State Data Breach Laws


Alaska Personal information means a combination of (A) an individual's name;... and (B) one or more of the following information elements: (i) the individual's social security number; (ii) the individual's driver's license number or state identification card number; (iii) except as provided in (iv) of this subparagraph, the individual's account number, credit card number, or debit card number; (iv) if an account can only be accessed with a personal code, the number in (iii) of this subparagraph and the personal code; in this sub-subparagraph, personal code means a security code, an access code, a personal identification number, or a password; (v) passwords, personal identification numbers, or other access codes for financial accounts. No, if notice provided to Attorney General that there is not a reasonable likelihood that harm to the consumers will result from breach. ALASKA STAT. 45.48.010. Yes. Disclosure is not required if, after an appropriate investigation and after written notification to the attorney general of this state, the covered person determines that there is not a reasonable likelihood that harm to the consumers whose personal information has been acquired has resulted or will result from the breach. The determination shall be documented in writing, and the documentation shall be maintained for five years. ALASKA STAT. 45.48.010. Most expeditious time ALASKA STAT. 45.48.010. Arizona ALASKA STAT. 45.48.090. Personal information is an individual's first name or first initial and last name in combination with any one or more of the following data elements: (i) The individual's social security number. (ii) The individual's number on a driver license. (iii) The individual's financial account number or credit or debit card number in combination with any required security code, access code or password that would permit access to the individual's financial account. ARIZ. REV. STAT. 44-7501.
Yes, but a person is not required to disclose a breach of the security of the system if the person or a law enforcement agency, after a reasonable investigation, determines that a breach of the security of the system has not occurred or is not reasonably likely to occur. ARIZ. REV. STAT. 44-7501. Breach, breach of the security of the system, breach of the security system or security breach means an unauthorized acquisition of and access to unencrypted or unredacted computerized data that materially compromises the security or confidentiality of personal information maintained by a person as part of a database of personal information regarding multiple individuals and that causes or is reasonably likely to cause substantial economic loss to an individual. The notice shall be made in the most expedient manner unreasonable delay ARIZ. REV. STAT. 44-7501. ARIZ. REV. STAT. 44-7501 (emphasis added).

Arkansas Personal information means an individual's first name or first initial and his or her last name in combination with any one (1) or more of the following data elements: (A) Social security number; (B) Driver's license number or Arkansas identification card number; (C) Account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account; and (D) Medical information. Yes, but notification... is not required if, after a reasonable investigation, the person or business determines that there is no reasonable likelihood of harm to customers. ARK. CODE 4-110-105. The disclosure shall be made in the most expedient time and manner possible and without unreasonable delay ARK. CODE 4-110-105. California ARK. CODE 4-110-103. Personal information means either of the following: (1) An individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: (A) Social security number. (B) Driver's license number or California identification card number. (C) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account. (D) Medical information. (E) Health insurance information. (F) Information or data collected through the use or operation of an automated license plate recognition system, as defined in Section 1798.90.5. (2) A user name or email address, in combination with a password or security question and answer that would permit access to an online account. Yes. Yes, if more than 500 California residents are notified.
A person or business that is required to issue a security breach notification pursuant to this section to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. CAL. CIV. CODE 1798.82(g). The disclosure shall be made in the most expedient time unreasonable delay, CAL. CIV. CODE 1798.82. Cal. Civ. Code 1798.82(h).

Colorado Personal information means a Colorado resident's first name or first initial and last name in combination with any one or more of the following data elements that relate to the resident, when the data elements are not encrypted, redacted, or secured by any other method rendering the name or the element unreadable or unusable: (A) Social security number; (B) Driver's license number or identification card number; (C) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a resident's financial account. Yes, unless the investigation determines that the misuse of information about a Colorado resident has not occurred and is not reasonably likely to occur. COLO. REV. STAT. 6-1-716. Notice shall be made in the most expedient time possible and without unreasonable delay, COLO. REV. STAT. 6-1-716. Connecticut COLO. REV. STAT. 6-1-716(d). Personal information means an individual's first name or first initial and last name in combination with any one, or more, of the following data: (A) Social Security number; (B) driver's license number or state identification card number; or (C) account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual's financial account. CONN. GEN. STAT. 36a-701b. Yes, but notification shall not be required if, after an appropriate investigation and consultation with relevant federal, state and local agencies responsible for law enforcement, the person reasonably determines that the breach will not likely result in harm to the individuals whose personal information has been acquired and accessed. Person must provide simultaneous notice to Attorney General and residents. CONN. GEN. STAT. 36a-701b.
Such notice shall be made without unreasonable delay but not later than ninety days after the discovery of such breach, unless a shorter time is required under federal law. CONN. GEN. STAT. 36a-701b. Delaware Personal information means a Delaware resident's first name or first initial and last name in combination with any 1 or more of the following data elements that relate to the resident, when either the name or the data elements are not encrypted: a. Social Security number; b. Driver's license number or Delaware Identification Card number; or c. Account number, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a resident's financial account. CONN. GEN. STAT. 36a-701b. Yes, but only if an investigation determines that the misuse of information about a Delaware resident has occurred or is reasonably likely to occur. DEL. CODE TIT. 6, 12B-102. Notice must be made in the most expedient time possible and without unreasonable delay. DEL. CODE TIT. 6, 12B-102. DEL. CODE TIT. 6, 12B-101.

Florida Georgia Personal information means either of the following: a. An individual's first name or first initial and last name in combination with any one or more of the following data elements for that individual: (I) A social security number; (II) A driver license or identification card number, passport number, military identification number, or other similar number issued on a government document used to verify identity; (III) A financial account number or credit or debit card number, in combination with any required security code, access code, or password that is necessary to permit access to an individual's financial account; (IV) Any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; or (V) An individual's health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual. FLA. STAT. 501.171. Personal information means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted: (A) Social security number; (B) Driver's license number or state identification card number; (C) Account number, credit card number, or debit card number, if circumstances exist wherein such a number could be used without additional identifying information, access codes, or passwords; (D) Account passwords or personal identification numbers or other access codes; or (E) Any of the items contained in subparagraphs (A) through (D) of this paragraph when not in connection with the individual's first name or first initial and last name, if the information compromised would be sufficient to perform or attempt to perform identity theft against the person whose information was compromised. GA. CODE 10-1-911.
Yes, but notice to the affected individuals is not required if, after an appropriate investigation and consultation with relevant federal, state, or local law enforcement agencies, the covered entity reasonably determines that the breach has not and will not likely result in identity theft or any other financial harm to the individuals whose personal information has been accessed. Such a determination must be documented in writing and maintained for at least 5 years. The covered entity shall provide the written determination to the department within 30 days after the determination. FLA. STAT. 501.171. Yes, if the disclosure affects more than 500 residents. FLA. STAT. 501.171. Notice must be provided to residents and government as expeditiously as practicable and without unreasonable delay, but no later than 30 days after breach. FLA. STAT. 501.171. Yes. The notice shall be made in the most expedient time GA. CODE 10-1-912.

Hawaii Personal information means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: (1) Social security number; (2) Driver's license number or Hawaii identification card number; or (3) Account number, credit or debit card number, access code, or password that would permit access to an individual's financial account. HAW. REV. STAT. 487N-1. Yes, but only where harm is likely to occur. Security breach means an incident of unauthorized access to and acquisition of unencrypted or unredacted records or data containing personal information where illegal use of the personal information has occurred, or is reasonably likely to occur and that creates a risk of harm to a person. HAW. REV. STAT. 487N-1. Yes, if more than 1,000 persons notified pursuant to Hawaii law. In the event a business provides notice to more than one thousand persons at one time pursuant to this section, the business shall notify in writing, without unreasonable delay, the State of Hawaii's office of consumer protection and all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 U.S.C. section 1681a(p), of the timing, distribution, and content of the notice. The disclosure notification shall be made without HAW. REV. STAT. 487N-2. Idaho Personal information means an Idaho resident's first name or first initial and last name in combination with any one (1) or more of the following data elements that relate to the resident, when either the name or the data elements are not encrypted: (a) Social security number; (b) Driver's license number or Idaho identification card number; or (c) Account number, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a resident's financial account.
Yes, but only if the investigation determines that the misuse of information about an Idaho resident has occurred or is reasonably likely to occur, the agency, individual or the commercial entity shall give notice as soon as possible to the affected Idaho resident. IDAHO CODE 28-51-105. HAW. REV. STAT. 487N-2. Yes, if the breach occurs on the network of a government agency. IDAHO CODE 28-51-105. Notice must be made in the most expedient time possible and without unreasonable delay. IDAHO CODE 28-51-105. IDAHO CODE 28-51-104.

Illinois Personal information means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted: (1) Social Security number. (2) Driver's license number or State identification card number. (3) Account number or credit or debit card number, or an account number or credit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account. 815 ILL. COMP. STAT. 530/5. Yes. An amendment effective January 1, 2017 requires that all entities, including state agencies, with a data breach affecting over 250 Illinois residents notify the Illinois AG, generally within 45 days of the breach, regarding the following: 1) the kind of personal information compromised; 2) the number of Illinois residents affected by the breach; 3) what the entity will do to inform people about the breach; and 4) information about the breach Beginning on January 1, 2017, yes. IL. H.B. 1260 (2016) Notification shall be made in the most expedient time 815 ILL. COMP. STAT. 530/10. Indiana Personal information means: (1) a Social Security number that is not encrypted or redacted; or (2) an individual's first and last names, or first initial and last name, and one (1) or more of the following data elements that are not encrypted or redacted: (A) A driver's license number. (B) A state identification card number. (C) A credit card number. (D) A financial account number or debit card number in combination with a security code, password, or access code that would permit access to the person's account. Yes, but only if the data base owner knows, should know, or should have known that the unauthorized acquisition constituting the breach has resulted in or could result in identity deception, identity theft, or fraud affecting the Indiana resident. IND. CODE 24-4.9-3-1.
Yes, if database owner must notify residents, it must also notify Attorney General. IND. CODE 24-4.9-3-1. The disclosure or notification must be sent without unreasonable delay. IND. CODE 24-4.9-3-3. IND. CODE 24-4.9-2-10.

Iowa Kansas Personal information means an individual's first name or first initial and last name in combination with any one or more of the following data elements that relate to the individual if any of the data elements are not encrypted, redacted, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable or are encrypted, redacted, or otherwise altered by any method or technology but the keys to unencrypt, unredact, or otherwise read the data elements have been obtained through the breach of security: (1) Social security number. (2) Driver's license number or other unique identification number created or collected by a government body. (3) Financial account number, credit card number, or debit card number in combination with any required expiration date, security code, access code, or password that would permit access to an individual's financial account. (4) Unique electronic identifier or routing code, in combination with any required security code, access code, or password that would permit access to an individual's financial account. (5) Unique biometric data, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data. IOWA CODE 715C.1. Personal information means a consumer's first name or first initial and last name linked to any one or more of the following data elements that relate to the consumer, when the data elements are neither encrypted nor redacted: (1) Social security number; (2) driver's license number or state identification card number; or (3) financial account number, or credit or debit card number, alone or in combination with any required security code, access code or password that would permit access to a consumer's financial account. KAN. STAT. 50-7a01.
Yes, but notification is not required if, after an appropriate investigation or after consultation with the relevant federal, state, or local agencies responsible for law enforcement, the person determined that no reasonable likelihood of financial harm to the consumers whose personal information has been acquired has resulted or will result from the breach. Such a determination must be documented in writing and the documentation must be maintained for five years. IOWA CODE 715C.2. Notice required only if, after investigation, misuse of information has occurred or is likely to occur. KAN. STAT. 50-7a02. Yes, if notice is provided to 500 or more Iowa residents. Any person who owns or licenses computerized data that includes a consumer's personal information that is used in the course of the person's business, vocation, occupation, or volunteer activities and that was subject to a breach of security requiring notification to more than five hundred residents of this state pursuant to this section shall give written notice of the breach of security following discovery of such breach of security, or receipt of notification under subsection 2, to the director of the consumer protection division of the office of the attorney general within five business days after giving notice of the breach of security to any consumer pursuant to this section. IOWA CODE 715C.2. The consumer notification shall be made in the most expeditious manner IOWA CODE 715C.2. Notice must be made in the most expedient time unreasonable delay KAN. STAT. 50-7a02.

Kentucky Personally identifiable information means an individual's first name or first initial and last name in combination with any one (1) or more of the following data elements, when the name or data element is not redacted: 1. Social Security number; 2. Driver's license number; or 3. Account number or credit or debit card number, in combination with any required security code, access code, or password to permit access to an individual's financial account. KY. REV. STAT. 365.732 (West) Disclosure required only if breach actually causes, or leads the information holder to reasonably believe has caused or will cause, identity theft or fraud against any resident of the Commonwealth of Kentucky. KY. REV. STAT. 365.732. The disclosure shall be made in the most expedient time possible and without unreasonable delay. KY. REV. STAT. 365.732. Louisiana Personal information means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when the name or the data element is not encrypted or redacted: (i) Social security number. (ii) Driver's license number. (iii) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account. Notification to residents is not required if after a reasonable investigation the person or business determines that there is no reasonable likelihood of harm to customers. LA. STAT. 51:3074. Where notice is required to be provided to citizens, notice is also required to be provided to Attorney General. LA. ADMIN. CODE TIT. 16, pt. III, 701. Notice shall be made in the most expedient time LA. STAT. 51:3074. LA. STAT. 51:3073. Maine Personal information means an individual's first name, or first initial, and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted: A.
Social security number; B. Driver's license number or state identification card number; C. Account number, credit card number or debit card number, if circumstances exist wherein such a number could be used without additional identifying information, access codes or passwords; D. Account passwords or personal identification numbers or other access codes; or E. Any of the data elements contained in paragraphs A to D when not in connection with the individual's first name, or first initial, and last name, if the information if compromised would be sufficient to permit a person to fraudulently assume or attempt to assume the identity of the person whose information was compromised. ME. REV. STAT. TIT. 10, 1347. Notice required only if misuse of the personal information has occurred or if it is reasonably possible that misuse will occur. ME. REV. STAT. TIT. 10, 1348. If notice to residents is required, notice to appropriate governmental authority is also required: When notice of a breach of the security of the system is required under subsection 1, the person shall notify the appropriate state regulators within the Department of Professional and Financial Regulation, or if the person is not regulated by the department, the Attorney General. ME. REV. STAT. TIT. 10, 1348. Notice must be made expediently as possible and without unreasonable delay. ME. REV. STAT. TIT. 10, 1348.

Maryland Personal information means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when the name or the data elements are not encrypted, redacted, or otherwise protected by another method that renders the information unreadable or unusable: (i) A Social Security number; (ii) A driver's license number; (iii) A financial account number, including a credit card number or debit card number, that in combination with any required security code, access code, or password, would permit access to an individual's financial account; or (iv) An Individual Taxpayer Identification Number. MD. CODE, COM. LAW 14-3501. Disclosure is required only where the business determines that misuse of the individual's personal information has occurred or is reasonably likely to occur as a result of a breach of the security of a system. MD. CODE, COM. LAW 14-3504. Attorney General must be notified prior to any notices to residents. Prior to giving the notification required under subsection (b) of this section and subject to subsection (d) of this section, a business shall provide notice of a breach of the security of a system to the Office of the Attorney General. MD. CODE, COM. LAW 14-3504. As soon as reasonably practicable. MD. CODE, COM. LAW 14-3504.
Massachusetts Personal information a resident's first name and last name or first initial and last name in combination with any 1 or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account; provided, however, that Personal information shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public. Notice required only if the breach creates a substantial risk of identity theft or fraud against a resident of the commonwealth. MASS. GEN. LAWS ch. 93H, 1. Must notify governmental agencies, including Attorney General and the director of consumer affairs and business regulation. MASS. GEN. LAWS ch. 93H, 3. Notice must be provided as soon as practicable and without unreasonable delay. MASS. GEN. LAWS ch. 93H, 3. MASS. GEN. LAWS ch. 93H, 1.

Michigan Personal identifying information means a name, number, or other information that is used for the purpose of identifying a specific person or providing access to a person's financial accounts, including, but not limited to, a person's name, address, telephone number, driver license or state personal identification card number, social security number, place of employment, employee identification number, employer or taxpayer identification number, government passport number, health insurance identification number, mother's maiden name, demand deposit account number, savings account number, financial transaction device account number or the person's account password, any other account password in combination with sufficient information to identify and access the account, automated or electronic signature, biometrics, stock or other security certificate or account number, credit card number, vital record, or medical records or information. Notice to residents required unless the person or agency determines that the security breach has not or is not likely to cause substantial loss or injury to, or result in identity theft with respect to, 1 or more residents of this state. MICH. COMP. LAWS 445.72. Without unreasonable delay. MICH. COMP. LAWS. 445.72. Minnesota MICH. COMP. LAWS 445.63.
Personal information means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when the data element is not secured by encryption or another method of technology that makes electronic data unreadable or unusable, or was secured and the encryption key, password, or other means necessary for reading or using the data was also acquired: (1) Social Security number; (2) driver's license number or Minnesota identification card number; or (3) account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account. Yes. The disclosure must be made in the most expedient time possible and without unreasonable delay. MINN. STAT. 325E.61. Mississippi MINN. STAT. 325E.61. Personal information means an individual's first name or first initial and last name in combination with any one or more of the following data elements: (i) Social security number; (ii) Driver's license number or state identification card number; or (iii) An account number or credit or debit card number in combination with any required security code, access code or password that would permit access to an individual's financial account; personal information does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media. MISS. CODE 75-24-29. Yes, but notification shall not be required if, after an appropriate investigation, the person reasonably determines that the breach will not likely result in harm to the affected individuals. MISS. CODE 75-24-29. Without unreasonable delay. MISS. CODE 75-24-29.

Missouri

"Personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements that relate to the individual if any of the data elements are not encrypted, redacted, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable or unusable: (a) Social Security number; (b) Driver's license number or other unique identification number created or collected by a government body; (c) Financial account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account; (d) Unique electronic identifier or routing code, in combination with any required security code, access code, or password that would permit access to an individual's financial account; (e) Medical information; or (f) Health insurance information. MO. STAT. 407.1500.

Yes, but notification is not required if, after an appropriate investigation by the person or after consultation with the relevant federal, state, or local agencies responsible for law enforcement, the person determines that a risk of identity theft or other fraud to any consumer is not reasonably likely to occur as a result of the breach. Such a determination shall be documented in writing and the documentation shall be maintained for five years. MO. STAT. 407.1500.

Yes, if more than 1,000 persons affected. In the event a person provides notice to more than one thousand consumers at one time pursuant to this section, the person shall notify, without unreasonable delay, the attorney general's office and all consumer reporting agencies. MO. STAT. 407.1500.

Without unreasonable delay. MO. STAT. 407.1500.

Montana

"Personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: (A) social security number; (B) driver's license number, state identification card number, or tribal identification card number; (C) account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account; (D) medical record information as defined in 33-19-104; (E) a taxpayer identification number; or (F) an identity protection personal identification number issued by the United States internal revenue service. MONT. CODE 30-14-1704.

Yes, but notification required only where there is a breach of the security of the data system, which means unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information maintained by the person or business and causes or is reasonably believed to cause loss or injury to a Montana resident. MONT. CODE 30-14-1704.

Yes, if required to notify residents. Any person or business that is required to issue a notification pursuant to this section shall simultaneously submit an electronic copy of the notification and a statement providing the date and method of distribution of the notification to the attorney general's consumer protection office. MONT. CODE 30-14-1704.

The disclosure must be made without MONT. CODE 30-14-1704.

Nebraska

"Personal information" means a Nebraska resident's first name or first initial and last name in combination with any one or more of the following data elements that relate to the resident if either the name or the data elements are not encrypted, redacted, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable: (a) Social security number; (b) Motor vehicle operator's license number or state identification card number; (c) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a resident's financial account; (d) Unique electronic identification number or routing code, in combination with any required security code, access code, or password; or (e) Unique biometric data, such as a fingerprint, voice print, or retina or iris image, or other unique physical representation. NEB. REV. STAT. 87-802.

Yes, after breach, business must conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be used for an unauthorized purpose and if the investigation determines that the use of information about a Nebraska resident for an unauthorized purpose has occurred or is reasonably likely to occur, the individual or commercial entity shall give notice to the affected Nebraska resident. NEB. REV. STAT. 87-803.

No, but amendments take effect on July 20, 2016 that do require notice to Attorney General: If notice of a breach of security of the system is required by subsection (1) of this section, the individual or commercial entity shall also, not later than the time when notice is provided to the Nebraska resident, provide notice of the breach of security of the system to the Attorney General. NE LEGIS 835 (2016).

As soon as possible and without unreasonable delay. NEB. REV. STAT. 87-803.

Nevada

"Personal information" means a natural person's first name or first initial and last name in combination with any one or more of the following data elements, when the name and data elements are not encrypted: (a) Social security number. (b) Driver's license number, driver authorization card number or identification card number. (c) Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person's financial account. (d) A medical identification number or a health insurance identification number. (e) A user name, unique identifier or electronic mail address in combination with a password, access code or security question and answer that would permit access to an online account. NEV. REV. STAT. 603A.040.

Yes, but only where there is a breach of the security of the system data, defined as the unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information maintained by the data collector. NEV. REV. STAT. 603A.020.

The disclosure must be made in the most expedient time possible and without unreasonable delay. NEV. REV. STAT. 603A.220.

New Hampshire

"Personal information" means an individual's first name or initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: (1) Social security number. (2) Driver's license number or other government identification number. (3) Account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account. N.H. REV. STAT. 359-C:19.

Yes, if after determining that misuse of the information has occurred or is reasonably likely to occur, or if a determination cannot be made, the person shall notify the affected individuals as soon as possible as required under this subdivision. N.H. REV. STAT. 359-C:20.

Yes, notice to applicable regulator and Attorney General. N.H. REV. STAT. 359-C:20.

As soon as possible. N.H. REV. STAT. 359-C:20.

New Jersey

"Personal information" means an individual's first name or first initial and last name linked with any one or more of the following data elements: (1) Social Security number; (2) driver's license number or State identification card number; or (3) account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account. Dissociated data that, if linked, would constitute personal information is personal information if the means to link the dissociated data were accessed in connection with access to the dissociated data. N.J. STAT. 56:8-161.

Yes, but disclosure of a breach of security to a customer shall not be required under this section if the business or public entity establishes that misuse of the information is not reasonably possible. Any determination shall be documented in writing and retained for five years. N.J. STAT. 56:8-163.

Yes, prior to any notice to residents: Any business or public entity required under this section to disclose a breach of security of a customer's personal information shall, in advance of the disclosure to the customer, report the breach of security and any information pertaining to the breach to the Division of State Police in the Department of Law and Public Safety for investigation or handling, which may include dissemination or referral to other appropriate law enforcement entities. N.J. STAT. 56:8-163.

The disclosure to a customer shall be made in the most expedient time N.J. STAT. 56:8-163.

New York

"Personal information" shall mean any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person; (b) "Private information" shall mean personal information consisting of any information in combination with any one or more of the following data elements, when either the personal information or the data element is not encrypted, or encrypted with an encryption key that has also been acquired: (1) social security number; (2) driver's license number or non-driver identification card number; or (3) account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account. N.Y. GEN. BUS. LAW 899-aa.

Yes.

Yes, if residents are notified. In the event that any New York residents are to be notified, the person or business shall notify the state attorney general, the department of state and the division of state police as to the timing, content and distribution of the notices and approximate number of affected persons. Such notice shall be made without delaying notice to affected New York residents. N.Y. GEN. BUS. LAW 899-aa.

The disclosure shall be made in the most expedient time possible and without unreasonable delay. N.Y. GEN. BUS. LAW 899-aa.

North Carolina

A person's first name or first initial and last name in combination with identifying information, which includes (1) Social security or employer taxpayer identification numbers. (2) Drivers license, State identification card, or passport numbers. (3) Checking account numbers. (4) Savings account numbers. (5) Credit card numbers. (6) Debit card numbers. (7) Personal Identification (PIN) Code as defined in G.S. 14-113.8(6). (8) Electronic identification numbers, electronic mail names or addresses, Internet account numbers, or Internet identification names. (9) Digital signatures. (10) Any other numbers or information that can be used to access a person's financial resources. (11) Biometric data. (12) Fingerprints. (13) Passwords. (14) Parent's legal surname prior to marriage. N.C. GEN. STAT. 75-61.

Yes, but only where there is a security breach, defined to limit notification to those instances where illegal use of the personal information has occurred or is reasonably likely to occur or that creates a material risk of harm to a consumer. N.C. GEN. STAT. 75-61.

Yes, if notice to residents is required. In the event a business provides notice to an affected person pursuant to this section, the business shall notify without unreasonable delay the Consumer Protection Division of the Attorney General's Office of the nature of the breach, the number of consumers affected by the breach, steps taken to investigate the breach, steps taken to prevent a similar breach in the future, and information regarding the timing, distribution, and content of the notice. N.C. GEN. STAT. 75-65.

The disclosure notification shall be made without N.C. GEN. STAT. 75-65.

North Dakota

"Personal information" means an individual's first name or first initial and last name in combination with any of the following data elements, when the name and the data elements are not encrypted: (1) The individual's social security number; (2) The operator's license number assigned to an individual by the department of transportation under section 39-06-14; (3) A nondriver color photo identification card number assigned to the individual by the department of transportation under section 39-06-03.1; (4) The individual's financial institution account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial accounts; (5) The individual's date of birth; (6) The maiden name of the individual's mother; (7) Medical information; (8) Health insurance information; (9) An identification number assigned to the individual by the individual's employer in combination with any required security code, access code, or password; or (10) The individual's digitized or other electronic signature. N.D. CENT. CODE 51-30-01.

Yes.

Yes, where breach affects more than 250 individuals. In addition, any person that experiences a breach of the security system as provided in this section shall disclose to the attorney general by mail or email any breach of the security system which exceeds two hundred fifty individuals. N.D. CENT. CODE 51-30-02.

The disclosure must be made in the most expedient time possible. N.D. CENT. CODE 51-30-02.

Ohio (exempts credit unions regulated under federal law, OHIO REV. CODE 1349.19)

"Personal information" means an individual's name, consisting of the individual's first name or first initial and last name, in combination with and linked to any one or more of the following data elements, when the data elements are not encrypted, redacted, or altered by any method or technology in such a manner that the data elements are unreadable: (i) Social security number; (ii) Driver's license number or state identification card number; (iii) Account number or credit or debit card number, in combination with and linked to any required security code, access code, or password that would permit access to an individual's financial account. OHIO REV. CODE 1349.19.

Yes, but notice is required only for a breach of the security of the system, which is limited to unauthorized access to and acquisition of computerized data that compromises the security or confidentiality of personal information owned or licensed by a person and that causes, reasonably is believed to have caused, or reasonably is believed will cause a material risk of identity theft or other fraud to the person or property of a resident of this state. OHIO REV. CODE 1349.19.

Any person that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system, following its discovery or notification of the breach of the security of the system, to any resident of this state whose personal information was, or reasonably is believed to have been, accessed and acquired by an unauthorized person if the access and acquisition by the unauthorized person causes or reasonably is believed will cause a material risk of identity theft or other fraud to the resident. OHIO REV. CODE 1349.19.

Yes, if the data breach occurs on the system of a state agency or political subdivision, and that agency or subdivision is the custodian of, or stores, the breached data on behalf of another state agency or subdivision. OHIO REV. CODE 1347.12.

Most expedient time possible, but no later than 45 days after discovery or notification of breach. OHIO REV. CODE 1349.19.

Oklahoma (safe harbor with Gramm-Leach-Bliley Act, OKLA. STAT. TIT. 24, 164).

"Personal information" means the first name or first initial and last name in combination with and linked to any one or more of the following data elements that relate to a resident of this state, when the data elements are neither encrypted nor redacted: a. social security number, b. driver license number or state identification card number issued in lieu of a driver license, or c. financial account number, or credit card or debit card number, in combination with any required security code, access code, or password that would permit access to the financial accounts of a resident. OKLA. STAT. TIT. 24, 162.

Yes, but only if there is a reasonable belief of identity theft or fraud: An individual or entity that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach of the security of the system to any resident of this state whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person and that causes, or the individual or entity reasonably believes has caused or will cause, identity theft or other fraud to any resident of this state. OKLA. STAT. TIT. 24, 163.

The disclosure shall be made without OKLA. STAT. TIT. 24, 163.

Oregon

"Personal information" means: (a) A consumer's first name or first initial and last name in combination with any one or more of the following data elements, if encryption, redaction or other methods have not rendered the data elements unusable or if the data elements are encrypted and the encryption key has been acquired: (A) A consumer's Social Security number; (B) A consumer's driver license number or state identification card number issued by the Department of Transportation; (C) A consumer's passport number or other identification number issued by the United States; (D) A consumer's financial account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to a consumer's financial account; (E) Data from automatic measurements of a consumer's physical characteristics, such as an image of a fingerprint, retina or iris, that are used to authenticate the consumer's identity in the course of a financial transaction or other transaction; (F) A consumer's health insurance policy number or health insurance subscriber identification number in combination with any other unique identifier that a health insurer uses to identify the consumer; or (G) Any information about a consumer's medical history or mental or physical condition or about a health care professional's medical diagnosis or treatment of the consumer. OR. REV. STAT. 646A.602.

Yes, but notice is required only where there is a breach of security, which does not include an inadvertent acquisition of personal information by a person or the person's employee or agent if the personal information is not used in violation of applicable law or in a manner that harms or poses an actual threat to the security, confidentiality or integrity of the personal information. OR. REV. STAT. 646A.602.

Moreover, a person does not need to notify consumers of a breach of security if, after an appropriate investigation or after consultation with relevant federal, state or local law enforcement agencies, the person reasonably determines that the consumers whose personal information was subject to the breach of security are unlikely to suffer harm. The person must document the determination in writing and maintain the documentation for at least five years. OR. REV. STAT. 646A.604.

Yes, notice must be provided to Attorney General if provided to individuals exceeds 250. OR. REV. STAT. 646A.604.

The person shall notify the consumer in the most expeditious manner possible, without OR. REV. STAT. 646A.604.

Pennsylvania

"Personal information" means an individual's first name or first initial and last name in combination with and linked to any one or more of the following data elements when the data elements are not encrypted or redacted: (i) Social Security number. (ii) Driver's license number or a State identification card number issued in lieu of a driver's license. (iii) Financial account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual's financial account. 73 PA. STAT. 2302.

Yes, notice required for breach of the security system, which means the unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of personal information maintained by the entity as part of a database of personal information regarding multiple individuals and that causes or the entity reasonably believes has caused or will cause loss or injury to any resident of this Commonwealth. 73 PA. STAT. 2303.

The notice shall be made without unreasonable delay. 73 PA. STAT. 2303.

Rhode Island

"Personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: (1) Social security number; (2) Driver's license number or Rhode Island Identification Card number; (3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account. 11 R.I. GEN. LAWS 11-49.2-5. **Note: A broader definition was adopted in new law effective summer of 2016.

Yes, but notification of a breach is not required if, after an appropriate investigation or after consultation with relevant federal, state, or local law enforcement agencies, a determination is made that the breach has not and will not likely result in a significant risk of identity theft to the individuals whose personal information has been acquired. 11 R.I. GEN. LAWS 11-49.2-4.

No, but new requirement effective July 2, 2016, requiring notice to Attorney General if more than 500 residents are affected. In the event that more than five hundred (500) Rhode Island residents are to be notified, the municipal agency, state agency, or person shall notify the attorney general. 11 R.I. GEN. LAWS 11-49.3-4.

The disclosure shall be made in the most expedient time 11 R.I. GEN. LAWS 11-49.2-3. **45-day deadline effective July 2, 2016. 11 R.I. GEN. LAWS 11-49.3-4.

South Carolina (Gramm-Leach-Bliley Act safe harbor, S.C. CODE 39-1-90(I)).

"Personal identifying information" means the first name or first initial and last name in combination with and linked to any one or more of the following data elements that relate to a resident of this State, when the data elements are neither encrypted nor redacted: (a) social security number; (b) driver's license number or state identification card number issued instead of a driver's license; (c) financial account number, or credit card or debit card number in combination with any required security code, access code, or password that would permit access to a resident's financial account; or (d) other numbers or information which may be used to access a person's financial accounts or numbers or information issued by a governmental or regulatory entity that uniquely will identify an individual. S.C. CODE 39-1-90.

Yes, but notice is required only when the illegal use of the information has occurred or is reasonably likely to occur or use of the information creates a material risk of harm to the resident. S.C. CODE 39-1-90.

Yes, but only if there are 1,000 or more persons notified: If a business provides notice to more than one thousand persons at one time pursuant to this section, the business shall notify, without unreasonable delay, the Consumer Protection Division of the Department of Consumer Affairs. S.C. CODE 39-1-90.

The disclosure must be made in the most expedient time S.C. CODE 39-1-90.

Tennessee

"Personal information" means an individual's first name or first initial and last name, in combination with any one (1) or more of the following data elements, when either the name or the data elements are not encrypted: (i) Social security number; (ii) Driver license number; or (iii) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

Yes.

The disclosure shall be made in the most expedient time TENN. CODE 47-18-2107. **Effective July 1, 2016, there is a 45-day deadline for notice. TENN. CODE 47-18-2107. 2016 Tennessee Laws Pub. Ch. 692 (S.B. 2005).