| State | Governing Statutes | 1st Party Breach Notification | Notes |
|---|---|---|---|
| Alabama | No law | | |
| Alaska | 45-48-10 | Notification must be made "in the most expeditious time possible and without unreasonable delay" unless it will impede a criminal investigation. Notable exception: there is no mandatory disclosure if, after reasonable investigation and written notification to the AK AG, the covered business determines that there is not a reasonable likelihood that harm will result or has resulted to the consumers whose PI has been acquired. | If an information collector is required to notify more than 1,000 state residents, all consumer credit reporting agencies must be notified of the breach. The notification requirement cannot be waived by contractual agreement. Statute only applicable to unencrypted information (45.48.090(7)). |
| Arizona | 44-32-1 | After discovery of a possible breach, the business must conduct a reasonable investigation to determine if a breach occurred. If there was a breach, the individuals affected need to be contacted in the "most expedient manner possible and without unreasonable delay." | This statute is only applicable to unencrypted or unredacted PI. |
| Arkansas | 4-7-110 | Disclosure must be made in the most expedient time and manner possible without unreasonable delay, consistent with legitimate needs of law enforcement. Exception: notification is not required if, after reasonable investigation, there is no reasonable likelihood of harm to customers. | Law enforcement caveat. Only applies to unencrypted or unredacted information. |
| California | 1798.81.5 | California has exceedingly complex and onerous requirements. An entity shall disclose to affected consumers, upon discovery or notice of a breach, that their PI was, or is reasonably believed to have been, acquired by an unauthorized person. Disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to restore the integrity of the system or determine the scope of the breach. If a business maintains data that it does not own, it must immediately notify the business that does, subject to a law enforcement caveat. The entity that is the source of the breach is required to provide free identity protection service to the affected consumers. | Medical PI is treated completely differently. Notice requirements are lengthy, onerous, and expensive. |
| Colorado | 6-1-716 | Disclosure must be made in the most expedient time and manner possible without unreasonable delay, consistent with legitimate needs of law enforcement. Exception: notification is not required if, after reasonable investigation, there is no reasonable likelihood of harm. | Only applies to unencrypted or unredacted information. Law enforcement caveat. |
| Connecticut | 36a-701b | Disclosure must be made without unreasonable delay. Notification is not required if, after reasonable investigation and consultation with law enforcement officials, it is determined that the breach is unlikely to harm the individuals whose PI was acquired. | Only applies to unencrypted or unredacted information. Law enforcement caveat. |
| Delaware | 6-II-12B-102 | Any covered entity must conduct a prompt and good faith investigation upon discovery of a breach. If the investigation determines that the misuse of information about a DE resident has occurred or is reasonably likely to occur, notice should be given as soon as possible to the affected resident. | Any business or person that conducts business in state or owns/licenses/maintains data from DE residents is subject to the statute. Law enforcement caveat. |
| District of Columbia | 28-2851 | Upon discovery of a breach, notice should be given in the most expedient manner possible to the affected DC residents. | Any business or person that conducts business in state or owns/licenses/maintains data from DC residents is subject to the statute. Law enforcement caveat. Statute cannot be contractually waived. Creates a private cause of action. |
| Florida | SB 1524 | Upon discovery of a breach, notice should be given to the Department of Legal Affairs if the breach affects more than 500 FL residents. Notice must be given as expeditiously as possible, but no later than 30 days after the discovery of a breach. Notice must also be given to the affected residents as soon as practicable and without unreasonable delay, but no later than 30 days after discovery of the breach. | Only applies to unencrypted or unredacted information. Law enforcement caveat. |
| Georgia | 10-1-910 | Notice must be given in the most expedient manner possible without unreasonable delay. | Law enforcement caveat. Any business, broker, or medium that maintains PI on GA residents is covered by the statute. |
| Hawaii | 2-26-487N | Disclosure notification must be made without unreasonable delay to affected persons or businesses. Notification can be delayed to investigate the scope of the breach, restore the system to proper integrity, or further secure other information. | Law enforcement caveat. Any business, broker, or medium that maintains PI on HI residents is covered by the statute. Creates a private cause of action for actual damages and attorney fees to the winning party. |
| Idaho | 28-51-104 | After discovery of a possible breach, the business must conduct in good faith a reasonable and prompt investigation to determine if a breach occurred. If there was a breach, the individuals affected need to be contacted in the most expedient manner possible and without unreasonable delay. | This statute is only applicable to unencrypted or unredacted PI. Statute applies to any agency, individual or commercial entity that maintains or owns PI. Law enforcement caveat. |
| Illinois | 815 ILCS 530-5 | After discovery of a breach, notification must be made in the most expedient time possible without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system. | Statute covers any data collector that owns, maintains, or licenses PI concerning IL residents. Applies to any breach of unencrypted PI, or of encrypted PI if the encryption key has been compromised. |
| Indiana | 24-4.9-1-2 | Disclosure must be made without unreasonable delay. Delay is reasonable if it is necessary to restore the integrity of the computer system, discover the scope of the breach, or comply with law enforcement requests. | Only the AG can bring an action under the act. |
| Iowa | XVI-715c | Disclosure must be made in the most expeditious manner possible without unreasonable delay, consistent with any measures necessary to determine contact information, determine the scope of the breach, and restore the informational system. | Law enforcement caveat. Only applies to unencrypted or unredacted PI. Furthermore, notification is not required if, after an appropriate investigation or consultation with law enforcement, there is no reasonable likelihood of financial harm to the consumers whose personal information was acquired. |
| Kansas | 50-7a | Upon awareness of a breach of the system, the owner must conduct a reasonable investigation in good faith and in a prompt manner to determine the likelihood that misuse of information has occurred or is reasonably likely to occur. If there has been misuse or a likelihood of misuse, notice must be given in the most expeditious time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the informational system. | Only applies to unencrypted or unredacted data. Law enforcement caveat. |
| Louisiana | 51-51-3071 | Notification must be made in the most expedient time possible and without unreasonable delay, consistent with the needs of law enforcement. | Only applies to unencrypted or unredacted data. Law enforcement caveat. Applies to any person that conducts business in the state or maintains data on LA residents. Allows a private cause of action. |
| Maine | 10-3-210-b-1346 | Upon discovery of a breach, the information broker must conduct in good faith a reasonable and prompt investigation to determine the likelihood that PI has been or will be misused. Notice must be made as expeditiously as possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the informational system. | Only applies to unredacted or unencrypted PI. Law enforcement caveat. |
| Maryland | 14-3504 | A business must give notification of a breach to affected MD residents if, after a good faith reasonable investigation, it determines that PI has been or will be misused as a result of the breach. Notification can be delayed due to law enforcement concerns, national security, determining the scope of the breach, or restoring the integrity of the compromised system. | Any business that owns, maintains or licenses data that includes PI is covered by this statute. Law enforcement caveat. Violation of the statute is an unfair or deceptive trade practice. |
| Massachusetts | 1-15-93H | A person or agency that owns or licenses data that includes PI about a resident of MA shall provide notice as soon as practicable and without unreasonable delay upon discovery of a breach, or when the person or agency has reason to believe that there was unauthorized use of PI. This notice must be made to the MA AG and consumer reporting agencies. | Applies primarily to only unencrypted information. Law enforcement caveat. |
| Michigan | 445.63 | Notice must be provided without unreasonable delay. Notice may be withheld if a security breach is not likely to cause substantial loss or injury, or result in identity theft. Notice may be delayed to investigate the scope of the breach and restore the integrity of the system. | Applies primarily to only unencrypted information; however, there is a caveat if the encrypted information was acquired by a person with unauthorized access to the encryption key. Law enforcement caveat. Notice must also be given to consumer reporting agencies. |
| Minnesota | 325E.61 | Disclosure must be made in the most expedient time and manner possible without unreasonable delay, consistent with legitimate needs of law enforcement. A delay is reasonable if it is necessary to restore the integrity of the system, identify the scope of the breach, or identify the individuals affected. | Applies only to unencrypted information. This statute is not waivable by contract. Financial institutions are exempt from this statute. |
| Mississippi | 75-24-29 | Anyone who conducts business in the state must disclose a breach of PI to affected individuals without unreasonable delay, subject to legitimate needs of law enforcement, determining the scope of the breach, restoring the compromised system, or identifying the affected individuals. Notice is not required if, after an appropriate investigation, it is determined that the breach will not likely rest | Applies to unsecured and unencrypted information. |
| Missouri | 407.1500 | Following discovery or notification of a breach, notice must be provided to the affected consumers without unreasonable delay, consistent with any measures necessary to determine contact information of those affected, determine the scope of the breach, and restore system integrity. | Applies only to unencrypted or unredacted PI. Must contact the AG if more than 1,000 individuals are affected by the breach. Notification is not required if, after reasonable investigation, it is unlikely that there could be identity theft or other fraud. Law enforcement caveat. |
| Montana | 30-14-1702 | Following discovery or notification of a breach, notice must be provided to the affected consumers without unreasonable delay, consistent with any measures necessary to determine contact information of those affected, determine the scope of the breach, and restore the integrity of the system. | Businesses have an obligation to destroy sensitive records that contain PI that are no longer necessary to preserve. Law enforcement caveat. Only applies to unencrypted or unredacted information. Issuers of credit cards have different obligations and rules. |
| Nebraska | 87-801 | Following discovery or notification of a breach, the commercial entity must conduct in good faith a reasonable and prompt investigation to determine the likelihood that PI has been or will be used for an unauthorized purpose. If unauthorized use has occurred or is reasonably likely to occur, the commercial entity must provide notice as soon as possible and without unreasonable delay to the affected consumers, consistent with any measures necessary to determine the scope of the breach and restore the integrity of the system. | Law enforcement caveat. This provision is unwaivable as against public policy. Only applies to unencrypted or unredacted information. |
| Nevada | 52-603A.020 | Following discovery or notice of a breach, disclosure must be made to the affected consumers in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach or restore the reasonable integrity of the system. | This provision is unwaivable as against public policy. Law enforcement caveat. Only applies to unencrypted or unredacted information. The entity breached has a cause of action against the individual who unlawfully acquired the information. |
| New Hampshire | 31-359-C:19 | After awareness of a security breach, the commercial entity must promptly determine the likelihood that the information has been or will be misused. If it is determined that the information has been misused or is reasonably likely to be misused, the entity shall notify the individuals affected as soon as possible. | Only applies to unencrypted or unredacted information. Law enforcement caveat. This creates a private cause of action for the individuals affected for actual damages. If the violation was a willing or knowing violation, damages must be at least doubled and possibly tripled. The prevailing plaintiff is additionally awarded costs and attorney fees. It is against public policy to waive or void this statute. The burden is on the entity to prove compliance with this statute. |
| New Jersey | 56:8-161 | Disclosure shall be made after awareness of a possible breach. Notice must be given in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach or restore the integrity of the system. Notification is not required if it is determined that misuse of information is not reasonably possible; this determination needs to be made in writing. | Obligation for the entity to destroy sensitive records containing PI when they are no longer relevant for business purposes. Law enforcement caveat. |
| New Mexico | No law | | |
| New York | 39-F-899-aa | Disclosure must be made to the affected consumers following discovery, reasonable possibility, or notification of the breach. Notice must be given in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach or restore the integrity of the compromised system. | Two-year statute of limitations upon discovery of a breach. Law enforcement caveat. Applies only to unencrypted or unredacted information. |
| North Carolina | 75-2A-75-61 | After discovery or notice of a breach, notice must be given to the affected individuals without unreasonable delay, consistent with any measures necessary to determine the scope of the breach, determine contact information of the affected consumers, and restore the reasonable integrity of the system. | Law enforcement caveat. Only applies to unencrypted or unredacted PI. The AG needs to be contacted for large breaches. The particularities of the notification requirements are extremely detailed. |
| North Dakota | 51-30-01 | Disclosure shall be made after notice, discovery, or reasonable belief of a breach. The notice must be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach or restore the integrity of the data system. | Only applies to unencrypted or unredacted information. Law enforcement caveat. |
| Ohio | 1349.19 | Following discovery or notification of a breach in which PI was, or is reasonably believed to have been, acquired, AND the acquisition of the PI causes or is reasonably believed will cause a risk of identity theft or other fraud, the affected consumers must be notified. The notification must be made in the most expedient time possible but no later than 45 days, consistent with any measures necessary to determine the scope of the breach or restore the security of the system. The disclosure required by this statute is allowed to be dictated by contract, as long as there is no conflict between the notification procedures in the statute and the contractual requirements. The statute itself still cannot be waived. | Law enforcement caveat. Only applies to unencrypted or unredacted information. The fines for violations brought by the AG are particularly onerous. |
| Oklahoma | 24-161 | Notice must be given following discovery or notification of the breach if PI has been or is reasonably believed to have been acquired AND the acquisition causes, or is reasonably believed will cause, identity theft or other fraud. Disclosure must be made without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the system. | Only applies to unencrypted or unredacted information. Law enforcement caveat. |
| Oregon | 646A.602 | Disclosure must be made after discovery or notification of a breach. Notice must be given in the most expeditious time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach, gather contact information of the affected consumers, and determine the reasonable integrity of the system. | Only applies to unencrypted or unredacted information. Law enforcement caveat. Notification is not required if, after consultation with relevant authorities or an appropriate investigation, it is determined that there is no reasonable likelihood of harm to consumers resulting from the breach. |
| Pennsylvania | 73-2301 | After discovery or notice of a breach, notice must be given to the affected consumers. Notice must be given in the most expeditious time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach, gather contact information of the affected consumers, and determine the reasonable integrity of the system. | Only applies to unencrypted or unredacted information. Law enforcement caveat. |
| Rhode Island | 11-49.2-3 | After discovery or notice of a breach, or a reasonable belief that PI may have been compromised, notice must be given. Notice must be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach or restore the integrity of the system. | Only applies to unencrypted or unredacted information. Law enforcement caveat. Notification is not required if, after consultation with relevant authorities or an appropriate investigation, it is determined that there is no significant risk of identity theft from the misuse. |
| South Carolina | 39-1-90 | After discovery or notice of a breach, or a reasonable belief that PI may have been compromised, notice must be given. Notice must be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach or restore the integrity of the system. | The information must be used illegally, or be reasonably likely to be used illegally, to count as a "breach". This creates a private cause of action to recover damages for a willful or knowing violation, or actual damages for a negligent violation. Prevailing plaintiffs may recover attorney fees. Law enforcement caveat. Only applies to unencrypted or unredacted information. |
| South Dakota | No law | | |
| Tennessee | 47-18-2107 | Notification must be made after discovery or notification of a breach when PI has been, or is reasonably likely to be, compromised. Disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the integrity of the compromised system. | This creates a private cause of action to recover damages. Law enforcement caveat. Only applies to unencrypted or unredacted information. |
| Texas | 521.002 | Notification is required after discovery or notice of a breach if any PI has been or is reasonably believed to have been acquired by an unauthorized person. Disclosure must be made as quickly as possible, consistent with any measures necessary to determine the scope of the breach or restore the integrity of the compromised system. | Law enforcement caveat. Only applies to unencrypted or unredacted information. |
| Utah | 13-44-101 | After discovery or notification of a breach, the entity shall conduct a good faith, reasonable, and prompt investigation to determine whether PI has been or will be misused for identity theft or fraud purposes. Notification must be made in the most expedient time possible and without unreasonable delay. | All businesses that maintain PI must maintain reasonable procedures to prevent unlawful acquisition. Law enforcement caveat. Only applies to unencrypted or unredacted information. Businesses are required to destroy unnecessary records that contain PI. |
| Vermont | 63-2430-5(A) | This law is undergoing revisions. Upon discovery or notification of a breach, notice must be given in the most expeditious time possible and without unreasonable delay, consistent with measures necessary to restore the integrity of the system and to determine the scope of the breach. | The notice requirements are onerous. Law enforcement caveat. Only applies to unredacted or unencrypted information. |
| Virginia | 18.2-186.6 | The PI acquired must cause, or be reasonably likely to cause, identity theft or fraud to trigger the statute. Upon notification or discovery of a breach, disclosure must be made to the affected residents and the office of the AG without unreasonable delay, consistent with any measures necessary to determine the scope of the breach or restore the integrity of the system. | Law enforcement caveat. Only applies to unredacted or unencrypted information. |
| Washington | 19.255.010 | Following discovery or notification of a breach in which PI was, or is reasonably believed to have been, acquired, notice must be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach or restore the reasonable integrity of the system. | Law enforcement caveat. Only applies to unredacted or unencrypted information. This provision cannot be waived or modified by contract. This creates a private cause of action. |
| West Virginia | 46A-2A-101 | The PI acquired must cause, or be reasonably likely to cause, identity theft or fraud to trigger the statute. Upon notification or discovery of a breach, disclosure must be made to the affected residents without unreasonable delay, consistent with any measures necessary to determine the scope of the breach or restore the integrity of the system. | Law enforcement caveat. Only applies to unredacted or unencrypted information. |
| Wisconsin | 134.98 | After discovery or notice of a breach, disclosure must be made within a reasonable period, not to exceed 45 days. Notice is not required if the information acquired does not create a material risk of identity theft or fraud. | Law enforcement caveat. Only applies to unencrypted or unredacted information. Failure to comply with this statute is not negligence or breach of any duty, but may be evidence of such. |
| Wyoming | 40-12-501 | The PI acquired must cause, or be reasonably likely to cause, loss or injury to residents. Upon notification or discovery of a breach, disclosure must be made to the affected residents in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach or restore the integrity of the system. | Law enforcement caveat. Only applies to unencrypted or unredacted information. There is a complicated third-party notice requirement in conjunction with first-party obligations. |