REGULATORYOVERSIGHT.COM
Interactive Data Breach Notification Map
In the event of a suspected security incident, our response team can be reached at incident.response@troutman.com
Troutman Pepper
How is “Breach” defined?
How is “Personal Information” defined?
Risk of Harm Analysis Standard
Notice Deadline
Notice Content Requirements
AG Notice Trigger
Notification to Consumer Protection Agencies
If an entity discovers circumstances requiring notice to more than 1,000 individuals, the entity shall also notify, without unreasonable delay, all consumer reporting agencies.
If the number of individuals an entity is required to notify exceeds 1,000, the entity shall notify the attorney general as expeditiously as possible and without unreasonable delay, but no later than 45 days after the entity either (i) determines that a breach is reasonably likely to cause substantial harm to individuals; or (ii) receives notice from a third-party agent that a breach has occurred.
The notice shall include:
1. The date, estimated date, or estimated date range of the breach
2. A description of the sensitive personally identifying information that was acquired by an unauthorized person as part of the breach
3. A general description of the actions taken by a covered entity to restore the security and confidentiality of the personal information involved in the breach
4. A general description of steps an affected individual can take to protect himself or herself from identity theft; and
5. Information that the individual can use to contact the covered entity to inquire about the breach
Following notification from a third-party agent that a breach has occurred, or determination that a breach is likely to cause substantial harm to individuals, entity that owns or licenses computerized personal information shall notify Alabama residents within 45 days.
Entity that only maintains, stores or processes computerized personal information shall notify the owner or licensee of the breach as expeditiously as possible and without unreasonable delay, but no later than 10 days following the determination or belief that a breach has occurred.
Following investigation:
Notification is not required if, after a reasonable investigation, it is determined that there is no reasonable likelihood of causing substantial harm to consumers.
Alabama law outlines four factors to consider when determining whether personal information has been acquired.
An individual’s first name or first initial and last name in combination with one or more of the following:
A. A nontruncated Social Security number or tax identification number
B. A nontruncated driver's license number, state-issued identification card number, passport number, military identification number, or other unique identification number issued on a government document used to verify the identity of a specific individual
C. A financial account number, including a bank account number, credit card number, or debit card number, in combination with any security code, access code, password, expiration date, or PIN, that is necessary to access the financial account or to conduct a transaction that will credit or debit the financial account
D. Any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional
E. An individual's health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual; or
F. A username or email address, in combination with a password or security question and answer that would permit access to an online account affiliated with the covered entity that is reasonably likely to contain or is used to obtain sensitive personally identifying information.
The unauthorized acquisition of data in electronic form containing sensitive personally identifying information.
Alabama
AL ST §§ 8-38-1 et seq.
Is “Personal Information” broader than the general definition?
Yes
Does the law apply to paper records?
No
Is notification triggered by access only?
No
Is a risk-of-harm analysis permitted?
Is notice to a state agency or AG required?
Is there a specific deadline for individual notices?
Is there a specific format or language that must be included in the individual notice?
Is a private right of action permitted?
QUICK FACTS
If more than 1,000 Alabama residents are notified
If 1,000 or more residents receive notice
1. Any consumer injured by a violation of this chapter may institute a civil action to recover damages.
2. Any person or business that violates, proposes to violate, or has violated this chapter may be enjoined.
3. The rights and remedies available under this chapter are cumulative to each other and to any other rights and remedies available under law.
For actions brought by the attorney general to enforce this chapter, a violation of this chapter is not reasonable in relation to the development and preservation of business and is an unfair or deceptive act in trade or commerce and an unfair method of competition for purposes of applying the consumer protection act, chapter 19.86 RCW. An action to enforce this chapter may not be brought under RCW 19.86.090.
The attorney general may bring an action in the name of the state, or as parens patriae on behalf of persons residing in the state, to enforce this chapter. For actions brought by the attorney general to enforce this chapter, the legislature finds that the practices covered by this chapter are matters vitally affecting the public interest for the purpose of applying the consumer protection act, chapter 19.86 RCW.
The notice to the attorney general shall include the following information:
The number of Washington consumers affected by the breach, or an estimate if the exact number is not known
A list of the types of personal information that were or are reasonably believed to have been the subject of a breach
A time frame of exposure, if known, including the date of the breach and the date of the discovery of the breach
A summary of steps taken to contain the breach
A single sample copy of the security breach notification excluding any personally identifiable information.
The notice to the attorney general must be updated if any of the information identified in (a) of this subsection is unknown at the time notice is due.
If notification to 500 or more Washington residents, entity must notify the attorney general.
The notification must include, at a minimum, the following information:
A. The name and contact information of the reporting person or business subject to this section
B. A list of the types of personal information that were or are reasonably believed to have been the subject of a breach
C. A time frame of exposure, if known, including the date of the breach and the date of the discovery of the breach
D. Toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed personal information
The notification must be written in plain language
Entity that owns or licenses personal information shall notify Washington residents “in the most expedient time possible and without unreasonable delay” but not later than 30 days following discovery or notice of the breach.
Entity that only maintains or stores personal information shall notify the owner or licensee of the breach immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
30 days following discovery or notice of breach:
The breach of secured personal information must be disclosed if the information acquired and accessed is not secured during a security breach or if the confidential process, encryption key, or other means to decipher the secured information was acquired by an unauthorized person.
Notice is not required if the breach of the security of the system is not reasonably likely to subject consumers to a risk of harm.
Username or email address in combination with a password or security questions and answers that would permit access to an online account
Or
Any of the data elements or any combination of the data elements described in (a)(i) of this subsection without the consumer's first name or first initial and last name if:
A. Encryption, redaction, or other methods have not rendered the data element or combination of data elements unusable; and
B. The data element or combination of data elements would enable a person to commit identity theft against a consumer.
An individual's first name, first initial and last name, or any other personal identifier, which, in combination with any of the following:
A. Social Security number
B. Driver's license number or Washington identification card number
C. Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account, or any other numbers or information that can be used to access a person's financial account
D. Full date of birth
E. Private key that is unique to an individual and that is used to authenticate or sign an electronic record
F. Student, military, or passport identification number
G. Health insurance policy number or health insurance identification number
H. Any information about a consumer's medical history or mental or physical condition or about a health care professional's medical diagnosis or treatment of the consumer
I. Biometric data
The unauthorized acquisition of data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business.
Washington
Wash. Rev. Code § 19.255.005 et seq.
Yes
If more than 500 residents receive notice, and must be within 30 days following discovery or notification of the breach
Within 30 days following discovery or notification of the breach
If entity provides notice to more than 1,000 Oregon residents, the entity shall notify, without unreasonable delay, all consumer reporting agencies.
If entity provides notice to more than 250 Oregon residents, entity must also provide notice to the Attorney General.
1. A description of the breach of security in general terms
2. The approximate date of the breach of security
3. The type of personal information that was subject to the breach of security
4. Contact information for the covered entity
5. Contact information for national consumer reporting agencies, and
6. Advice to the consumer to report suspected identity theft to law enforcement, including the Attorney General and the Federal Trade Commission.
shall notify Oregon residents “in the most expeditious manner possible, without unreasonable delay,” but in no event later than 45 days after discovering or receiving notification of the breach.
shall notify the owner or licensee of the breach within 10 days after discovering the breach or having a reason to believe that the breach of security occurred.
45 days after discovering or receiving notification of the breach:
Entity does not need to notify consumers of a breach if, after an appropriate investigation or after consultation with relevant federal, state or local law enforcement agencies, the entity reasonably determines that the consumers whose personal information was subject to the breach are unlikely to suffer harm.
The entity must document the determination in writing and maintain the documentation for at least five years.
A username or other means of identifying a consumer for the purpose of permitting access to the consumer's account, together with any other method necessary to authenticate the username or means of identification.
Any of the data elements or any combination of the data elements described in subparagraph (A) or (B) of this paragraph without the consumer's username, or the consumer's first name or first initial and last name, if: (i) Encryption, redaction or other methods have not rendered the data element or combination of data elements unusable; and (ii) the data element or combination of data elements would enable a person to commit identity theft against a consumer.
A consumer's first name or first initial and last name in combination with any one or more of the following:
A. A consumer's Social Security number
B. A consumer's driver license number or state identification card number issued by the Department of Transportation
C. A consumer's passport number or other identification number issued by the United States
D. A consumer's financial account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to a consumer's financial account, or any other information or combination of information that a person reasonably knows or should know would permit access to the consumer's financial account
E. Data from automatic measurements of a consumer's physical characteristics, such as an image of a fingerprint, retina or iris, that are used to authenticate the consumer's identity in the course of a financial transaction or other transaction
F. A consumer's health insurance policy number or health insurance subscriber identification number in combination with any other unique identifier that a health insurer uses to identify the consumer, or
G. Any information about a consumer's medical history or mental or physical condition or about a health care professional's medical diagnosis or treatment of the consumer.
The unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information that a person maintains or possesses.
Oregon
ORS § 646A.600 et seq.
If more than 250 residents receive notice
Within 45 days after discovering or receiving notification of the breach
Notice to consumer reporting agencies without unreasonable delay is required if more than 1,000 Alaska residents are notified.
N/A
shall disclose the breach to each state resident in the most expeditious time possible and without unreasonable delay.
Entity that does not own or have the right to license the personal information to another entity shall immediately disclose the breach to the entity that owns or who licensed the personal information to such entity.
Following discovery or notification of the breach:
Notice is not required if after an appropriate investigation and after written notification to the attorney general, the entity determines there is not a reasonable likelihood that harm to the consumers will result from the breach. The determination shall be documented in writing and be maintained for five years.
An individual’s first name or initial and their last name and one or more of the following:
A. Social Security number
B. Driver’s license number or state identification card
C. Account number, credit card number or debit card number in combination with a security code, access code, personal identification number, or a password; or
D. Passwords, personal identification numbers, or other access codes for financial accounts
The unauthorized acquisition of personal information.
Alaska
AS §§ 45.48.010 et seq.
NO
Unless relying on risk-of-harm analysis
If more than 1,000 Alaska residents are notified
If notice is required to 1,000 persons at any one time, entity shall also notify, without unreasonable delay, any consumer reporting agency.
shall notify Nevada residents “made in the most expedient time possible and without unreasonable delay,” following discovery or notification of the breach.
shall notify the owner or licensee of the breach immediately following discovery that the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
Following discovery or notification of breach:
Notification only required if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
An individual’s first name or first initial and last name in combination with any one or more of the following:
A. Social Security number
B. Driver's license number, driver authorization card number or identification card number
C. Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person's financial account
D. A medical identification number or a health insurance identification number, or
E. A username, unique identifier or electronic mail address in combination with a password, access code or security question and answer that would permit access to an online account
The unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information maintained by the data collector.
Nevada
Nev. Rev. Stat. Ann. § 603A.010 et seq.
shall notify Utah residents “in most expedient time possible” following discovery or notification of the breach.
shall notify the owner or licensee “immediately following discovery” of the breach if they discover that personal information may have been acquired by an unauthorized person.
Notification not required if, after a reasonable and prompt investigation, the covered entity determines that the personal information has not or will not be misused for identity theft or fraud.
An individual’s first name or first initial and last name in combination with:
A. Social Security number
B. Driver’s license or state identification card number
C. Account number, credit or debit card number, in combination with a linked security or access code, or password of an individual’s financial account
The unauthorized acquisition of computerized data maintained by a person that compromises the security, confidentiality, or integrity of personal information.
Utah
U.C.A. 1953 § 13-44-101 et seq.
If a business discloses a security breach to any individual and gives a notice to the individual that suggests, indicates, or implies to the individual that the individual may obtain a copy of the file on the individual from a consumer credit reporting agency, the business shall coordinate with the consumer reporting agency as to the timing, content, and distribution of the notice to the individual.
Any person or business that is required to issue a notification pursuant to this section shall simultaneously submit an electronic copy of the notification and a statement providing the date and method of distribution of the notification to the attorney general’s consumer protection office.
If notification is made to more than one individual, the notification must indicate the number of individuals in the state who received notification.
shall notify Montana residents without unreasonable delay following the investigation that determines the breach caused or is reasonably believed to cause loss or injury to a Montana resident.
Entity that only maintains or stores personal information shall immediately notify the owner or licensee of the breach if the personal information was, or is reasonably believed to have been, accessed and acquired by an unauthorized person.
Notification is not required if entity reasonably believes breach has not or will not cause loss or injury to a Montana resident.
An individual’s first name or first initial and last name in combination with any one or more of the following:
A. Social Security number
B. Driver’s license number, state identification card number, or tribal identification card number
C. Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account
D. Medical record information
E. Taxpayer identification number, or
F. Identity protection personal identification number issued by the United States internal revenue service.
The unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information and causes or is reasonably believed to cause loss or injury to a Montana resident.
Montana
Mt. Code Ann. 30-14-1704 et seq.
Notice must be clear and conspicuous and shall include, at a minimum:
1. A toll-free number that the individual may use to contact the person collecting the data, or his agent
2. From which the individual may learn the toll-free contact telephone numbers and addresses for the major credit reporting agencies
3. The types of personal identifying information that were or are reasonably believed to have been the subject of the breach
4. A general description of the breach incident
5. The approximate date of the breach of security, if that information is reasonably possible to determine at the time notice is provided
6. In general terms, the actions taken by the individual or commercial entity to protect the system containing the personal identifying information from further breaches
7. Advice that directs the person to remain vigilant by reviewing account statements and monitoring credit reports, and
8. Whether notification was delayed as a result of a law enforcement investigation, if that information is reasonably possible to determine at the time the notice is provided.
Entity that owns or licenses personal information shall notify Wyoming residents of breach as soon as possible, when it becomes aware of a breach of the security of the system, which after conducting in good faith a reasonable and prompt investigation, determines the likelihood that personal identifying information has been or will be misused.
shall notify the owner or licensee of the breach as soon as practicable following the determination that personal identifying information was, or is reasonably believed to have been, acquired by an unauthorized person.
Notification not necessary unless the investigation determines that the misuse of personal identifying information about a Wyoming resident has occurred or is reasonably likely to occur.
The first name or first initial and last name of an individual in combination with one or more of the following:
A. Social Security number
B. Driver's license number
C. Account number, credit card number or debit card number in combination with any security code, access code or password that would allow access to a financial account of the person
D. Tribal identification card, or
E. Federal or state government issued identification card
F. A username or email address, in combination with a password or security question and answer that would permit access to an online account
G. A birth or marriage certificate
H. Medical information, meaning a person's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional
I. Health insurance information, meaning a person's health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the person or information related to a person's application and claims history
J. Unique biometric data, meaning data generated from measurements or analysis of human body characteristics for authentication purposes, or
K. An individual taxpayer identification number
The unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal identifying information maintained by a person or business and causes or is reasonably believed to cause loss or injury to a resident of this state.
Wyoming
Wyo. Stat. § 40-12-501 et seq.
The three largest nationwide consumer reporting agencies if more than 1,000 residents must be notified.
If the unencrypted personal information of more than 1,000 individuals is breached, then the data controller must disclose the breach to the attorney general.
The notice shall state:
Entity’s name and contact information
A general description of the security breach
The date, estimated date, or range of dates the breach occurred (if known)
A list of the types of personal information reasonably believed to have been subject to the breach
The toll-free numbers and addresses of the major consumer reporting agencies
Advice to review personal account statements and credit reports for errors, and
Advice regarding consumer rights under the Fair Credit Reporting Act
shall notify residents within 45 days following discovery or notification of the breach.
45 days following discovery or notification of the breach:
Notification not required if entity determines that the breach does not pose a significant risk of identity theft or fraud.
First name or first initial and last name in combination with at least one of the following:
A. Social Security number
B. Driver's license number or government-issued identification number
C. Financial account number, including a credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account, or
D. Biometric data
The unauthorized acquisition of and unauthorized access that materially compromises the security or confidentiality of unencrypted and unredacted computerized personal information.
New Mexico
N. M. Stat. Ann. § 57-12C-1 et seq.
Within 45 days of discovery of the breach, if 1,000 or more residents are notified
Within 45 days of discovery of the breach
If the unencrypted personal information of more than 250 individuals is breached, then the data controller must disclose the breach to the attorney general.
Entity that owns or licenses personal information shall notify North Dakota residents “in most expedient time possible” following discovery or notification of the breach.
A. The individual’s Social Security number
B. The operator’s license number assigned to an individual by the department of transportation
C. A nondriver color photo identification card number assigned to the individual by the department of transportation
D. The individual’s financial institution account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial accounts
E. The individual’s date of birth
F. The maiden name of the individual’s mother
G. Medical information
H. Health insurance information
I. An identification number assigned to the individual by the individual’s employer in combination with any required security code, access code, or password, or
J. The individual’s digitized or other electronic signature
The unauthorized acquisition of computerized personal information.
North Dakota
N.D. Cent. Code §§ 51-30-01 et seq.
If 250 or more residents are notified
If notifying the South Dakota Attorney General, entity should notify all consumer reporting agencies without unreasonable delay.
If the personal information of more than 250 individuals is breached, then the data controller must disclose the breach to the attorney general.
shall notify South Dakota residents “within 60 days” following discovery or notification of the breach.
Within 60 days following discovery or notification of the breach:
Entity not required to notify if, following an appropriate investigation and notice to the attorney general, the entity reasonably determines that the breach will not likely result in harm to the affected person.
A. Social Security number
B. Driver's license number or other unique identification number created or collected by a government body
C. Account, credit card, or debit card number, in combination with any required security code, access code, password, routing number, PIN, or any additional information that would permit access to a person's financial account
D. Health information, or
E. An identification number assigned to a person by the person's employer in combination with any required security code, access code, password, or biometric data generated from measurements or analysis of human body characteristics for authentication purposes
The unauthorized acquisition of unencrypted computerized data or encrypted computerized data and the encryption key by any person that materially compromises the security, confidentiality, or integrity of personal or protected information maintained by the information holder.
South Dakota
S.D. Codified Laws §§ 22-40 et seq.
Within 60 days from the discovery or notification of the breach if 250 or more residents are notified
Within 60 days from discovery or notification of the breach
A. Social Security number
B. Driver's license number or other unique identification number created or collected by a government body
C. Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a resident's financial account;
D. Unique electronic identification number or routing code, in combination with any required security code, access code, or password; or
E. Unique biometric data, such as a fingerprint, voice print, or retina or iris image, or other unique physical representation; or
The unauthorized acquisition of unencrypted computerized data or encrypted computerized data and the encryption key by any person that materially compromises the security, confidentiality, or integrity of personal or protected information maintained by an individual or a commercial entity.
Nebraska
Neb. Rev. Stat. §§ 87-801 et seq.
shall, following discovery or notification of the breach, notify any Oklahoma resident whose personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person and that causes, or the entity reasonably believes has caused or will cause, identity theft or other fraud to any resident of this state.
Entity that only maintains or stores computerized data shall notify the owner or licensee of the breach of the security of the system as soon as practicable following discovery, if the personal information was or if the entity reasonably believes was accessed and acquired by an unauthorized person.
Notification only required if entity reasonably believes personal information has been accessed and acquired by an unauthorized person and that caused, or the entity reasonably believes has caused or will cause, identity theft or other fraud to any resident of this state.
An individual’s first name or first initial and last name linked to any one or more of the following:
A. Social Security number
B. Driver's license number or state identification card number issued in lieu of a driver license, or
C. Financial account number, or credit or debit card number, alone or in combination with any required security code, access code or password that would permit access to a consumer's financial account.
The unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information and that causes, or the entity reasonably believes has caused or will cause, identity theft or other fraud to any resident of this state.
Oklahoma
24 Okl.St.Ann. § 161 et seq.
If entity notifies at least 10,000 Texas residents of a breach, entity shall also notify each consumer reporting agency that maintains files on consumers on a nationwide basis of the timing, distribution, and content of the notices without unreasonable delay.
If entity notifies at least 250 Texas residents of a breach, then entity shall also, not later than the time when notice is provided to the Texas residents, provide notice of the breach to the Attorney General.
shall notify Texas residents “without unreasonable delay” and within 60 days following discovery or notification of breach.
shall notify the owner or licensee of the breach immediately after discovering the breach, if the sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
Within 60 days following discovery or notification of breach:
“Sensitive personal information” means
A. an individual’s first name or first initial and last name in combination with any one or more of the following:
(i) Social Security number
(ii) Driver’s license number or government-issued identification number, or
(iii) Account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account or
B. information that identifies an individual and relates to:
(i) The physical or mental health or condition of the individual
(ii) The provision of health care to the individual, or
(iii) Payment for the provision of health care to the individual.
Information that alone or in conjunction with other information identifies an individual, including an individual’s:
Name, Social Security number, date of birth, or government-issued identification number
Mother’s maiden name
Unique biometric data, including the individual’s fingerprint, voice print, and retina or iris image
Unique electronic identification number, address, or routing code, and
Telecommunication access device as defined by Section 32.51, Penal Code.
The unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information.
Texas
V.T.C.A., Bus. & C. § 521.002 et seq.
Within 60 days following discovery or notification of breach, if 250 or more residents notified
Within 60 days following discovery or notification of breach
If notice is required to be provided to more than 1,000 Missouri residents, then without unreasonable delay, the major consumer reporting agencies must be notified of the timing, distribution, and content of the notice to consumers.
If notice is required to be provided to more than 1,000 Missouri residents, then without unreasonable delay, the Attorney General’s office must be notified of the timing, distribution, and content of the notice to consumers.
The incident in general terms
The type of personal information that was obtained as a result of the breach of security
A telephone number that the affected consumer may call for further information and assistance, if one exists
Contact information for consumer reporting agencies; and
Advice that directs the affected consumer to remain vigilant by reviewing account statements and monitoring free credit reports.
The notice must include a description of the following:
shall notify Missouri residents without unreasonable delay.
that the entity does not own or license shall notify the owner or licensee immediately.
Entity that only maintains or possesses personal information...
Notification is not required if, after an appropriate investigation or after consultation with the relevant federal, state, or local agencies responsible for law enforcement, it is determined that a risk of identity theft or other fraud to any consumer is not reasonably likely to occur.
An individual's first name or first initial and last name in combination with any one or more of the following:
Social Security number
Driver's license number or other unique identification number created or collected by a government body
Financial account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account
Unique electronic identifier or routing code, in combination with any required security code, access code, or password that would permit access to an individual's financial account
Medical information; or
Health insurance information
The unauthorized access to and unauthorized acquisition of computerized personal information.
Missouri
Mo. Rev. Stat. § 407.1500
If 1,000 or more residents are notified
If more than 1,000 Missouri residents are notified
If the entity is required to provide notice to over 1,000 Wisconsin residents, it must notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the timing, distribution, and content of the notices sent to the individuals.
Upon written request by a person who has received a notice, the entity shall identify the personal information that was acquired.
The notice shall indicate that the entity knows of the unauthorized acquisition of personal information pertaining to the affected resident.
shall notify Wisconsin residents within a reasonable time, not to exceed 45 days.
but do not own such information shall notify the owner or licensee as soon as practicable.
Entity that only stores personal information...
If the acquisition of personal information does not create a material risk of identity theft or fraud, or the personal information was acquired in good faith and used for a lawful purpose of the entity, no notice is required.
An individual's last name and the individual's first initial, in combination with any of the following:
The individual's Social Security number
The individual's driver's license number or state identification number
The number of the individual's financial account number, including a credit or debit card account number, or any security code, access code, or password that would permit access to the individual's financial account
The individual's DNA; or
The individual's biometric data
When an entity knows that personal information has been acquired by a person whom the entity has not authorized to acquire the information.
Wisconsin
Wis. Stat. § 134.98 et seq.
45 days after the entity learns of the acquisition of personal information
If more than 1,000 Wisconsin residents are notified
If an entity is required to provide notice to over 1,000 Ohio residents, the entity must also notify, without reasonable delay, the major consumer reporting agencies of the timing, distribution, and content of the disclosure.
shall notify Indiana residents within 45 days.
on behalf of another entity shall notify that entity in an expeditious manner.
Entity that is the custodian of or stores personal information...
To constitute a breach, the unauthorized access to and acquisition of computerized data must be reasonably believed to have caused or will cause a material risk of identity theft or other fraud to an Ohio resident.
A person’s first initial and last name with:
Social Security number
Driver's license number or state identification card number; or
Account number or credit or debit card number, in combination with and linked to any required security code, access code, or password that would permit access to an individual's financial account.
The unauthorized access to and acquisition of computerized personal information that reasonably is believed to have caused or will cause a material risk of identity theft or other fraud to an Ohio resident.
Ohio
Ohio Rev. Code Ann. § 1349.19 et seq.
If more than 1,000 Ohio residents are notified
45 days after notification or discovery of breach
If an entity is required to provide notice to over 1,000 Tennessee residents, it must also notify, without reasonable delay, the major consumer reporting agencies of the timing, distribution, and content of the notice.
shall notify Tennessee residents within 45 days.
that it does not own must notify the owner or licensee within 45 days.
Entity that only maintains or personal information...
A breach only occurs when the acquisition of the information materially compromises the security, confidentiality, or integrity of personal information.
An individual’s first initial and last name with:
Social Security number
Driver's license number
Account, credit card, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
The acquisition of computerized personal information by an unauthorized person that materially compromises the security, confidentiality, or integrity of personal information maintained by the information holder.
Tennessee
Tenn. Code Ann. § 47-18-2107 et seq.
If more than 1,000 Tennessee residents are notified
shall notify Mississippi residents without unreasonable delay.
that the entity does not own shall notify the owner or licensee as soon as practicable.
Entity that only maintains personal information...
Notification is not required if, after an appropriate investigation, the entity reasonably determines that the breach will not likely result in harm to the affected individuals.
An individual's first name or first initial and last name in combination with any one or more of the following:
Social Security number
Driver's license number, state identification card number or tribal identification card number; or
An account number or credit or debit card number in combination with any required security code, access code or password that would permit access to an individual's financial account.
The unauthorized acquisition of electronic files, media, databases or computerized data containing personal information of any resident of this state.
Mississippi
Miss. Code Ann. § 75-24-29 et seq.
If an entity provides notice to more than 1,000 persons at one time, then the business shall notify, without unreasonable delay, all consumer reporting agencies.
If an entity provides notice to more than 1,000 persons at one time, then the business shall notify, without unreasonable delay, the South Carolina Consumer Protection Division of the Department of Consumer Affairs of the timing, distribution, and content of the notice.
shall disclose the breach to each state resident in the most expedient time possible, without unreasonable delay following discovery of the breach.
shall notify the owner or licensee immediately following discovery of the breach.
Entity that does not own or have the right to license the personal information...
Disclosure of a breach of security to a customer shall not be required if illegal use of the information acquired is not reasonably likely to occur or is not reasonably likely to create a material risk of harm to the affected individual.
The first name or first initial and last name in combination with and linked to any one or more of the following:
Social Security number
Driver's license number or state identification card number issued instead of a driver's license
Financial account number, or credit card or debit card number in combination with any required security code, access code, or password that would permit access to a resident's financial account, or
Other numbers or information which may be used to access a person's financial accounts or numbers or information issued by a governmental or regulatory entity that uniquely will identify an individual.
The unauthorized access to and acquisition of computerized data that compromises the security, confidentiality, or integrity of personal identifying information maintained by the person, when illegal use of the information has occurred or is reasonably likely to occur or use of the information creates a material risk of harm to a resident.
South Carolina
S.C. Code § 39-1-90 et seq.
If an entity discovers circumstances requiring notice pursuant to this section of more than 1,000 individuals at a single time, the covered entity shall also notify, without unreasonable delay, all consumer reporting agencies.
If an entity provides notice to an affected person of a security breach, then the entity shall notify the Consumer Protection Division of the Attorney General's Office without unreasonable delay.
information regarding the timing, distribution, and content of the notice
steps taken to prevent a similar breach in the future; and
steps taken to investigate the breach
the number of consumers affected by the breach
the nature of the breach
The toll-free numbers, addresses, and Web site addresses for the Federal Trade Commission and the North Carolina Attorney General's Office, along with a statement that the individual can obtain information from these sources about preventing identity theft.
The toll-free numbers and addresses for the major consumer reporting agencies; and
Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports
A telephone number for the business that the person may call for further information and assistance, if one exists
A description of the general acts of the business to protect the personal information from further unauthorized access
A description of the types of personal information that was accessed
A description of the incident in general terms
Notification shall include all of the following:
shall notify North Carolina residents without unreasonable delay.
that it does not own or license must notify the owner or licensee immediately.
Notification is not required where illegal use has not and is not reasonably likely to occur, and the breach does not create a material risk of harm to an individual.
Personal information does not include electronic identification numbers, electronic mail names or addresses, Internet account numbers, Internet identification names, parent's legal surname prior to marriage, or a password unless this information would permit access to a person's financial account or resources.
A person's first name or first initial and last name in combination with:
A. Social Security or employer taxpayer identification numbers
B. Driver’s license, State identification card, or passport numbers
C. Checking account numbers
D. Savings account numbers
E. Credit card numbers
F. Debit card numbers
G. Personal Identification (PIN) Code
H. Electronic identification numbers, electronic mail names or addresses, Internet account numbers, or Internet identification names
I. Digital signatures
J. Any other numbers or information that can be used to access a person's financial resources
K. Biometric data
L. Fingerprints
M. Passwords; or
N. Parent's legal surname prior to marriage
Unauthorized access to and acquisition of unencrypted and unredacted records or data containing personal information where illegal use of the personal information has occurred or is reasonably likely to occur or that creates a material risk of harm to a consumer.
North Carolina
N.C. Gen. Stat. §§ 75-60 et seq.
If more than 1,000 North Carolina residents are notified
If entity provides notice to more than 1,000 persons at one time, the entity shall notify, without unreasonable delay, all consumer reporting agencies.
If entity provides notice to more than 1,000 persons at one time, the entity shall notify, without unreasonable delay, the Office of the Attorney General and all consumer reporting agencies.
Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports.
A telephone number that the person may call for further information and assistance, if one exists, and
The general acts of the individual or entity to protect the personal information from further unauthorized access
The type of personal information that was subject to the unauthorized access and acquisition
shall disclose the breach to each state resident in the most expedient time possible and without unreasonable delay after the discovery or notification.
shall notify the owner or licensee without unreasonable delay following discovery of the breach.
Notice is required only if the breach causes, or the individual or entity reasonably believes has caused or will cause, identity theft or other fraud to any resident of this state.
Social Security number
Driver's license number or state identification card number issued in lieu of a driver's license number
Financial account number, or credit card or debit card number, in combination with any required security code, access code, or password that would permit access to a resident's financial accounts
Passport number, or
Military identification number
The unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information maintained by an individual or entity as part of a database of personal information regarding multiple individuals and that causes, or the individual or entity reasonably believes has caused, or will cause, identity theft or other fraud to any resident of the Commonwealth.
Virginia
Va. Code Ann. § 18.2-186.6 (2008); as amended (2019)
without unreasonable delay, if more than 1,000 residents are notified.
Notice to consumer reporting agencies without unreasonable delay is required if more than 1,000 West Virginia residents are notified.
The toll-free contact telephone numbers and addresses for the major credit reporting agencies and information on how to place a fraud alert or security freeze.
A telephone number or website address that the individual may use to contact the entity or the agent of the entity and from whom the individual may learn
What types of information the entity maintained about that individual or about individuals in general; and
Whether the entity maintained information about that individual.
A description of the categories of information that were reasonably believed to have been accessed or acquired by an unauthorized person
shall notify West Virginia residents without unreasonable delay following discovery or notification of the breach.
shall notify the owner or licensee as soon as practicable following discovery or notification of the breach.
Entity that does not own or have the right to license personal information...
Notice is required only if the entity reasonably believes the breach has caused or will cause, identity theft or other fraud to any resident of this state.
The first name or first initial and last name linked to any one or more of the following:
Social Security number
Driver's license number or state identification card number issued in lieu of a driver's license, or
Financial account number, or credit card, or debit card number in combination with any required security code, access code or password that would permit access to a resident's financial accounts
The unauthorized access and acquisition of computerized personal information and that causes the entity to reasonably believe that the breach will cause identity theft/fraud to any resident.
West Virginia
§§ 46A-2A-101 et seq.
If more than 1,000 West Virginia residents are notified
If more than 1,000 individuals are notified in one incident, then an entity must provide notice to all consumer reporting agencies without unreasonable delay.
shall disclose the breach to each state resident as soon as practicable and without unreasonable delay after the discovery of the breach.
If there is not a reasonable likelihood that the affected individuals’ personal information has not been accessed or acquired by an unauthorized person, then notification is not needed.
An individual’s first name or first initial and last name in combination with and linked to any one or more of the following:
Social Security number
Driver's license number or a State identification card number issued in lieu of a driver’s license, or
Financial account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account
The unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of personal information and that causes or the entity reasonably believes has caused or will cause loss or injury to any resident of this Commonwealth.
Pennsylvania
3 P.S. § 2301 et seq.
Notice must be made to the Division of State Police in the Department of Law and Public Safety before disclosing to affected consumers.
Disclosure of a breach of security to a customer shall not be required if the entity establishes that misuse of the information is not reasonably possible.
An individual's first name or first initial and last name linked with any one or more of the following:
Social Security number
Driver's license number or State identification card number
Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account, or
Username, email address, or any other account holder identifying information, in combination with any password or security question and answer that would permit access to an online account.
The unauthorized access to electronic files, media or data containing personal information.
New Jersey
N.J.S.A. § 56:8-161 et seq.
If more than 5,000 individuals are notified in one incident, then an entity must provide notice to all consumer reporting agencies without unreasonable delay.
If a New York resident is notified, the Attorney General must also be notified.
Such notice shall include:
A description of the categories of information that were, or are reasonably believed to have been, accessed or acquired by a person without valid authorization
The telephone numbers and websites of the relevant state and federal agencies that provide information regarding security breach response and identity theft prevention and protection information, and
Contact information for the person or business making the notification
shall disclose the breach to each state resident in the most expedient time possible and without unreasonable delay, after the discovery of the breach.
Notice to affected persons under this section is not required if the exposure of private information was an inadvertent disclosure by persons authorized to access private information, and the person or business reasonably determines such exposure will not likely result in misuse of such information, or financial harm to the affected persons or emotional harm in the case of unknown disclosure of online credentials.
Any information in combination with any one or more of the following:
Social Security number
Driver's license number or non-driver identification card number
Account number, credit or debit card number, in combination with any required security code, access code, password or other information which would permit access to an individual's financial account
Account number, or credit or debit card number, if circumstances exist wherein such number could be used to access an individual's financial account without additional identifying information, security code, access code, or password, or
Biometric information
A username or e-mail address in combination with a password or security question and answer that would permit access to an online account.
The unauthorized access to or acquisition or acquisition without valid authorization of computerized data which compromises the security, confidentiality, or integrity of personal information.
New York
N.Y. Gen. Bus. Law 899-aa
If disclosure is inadvertent
If an entity is required to notify more than 1,000 consumers of a breach of security, the person shall also notify, without unreasonable delay, all consumer reporting agencies.
The entity shall notify the New Hampshire attorney general's office as soon as practicable.
The telephonic contact information of the person subject to this section
The type of personal information obtained as a result of the security breach
The approximate date of breach
Notice shall include at a minimum:
Notification is not required if a determination can be made that misuse of the information has not occurred or is not reasonably likely to occur.
An individual's first name or initial and last name in combination with any one or more of the following:
Social Security number
Driver's license number or other government identification number
Account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
The unauthorized acquisition of computerized data that compromises the security or confidentiality of personal information maintained by a person doing business in this state.
New Hampshire
N.H. Rev. Stat § 359-C:20
If more than 500 Rhode Island residents are to be notified, the entity shall notify the major credit reporting agencies as to the timing, content, and distribution of the notices and the approximate number of affected individuals.
If more than 500 Rhode Island residents are to be notified, within 45 days of the discovery of the breach, the entity shall notify the attorney general as to the timing, content, and distribution of the notices and the approximate number of affected individuals.
Must include the following information to the extent known:
A general and brief description of the incident, including how the security breach occurred and the number of affected individuals
The type of information that was subject to the breach
Date of breach, estimated date of breach, or the date range within which the breach occurred
Date that the breach was discovered
A clear and concise description of any remediation services offered to affected individuals including toll free numbers and websites to contact: (a) The credit reporting agencies; (b) Remediation service providers; (c) The attorney general, and
A clear and concise description of the consumer's ability to file or obtain a police report; how a consumer requests a security freeze and the necessary information to be provided when requesting the security freeze; and that fees may be required to be paid to the consumer reporting agencies.
shall disclose the breach to each state resident in the most expedient time possible, but no later than 45 calendar days after confirmation of the breach and the ability to ascertain the information required to fulfill the notice requirements.
shall notify the owner or licensee in the most expedient time possible following discovery of the breach.
The notification requirement considers whether the disclosure of personal information or breach of the security of the system poses a significant risk of identity theft to any resident of Rhode Island.
An individual's first name or first initial and last name in combination with any one or more of the following data elements:
Social Security number
Driver's license number, Rhode Island identification card number, or tribal identification number
Account number, credit, or debit card number, in combination with any required security code, access code, password, or personal identification number, that would permit access to an individual's financial account
Medical or health insurance information, or
E-mail address with any required security code, access code, or password that would permit access to an individual's personal, medical, insurance, or financial account.
The unauthorized access or acquisition of unencrypted, computerized data information that compromises the security, confidentiality, or integrity of personal information.
Rhode Island
R.I. Gen. Laws § 11-49.3-4 et seq.
Within 45 days of the discovery of the breach if more than 500 residents are notified
Within 45 days of the discovery of the breach
In the event the entity provides notice to more than 1,000 consumers at one time, the data collector shall notify, without unreasonable delay, all consumer reporting agencies.
Notice must be provided to the Attorney General, made in the most expedient manner possible and without unreasonable delay, if the breach affects more than 50 District residents. The notice must include:
1. The name and contact information of the person or entity reporting the breach
2. The name and contact information of the person or entity that experienced the breach
3. The nature of the breach of the security of the system, including the name of the person or entity that experienced the breach
4. The types of personal information compromised by the breach
5. The number of District residents affected by the breach
6. The cause of the breach, including the relationship between the person or entity that experienced the breach and the person responsible for the breach, if known
7. The remedial action taken by the person or entity to include steps taken to assist District residents affected by the breach
8. The date and time frame of the breach, if known
9. The address and location of corporate headquarters, if outside of the District
10. Any knowledge of foreign country involvement, and
11. A sample of the notice to be provided to District residents
If the entity maintains procedures for notification under the GLBA, HIPAA, or HITECH and provides notice in accordance with those sections, the entity is deemed in compliance with the provisions for providing notice to consumers.
To the extent possible, a description of the categories of information that were, or are reasonably believed to have been, acquired by an unauthorized person, including the elements of personal information that were, or are reasonably believed to have been, acquired
Contact information for the person or entity making the notification, including the business address, telephone number, and toll-free telephone number if one is maintained
The toll-free telephone numbers and addresses for the major consumer reporting agencies and information on how a resident may request a security freeze; and
The toll-free telephone numbers, addresses, and website addresses for the following entities, including a statement that an individual can obtain information from these sources about steps to take to avoid identity theft:
The Federal Trade Commission; and
The Office of the Attorney General for the District of Columbia
shall disclose the breach to each state resident in the most expedient time possible and without unreasonable delay, after the discovery or notification.
Notice is not required if a determination is made after reasonable investigation and consultation with the Attorney General and federal law enforcement that the acquisition of PI will likely not result in harm to the individual.
A username or e-mail address in combination with a password, security question and answer, or other means of authentication, or any combination of data elements included in the above that permits access to an individual's e-mail account.
Any combination of the above-data elements to commit identity theft without reference to a person's first name or first initial and last name or other independent personal identifier
Social Security number, Individual Taxpayer Identification Number, passport number, driver's license number, District of Columbia identification card number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual
Account number, credit card number or debit card number, or any other number or code or combination of numbers or codes, such as an identification number, security code, access code, or password, that allows access to or use of an individual's financial or credit account
Medical information
Genetic information and deoxyribonucleic acid profile
Health insurance information, including a policy number, subscriber information number, or any unique identifier used by a health insurer to identify the person that permits access to an individual's health and billing information
The unauthorized acquisition of computerized or other electronic data or any equipment or device storing such data that compromises the security, confidentiality, or integrity of personal information maintained by the person or entity who conducts business in the District of Columbia.
Washington DC
D.C. Code § 28-3851 et seq.
If more than 50 residents notified
The entity shall notify the Attorney General or the Department, as applicable, of the date of the security breach and the date of discovery of the breach and shall provide a preliminary description of the breach within 14 business days of the data collector's discovery of the security breach or when the data collector provides notice to consumers, whichever is sooner.
Notice shall be clear and conspicuous, and shall include a description of the following, if known to the data collector:
The type of personally identifiable information that was subject to the security breach
The general acts of the data collector to protect the personally identifiable information from further unauthorized access or acquisition
A telephone number, toll-free if available, that the consumer may call for further information and assistance
Advice that directs the consumer to remain vigilant by reviewing account statements and monitoring free credit reports
The approximate date of the security breach
shall disclose the breach to each state resident in the most expedient time possible and without unreasonable delay, but not later than 45 days after the discovery or notification.
Notice of a security breach is not required if the entity establishes that misuse of personally identifiable information or login credentials is not reasonably possible and the data collector provides notice of the determination that the misuse of the personally identifiable information or login credentials is not reasonably possible.
A. Social Security number
B. Driver license or nondriver State identification card number, individual taxpayer identification number, passport number, military identification card number, or other identification number that originates from a government identification document that is commonly used to verify identity for a commercial transaction
C. Financial account number or credit or debit card number, if the number could be used without additional identifying information, access codes, or passwords
D. Password, personal identification number, or other access code for a financial account
E. Unique biometric data used by the owner or licensee of the data to identify or authenticate the consumer
F. Genetic information, and
G. Health records or records of a wellness program or similar program of health promotion or disease prevention
H. Health care professional's medical diagnosis or treatment of the consumer, or
I. Health insurance policy number
An individual's first name or first initial and last name in combination with one or more of the following:
The unauthorized acquisition of electronic data, or a reasonable belief of an unauthorized acquisition of electronic data, that compromises the security, confidentiality, or integrity of a consumer's personally identifiable information or login credentials maintained by a data collector.
Vermont
9 Vt. Stat. Ann. § 2435 et seq.
Within 14 business days of the entity’s discovery of the security breach
within 45 days following discovery or notification of the breach
Within a non-extendable term of 10 days after the violation of the system's security has been detected, the parties responsible shall inform the Department of Consumer Affairs, which shall make a public announcement of the fact within 24 hours after having received the information.
the nature of the situation
the number of clients potentially affected
whether criminal complaints have been filed
what measures are being taken in the matter and an estimate of the time and cost required to rectify the situation
The notice must include:
shall notify Puerto Rico residents as expeditiously as possible following discovery of the breach.
Entity that owns or is the custodian of personal information...
shall notify the proprietor, custodian, or holder of the information.
Entity that only maintains personal information...
A. Social Security number
B. Driver's license number, voter's identification or other official identification
C. Bank or financial account numbers of any type with or without passwords or access code that may have been assigned
D. Names of users and passwords or access codes to public or private information systems
E. Medical information protected by HIPAA
F. Tax information; or
G. Work-related evaluations
The name or first initial and the surname of a person, together with any of the following:
Situation in which it is detected that access has been permitted to unauthorized persons or entities to the data files; or when authorized persons or entities have had access and it is known or there is reasonable suspicion that they have violated the professional confidentiality or obtained authorization under false representation with the intention of making illegal use of the information.
Puerto Rico
10 P.R. Laws Ann. §§ 4051 et seq.
Within 10 days
shall disclose the breach without unreasonable delay.
that the entity does not own or license shall notify the owner or licensee of the information of the breach as soon as practicable.
Entity that maintains personal information...
Notification is not required if the acquisition of personal information does not cause, or the subject entity does not reasonably believe it has or will cause, identity theft or other fraud to a Guam resident.
Social Security number
Driver’s license number or Guam identification card number; or
Financial account number, or credit card or debit card number, in combination with any required security code, access code, or password that would permit access to a resident’s financial accounts
The first name, or first initial, and last name in combination with any one or more of the following:
The unauthorized access and acquisition of computerized personal information that causes, or that the individual or entity reasonably believes will cause, identity theft/fraud.
9 G.C.A. § 48.10
Notification to Consumer Reporting Agencies Threshold
shall notify Virgin Islands residents in the most expedient time possible and without unreasonable delay.
that the entity does not own shall notify the owner or licensee immediately.
Social Security number
Driver's license number; or
Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account
An individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
U.S. Virgin Islands
14 V.I.C § 2208 et seq.
A user name or email address, in combination with a password or security question and answer, that would permit access to an online account.
The approximate date of the breach
A brief description of the personal information included in the breach
The toll-free numbers and addresses for the three largest nationwide consumer reporting agencies
The toll-free number, address and website address for the Federal Trade Commission or any federal agency that assists consumers with identity theft matters
shall notify Arizona residents within 45 days following discovery or notification of the breach.
Notice not required if an independent third-party forensic auditor or law enforcement agency determines after a reasonable investigation that the breach has not or is not reasonably likely to result in substantial economic loss to affected residents.
A username or email address, in combination with a password or security question and answer, which allows access to an online account.
Social Security number
Driver’s license number or identification card number
Private key that is unique to a resident and used to authenticate or sign an electronic record
Financial account number or credit or debit card number in combination with any required security code, access code or password that would allow access to the resident’s financial account
Health insurance identification number
Medical or mental health treatment information or diagnosis by a health care professional
Passport number
Taxpayer identification number or an identity protection PIN issued by the Internal Revenue Service
Unique biometric data generated from a measurement or analysis of human body characteristics to authenticate a resident when accessing an online account, or
Arizona
Ariz. Rev. Stat. §§ 18-551–552 et seq.
If an entity that maintains personal information discovers circumstances requiring notice to more than 1,000 individuals, the entity must notify the attorney general at the same time the breach is disclosed to affected individuals or within forty-five days (45) after it is determined that there is a reasonable likelihood of harm to consumers, whichever occurs first.
shall notify Arkansas residents in the most expedient time and manner possible and without unreasonable delay.
Entity that acquires, owns or licenses computerized personal information...
that the entity does not own shall notify the owner or licensee of the breach immediately.
Entity that only maintains computerized personal information...
Notification is not required if, after a reasonable investigation, it is determined that there is no reasonable likelihood of harm to consumers.
Social Security number
Driver's license number or Arkansas identification card number
Account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account
Medical information; or
Biometric data
An individual's first name or first initial and his or her last name in combination with any one or more of the following:
Arkansas
Ark. Code Ann. §§ 4-110-101 et seq.
For entities that maintain personal information if more than 1,000 Arkansas residents are notified
Notice to the California Attorney General is required, expediently and without unreasonable delay, if notice to 500 or more California residents is required.
If possible, any of the following: (i) the date of the breach, (ii) the estimated date of the breach, or (iii) the date range within which the breach occurred
Be dated
If the reporting person or business providing the notification was the source of the breach, an offer to provide 12 months of complimentary appropriate identity theft prevention and mitigation services
The toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed a social security number or a driver’s license or California identification card number
List the types of personal information that were or are reasonably believed to have been breached
Whether notification was delayed because of law enforcement investigation
A general description of the breach incident, if that information is possible to determine at the time the notice is provided
Include the name and contact information of the reporting person or business
Be titled “Notice of Data Breach,” and shall present the information described in paragraph (2) under the following headings: “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information”
Be written in plain language
The notification must:
shall notify California residents without unreasonable delay following discovery or notification of the breach.
shall notify the owner or licensee immediately following discovery or notification of the breach.
Following discovery or notification of the breach
A username or email address, in combination with a password or security question and answer that would permit access to an online account.
Social Security number
Driver’s license, California identification card number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual
Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account
Medical information
Health insurance information
Unique biometric information generated from measurements or technical analysis of human body characteristics
Information or data collected through the use or operation of an automated license plate recognition system
Genetic data, or
The unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information.
California
Cal. Civ. Code 1798.82 et seq.
If more than 500 California residents are notified
Notice to consumer reporting agencies without unreasonable delay is required if more than 1,000 Colorado residents are notified.
Notice to the Colorado Attorney General within 30 days is required if more than 500 Colorado residents are notified.
The date, estimated date, or estimated date range of the security breach
A description of the personal information that was acquired or reasonably believed to have been acquired as part of the security breach
Information that the resident can use to contact the covered entity to inquire about the security breach
The toll-free numbers, addresses, and websites for consumer reporting agencies
The toll-free number, address, and website for the Federal Trade Commission, and
A statement that the resident can obtain information from the Federal Trade Commission and the credit reporting agencies about fraud alerts and security freezes
shall notify Colorado residents within 30 days after the date of determination that a breach occurred.
shall notify the owner or licensee expeditiously and without undue delay following discovery or notification of the breach.
Entity that does not own or have the right to license personal information…
Within 30 days following discovery or notification of the breach:
The entity shall give notice to the affected Colorado residents unless the investigation determines that the misuse of information about a Colorado resident has not occurred and is not reasonably likely to occur.
Social Security number
Student, military, or passport identification number
Driver’s license number or identification card number
Medical information
Health insurance identification number; or
Biometric data
The first name or first initial and last name in combination with any one or more of the following:
Username or e-mail address, in combination with a password or security questions and answers, that would permit access to an online account, or
Account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to that account.
Colorado
C.R.S.A. § 6-1-713.5 et seq.
If notice of a breach of security is required, the notifying person shall, not later than the time when notice is provided to the resident, also provide notice of the breach of security to the Attorney General.
shall disclose the breach to each state resident within 60 days after the discovery of the breach.
Notification is not required if, after an appropriate investigation, the entity reasonably determines that the breach will not likely result in harm to the individual.
Social Security number
Taxpayer identification number
Identity protection personal identification number issued by the IRS
Driver’s license number, state identification card number, passport number, military identification number or other identification number issued by the government
Credit or debit card number
Financial account number in combination with any required security code, access code or password that would permit access to such financial account
Medical information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional
Health insurance policy number or subscriber identification number, or any unique identifier used by a health insurer to identify the individual, or
Biometric information, or
An individual's first name or first initial and last name in combination with any one of the following:
Electronic mail address, in combination with a password or security question and answer that would permit access to an online account.
The unauthorized access to or unauthorized acquisition of electronic files, media, databases or computerized data, containing personal information.
Connecticut
Conn. Gen. Stat. Ann. § 36a-701b
within 60 days of discovery of the breach
Within 60 days of discovery of the breach
If more than 500 Delaware residents are notified, then notice must be provided to the Attorney General not later than 60 days after determining that a breach occurred.
If after an appropriate investigation, the person reasonably determines that the breach of security is unlikely to result in harm to the individuals whose personal information has been breached, then no notice is required.
Social Security number
Driver’s license number or state or federal identification card number
Account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to a resident’s financial account
Passport number
A username or email address, in combination with a password or security question and answer that would permit access to an online account
Medical history, medical treatment by a healthcare professional, diagnosis of mental or physical condition by a healthcare professional, or deoxyribonucleic acid profile
Health insurance policy number, subscriber identification number, or any other unique identifier used by a health insurer to identify the person
Unique biometric data generated from measurements or analysis of human body characteristics for authentication purposes, or
An individual taxpayer identification number.
An individual’s first name or first initial and last name in combination with any 1 or more of the following data elements:
Delaware
Del. Code Title 6, §§ 12B-100 et seq.
Within 60 days of discovery of the breach, if 500 or more residents are notified
An entity shall provide notice to the Florida Department of Legal Affairs of any breach of security affecting 500 or more individuals in this state, within 30 days after the determination of the breach or reason to believe a breach occurred.
Information that the individual can use to contact the covered entity to inquire about the breach of security and the personal information that the covered entity maintained about the individual.
A description of the personal information that was accessed or reasonably believed to have been accessed as a part of the breach of security.
The date, estimated date, or estimated date range of the breach of security.
shall disclose the breach to each state resident within 30 days after the discovery of the breach.
shall notify the owner or licensee within 10 days after discovery of the breach.
Such a determination must be documented in writing and maintained for at least 5 years.
Notice is not required if, after an appropriate investigation, the entity reasonably determines that the breach has not and will not likely result in identity theft or any other financial harm to the individuals whose personal information has been accessed.
A Social Security number
A driver’s license or identification card number, passport number, military identification number, or other similar number issued on a government document used to verify identity
A financial account number or credit or debit card number, in combination with any required security code, access code, or password that is necessary to permit access to an individual's financial account
Any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional, or
An individual's health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual, or
An individual's first name or first initial and last name in combination with any one or more of the following data elements for that individual:
A username or e-mail address, in combination with a password or security question and answer that would permit access to an online account.
The unauthorized access of data in electronic form containing personal information.
Florida
Fla. Stat. Ann. § 501.171
Within 30 days of discovery of the breach, if 500 or more residents are notified
shall disclose the breach to each state resident in the most expedient time possible after the discovery of the breach.
shall notify the owner or licensee within 24 hours, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
Social Security number
Driver’s license number or state identification card number
Account number, credit card number, or debit card number, if circumstances exist wherein such a number could be used without additional identifying information, access codes, or passwords
Account passwords or personal identification numbers or other access codes; or
Any of the above items when not in connection with the individual’s first name or first initial and last name, if the information compromised would be sufficient to perform or attempt to perform identity theft against the person whose information was compromised.
The unauthorized acquisition of an individual’s electronic data that compromises the security, confidentiality, or integrity of personal information.
Georgia
Ga. Code § 10-1-910 et seq.
Notice to consumer reporting agencies without unreasonable delay is required if more than 1,000 Hawaii residents are notified. The notice shall include the timing, distribution, and content of the consumer notice.
Notice to the State of Hawaii’s office of consumer protection without unreasonable delay is required if more than 1,000 Hawaii residents are notified. The notice shall include the timing, distribution, and content of the consumer notice.
The general acts of the business or government agency to protect the personal information from further unauthorized access
A telephone number that the person may call for further information and assistance, if one exists; and
The notice shall include a description of the following:
shall provide notice to the affected person without unreasonable delay.
that the entity does not own or license shall notify the owner or licensee of the information immediately.
Entity that maintains or possesses personal information...
Notice is not required if the entity determines there is not a reasonable likelihood of risk of harm to an individual.
Social Security number
Driver’s license number or Hawaii identification card number; or
Account number, credit or debit card number, access code, or password that would permit access to an individual’s financial account.
The unauthorized access to and acquisition of personal information where illegal use of the personal information has occurred, or is reasonably likely to occur and that creates a risk of harm to a person.
Hawaii
Haw. Rev. Stat. Ann. §§ 487N-1 et seq.
Only when an agency becomes aware of a breach of the security of the system, it shall, within twenty-four (24) hours of such discovery, notify the office of the Idaho attorney general.
shall give notice as soon as possible to the affected Idaho resident if the entity determines the likelihood that personal information has been or will be misused.
Entity that owns or licenses computerized data…
shall immediately notify the entity owner or licensee of a breach if misuse of personal information about an Idaho resident occurred or is reasonably likely to occur.
Entity that only maintains or stores computerized data…
Following investigation that determines it is likely to cause misuse of personal information:
If the investigation determines that the misuse of information about an Idaho resident has occurred or is reasonably likely to occur, the agency, individual or the commercial entity shall give notice as soon as possible to the affected Idaho resident.
Social Security number
Driver’s license number or Idaho identification card number, or
Account number, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a resident’s financial account.
An individual’s first name or first initial and last name in combination with any one or more of the following:
The illegal acquisition of unencrypted computerized data that materially compromises the security, confidentiality, or integrity of personal information.
Idaho
Idaho Code § 28-51-104 et seq.
Notice shall include a description of the breach, number of affected residents, and steps the entity took or plans to take relating to the incident.
Entities required to notify more than 500 Illinois residents must also notify the attorney general in the most expedient time possible and without unreasonable delay, but not later than when affected individuals are notified.
Notifications may not contain information about the number of Illinois residents affected by the breach.
If there has been a breach impacting individuals’ login credentials, the notice must also direct the recipients to change their credentials or take other appropriate steps.
A statement that the individual can obtain information from these sources about fraud alerts and security freezes
Toll-free number, address, and website address for the FTC; and
Toll-free numbers and addresses for consumer reporting agencies
Notice should include:
shall notify Illinois residents in the most expedient time possible and without unreasonable delay.
Entity that owns or licenses personal information...
shall notify the owner or licensee immediately.
Social Security number
Driver’s license or state identification card
Account number, credit card number or debit card number, in combination with any security code, access code or password required to access the account
Health insurance information
Medical information; or
Biometric data
A person’s first initial and last name along with the person’s:
The username or e-mail address along with the password or security question answer that would permit access to an online account.
Illinois
815 ILCS §§ 530/1 to 530/25
If notifying 500 or more residents, attorney general must be notified no later than when affected individuals are notified
The entity must also notify the major consumer reporting agencies if notifying more than 1,000 residents of a breach.
Entity is required to disclose the breach to the attorney general within 45 days after discovery of the breach if providing notice to any Indiana resident.
shall notify Indiana residents within 45 days following discovery or notification of the breach.
shall notify the data base owner of the breach within 45 days following discovery or notification of the breach
Entity that maintains computerized data but that is not a data owner...
An entity shall only be required to disclose the breach if the entity should know that the breach could result in identity deception, theft, or fraud affecting an Indiana resident.
A Social Security number that is not encrypted or redacted
A first initial and last name, and one (1) or more of the following data elements
Driver's license number
State identification card number
Credit card number; or
A financial account number or debit card number in combination with a security code, password, or access code that would permit access to the person's account.
Personal information means:
The unauthorized acquisition of computerized personal information. The term includes the unauthorized acquisition of computerized data that have been transferred to another medium, including paper, microfilm, or a similar medium, even if the transferred data are no longer in a computerized format.
Indiana
Ind. Code §§ 24-4.9 et seq.
45 days after discovery of the breach
45 days after discovery or notification of breach
45 days after discovery or notification of the breach
If more than five hundred (500) Iowa residents are notified, then notice must be provided to Director of the Consumer Protection Division of the Office of the Attorney General within five (5) business days after notifying affected individuals of the breach.
A description of the breach of security
The type of personal information obtained as a result of the breach of security
Advice to the consumer to report suspected incidents of identity theft to local law enforcement or the attorney general.
Notice must include:
shall notify Iowa residents in the most expeditious manner possible without unreasonable delay.
shall notify the owner immediately following discovery of the breach.
Entity that maintains personal information that the entity does not own...
Such a determination must be documented in writing and the documentation must be maintained for five years.
Notification is not required if, after an appropriate investigation or after consultation with the relevant federal, state, or local agencies responsible for law enforcement, it is determined that there is no reasonable likelihood of financial harm to the consumers.
Social Security number
Driver’s license number or other unique identification number created or collected by a government body
Financial account number, credit card number, or debit card number in combination with any required expiration date, security code, access code, or password that would permit access to an individual’s financial account
Unique electronic identifier or routing code, in combination with any required security code, access code, or password that would permit access to an individual’s financial account; or
Unique biometric data, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data.
An individual’s first name or first initial and last name in combination with any one or more of the following data elements:
Iowa
Iowa Code Ann. §§ 715C.1 et seq.
Within five (5) business days after notifying affected individuals of the breach
If notifying 1,000 or more Kansas residents at one time, the person shall also notify, without unreasonable delay, all consumer reporting agencies.
shall notify Kansas residents “in the most expedient time possible and without unreasonable delay” following the investigation that determines the misuse of personal information has occurred or is reasonably likely to occur.
shall notify the owner or licensee of the breach if the personal information was, or is reasonably believed to have been, accessed and acquired by an unauthorized person.
Notification only required if the investigation determines that the misuse of information has occurred or is reasonably likely to occur.
Social Security number
Driver's license number or state identification card number, or
Financial account number, or credit or debit card number, alone or in combination with any required security code, access code or password that would permit access to a consumer's financial account.
An individual's first name or first initial and last name linked to any one or more of the following:
The unauthorized access and acquisition of unencrypted or unredacted computerized data that compromises the security, confidentiality or integrity of personal information and that causes, or such individual or entity reasonably believes has caused or will cause, identity theft to any consumer.
Kansas
K.S.A. 50-7a01 et seq.
If the information holder notifies more than 1,000 persons at one time, it must also notify the consumer reporting agencies and credit bureaus of the timing, distribution, and content of the notices without unreasonable delay.
shall notify Kentucky residents in the most expedient time possible and without unreasonable delay.
that it does not own must notify the owner or licensee as soon as reasonably practicable.
Notification is not required if the acquisition of personal information does not cause, or the subject entity does not reasonably believe it has or will cause, identity theft or other fraud to a Kentucky resident.
Social Security number
Driver’s license number; or
Account number or credit or debit card number, in combination with any required security code, access code, or password to permit access to an individual's financial account.
The first name or first initial and last name in combination with any one (1) or more of the following data elements, when the name or data element is not redacted:
The unauthorized acquisition of computerized personally identifiable information that causes, or leads the information holder to reasonably believe has caused or will cause, identity theft or fraud against any Kentucky resident.
Kentucky
Ky. Rev. Stat. § 365.732 et seq.
If notifying more than 1,000 Kentucky residents
When notice to Louisiana citizens is required, then written notice detailing the breach of the security of the system must be sent to the Consumer Protection Section of the Attorney General’s office naming all Louisiana citizens affected by the breach.
Such notice must be received within ten (10) days of distribution of notice to Louisiana citizens.
shall notify Louisiana residents within 60 days following discovery of the breach.
notify the owner or licensee within 60 days following discovery of the breach.
Notification is not required if after a reasonable investigation, it is determined that there is no reasonable likelihood of harm to Louisiana residents.
Social Security number
Driver's license number or state identification card number
Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account
Passport number; or
Biometric data
The first name or first initial and last name in combination with any one or more of the following data elements:
The unauthorized acquisition of and access to computerized personal information.
Louisiana
La. Rev. Stat. §§ 51:3071 et seq.
Yes, within 10 days of distribution of notice to Louisiana residents
If an entity is required to notify more than 1,000 Maine residents at one time, then the entity, within 30 days of discovery of the breach, shall also notify all consumer reporting agencies.
When notice of a breach of the security of the system is required under the statute, the person shall also notify the appropriate state regulators within the Department of Professional and Financial Regulation, within 30 days of discovery of the breach.
shall disclose the breach to each state resident within 30 days after the discovery of the breach.
shall notify the owner or licensee following discovery or notification that the misuse of personal information has occurred or if it is reasonably possible to occur.
30 days following discovery or notification of the breach:
Notice is only required if misuse of the personal information has occurred or if it is reasonably possible that misuse will occur.
Social Security number
Driver's license number or state identification card number
Account number, credit card number or debit card number, if circumstances exist wherein such a number could be used without additional identifying information, access codes or passwords
Account passwords or personal identification numbers or other access codes, or
Any of the data elements contained in the above paragraphs when not in connection with the individual's first name, or first initial, and last name, if the information if compromised would be sufficient to permit a person to fraudulently assume or attempt to assume the identity of the person whose information was compromised
An individual's first name, or first initial, and last name in combination with any one or more of the following:
The unauthorized acquisition, release or use of an individual's computerized data that includes personal information that compromises the security, confidentiality or integrity of personal information of the individual maintained by a person.
Maine
Me. Rev. Stat. Ann. tit. 10 § 1348 et seq.
Within 30 days of discovery of the breach
Notice must be provided to the AG before sending notice to affected individuals.
The toll-free telephone numbers, addresses, and website addresses for:
The Federal Trade Commission; and
The Office of the Attorney General; and
(ii) A statement that an individual can obtain information from these sources about steps the individual can take to avoid identity theft.
The toll-free telephone numbers and addresses for the major consumer reporting agencies, and
Contact information for the business making the notification, including the business' address, telephone number, and toll-free telephone number if one is maintained
The approximate date of the breach of security
To the extent possible, a description of the categories of information that were, or are reasonably believed to have been, acquired by an unauthorized person, including which of the elements of personal information were, or are reasonably believed to have been, acquired
shall disclose the breach to each state resident within 45 days after the discovery of the breach.
shall notify the owner or licensee as soon as practicable following discovery of the breach.
Notice is required only if, after investigation, the business determines that the breach of the security of the system creates a likelihood that personal information has been or will be misused.
A Social Security number, an Individual Taxpayer Identification Number, a passport number, or other identification number issued by the federal government
A driver's license number or State identification card number
An account number, a credit card number, or a debit card number, in combination with any required security code, access code, or password, that permits access to an individual's financial account
Health information, including information about an individual's mental health
A health insurance policy or certificate number or health insurance subscriber identification number, in combination with a unique identifier used by an insurer or an employer that is self-insured, that permits access to an individual's health information, or
Biometric data of an individual,
A username or e-mail address in combination with a password or security question and answer that permits access to an individual's e-mail account.
The unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of the personal information maintained by a business.
Maryland
Md. Code Ann., Com. Law § 14-3501 et seq.
before giving notice to a Maryland resident
within 45 days following discovery of the breach
Within 45 days following discovery of the breach
Must notify relevant consumer reporting agencies as identified by the Director of Consumer Affairs and Business Regulation as soon as practicable and without unreasonable delay.
Notice must be provided to the Attorney General and the director of consumer affairs and business regulation as soon as practicable and without unreasonable delay.
Said notice shall not include the nature of the breach of security or unauthorized acquisition or use, or the number of residents of the commonwealth affected by said breach of security or unauthorized access or use.
Mitigation services to be provided pursuant to this chapter.
That there shall be no charge for a security freeze, and
How a resident may request a security freeze and the necessary information to be provided when requesting the security freeze
The resident's right to obtain a police report
Social Security number
Driver's license number or state-issued identification card number, or
Financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account.
An individual’s first name and last name or first initial and last name in combination with any one or more of the following:
The unauthorized acquisition or use of data that creates a substantial risk of identity theft or fraud against a resident of the commonwealth.
Massachusetts
Mass. Gen. Laws Ann. Ch. 93H § 3 et seq.
An entity required to provide notice to more than 1,000 Michigan residents must also notify major consumer reporting agencies of the number of notices provided to Michigan residents and the timing of the notices.
Reminder for notice recipients to remain vigilant for incidents of fraud or identity theft.
Telephone number where a notice recipient may obtain additional information/assistance; and
Description of what the agency or person providing notice is doing to protect the data from further security breaches
Description of the type(s) of personal information subject to unauthorized access or use
Description of the breach in general terms
must provide notice to affected residents without unreasonable delay.
but does not own or license the information must provide notice to the owner of the information without unreasonable delay.
Notice is not required if it is determined that the security breach has not or is not likely to cause substantial loss or injury to or result in identity theft.
Social Security number
Driver’s license or state identification card; or
Demand deposit, other financial account number or credit/debit card in combination with a required security or identification code or password.
A person’s first initial and last name along with a Michigan resident’s:
The unauthorized access and acquisition of data that compromises the security or confidentiality of personal information maintained by a person or agency as part of a database of personal information regarding multiple individuals.
Michigan
Mich. Comp. Laws § 445.61 et seq.
if more than 1,000 Michigan residents are notified
For a breach affecting over 500 people, entities must notify the major consumer reporting agencies within 48 hours. The notice must include information regarding the timing, distribution and content of the notices being sent to Minnesota residents.
shall notify Minnesota residents in the most expedient time possible and without unreasonable delay.
that the entity does not own shall notify the owner or licensee immediately following discovery of the breach.
Social Security number
Driver’s license number; or
Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
Minnesota
Minn. Stat. Ann. § 325E.61
Within 48 hours if more than 500 Minnesota residents are notified
Entity does not need to notify consumers of a breach if, after an appropriate investigation or after consultation with relevant federal, state or local law enforcement agencies, the entity reasonably determines that the consumers whose personal information was subject to the breach are unlikely to suffer harm. The entity must document the determination in writing and maintain the documentation for at least five years.
A consumer's Social Security number
A consumer's driver license number or state identification card number issued by the Department of Transportation
A consumer's passport number or other identification number issued by the United States
A consumer's financial account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to a consumer's financial account, or any other information or combination of information that a person reasonably knows or should know would permit access to the consumer's financial account
Data from automatic measurements of a consumer's physical characteristics, such as an image of a fingerprint, retina or iris, that are used to authenticate the consumer's identity in the course of a financial transaction or other transaction
A consumer's health insurance policy number or health insurance subscriber identification number in combination with any other unique identifier that a health insurer uses to identify the consumer, or
Any information about a consumer's medical history or mental or physical condition or about a health care professional's medical diagnosis or treatment of the consumer.
an individual’s first name or first initial and last name in combination with any one or more of the following:
Social Security number
Driver’s license number or government-issued identification number, or
Account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account
or information that identifies an individual and relates to:
The physical or mental health or condition of the individual
The provision of health care to the individual, or
Payment for the provision of health care to the individual.
Within 45 days following discovery or notification of the breach
Within 14 business days of the entity's discovery of the security breach
Social Security number
Driver's license number or Washington identification card number
Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account, or any other numbers or information that can be used to access a person's financial account
Full date of birth
Private key that is unique to an individual and that is used to authenticate or sign an electronic record
Student, military, or passport identification number
Health insurance policy number or health insurance identification number
Any information about a consumer's medical history or mental or physical condition or about a health care professional's medical diagnosis or treatment of the consumer
Biometric data
Notice must be provided to the Attorney General, made in the most expedient manner possible and without unreasonable delay, if the breach affects more than 50 District residents.
The Office of the Attorney General for the District of Columbia
Social Security number, Individual Taxpayer Identification Number, passport number, driver's license number, District of Columbia identification card number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual
Account number, credit card number or debit card number, or any other number or code or combination of numbers or codes, such as an identification number, security code, access code, or password, that allows access to or use of an individual's financial or credit account
Medical information
Genetic information and deoxyribonucleic acid profile
Health insurance information, including a policy number, subscriber information number, or any unique identifier used by a health insurer to identify the person that permits access to an individual's health and billing information
Any combination of the above-data elements to commit identity theft without reference to a person's first name or first initial and last name or other independent personal identifier
What types of information the entity maintained about that individual or about individuals in general; and
Whether the entity maintained information about that individual.
Social Security number
Driver's license number
Account number, credit card number or debit card number in combination with any security code, access code or password that would allow access to a financial account of the person
Tribal identification card, or
Federal or state government issued identification card
A username or email address, in combination with a password or security question and answer that would permit access to an online account
A birth or marriage certificate
Medical information, meaning a person's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional
Health insurance information, meaning a person's health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the person or information related to a person's application and claims history
Unique biometric data, meaning data generated from measurements or analysis of human body characteristics for authentication purposes, or
An individual taxpayer identification number