, donation, discarding, or transfer of any medium, including computer equipment or computer media, containing records of personal information, or other non-paper media upon which records of personal information are stored, or other equipment for non-paper storage of information.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>The term “personal information” means an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:<br>(1) Social Security number;<br>(2) Driver’s license number or Hawaii identification card number; or<br>(3) Account number, credit or debit card number, access code, or password that would permit access to an individual’s financial account.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security Requirements</h3>



<p>Any business or government agency that conducts business in Hawaii and any business or government agency that maintains or otherwise possesses personal information of a resident of Hawaii shall take reasonable measures to protect against unauthorized access to or use of the information in connection with or after its disposal.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Written Policy</h3>



<p>See Data Disposal (official written policies; implementing and monitoring compliance with policies and procedures).</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Disposal</h3>



<p>The reasonable security requirements in connection with disposal include:<br>(1) Implementing and monitoring compliance with policies and procedures that require the burning, pulverizing, recycling, or shredding of papers containing personal information so that information cannot be practicably read or reconstructed;<br>(2) Implementing and monitoring compliance with policies and procedures that require the destruction or erasure of electronic media and other non-paper media containing personal information so that the information cannot practicably be read or reconstructed; and<br>(3) Describing procedures relating to the adequate destruction or proper disposal of personal records as official policy in the writings of the business entity.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>A business or government agency may satisfy its obligation hereunder by exercising due diligence and entering into a written contract with, and thereafter monitoring compliance by, another party engaged in the business of records destruction to destroy personal information in a manner consistent with this section. Due diligence should ordinarily include one or more of the following: (1) Reviewing an independent audit of the disposal business’ operations or its compliance with this chapter; (2) Obtaining information about the disposal business from several references or other reliable sources and requiring that the disposal business be certified by a recognized trade association or similar third party with a reputation for high standards of quality review; or (3) Reviewing and evaluating the disposal business’ information security policies or procedures, or taking other appropriate measures to determine the competency and integrity of the disposal business.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>A disposal business that conducts business in Hawaii or disposes of personal information of residents of Hawaii shall take reasonable measures to dispose of records containing personal information by implementing and monitoring compliance with policies and procedures that protect against unauthorized access to, or use of, personal information during or after the collection, transportation, and disposing of such information.</p>


Hawaii (Data Protection Map)


<h2 class="wp-block-heading">Data Breach Requirements: O.C.G.A. § 10-1-910 et seq.</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute.</p>



<h3 class="wp-block-heading">Personal Information</h3>



<p>(6) The term “personal information” means an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:<br>(A) Social Security number;<br>(B) Driver’s license number or state identification card number;<br>(C) Account number, credit card number, or debit card number, if circumstances exist wherein such a number could be used without additional identifying information, access codes, or passwords;<br>(D) Account passwords or personal identification numbers or other access codes; or<br>(E) Any of the items contained in subparagraphs (A) through (D) of this paragraph when not in connection with the individual’s first name or first initial and last name, if the information compromised would be sufficient to perform or attempt to perform identity theft against the person whose information was compromised.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security Breach Definition</h3>



<p>The term “breach of the security of the system” means unauthorized acquisition of an individual’s electronic data that compromises the security, confidentiality, or integrity of personal information of such individual maintained by an information broker or data collector.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Good Faith Exception</h3>



<p>Good faith acquisition or use of personal information by an employee or agent of an information broker or data collector for the purposes of such information broker or data collector is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Risk of Harm Analysis</h3>



<p>N/A</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Timeline</h3>



<p>The breach notice shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, or with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security and Investigation Exceptions</h3>



<p>The breach notification may be delayed if a law enforcement agency determines that the notification will compromise a criminal investigation. The notification shall be made after the law enforcement agency determines that it will not compromise the investigation.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Content Requirements</h3>



<p>N/A</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Delivery Methods</h3>



<p>A breach notice may be provided by one of the following methods:</p>



<p>(A) Written notice;</p>



<p>(B) Telephone notice;</p>



<p>(C) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001 (The Electronic Signatures in Global and National Commerce Act); or (D) Substitute notice, if the information broker or data collector demonstrates that the cost of providing notice would exceed $50,000, that the affected class of individuals to be notified exceeds 100,000, or that the information broker or data collector does not have sufficient contact information to provide written or electronic notice to such individuals.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Substitute Notice</h3>



<p>Substitute notice shall consist of all of the following:</p>



<p>(i) Email notice, if the information broker or data collector has an email address for the individuals to be notified;</p>



<p>(ii) Conspicuous posting of the notice on the information broker’s or data collector’s website page, if the information broker or data collector maintains one; and </p>



<p>(iii) Notification to major state-wide media.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notice to Government Agencies</h3>



<p>N/A</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Consumer Reporting Agencies</h3>



<p>In the event that an information broker or data collector discovers circumstances requiring notification of more than 10,000 residents of this state at one time, the information broker or data collector shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nation-wide basis of the timing, distribution, and content of the notices.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Preemption and Compliance</h3>



<p>No express provision.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Processor Obligations</h3>



<p>Any person or business that maintains computerized data on behalf of an information broker or data collector that includes personal information of individuals that the person or business does not own shall notify the information broker or data collector of any breach of the security of the system within 24 hours following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Other Information</h3>



<p>The term “information broker” means any person or entity who, for monetary fees or dues, engages in whole or in part in the business of collecting, assembling, evaluating, compiling, reporting, transmitting, transferring, or communicating information concerning individuals for the primary purpose of furnishing personal information to nonaffiliated third parties, but does not include any governmental agency whose records are maintained primarily for traffic safety, law enforcement, or licensing purposes.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h2 class="wp-block-heading">Data Disposal and Security: O.C.G.A. § 10-15-1 et seq.</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute. See statute for any applicable exceptions or exemptions.</p>



<h3 class="wp-block-heading">Key Terms</h3>



<p>The term “discard” means to throw away, get rid of, or eliminate.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>The term “dispose” means the sale or transfer of a record for value to a company or business engaged in the business of record destruction.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>The term “personal information” means:<br>(A) Personally identifiable data about a customer’s medical condition, if the data are not generally considered to be public knowledge;<br>(B) Personally identifiable data which contain a customer’s account or identification number, account balance, balance owing, credit balance, or credit limit, if the data relate to a customer’s account or transaction with a business;<br>(C) Personally identifiable data provided by a customer to a business upon opening an account or applying for a loan or credit; or<br>(D) Personally identifiable data about a customer’s federal, state, or local income tax return.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>The term “personally identifiable” means capable of being associated with a particular customer through one or more identifiers, including, but not limited to, a customer’s fingerprint, photograph, or computerized image, Social Security number, passport number, driver identification number, personal identification card number, date of birth, medical information, or disability information. A customer’s name, address, and telephone number shall not be considered personally identifiable data unless one or more of them are used in conjunction with one or more of the identifiers listed here.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>The term “record” means any material on which written, drawn, printed, spoken, visual, or electromagnetic information is recorded or preserved, regardless of physical form or characteristics.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Disposal</h3>



<p>A business may not discard a record containing personal information unless it:<br>(1) Shreds the customer’s record before discarding the record;<br>(2) Erases the personal information contained in the customer’s record before discarding the record;<br>(3) Modifies the customer’s record to make the personal information unreadable before discarding the record; or<br>(4) Takes actions that it reasonably believes will ensure that no unauthorized person will have access to the personal information contained in the customer’s record for the period between the record’s disposal and the record’s destruction.</p>


Georgia (Data Protection Map)


<h2 class="wp-block-heading">Data Breach Requirements: Fla. Stat. § 501.171.</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute.</p>



<h3 class="wp-block-heading">Personal Information</h3>



<p>(g)1. The term “personal information” means either of the following:</p>



<p>a. An individual’s first name or first initial and last name in combination with any one or more of the following data elements for that individual:</p>



<p>(I) A Social Security number;</p>



<p>(II) A driver’s license or identification card number, passport number, military identification number, or other similar number issued on a government document used to verify identity;</p>



<p>(III) A financial account number or credit or debit card number, in combination with any required security code, access code, or password that is necessary to permit access to an individual’s financial account;</p>



<p>(IV) Any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional;</p>



<p>(V) An individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual;</p>



<p>(VI) An individual&#8217;s biometric data as defined in s. 501.702; or Any information regarding an individual’s geolocation.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security Breach Definition</h3>



<p>The term a “breach of security” or “breach” means unauthorized access of data in electronic form containing personal information.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Good Faith Exception</h3>



<p>Good faith access of personal information by an employee or agent of the covered entity does not constitute a breach of security, provided that the information is not used for a purpose unrelated to the business or subject to further unauthorized use.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Risk of Harm Analysis</h3>



<p>A breach notice to the affected individuals is not required if, after an appropriate investigation and consultation with relevant federal, state, or local law enforcement agencies, the covered entity reasonably determines that the breach has not and will not likely result in identity theft or any other financial harm to the individuals whose personal information has been accessed. Such a determination must be documented in writing and maintained for at least five years. The covered entity shall provide the written determination to the department within 30 days after the determination.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Timeline</h3>



<p>A breach notice shall be made as expeditiously as practicable and without unreasonable delay, taking into account the time necessary to allow the covered entity to determine the scope of the breach of security, to identify individuals affected by the breach, and to restore the reasonable integrity of the data system that was breached. A breach notice shall be made no later than 30 days after the determination of a breach or reason to believe a breach occurred unless subject to a delay authorized under paragraph (b) (security and investigation exceptions) or waiver under paragraph (c) (risk of harm analysis).</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security and Investigation Exceptions</h3>



<p>If a federal, state, or local law enforcement agency determines that notice to individuals required under this subsection would interfere with a criminal investigation, the notice shall be delayed upon the written request of the law enforcement agency for a specified period that the law enforcement agency determines is reasonably necessary. A law enforcement agency may, by a subsequent written request, revoke such delay as of a specified date or extend the period set forth in the original request made under this paragraph to a specified date if further delay is necessary.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Content Requirements</h3>



<p>The notice to an individual with respect to a breach of security shall include, at a minimum:</p>



<ol><li>The date, estimated date, or estimated date range of the breach of security.</li><li>A description of the personal information that was accessed or reasonably believed to have been accessed as a part of the breach of security.</li><li>Information that the individual can use to contact the covered entity to inquire about the breach of security and the personal information that the covered entity maintained about the individual.</li></ol>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Delivery Methods</h3>



<p>A breach notice may be provided by one of the following methods:</p>



<ol><li>Written notice sent to the mailing address of the individual in the records of the covered entity; or</li><li>Email notice sent to the email address of the individual in the records of the covered entity.</li><li>A covered entity required to provide notice to an individual may provide substitute notice in lieu of direct notice if such direct notice is not feasible because the cost of providing notice would exceed $250,000, because the affected individuals exceed 500,000 persons, or because the covered entity does not have an email address or mailing address for the affected individuals.</li></ol>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Substitute Notice</h3>



<p>The substitute notice shall include the following:</p>



<ol><li>A conspicuous notice on the internet website of the covered entity if the covered entity maintains a website; and</li><li>Notice in print and to broadcast media, including major media in urban and rural areas where the affected individuals reside.</li></ol>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notice to Government Agencies</h3>



<p>(a) A covered entity shall provide notice to the department of any breach of security affecting 500 or more individuals in this state. Such notice must be provided to the department as expeditiously as practicable, but no later than 30 days after the determination of the breach or reason to believe a breach occurred. A covered entity may receive 15 additional days to provide notice as required in subsection (4) if good cause for delay is provided in writing to the department within 30 days after determination of the breach or reason to believe a breach occurred.</p>



<p>(b) The written notice to the department must include:</p>



<ol><li>A synopsis of the events surrounding the breach at the time notice is provided.</li><li>The number of individuals in this state who were or potentially have been affected by the breach.</li><li>Any services related to the breach being offered or scheduled to be offered, without charge, by the covered entity to individuals, and instructions as to how to use such services.</li><li>A copy of the notice required under subsection (4), or an explanation of the other actions taken pursuant to subsection (4).</li><li>The name, address, telephone number, and email address of the employee or agent of the covered entity from whom additional information may be obtained about the breach.</li></ol>



<p>(c) The covered entity must provide the following information to the department upon its request:</p>



<ol><li>A police report, incident report, or computer forensics report.</li><li>A copy of the policies in place regarding breaches.</li><li>Steps that have been taken to rectify the breach.</li></ol>



<p>(d) A covered entity may provide the department with supplemental information regarding a breach at any time.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Consumer Reporting Agencies</h3>



<p>If a covered entity discovers circumstances requiring a breach notice to more than 1,000 individuals at a single time, the covered entity shall also notify, without unreasonable delay, all consumer reporting agencies of the timing, distribution, and content of the notices.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Preemption and Compliance</h3>



<p>Notice provided pursuant to rules, regulations, procedures, or guidelines established by the covered entity’s primary or functional federal regulator is deemed to be in compliance with the notice requirement in this subsection if the covered entity notifies affected individuals in accordance with the rules, regulations, procedures, or guidelines established by the primary or functional federal regulator in the event of a breach of security. Under this paragraph, a covered entity that provides a copy of such notice to the department in a timely manner is deemed to be in compliance with the notice requirement herein.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Processor Obligations</h3>



<p>In the event of a breach of security of a system maintained by a third-party agent, such third-party agent shall notify the covered entity of the breach of security as expeditiously as practicable, but no later than 10 days following the determination of the breach of security or reason to believe the breach occurred. A third-party agent shall provide a covered entity with all information that the covered entity needs to comply with its notice requirements.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Other Information</h3>



<p>The “Department” means the Department of Legal Affairs.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h2 class="wp-block-heading">Data Disposal and Security: Fla. Stat. § <a>501.171</a>.</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute. See statute for any applicable exceptions or exemptions.</p>



<h3 class="wp-block-heading">Key Terms</h3>



<p>The term “personal information” means either of the following:</p>



<p>a. An individual’s first name or first initial and last name in combination with any one or more of the following data elements for that individual:</p>



<p>(I) A Social Security number;</p>



<p>(II) A driver’s license or identification card number, passport number, military identification number, or other similar number issued on a government document used to verify identity;</p>



<p>(III) A financial account number or credit or debit card number, in combination with any required security code, access code, or password that is necessary to permit access to an individual’s financial account;</p>



<p>(IV) Any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; or</p>



<p>(V) An individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual. b. A username or email address, in combination with a password or security question and answer that would permit access to an online account.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security Requirements</h3>



<p>Each covered entity, governmental entity, or third-party agent shall take reasonable measures to protect and secure data in electronic form containing personal information.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Disposal</h3>



<p>Each covered entity or third-party agent shall take all reasonable measures to dispose, or arrange for the disposal, of customer records containing personal information within its custody or control when the records are no longer to be retained. Such disposal shall involve shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means.</p>


Florida (Data Protection Map)


<h2 class="wp-block-heading">Data Breach Requirements: D.C. Code § 28-3851 et seq.</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute.</p>



<h3 class="wp-block-heading">Personal Information</h3>



<p>(3)(A) The term “personal information” means:</p>



<p>(i) An individual’s first name, first initial and last name, or any other personal identifier, which, in combination with any of the following data elements, can be used to identify a person or the person’s information:</p>



<p>(I) Social Security number, individual taxpayer identification number, passport number, driver’s license number, District of Columbia identification card number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual;</p>



<p>(II) Account number, credit card number or debit card number, or any other number or code or combination of numbers or codes, such as an identification number, security code, access code, or password, that allows access to or use of an individual’s financial or credit account;</p>



<p>(III) Medical information;</p>



<p>(IV) Genetic information and deoxyribonucleic acid (DNA) profile;</p>



<p>(V) Health insurance information, including a policy number, subscriber information number, or any unique identifier used by a health insurer to identify the person that permits access to an individual’s health and billing information;</p>



<p>(VI) Biometric data of an individual generated by automatic measurements of an individual’s biological characteristics, such as a fingerprint, voice print, genetic print, retina or iris image, or other unique biological characteristic, that is used to uniquely authenticate the individual’s identity when the individual accesses a system or account; or</p>



<p>(VII) Any combination of data elements included in sub-sub-subparagraphs (I) through (VI) of this sub-subparagraph that would enable a person to commit identity theft without reference to a person’s first name or first initial and last name or other independent personal identifier. (ii) A username or email address in combination with a password, security question and answer, or other means of authentication, or any combination of data elements included in sub-sub-subparagraphs (I) through (VI) of sub-subparagraph (i) that permits access to an individual’s email account.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security Breach Definition</h3>



<p>The term “breach of the security of the system” means unauthorized acquisition of computerized or other electronic data or any equipment or device storing such data that compromises the security, confidentiality, or integrity of personal information maintained by the person or entity who conducts business in the District of Columbia.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Good Faith Exception</h3>



<p>A “breach of the security of the system” does not include a good-faith acquisition of personal information by an employee or agency of the person or entity for the purposes of the person or entity if the personal information is not used improperly or subject to further unauthorized disclosure.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Risk of Harm Analysis</h3>



<p>A “breach of the security of the system” does not include acquisition of personal information of an individual that the person or entity reasonably determines, after a reasonable investigation and consultation with the Office of the Attorney General for the District of Columbia and federal law enforcement agencies, will likely not result in harm to the individual.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Timeline</h3>



<p>The breach notification shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, and with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security and Investigation Exceptions</h3>



<p>The breach notification may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation but shall be made as soon as possible after the law enforcement agency determines that the notification will not compromise the investigation.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Content Requirements</h3>



<p>The breach notification shall include:<br>(1) To the extent possible, a description of the categories of information that were, or are reasonably believed to have been, acquired by an unauthorized person, including the elements of personal information that were, or are reasonably believed to have been, acquired;<br>(2) Contact information for the person or entity making the notification, including the business address, telephone number, and toll-free telephone number if one is maintained;<br>(3) The toll-free telephone numbers and addresses for the major consumer reporting agencies, including a statement notifying the resident of the right to obtain a security freeze free of charge pursuant to 15 U.S.C. § 1681c-1 and information on how a resident may request a security freeze; and<br>(4) The toll-free telephone numbers, addresses, and website addresses for the following entities, including a statement that an individual can obtain information from these sources about steps to take to avoid identity theft: (A) The Federal Trade Commission; and (B) The Office of the Attorney General for the District of Columbia.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Delivery Methods</h3>



<p>A breach notice may be provided by one of the following methods:</p>



<p>(A) Written notice;</p>



<p>(B) Electronic notice, if the customer has consented to receipt of electronic notice consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001 (The Electronic Signatures in Global and National Commerce Act); or (C)(i) Substitute notice, if the person or entity demonstrates that the cost of providing notice to persons subject to this subchapter would exceed $50,000, that the number of persons to receive notice under this subchapter exceeds 100,000, or that the person or entity does not have sufficient contact information.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Substitute Notice</h3>



<p>Substitute notice shall consist of all of the following:</p>



<p>(I) Email notice when the person or entity has an email address for the subject persons;</p>



<p>(II) Conspicuous posting of the notice on the website page of the person or entity if the person or entity maintains one; and (III) Notice to major local and, if applicable, national media.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notice to Government Agencies</h3>



<p>In addition to giving the breach notification required under subsection (a) of this section, and subject to subsection (d) of this section (security and investigation exceptions), the person or entity required to give notice shall promptly provide written notice of the breach of the security of the system to the Office of the Attorney General for the District of Columbia if the breach affects 50 or more District residents. This notice shall be made in the most expedient manner possible, without unreasonable delay, and in no event later than when notice is provided under subsection (a) of this section. The written notice shall include:<br>(1) The name and contact information of the person or entity reporting the breach;<br>(2) The name and contact information of the person or entity that experienced the breach;<br>(3) The nature of the breach of the security of the system, including the name of the person or entity that experienced the breach;<br>(4) The types of personal information compromised by the breach;<br>(5) The number of District residents affected by the breach;<br>(6) The cause of the breach, including the relationship between the person or entity that experienced the breach and the person responsible for the breach, if known;<br>(7) The remedial action taken by the person or entity to include steps taken to assist District residents affected by the breach;<br>(8) The date and time frame of the breach, if known;<br>(9) The address and location of corporate headquarters, if outside of the District;<br>(10) Any knowledge of foreign country involvement; and<br>(11) A sample of the notice to be provided to District residents.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>This notice shall not be delayed on the grounds that the total number of District residents affected by the breach has not yet been ascertained.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Consumer Reporting Agencies</h3>



<p>If any person or entity is required by subsection (a) or (b) of this section to notify more than 1,000 persons of a breach, the person shall also notify, without unreasonable delay, all consumer reporting agencies of the timing, distribution and content of the notices. Nothing in this subsection shall be construed to require the person to provide to the consumer reporting agency the names or other personal identifying information of breach notice recipients. This subsection shall not apply to a person or entity who is required to notify consumer reporting agencies of a breach pursuant to Title V of the Gramm-Leach-Bliley Act.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Preemption and Compliance</h3>



<p>A person or entity that maintains procedures for a breach notification system under Title V of the Gramm-Leach-Bliley Act, or the breach notification rules issued pursuant to the Health Insurance Portability Accountability Act of 1996 (HIPAA), or the Health Information Technology for Economic and Clinical Health Act (HITECH), and provides notice in accordance with such acts, and any rules, regulations, guidance, and guidelines thereto, to each affected resident in the event of a breach, shall be deemed to be in compliance with this section with respect to the notification of residents whose personal information is included in the breach. The person or entity shall, in all cases, provide written notice of the breach of the security of the system to the Office of the Attorney General for the District of Columbia.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Processor Obligations</h3>



<p>Any person or entity who maintains, handles, or otherwise possesses computerized or other electronic data that includes personal information that the person or entity does not own shall notify the owner or licensee of the information of any breach of the security of the system in the most expedient time possible following discovery.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Other Information</h3>



<p>Notwithstanding subsection (a-1) of this section, in the case of a breach of the security of the system that only involves personal information as defined in § 28-3851 (3)(A)(ii), the person or entity may comply with this section by providing the notification in electronic format or other form that directs the person to change the person’s password and security question or answer, as applicable, or to take other steps appropriate to protect the email account with the person or entity and all other online accounts for which the person whose personal information has been breached uses the same username or email address and password or security question or answer.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>When a person or entity experiences a breach of the security of the system and such breach includes or is reasonably believed to include a Social Security number or taxpayer identification number, the person or entity shall offer to each District resident whose Social Security number or taxpayer identification number was released identity theft protection services at no cost for a period of not less than 18 months. The person or entity that experienced the breach of the security of its system shall provide all information necessary for District residents to enroll in the services.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h2 class="wp-block-heading">Data Disposal and Security: D.C. Code § 28-3852.01</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute. See statute for any applicable exceptions or exemptions.</p>



<h3 class="wp-block-heading">Key Terms</h3>



<p>The term “personal information” means:<br>(i) An individual’s first name, first initial, and last name, or any other personal identifier, which, in combination with any of the following data elements, can be used to identify a person or the person’s information:<br>(I) Social security number, individual taxpayer identification number, passport number, driver’s license number, District of Columbia identification card number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual;<br>(II) Account number, credit card number, or debit card number, or any other number or code or combination of numbers or codes, such as an identification number, security code, access code, or password, that allows access to or use of an individual’s financial or credit account;<br>(III) Medical information;<br>(IV) Genetic information and deoxyribonucleic acid (DNA) profile;<br>(V) Health insurance information, including a policy number, subscriber information number, or any unique identifier used by a health insurer to identify the person that permits access to an individual’s health and billing information;<br>(VI) Biometric data of an individual generated by automatic measurements of an individual’s biological characteristics, such as a fingerprint, voice print, genetic print, retina or iris image, or other unique biological characteristic, that is used to uniquely authenticate the individual’s identity when the individual accesses a system or account; or<br>(VII) Any combination of data elements included in sub-sub-subparagraphs (I) through (VI) of this sub-subparagraph that would enable a person to commit identity theft without reference to a person’s first name or first initial and last name or other independent personal identifier.<br>(ii) A username or email address in combination with a password, security question and answer, or other means of authentication, or any combination of data elements included in sub-sub-subparagraphs (I) through (VI) of sub-subparagraph (i) that permits access to an individual’s email account.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security Requirements</h3>



<p>To protect personal information from unauthorized access, use, modification, disclosure, or a reasonably anticipated hazard or threat, a person or entity that owns, licenses, maintains, handles, or otherwise possesses personal information of an individual residing in the District shall implement and maintain reasonable security safeguards, including procedures and practices that are appropriate to the nature of the personal information and the nature and size of the entity or operation.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>A person or entity that uses a nonaffiliated third party as a service provider to perform services for a person or entity and discloses personal information about an individual residing in the District under a written agreement with the third party shall require by the agreement that the third party implement and maintain reasonable security procedures and practices that: (1) Are appropriate to the nature of the personal information disclosed to the nonaffiliated third party; and (2) Are reasonably designed to protect the personal information from unauthorized access, use, modification, and disclosure.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Disposal</h3>



<p>When a person or entity is destroying records, including computerized or electronic records and devices containing computerized or electronic records, that contain personal information of a consumer, employee, or former employee of the person or entity, the person or entity shall take reasonable steps to protect against unauthorized access to or use of the personal information, taking into account:</p>



<p>(1) The sensitivity of the records;</p>



<p>(2) The nature and size of the business and its operations;</p>



<p>(3) The costs and benefits of different destruction and sanitation methods; and (4) Available technology.</p>


District of Columbia (Data Protection Map)


<h2 class="wp-block-heading">Consumer Data Privacy Law</h2>



<p>Consumer Data Privacy and Online Monitoring</p>



<p>Available at: <a href=" https://legis.delaware.gov/json/BillDetail/GenerateHtmlDocumentEngrossment?engrossmentId=35877&amp;docTypeId=6">https://legis.delaware.gov/json/BillDetail/GenerateHtmlDocumentEngrossment?engrossmentId=35877&amp;docTypeId=6</a></p>



<h2 class="wp-block-heading">Data Breach Requirements: 6 Del. C. § 12B-101 et seq.</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute.</p>



<h3 class="wp-block-heading">Personal Information</h3>



<p>(7) a. The term “personal information” means a Delaware resident’s first name or first initial and last name in combination with any one or more of the following data elements that relate to that individual:</p>



<p>1. Social Security number.</p>



<p>2. Driver’s license number or state or federal identification card number.</p>



<p>3. Account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to a resident’s financial account.</p>



<p>4. Passport number.</p>



<p>5. A username or email address, in combination with a password or security question and answer that would permit access to an online account.</p>



<p>6. Medical history, medical treatment by a health care professional, diagnosis of mental or physical condition by a health care professional, or deoxyribonucleic acid (DNA) profile.</p>



<p>7. Health insurance policy number, subscriber identification number, or any other unique identifier used by a health insurer to identify the person.</p>



<p>8. Unique biometric data generated from measurements or analysis of human body characteristics for authentication purposes. 9. An individual taxpayer identification number.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security Breach Definition</h3>



<p>A “breach of security” means the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information. The unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information is not a breach of security to the extent that personal information contained therein is encrypted, unless such unauthorized acquisition includes, or is reasonably believed to include, the encryption key and the person that owns or licenses the encrypted information has a reasonable belief that the encryption key could render that personal information readable or useable.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Good Faith Exception</h3>



<p>Good faith acquisition of personal information by an employee or agent of any person for the purposes of such person is not a breach of security, provided that the personal information is not used for an unauthorized purpose or subject to further unauthorized disclosure.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Risk of Harm Analysis</h3>



<p>Any person who conducts business in this state and who owns or licenses computerized data that includes personal information shall provide notice of any breach of security following determination of the breach of security to any resident of this state whose personal information was breached or is reasonably believed to have been breached, unless, after an appropriate investigation, the person reasonably determines that the breach of security is unlikely to result in harm to the individuals whose personal information has been breached.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Timeline</h3>



<p>A breach notification must be made without unreasonable delay but not later than 60 days after determination of the breach of security, unless a shorter time is required under federal law or an exception applies. When a person could not, through reasonable diligence, identify within 60 days that the personal information of certain residents of this state was included in a breach of security, such person must provide the breach notice to such residents as soon as practicable after the determination that the breach of security included the personal information of such residents, unless such person provides or has provided substitute notice in accordance with § 12B-101(5)d. of this title.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security and Investigation Exceptions</h3>



<p>A breach notification may be delayed if a law enforcement agency determines that the notice will impede a criminal investigation and such law enforcement agency has made a request of the person that the notice be delayed. Any such delayed notice must be made after such law enforcement agency determines that notice will not compromise the criminal investigation and so notifies the person of such determination.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Content Requirements</h3>



<p>See Other Information.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Delivery Methods</h3>



<p>A breach notice may be provided by one of the following methods:</p>



<p>a. Written notice.</p>



<p>b. Telephonic notice.</p>



<p>c. Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001 (The Electronic Signatures in Global and National Commerce Act) or if the person’s primary means of communication with the resident is by electronic means. d. Substitute notice, if the person required to provide notice under this chapter demonstrates that the cost of providing notice will exceed $75,000, or that the affected number of Delaware residents to be notified exceeds 100,000 residents, or that the person does not have sufficient contact information to provide notice.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Substitute Notice</h3>



<p>Substitute notice consists of all of the following:</p>



<p>1. Electronic notice if the person has email addresses for the members of the affected class of Delaware residents.</p>



<p>2. Conspicuous posting of the notice on a website page of the person if the person maintains one or more website pages. 3. Notice to major statewide media, including newspapers, radio, and television and publication on the major social media platforms of the person providing notice.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notice to Government Agencies</h3>



<p>If the affected number of Delaware residents to be notified exceeds 500 residents, the person required to provide notice shall, not later than the time when notice is provided to the resident, also provide notice of the breach of security to the attorney general.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Consumer Reporting Agencies</h3>



<p>N/A</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Preemption and Compliance</h3>



<p>A person that is regulated by state or federal law, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Gramm-Leach-Bliley Act and that maintains procedures for a breach of security pursuant to the laws, rules, regulations, guidance, or guidelines established by its primary or functional state or federal regulator is deemed to be in compliance with this law if the person notifies affected Delaware residents in accordance with the maintained procedures when a breach of security occurs.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Processor Obligations</h3>



<p>A person that maintains computerized data that includes personal information that the person does not own or license shall give notice to and cooperate with the owner or licensee of the information of any breach of security immediately following determination of the breach of security. For purposes of this subsection, “cooperation” includes sharing with the owner or licensee information relevant to the breach.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Other Information</h3>



<p>If the breach of security includes a Social Security number, the person shall offer to each resident, whose personal information, including Social Security number, was breached or is reasonably believed to have been breached, credit monitoring services at no cost to such resident for a period of one year. Such person shall provide all information necessary for such resident to enroll in the services and shall include information on how such resident can place a credit freeze on such resident’s credit file. Such services are not required if, after an appropriate investigation, the person reasonably determines that the breach of security is unlikely to result in harm to the individuals whose personal information has been breached.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>In the case of a breach of security involving personal information defined in § 12B-101(7)a.5. of this title for login credentials of an email account, if the person cannot comply with this section by providing the security breach notification to such email address, the person may instead comply with this section by providing notice by another method described in § 12B-101(5) of this title or by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an internet protocol address or online location from which the person knows the resident customarily accesses the account.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h2 class="wp-block-heading">Data Disposal and Security: 6 Del. C. §§ 5001C to 5004C; § 12B-100.</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute. See statute for any applicable exceptions or exemptions.</p>



<h3 class="wp-block-heading">Key Terms</h3>



<p>The term “personal information” means a Delaware resident’s first name or first initial and last name in combination with any one or more of the following data elements that relate to that individual:</p>



<ol><li>Social Security number.</li><li>Driver’s license number or state or federal identification card number.</li><li>Account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to a resident’s financial account.</li><li>Passport number.</li><li>A username or email address, in combination with a password or security question and answer that would permit access to an online account.</li><li>Medical history, medical treatment by a health care professional, diagnosis of mental or physical condition by a health care professional, or deoxyribonucleic acid (DNA) profile.</li><li>Health insurance policy number, subscriber identification number, or any other unique identifier used by a health insurer to identify the person.</li><li>Unique biometric data generated from measurements or analysis of human body characteristics for authentication purposes.</li><li>An individual taxpayer identification number.</li></ol>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>The term “personal identifying information” means a consumer’s first name or first initial and last name in combination with any one of the following data elements that relate to the consumer, when either the name or the data elements are not encrypted: Social Security number; passport number; driver’s license or state identification card number; insurance policy number; financial services account number; bank account number; credit card number; debit card number; tax or payroll information; or confidential health-care information, including all information relating to a patient’s health care history, diagnosis, condition, and treatment, or evaluation obtained from a health care provider who has treated the patient, that explicitly or by implication identifies a particular patient.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>The term “record” means information that is inscribed on a tangible medium, or that is stored in an electronic or other medium and is retrievable in perceivable form on which personal identifying information is recorded or preserved. “Record” does not include publicly available directories or sources containing information a consumer has voluntarily consented to have publicly disseminated or listed, or that is disseminated as provided for by applicable law or regulation, such as name, address, or telephone number, or other directories or sources as are derived solely from such directories or sources.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security Requirements</h3>



<p>Any person who conducts business in Delaware and owns, licenses, or maintains personal information shall implement and maintain reasonable procedures and practices to prevent the unauthorized acquisition, use, modification, disclosure, or destruction of personal information collected or maintained in the regular course of business.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Disposal</h3>



<p>In the event that a commercial entity seeks permanently to dispose of records containing consumers’ personal identifying information within its custody or control, such commercial entity shall take reasonable steps to destroy or arrange for the destruction of each such record by shredding, erasing, or otherwise destroying or modifying the personal identifying information in those records to make it unreadable or indecipherable.</p>


Delaware (Data Protection Map)


<h2 class="wp-block-heading">Consumer Data Privacy Law</h2>



<p>Consumer Data Privacy and Online Monitoring</p>



<p>Available at: &nbsp;<a href="https://www.cga.ct.gov/2022/act/pa/pdf/2022PA-00015-R00SB-00006-PA.pdf">https://www.cga.ct.gov/2022/act/pa/pdf/2022PA-00015-R00SB-00006-PA.pdf</a></p>



<h2 class="wp-block-heading">Data Breach Requirements: Conn. Gen. Stat. <a>§ 36a-701b.</a></h2>



<p>The numbering and internal citations herein are derived from the applicable state statute.</p>



<h3 class="wp-block-heading">Personal Information</h3>



<p>The term “personal information” means an individual’s</p>



<p>(A) first name or first initial and last name in combination with any one, or more, of the following data:</p>



<p>(i) Social Security number;</p>



<p>(ii) Taxpayer identification number;</p>



<p>(iii) Identity protection personal identification number issued by the Internal Revenue Service;</p>



<p>(iv) Driver’s license number, state identification card number, passport number, military identification number, or other identification number issued by the government that is commonly used to verify identity;</p>



<p>(v) Credit or debit card number;</p>



<p>(vi) Financial account number in combination with any required security code, access code, or password that would permit access to such financial account;</p>



<p>(vii) Medical information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional;</p>



<p>(viii) Health insurance policy number or subscriber identification number, or any unique identifier used by a health insurer to identify the individual; or,</p>



<p>(ix) Biometric information consisting of data generated by electronic measurements of an individual’s unique physical characteristics used to authenticate or ascertain the individual’s identity, such as a fingerprint, voice print, retina or iris image; or (B) Username or electronic mail address, in combination with a password or security question and answer that would permit access to an online account.</p>



<h3 class="wp-block-heading">Security Breach Definition</h3>



<p>The term “breach of security” means unauthorized access to or unauthorized acquisition of electronic files, media, databases or computerized data, containing personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Good Faith Exception</h3>



<p>N/A</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Risk of Harm Analysis</h3>



<p>A breach notification is not be required if, after an appropriate investigation, the person reasonably determines that the breach will not likely result in harm to the individuals whose personal information has been acquired or accessed.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Timeline</h3>



<p>A breach notification shall be made without unreasonable delay but not later than sixty (60) days after the discovery of such breach, unless a shorter time is required under federal law.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security and Investigation Exceptions</h3>



<p>A breach notification shall be delayed for a reasonable period of time if a law enforcement agency determines that the notification will impede a criminal investigation and such law enforcement agency has made a request that the notification be delayed. Any such delayed notification shall be made after such law enforcement agency determines that notification will not compromise the criminal investigation and so notifies the person of such determination.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Content Requirements</h3>



<p>See Other Information.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Delivery Methods</h3>



<p>A breach notice may be provided by one of the following methods:<br>(1) Written notice;<br>(2) Telephone notice;<br>(3) Electronic notice, provided such notice is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001 (The Electronic Signatures in Global and National Commerce Act);<br>(4) substitute notice, provided such person demonstrates that the cost of providing notice in accordance with subdivision (1), (2), or (3) of this subsection would exceed $250,000, that the affected class of subject persons to be notified exceeds 500,000 persons, or that the person does not have sufficient contact information.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Substitute Notice</h3>



<p>Substitute notice shall consist of the following:</p>



<p>(A) Electronic mail notice when the person has an electronic mail address for the affected persons;</p>



<p>(B) Conspicuous posting of the notice on the website of the person if the person maintains one; and (C) Notification to major state-wide media, including newspapers, radio, and television.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notice to Government Agencies</h3>



<p>The person who owns, licenses or maintains computerized data that includes personal information, shall, not later than the time when a breach notice is provided to the resident, also provide notice of the breach of security to the Attorney General.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Consumer Reporting Agencies</h3>



<p>N/A</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Preemption and Compliance</h3>



<p>Any person that maintains such a security breach procedure pursuant to the rules, regulations, procedures or guidelines established by the primary or functional regulator, as defined in 15 USC 6809(2), shall be deemed to be in compliance with the security breach notification requirements of this section, provided (1) such person notifies, as applicable, such residents of this state, owners, and licensees required to be notified under and in accordance with the policies or the rules, regulations, procedures, or guidelines established by the primary or functional regulator in the event of a breach of security, and (2) if notice is given to a resident of this state in accordance with subdivision (1) of this subsection regarding a breach of security, such person also notifies the attorney general not later than the time when notice is provided to the resident.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>Any person that is subject to and in compliance with the privacy and security standards under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) shall be deemed to be in compliance with this section, provided that (1) any person required to provide notification to Connecticut residents pursuant to HITECH shall also provide notice to the attorney general not later than the time when notice is provided to such residents if notification to the attorney general would otherwise be required under the law, and (2) the person otherwise complies with the other requirements of the law (i.e., identify theft protection).</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Processor Obligations</h3>



<p>Any person that maintains computerized data that includes personal information that the person does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following its discovery, if the personal information of a resident of this state was breached or is reasonably believed to have been breached.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Other Information</h3>



<p>The person who owns or licenses computerized data that includes personal information shall offer to each resident whose personal information under clause (i) or (ii) of subparagraph (A) of subdivision (2) of subsection (a) of this section (i.e., Social Security number; taxpayer identification number) was breached or is reasonably believed to have been breached, appropriate identity theft prevention services and, if applicable, identity theft mitigation services. Such service or services shall be provided at no cost to such resident for a period of not less than twenty-four (24) months. Such person shall provide all information necessary for such resident to enroll in such service or services and shall include information on how such resident can place a credit freeze on such resident’s credit file.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>In the event of a breach of login credentials, notice to a resident may be provided in electronic or other form that directs the resident whose personal information was breached or is reasonably believed to have been breached to promptly change any password or security question and answer, as applicable, or to take other appropriate steps to protect the affected online account and all other online accounts for which the resident uses the same username or email address and password or security question and answer.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>Any person that furnishes an electronic mail account shall not comply with this section by providing notification to the email account that was breached or reasonably believed to have been breached if the person cannot reasonably verify the affected resident’s receipt of such notification. In such an event, the person shall provide notice by another method described in this section or by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an internet protocol address or online location from which the person knows the resident customarily accesses the account.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h2 class="wp-block-heading">Data Disposal and Security: Conn. Gen. Stat. § 42-471, 42-471a.</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute. See statute for any applicable exceptions or exemptions.</p>



<h3 class="wp-block-heading">Key Terms</h3>



<p>The term “personal information” means information capable of being associated with a particular individual through one or more identifiers, including, but not limited to, a Social Security number, a driver’s license number, a state identification card number, an account number, a credit or debit card number, a passport number, an alien registration number, a health insurance identification number, or any military identification information, and does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records or widely distributed media, and (2) “military identification information” means information identifying a person as a member of the armed forces, as defined in Section 27-103, or a veteran, as defined in said section, including, but not limited to, a selective service number, military identification number, discharge document, military identification card, or military retiree identification card.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>The term “publicly displayed” includes, but is not limited to, posting on an Internet web page.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security Requirements</h3>



<p>Any person in possession of personal information of another person shall safeguard the data, computer files, and documents containing the information from misuse by third parties.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Written Policy</h3>



<p>Any person who collects Social Security numbers in the course of business shall create a privacy protection policy which shall be published or publicly displayed. The policy shall: (1) protect the confidentiality of Social Security numbers, (2) prohibit unlawful disclosure of Social Security numbers, and (3) limit access to Social Security numbers.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Disposal</h3>



<p>Any person in possession of personal information of another person shall destroy, erase, or make unreadable such data, computer files, and documents prior to disposal.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Other Information</h3>



<p>Each employer shall obtain and retain employment applications in a secure manner and shall employ reasonable measures to destroy or make unreadable such employment applications upon disposal. Such measures shall, at a minimum, include the shredding or other means of permanent destruction of such employment applications in a secure setting. For purposes of this section, “employer” has the meaning provided in Section 31-128a (“Employer” means an individual, corporation, partnership, or unincorporated association).</p>


Connecticut (Data Protection Map)


<h2 class="wp-block-heading">Consumer Data Privacy Law</h2>



<p>Consumer Data Privacy and Online Monitoring</p>



<p>Available at: <a href="https://coag.gov/app/uploads/2022/01/SB-21-190-CPA_Final.pdf">https://coag.gov/app/uploads/2022/01/SB-21-190-CPA_Final.pdf</a></p>



<h2 class="wp-block-heading">Data Breach Requirements: Colo. Rev. Stat. § 6-1-716.</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute.</p>



<h3 class="wp-block-heading">Personal Information</h3>



<p>(g)(I)(A) The term “personal information” means a Colorado resident’s first name or first initial and last name in combination with any one or more of the following data elements that relate to the resident, when the data elements are not encrypted, redacted, or secured by any other method rendering the name or the element unreadable or unusable: Social Security number; student, military, or passport identification number; driver’s license number or identification card number; medical information; health insurance identification number; or biometric data;</p>



<p>(B) A Colorado resident’s username or email address, in combination with a password or security questions and answers, that would permit access to an online account; or (C) A Colorado resident’s account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to that account.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security Breach Definition</h3>



<p>The term “security breach” means the unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a covered entity.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Good Faith Exception</h3>



<p>Good faith acquisition of personal information by an employee or agent of a covered entity for the covered entity’s business purposes is not a security breach if the personal information is not used for a purpose unrelated to the lawful operation of the business or is not subject to further unauthorized disclosure.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Risk of Harm Analysis</h3>



<p>A covered entity that maintains, owns, or licenses computerized data that includes personal information about a resident of Colorado shall, when it becomes aware that a security breach may have occurred, conduct in good faith a prompt investigation to determine the likelihood that personal information has been or will be misused. The covered entity shall give notice to the affected Colorado residents unless the investigation determines that the misuse of information about a Colorado resident has not occurred and is not reasonably likely to occur.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Timeline</h3>



<p>Notice of the security breach must be made in the most expedient time possible and without unreasonable delay, but not later than thirty days after the date of determination that a security breach occurred, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security and Investigation Exceptions</h3>



<p>Notice of a data breach may be delayed if a law enforcement agency determines that the notice will impede a criminal investigation and the law enforcement agency has notified the covered entity that conducts business in Colorado not to send the breach notice. The breach notice must be made in good faith, in the most expedient time possible, and without unreasonable delay, but not later than thirty days after the law enforcement agency determines that notification will no longer impede the investigation and has notified the covered entity that conducts business in Colorado that it is appropriate to send the breach notice.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Content Requirements</h3>



<p>In the case of a breach of personal information, notice to affected Colorado residents must include, but need not be limited to, the following information:</p>



<p>(I) The date, estimated date, or estimated date range of the security breach;</p>



<p>(II) A description of the personal information that was acquired or reasonably believed to have been acquired as part of the security breach;</p>



<p>(III) Information that the resident can use to contact the covered entity to inquire about the security breach;</p>



<p>(IV) The toll-free numbers, addresses, and websites for consumer reporting agencies;</p>



<p>(V) The toll-free number, address, and website for the Federal Trade Commission; and (VI) A statement that the resident can obtain information from the Federal Trade Commission and the credit reporting agencies about fraud alerts and security freezes.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Delivery Methods</h3>



<p>A breach notice may be provided by one of the following methods:</p>



<p>(I) Written notice to the postal address listed in the records of the covered entity;</p>



<p>(II) Telephonic notice;</p>



<p>(III) Electronic notice, if a primary means of communication by the covered entity with a Colorado resident is by electronic means or the notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001 (The Electronic Signatures in Global and National Commerce Act); or (IV) Substitute notice, if the covered entity required to provide notice demonstrates that the cost of providing notice will exceed $250,000, the affected class of persons to be notified exceeds 250,000 Colorado residents, or the covered entity does not have sufficient contact information to provide notice.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Substitute Notice</h3>



<p>Substitute notice consists of all of the following:</p>



<p>(A) Email notice if the covered entity has email addresses for the members of the affected class of Colorado residents;</p>



<p>(B) Conspicuous posting of the notice on the website page of the covered entity if the covered entity maintains one; and (C) Notification to major statewide media.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notice to Government Agencies</h3>



<p>The covered entity that must notify Colorado residents of a data breach shall provide notice of any security breach to the Colorado attorney general in the most expedient time possible and without unreasonable delay, but not later than 30 days after the date of determination that a security breach occurred, if the security breach is reasonably believed to have affected 500 Colorado residents or more, unless the investigation determines that the misuse of information about a Colorado resident has not occurred and is not likely to occur. The Colorado attorney general shall designate a person or persons as a point of contact for these functions and shall make the contact information for the person or persons public on the attorney general’s website and by any other appropriate means.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Consumer Reporting Agencies</h3>



<p>If a covered entity is required to notify more than 1,000 Colorado residents of a security breach, the covered entity shall also notify, in the most expedient time possible and without unreasonable delay, all consumer reporting agencies of the anticipated date of the notification to the residents and the approximate number of residents who are to be notified. Nothing in this subsection (2)(d) requires the covered entity to provide to the consumer reporting agency the names or other personal information of security breach notice recipients. This subsection (2)(d) does not apply to a covered entity who is subject to Title V of the Gramm-Leach-Bliley Act.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Preemption and Compliance</h3>



<p>A covered entity that is regulated by state or federal law and that maintains procedures for a security breach pursuant to the laws, rules, regulations, guidances, or guidelines established by its state or federal regulator is in compliance with this section; notice to the attorney general is still required pursuant to subsection (2)(f) of this section. In the case of a conflict between the time period for notice to individuals that is required pursuant to law and the applicable state or federal law or regulation, the law or regulation with the shortest time frame for notice to the individual controls.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>The law’s content requirements shall not be interpreted to prohibit data breach notifications from containing additional information, including any information that may be required by state or federal law.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Processor Obligations</h3>



<p>If a covered entity uses a third-party service provider to maintain computerized data that includes personal information, then the third-party service provider shall give notice to and cooperate with the covered entity in the event of a security breach that compromises such computerized data, including notifying the covered entity of any security breach in the most expedient time possible, and without unreasonable delay following discovery of a security breach, if misuse of personal information about a Colorado resident occurred or is likely to occur. Cooperation includes sharing with the covered entity information relevant to the security breach; except that such cooperation does not require the disclosure of confidential business information or trade secrets.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Other Information</h3>



<p>If an investigation by the covered entity into the security breach determines that the type of personal information described in subsection (1)(g)(I)(B) of this section has been misused or is reasonably likely to be misused, then the covered entity shall, in addition to the notice otherwise required by subsection (2)(a.2) of this section and in the most expedient time possible and without unreasonable delay, but not later than thirty days after the date of determination that a security breach occurred, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system:<br>(I) Direct the person whose personal information has been breached to promptly change his or her password and security question or answer, as applicable, or to take other steps appropriate to protect the online account with the covered entity and all other online accounts for which the person whose personal information has been breached uses the same username or email address and password or security question or answer.<br>(II) For log-in credentials of an email account furnished by the covered entity, the covered entity shall not comply with this section by providing the security breach notification to that email address, but may instead comply with this section by providing notice through other methods, as defined in subsection (1)(f) of this section, or by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an internet protocol address or online location from which the covered entity knows the resident customarily accesses the account.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>A covered entity that is required to provide a breach notification to affected Colorado residents is prohibited from charging the cost of providing such notice to such residents.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h2 class="wp-block-heading">Data Disposal and Security: Colo. Rev. Stat. § 6-1-713 and 713.5.</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute. See statute for any applicable exceptions or exemptions.</p>



<h3 class="wp-block-heading">Key Terms</h3>



<p>The term “personal identifying information” means a Social Security number; a personal identification number; a password; a pass code; an official state or government-issued driver’s license or identification card number; a government passport number; biometric data, as defined in Section 6-1-716(1)(a); an employer, student, or military identification number; or a financial transaction device, as defined in Section 18-5-701(3).</p>



<p>The term “biometric data” means unique biometric data generated from measurements or analysis of human body characteristics for the purpose of authenticating the individual when he or she accesses an online account.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>The term “financial transaction device” means any instrument or device whether known as a credit card, banking card, debit card, electronic fund transfer card, or guaranteed check card, or account number representing a financial account or affecting the financial interest, standing, or obligation of or to the account holder, that can be used to obtain cash, goods, property, or services or to make financial payments, but shall not include a “check,” a “negotiable order of withdrawal,” and a “share draft” as defined in Section 18-5-205.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>The term “third-party service provider” means an entity that has been contracted to maintain, store, or process personal identifying information on behalf of a covered entity.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security Requirements</h3>



<p>To protect personal identifying information from unauthorized access, use, modification, disclosure, or destruction, a covered entity that maintains, owns, or licenses personal identifying information of an individual residing in the state shall implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal identifying information and the nature and size of the business and its operations.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>Unless a covered entity agrees to provide its own security protection for the information it discloses to a third-party service provider, the covered entity shall require that the third-party service provider implement and maintain reasonable security procedures and practices that are: (a) appropriate to the nature of the personal identifying information disclosed to the third-party service provider; and (b) reasonably designed to help protect the personal identifying information from unauthorized access, use, modification, disclosure, or destruction.</p>



<p>A disclosure of personal identifying information does not include disclosure of information to a third party under circumstances where the covered entity retains primary responsibility for implementing and maintaining reasonable security procedures and practices appropriate to the nature of the personal identifying information and the covered entity implements and maintains technical controls that are reasonably designed to: (a) Help protect the personal identifying information from unauthorized access, use, modification, disclosure, or destruction; or (b) Effectively eliminate the third party’s ability to access the personal identifying information, notwithstanding the third party’s physical possession of the personal identifying information.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Written Policy</h3>



<p>Yes (See Data Disposal).</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Disposal</h3>



<p>Each covered entity in the state that maintains paper or electronic documents during the course of business that contain personal identifying information shall develop a written policy for the destruction or proper disposal of those paper and electronic documents containing personal identifying information. Unless otherwise required by state or federal law or regulation, the written policy must require that, when such paper or electronic documents are no longer needed, the covered entity shall destroy or arrange for the destruction of such paper and electronic documents within its custody or control that contain personal identifying information by shredding, erasing, or otherwise modifying the personal identifying information in the paper or electronic documents to make the personal identifying information unreadable or indecipherable through any means.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Other Information</h3>



<p>A covered entity that is regulated by state or federal law and that maintains procedures for disposal of personal identifying information pursuant to the laws, rules, regulations, guidances, or guidelines established by its state or federal regulator is in compliance with this section.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>Unless an entity specifically contracts with a recycler or disposal firm for destruction of documents that contain personal identifying information, nothing in the law shall require a recycler or disposal firm to verify that the documents contained in the products it receives for disposal or recycling have been properly destroyed or disposed of as required by this section.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>A covered entity that is regulated by state or federal law and that maintains procedures for protection of personal identifying information pursuant to the laws, rules, regulations, guidances, or guidelines established by its state or federal regulator is in compliance with this section.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<p>See Colorado Privacy Act (Appendix 2).</p>


Colorado (Data Protection Map)


<h2 class="wp-block-heading">Consumer Data Privacy Law</h2>



<p>Consumer Data Privacy and Online Monitoring</p>



<p>Available at: &nbsp;<a href="https://cppa.ca.gov/regulations/pdf/cppa_act.pdf">https://cppa.ca.gov/regulations/pdf/cppa_act.pdf</a></p>



<h2 class="wp-block-heading">Data Breach Requirements: Cal. Civ. Code § 1798.82.</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute.</p>



<h3 class="wp-block-heading">Personal Information</h3>



<p>(h) The term “personal information” means either of the following:<br>(1) An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:<br>(A) Social Security number.<br>(B) Driver’s license number, California identification card number, taxpayer identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual.<br>(C) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.<br>(D) Medical information.<br>(E) Health insurance information.<br>(F) Unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, used to authenticate a specific individual. Unique biometric data does not include a physical or digital photograph, unless used or stored for facial recognition purposes.<br>(G) Information or data collected through the use or operation of an automated license plate recognition system, as defined in Section 1798.90.5.<br>(H) Genetic data.<br>(2) A username or email address, in combination with a password or security question and answer that would permit access to an online account.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>The term “genetic data” means any data, regardless of its format, that results from the analysis of a biological sample of an individual, or from another source enabling equivalent information to be obtained, and concerns genetic material. Genetic material includes, but is not limited to, deoxyribonucleic acids (DNA), ribonucleic acids (RNA), genes, chromosomes, alleles, genomes, alterations or modifications to DNA or RNA, single nucleotide polymorphisms (SNPs), uninterpreted data that results from analysis of the biological sample or other source, and any information extrapolated, derived, or inferred therefrom.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security Breach Definition</h3>



<p>The term “breach of the security of the system” means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Good Faith Exception</h3>



<p>Good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Risk of Harm Analysis</h3>



<p>N/A</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Timeline</h3>



<p>The data breach notification shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security and Investigation Exceptions</h3>



<p>The breach notification may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notification shall be made promptly after the law enforcement agency determines that it will not compromise the investigation.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Content Requirements</h3>



<p>(d) A person or business that is required to issue a security breach notification shall meet all of the following requirements:</p>



<p>(1) The security breach notification shall be written in plain language, shall be titled “Notice of Data Breach,” and shall present the information described in paragraph (2) under the following headings: “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information.” Additional information may be provided as a supplement to the notice.</p>



<p>(A) The format of the notice shall be designed to call attention to the nature and significance of the information it contains.</p>



<p>(B) The title and headings in the notice shall be clearly and conspicuously displayed.</p>



<p>(C) The text of the notice and any other notice provided shall be no smaller than 10-point type.</p>



<p>(D) For a written notice described in paragraph (1) of subdivision (j), use of the model security breach notification form prescribed below or use of the headings described in this paragraph with the information described in paragraph (2), written in plain language, shall be deemed to be in compliance with this subdivision.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>[NAME OF INSTITUTION / LOGO]</p>



<p class="has-text-align-right">Date: [insert date]</p>



<p class="has-text-align-center">NOTICE OF DATA BREACH</p>



<p>What Happened?</p>



<p>What Information Was Involved?</p>



<p>What We Are Doing.</p>



<p>What You Can Do.</p>



<p>Other Important Information.</p>



<p>[insert other important information]</p>



<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Call [telephone number] or go to [internet website]</p>



<p>For More Information.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>(E) For an electronic notice described in paragraph (2) of subdivision (j), use of the headings described in this paragraph with the information described in paragraph (2), written in plain language, shall be deemed to be in compliance with this subdivision.</p>



<p>(2) The security breach notification described in paragraph (1) shall include, at a minimum, the following information:</p>



<p>(A) The name and contact information of the reporting person or business subject to this section.</p>



<p>(B) A list of the types of personal information that were or are reasonably believed to have been the subject of a breach.</p>



<p>(C) If the information is possible to determine at the time the notice is provided, then any of the following: (i) the date of the breach, (ii) the estimated date of the breach, or (iii) the date range within which the breach occurred. The notification shall also include the date of the notice.</p>



<p>(D) Whether notification was delayed as a result of a law enforcement investigation, if that information is possible to determine at the time the notice is provided.</p>



<p>(E) A general description of the breach incident, if that information is possible to determine at the time the notice is provided.</p>



<p>(F) The toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed a Social Security number or a driver’s license or California identification card number.</p>



<p>(G) If the person or business providing the notification was the source of the breach, an offer to provide appropriate identity theft prevention and mitigation services, if any, shall be provided at no cost to the affected person for not less than 12 months, along with all information necessary to take advantage of the offer to any person whose information was or may have been breached if the breach exposed or may have exposed personal information defined in subparagraphs (A) and (B) of paragraph (1) of subdivision (h).</p>



<p>(3) At the discretion of the person or business, the security breach notification may also include any of the following:</p>



<p>(A) Information about what the person or business has done to protect individuals whose information has been breached.</p>



<p>(B) Advice on steps that people whose information has been breached may take to protect themselves. (C) In breaches involving biometric data, instructions on how to notify other entities that used the same type of biometric data as an authenticator to no longer rely on data for authentication purposes.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Delivery Methods</h3>



<p>(j) For purposes of this section, “notice” may be provided by one of the following methods:</p>



<p>(1) Written notice.</p>



<p>(2) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001 (The Electronic Signatures in Global and National Commerce Act). (3) Substitute notice, if the person or business demonstrates that the cost of providing notice would exceed $250,000, or that the affected class of subject persons to be notified exceeds 500,000, or the person or business does not have sufficient contact information.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Substitute Notice</h3>



<p>Substitute notice shall consist of all of the following:</p>



<p>(A) Email notice when the person or business has an email address for the subject persons.</p>



<p>(B) Conspicuous posting, for a minimum of 30 days, of the notice on the internet website page of the person or business, if the person or business maintains one. For purposes of this subparagraph, conspicuous posting on the person’s or business’ internet website means providing a link to the notice on the home page or first significant page after entering the internet website that is in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the link. (C) Notification to major statewide media.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notice to Government Agencies</h3>



<p>A person or business that is required to issue a breach notification to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. A single sample copy of a security breach notification shall not be deemed to be within subdivision (f) of Section 6254 of the Government Code.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Consumer Reporting Agencies</h3>



<p>N/A</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Preemption and Compliance</h3>



<p>A covered entity under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), will be deemed to have complied with the breach notice requirements if it has complied completely with Section 13402(f) of the federal Health Information Technology for Economic and Clinical Health Act (HITECH). However, nothing in this subdivision shall be construed to exempt a covered entity from any other provision of this section.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Processor Obligations</h3>



<p>A person or business that maintains computerized data that includes personal information that the person or business does not own shall notify the owner or licensee of the information of the breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Other Information</h3>



<p>In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (h) for an online account, and no other personal information defined in paragraph (1) of subdivision (h), the person or business may comply with this section by providing the security breach notification in electronic or other form. The notification should direct the person whose personal information has been breached promptly to change the person’s password and security question or answer, as applicable, or to take other steps appropriate to protect the online account with the person or business and all other online accounts for which the person whose personal information has been breached uses the same username or email address and password or security question or answer.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (h) for login credentials of an email account furnished by the person or business, the person or business shall not comply with this section by providing the security breach notification to that email address, but may, instead, comply with this section by providing notice by another method described in this subdivision or by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an internet protocol address or online location from which the person or business knows the resident customarily accesses the account.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h2 class="wp-block-heading">Data Disposal and Security: Cal. Civ. Code § 1798.80 et seq.</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute. See statute for any applicable exceptions or exemptions.</p>



<h3 class="wp-block-heading">Key Terms</h3>



<p>The terms “own” and “license” include personal information that a business retains as part of the business’ internal customer account or for the purpose of using that information in transactions with the person to whom the information relates.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>The term “maintain” includes personal information that a business maintains but does not own or license.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>(1) The term “personal information” means either of the following:<br>(A) An individual’s first name or first initial and the individual’s last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:<br>(i) Social Security number.<br>(ii) Driver’s license number, California identification card number, taxpayer identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual.<br>(iii) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.<br>(iv) Medical information.<br>(v) Health insurance information.<br>(vi) Unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, used to authenticate a specific individual. Unique biometric data does not include a physical or digital photograph, unless used or stored for facial recognition purposes.<br>(vii) Genetic data.<br>(B) A username or email address in combination with a password or security question and answer that would permit access to an online account.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>(2) “Medical information” means any individually identifiable information, in electronic or physical form, regarding the individual’s medical history or medical treatment or diagnosis by a health care professional.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>(3) “Health insurance information” means an individual’s insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>(5) “Genetic data” means any data, regardless of its format, that results from the analysis of a biological sample of an individual, or from another source enabling equivalent information to be obtained, and concerns genetic material. Genetic material includes, but is not limited to, deoxyribonucleic acids (DNA), ribonucleic acids (RNA), genes, chromosomes, alleles, genomes, alterations or modifications to DNA or RNA, single nucleotide polymorphisms (SNPs), uninterpreted data that results from analysis of the biological sample or other source, and any information extrapolated, derived, or inferred therefrom.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security Requirements</h3>



<p>A business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>A business that discloses personal information about a California resident pursuant to a contract with a nonaffiliated third party that is not subject to these security requirements shall require by contract that the third party implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Disposal</h3>



<p>A business shall take all reasonable steps to dispose, or arrange for the disposal, of customer records within its custody or control containing personal information when the records are no longer to be retained by the business by (a) shredding, (b) erasing, or (c) otherwise modifying the personal information in those records to make it unreadable or undecipherable through any means.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Other Information</h3>



<p>See the California Consumer Privacy Act, as amended.</p>


California (Data Protection Map)


<h2 class="wp-block-heading">Data Breach Requirements: Ark. Code Ann. § 4-110-101 et seq.</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute.</p>



<h3 class="wp-block-heading">Personal Information</h3>



<p>(7) The term “personal information” means an individual’s first name or first initial and his or her last name in combination with any one or more of the following data elements when either the name or the data element is not encrypted or redacted:<br>(A) Social Security number;<br>(B) Driver’s license number or Arkansas identification card number;<br>(C) Account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account;<br>(D) Medical information; and<br>(E)(i) Biometric data.</p>



<p>(ii) As used in this subdivision (7)(E), “biometric data” means data generated by automatic measurements of an individual’s biological characteristics, including without limitation: (a) Fingerprints; (b) Faceprint; (c) A retinal or iris scan; (d) Hand geometry; (e) Voiceprint analysis; (f) Deoxyribonucleic acid (DNA); or (g) Any other unique biological characteristics of an individual if the characteristics are used by the owner or licensee to uniquely authenticate the individual’s identity when the individual accesses a system or account;</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security Breach Definition</h3>



<p>The term “breach of the security of the system” means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a person or business.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Good Faith Exception</h3>



<p>A “breach of the security of the system” does not include the good faith acquisition of personal information by an employee or agent of the person or business for the legitimate purposes of the person or business if the personal information is not otherwise used or subject to further unauthorized disclosure.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Risk of Harm Analysis</h3>



<p>A breach notification is not required if, after a reasonable investigation, the person or business determines that there is no reasonable likelihood of harm to customers.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Timeline</h3>



<p>Any person or business that acquires, owns, or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach of the security of the system to any Arkansas resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time and manner possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, or any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security and Investigation Exceptions</h3>



<p>The breach notification may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The breach notification required shall be made after the law enforcement agency determines that it will not compromise the investigation.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Content Requirements</h3>



<p>N/A</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Delivery Methods</h3>



<p>A breach notice may be provided by one of the following methods:</p>



<p>(1) Written notice;</p>



<p>(2) Electronic mail notice if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001 (The Electronic Signatures in Global and National Commerce Act), as it existed on January 1, 2005; or (3)(A) Substitute notice if the person or business demonstrates that: (i) The cost of providing notice would exceed $250,000; (ii) The affected class of persons to be notified exceeds 500,000; or (iii) The person or business does not have sufficient contact information.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Substitute Notice</h3>



<p>Substitute notice shall consist of all of the following:</p>



<p>(i) Electronic mail notice when the person or business has an electronic mail address for the subject persons;</p>



<p>(ii) Conspicuous posting of the notice on the website of the person or business if the person or business maintains a website; and (iii) Notification by statewide media.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notice to Government Agencies</h3>



<p>If a breach affects the personal information of more than one thousand (1,000) individuals, the person or business required to make a breach notification shall, at the same time the security breach is disclosed to an affected individual or within 45 days after the person or business determines that there is a reasonable likelihood of harm to customers, whichever occurs first, disclose the security breach to the attorney general.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Consumer Reporting Agencies</h3>



<p>N/A</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Preemption and Compliance</h3>



<p>The law does not apply to a person or business that is regulated by a state or federal law that provides greater protection to personal information and at least as thorough disclosure requirements for breaches of the security of personal information than that provided by this law. Compliance with the state or federal law shall be deemed compliance with this chapter with regard to the subjects covered by this law.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Processor Obligations</h3>



<p>A person or business that maintains computerized data that includes personal information that the person or business does not own shall notify the owner or licensee that there has been a breach of the security of the system immediately following discovery if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Other Information</h3>



<p>A person or business shall retain a copy of the written determination of a breach of the security of a system and supporting documentation for five (5) years from the date of determination of the breach of the security of the system. If the attorney general submits a written request for the written determination of the breach of the security of the system, the person or business shall send a copy of the written determination of the breach of the security of the system and supporting documentation to the Attorney General no later than thirty (30) days after the date of receipt of the request.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h2 class="wp-block-heading">Data Disposal and Security: Ark. Code Ann. §§ 4-110-103, 4-110-104, 4-110-106.</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute. See statute for any applicable exceptions or exemptions.</p>



<h3 class="wp-block-heading">Key Terms</h3>



<p>The term “personal information” means an individual’s first name or first initial and his or her last name in combination with any one or more of the following data elements when either the name or the data element is not encrypted or redacted:<br>(A) Social Security number;<br>(B) Driver’s license number or Arkansas identification card number;<br>(C) Account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account;<br>(D) Medical information; and<br>(E)(i) Biometric data.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>The term “biometric data” means data generated by automatic measurements of an individual’s biological characteristics, including without limitation:<br>(a) Fingerprints;<br>(b) Faceprint;<br>(c) A retinal or iris scan;<br>(d) Hand geometry;<br>(e) Voiceprint analysis;<br>(f) Deoxyribonucleic acid (DNA); or<br>(g) Any other unique biological characteristics of an individual if the characteristics are used by the owner or licensee to uniquely authenticate the individual’s identity when the individual accesses a system or account.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security Requirements</h3>



<p>A person or business that acquires, owns, or licenses personal information about an Arkansas resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Disposal</h3>



<p>A person or business shall take all reasonable steps to destroy or arrange for the destruction of a customer’s records within its custody or control containing personal information that is no longer to be retained by the person or business by shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means.</p>


Arkansas (Data Protection Map)


<h2 class="wp-block-heading">Data Breach Requirements: Ariz. R.S. § 18-551 et seq.</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute.</p>



<h3 class="wp-block-heading">Personal Information</h3>



<p>(7) The term “personal information” (a) means any of the following: (i) An individual’s first name or first initial and last name in combination with one or more specified data elements. (ii) An individual’s username or email address, in combination with a password or security question and answer, that allows access to an online account.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<ol start="11"><li>The term “specified data element” means any of the following:<br>(a) An individual’s Social Security number.<br>(b) The number on an individual’s driver’s license issued pursuant to § 28-3166 or nonoperating identification license issued pursuant to § 28-3165.<br>(c) A private key that is unique to an individual and that is used to authenticate or sign an electronic record.<br>(d) An individual’s financial account number or credit or debit card number in combination with any required security code, access code, or password that would allow access to the individual’s financial account.<br>(e) An individual’s health insurance identification number.<br>(f) Information about an individual’s medical or mental health treatment or diagnosis by a health care professional.<br>(g) An individual’s passport number.<br>(h) An individual’s taxpayer identification number or an identity protection personal identification number issued by the United States Internal Revenue Service.<br>(i) Unique biometric data generated from a measurement or analysis of human body characteristics to authenticate an individual when the individual accesses an online account.</li></ol>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security Breach Definition</h3>



<p>The term “breach” or “security system breach”: (a) means an unauthorized acquisition of and unauthorized access that materially compromises the security or confidentiality of unencrypted and unredacted computerized personal information maintained as part of a database of personal information regarding multiple individuals.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>A “security incident” means an event that creates reasonable suspicion that a person’s information systems or computerized data may have been compromised or that measures put in place to protect the person’s information systems or computerized data may have failed.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Good Faith Exception</h3>



<p>A “breach” or “security system breach” does not include a good faith acquisition of personal information by a person’s employee or agent for the purposes of the person if the personal information is not used for a purpose unrelated to the person and is not subject to further unauthorized disclosure.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Risk of Harm Analysis</h3>



<p>A person is not required to make a breach notification if the person, an independent third-party forensic auditor, or a law enforcement agency determines after a reasonable investigation that a security system breach has not resulted in or is not reasonably likely to result in substantial economic loss to affected individuals.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Timeline</h3>



<p>If a person that conducts business in this state and who owns, maintains, or licenses unencrypted and unredacted computerized personal information becomes aware of a security incident, the person shall conduct an investigation to promptly determine whether there has been a security system breach. If the investigation results in a determination that there has been a security system breach, the person that owns or licenses the computerized data shall provide the breach notification within forty-five days after the determination.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security and Investigation Exceptions</h3>



<p>The breach notification may be delayed if a law enforcement agency advises the person that the notifications will impede a criminal investigation. On being informed by the law enforcement agency that the notifications no longer compromise the investigation, the person shall make the required notifications, as applicable, within forty-five days.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Content Requirements</h3>



<p>The breach notification shall include at least the following:</p>



<ol><li>The approximate date of the breach.</li><li>A brief description of the personal information included in the breach.</li><li>The toll-free numbers and addresses for the three largest nationwide consumer reporting agencies.</li><li>The toll-free number, address, and website address for the Federal Trade Commission or any federal agency that assists consumers with identity theft matters.</li></ol>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Delivery Methods</h3>



<p>The breach notification shall be provided by one of the following methods:</p>



<ol><li>Written notice.</li><li>An email notice if the person has email addresses for the individuals who are subject to the notice.</li><li>Telephonic notice, if telephonic contact is made directly with the affected individuals and is not through a prerecorded message.</li><li>Substitute notice if the person demonstrates that the cost of providing notice pursuant to paragraphs 1, 2, or 3 would exceed $50,000, that the affected class of subject individuals to be notified exceeds one hundred thousand (100,000) individuals, or that the person does not have sufficient contact information.</li></ol>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Substitute Notice</h3>



<p>Substitute notice consists of all of the following:</p>



<p>(a) A written letter to the attorney general that demonstrates the facts necessary for substitute notice. </p>



<p>(b) Conspicuous posting of the notice for at least forty-five days on the website of the person if the person maintains one.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notice to Government Agencies</h3>



<p>If the breach requires notification of more than 1,000 individuals, the affected person must notify the <a>attorney general and the director of the Arizona </a>department of homeland security, in writing, in a form prescribed by rule or order of the attorney general or by providing the attorney general with a copy of the notification provided pursuant to paragraph 1 of this subsection.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Consumer Reporting Agencies</h3>



<p>If the breach requires notification of more than one thousand individuals, the affected person must notify the three largest nationwide consumer reporting agencies.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Preemption and Compliance</h3>



<p>A person who complies with the notification requirements or security system breach procedures pursuant to the rules, regulations, procedures, guidance, or guidelines established by the person’s primary or functional federal regulator is deemed to be in compliance with these breach notification requirements.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>The breach notification requirements do not apply to either of the following:</p>



<ol><li>A person that is subject to Title V of the Gramm-Leach-Bliley Act.</li><li>A covered entity or business associates as defined under regulations implementing the Health Insurance Portability and Accountability Act of 1996 (HIPAA), 45 Code of Federal Regulations section 160.103 (2013), or a charitable fund-raising foundation or nonprofit corporation whose primary purpose is to support a specified covered entity, if the charitable fund-raising foundation or nonprofit corporation complies with any applicable provision of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations.</li></ol>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Processor Obligations</h3>



<p>A person that maintains unencrypted and unredacted computerized personal information that the person does not own or license shall notify, as soon as practicable, the owner or licensee of the information on discovering any security system breach and cooperate with the owner or the licensee of the personal information, including sharing information relevant to the breach with the owner or licensee. The person that maintains the data under an agreement with the owner or licensee is not required to provide the notifications required by subsection B of this section unless the agreement stipulates otherwise.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Other Information</h3>



<p>If a breach involves personal information as prescribed in § 18-551, paragraph 7, subdivision (a), item (ii) for an online account (i.e., an individual’s username or email address, in combination with a password or security question and answer, that allows access to an online account) and does not involve personal information as defined in § 18-551, paragraph 7, subdivision (a), item (i), the person may comply with this law by providing the notification in an electronic or other form. The notification should direct the individual whose personal information has been breached to promptly change the individual’s password and security question or answer, as applicable, or to take other steps that are appropriate to protect the online account of the person and all other online accounts for which the individual whose personal information has been breached uses the same username and email address and password or security question or answer.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>If the breach of personal information as prescribed in § 18-551, paragraph 7, subdivision (a), item (ii) is for login credentials of an email account furnished by the person, the person is not required to comply with this section by providing the notification to that email address, but may comply with this section by providing notification by another method described in this subsection or by providing clear and conspicuous notification delivered to the individual online when the individual is connected to the online account from an internet protocol address or online location from which the person knows the individual customarily accesses the account. The person satisfies the notification requirement with regard to the individual’s account by requiring the individual to reset the individual’s password or security question and answer for that account if the person also notifies the individual to change the same password or security question and answer for all other online accounts for which the individual uses the same username or email address and password or security question or answer.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h2 class="wp-block-heading">Data Disposal and Security: Ariz. R.S. § 44-7601.</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute. See statute for any applicable exceptions or exemptions.</p>



<h3 class="wp-block-heading">Key Terms</h3>



<p>See Data Disposal.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Disposal</h3>



<p>A. An entity shall not knowingly discard or dispose of records or documents without redacting the information or destroying the records or documents if the records or documents contain an individual’s first and last name or first initial and last name in combination with a corresponding complete:</p>



<ol><li>Social Security number.</li><li>Credit card, charge card, or debit card number.</li><li>Retirement account number.</li><li>Savings, checking, or securities entitlement account number.</li><li>Driver’s license number or nonoperating identification license number.</li></ol>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>An entity that maintains and complies with the entity’s own procedures for the discarding or disposing of records or documents containing the information listed in Subsection A of this section that is consistent with the requirements of this section shall be deemed to be in compliance with this section.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Other Information</h3>



<p>The data disposal requirements only apply to paper records and paper documents.</p>


Arizona (Data Protection Map)


<h2 class="wp-block-heading">Data Breach Requirements: Alaska Stat. Ann. § 45.48.010 et seq.</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute.</p>



<h3 class="wp-block-heading">Personal Information</h3>



<p>(7) The term “personal information” means information in any form on an individual that is not encrypted or redacted, or is encrypted and the encryption key has been accessed or acquired, and that consists of a combination of</p>



<p>(A) An individual’s name; and (B) one or more of the following information elements:</p>



<p>(i) The individual’s Social Security number;</p>



<p>(ii) The individual’s driver’s license number or state identification card number;</p>



<p>(iii) Except as provided in (iv) of this subparagraph, the individual’s account number, credit card number, or debit card number;</p>



<p>(iv) If an account can only be accessed with a personal code, the number in (iii) of this subparagraph and the personal code; in this sub-subparagraph, “personal code” means a security code, an access code, a personal identification number, or a password; (v) Passwords, personal identification numbers, or other access codes for financial accounts.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security Breach Definition</h3>



<p>The term “breach of the security” means unauthorized acquisition, or reasonable belief of unauthorized acquisition, of personal information that compromises the security, confidentiality, or integrity of the personal information maintained by the information collector.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>The term “acquisition” includes acquisition by </p>



<p>(A) photocopying, facsimile, or other paper-based method; </p>



<p>(B) a device, including a computer, that can read, write, or store information that is represented in numerical form; or </p>



<p>(C) a method not identified by (A) or (B) of this paragraph.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Good Faith Exception</h3>



<p>The good faith acquisition of personal information by an employee or agent of an information collector for a legitimate purpose of the information collector is not a breach of the security of the information system if the employee or agent does not use the personal information for a purpose unrelated to a legitimate purpose of the information collector and does not make further unauthorized disclosure of the personal information.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Risk of Harm Analysis</h3>



<p>A data breach notification is not required if, after an appropriate investigation and after written notification to the state attorney general, the covered person determines that there is not a reasonable likelihood that harm to the consumers whose personal information has been acquired has resulted or will result from the breach. The determination shall be documented in writing, and the documentation shall be maintained for five years. The notification required by this subsection may not be considered a public record open to inspection by the public.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Timeline</h3>



<p>An information collector shall make the breach notification disclosure in the most expeditious time possible and without unreasonable delay and as necessary to determine the scope of the breach and restore the reasonable integrity of the information system.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security and Investigation Exceptions</h3>



<p>An information collector may delay disclosing the breach if an appropriate law enforcement agency determines that disclosing the breach will interfere with a criminal investigation. However, the information collector shall disclose the breach to the state resident in the most expeditious time possible and without unreasonable delay after the law enforcement agency informs the information collector in writing that disclosure of the breach will no longer interfere with the investigation.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Content Requirements</h3>



<p>N/A</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Delivery Methods</h3>



<p>An information collector shall make the breach notification disclosure </p>



<p>(1) by a written document sent to the most recent address the information collector has for the state resident; </p>



<p>(2) by electronic means if the information collector’s primary method of communication with the state resident is by electronic means or if making the disclosure by the electronic means is consistent with the provisions regarding electronic records and signatures required for notices legally required to be in writing under 15 U.S.C. § 7001 (The Electronic Signatures in Global and National Commerce Act); or </p>



<p>(3) if the information collector demonstrates that the cost of providing notice would exceed $150,000, that the affected class of state residents to be notified exceeds 300,000, or that the information collector does not have sufficient contact information to provide notice, by </p>



<div class="wp-block-columns is-layout-flex wp-container-core-columns-is-layout-1 wp-block-columns-is-layout-flex">
<div class="wp-block-column is-layout-flow wp-block-column-is-layout-flow" style="flex-basis:100%">
<p>(A) electronic mail if the information collector has an electronic mail address for the state resident; </p>



<p>(B) conspicuously posting the disclosure on the internet website of the information collector if the information collector maintains an internet website; and </p>



<p>(C) providing a notice to major statewide media.</p>
</div>
</div>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Substitute Notice</h3>



<p>See Delivery Methods.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notice to Government Agencies</h3>



<p>See Risk of Harm Analysis.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Consumer Reporting Agencies</h3>



<p>(a) If an information collector is required notify more than 1,000 state residents of a breach, the information collector shall also notify without unreasonable delay all consumer credit reporting agencies and provide the agencies with the timing, distribution, and content of the notices to state residents. </p>



<p>(b) This section may not be construed to require the information collector to provide the consumer reporting agencies identified under (a) of this section with the names or other personal information of the state residents whose personal information was subject to the breach. </p>



<p>(c) This section does not apply to an information collector who is subject to the Gramm-Leach-Bliley Act.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Preemption and Compliance</h3>



<p>N/A</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Processor Obligations</h3>



<p>Immediately after the information recipient discovers the breach, the information recipient shall give notification of the breach to the information distributor who owns the personal information or who licensed the use of the personal information to the information recipient. The information recipient shall cooperate with the information distributor as necessary to allow the information distributor to comply with its legal obligations. In this subsection “cooperate” means sharing with the information distributor information relevant to the breach, except for confidential business information or trade secrets.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h2 class="wp-block-heading">Data Disposal and Security: Alaska Stat. Ann. § 45.48.500 et seq.</h2>



<p>The numbering and internal citations herein are derived from the applicable state statute. See statute for any applicable exceptions or exemptions.</p>



<h3 class="wp-block-heading">Key Terms</h3>



<p>The term “dispose” means:</p>



<p>(A) the discarding or abandonment of records containing personal information;</p>



<p>(B) the sale, donation, discarding, or transfer of </p>



<p>(i) any medium, including computer equipment or computer media, that contains records of personal information; </p>



<p>(ii) non-paper media, other than that identified under (i) of this subparagraph, on which records of personal information are stored; and </p>



<p>(iii) equipment for non-paper storage of information.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>The term “personal information” means: (A) an individual’s passport number, driver’s license number, state identification number, bank account number, credit card number, debit card number, other payment card number, financial account information, or information from a financial application; or (B) a combination of an individual’s (i) name; and (ii) medical information, insurance policy number, employment information, or employment history.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Written Policies</h3>



<p>A business or governmental agency shall adopt written policies and procedures that relate to the adequate destruction and proper disposal of records containing personal information.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>See Data Disposal (implementing and monitoring compliance with policies and procedures).</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Disposal</h3>



<p>When disposing of records that contain personal information, a business and a governmental agency shall take all reasonable measures necessary to protect against unauthorized access to or use of the records.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>The measures that may be taken to comply with the data disposal requirements include:</p>



<p>(1) implementing and monitoring compliance with policies and procedures that require the burning, pulverizing, or shredding of paper documents containing personal information so that the personal information cannot practicably be read or reconstructed;<br>(2) implementing and monitoring compliance with policies and procedures that require the destruction or erasure of electronic media and other non-paper media containing personal information so that the personal information cannot practicably be read or reconstructed;<br>(3) after due diligence, entering into a written contract with a third party engaged in the business of record destruction to dispose of records containing personal information in a manner consistent with AS 45.48.500-45.48.590. The term “due diligence” ordinarily includes performing one or more of the following:</p>



<p>(i) reviewing an independent audit of the third party’s operations and its compliance with AS 45.48.500-45.48.590;<br>(ii) obtaining information about the third party from several references or other reliable sources and requiring that the third party be certified by a recognized trade association or similar organization with a reputation for high standards of quality review; or<br>(iii) reviewing and evaluating the third party’s information security policies and procedures, or taking other appropriate measures to determine the competency and integrity of the third party.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Other Information</h3>



<p>If a business or governmental agency has otherwise complied with the provisions of AS 45.48.500-45.48.590 in the selection of a third party engaged in the business of record destruction, the business or governmental agency is not liable for the disposal of records under AS 45.48.500-45.48.590 after the business or governmental agency has relinquished control of the records to the third party for the destruction of the records.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>A business or governmental agency is not liable for the disposal of records under AS 45.48.500-45.48.590 after the business or governmental agency has relinquished control of the records to the individual to whom the records pertain.</p>


Alaska (Data Protection Map)


<h2 class="wp-block-heading">Data Breach Requirements: <a>Ala. Code 1975 § 8-38-1 et seq.</a></h2>



<p>The numbering and internal citations herein are derived from the applicable state statute.</p>



<h3 class="wp-block-heading">Personal Information</h3>



<p>(6) The term “sensitive personally identifying information” means:<br>a. Except as provided in paragraph b., an Alabama resident’s first name or first initial and last name in combination with one or more of the following with respect to the same Alabama resident:</p>



<ol><li>A non-truncated Social Security number or tax identification number.</li><li>A non-truncated driver’s license number, state-issued identification card number, passport number, military identification number, or other unique identification number issued on a government document used to verify the identity of a specific individual.</li><li>A financial account number, including a bank account number, credit card number, or debit card number, in combination with any security code, access code, password, expiration date, or PIN, that is necessary to access the financial account or to conduct a transaction that will credit or debit the financial account.</li><li>Any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.</li><li>An individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual.</li><li>A username or email address, in combination with a password or security question and answer that would permit access to an online account affiliated with the covered entity that is reasonably likely to contain or is used to obtain sensitive personally identifying information.</li></ol>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security Breach Definition</h3>



<p>The term “breach of security” or “breach” means the unauthorized acquisition of data in electronic form containing sensitive personally identifying information. Acquisition occurring over a period of time committed by the same entity constitutes one breach.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Good Faith Exception</h3>



<p>A “breach of security” or “breach” does not include any of the good faith acquisition of sensitive personally identifying information by an employee or agent of a covered entity, unless the information is used for a purpose unrelated to the business or subject to further unauthorized use.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Risk of Harm Analysis</h3>



<p>A covered entity that determines that sensitive personally identifying information has been acquired or is reasonably believed to have been acquired by an unauthorized person, and is reasonably likely to cause substantial harm to the individuals to whom the information relates, must give notice of the breach to each impacted individual.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Timeline</h3>



<p>A breach notice shall be made as expeditiously as possible and without unreasonable delay, taking into account the time necessary to allow the covered entity to conduct an investigation. The breach notification must be provided within 45 days of identifying that a breach has occurred and is reasonably likely to cause substantial harm to the individuals to whom the information relates.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security and Investigation Exceptions</h3>



<p>If a federal or state law enforcement agency determines that a breach notice to individuals would interfere with a criminal investigation or national security, the notice shall be delayed upon the receipt of written request of the law enforcement agency for a period that the law enforcement agency determines is necessary. A law enforcement agency, by a subsequent written request, may revoke the delay as of a specified date or extend the period set forth in the original request made under this section if further delay is necessary.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notification Content Requirements</h3>



<p>The breach notice shall include, at a minimum, all of the following:<br>(1) The date, estimated date, or estimated date range of the breach.<br>(2) A description of the sensitive personally identifying information that was acquired by an unauthorized person as part of the breach.<br>(3) A general description of the actions taken by a covered entity to restore the security and confidentiality of the personal information involved in the breach.<br>(4) A general description of steps an affected individual can take to protect himself or herself from identity theft.<br>(5) Information that the individual can use to contact the covered entity to inquire about the breach.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Delivery Methods</h3>



<p>A breach notice shall be given in writing and sent to the mailing address of the individual in the records of the covered entity or sent to the email address of the individual in the records of the covered entity.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>A covered entity required to provide a breach notice to any individual may provide substitute notice in lieu of direct notice, if direct notice is not feasible due to any of the following:<br>a. Excessive cost: (1) Excessive cost to the covered entity relative to the resources of the covered entity. (2) The cost to the covered entity exceeds $500,000.<br>b. Lack of sufficient contact information for the individual required to be notified.<br>c. The affected individuals exceed 100,000 persons.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Substitute Notice</h3>



<p>Substitute notice shall include both of the following:</p>



<ol><li>A conspicuous notice on the internet website of the covered entity, if the covered entity maintains a website, for a period of 30 days.</li><li>Notice in print and in broadcast media, including major media in urban and rural areas where the affected individuals reside.<br>b. An alternative form of substitute notice may be used with the approval of the attorney general.</li></ol>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Notice to Government Agencies</h3>



<p>If the number of individuals a covered entity is required to notify of a breach exceeds 1,000, the entity shall provide written notice of the breach to the attorney general as expeditiously as possible and without unreasonable delay, and within 45 days of identifying a breach has occurred and is reasonably likely to cause substantial harm to the individuals to whom the information relates. Written notice to the attorney general shall include all of the following:<br>(1) A synopsis of the events surrounding the breach at the time that notice is provided.<br>(2) The approximate number of individuals in the state who were affected by the breach.<br>(3) Any services related to the breach being offered or scheduled to be offered, without charge, by the covered entity to individuals and instructions on how to use the services.<br>(4) The name, address, telephone number, and email address of the employee or agent of the covered entity from whom additional information may be obtained about the breach.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>A covered entity may provide the attorney general with supplemental or updated information regarding a breach at any time.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Consumer Reporting Agencies</h3>



<p>If a covered entity discovers circumstances requiring notice of the breach to more than 1,000 individuals at a single time, the entity shall also notify, without unreasonable delay, all consumer reporting agencies and provide the timing, distribution, and content of the breach notices.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Preemption and Compliance</h3>



<p>An entity subject to or regulated by federal laws, rules, regulations, procedures, or guidance on data breach notification established or enforced by the federal government is exempt from this law, as long as the entity does all of the following:<br>(1) Maintains procedures pursuant to those laws, rules, regulations, procedures, or guidance.<br>(2) Provides notice to affected individuals pursuant to those laws, rules, regulations, procedures, or guidance.<br>(3) Provides a copy of the notice to the attorney general in a timely manner when the number of individuals the entity notified exceeds 1,000.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Processor Obligations</h3>



<p>In the event a third-party agent has experienced a breach of security in the system maintained by the agent, the agent shall notify the covered entity of the breach of security as expeditiously as possible and without unreasonable delay, but no later than 10 days following the determination of the breach of security or reason to believe the breach occurred.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>A third-party agent, in cooperation with a covered entity, shall provide information in the possession of the third-party agent so that the covered entity can comply with its notice requirements.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>A covered entity may enter into a contractual agreement with a third-party agent whereby the third-party agent agrees to handle notifications required under this law.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Other Information</h3>



<p>If a covered entity determines that a breach of security has or may have occurred in relation to sensitive personally identifying information that is accessed, acquired, maintained, stored, utilized, or communicated by, or on behalf of, the covered entity, the covered entity shall conduct a good faith and prompt investigation that includes all of the following:<br>(1) An assessment of the nature and scope of the breach.<br>(2) Identification of any sensitive personally identifying information that may have been involved in the breach and the identity of any individuals to whom that information relates.<br>(3) A determination of whether the sensitive personally identifying information has been acquired or is reasonably believed to have been acquired by an unauthorized person and is reasonably likely to cause substantial harm to the individuals to whom the information relates.<br>(4) Identification and implementation of measures to restore the security and confidentiality of the systems compromised in the breach.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>In determining whether sensitive personally identifying information has been acquired or is reasonably believed to have been acquired by an unauthorized person without valid authorization, the following factors may be considered:<br>(1) Indications that the information is in the physical possession and control of a person without valid authorization, such as a lost or stolen computer or other device containing information.<br>(2) Indications that the information has been downloaded or copied.<br>(3) Indications that the information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported.<br>(4) Whether the information has been made public.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>If a covered entity determines that notice is not required under this section, the entity shall document the determination in writing and maintain records concerning the determination for no less than five years.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h2 class="wp-block-heading"><a>Data Disposal and Security</a><strong>: </strong><a>Ala. Code 1975 § 8-38-2, -3, -10.</a></h2>



<p>The numbering and internal citations herein are derived from the applicable state statute. See statute for any applicable exceptions or exemptions.</p>



<h3 class="wp-block-heading">Key Terms</h3>



<p>The term “sensitive personally identifying information” means<br>a. Except as provided in paragraph b, an Alabama resident’s first name or first initial and last name in combination with one or more of the following with respect to the same Alabama resident:</p>



<ol><li>A non-truncated Social Security number or taxpayer identification number.</li><li>A non-truncated driver’s license number, state-issued identification card number, passport number, military identification number, or other unique identification number issued on a government document used to verify the identity of a specific individual.</li><li>A financial account number, including a bank account number, credit card number, or debit card number, in combination with any security code, access code, password, expiration date, or PIN, that is necessary to access the financial account or to conduct a transaction that will credit or debit the financial account.</li><li>Any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.</li><li>An individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual.</li><li>A username or email address, in combination with a password or security question and answer that would permit access to an online account affiliated with the covered entity that is reasonably likely to contain or is used to obtain sensitive personally identifying information.<br>b. The term does not include either of the following:</li><li>Information about an individual which has been lawfully made public by a federal, state, or local government record or a widely distributed media.</li><li>Information that is truncated, encrypted, secured, or modified by any other method or technology that removes elements that personally identify an individual or that otherwise renders the information unusable, including encryption of the data, document, or device containing the sensitive personally identifying information, unless the covered entity knows or has reason to know that the encryption key or security credential that could render the personally identifying information readable or useable has been breached together with the information.</li></ol>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Security Requirements</h3>



<p>Each covered entity and third-party agent shall implement and maintain reasonable security measures to protect sensitive personally identifying information against a breach of security.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>(b) Reasonable security measures means security measures practicable for the covered entity subject to subsection (c), to implement and maintain, including consideration of all of the following:<br>(1) Designation of an employee or employees to coordinate the covered entity’s security measures to protect against a breach of security. An owner or manager may designate himself or herself.<br>(2) Identification of internal and external risks of a breach of security.<br>(3) Adoption of appropriate information safeguards to address identified risks of a breach of security and assess the effectiveness of such safeguards.<br>(4) Retention of service providers, if any, that are contractually required to maintain appropriate safeguards for sensitive personally identifying information.<br>(5) Evaluation and adjustment of security measures to account for changes in circumstances affecting the security of sensitive personally identifying information.<br>(6) Keeping the management of the covered entity, including its board of directors, if any, appropriately informed of the overall status of its security measures; provided, however, that the management of a government entity subject to this subdivision may be appropriately informed of the status of its security measures through a properly convened executive session under the Open Meetings Act pursuant to Section 36-25A-7.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>An assessment of a covered entity’s security shall be based upon the entity’s reasonable security measures as a whole and shall place an emphasis on data security failures that are multiple or systemic, including consideration of all the following:<br>(1) The size of the covered entity.<br>(2) The amount of sensitive personally identifying information and the type of activities for which the sensitive personally identifying information is accessed, acquired, maintained, stored, utilized, or communicated by, or on behalf of, the covered entity.<br>(3) The covered entity’s cost to implement and maintain the reasonable security measures to protect against a breach of security relative to its resources.</p>



<hr class="wp-block-separator has-alpha-channel-opacity is-style-wide"/>



<h3 class="wp-block-heading">Data Disposal</h3>



<p>A covered entity or third-party agent shall take reasonable measures to dispose, or arrange for the disposal, of records containing sensitive personally identifying information within its custody or control when the records are no longer to be retained pursuant to applicable law, regulations, or business needs. Disposal shall include shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any reasonable means consistent with industry standards.</p>


California Consumer Privacy Act (CCPA) Compliance

CCPA Checklist

Resources

Have a question regarding privacy or cybersecurity issues?

Data Protection Map

Recent Insights

California Consumer Privacy Act (CCPA) Compliance

CCPA Checklist

Resources

Have a question regarding privacy or cybersecurity issues?

Related Services

Data Protection Map

Recent Insights