DATA BREACH CLAIMS IN THE US: An Overview of First Party Breach Requirements

State / Governing Statutes / 1st Party Breach Notification / Notes

Alabama: No Law

Alaska: 45-48-10
Notification must be made "in the most expeditious time possible and without unreasonable delay" unless it will impede a criminal investigation. Notable exception: There is no mandatory disclosure if after reasonable investigation and written notification to the AK AG, it is determined by the covered business that there is not a reasonable likelihood that harm will result or has resulted to the consumers whose PI has been acquired. If an information collector is required to notify more than 1,000 state residents, all consumer credit reporting agencies must be notified of the breach. The notification requirement cannot be waived by contractual agreement. Statute only applicable to unencrypted information (45.48.090 (7)).

Arizona: 44-32 -1
After discovery of a possible breach, the business must conduct a reasonable investigation to determine if a breach occurred. If there was a breach, the individuals affected need to be contacted in the "most expedient manner possible and without unreasonable delay." This statute is only applicable to unencrypted or unredacted PI.

Arkansas: 4-7-110
California: 1798.81.5
Disclosure must be made in the most expedient time and manner possible without unreasonable delay consistent with legitimate needs of law enforcement. Exception: Notification is not required if, after reasonable investigation, there is no reasonable likelihood of harm to customers. California has exceedingly complex and onerous requirements. An entity shall disclose to affected consumers upon discovery or notice of a breach whose PI was, or is reasonably believed to have been, acquired by an unauthorized person. Disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to restore the integrity of the system or determine the scope of the breach. If a business maintains data that they do not own, they must immediately notify the business that does, with a law enforcement caveat. The entity that is the source of the breach is required to provide free identity protection service to the affected consumers. Law enforcement caveat. Only applies to unencrypted and redacted information. Medical PI is treated completely differently. Notice requirements are lengthy, onerous, and expensive.

Colorado: 6-1-716
Disclosure must be made in the most expedient time and manner possible without unreasonable delay consistent with legitimate needs of law enforcement. Exception: Notification is not required if, after reasonable investigation, there is no reasonable likelihood of harm. Only applies to unencrypted or unredacted information. Law enforcement caveat.

Connecticut: 36a-701b
Disclosure must be made without unreasonable delay. Notification is not required if, after reasonable investigation and consultation with law enforcement officials, it is determined that the breach is unlikely to harm the individuals whose PI was acquired. Only applies to unencrypted or unredacted information. Law enforcement caveat.

Delaware: 6-II-12B-102
Any covered entity must conduct a prompt and good faith investigation upon discovery of a breach. If the investigation determines that the misuse of information about a DE resident has occurred or is reasonably likely to occur, notice should be given as soon as possible to the affected resident. Any business or person that conducts business in state or owns/licenses/maintains data from DE residents is subject to the statute. Law enforcement caveat.

District of Columbia: 28-2851
Upon discovery of a breach, notice should be given in the most expedient manner possible to the affected DC residents. Any business or person that conducts business in state or owns/licenses/maintains data from DC residents is subject to the statute. Law enforcement caveat. Statute cannot be contractually waived. Creates a private cause of action.

Florida: SB 1524
Upon discovery of a breach, notice should be given to the Department of Legal Affairs if the breach affects more than 500 FL residents. Notice must be given as expeditiously as possible, but no later than 30 days after the discovery of a breach. Notice must also be given to the affected residents as soon as practicable and without unreasonable delay but no later than 30 days after discovery of the breach. Only applies to unencrypted or unredacted information. Law enforcement caveat.

Georgia: 10-1-910
Notice must be given in the most expedient manner possible without unreasonable delay. Law enforcement caveat. Any business, broker, or medium that maintains PI on GA residents is covered by the statute.

Hawaii: 2-26-487N
Disclosure notification must be made without unreasonable delay to affected persons or businesses. Notification can be delayed to investigate scope of the breach, restore the system to proper integrity, or further secure other information. Law enforcement caveat. Any business, broker, or medium that maintains PI on HI residents is covered by the statute. Creates a private cause of action for actual damages and attorney fees to the winning party.

Idaho: 28-51-104
Illinois: 815 ILCS 530-5
Indiana: 24-4.9-1-2
After discovery of a possible breach, the business must conduct in good faith a reasonable and prompt investigation to determine if a breach occurred. If there was a breach, the individuals affected need to be contacted in the most expedient manner possible and without unreasonable delay. After discovery of a breach, notification must be made in the most expedient time possible without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system. Disclosure must be made without unreasonable delay. Delay is reasonable if the delay is necessary to restore the integrity of the computer system, discover the scope of the breach, or law enforcement requests. This statute is only applicable to unencrypted or unredacted PI. Statute applies to any agency, individual or commercial entity that maintains or owns PI. Law enforcement caveat. Statute covers any data collector that owns, maintains, or licenses PI concerning IL residents. Applies to any breach of unencrypted PI or encrypted PI if the encryption key has been compromised. Only the AG can bring an action under the act.

Iowa: XVI-715c
Disclosure must be made in the most expeditious manner possible without unreasonable delay consistent with any measures necessary to determine contact information, determine the scope of the breach, and restore the informational system. Law enforcement caveat. Only applies to unencrypted or unredacted PI. Furthermore, notification is not required if, after an appropriate investigation or consultation with law enforcement, there is no reasonable likelihood of financial harm to the consumers whose personal information was acquired.

Kansas: 50-7a
Upon awareness of a breach of the system, owner must conduct a reasonable investigation in good faith in a prompt manner to determine the likelihood that the misuse of information has occurred or is reasonably likely to occur. If there has been misuse or the likelihood of misuse, notice must be given in the most expeditious time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the informational system. Only applies to unencrypted or unredacted data. Law enforcement caveat.

Louisiana: 51-51-3071
Notification must be made in the most expedient time possible and without unreasonable delay consistent with the needs of law enforcement. Only applies to unencrypted or unredacted data. Law enforcement caveat. Applies to any person that conducts business in the state or maintains data on LA residents. Allows a private cause of action.

Maine: 10-3-210-b- 1346
Upon discovery of a breach, the information broker must conduct in good faith a reasonable and prompt investigation to determine the likelihood that PI has been or will be misused. Notice must be made as expeditiously as possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the informational system. Only applies to unredacted or unencrypted PI. Law enforcement caveat.

Maryland: 14-3504
Business must give notification of breach to affected MD residents if, after a good faith reasonable investigation, it determines that PI has been or will be misused as a result of the breach. Notification can be delayed due to law enforcement concerns or national security, or to determine the scope of the breach or restore the integrity of the compromised system. Any business that owns, maintains or licenses data that includes PI is covered by this statute. Law enforcement caveat. Violation of statute is unfair or deceptive trade practice.

Massachusetts: 1-15-93H
A person or agency that owns or licenses data that includes PI about a resident of MA shall provide notice as soon as practicable and without unreasonable delay upon discovery of a breach or when the person or agency has reason to believe that there was unauthorized use of PI. This notice must be made to the MA AG and consumer reporting agencies. Applies primarily to only unencrypted information. Law enforcement caveat.

Michigan: 445.63
Notice must be provided without unreasonable delay. Notice may be withheld if a security breach is not likely to cause substantial loss, injury, or result in identity theft. Notice may be delayed to investigate the scope of the breach and restore the integrity of the system. Applies primarily to only unencrypted information; however, there is a caveat if the encrypted information was acquired by a person with unauthorized access to the encryption key. Law enforcement caveat. Notice must also be given to consumer reporting agencies.

Minnesota: 325E.61
Disclosure must be made in the most expedient time and manner possible without unreasonable delay consistent with legitimate needs of law enforcement. A delay is reasonable if it is necessary to restore the integrity of the system, identify the scope of the breach, or identify the individuals affected. Applies only to unencrypted information. This statute is not waivable by contract. Financial institutions are exempt from this statute.

Mississippi: 75-24-29
Anyone who conducts business in the state must disclose a breach of PI to affected individuals without unreasonable delay, subject to legitimate needs of law enforcement, determine the scope of the breach, restore the compromised system, or identify the affected individuals. Notice is not required, if, after an appropriate investigation, it is determined that the breach will not likely rest Applies to unsecured and unencrypted information.

Missouri: 407.1500
Following discovery or notification of a breach, notice must be provided to the affected consumers without unreasonable delay, consistent with any measures necessary to determine contact information of those affected, determine the scope of the breach, and restore system integrity. Applies only to unencrypted or unredacted PI. Must contact AG if there are over 1000 individuals from the breach. Notification is not required, if, after reasonable investigation, it is unlikely that there could be identity theft or other fraud. Law enforcement caveat.

Montana: 30-14-1702
Following discovery or notification of a breach, notice must be provided to the affected consumers without unreasonable delay, consistent with any measures necessary to determine contact information of those affected, determine the scope of the breach, and restore the integrity of the system. Businesses have an obligation to destroy sensitive records that contain PI that are no longer necessary to preserve. Law enforcement caveat. Only applies to unencrypted or unredacted information. Issuers of credit cards have different obligations and rules.

Nebraska: 87-801
Following discovery or notification of a breach, the commercial entity must conduct in good faith a reasonable and prompt investigation to determine the likelihood that PI has been or will be used for an unauthorized purpose. If unauthorized purpose has occurred or is reasonably likely to occur, the commercial entity must provide notice as soon as possible and without unreasonable delay to the affected consumers, consistent with any measures necessary to determine the scope of the breach and restore the integrity of the system. Law enforcement caveat. This provision is unwaivable as against public policy. Only applies to unencrypted or unredacted information.

Nevada: 52-603A.020
Following discovery or notice of a breach, disclosure must be made to the affected consumers in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach or restore the reasonable integrity of the system. This provision is unwaivable as against public policy. Law enforcement caveat. Only applies to unencrypted or unredacted information. The entity breached has a cause of action against the individual who unlawfully acquired the information.

New Hampshire: 31-359-C:19
After awareness of a security breach, the commercial entity must promptly determine the likelihood that the information has been or will be misused. If it is determined that the information has been misused or is reasonably likely to be misused, the entity shall notify the individuals affected as soon as possible. Only applies to unencrypted or unredacted information. Law enforcement caveat. This creates a private cause of action for the individuals affected for actual damages. If the violation or protocol was a willful or knowing violation, damages must be at least doubled and possibly tripled. Prevailing plaintiff is additionally awarded costs and attorney fees. It is against public policy to waive or void this statute. The burden is on the entity to prove compliance with this statute.

New Jersey: 56:8-161
Disclosure shall be made after awareness of a possible breach. Notice must be given in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach or restore the integrity of the system. Notification is not required if it is determined that misuse of information is not reasonably possible; this determination needs to be made in writing. Obligation for entity to destroy sensitive records containing PI when they are no longer relevant for business purposes. Law enforcement caveat.

New Mexico: No law.

New York: 39-F-899-aa
Disclosure must be made to the affected consumers following discovery, reasonable possibility of, or notification of the breach. Notice must be given in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach or restore the integrity of the compromised system. Two year statute of limitations upon discovery of a breach. Law enforcement caveat. Applies only to unencrypted or unredacted information.

North Carolina: 75-2A-75-61
After discovery or notice of a breach, notice must be given to the affected individuals without unreasonable delay, consistent with any measures necessary to determine the scope of the breach, determine contact information of the affected consumers, and restore the reasonable integrity of the system. Law enforcement caveat. Only applies to unencrypted or unredacted PI. The AG needs to be contacted for large breaches. The particularities of the notification requirements are extremely detailed.

North Dakota: 51-30-01
Disclosure shall be made after notice, discovery, or reasonable belief of a breach. The notice must be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach or restore the integrity of the data system. Only applies to unencrypted or unredacted information. Law enforcement caveat.

Ohio: 1349.19
Following discovery or notification of a breach in which PI was, or reasonably is believed to have been acquired, AND acquisition of the PI causes or is reasonably believed will cause a risk of identity theft or other fraud, the affected consumers must be notified. The notification must be made in the most expedient time possible but no later than 45 days, consistent with any measures necessary to determine the scope of the breach or restore the security of the system. The disclosure required in this statute is allowed to be dictated by contract, as long as there is no conflict between the notification procedures in the statute and the contractual requirements. This statute still cannot be waived. Law enforcement caveat. Only applies to unencrypted or unredacted information. The fines for violations brought by the AG are particularly onerous.

Oklahoma: 24-161
Notice must be given following discovery or notification of the breach if PI has been or is reasonably believed to have been acquired AND that it causes, or reasonably believes that it will cause identity theft or other fraud. Disclosure must be made without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the system. Only applies to unencrypted or unredacted information. Law enforcement caveat.

Oregon: 646A.602
Disclosure must be made after discovery or notification of a breach. Notice must be given in the most expeditious time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach, gather contact information of the affected consumers, and to determine the reasonable integrity of the system. Only applies to unencrypted or unredacted information. Law enforcement caveat. Notification is not required if, after consultation with relevant authorities or an appropriate investigation, it is determined that there is no reasonable likelihood of harm to consumers resulting from the breach.

Pennsylvania: 73-2301
After discovery or notice of a breach, notice must be given to the affected consumers. Notice must be given in the most expeditious time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach, gather contact information of the affected consumers, and to determine the reasonable integrity of the system. Only applies to unencrypted or unredacted information. Law enforcement caveat.

Rhode Island: 11-49.2-3
After discovery or notice of a breach, or a reasonable belief that PI may have been compromised, notice must be given. Notice must be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach or restore the integrity of the system. Only applies to unencrypted or unredacted information. Law enforcement caveat. Notification is not required if, after consultation with relevant authorities or an appropriate investigation, it is determined that there is no significant risk of identity theft from the misuse.

South Carolina: 39-1-90
After discovery or notice of a breach, or a reasonable belief that PI may have been compromised, notice must be given. Notice must be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach or restore the integrity of the system. The information must be used illegally or is reasonably likely to be used illegally to count as a "breach". This creates a private cause of action to recover damages in a willful or knowing violation or actual damages for a negligent violation. Prevailing plaintiffs may recover attorney fees. Law enforcement caveat. Only applies to unencrypted or unredacted information.

South Dakota: No law.

Tennessee: 47-18-2107
Notification must be made after discovery or notification of a breach when PI has been, or is reasonably likely to be compromised. Disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the integrity of the compromised system. This creates a private cause of action to recover damages. Law enforcement caveat. Only applies to unencrypted or unredacted information.

Texas: 521.002
Notification is required after discovery or notice of a breach, if any PI has been or is reasonably believed to have been acquired by an unauthorized person. Disclosure must be made as quickly as possible, consistent with any measures necessary to determine the scope of the breach or restore the integrity of the compromised system. Law enforcement caveat. Only applies to unencrypted or unredacted information.

Utah: 13-44-101
After discovery or notification of a breach, the entity shall conduct a good faith, reasonable, and prompt investigation to determine whether PI has been or will be misused for identity theft or fraud purposes. Notification must be made in the most expedient time possible and without unreasonable delay. All businesses that maintain PI must maintain reasonable procedures to prevent unlawful acquisition. Law enforcement caveat. Only applies to unencrypted or unredacted information. Businesses are required to destroy unnecessary records that contain PI.

Vermont: 63-2430-5(A)
This law is undergoing revisions. Upon discovery or notification of a breach, notice must be given in the most expeditious time possible and without unreasonable delay, consistent with measures necessary to restore the integrity of the system and to determine the scope of the breach. The notice requirements are onerous. Law enforcement caveat. Only applies to unredacted or unencrypted information.

Virginia: 18.2-186.6
The PI acquired must, or will be reasonably likely to, cause identity theft or fraud to trigger the statute. Upon notification or discovery of a breach, disclosure must be made to the affected residents and the office of the AG without unreasonable delay, consistent with any measures necessary to determine the scope of the breach or restore the integrity of the system. Law enforcement caveat. Only applies to unredacted or unencrypted information.

Washington: 19.255.010
Following discovery or notification of a breach in which PI was, or reasonably is believed to have been acquired, notice must be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach or restore the reasonable integrity of the system. Law enforcement caveat. Only applies to unredacted or unencrypted information. This provision cannot be waived or modified by contract. This creates a private cause of action.

West Virginia: 46A-2A-101
The PI acquired must, or will be reasonably likely to, cause identity theft or fraud to trigger the statute. Upon notification or discovery of a breach, disclosure must be made to the affected residents without unreasonable delay, consistent with any measures necessary to determine the scope of the breach or restore the integrity of the system. Law enforcement caveat. Only applies to unredacted or unencrypted information.

Wisconsin: 134.98
After discovery or notice of a breach, disclosure must be made within a reasonable period, not to exceed 45 days. Notice is not required if the information acquired does not create a material risk of identity theft or fraud. Law enforcement caveat. Only applies to unencrypted or unredacted information. Failure to comply with this statute is not negligence or breach of any duty, but may be evidence of such.

Wyoming: 40-12-501
The PI acquired must cause or is reasonably likely to cause loss or injury to residents. Upon notification or discovery of a breach, disclosure must be made to the affected residents in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach or restore the integrity of the system. Law enforcement caveat. Only applies to unencrypted or unredacted information. There is a complicated third party notice requirement in conjunction with first party obligations.