REGULATORYOVERSIGHT.COM
Interactive Data Breach Notification Map
Want to learn more about data breach notifications in Your State or US Territory?
In the event of a suspected security incident, our response team can be reached at incident.response@troutman.com
Notification Statute Apply to Paper Records Too?
Notification to AG Required?
Specific Deadline to Provide Notice to Consumers?
Risk of Harm Analysis Allowed?
Access Only Trigger Notification?
Definition of Personal Information Broader than General Definition?
Troutman Pepper
Alabama (AL)
AL ST §§ 8-38-1 et seq.

QUICK FACTS
Is “Personal Information” broader than the general definition? Yes
Does the law apply to paper records? No
Is notification triggered by access only? No
Is a risk-of-harm analysis permitted? Yes
Is notice to a state agency or AG required? Yes
Is there a specific deadline for individual notices? Yes
Is there a specific format or language that must be included in the individual notice? Yes
Is a private right of action permitted? No
If more than 1,000 Alabama residents are notified
If 1,000 or more residents receive notice

How is “Breach” defined?
The unauthorized acquisition of data in electronic form containing sensitive personally identifying information.

How is “Personal Information” defined?
1. An individual’s first name or first initial and last name in combination with one or more of the following:
A. A nontruncated Social Security number or tax identification number
B. A nontruncated driver's license number, state-issued identification card number, passport number, military identification number, or other unique identification number issued on a government document used to verify the identity of a specific individual
C. A financial account number, including a bank account number, credit card number, or debit card number, in combination with any security code, access code, password, expiration date, or PIN, that is necessary to access the financial account or to conduct a transaction that will credit or debit the financial account
D. Any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional
E. An individual's health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual; or
F. A username or email address, in combination with a password or security question and answer that would permit access to an online account affiliated with the covered entity that is reasonably likely to contain or is used to obtain sensitive personally identifying information.

Risk of Harm Analysis Standard
Notification is not required if, after a reasonable investigation, it is determined that there is no reasonable likelihood of causing substantial harm to consumers.
Alabama law outlines four factors to consider when determining whether personal information has been acquired.

Notice Deadline
Following investigation:
Following notification from a third-party agent that...
a breach has occurred, or determination that a breach is likely to cause substantial harm to individuals, entity that owns or licenses computerized personal information shall notify Alabama residents within 45 days
Entity that only maintains, stores or processes computerized personal information...
shall notify the owner or licensee of the breach as expeditiously as possible and without unreasonable delay, but no later than 10 days following the determination or belief that a breach has occurred.

Notice Content Requirements
The notice shall include:
1. The date, estimated date, or estimated date range of the breach
2. A description of the sensitive personally identifying information that was acquired by an unauthorized person as part of the breach
3. A general description of the actions taken by a covered entity to restore the security and confidentiality of the personal information involved in the breach
4. A general description of steps an affected individual can take to protect himself or herself from identity theft; and
5. Information that the individual can use to contact the covered entity to inquire about the breach

AG Notice Trigger
If the number of individuals an entity is required to notify exceeds 1,000, the entity shall notify the attorney general as expeditiously as possible and without unreasonable delay, but no later than 45 days after the entity either (i) determines that a breach is reasonably likely to cause substantial harm to individuals; or (ii) receives notice from a third-party agent that a breach has occurred.

Notification to Consumer Protection Agencies
If an entity discovers circumstances requiring notice to more than 1,000 individuals, the entity shall also notify, without unreasonable delay, all consumer reporting agencies.

Washington (WA)
Wash. Rev. Code § 19.255.005 et seq.

QUICK FACTS
Is “Personal Information” broader than the general definition? Yes
Does the law apply to paper records? No
Is notification triggered by access only? No
Is a risk-of-harm analysis permitted? Yes
Is notice to a state agency or AG required? Yes
Is there a specific deadline for individual notices? Yes
Is there a specific format or language that must be included in the individual notice? Yes
Is a private right of action permitted? Yes
If more than 500 residents receive notice, and must be within 30 days following discovery or notification of the breach
Within 30 days following discovery or notification of the breach

How is “Breach” defined?
The unauthorized acquisition of data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business.

How is “Personal Information” defined?
1. An individual's first name, first initial and last name, or any other personal identifier, which, in combination with any of the following:
A. Social Security number
B. Driver's license number or Washington identification card number
C. Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account, or any other numbers or information that can be used to access a person's financial account
D. Full date of birth
E. Private key that is unique to an individual and that is used to authenticate or sign an electronic record
F. Student, military, or passport identification number
G. Health insurance policy number or health insurance identification number
H. Any information about a consumer's medical history or mental or physical condition or about a health care professional's medical diagnosis or treatment of the consumer
I. Biometric data
Or
2. Username or email address in combination with a password or security questions and answers that would permit access to an online account
3. Any of the data elements or any combination of the data elements described in (a)(i) of this subsection without the consumer's first name or first initial and last name if:
A. Encryption, redaction, or other methods have not rendered the data element or combination of data elements unusable; and
B. The data element or combination of data elements would enable a person to commit identity theft against a consumer.

Risk of Harm Analysis Standard
The breach of secured personal information must be disclosed if the information acquired and accessed is not secured during a security breach or if the confidential process, encryption key, or other means to decipher the secured information was acquired by an unauthorized person.
Notice is not required if the breach of the security of the system is not reasonably likely to subject consumers to a risk of harm.

Notice Deadline
30 days following discovery or notice of breach:
Entity that owns or licenses personal information…
Shall notify Washington residents “in the most expedient time possible and without unreasonable delay” but not later than 30 days following discovery or notice of the breach.
Entity that only maintains or stores personal information…
Shall notify the owner or licensee of the breach immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

Notice Content Requirements
1. The notification must be written in plain language
2. The notification must include, at a minimum, the following information:
A. The name and contact information of the reporting person or business subject to this section
B. A list of the types of personal information that were or are reasonably believed to have been the subject of a breach
C. A time frame of exposure, if known, including the date of the breach and the date of the discovery of the breach
D. Toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed personal information

AG Notice Trigger
If notification to 500 or more Washington residents, entity must notify the attorney general.
The notice to the attorney general shall include the following information:
The number of Washington consumers affected by the breach, or an estimate if the exact number is not known
A list of the types of personal information that were or are reasonably believed to have been the subject of a breach
A time frame of exposure, if known, including the date of the breach and the date of the discovery of the breach
A summary of steps taken to contain the breach
A single sample copy of the security breach notification excluding any personally identifiable information.
The notice to the attorney general must be updated if any of the information identified in (a) of this subsection is unknown at the time notice is due.

Notification to Consumer Protection Agencies
The attorney general may bring an action in the name of the state, or as parens patriae on behalf of persons residing in the state, to enforce this chapter. For actions brought by the attorney general to enforce this chapter, the legislature finds that the practices covered by this chapter are matters vitally affecting the public interest for the purpose of applying the consumer protection act, chapter 19.86 RCW.
For actions brought by the attorney general to enforce this chapter, a violation of this chapter is not reasonable in relation to the development and preservation of business and is an unfair or deceptive act in trade or commerce and an unfair method of competition for purposes of applying the consumer protection act, chapter 19.86 RCW. An action to enforce this chapter may not be brought under RCW 19.86.090.
1. Any consumer injured by a violation of this chapter may institute a civil action to recover damages.
2. Any person or business that violates, proposes to violate, or has violated this chapter may be enjoined.
3. The rights and remedies available under this chapter are cumulative to each other and to any other rights and remedies available under law.

Oregon (OR)
ORS § 646A.600 et seq.

QUICK FACTS
Is “Personal Information” broader than the general definition? Yes
Does the law apply to paper records? No
Is notification triggered by access only? No
Is a risk-of-harm analysis permitted? Yes
Is notice to a state agency or AG required? Yes
Is there a specific deadline for individual notices? Yes
Is there a specific format or language that must be included in the individual notice? Yes
Is a private right of action permitted? No
If more than 250 residents receive notice
Within 45 days after discovering or receiving notification of the breach

How is “Breach” defined?
The unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information that a person maintains or possesses.

How is “Personal Information” defined?
1. A consumer's first name or first initial and last name in combination with any one or more of the following:
A. A consumer's Social Security number
B. A consumer's driver license number or state identification card number issued by the Department of Transportation
C. A consumer's passport number or other identification number issued by the United States
D. A consumer's financial account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to a consumer's financial account, or any other information or combination of information that a person reasonably knows or should know would permit access to the consumer's financial account
E. Data from automatic measurements of a consumer's physical characteristics, such as an image of a fingerprint, retina or iris, that are used to authenticate the consumer's identity in the course of a financial transaction or other transaction
F. A consumer's health insurance policy number or health insurance subscriber identification number in combination with any other unique identifier that a health insurer uses to identify the consumer, or
G. Any information about a consumer's medical history or mental or physical condition or about a health care professional's medical diagnosis or treatment of the consumer.
2. A username or other means of identifying a consumer for the purpose of permitting access to the consumer's account, together with any other method necessary to authenticate the username or means of identification.
3. Any of the data elements or any combination of the data elements described in subparagraph (A) or (B) of this paragraph without the consumer's username, or the consumer's first name or first initial and last name, if: (i) Encryption, redaction or other methods have not rendered the data element or combination of data elements unusable; and (ii) the data element or combination of data elements would enable a person to commit identity theft against a consumer.
A. Encryption, redaction, or other methods have not rendered the data element or combination of data elements unusable; and
B. The data element or combination of data elements would enable a person to commit identity theft against a consumer.

Risk of Harm Analysis Standard
Entity does not need to notify consumers of a breach if, after an appropriate investigation or after consultation with relevant federal, state or local law enforcement agencies, the entity reasonably determines that the consumers whose personal information was subject to the breach are unlikely to suffer harm.
The entity must document the determination in writing and maintain the documentation for at least five years.

Notice Deadline
45 days after discovering or receiving notification of the breach:
Entity that owns or licenses personal information…
shall notify Oregon residents “in the most expeditious manner possible, without unreasonable delay,” but in no event later than 45 days after discovering or receiving notification of the breach.
Entity that only maintains or stores personal information…
shall notify the owner or licensee of the breach within 10 days after discovering the breach or having a reason to believe that the breach of security occurred.

Notice Content Requirements
1. A description of the breach of security in general terms
2. The approximate date of the breach of security
3. The type of personal information that was subject to the breach of security
4. Contact information for the covered entity
5. Contact information for national consumer reporting agencies, and
6. Advice to the consumer to report suspected identity theft to law enforcement, including the Attorney General and the Federal Trade Commission.

AG Notice Trigger
If entity provides notice to more than 250 Oregon residents, entity must also provide notice to the Attorney General.

Notification to Consumer Protection Agencies
If entity provides notice to more than 1,000 Oregon residents, the entity shall notify, without unreasonable delay, all consumer reporting agencies.

Alaska (AK)
AS §§ 45.48.010 et seq.

QUICK FACTS
Is “Personal Information” broader than the general definition? Yes
Does the law apply to paper records? Yes
Is notification triggered by access only? No
Is a risk-of-harm analysis permitted? Yes
Is notice to a state agency or AG required? No
Is there a specific deadline for individual notices? No
Is there a specific format or language that must be included in the individual notice? No
Is a private right of action permitted? Yes
Unless relying on risk-of-harm analysis
If more than 1,000 Alaska residents are notified

How is “Breach” defined?
The unauthorized acquisition of personal information.

How is “Personal Information” defined?
1. An individual’s first name or initial and their last name and one or more of the following:
A. Social Security number
B. Driver’s license number or state identification card
C. Account number, credit card number or debit card number in combination with a security code, access code, personal identification number, or a password; or
D. Passwords, personal identification numbers, or other access codes for financial accounts

Risk of Harm Analysis Standard
Notice is not required if after an appropriate investigation and after written notification to the attorney general, the entity determines there is not a reasonable likelihood that harm to the consumers will result from the breach. The determination shall be documented in writing and be maintained for five years.

Notice Deadline
Following discovery or notification of the breach:
Entity that owns or licenses personal information…
shall disclose the breach to each state resident in the most expeditious time possible and without unreasonable delay.
Entity that does not own or have the right to license the personal information…
to another entity shall immediately disclose the breach to the entity that owns or who licensed the personal information to such entity.

Notice Content Requirements
N/A

AG Notice Trigger
N/A

Notification to Consumer Protection Agencies
Notice to consumer reporting agencies without unreasonable delay is required if more than 1,000 Alaska residents are notified.

Nevada (NV)
Nev. Rev. Stat. Ann. § 603A.010 et seq.

QUICK FACTS
Is “Personal Information” broader than the general definition? Yes
Does the law apply to paper records? No
Is notification triggered by access only? No
Is a risk-of-harm analysis permitted? Yes
Is notice to a state agency or AG required? No
Is there a specific deadline for individual notices? No
Is there a specific format or language that must be included in the individual notice? No
Is a private right of action permitted? Yes

How is “Breach” defined?
The unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information maintained by the data collector.

How is “Personal Information” defined?
1. An individual’s first name or first initial and last name in combination with any one or more of the following:
A. Social Security number
B. Driver's license number, driver authorization card number or identification card number
C. Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person's financial account
D. A medical identification number or a health insurance identification number, or
E. A username, unique identifier or electronic mail address in combination with a password, access code or security question and answer that would permit access to an online account

Risk of Harm Analysis Standard
Notification only required if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

Notice Deadline
Following discovery or notification of breach:
Entity that owns or licenses personal information…
shall notify Nevada residents “made in the most expedient time possible and without unreasonable delay,” following discovery or notification of the breach.
Entity that only maintains or stores personal information…
shall notify the owner or licensee of the breach immediately following discovery that the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

Notice Content Requirements
N/A

AG Notice Trigger
N/A

Notification to Consumer Protection Agencies
If notice is required to 1,000 persons at any one time, entity shall also notify, without unreasonable delay, any consumer reporting agency.

Utah (UT)
U.C.A. 1953 § 13-44-101 et seq.

QUICK FACTS
Is “Personal Information” broader than the general definition? No
Does the law apply to paper records? No
Is notification triggered by access only? No
Is a risk-of-harm analysis permitted? Yes
Is notice to a state agency or AG required? Yes
Is there a specific deadline for individual notices? No
Is there a specific format or language that must be included in the individual notice? No
Is a private right of action permitted? No

How is “Breach” defined?
The unauthorized acquisition of computerized data maintained by a person that compromises the security, confidentiality, or integrity of personal information.

How is “Personal Information” defined?
1. An individual’s first name or first initial and last name in combination with:
A. Social Security number
B. Driver’s license or state identification card number
C. Account number, credit or debit card number, in combination with a linked security or access code, or password of an individual’s financial account

Risk of Harm Analysis Standard
Notification not required if, after a reasonable and prompt investigation, the covered entity determines that the personal information has not or will not be misused for identity theft or fraud.

Notice Deadline
Following discovery or notification of the breach:
Entity that owns or licenses personal information…
shall notify Utah residents “in most expedient time possible” following discovery or notification of the breach.
Entity that only maintains or stores personal information…
shall notify the owner or licensee “immediately following discovery” of the breach if they discover that personal information may have been acquired by an unauthorized person.

Notice Content Requirements
N/A

AG Notice Trigger
N/A

Notification to Consumer Protection Agencies
N/A

Montana (MT)
Mt. Code Ann. 30-14-1704 et seq.

QUICK FACTS
Is “Personal Information” broader than the general definition? Yes
Does the law apply to paper records? No
Is notification triggered by access only? No
Is a risk-of-harm analysis permitted? Yes
Is notice to a state agency or AG required? Yes
Is there a specific deadline for individual notices? No
Is there a specific format or language that must be included in the individual notice? Yes
Is a private right of action permitted? No

How is “Breach” defined?
The unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information and causes or is reasonably believed to cause loss or injury to a Montana resident.

How is “Personal Information” defined?
1. An individual’s first name or first initial and last name in combination with any one or more of the following:
A. Social Security number
B. Driver’s license number, state identification card number, or tribal identification card number
C. Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account
D. Medical record information
E. Taxpayer identification number, or
F. Identity protection personal identification number issued by the United States internal revenue service.

Risk of Harm Analysis Standard
Notification is not required if entity reasonably believes breach has not or will not cause loss or injury to a Montana resident.

Notice Deadline
Following investigation:
Entity that owns or licenses personal information…
shall notify Montana residents without unreasonable delay following the investigation that determines the breach caused or is reasonably believed to cause loss or injury to a Montana resident.
Entity that only maintains or stores personal information...
shall immediately notify the owner or licensee of the breach if the personal information was, or is reasonably believed to have been, accessed and acquired by an unauthorized person.

Notice Content Requirements
N/A

AG Notice Trigger
Any person or business that is required to issue a notification pursuant to this section shall simultaneously submit an electronic copy of the notification and a statement providing the date and method of distribution of the notification to the attorney general’s consumer protection office.
If notification is made to more than one individual, the notification must indicate the number of individuals in the state who received notification.

Notification to Consumer Protection Agencies
If a business discloses a security breach to any individual and gives a notice to the individual that suggests, indicates, or implies to the individual that the individual may obtain a copy of the file on the individual from a consumer credit reporting agency, the business shall coordinate with the consumer reporting agency as to the timing, content, and distribution of the notice to the individual.
How is “Breach” defined?
How is “Personal Information” defined?
Risk of Harm Analysis Standard
Notice Deadline
Notice Content Requirements
AG Notice Trigger
Notification to Consumer Protection Agencies
N/A
N/A
Notice must be clear and conspicuous and shall include, at a minimum:
1. A toll-free number that the individual may use to contact the person collecting the data, or his agent
2. From which the individual may learn the toll-free contact telephone numbers and addresses for the major credit reporting agencies
3. The types of personal identifying information that were or are reasonably believed to have been the subject of the breach
4. A general description of the breach incident
5. The approximate date of the breach of security, if that information is reasonably possible to determine at the time notice is provided
6. In general terms, the actions taken by the individual or commercial entity to protect the system containing the personal identifying information from further breaches
7. Advice that directs the person to remain vigilant by reviewing account statements and monitoring credit reports, and
8. Whether notification was delayed as a result of a law enforcement investigation, if that information is reasonably possible to determine at the time the notice is provided.
shall notify Wyoming residents of breach as soon as possible, when it becomes aware of a breach of the security of the system, which after conducting in good faith a reasonable and prompt investigation, determines the likelihood that personal identifying information has been or will be misused.
Entity that owns or licenses personal information...
shall notify the owner or licensee of the breach as soon as practicable following the determination that personal identifying information was, or is reasonably believed to have been, acquired by an unauthorized person.
Entity that only maintains or stores personal information...
Following investigation:
Notification not necessary unless the investigation determines that the misuse of personal identifying information about a Wyoming resident has occurred or is reasonably likely to occur.
1. The first name or first initial and last name of an individual in combination with one or more of the following:
A. Social Security number
B. Driver's license number
C. Account number, credit card number or debit card number in combination with any security code, access code or password that would allow access to a financial account of the person
D. Tribal identification card, or
E. Federal or state government issued identification card
F. A username or email address, in combination with a password or security question and answer that would permit access to an online account
G. A birth or marriage certificate
H. Medical information, meaning a person's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional
I. Health insurance information, meaning a person's health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the person or information related to a person's application and claims history
J. Unique biometric data, meaning data generated from measurements or analysis of human body characteristics for authentication purposes, or
K. An individual taxpayer identification number
The unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal identifying information maintained by a person or business and causes or is reasonably believed to cause loss or injury to a resident of this state.
WY
Wyoming
Wyo. Stat. § 40-12-501 et seq.
Is “Personal Information” broader than the general definition?
Yes
Does the law apply to paper records?
no
Is notification triggered by access only?
no
Is a risk-of-harm analysis permitted?
YES
Is notice to a state agency or AG required?
no
Is there a specific deadline for individual notices?
no
Is there a specific format or language that must be included in the individual notice?
YES
Is a private right of action permitted?
no
QUICK FACTS
Statute
AG Website
Download Full PDF
Key Resources
How is “Breach” defined?
How is “Personal Information” defined?
Risk of Harm Analysis Standard
Notice Deadline
Notice Content Requirements
AG Notice Trigger
Notification to Consumer Protection Agencies
The three largest nationwide consumer reporting agencies if more than 1,000 residents must be notified.
If the unencrypted personal information of more than 1,000 individuals is breached, then the data controller must disclose the breach to the attorney general.
The notice shall state:
1. Entity’s name and contact information
2. A general description of the security breach
3. The date, estimated date, or range of dates the breach occurred (if known)
4. A list of the types of personal information reasonably believed to have been subject to the breach
5. The toll-free numbers and addresses of the major consumer reporting agencies
6. Advice to review personal account statements and credit reports for errors, and
7. Advice regarding consumer rights under the Fair Credit Reporting Act
shall notify residents within 45 days following discovery or notification of the breach.
Entity that owns or licenses personal information…
shall notify the owner or licensee “immediately following discovery” of the breach if they discover that personal information may have been acquired by an unauthorized person.
Entity that only maintains or stores personal information…
45 days following discovery or notification of the breach:
Notification not required if entity determines that the breach does not pose a significant risk of identity theft or fraud.
1. First name or first initial and last name in combination with at least one of the following:
A. Social Security number
B. Driver's license number or government-issued identification number
C. Financial account number, including a credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account, or
D. Biometric data
The unauthorized acquisition of and unauthorized access that materially compromises the security or confidentiality of unencrypted and unredacted computerized personal information.
NM
New Mexico
N. M. Stat. Ann. § 57-12C-1 et seq.
Is “Personal Information” broader than the general definition?
Yes
Does the law apply to paper records?
no
Is notification triggered by access only?
no
Is a risk-of-harm analysis permitted?
YES
Is notice to a state agency or AG required?
YES
Is there a specific deadline for individual notices?
YES
Is there a specific format or language that must be included in the individual notice?
YES
Is a private right of action permitted?
no
QUICK FACTS
Within 45 days of discovery of the breach, if 1,000 or more residents are notified
Within 45 days of discovery of the breach
Statute
AG Website
Download Full PDF
Key Resources
How is “Breach” defined?
How is “Personal Information” defined?
Risk of Harm Analysis Standard
Notice Deadline
Notice Content Requirements
AG Notice Trigger
Notification to Consumer Protection Agencies
N/A
If the unencrypted personal information of more than 250 individuals is breached, then the data controller must disclose the breach to the attorney general.
N/A
shall notify North Dakota residents “in most expedient time possible” following discovery or notification of the breach.
Entity that owns or licenses personal information…
shall notify the owner or licensee “immediately following discovery” of the breach if they discover that personal information may have been acquired by an unauthorized person.
Entity that only maintains or stores personal information...
Following discovery or notification of the breach:
N/A
1. An individual’s first name or first initial and last name in combination with:
A. The individual’s Social Security number
B. The operator’s license number assigned to an individual by the department of transportation
C. A nondriver color photo identification card number assigned to the individual by the department of transportation
D. The individual’s financial institution account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial accounts
E. The individual’s date of birth
F. The maiden name of the individual’s mother
G. Medical information
H. Health insurance information
I. An identification number assigned to the individual by the individual’s employer in combination with any required security code, access code, or password, or
J. The individual’s digitized or other electronic signature
The unauthorized acquisition of computerized personal information.
ND
North Dakota
N.D. Cent. Code §§ 51-30-01 et seq.
Is “Personal Information” broader than the general definition?
Yes
Does the law apply to paper records?
no
Is notification triggered by access only?
no
Is a risk-of-harm analysis permitted?
YES
Is notice to a state agency or AG required?
YES
Is there a specific deadline for individual notices?
no
Is there a specific format or language that must be included in the individual notice?
no
Is a private right of action permitted?
YES
QUICK FACTS
If 250 or more residents are notified
Statute
AG Website
Download Full PDF
Key Resources
How is “Breach” defined?
How is “Personal Information” defined?
Risk of Harm Analysis Standard
Notice Deadline
Notice Content Requirements
AG Notice Trigger
Notification to Consumer Protection Agencies
If notifying the South Dakota Attorney General, entity should notify all consumer reporting agencies without unreasonable delay.
If the personal information of more than 250 individuals is breached, then the data controller must disclose the breach to the attorney general.
N/A
shall notify South Dakota residents “within 60 days” following discovery or notification of the breach.
Entity that owns or licenses personal information…
shall notify the owner or licensee “immediately following discovery” of the breach if they discover that personal information may have been acquired by an unauthorized person.
Entity that only maintains or stores personal information...
Within 60 days following discovery or notification of the breach:
Entity not required to notify if, following an appropriate investigation and notice to the attorney general, the entity reasonably determines that the breach will not likely result in harm to the affected person.
1. An individual’s first name or first initial and last name in combination with:
A. Social Security number
B. Driver's license number or other unique identification number created or collected by a government body
C. Account, credit card, or debit card number, in combination with any required security code, access code, password, routing number, PIN, or any additional information that would permit access to a person's financial account
D. Health information, or
E. An identification number assigned to a person by the person's employer in combination with any required security code, access code, password, or biometric data generated from measurements or analysis of human body characteristics for authentication purposes
The unauthorized acquisition of unencrypted computerized data or encrypted computerized data and the encryption key by any person that materially compromises the security, confidentiality, or integrity of personal or protected information maintained by the information holder.
SD
South Dakota
S.D. Codified Laws §§ 22-40 et seq.
Is “Personal Information” broader than the general definition?
Yes
Does the law apply to paper records?
no
Is notification triggered by access only?
no
Is a risk-of-harm analysis permitted?
YES
Is notice to a state agency or AG required?
YES
Is there a specific deadline for individual notices?
YES
Is there a specific format or language that must be included in the individual notice?
no
Is a private right of action permitted?
YES
QUICK FACTS
Within 60 days from the discovery or notification of the breach if 250 or more residents are notified
Within 60 days from discovery or notification of the breach
Statute
AG Website
Download Full PDF
Key Resources
How is “Breach” defined?
How is “Personal Information” defined?
Risk of Harm Analysis Standard
Notice Deadline
Notice Content Requirements
AG Notice Trigger
Notification to Consumer Protection Agencies
If notifying the South Dakota Attorney General, entity should notify all consumer reporting agencies without unreasonable delay.
If the personal information of more than 250 individuals is breached, then the data controller must disclose the breach to the attorney general.
N/A
shall notify South Dakota residents “within 60 days” following discovery or notification of the breach.
Entity that owns or licenses personal information…
shall notify the owner or licensee “immediately following discovery” of the breach if they discover that personal information may have been acquired by an unauthorized person.
Entity that only maintains or stores personal information...
Within 60 days following discovery or notification of the breach:
Entity not required to notify if, following an appropriate investigation and notice to the attorney general, the entity reasonably determines that the breach will not likely result in harm to the affected person.
1. An individual’s first name or first initial and last name in combination with:
A. Social Security number
B. Driver's license number or other unique identification number created or collected by a government body
C. Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a resident's financial account;
D. Unique electronic identification number or routing code, in combination with any required security code, access code, or password; or
E. Unique biometric data, such as a fingerprint, voice print, or retina or iris image, or other unique physical representation; or
The unauthorized acquisition of unencrypted computerized data or encrypted computerized data and the encryption key by any person that materially compromises the security, confidentiality, or integrity of personal or protected information maintained by an individual or a commercial entity.
NE
Nebraska
Neb. Rev. Stat. §§ 87-801 et seq.
Is “Personal Information” broader than the general definition?
Yes
Does the law apply to paper records?
no
Is notification triggered by access only?
no
Is a risk-of-harm analysis permitted?
YES
Is notice to a state agency or AG required?
YES
Is there a specific deadline for individual notices?
no
Is there a specific format or language that must be included in the individual notice?
no
Is a private right of action permitted?
no
QUICK FACTS
Statute
AG Website
Download Full PDF
Key Resources
How is “Breach” defined?
How is “Personal Information” defined?
Risk of Harm Analysis Standard
Notice Deadline
Notice Content Requirements
AG Notice Trigger
Notification to Consumer Protection Agencies
N/A
N/A
N/A
shall, following discovery or notification of the breach, notify any Oklahoma resident whose personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person and that causes, or the entity reasonably believes has caused or will cause, identity theft or other fraud to any resident of this state.
Entity that owns or licenses personal information...
shall notify the owner or licensee of the breach of the security of the system as soon as practicable following discovery, if the personal information was or if the entity reasonably believes was accessed and acquired by an unauthorized person.
Entity that only maintains or stores computerized data...
Following discovery or notification of breach:
Notification only required if entity reasonably believes personal information has been accessed and acquired by an unauthorized person and that caused, or the entity reasonably believes has caused or will cause, identity theft or other fraud to any resident of this state.
1. An individual’s first name or first initial and last name linked to any one or more of the following:
A. Social Security number
B. Driver's license number or state identification card number issued in lieu of a driver license, or
C. Financial account number, or credit or debit card number, alone or in combination with any required security code, access code or password that would permit access to a consumer's financial account.
The unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information and that causes, or the entity reasonably believes has caused or will cause, identity theft or other fraud to any resident of this state.
OK
Oklahoma
24 Okl.St.Ann. § 161 et seq.
Is “Personal Information” broader than the general definition?
no
Does the law apply to paper records?
no
Is notification triggered by access only?
no
Is a risk-of-harm analysis permitted?
YES
Is notice to a state agency or AG required?
no
Is there a specific deadline for individual notices?
no
Is there a specific format or language that must be included in the individual notice?
no
Is a private right of action permitted?
no
QUICK FACTS
Statute
AG Website
Download Full PDF
Key Resources
How is “Breach” defined?
How is “Personal Information” defined?
Risk of Harm Analysis Standard
Notice Deadline
Notice Content Requirements
AG Notice Trigger
Notification to Consumer Protection Agencies
If entity notifies at least 10,000 Texas residents of a breach, entity shall also notify each consumer reporting agency that maintains files on consumers on a nationwide basis of the timing, distribution, and content of the notices without unreasonable delay.
If entity notifies at least 250 Texas residents of a breach, then entity shall also, not later than the time when notice is provided to the Texas residents, provide notice of the breach to the Attorney General.
N/A
shall notify Texas residents “without unreasonable delay” and within 60 days following discovery or notification of breach.
Entity that owns or licenses personal information...
shall notify the owner or licensee of the breach immediately after discovering the breach, if the sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
Entity that only maintains or stores personal information...
Within 60 days following discovery or notification of breach:
N/A
“Sensitive personal information” means
A. an individual’s first name or first initial and last name in combination with any one or more of the following:
(i) Social Security number
(ii) Driver’s license number or government-issued identification number, or
(iii) Account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account, or
B. information that identifies an individual and relates to:
(i) The physical or mental health or condition of the individual
(ii) The provision of health care to the individual, or
(iii) Payment for the provision of health care to the individual.
1. Information that alone or in conjunction with other information identifies an individual, including an individual’s:
A. Name, Social Security number, date of birth, or government-issued identification number
B. Mother’s maiden name
C. Unique biometric data, including the individual’s fingerprint, voice print, and retina or iris image
D. Unique electronic identification number, address, or routing code, and
E. Telecommunication access device as defined by Section 32.51, Penal Code.
The unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information.
TX
Texas
V.T.C.A., Bus. & C. § 521.002 et seq.
Is “Personal Information” broader than the general definition?
Yes
Does the law apply to paper records?
no
Is notification triggered by access only?
no
Is a risk-of-harm analysis permitted?
no
Is notice to a state agency or AG required?
YES
Is there a specific deadline for individual notices?
YES
Is there a specific format or language that must be included in the individual notice?
no
Is a private right of action permitted?
YES
QUICK FACTS
Within 60 days following discovery or notification of breach, if 250 or more residents notified
Within 60 days following discovery or notification of breach
Statute
AG Website
Download Full PDF
Key Resources
How is “Breach” defined?
How is “Personal Information” defined?
Risk of Harm Analysis Standard
Notice Deadline
Notice Content Requirements
AG Notice Trigger
Notification to Consumer Protection Agencies
If notice is required to be provided to more than 1,000 Missouri residents, then without unreasonable delay, the major consumer reporting agencies must be notified of the timing, distribution, and content of the notice to consumers.
If notice is required to be provided to more than 1,000 Missouri residents, then without unreasonable delay, the Attorney General’s office must be notified of the timing, distribution, and content of the notice to consumers.
The notice must include a description of the following:
1. The incident in general terms
2. The type of personal information that was obtained as a result of the breach of security
3. A telephone number that the affected consumer may call for further information and assistance, if one exists
4. Contact information for consumer reporting agencies; and
5. Advice that directs the affected consumer to remain vigilant by reviewing account statements and monitoring free credit reports.
shall notify Missouri residents without unreasonable delay.
Entity that owns or licenses personal information...
that the entity does not own or license shall notify the owner or licensee immediately.
Entity that only maintains or possesses personal information...
Following discovery or notification of the breach:
Notification is not required if, after an appropriate investigation or after consultation with the relevant federal, state, or local agencies responsible for law enforcement, it is determined that a risk of identity theft or other fraud to any consumer is not reasonably likely to occur.
1. An individual's first name or first initial and last name in combination with any one or more of the following:
A. Social Security number
B. Driver's license number or other unique identification number created or collected by a government body
C. Financial account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account
D. Unique electronic identifier or routing code, in combination with any required security code, access code, or password that would permit access to an individual's financial account
E. Medical information; or
F. Health insurance information
The unauthorized access to and unauthorized acquisition of computerized personal information.
MO
Missouri
Mo. Rev. Stat. § 407.1500
Is “Personal Information” broader than the general definition?
Yes
Does the law apply to paper records?
no
Is notification triggered by access only?
no
Is a risk-of-harm analysis permitted?
YES
Is notice to a state agency or AG required?
YES
Is there a specific deadline for individual notices?
no
Is there a specific format or language that must be included in the individual notice?
YES
Is a private right of action permitted?
no
QUICK FACTS
If 1,000 or more residents are notified
If more than 1,000 Missouri residents are notified
Statute
AG Website
Download Full PDF
Key Resources
How is “Breach” defined?
How is “Personal Information” defined?
Risk of Harm Analysis Standard
Notice Deadline
Notice Content Requirements
AG Notice Trigger
Notification to Consumer Protection Agencies
If the entity is required to provide notice to over 1,000 Wisconsin residents, it must notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the timing, distribution, and content of the notices sent to the individuals.
N/A
Upon written request by a person who has received a notice, the entity shall identify the personal information that was acquired.
The notice shall indicate that the entity knows of the unauthorized acquisition of personal information pertaining to the affected resident.
shall notify Wisconsin residents within a reasonable time, not to exceed 45 days.
Entity that owns or licenses personal information...
but do not own such information shall notify the owner or licensee as soon as practicable.
Entity that only stores personal information...
Following discovery or notification of the breach:
If the acquisition of personal information does not create a material risk of identity theft or fraud, or the personal information was acquired in good faith and used for a lawful purpose of the entity, no notice is required.
1. An individual's last name and the individual's first initial, in combination with any of the following:
A. The individual's Social Security number
B. The individual's driver's license number or state identification number
C. The number of the individual's financial account number, including a credit or debit card account number, or any security code, access code, or password that would permit access to the individual's financial account
D. The individual's DNA; or
E. The individual's biometric data
When an entity knows that personal information has been acquired by a person whom the entity has not authorized to acquire the information.
WI
Wisconsin
Wis. Stat. § 134.98 et seq.
Is “Personal Information” broader than the general definition?
Yes
Does the law apply to paper records?
Yes
Is notification triggered by access only?
no
Is a risk-of-harm analysis permitted?
YES
Is notice to a state agency or AG required?
no
Is there a specific deadline for individual notices?
YES
Is there a specific format or language that must be included in the individual notice?
YES
Is a private right of action permitted?
no
QUICK FACTS
45 days after the entity learns of the acquisition of personal information
If more than 1,000 Wisconsin residents are notified
Statute
AG Website
Download Full PDF
Key Resources
How is “Breach” defined?
How is “Personal Information” defined?
Risk of Harm Analysis Standard
Notice Deadline
Notice Content Requirements
AG Notice Trigger
Notification to Consumer Protection Agencies
If an entity is required to provide notice to over 1,000 Ohio residents, the entity must also notify, without reasonable delay, the major consumer reporting agencies of the timing, distribution, and content of the disclosure.
N/A
N/A
shall notify Indiana residents within 45 days.
Entity that owns or licenses personal information...
on behalf of another entity shall notify that entity in an expeditious manner.
Entity that is the custodian of or stores personal information...
Following discovery or notification of breach:
To constitute a breach, the unauthorized access to and acquisition of computerized data must be reasonably believed to have caused or will cause a material risk of identity theft or other fraud to an Ohio resident.
1. A person’s first initial and last name with:
A. Social Security number
B. Driver's license number or state identification card number; or
C. Account number or credit or debit card number, in combination with and linked to any required security code, access code, or password that would permit access to an individual's financial account.
The unauthorized access to and acquisition of computerized personal information that reasonably is believed to have caused or will cause a material risk of identity theft or other fraud to an Ohio resident.
OH
Ohio
Ohio Rev. Code Ann. § 1349.19 et seq.
Is “Personal Information” broader than the general definition?
no
Does the law apply to paper records?
no
Is notification triggered by access only?
no
Is a risk-of-harm analysis permitted?
YES
Is notice to a state agency or AG required?
no
Is there a specific deadline for individual notices?
YES
Is there a specific format or language that must be included in the individual notice?
no
Is a private right of action permitted?
no
QUICK FACTS
If more than 1,000 Ohio residents are notified
45 days after notification or discovery of breach
Statute
AG Website
Download Full PDF
Key Resources
How is “Breach” defined?
How is “Personal Information” defined?
Risk of Harm Analysis Standard
Notice Deadline
Notice Content Requirements
AG Notice Trigger
Notification to Consumer Protection Agencies
If an entity is required to provide notice to over 1,000 Tennessee residents, it must also notify, without reasonable delay, the major consumer reporting agencies of the timing, distribution, and content of the notice.
N/A
N/A
shall notify Tennessee residents within 45 days.
Entity that owns or licenses personal information...
that it does not own must notify the owner or licensee within 45 days.
Entity that only maintains or personal information...
Following discovery or notification of the breach:
A breach only occurs when the acquisition of the information materially compromises the security, confidentiality, or integrity of personal information.
1. An individual’s first initial and last name with:
A. Social Security number
B. Driver's license number
C. Account, credit card, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
The acquisition of computerized personal information by an unauthorized person that materially compromises the security, confidentiality, or integrity of personal information maintained by the information holder.
TN
Tennessee
Tenn. Code Ann. § 47-18-2107 et seq.
Is “Personal Information” broader than the general definition?
no
Does the law apply to paper records?
no
Is notification triggered by access only?
no
Is a risk-of-harm analysis permitted?
YES
Is notice to a state agency or AG required?
no
Is there a specific deadline for individual notices?
YES
Is there a specific format or language that must be included in the individual notice?
no
Is a private right of action permitted?
YES
QUICK FACTS
If more than 1,000 Tennessee residents are notified
45 days after notification or discovery of breach
Statute
AG Website
Download Full PDF
Key Resources
How is “Breach” defined?
How is “Personal Information” defined?
Risk of Harm Analysis Standard
Notice Deadline
Notice Content Requirements
AG Notice Trigger
Notification to Consumer Protection Agencies
N/A
N/A
N/A
shall notify Mississippi residents without unreasonable delay.
Entity that owns or licenses personal information...
that the entity does not own shall notify the owner or licensee as soon as practicable.
Entity that only maintains personal information...
Following discovery or notification of the breach:
Notification is not required if, after an appropriate investigation, the entity reasonably determines that the breach will not likely result in harm to the affected individuals.
1. An individual's first name or first initial and last name in combination with any one or more of the following:
A. Social Security number
B. Driver's license number, state identification card number or tribal identification card number; or
C. An account number or credit or debit card number in combination with any required security code, access code or password that would permit access to an individual's financial account.
The unauthorized acquisition of electronic files, media, databases or computerized data containing personal information of any resident of this state.
MS
Mississippi
Miss. Code Ann. § 75-24-29 et seq.
Is “Personal Information” broader than the general definition?
no
Does the law apply to paper records?
no
Is notification triggered by access only?
no
Is a risk-of-harm analysis permitted?
no
Is notice to a state agency or AG required?
no
Is there a specific deadline for individual notices?
no
Is there a specific format or language that must be included in the individual notice?
no
Is a private right of action permitted?
no
QUICK FACTS
How is “Breach” defined?
How is “Personal Information” defined?
Risk of Harm Analysis Standard
Notice Deadline
Notice Content Requirements
AG Notice Trigger
Notification to Consumer Protection Agencies
If an entity provides notice to more than 1,000 persons at one time, then the business shall notify, without unreasonable delay, all consumer reporting agencies.
If an entity provides notice to more than 1,000 persons at one time, then the business shall notify, without unreasonable delay, the South Carolina Consumer Protection Division of the Department of Consumer Affairs of the timing, distribution, and content of the notice.
N/A
Following discovery or notification of the breach:
Entity that owns or licenses personal information... shall disclose the breach to each state resident in the most expedient time possible, without unreasonable delay following discovery of the breach.
Entity that does not own or have the right to license the personal information... shall notify the owner or licensee immediately following discovery of the breach.
Disclosure of a breach of security to a customer shall not be required if illegal use of the information acquired is not reasonably likely to occur or is not reasonably likely to create a material risk of harm to the affected individual.
1. The first name or first initial and last name in combination with and linked to any one or more of the following:
A. Social Security number
B. Driver's license number or state identification card number issued instead of a driver's license
C. Financial account number, or credit card or debit card number in combination with any required security code, access code, or password that would permit access to a resident's financial account, or
D. Other numbers or information which may be used to access a person's financial accounts or numbers or information issued by a governmental or regulatory entity that uniquely will identify an individual.
The unauthorized access to and acquisition of computerized data that compromises the security, confidentiality, or integrity of personal identifying information maintained by the person, when illegal use of the information has occurred or is reasonably likely to occur or use of the information creates a material risk of harm to a resident.
SC
South Carolina
S.C. Code § 39-1-90 et seq.
Is “Personal Information” broader than the general definition?
Yes
Does the law apply to paper records?
no
Is notification triggered by access only?
no
Is a risk-of-harm analysis permitted?
YES
Is notice to a state agency or AG required?
YES
Is there a specific deadline for individual notices?
no
Is there a specific format or language that must be included in the individual notice?
no
Is a private right of action permitted?
YES
QUICK FACTS
How is “Breach” defined?
How is “Personal Information” defined?
Risk of Harm Analysis Standard
Notice Deadline
Notice Content Requirements
AG Notice Trigger
Notification to Consumer Protection Agencies
If an entity discovers circumstances requiring notice pursuant to this section of more than 1,000 individuals at a single time, the covered entity shall also notify, without unreasonable delay, all consumer reporting agencies.
If an entity provides notice to an affected person of a security breach, then the entity shall notify the Consumer Protection Division of the Attorney General's Office without unreasonable delay.
The notice shall include:
1. the nature of the breach
2. the number of consumers affected by the breach
3. steps taken to investigate the breach
4. steps taken to prevent a similar breach in the future; and
5. information regarding the timing, distribution, and content of the notice
Notification shall include all of the following:
1. A description of the incident in general terms
2. A description of the types of personal information that was accessed
3. A description of the general acts of the business to protect the personal information from further unauthorized access
4. A telephone number for the business that the person may call for further information and assistance, if one exists
5. Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports
6. The toll-free numbers and addresses for the major consumer reporting agencies; and
7. The toll-free numbers, addresses, and Web site addresses for the Federal Trade Commission and the North Carolina Attorney General's Office, along with a statement that the individual can obtain information from these sources about preventing identity theft.
Following discovery or notification of the breach:
Entity that owns or licenses personal information... shall notify North Carolina residents without unreasonable delay.
Entity that only maintains or possesses personal information... that it does not own or license must notify the owner or licensee immediately.
Notification is not required where illegal use has not and is not reasonably likely to occur, and the breach does not create a material risk of harm to an individual.
Personal information does not include electronic identification numbers, electronic mail names or addresses, Internet account numbers, Internet identification names, parent's legal surname prior to marriage, or a password unless this information would permit access to a person's financial account or resources.
1. A person's first name or first initial and last name in combination with:
A. Social Security or employer taxpayer identification numbers
B. Driver’s license, State identification card, or passport numbers
C. Checking account numbers
D. Savings account numbers
E. Credit card numbers
F. Debit card numbers
G. Personal Identification (PIN) Code
H. Electronic identification numbers, electronic mail names or addresses, Internet account numbers, or Internet identification names
I. Digital signatures
J. Any other numbers or information that can be used to access a person's financial resources
K. Biometric data
L. Fingerprints
M. Passwords; or
N. Parent's legal surname prior to marriage
Unauthorized access to and acquisition of unencrypted and unredacted records or data containing personal information where illegal use of the personal information has occurred or is reasonably likely to occur or that creates a material risk of harm to a consumer.
NC
North Carolina
N.C. Gen. Stat. §§ 75-60 et seq.
Is “Personal Information” broader than the general definition?
YES
Does the law apply to paper records?
YES
Is notification triggered by access only?
no
Is a risk-of-harm analysis permitted?
YES
Is notice to a state agency or AG required?
YES
Is there a specific deadline for individual notices?
no
Is there a specific format or language that must be included in the individual notice?
YES
Is a private right of action permitted?
YES
QUICK FACTS
If more than 1,000 North Carolina residents are notified
How is “Breach” defined?
How is “Personal Information” defined?
Risk of Harm Analysis Standard
Notice Deadline
Notice Content Requirements
AG Notice Trigger
Notification to Consumer Protection Agencies
If entity provides notice to more than 1,000 persons at one time, the entity shall notify, without unreasonable delay, all consumer reporting agencies.
If entity provides notice to more than 1,000 persons at one time, the entity shall notify, without unreasonable delay, the Office of the Attorney General and all consumer reporting agencies.
The notice shall include:
1. The incident in general terms
2. The type of personal information that was subject to the unauthorized access and acquisition
3. The general acts of the individual or entity to protect the personal information from further unauthorized access
4. A telephone number that the person may call for further information and assistance, if one exists, and
5. Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports.
Following discovery or notification of the breach:
Entity that owns or licenses personal information... shall disclose the breach to each state resident in the most expedient time possible and without unreasonable delay after the discovery or notification.
Entity that does not own or have the right to license the personal information... shall notify the owner or licensee without unreasonable delay following discovery of the breach.
Notice is required only if the breach causes, or the individual or entity reasonably believes has caused or will cause, identity theft or other fraud to any resident of this state.
1. The first name or first initial and last name in combination with and linked to any one or more of the following:
A. Social Security number
B. Driver's license number or state identification card number issued in lieu of a driver's license number
C. Financial account number, or credit card or debit card number, in combination with any required security code, access code, or password that would permit access to a resident's financial accounts
D. Passport number, or
E. Military identification number
The unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information maintained by an individual or entity as part of a database of personal information regarding multiple individuals and that causes, or the individual or entity reasonably believes has caused, or will cause, identity theft or other fraud to any resident of the Commonwealth.
VA
Virginia
Va. Code Ann. § 18.2-186.6 (2008); as amended (2019)
Is “Personal Information” broader than the general definition?
Yes
Does the law apply to paper records?
no
Is notification triggered by access only?
no
Is a risk-of-harm analysis permitted?
YES
Is notice to a state agency or AG required?
YES
Is there a specific deadline for individual notices?
no
Is there a specific format or language that must be included in the individual notice?
YES
Is a private right of action permitted?
YES
QUICK FACTS
without unreasonable delay, if more than 1,000 residents are notified.
How is “Breach” defined?
How is “Personal Information” defined?
Risk of Harm Analysis Standard
Notice Deadline
Notice Content Requirements
AG Notice Trigger
Notification to Consumer Protection Agencies
Notice to consumer reporting agencies without unreasonable delay is required if more than 1,000 West Virginia residents are notified.
N/A
The notice shall include:
1. A description of the categories of information that were reasonably believed to have been accessed or acquired by an unauthorized person
2. A telephone number or website address that the individual may use to contact the entity or the agent of the entity and from whom the individual may learn:
A. What types of information the entity maintained about that individual or about individuals in general; and
B. Whether the entity maintained information about that individual.
3. The toll-free contact telephone numbers and addresses for the major credit reporting agencies and information on how to place a fraud alert or security freeze.
Following discovery or notification of the breach:
Entity that owns or licenses personal information... shall notify West Virginia residents without unreasonable delay following discovery or notification of the breach.
Entity that does not own or have the right to license personal information... shall notify the owner or licensee as soon as practicable following discovery or notification of the breach.
Notice is required only if the entity reasonably believes the breach has caused or will cause, identity theft or other fraud to any resident of this state.
1. The first name or first initial and last name linked to any one or more of the following:
A. Social Security number
B. Driver's license number or state identification card number issued in lieu of a driver's license, or
C. Financial account number, or credit card, or debit card number in combination with any required security code, access code or password that would permit access to a resident's financial accounts
The unauthorized access and acquisition of computerized personal information and that causes the entity to reasonably believe that the breach will cause identity theft/fraud to any resident.
WV
West Virginia
§§ 46A-2A-101 et seq.
Is “Personal Information” broader than the general definition?
no
Does the law apply to paper records?
no
Is notification triggered by access only?
no
Is a risk-of-harm analysis permitted?
YES
Is notice to a state agency or AG required?
no
Is there a specific deadline for individual notices?
no
Is there a specific format or language that must be included in the individual notice?
YES
Is a private right of action permitted?
no
QUICK FACTS
If more than 1,000 West Virginia residents are notified
How is “Breach” defined?
How is “Personal Information” defined?
Risk of Harm Analysis Standard
Notice Deadline
Notice Content Requirements
AG Notice Trigger
Notification to Consumer Protection Agencies
If more than 1,000 individuals are notified in one incident, then an entity must provide notice to all consumer reporting agencies without unreasonable delay.
N/A
N/A
Following discovery or notification of the breach:
Entity that owns or licenses personal information... shall disclose the breach to each state resident as soon as practicable and without unreasonable delay after the discovery of the breach.
Entity that does not own or have the right to license the personal information... shall notify the owner or licensee immediately following discovery of the breach.
If there is not a reasonable likelihood that the affected individuals’ personal information has not been accessed or acquired by an unauthorized person, then notification is not needed.
1. An individual’s first name or first initial and last name in combination with and linked to any one or more of the following:
A. Social Security number
B. Driver's license number or a State identification card number issued in lieu of a driver’s license, or
C. Financial account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account
The unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of personal information and that causes or the entity reasonably believes has caused or will cause loss or injury to any resident of this Commonwealth.
PA
Pennsylvania
3 P.S. § 2301 et seq.
Is “Personal Information” broader than the general definition?
no
Does the law apply to paper records?
no
Is notification triggered by access only?
no
Is a risk-of-harm analysis permitted?
Yes
Is notice to a state agency or AG required?
no
Is there a specific deadline for individual notices?
no
Is there a specific format or language that must be included in the individual notice?
no
Is a private right of action permitted?
no
QUICK FACTS
How is “Breach” defined?
How is “Personal Information” defined?
Risk of Harm Analysis Standard
Notice Deadline
Notice Content Requirements
AG Notice Trigger
Notification to Consumer Protection Agencies
If more than 1,000 individuals are notified in one incident, then an entity must provide notice to all consumer reporting agencies without unreasonable delay.
Notice must be made to the Division of State Police in the Department of Law and Public Safety before disclosing to affected consumers.
N/A
Following discovery or notification of the breach:
Entity that owns or licenses personal information... shall disclose the breach to each state resident as soon as practicable and without unreasonable delay after the discovery of the breach.
Entity that does not own or have the right to license the personal information... shall notify the owner or licensee immediately following discovery of the breach.
Disclosure of a breach of security to a customer shall not be required if the entity establishes that misuse of the information is not reasonably possible.
1. An individual's first name or first initial and last name linked with any one or more of the following:
A. Social Security number
B. Driver's license number or State identification card number
C. Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account, or
D. Username, email address, or any other account holder identifying information, in combination with any password or security question and answer that would permit access to an online account.
The unauthorized access to electronic files, media or data containing personal information.
NJ
New Jersey
N.J.S.A. § 56:8-161 et seq.
Is “Personal Information” broader than the general definition?
no
Does the law apply to paper records?
no
Is notification triggered by access only?
Yes
Is a risk-of-harm analysis permitted?
Yes
Is notice to a state agency or AG required?
Yes
Is there a specific deadline for individual notices?
no
Is there a specific format or language that must be included in the individual notice?
no
Is a private right of action permitted?
no
QUICK FACTS
How is “Breach” defined?
How is “Personal Information” defined?
Risk of Harm Analysis Standard
Notice Deadline
Notice Content Requirements
AG Notice Trigger
Notification to Consumer Protection Agencies
If more than 5,000 individuals are notified in one incident, then an entity must provide notice to all consumer reporting agencies without unreasonable delay.
If a New York resident is notified, the Attorney General must also be notified.
Such notice shall include:
1. Contact information for the person or business making the notification
2. The telephone numbers and websites of the relevant state and federal agencies that provide information regarding security breach response and identity theft prevention and protection information, and
3. A description of the categories of information that were, or are reasonably believed to have been, accessed or acquired by a person without valid authorization
Following discovery or notification of the breach:
Entity that owns or licenses personal information... shall disclose the breach to each state resident in the most expedient time possible and without unreasonable delay, after the discovery of the breach.
Entity that does not own or have the right to license the personal information... shall notify the owner or licensee immediately following discovery of the breach.
Notice to affected persons under this section is not required if the exposure of private information was an inadvertent disclosure by persons authorized to access private information, and the person or business reasonably determines such exposure will not likely result in misuse of such information, or financial harm to the affected persons or emotional harm in the case of unknown disclosure of online credentials.
1. Any information in combination with any one or more of the following:
A. Social Security number
B. Driver's license number or non-driver identification card number
C. Account number, credit or debit card number, in combination with any required security code, access code, password or other information which would permit access to an individual's financial account
D. Account number, or credit or debit card number, if circumstances exist wherein such number could be used to access an individual's financial account without additional identifying information, security code, access code, or password, or
E. Biometric information
2. A username or e-mail address in combination with a password or security question and answer that would permit access to an online account.
The unauthorized access to or acquisition of, or acquisition without valid authorization of, computerized data which compromises the security, confidentiality, or integrity of personal information.
NY
New York
N.Y. Gen. Bus. Law 899-aa
Is “Personal Information” broader than the general definition?
Yes
Does the law apply to paper records?
no
Is notification triggered by access only?
Yes
Is a risk-of-harm analysis permitted?
Yes
Is notice to a state agency or AG required?
Yes
Is there a specific deadline for individual notices?
no
Is there a specific format or language that must be included in the individual notice?
YES
Is a private right of action permitted?
no
QUICK FACTS
If disclosure is inadvertent
How is “Breach” defined?
How is “Personal Information” defined?
Risk of Harm Analysis Standard
Notice Deadline
Notice Content Requirements
AG Notice Trigger
Notification to Consumer Protection Agencies
If an entity is required to notify more than 1,000 consumers of a breach of security, the person shall also notify, without unreasonable delay, all consumer reporting agencies.
The entity shall notify the New Hampshire attorney general's office as soon as practicable.
Notice shall include at a minimum:
1. A description of the incident in general terms
2. The approximate date of breach
3. The type of personal information obtained as a result of the security breach
4. The telephonic contact information of the person subject to this section
Following discovery or notification of the breach:
Entity that owns or licenses personal information... shall disclose the breach to each state resident as soon as practicable and without unreasonable delay after the discovery of the breach.
Entity that does not own or have the right to license the personal information... shall notify the owner or licensee immediately following discovery of the breach.
Notification is not required if a determination can be made that misuse of the information has not occurred or is not reasonably likely to occur.
1. An individual's first name or initial and last name in combination with any one or more of the following:
A. Social Security number
B. Driver's license number or other government identification number
C. Account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
The unauthorized acquisition of computerized data that compromises the security or confidentiality of personal information maintained by a person doing business in this state.
NH
New Hampshire
N.H. Rev. Stat § 359-C:20
Is “Personal Information” broader than the general definition?
no
Does the law apply to paper records?
no
Is notification triggered by access only?
no
Is a risk-of-harm analysis permitted?
Yes
Is notice to a state agency or AG required?
Yes
Is there a specific deadline for individual notices?
no
Is there a specific format or language that must be included in the individual notice?
Yes
Is a private right of action permitted?
Yes
QUICK FACTS
How is “Breach” defined?
How is “Personal Information” defined?
Risk of Harm Analysis Standard
Notice Deadline
Notice Content Requirements
AG Notice Trigger
Notification to Consumer Protection Agencies
If more than 500 Rhode Island residents are to be notified, the entity shall notify the major credit reporting agencies as to the timing, content, and distribution of the notices and the approximate number of affected individuals.
If more than 500 Rhode Island residents are to be notified, within 45 days of the discovery of the breach, the entity shall notify the attorney general as to the timing, content, and distribution of the notices and the approximate number of affected individuals.
1. Must include the following information to the extent known:
A. A general and brief description of the incident, including how the security breach occurred and the number of affected individuals
B. The type of information that was subject to the breach
C. Date of breach, estimated date of breach, or the date range within which the breach occurred
D. Date that the breach was discovered
E. A clear and concise description of any remediation services offered to affected individuals including toll free numbers and websites to contact: (a) The credit reporting agencies; (b) Remediation service providers; (c) The attorney general, and
F. A clear and concise description of the consumer's ability to file or obtain a police report; how a consumer requests a security freeze and the necessary information to be provided when requesting the security freeze; and that fees may be required to be paid to the consumer reporting agencies.
45 days following discovery or notification of the breach:
Entity that owns or licenses personal information... shall disclose the breach to each state resident in the most expedient time possible, but no later than 45 calendar days after confirmation of the breach and the ability to ascertain the information required to fulfill the notice requirements.
Entity that does not own or have the right to license the personal information... shall notify the owner or licensee in the most expedient time possible following discovery of the breach.
The notification requirement considers whether the disclosure of personal information or breach of the security of the system poses a significant risk of identity theft to any resident of Rhode Island.
1. An individual's first name or first initial and last name in combination with any one or more of the following data elements:
A. Social Security number
B. Driver's license number, Rhode Island identification card number, or tribal identification number
C. Account number, credit, or debit card number, in combination with any required security code, access code, password, or personal identification number, that would permit access to an individual's financial account
D. Medical or health insurance information, or
E. E-mail address with any required security code, access code, or password that would permit access to an individual's personal, medical, insurance, or financial account.
The unauthorized access or acquisition of unencrypted, computerized data information that compromises the security, confidentiality, or integrity of personal information.
RI
Rhode Island
R.I. Gen. Laws § 11-49.3-4 et seq.
Is “Personal Information” broader than the general definition?
Yes
Does the law apply to paper records?
no
Is notification triggered by access only?
Yes
Is a risk-of-harm analysis permitted?
Yes
Is notice to a state agency or AG required?
Yes
Is there a specific deadline for individual notices?
YES
Is there a specific format or language that must be included in the individual notice?
YES
Is a private right of action permitted?
no
QUICK FACTS
Within 45 days of the discovery of the breach if more than 500 residents are notified
Within 45 days of the discovery of the breach
How is “Breach” defined?
How is “Personal Information” defined?
Risk of Harm Analysis Standard
Notice Deadline
Notice Content Requirements
AG Notice Trigger
Notification to Consumer Protection Agencies
In the event the entity provides notice to more than 1,000 consumers at one time, the data collector shall notify, without unreasonable delay, all consumer reporting agencies.
Notice must be provided to the Attorney General, made in the most expedient manner possible and without unreasonable delay, if the breach affects more than 50 District residents.
The notice must include:
1. The name and contact information of the person or entity reporting the breach
2. The name and contact information of the person or entity that experienced the breach
3. The nature of the breach of the security of the system, including the name of the person or entity that experienced the breach
4. The types of personal information compromised by the breach
5. The number of District residents affected by the breach
6. The cause of the breach, including the relationship between the person or entity that experienced the breach and the person responsible for the breach, if known
7. The remedial action taken by the person or entity to include steps taken to assist District residents affected by the breach
8. The date and time frame of the breach, if known
9. The address and location of corporate headquarters, if outside of the District
10. Any knowledge of foreign country involvement, and
11. A sample of the notice to be provided to District residents
The notice shall include:
1. To the extent possible, a description of the categories of information that were, or are reasonably believed to have been, acquired by an unauthorized person, including the elements of personal information that were, or are reasonably believed to have been, acquired
2. Contact information for the person or entity making the notification, including the business address, telephone number, and toll-free telephone number if one is maintained
3. The toll-free telephone numbers and addresses for the major consumer reporting agencies and information on how a resident may request a security freeze; and
4. The toll-free telephone numbers, addresses, and website addresses for the following entities, including a statement that an individual can obtain information from these sources about steps to take to avoid identity theft:
A. The Federal Trade Commission; and
B. The Office of the Attorney General for the District of Columbia
5. If the entity maintains procedures for notification under the GLBA, HIPAA, or HITECH and provides notice in accordance with those sections, the entity is deemed in compliance with the provisions for providing notice to consumers.
Following discovery or notification of the breach:
Entity that owns or licenses personal information... shall disclose the breach to each state resident in the most expedient time possible and without unreasonable delay, after the discovery or notification.
Entity that does not own or have the right to license the personal information... shall notify the owner or licensee immediately following discovery of the breach.
Notice is not required if a determination is made after reasonable investigation and consultation with the Attorney General and federal law enforcement that the acquisition of PI will likely not result in harm to the individual.
1. An individual's first name, first initial and last name, or any other personal identifier, which, in combination with any of the following:
A. Social Security number, Individual Taxpayer Identification Number, passport number, driver's license number, District of Columbia identification card number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual
B. Account number, credit card number or debit card number, or any other number or code or combination of numbers or codes, such as an identification number, security code, access code, or password, that allows access to or use of an individual's financial or credit account
C. Medical information
D. Genetic information and deoxyribonucleic acid profile
E. Health insurance information, including a policy number, subscriber information number, or any unique identifier used by a health insurer to identify the person that permits access to an individual's health and billing information
F. Any combination of the above data elements to commit identity theft without reference to a person's first name or first initial and last name or other independent personal identifier
Or
2. A username or e-mail address in combination with a password, security question and answer, or other means of authentication, or any combination of data elements included in the above that permits access to an individual's e-mail account.
The unauthorized acquisition of computerized or other electronic data or any equipment or device storing such data that compromises the security, confidentiality, or integrity of personal information maintained by the person or entity who conducts business in the District of Columbia.
D.C.
Washington DC
D.C. Code § 28-3851 et seq.
Is “Personal Information” broader than the general definition?
Yes
Does the law apply to paper records?
no
Is notification triggered by access only?
no
Is a risk-of-harm analysis permitted?
Yes
Is notice to a state agency or AG required?
Yes
Is there a specific deadline for individual notices?
no
Is there a specific format or language that must be included in the individual notice?
YES
Is a private right of action permitted?
Yes
QUICK FACTS
If more than 50 residents notified
Statute
AG Website
Download Full PDF
Key Resources
How is “Breach” defined?
How is “Personal Information” defined?
Risk of Harm Analysis Standard
Notice Deadline
Notice Content Requirements
AG Notice Trigger
Notification to Consumer Protection Agencies
In the event the entity provides notice to more than 1,000 consumers at one time, the data collector shall notify, without unreasonable delay, all consumer reporting agencies.
The entity shall notify the Attorney General or the Department, as applicable, of the date of the security breach and the date of discovery of the breach and shall provide a preliminary description of the breach within 14 business days of the data collector's discovery of the security breach or when the data collector provides notice to consumers, whichever is sooner.
Notice shall be clear and conspicuous, and shall include a description of the following, if known to the data collector:
1.
The incident in general terms
2.
The type of personally identifiable information that was subject to the security breach
3.
The general acts of the data collector to protect the personally identifiable information from further unauthorized access or acquisition
4.
A telephone number, toll-free if available, that the consumer may call for further information and assistance
5.
Advice that directs the consumer to remain vigilant by reviewing account statements and monitoring free credit reports
6.
The approximate date of the security breach
shall disclose the breach to each state resident in the most expedient time possible and without unreasonable delay, but not later than 45 days after the discovery or notification.
Entity that owns or licenses personal information...
shall notify the owner or licensee immediately following discovery of the breach.
Entity that does not own or have the right to license the personal information...
45 days following discovery or notification of the breach:
Notice of a security breach is not required if the entity establishes that misuse of personally identifiable information or login credentials is not reasonably possible and the data collector provides notice of the determination that the misuse of the personally identifiable information or login credentials is not reasonably possible.
1. An individual's first name or first initial and last name in combination with one or more of the following:
A. Social Security number
B. Driver license or nondriver State identification card number, individual taxpayer identification number, passport number, military identification card number, or other identification number that originates from a government identification document that is commonly used to verify identity for a commercial transaction
C. Financial account number or credit or debit card number, if the number could be used without additional identifying information, access codes, or passwords
D. Password, personal identification number, or other access code for a financial account
E. Unique biometric data used by the owner or licensee of the data to identify or authenticate the consumer
F. Genetic information, and
G. Health records or records of a wellness program or similar program of health promotion or disease prevention
H. Health care professional's medical diagnosis or treatment of the consumer, or
I. Health insurance policy number
The unauthorized acquisition of electronic data, or a reasonable belief of an unauthorized acquisition of electronic data, that compromises the security, confidentiality, or integrity of a consumer's personally identifiable information or login credentials maintained by a data collector.
VT
Vermont
9 Vt. Stat. Ann. § 2435 et seq.
Is “Personal Information” broader than the general definition?
Yes
Does the law apply to paper records?
no
Is notification triggered by access only?
no
Is a risk-of-harm analysis permitted?
Yes
Is notice to a state agency or AG required?
Yes
Is there a specific deadline for individual notices?
YES
Is there a specific format or language that must be included in the individual notice?
YES
Is a private right of action permitted?
no
QUICK FACTS
Within 14 business days of the entity’s discovery of the security breach
within 45 days following discovery or notification of the breach
Statute
AG Website
Download Full PDF
Key Resources
How is “Breach” defined?
How is “Personal Information” defined?
Risk of Harm Analysis Standard
Notice Deadline
Notice Content Requirements
AG Notice Trigger
Notification to Consumer Protection Agencies
N/A
Within a non-extendable term of 10 days after the violation of the system's security has been detected, the parties responsible shall inform the Department of Consumer Affairs, which shall make a public announcement of the fact within 24 hours after having received the information.
The notice must include:
1. the nature of the situation
2. the number of clients potentially affected
3. whether criminal complaints have been filed
4. what measures are being taken in the matter and an estimate of the time; and
5. cost required to rectify the situation
shall notify Puerto Rico residents as expeditiously as possible following discovery of the breach.
Entity that owns or is the custodian of personal information...
shall notify the proprietor, custodian, or holder of the information.
Entity that only maintains personal information...
Following discovery or notification of the breach:
N/A
1. The name or first initial and the surname of a person, together with any of the following:
A. Social Security number
B. Driver's license number, voter's identification or other official identification
C. Bank or financial account numbers of any type with or without passwords or access code that may have been assigned
D. Names of users and passwords or access codes to public or private information systems
E. Medical information protected by HIPAA
F. Tax information; or
G. Work-related evaluations
Situation in which it is detected that access has been permitted to unauthorized persons or entities to the data files; or when authorized persons or entities have had access and it is known or there is reasonable suspicion that they have violated the professional confidentiality or obtained authorization under false representation with the intention of making illegal use of the information.
PR
Puerto Rico
10 P.R. Laws Ann. §§ 4051 et seq.
Is “Personal Information” broader than the general definition?
YES
Does the law apply to paper records?
no
Is notification triggered by access only?
YES
Is a risk-of-harm analysis permitted?
no
Is notice to a state agency or AG required?
YES
Is there a specific deadline for individual notices?
no
Is there a specific format or language that must be included in the individual notice?
YES
Is a private right of action permitted?
YES
QUICK FACTS
Within 10 days
Statute
AG Website
Download Full PDF
Key Resources
How is “Breach” defined?
How is “Personal Information” defined?
Risk of Harm Analysis Standard
Notice Deadline
Notice Content Requirements
AG Notice Trigger
Notification to Consumer Protection Agencies
N/A
N/A
N/A
shall disclose the breach without unreasonable delay.
Entity that owns or licenses personal information...
that the entity does not own or license shall notify the owner or licensee of the information of the breach as soon as practicable.
Entity that maintains personal information...
Following discovery or notification of the breach:
Notification is not required if the acquisition of personal information does not cause, or the subject entity does not reasonably believe it has or will cause, identity theft or other fraud to a Guam resident.
1. The first name, or first initial, and last name in combination with any one or more of the following:
A. Social Security number
B. Driver’s license number or Guam identification card number; or
C. Financial account number, or credit card or debit card number, in combination with any required security code, access code, or password that would permit access to a resident’s financial accounts
The unauthorized access and acquisition of computerized personal information that causes the individual or entity, or reasonably believes will cause identity theft/fraud.
Guam
Guam
9 G.C.A. § 48.10
Is “Personal Information” broader than the general definition?
no
Does the law apply to paper records?
no
Is notification triggered by access only?
no
Is a risk-of-harm analysis permitted?
YES
Is notice to a state agency or AG required?
no
Is there a specific deadline for individual notices?
no
Is there a specific format or language that must be included in the individual notice?
no
Is a private right of action permitted?
no
QUICK FACTS
Statute
AG Website
Download Full PDF
Key Resources
How is “Breach” defined?
How is “Personal Information” defined?
Risk of Harm Analysis Standard
Notice Deadline
Notice Content Requirements
AG Notice Trigger
Notification to Consumer Protection Agencies
N/A
N/A
Notification to Consumer Reporting Agencies Threshold
N/A
shall notify Virgin Islands residents in the most expedient time possible and without unreasonable delay.
Entity that owns or licenses personal information...
that the entity does not own shall notify the owner or licensee immediately.
Entity that only maintains personal information...
Following discovery or notification of the breach:
N/A
1. An individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
A. Social Security number
B. Driver's license number; or
C. Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account
The unauthorized acquisition of computerized personal information.
USVI
U.S. Virgin Islands
14 V.I.C § 2208 et seq.
Is “Personal Information” broader than the general definition?
no
Does the law apply to paper records?
no
Is notification triggered by access only?
no
Is a risk-of-harm analysis permitted?
no
Is notice to a state agency or AG required?
no
Is there a specific deadline for individual notices?
no
Is there a specific format or language that must be included in the individual notice?
no
Is a private right of action permitted?
YES
QUICK FACTS
Statute
AG Website
Download Full PDF
Key Resources
2.
A user name or email address, in combination with a password or security question and answer, that would permit access to an online account.
Alaska
AS §§ 45.48.010 et seq.
Notification to Consumer Protection Agencies
AG Notice Trigger
Notice Content Requirements
Notice Deadline
Risk of Harm Analysis Standard
How is “Personal Information” defined?
How is “Breach” defined?
Notice to consumer reporting agencies without unreasonable delay is required if more than 1,000 Alaska residents are notified.
N/A
N/A
shall disclose the breach to each state resident in the most expeditious time possible and without unreasonable delay.
Entity that owns or licenses personal information…
to another entity shall immediately disclose the breach to the entity that owns or who licensed the personal information to such entity.
Entity that does not own or have the right to license the personal information…
Following discovery or notification of the breach:
Notice is not required if after an appropriate investigation and after written notification to the attorney general, the entity determines there is not a reasonable likelihood that harm to the consumers will result from the breach. The determination shall be documented in writing and be maintained for five years.
A.
B.
C.
D.
E.
F.
Social Security number
Driver’s license number or state identification card
Account number, credit card number or debit card number in combination with a security code, access code, personal identification number, or a password; or
Passwords, personal identification numbers, or other access codes for financial accounts
1.
An individual’s first name or initial and their last name and one or more of the following:
The unauthorized acquisition of personal information.
Statute
AG Website
Download Full PDF
Key Resources
YES
Is a private right of action permitted?
no
Is there a specific format or language that must be included in the individual notice?
no
Is there a specific deadline for individual notices?
NO
Is notice to a state agency or AG required?
YES
Is a risk-of-harm analysis permitted?
no
Is notification triggered by access only?
YES
Does the law apply to paper records?
YES
Is “Personal Information” broader than the general definition?
QUICK FACTS
Unless relying on risk-of-harm analysis
How is “Breach” defined?
How is “Personal Information” defined?
Risk of Harm Analysis Standard
Notice Deadline
Notice Content Requirements
AG Notice Trigger
Notification to Consumer Protection Agencies
The three largest nationwide consumer reporting agencies if more than 1,000 residents must be notified.
If the unencrypted personal information of more than 1,000 individuals is breached, then the data controller must disclose the breach to the attorney general.
The notice shall state:
1. The approximate date of the breach
2. A brief description of the personal information included in the breach
3. The toll-free numbers and addresses for the three largest nationwide consumer reporting agencies
4. The toll-free number, address and website address for the Federal Trade Commission or any federal agency that assists consumers with identity theft matters
shall notify Arizona residents within 45 days following discovery or notification of the breach.
Entity that owns or licenses personal information…
shall notify the owner or licensee “immediately following discovery” of the breach if they discover that personal information may have been acquired by an unauthorized person.
Entity that only maintains or stores personal information…
45 days following discovery or notification of the breach:
Notice not required if an independent third-party forensic auditor or law enforcement agency determines after a reasonable investigation that the breach has not or is not reasonably likely to result in substantial economic loss to affected residents.
1. First name or first initial and last name in combination with at least one of the following:
A. Social Security number
B. Driver’s license number or identification card number
C. Private key that is unique to a resident and used to authenticate or sign an electronic record
D. Financial account number or credit or debit card number in combination with any required security code, access code or password that would allow access to the resident’s financial account
E. Health insurance identification number
F. Medical or mental health treatment information or diagnosis by a health care professional
G. Passport number
H. Taxpayer identification number or an identity protection PIN issued by the Internal Revenue Service
I. Unique biometric data generated from a measurement or analysis of human body characteristics to authenticate a resident when accessing an online account, or
2. A username or email address, in combination with a password or security question and answer, which allows access to an online account.
The unauthorized acquisition of and unauthorized access that materially compromises the security or confidentiality of unencrypted and unredacted computerized personal information.
AZ
Arizona
Ariz. Rev. Stat. §§ 18-551–552 et seq.
Is “Personal Information” broader than the general definition?
Yes
Does the law apply to paper records?
no
Is notification triggered by access only?
no
Is a risk-of-harm analysis permitted?
YES
Is notice to a state agency or AG required?
YES
Is there a specific deadline for individual notices?
YES
Is there a specific format or language that must be included in the individual notice?
YES
Is a private right of action permitted?
no
QUICK FACTS
Within 45 days of discovery of the breach, if 1,000 or more residents are notified
Within 45 days of discovery of the breach
Statute
AG Website
Download Full PDF
Key Resources
How is “Breach” defined?
How is “Personal Information” defined?
Risk of Harm Analysis Standard
Notice Deadline
Notice Content Requirements
AG Notice Trigger
Notification to Consumer Protection Agencies
N/A
If an entity that maintains personal information discovers circumstances requiring notice to more than 1,000 individuals, the entity must notify the attorney general at the same time the breach is disclosed to affected individuals or within forty-five days (45) after it is determined that there is a reasonable likelihood of harm to consumers, whichever occurs first.
N/A
shall notify Arkansas residents in the most expedient time and manner possible and without unreasonable delay.
Entity that acquires, owns or licenses computerized personal information...
that the entity does not own shall notify the owner or licensee of the breach immediately.
Entity that only maintains computerized personal information...
Following discovery or notification of the breach:
Notification is not required if, after a reasonable investigation, it is determined that there is no reasonable likelihood of harm to consumers.
1. An individual's first name or first initial and his or her last name in combination with any one or more of the following:
A. Social Security number
B. Driver's license number or Arkansas identification card number
C. Account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account
D. Medical information; or
E. Biometric data
The unauthorized acquisition of computerized personal information.
AR
Arkansas
Ark. Code Ann. §§ 4-110-101 et seq.
Is “Personal Information” broader than the general definition?
Yes
Does the law apply to paper records?
no
Is notification triggered by access only?
no
Is a risk-of-harm analysis permitted?
YES
Is notice to a state agency or AG required?
YES
Is there a specific deadline for individual notices?
no
Is there a specific format or language that must be included in the individual notice?
no
Is a private right of action permitted?
no
QUICK FACTS
For entities that maintain personal information if more than 1,000 Arkansas residents are notified
Statute
AG Website
Download Full PDF
Key Resources
How is “Breach” defined?
How is “Personal Information” defined?
Risk of Harm Analysis Standard
Notice Deadline
Notice Content Requirements
AG Notice Trigger
Notification to Consumer Protection Agencies
N/A
Notice to the California Attorney General is required, expediently and without unreasonable delay, if notice to 500 or more California residents is required.
The notification must:
1. Be written in plain language
2. Be titled “Notice of Data Breach,” and shall present the information described in paragraph (2) under the following headings: “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information”
3. Include the name and contact information of the reporting person or business
4. List the types of personal information that were or are reasonably believed to have been breached
5. Whether notification was delayed because of law enforcement investigation
6. A general description of the breach incident, if that information is possible to determine at the time the notice is provided
7. The toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed a social security number or a driver’s license or California identification card number
8. If the reporting person or business providing the notification was the source of the breach, an offer to provide 12 months of complimentary appropriate identity theft prevention and mitigation services
9. Be dated
10. If possible, any of the following: (i) the date of the breach, (ii) the estimated date of the breach, or (iii) the date range within which the breach occurred
shall notify California residents without unreasonable delay following discovery or notification of the breach.
Entity that owns or licenses personal information…
shall notify the owner or licensee immediately following discovery or notification of the breach.
Entity that only maintains or stores personal information…
Following discovery or notification of the breach
N/A
1. An individual’s first name or first initial and last name in combination with any one or more of the following:
A. Social Security number
B. Driver’s license, California identification card number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual
C. Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account
D. Medical information
E. Health insurance information
F. Unique biometric information generated from measurements or technical analysis of human body characteristics
G. Information or data collected through the use or operation of an automated license plate recognition system
H. Genetic data, or
2. A username or email address, in combination with a password or security question and answer that would permit access to an online account.
The unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information.
CA
California
Cal. Civ. Code 1798.82 et seq.
Is “Personal Information” broader than the general definition?
Yes
Does the law apply to paper records?
no
Is notification triggered by access only?
no
Is a risk-of-harm analysis permitted?
no
Is notice to a state agency or AG required?
YES
Is there a specific deadline for individual notices?
no
Is there a specific format or language that must be included in the individual notice?
YES
Is a private right of action permitted?
YES
QUICK FACTS
If more than 500 California residents are notified
Statute
AG Website
Download Full PDF
Key Resources
Next STATE
PreviouS STATE
California
Cal. Civ. Code 1798.82 et seq.
Notification to Consumer Protection Agencies
AG Notice Trigger
Notice Content Requirements
Notice Deadline
Risk of Harm Analysis Standard
How is “Personal Information” defined?
How is “Breach” defined?
The unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information.

How is “Personal Information” defined?
1. An individual’s first name or first initial and last name in combination with any one or more of the following:
A. Social Security number
B. Driver’s license, California identification card number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual
C. Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account
D. Medical information
E. Health insurance information
F. Unique biometric information generated from measurements or technical analysis of human body characteristics
G. Information or data collected through the use or operation of an automated license plate recognition system
H. Genetic data, or
2. A username or email address, in combination with a password or security question and answer, which allows access to an online account.

Risk of Harm Analysis Standard
N/A

Notice Deadline
Following discovery or notification of the breach
Entity that owns or licenses personal information… shall notify California residents without unreasonable delay following discovery or notification of the breach.
Entity that only maintains or stores personal information… shall notify the owner or licensee immediately following discovery or notification of the breach.

Notice Content Requirements
The notification must:
1. Be written in plain language
2. Be titled “Notice of Data Breach,” and shall present the information described in paragraph (2) under the following headings: “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information”
3. Include the name and contact information of the reporting person or business
4. List the types of personal information that were or are reasonably believed to have been breached
5. Whether notification was delayed because of law enforcement investigation
6. A general description of the breach incident, if that information is possible to determine at the time the notice is provided
7. The toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed a social security number or a driver’s license or California identification card number
8. If the reporting person or business providing the notification was the source of the breach, an offer to provide 12 months of complimentary appropriate identity theft prevention and mitigation services
9. Be dated
10. If possible, any of the following: (i) the date of the breach, (ii) the estimated date of the breach, or (iii) the date range within which the breach occurred

AG Notice Trigger
Notice to the California Attorney General is required, expediently and without unreasonable delay, if notice to 500 or more California residents is required.

Notification to Consumer Protection Agencies
N/A

QUICK FACTS
Is “Personal Information” broader than the general definition? YES
Does the law apply to paper records? NO
Is notification triggered by access only? NO
Is a risk-of-harm analysis permitted? NO
Is notice to a state agency or AG required? YES (If more than 500 California residents are notified)
Is there a specific deadline for individual notices? NO
Is there a specific format or language that must be included in the individual notice? YES
Is a private right of action permitted? YES

Colorado (CO)
C.R.S.A. § 6-1-713.5 et seq.

How is “Breach” defined?
The unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information.

How is “Personal Information” defined?
1. The first name or first initial and last name in combination with any one or more of the following:
A. Social Security number
B. Student, military, or passport identification number
C. Driver’s license number or identification card number
D. Medical information
E. Health insurance identification number; or
F. Biometric data
2. Username or e-mail address, in combination with a password or security questions and answers, that would permit access to an online account, or
3. Account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to that account.

Risk of Harm Analysis Standard
The entity shall give notice to the affected Colorado residents unless the investigation determines that the misuse of information about a Colorado resident has not occurred and is not reasonably likely to occur.

Notice Deadline
Within 30 days following discovery or notification of the breach:
Entity that owns or licenses personal information… shall notify Colorado residents within 30 days after the date of determination that a breach occurred.
Entity that does not own or have the right to license personal information… shall notify the owner or licensee expeditiously and without undue delay following discovery or notification of the breach.

Notice Content Requirements
The notice must include:
1. The date, estimated date, or estimated date range of the security breach
2. A description of the personal information that was acquired or reasonably believed to have been acquired as part of the security breach
3. Information that the resident can use to contact the covered entity to inquire about the security breach
4. The toll-free numbers, addresses, and websites for consumer reporting agencies
5. The toll-free number, address, and website for the Federal Trade Commission, and
6. A statement that the resident can obtain information from the Federal Trade Commission and the credit reporting agencies about fraud alerts and security freezes

AG Notice Trigger
Notice to the Colorado Attorney General within 30 days is required if more than 500 Colorado residents are notified.

Notification to Consumer Protection Agencies
Notice to consumer reporting agencies without unreasonable delay is required if more than 1,000 Colorado residents are notified.

QUICK FACTS
Is “Personal Information” broader than the general definition? YES
Does the law apply to paper records? NO
Is notification triggered by access only? NO
Is a risk-of-harm analysis permitted? YES
Is notice to a state agency or AG required? YES (If more than 500 residents receive notice, and must be within 30 days following discovery or notification of the breach)
Is there a specific deadline for individual notices? YES (Within 30 days following discovery or notification of the breach)
Is there a specific format or language that must be included in the individual notice? YES
Is a private right of action permitted? NO

Connecticut (CT)
Conn. Gen. Stat. Ann. § 36a-701b

How is “Breach” defined?
The unauthorized access to or unauthorized acquisition of electronic files, media, databases or computerized data, containing personal information.

How is “Personal Information” defined?
1. An individual's first name or first initial and last name in combination with any one of the following:
A. Social Security number
B. Taxpayer identification number
C. Identity protection personal identification number issued by the IRS
D. Driver’s license number, state identification card number, passport number, military identification number or other identification number issued by the government
E. Credit or debit card number
F. Financial account number in combination with any required security code, access code or password that would permit access to such financial account
G. Medical information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional
H. Health insurance policy number or subscriber identification number, or any unique identifier used by a health insurer to identify the individual, or
I. Biometric information, or
2. Electronic mail address, in combination with a password or security question and answer that would permit access to an online account.

Risk of Harm Analysis Standard
Notification is not required if, after an appropriate investigation, the entity reasonably determines that the breach will not likely result in harm to the individual.

Notice Deadline
Within 60 days following discovery or notification of the breach:
Entity that owns or licenses personal information... shall disclose the breach to each state resident within 60 days after the discovery of the breach.
Entity that does not own or have the right to license the personal information... to another entity shall immediately disclose the breach to the entity that owns or who licensed the personal information to such entity.

Notice Content Requirements
N/A

AG Notice Trigger
If notice of a breach of security is required, the notifying person shall, not later than the time when notice is provided to the resident, also provide notice of the breach of security to the Attorney General.

Notification to Consumer Protection Agencies
N/A

QUICK FACTS
Is “Personal Information” broader than the general definition? YES
Does the law apply to paper records? NO
Is notification triggered by access only? NO
Is a risk-of-harm analysis permitted? YES
Is notice to a state agency or AG required? YES (within 60 days of discovery of the breach)
Is there a specific deadline for individual notices? YES (within 60 days of discovery of the breach)
Is there a specific format or language that must be included in the individual notice? NO
Is a private right of action permitted? NO

Delaware (DE)
Del. Code Title 6, §§ 12B-100 et seq.

How is “Breach” defined?
The unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information.

How is “Personal Information” defined?
1. An individual’s first name or first initial and last name in combination with any 1 or more of the following data elements:
A. Social Security number
B. Driver’s license number or state or federal identification card number
C. Account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to a resident’s financial account
D. Passport number
E. A username or email address, in combination with a password or security question and answer that would permit access to an online account
F. Medical history, medical treatment by a healthcare professional, diagnosis of mental or physical condition by a healthcare professional, or deoxyribonucleic acid profile
G. Health insurance policy number, subscriber identification number, or any other unique identifier used by a health insurer to identify the person
H. Unique biometric data generated from measurements or analysis of human body characteristics for authentication purposes, or
I. An individual taxpayer identification number.

Risk of Harm Analysis Standard
If after an appropriate investigation, the person reasonably determines that the breach of security is unlikely to result in harm to the individuals whose personal information has been breached, then no notice is required.

Notice Deadline
Within 60 days following discovery or notification of the breach:
Entity that owns or licenses personal information... shall disclose the breach to each state resident within 60 days after the discovery of the breach.
Entity that does not own or have the right to license the personal information... to another entity shall immediately disclose the breach to the entity that owns or who licensed the personal information to such entity.

Notice Content Requirements
N/A

AG Notice Trigger
If more than 500 Delaware residents are notified, then notice must be provided to the Attorney General not later than 60 days after determining that a breach occurred.

Notification to Consumer Protection Agencies
N/A

QUICK FACTS
Is “Personal Information” broader than the general definition? YES
Does the law apply to paper records? NO
Is notification triggered by access only? NO
Is a risk-of-harm analysis permitted? YES
Is notice to a state agency or AG required? YES (Within 60 days of discovery of the breach, if 500 or more residents are notified)
Is there a specific deadline for individual notices? YES (Within 60 days of discovery of the breach)
Is there a specific format or language that must be included in the individual notice? NO
Is a private right of action permitted? NO

Florida (FL)
Fla. Stat. Ann. § 501.171

How is “Breach” defined?
The unauthorized access of data in electronic form containing personal information.

How is “Personal Information” defined?
1. An individual's first name or first initial and last name in combination with any one or more of the following data elements for that individual:
A. A Social Security number
B. A driver’s license or identification card number, passport number, military identification number, or other similar number issued on a government document used to verify identity
C. A financial account number or credit or debit card number, in combination with any required security code, access code, or password that is necessary to permit access to an individual's financial account
D. Any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional, or
E. An individual's health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual, or
2. A username or e-mail address, in combination with a password or security question and answer that would permit access to an online account.

Risk of Harm Analysis Standard
Notice is not required if, after an appropriate investigation, the entity reasonably determines that the breach has not and will not likely result in identity theft or any other financial harm to the individuals whose personal information has been accessed.
Such a determination must be documented in writing and maintained for at least 5 years.

Notice Deadline
Within 30 days following discovery or notification of the breach:
Entity that owns or licenses personal information... shall disclose the breach to each state resident within 30 days after the discovery of the breach.
Entity that does not own or have the right to license the personal information... shall notify the owner or licensee within 10 days after discovery of the breach.

Notice Content Requirements
The notice shall include:
1. The date, estimated date, or estimated date range of the breach of security.
2. A description of the personal information that was accessed or reasonably believed to have been accessed as a part of the breach of security.
3. Information that the individual can use to contact the covered entity to inquire about the breach of security and the personal information that the covered entity maintained about the individual.

AG Notice Trigger
An entity shall provide notice to the Florida Department of Legal Affairs of any breach of security affecting 500 or more individuals in this state, within 30 days after the determination of the breach or reason to believe a breach occurred.

Notification to Consumer Protection Agencies
If an entity discovers circumstances requiring notice pursuant to this section of more than 1,000 individuals at a single time, the covered entity shall also notify, without unreasonable delay, all consumer reporting agencies.

QUICK FACTS
Is “Personal Information” broader than the general definition? YES
Does the law apply to paper records? NO
Is notification triggered by access only? YES
Is a risk-of-harm analysis permitted? YES
Is notice to a state agency or AG required? YES (Within 30 days of discovery of the breach, if 500 or more residents are notified)
Is there a specific deadline for individual notices? YES
Is there a specific format or language that must be included in the individual notice? YES
Is a private right of action permitted? NO

Georgia (GA)
Ga. Code § 10-1-910 et seq.

How is “Breach” defined?
The unauthorized acquisition of an individual’s electronic data that compromises the security, confidentiality, or integrity of personal information.

How is “Personal Information” defined?
1. An individual’s first name or first initial and last name in combination with any one or more of the following:
A. Social Security number
B. Driver’s license number or state identification card number
C. Account number, credit card number, or debit card number, if circumstances exist wherein such a number could be used without additional identifying information, access codes, or passwords
D. Account passwords or personal identification numbers or other access codes; or
E. Any of the above-items when not in connection with the individual’s first name or first initial and last name, if the information compromised would be sufficient to perform or attempt to perform identity theft against the person whose information was compromised.

Risk of Harm Analysis Standard
N/A

Notice Deadline
Following discovery or notification of the breach:
Entity that owns or licenses personal information... shall disclose the breach to each state resident in most expedient time possible after the discovery of the breach.
Entity that does not own or have the right to license the personal information... shall notify the owner or licensee within 24 hours, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

Notice Content Requirements
N/A

AG Notice Trigger
N/A

Notification to Consumer Protection Agencies
N/A

QUICK FACTS
Is “Personal Information” broader than the general definition? YES
Does the law apply to paper records? NO
Is notification triggered by access only? NO
Is a risk-of-harm analysis permitted? NO
Is notice to a state agency or AG required? NO
Is there a specific deadline for individual notices? NO
Is there a specific format or language that must be included in the individual notice? NO
Is a private right of action permitted? NO
Statute
AG Website
Download Full PDF
Key Resources
Next STATE
PreviouS STATE
Georgia
Ga. Code § 10-1-910 et seq.
Notification to Consumer Protection Agencies
AG Notice Trigger
Notice Content Requirements
Notice Deadline
Risk of Harm Analysis Standard
How is “Personal Information” defined?
How is “Breach” defined?
N/A
N/A
N/A
shall disclose the breach to each state resident in most expedient time possible after the discovery of the breach.
Entity that owns or licenses personal information...
shall notify the owner or licensee within 24 hours, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
Entity that does not own or have the right to license the personal information...
Following discovery or notification of the breach:
N/A
Social Security number
Driver’s license number or state identification card number
Account number, credit card number, or debit card number, if circumstances exist wherein such a number could be used without additional identifying information, access codes, or passwords
Account passwords or personal identification numbers or other access codes; or
Any of the above-items when not in connection with the individual’s first name or first initial and last name, if the information compromised would be sufficient to perform or attempt to perform identity theft against the person whose information was compromised.
A.
B.
C.
D.
E.
F.
G.
H.
I.
An individual’s first name or first initial and last name in combination with any one or more of the following:
1.
The unauthorized acquisition of an individual’s electronic data that compromises the security, confidentiality, or integrity of personal information.
Statute
AG Website
Download Full PDF
Key Resources
QUICK FACTS
Is a private right of action permitted? No
Is there a specific format or language that must be included in the individual notice? No
Is there a specific deadline for individual notices? No
Is notice to a state agency or AG required? No
Is a risk-of-harm analysis permitted? No
Is notification triggered by access only? No
Does the law apply to paper records? No
Is “Personal Information” broader than the general definition? Yes
Hawaii
Haw. Rev. Stat. Ann. §§ 487N-1 et seq.

QUICK FACTS
Is “Personal Information” broader than the general definition? No
Does the law apply to paper records? Yes
Is notification triggered by access only? No
Is a risk-of-harm analysis permitted? Yes
Is notice to a state agency or AG required? Yes
Is there a specific deadline for individual notices? No
Is there a specific format or language that must be included in the individual notice? Yes
Is a private right of action permitted? Yes

How is “Breach” defined?
The unauthorized access to and acquisition of personal information where illegal use of the personal information has occurred, or is reasonably likely to occur and that creates a risk of harm to a person.

How is “Personal Information” defined?
1. An individual’s first name or first initial and last name in combination with any one or more of the following:
A. Social Security number
B. Driver’s license number or Hawaii identification card number; or
C. Account number, credit or debit card number, access code, or password that would permit access to an individual’s financial account.

Risk of Harm Analysis Standard
Notice is not required if the entity determines there is not a reasonable likelihood of risk of harm to an individual.

Notice Deadline
Following discovery or notification of the breach:
Entity that owns or licenses personal information... shall provide notice to the affected person without unreasonable delay.
Entity that maintains or possesses personal information... that the entity does not own or license shall notify the owner or licensee of the information immediately.

Notice Content Requirements
The notice shall include a description of the following:
1. The incident in general terms
2. The type of personal information that was subject to the unauthorized access and acquisition
3. The general acts of the business or government agency to protect the personal information from further unauthorized access
4. A telephone number that the person may call for further information and assistance, if one exists; and
5. Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports.

AG Notice Trigger
Notice to the State of Hawaii’s office of consumer protection without unreasonable delay is required if more than 1,000 Hawaii residents are notified. The notice shall include the timing, distribution, and content of the consumer notice.

Notification to Consumer Protection Agencies
Notice to consumer reporting agencies without unreasonable delay is required if more than 1,000 Hawaii residents are notified. The notice shall include the timing, distribution, and content of the consumer notice.
Idaho
Idaho Code § 28-51-104 et seq.

QUICK FACTS
Is “Personal Information” broader than the general definition? No
Does the law apply to paper records? No
Is notification triggered by access only? No
Is a risk-of-harm analysis permitted? Yes
Is notice to a state agency or AG required? Yes
Is there a specific deadline for individual notices? No
Is there a specific format or language that must be included in the individual notice? No
Is a private right of action permitted? No

How is “Breach” defined?
The illegal acquisition of unencrypted computerized data that materially compromises the security, confidentiality, or integrity of personal information.

How is “Personal Information” defined?
1. An individual’s first name or first initial and last name in combination with any one or more of the following:
A. Social Security number
B. Driver’s license number or Idaho identification card number, or
C. Account number, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a resident’s financial account.

Risk of Harm Analysis Standard
If the investigation determines that the misuse of information about an Idaho resident has occurred or is reasonably likely to occur, the agency, individual or the commercial entity shall give notice as soon as possible to the affected Idaho resident.

Notice Deadline
Following investigation that determines it is likely to cause misuse of personal information:
Entity that owns or licenses computerized data… shall give notice as soon as possible to the affected Idaho resident if the entity determines the likelihood that personal information has been or will be misused.
Entity that only maintains or stores computerized data… shall immediately notify the entity owner or licensee of a breach if misuse of personal information about an Idaho resident occurred or is reasonably likely to occur.

Notice Content Requirements
N/A

AG Notice Trigger
Only when an agency becomes aware of a breach of the security of the system, it shall, within twenty-four (24) hours of such discovery, notify the office of the Idaho attorney general.

Notification to Consumer Protection Agencies
N/A
Illinois
815 ILCS §§ 530/1 to 530/25

QUICK FACTS
Is “Personal Information” broader than the general definition? Yes
Does the law apply to paper records? No
Is notification triggered by access only? No
Is a risk-of-harm analysis permitted? No
Is notice to a state agency or AG required? Yes
Is there a specific deadline for individual notices? No
Is there a specific format or language that must be included in the individual notice? Yes
Is a private right of action permitted? Yes
If notifying 500 or more residents, attorney general must be notified no later than when affected individuals are notified

How is “Breach” defined?
The unauthorized acquisition of computerized personal information.

How is “Personal Information” defined?
1. A person’s first initial and last name along with the person’s:
A. Social Security number
B. Driver’s license or state identification card
C. Account number, credit card number or debit card number, in combination with any security code, access code or password required to access the account
D. Health insurance information
E. Medical information; or
F. Biometric data
Or
2. The username or e-mail address along with the password or security question answer that would permit access to an online account.

Risk of Harm Analysis Standard
N/A

Notice Deadline
Following discovery or notification of the breach:
Entity that owns or licenses personal information... shall notify Illinois residents in the most expedient time possible and without unreasonable delay.
Entity that only maintains or stores personal information... shall notify the owner or licensee immediately.

Notice Content Requirements
Notice should include:
1. Toll-free numbers and address to consumer reporting agencies
2. Toll-free number, address, and website address for the FTC; and
3. A statement that the individual can obtain information from these sources about fraud alerts and security freezes
If there has been a breach impacting individuals’ login credentials, the notice must also direct the recipients to change their credentials or take other appropriate steps.
Notifications may not contain information about the number of Illinois residents affected by the breach.

AG Notice Trigger
Entities required to notify more than 500 Illinois residents must also notify the attorney general in the most expedient time possible and without unreasonable delay, but not later than when affected individuals are notified.
Notice shall include a description of the breach, number of affected residents, and steps the entity took or plans to take relating to the incident.

Notification to Consumer Protection Agencies
N/A
Indiana
Ind. Code §§ 24-4.9 et seq.

QUICK FACTS
Is “Personal Information” broader than the general definition? Yes
Does the law apply to paper records? Yes
Is notification triggered by access only? No
Is a risk-of-harm analysis permitted? Yes
Is notice to a state agency or AG required? Yes
Is there a specific deadline for individual notices? Yes
Is there a specific format or language that must be included in the individual notice? No
Is a private right of action permitted? No
45 days after discovery of the breach
45 days after discovery or notification of breach

How is “Breach” defined?
The unauthorized acquisition of computerized personal information. The term includes the unauthorized acquisition of computerized data that have been transferred to another medium, including paper, microfilm, or a similar medium, even if the transferred data are no longer in a computerized format.

How is “Personal Information” defined?
1. Personal information means:
A. A Social Security number that is not encrypted or redacted
B. A first initial and last name, and one (1) or more of the following data elements
C. Driver's license number
D. State identification card number
E. Credit card number; or
F. A financial account number or debit card number in combination with a security code, password, or access code that would permit access to the person's account.

Risk of Harm Analysis Standard
An entity shall only be required to disclose the breach if the entity should know that the breach could result in identity deception, theft, or fraud affecting an Indiana resident.

Notice Deadline
Following discovery or notification of the breach:
Entity that owns or licenses personal information... shall notify Indiana residents within 45 days following discovery or notification of the breach.
Entity that maintains computerized data but that is not a data owner... shall notify the database owner of the breach within 45 days following discovery or notification of the breach.

Notice Content Requirements
N/A

AG Notice Trigger
Entity is required to disclose the breach to the attorney general within 45 days after discovery of the breach if providing notice to any Indiana resident.

Notification to Consumer Protection Agencies
The entity must also notify the major consumer reporting agencies if notifying more than 1,000 residents of a breach.
Iowa
Iowa Code Ann. §§ 715C.1 et seq.

QUICK FACTS
Is “Personal Information” broader than the general definition? Yes
Does the law apply to paper records? Yes
Is notification triggered by access only? No
Is a risk-of-harm analysis permitted? Yes
Is notice to a state agency or AG required? Yes
Is there a specific deadline for individual notices? No
Is there a specific format or language that must be included in the individual notice? Yes
Is a private right of action permitted? No
Within five (5) business days after notifying affected individuals of the breach

How is “Breach” defined?
The unauthorized acquisition of personal information.

How is “Personal Information” defined?
1. An individual’s first name or first initial and last name in combination with any one or more of the following data elements:
A. Social Security number
B. Driver’s license number or other unique identification number created or collected by a government body
C. Financial account number, credit card number, or debit card number in combination with any required expiration date, security code, access code, or password that would permit access to an individual’s financial account
D. Unique electronic identifier or routing code, in combination with any required security code, access code, or password that would permit access to an individual’s financial account; or
E. Unique biometric data, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data.

Risk of Harm Analysis Standard
Notification is not required if, after an appropriate investigation or after consultation with the relevant federal, state, or local agencies responsible for law enforcement, it is determined that there is no reasonable likelihood of financial harm to the consumers.
Such a determination must be documented in writing and the documentation must be maintained for five years.

Notice Deadline
Following discovery or notification of the breach:
Entity that owns or licenses personal information... shall notify Iowa residents in the most expeditious manner possible without unreasonable delay.
Entity that maintains personal information that the entity does not own... shall notify the owner immediately following discovery of the breach.

Notice Content Requirements
Notice must include:
1. A description of the breach of security
2. The approximate date of the breach of security
3. The type of personal information obtained as a result of the breach of security
4. Contact information for consumer reporting agencies; and
5. Advice to the consumer to report suspected incidents of identity theft to local law enforcement or the attorney general.

AG Notice Trigger
If more than five hundred (500) Iowa residents are notified, then notice must be provided to the Director of the Consumer Protection Division of the Office of the Attorney General within five (5) business days after notifying affected individuals of the breach.

Notification to Consumer Protection Agencies
N/A
Kansas
K.S.A. 50-7a01 et seq.

QUICK FACTS
Is “Personal Information” broader than the general definition? No
Does the law apply to paper records? No
Is notification triggered by access only? No
Is a risk-of-harm analysis permitted? Yes
Is notice to a state agency or AG required? No
Is there a specific deadline for individual notices? No
Is there a specific format or language that must be included in the individual notice? No
Is a private right of action permitted? No

How is “Breach” defined?
The unauthorized access and acquisition of unencrypted or unredacted computerized data that compromises the security, confidentiality or integrity of personal information and that causes, or such individual or entity reasonably believes has caused or will cause, identity theft to any consumer.

How is “Personal Information” defined?
1. An individual's first name or first initial and last name linked to any one or more of the following:
A. Social Security number
B. Driver's license number or state identification card number, or
C. Financial account number, or credit or debit card number, alone or in combination with any required security code, access code or password that would permit access to a consumer's financial account.

Risk of Harm Analysis Standard
Notification only required if the investigation determines that the misuse of information has occurred or is reasonably likely to occur.

Notice Deadline
Following investigation:
Entity that owns or licenses personal information... shall notify Kansas residents “in the most expedient time possible and without unreasonable delay” following the investigation that determines the misuse of personal information has occurred or is reasonably likely to occur.
Entity that only maintains or stores personal information... shall notify the owner or licensee of the breach if the personal information was, or is reasonably believed to have been, accessed and acquired by an unauthorized person.

Notice Content Requirements
N/A

AG Notice Trigger
N/A

Notification to Consumer Protection Agencies
If notifying 1,000 or more Kansas residents at one time, the person shall also notify, without unreasonable delay, all consumer reporting agencies.
AL
AK
AZ
AR
CA
CO
CT
DE
FL
GA
HI
ID
IL
IN
IA
KS
KY
LA
ME
MD
MA
MI
MN
MS
MO
MT
NE
NV
NH
NJ
NM
NY
NC
ND
OH
OK
OR
PA
RI
SC
SD
TN
TX
UT
VT
VA
WA
D.C.
WV
WI
WY
guam
pr
u.s.v.i
Previous State
Next State
Kentucky (KY)
Ky. Rev. Stat. § 365.732 et seq.

How is “Breach” defined?
The unauthorized acquisition of computerized personally identifiable information that causes, or leads the information holder to reasonably believe has caused or will cause, identity theft or fraud against any Kentucky resident.

How is “Personal Information” defined?
1. The first name or first initial and last name in combination with any one (1) or more of the following data elements, when the name or data element is not redacted:
A. Social Security number
B. Driver’s license number; or
C. Account number or credit or debit card number, in combination with any required security code, access code, or password to permit access to an individual's financial account.

Risk of Harm Analysis Standard
Notification is not required if the acquisition of personal information does not cause, or the subject entity does not reasonably believe it has or will cause, identity theft or other fraud to a Kentucky resident.

Notice Deadline
Following discovery or notification of the breach:
Entity that owns or licenses personal information... shall notify Kentucky residents in the most expedient time possible and without unreasonable delay.
Entity that only maintains personal information... that it does not own must notify the owner or licensee as soon as reasonably practicable.

Notice Content Requirements
N/A

AG Notice Trigger
N/A

Notification to Consumer Protection Agencies
If the information holder notifies more than 1,000 persons at one time, it must also report the breach to the consumer reporting agencies and credit bureaus of the timing, distribution, and content of notices without reasonable delay.

QUICK FACTS
Is “Personal Information” broader than the general definition? No
Does the law apply to paper records? No
Is notification triggered by access only? No
Is a risk-of-harm analysis permitted? Yes
Is notice to a state agency or AG required? No
Is there a specific deadline for individual notices? No
Is there a specific format or language that must be included in the individual notice? No
Is a private right of action permitted? No

Highlights
If notifying more than 1,000 Kentucky residents
Louisiana (LA)
La. Rev. Stat. §§ 51:3071 et seq.

How is “Breach” defined?
The unauthorized acquisition of and access to computerized personal information.

How is “Personal Information” defined?
1. The first name or first initial and last name in combination with any one or more of the following data elements:
A. Social Security number
B. Driver's license number or state identification card number
C. Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account
D. Passport number; or
E. Biometric data

Risk of Harm Analysis Standard
Notification is not required if after a reasonable investigation, it is determined that there is no reasonable likelihood of harm to Louisiana residents.

Notice Deadline
Following discovery or notification of the breach:
Entity that owns or licenses personal information... shall notify Louisiana residents within 60 days following discovery of the breach.
Entity that only maintains personal information... shall notify the owner or licensee within 60 days following discovery of the breach.

Notice Content Requirements
N/A

AG Notice Trigger
When notice to Louisiana citizens is required, then written notice detailing the breach of the security of the system must be sent to the Consumer Protection Section of the Attorney General’s office naming all Louisiana citizens affected by the breach.
Such notice must be received within ten (10) days of distribution of notice to Louisiana citizens.

Notification to Consumer Protection Agencies
N/A

QUICK FACTS
Is “Personal Information” broader than the general definition? Yes
Does the law apply to paper records? No
Is notification triggered by access only? No
Is a risk-of-harm analysis permitted? Yes
Is notice to a state agency or AG required? Yes
Is there a specific deadline for individual notices? Yes
Is there a specific format or language that must be included in the individual notice? No
Is a private right of action permitted? No

Highlights
Yes, within 10 days of distribution of notice to Louisiana residents
Within 60 days of discovery of the breach
Maine (ME)
Me. Rev. Stat. Ann. tit. 10 § 1348 et seq.

How is “Breach” defined?
The unauthorized acquisition, release or use of an individual's computerized data that includes personal information that compromises the security, confidentiality or integrity of personal information of the individual maintained by a person.

How is “Personal Information” defined?
1. An individual's first name, or first initial, and last name in combination with any one or more of the following:
A. Social Security number
B. Driver's license number or state identification card number
C. Account number, credit card number or debit card number, if circumstances exist wherein such a number could be used without additional identifying information, access codes or passwords
D. Account passwords or personal identification numbers or other access codes, or
E. Any of the data elements contained in the above paragraphs when not in connection with the individual's first name, or first initial, and last name, if the information if compromised would be sufficient to permit a person to fraudulently assume or attempt to assume the identity of the person whose information was compromised

Risk of Harm Analysis Standard
Notice is only required if misuse of the personal information has occurred or if it is reasonably possible that misuse will occur.

Notice Deadline
30 days following discovery or notification of the breach:
Entity that owns or licenses personal information... shall disclose the breach to each state resident within 30 days after the discovery of the breach.
Entity that does not own or have the right to license the personal information... shall notify the owner or licensee following discovery or notification that the misuse of personal information has occurred or if it is reasonably possible to occur.

Notice Content Requirements
N/A

AG Notice Trigger
When notice of a breach of the security of the system is required under the statute, the person shall also notify the appropriate state regulators within the Department of Professional and Financial Regulation, within 30 days of discovery of the breach.

Notification to Consumer Protection Agencies
If an entity is required to notify more than 1,000 Maine residents at one time, then the entity, within 30 days of discovery of the breach, shall also notify all consumer reporting agencies.

QUICK FACTS
Is “Personal Information” broader than the general definition? Yes
Does the law apply to paper records? No
Is notification triggered by access only? No
Is a risk-of-harm analysis permitted? Yes
Is notice to a state agency or AG required? Yes
Is there a specific deadline for individual notices? Yes
Is there a specific format or language that must be included in the individual notice? No
Is a private right of action permitted? No

Highlights
Within 30 days of discovery of the breach
Within 30 days of discovery of the breach
Maryland (MD)
Md. Code Ann., Com. Law § 14-3501 et seq.

How is “Breach” defined?
The unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of the personal information maintained by a business.

How is “Personal Information” defined?
1. An individual's first name or first initial and last name in combination with any one or more of the following:
A. A Social Security number, an Individual Taxpayer Identification Number, a passport number, or other identification number issued by the federal government
B. A driver's license number or State identification card number
C. An account number, a credit card number, or a debit card number, in combination with any required security code, access code, or password, that permits access to an individual's financial account
D. Health information, including information about an individual's mental health
E. A health insurance policy or certificate number or health insurance subscriber identification number, in combination with a unique identifier used by an insurer or an employer that is self-insured, that permits access to an individual's health information, or
F. Biometric data of an individual,
Or
2. A username or e-mail address in combination with a password or security question and answer that permits access to an individual's e-mail account.

Risk of Harm Analysis Standard
Notice is required only if, after investigation, the business determines that the breach of the security of the system creates a likelihood that personal information has been or will be misused.

Notice Deadline
45 days following discovery or notification of the breach:
Entity that owns or licenses personal information... shall disclose the breach to each state resident within 45 days after the discovery of the breach.
Entity that does not own or have the right to license the personal information... shall notify the owner or licensee as soon as practicable following discovery of the breach.

Notice Content Requirements
The notice shall include:
1. To the extent possible, a description of the categories of information that were, or are reasonably believed to have been, acquired by an unauthorized person, including which of the elements of personal information were, or are reasonably believed to have been, acquired
2. Contact information for the business making the notification, including the business' address, telephone number, and toll-free telephone number if one is maintained. The approximate date of the breach of security
3. The toll-free telephone numbers and addresses for the major consumer reporting agencies, and
4. The toll-free telephone numbers, addresses, and website addresses for:
A. The Federal Trade Commission; and
B. The Office of the Attorney General; and (ii) A statement that an individual can obtain information from these sources about steps the individual can take to avoid identity theft.

AG Notice Trigger
Notice must be provided to the AG before sending notice to affected individuals.

Notification to Consumer Protection Agencies
N/A

QUICK FACTS
Is “Personal Information” broader than the general definition? Yes
Does the law apply to paper records? No
Is notification triggered by access only? No
Is a risk-of-harm analysis permitted? Yes
Is notice to a state agency or AG required? Yes
Is there a specific deadline for individual notices? Yes
Is there a specific format or language that must be included in the individual notice? Yes
Is a private right of action permitted? Yes

Highlights
before giving notice to a Maryland resident
within 45 days following discovery of the breach
Massachusetts (MA)
Mass. Gen. Laws Ann. Ch. 93H § 3 et seq.

How is “Breach” defined?
The unauthorized acquisition or use of data that creates a substantial risk of identity theft or fraud against a resident of the commonwealth.

How is “Personal Information” defined?
1. An individual’s first name and last name or first initial and last name in combination with any one or more of the following:
A. Social Security number
B. Driver's license number or state-issued identification card number, or
C. Financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account.

Risk of Harm Analysis Standard
N/A

Notice Deadline
Following discovery or notification of the breach:
Entity that owns or licenses personal information... shall disclose the breach to each state resident as soon as practicable and without unreasonable delay after the discovery of the breach.
Entity that does not own or have the right to license the personal information... shall notify the owner or licensee as soon as practicable following discovery of the breach.

Notice Content Requirements
Notice must include:
1. The resident's right to obtain a police report
2. How a resident may request a security freeze and the necessary information to be provided when requesting the security freeze
3. That there shall be no charge for a security freeze, and
4. Mitigation services to be provided pursuant to this chapter.
Said notice shall not include the nature of the breach of security or unauthorized acquisition or use, or the number of residents of the commonwealth affected by said breach of security or unauthorized access or use.

AG Notice Trigger
Notice must be provided to the Attorney General and the director of consumer affairs and business regulation as soon as practicable and without unreasonable delay.

Notification to Consumer Protection Agencies
Must notify relevant consumer reporting agencies as identified by the Director of Consumer Affairs and Business Regulation as soon as practicable and without unreasonable delay.

QUICK FACTS
Is “Personal Information” broader than the general definition? No
Does the law apply to paper records? Yes
Is notification triggered by access only? No
Is a risk-of-harm analysis permitted? No
Is notice to a state agency or AG required? Yes
Is there a specific deadline for individual notices? No
Is there a specific format or language that must be included in the individual notice? Yes
Is a private right of action permitted? Yes
Michigan (MI)
Mich. Comp. Laws § 445.61 et seq.

How is “Breach” defined?
The unauthorized access and acquisition of data that compromises the security or confidentiality of personal information maintained by a person or agency as part of a database of personal information regarding multiple individuals.

How is “Personal Information” defined?
1. A person’s first initial and last name along with a Michigan resident’s:
A. Social Security number
B. Driver’s license or state identification card; or
C. Demand deposit, other financial account number or credit/debit card in combination with a required security or identification code or password.

Risk of Harm Analysis Standard
Notice is not required if it is determined that the security breach has not or is not likely to cause substantial loss or injury to or result in identity theft.

Notice Deadline
Following discovery or notification of the breach:
Entity that owns or licenses personal information... must provide notice to affected residents without unreasonable delay.
Entity that maintains personal information... but does not own or license the information must provide notice to the owner of the information without unreasonable delay.

Notice Content Requirements
Notice should include:
1. Description of the breach in general terms
2. Description of the type(s) of personal information subject to unauthorized access or use
3. Description of what the agency or person providing notice is doing to protect the data from further security breaches
4. Telephone number where a notice recipient may obtain additional information/assistance; and
5. Reminder for notice recipients to remain vigilant for incidents of fraud or identity theft.

AG Notice Trigger
N/A

Notification to Consumer Protection Agencies
An entity required to provide notice to more than 1,000 Michigan residents must also notify major consumer reporting agencies of the number of notices provided to Michigan residents and the timing of the notices.

QUICK FACTS
Is “Personal Information” broader than the general definition? No
Does the law apply to paper records? No
Is notification triggered by access only? No
Is a risk-of-harm analysis permitted? Yes
Is notice to a state agency or AG required? No
Is there a specific deadline for individual notices? No
Is there a specific format or language that must be included in the individual notice? Yes
Is a private right of action permitted? No

Highlights
if more than 1,000 Michigan residents are notified
Statute
AG Website
Download Full PDF
Key Resources
Minnesota (MN)
Minn. Stat. Ann. § 325E.61

How is “Breach” defined?
The unauthorized acquisition of computerized personal information.

How is “Personal Information” defined?
1. An individual's first name or first initial and last name in combination with any one or more of the following:
A. Social Security number
B. Driver’s license number; or
C. Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

Risk of Harm Analysis Standard
N/A

Notice Deadline
Following discovery or notification of the breach:
Entity that owns or licenses personal information... shall notify Minnesota residents in the most expedient time possible and without unreasonable delay.
Entity that only maintains personal information... that the entity does not own shall notify the owner or licensee immediately following discovery of the breach.

Notice Content Requirements
N/A

AG Notice Trigger
N/A

Notification to Consumer Protection Agencies
For a breach affecting over 500 people, entities must notify the major consumer reporting agencies within 48 hours. The notice must include information regarding the timing, distribution and content of the notices being sent to Minnesota residents.

QUICK FACTS
Is “Personal Information” broader than the general definition? No
Does the law apply to paper records? No
Is notification triggered by access only? No
Is a risk-of-harm analysis permitted? No
Is notice to a state agency or AG required? No
Is there a specific deadline for individual notices? No
Is there a specific format or language that must be included in the individual notice? Yes
Is a private right of action permitted? No
Within 48 hours if more than 500 Minnesota residents are notified
Mississippi (MS)
Miss. Code Ann. § 75-24-29 et seq.

How is “Breach” defined?
The unauthorized acquisition of electronic files, media, databases or computerized data containing personal information of any resident of this state.

How is “Personal Information” defined?
1. An individual's first name or first initial and last name in combination with any one or more of the following.
A. Social Security number
B. Driver's license number, state identification card number or tribal identification card number; or
C. An account number or credit or debit card number in combination with any required security code, access code or password that would permit access to an individual's financial account.

Risk of Harm Analysis Standard
Notification is not required if, after an appropriate investigation, the entity reasonably determines that the breach will not likely result in harm to the affected individuals.

Notice Deadline
Following discovery or notification of the breach:
Entity that owns or licenses personal information... shall notify Mississippi residents without unreasonable delay.
Entity that only maintains personal information... that the entity does not own shall notify the owner or licensee as soon as practicable.

Notice Content Requirements
N/A

AG Notice Trigger
N/A

Notification to Consumer Protection Agencies
N/A

QUICK FACTS
Is “Personal Information” broader than the general definition? No
Does the law apply to paper records? No
Is notification triggered by access only? No
Is a risk-of-harm analysis permitted? No
Is notice to a state agency or AG required? No
Is there a specific deadline for individual notices? No
Is there a specific format or language that must be included in the individual notice? No
Is a private right of action permitted? No
Missouri (MO)
Mo. Rev. Stat. § 407.1500

How is “Breach” defined?
The unauthorized access to and unauthorized acquisition of computerized personal information.

How is “Personal Information” defined?
1. An individual's first name or first initial and last name in combination with any one or more of the following:
A. Social Security number
B. Driver's license number or other unique identification number created or collected by a government body
C. Financial account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account
D. Unique electronic identifier or routing code, in combination with any required security code, access code, or password that would permit access to an individual's financial account
E. Medical information; or
F. Health insurance information

Risk of Harm Analysis Standard
Notification is not required if, after an appropriate investigation or after consultation with the relevant federal, state, or local agencies responsible for law enforcement, it is determined that a risk of identity theft or other fraud to any consumer is not reasonably likely to occur.

Notice Deadline
Following discovery or notification of the breach:
Entity that owns or licenses personal information... shall notify Missouri residents without unreasonable delay.
Entity that only maintains or possesses personal information... that the entity does not own or license shall notify the owner or licensee immediately.

Notice Content Requirements
The notice must include a description of the following:
1. The incident in general terms
2. The type of personal information that was obtained as a result of the breach of security
3. A telephone number that the affected consumer may call for further information and assistance, if one exists
4. Contact information for consumer reporting agencies; and
5. Advice that directs the affected consumer to remain vigilant by reviewing account statements and monitoring free credit reports.

AG Notice Trigger
If notice is required to be provided to more than 1,000 Missouri residents, then without unreasonable delay, the Attorney General’s office must be notified of the timing, distribution, and content of the notice to consumers.

Notification to Consumer Protection Agencies
If notice is required to be provided to more than 1,000 Missouri residents, then without unreasonable delay, the major consumer reporting agencies must be notified of the timing, distribution, and content of the notice to consumers.

QUICK FACTS
Is “Personal Information” broader than the general definition? Yes
Does the law apply to paper records? No
Is notification triggered by access only? No
Is a risk-of-harm analysis permitted? Yes
Is notice to a state agency or AG required? Yes
Is there a specific deadline for individual notices? No
Is there a specific format or language that must be included in the individual notice? Yes
Is a private right of action permitted? No
If 1,000 or more residents are notified
If more than 1,000 Missouri residents are notified
Montana (MT)
Mt. Code Ann. 30-14-1704 et seq.

How is “Breach” defined?
The unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information and causes or is reasonably believed to cause loss or injury to a Montana resident.

How is “Personal Information” defined?
1. An individual’s first name or first initial and last name in combination with any one or more of the following:
A. Social Security number
B. Driver’s license number, state identification card number, or tribal identification card number
C. Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account
D. Medical record information
E. Taxpayer identification number, or
F. Identity protection personal identification number issued by the United States internal revenue service.

Risk of Harm Analysis Standard
Notification is not required if entity reasonably believes breach has not or will not cause loss or injury to a Montana resident.

Notice Deadline
Following investigation:
Entity that owns or licenses personal information… shall notify Montana residents without unreasonable delay following the investigation that determines the breach caused or is reasonably believed to cause loss or injury to a Montana resident.
Entity that only maintains or stores personal information... shall immediately notify the owner or licensee of the breach if the personal information was, or is reasonably believed to have been, accessed and acquired by an unauthorized person.

Notice Content Requirements
N/A

AG Notice Trigger
Any person or business that is required to issue a notification pursuant to this section shall simultaneously submit an electronic copy of the notification and a statement providing the date and method of distribution of the notification to the attorney general’s consumer protection office.
If notification is made to more than one individual, the notification must indicate the number of individuals in the state who received notification.

Notification to Consumer Protection Agencies
If a business discloses a security breach to any individual and gives a notice to the individual that suggests, indicates, or implies to the individual that the individual may obtain a copy of the file on the individual from a consumer credit reporting agency, the business shall coordinate with the consumer reporting agency as to the timing, content, and distribution of the notice to the individual.

QUICK FACTS
Is “Personal Information” broader than the general definition? Yes
Does the law apply to paper records? No
Is notification triggered by access only? No
Is a risk-of-harm analysis permitted? Yes
Is notice to a state agency or AG required? Yes
Is there a specific deadline for individual notices? No
Is there a specific format or language that must be included in the individual notice? Yes
Is a private right of action permitted? No
Nebraska (NE)
Neb. Rev. Stat. §§ 87-801 et seq.

How is “Breach” defined?
The unauthorized acquisition of unencrypted computerized data or encrypted computerized data and the encryption key by any person that materially compromises the security, confidentiality, or integrity of personal or protected information maintained by an individual or a commercial entity.

How is “Personal Information” defined?
1. An individual’s first name or first initial and last name in combination with:
A. Social Security number
B. Driver's license number or other unique identification number created or collected by a government body
C. Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a resident's financial account;
D. Unique electronic identification number or routing code, in combination with any required security code, access code, or password; or
E. Unique biometric data, such as a fingerprint, voice print, or retina or iris image, or other unique physical representation; or
2. A user name or email address, in combination with a password or security question and answer, that would permit access to an online account.

Risk of Harm Analysis Standard
Entity not required to notify if, following an appropriate investigation and notice to the attorney general, the entity reasonably determines that the breach will not likely result in harm to the affected person.

Notice Deadline
Within 60 days following discovery or notification of the breach:
Entity that owns or licenses personal information… shall notify South Dakota residents “within 60 days” following discovery or notification of the breach.
Entity that only maintains or stores personal information... shall notify the owner or licensee “immediately following discovery” of the breach if they discover that personal information may have been acquired by an unauthorized person.

Notice Content Requirements
N/A

AG Notice Trigger
If the personal information of more than 250 individuals is breached, then the data controller must disclose the breach to the attorney general.

Notification to Consumer Protection Agencies
N/A

QUICK FACTS
Is “Personal Information” broader than the general definition? Yes
Does the law apply to paper records? No
Is notification triggered by access only? No
Is a risk-of-harm analysis permitted? Yes
Is notice to a state agency or AG required? Yes
Is there a specific deadline for individual notices? No
Is there a specific format or language that must be included in the individual notice? No
Is a private right of action permitted? No
Previous State
Next State
Nevada (NV)
Nev. Rev. Stat. Ann. § 603A.010 et seq.

How is “Breach” defined?
The unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information maintained by the data collector.

How is “Personal Information” defined?
1. An individual’s first name or first initial and last name in combination with any one or more of the following:
A. Social Security number
B. Driver's license number, driver authorization card number or identification card number
C. Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person's financial account
D. A medical identification number or a health insurance identification number, or
E. A username, unique identifier or electronic mail address in combination with a password, access code or security question and answer that would permit access to an online account

Risk of Harm Analysis Standard
Notification only required if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

Notice Deadline
Following discovery or notification of breach:
Entity that owns or licenses personal information… shall notify Nevada residents “made in the most expedient time possible and without unreasonable delay,” following discovery or notification of the breach.
Entity that only maintains or stores personal information… shall notify the owner or licensee of the breach immediately following discovery that the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

Notice Content Requirements
N/A

AG Notice Trigger
N/A

Notification to Consumer Protection Agencies
If notice is required to 1,000 persons at any one time, the entity shall also notify, without unreasonable delay, any consumer reporting agency.

QUICK FACTS
Is “Personal Information” broader than the general definition?
Yes
Does the law apply to paper records?
No
Is notification triggered by access only?
No
Is a risk-of-harm analysis permitted?
Yes
Is notice to a state agency or AG required?
No
Is there a specific deadline for individual notices?
No
Is there a specific format or language that must be included in the individual notice?
No
Is a private right of action permitted?
Yes
New Hampshire (NH)
N.H. Rev. Stat § 359-C:20

How is “Breach” defined?
The unauthorized acquisition of computerized data that compromises the security or confidentiality of personal information maintained by a person doing business in this state.

How is “Personal Information” defined?
1. An individual's first name or initial and last name in combination with any one or more of the following:
A. Social Security number
B. Driver's license number or other government identification number
C. Account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

Risk of Harm Analysis Standard
Notification is not required if a determination can be made that misuse of the information has not occurred or is not reasonably likely to occur.

Notice Deadline
Following discovery or notification of the breach:
Entity that owns or licenses personal information... shall disclose the breach to each state resident as soon as practicable and without unreasonable delay after the discovery of the breach.
Entity that does not own or have the right to license the personal information... shall notify the owner or licensee immediately following discovery of the breach.

Notice Content Requirements
Notice shall include at a minimum:
1. A description of the incident in general terms
2. The approximate date of breach
3. The type of personal information obtained as a result of the security breach
4. The telephonic contact information of the person subject to this section

AG Notice Trigger
The entity shall notify the New Hampshire attorney general's office as soon as practicable.

Notification to Consumer Protection Agencies
If an entity is required to notify more than 1,000 consumers of a breach of security, the person shall also notify, without unreasonable delay, all consumer reporting agencies.

QUICK FACTS
Is “Personal Information” broader than the general definition?
No
Does the law apply to paper records?
No
Is notification triggered by access only?
No
Is a risk-of-harm analysis permitted?
Yes
Is notice to a state agency or AG required?
Yes
Is there a specific deadline for individual notices?
No
Is there a specific format or language that must be included in the individual notice?
Yes
Is a private right of action permitted?
Yes
New Jersey (NJ)
N.J.S.A. § 56:8-161 et seq.

How is “Breach” defined?
The unauthorized access to electronic files, media or data containing personal information.

How is “Personal Information” defined?
1. An individual's first name or first initial and last name linked with any one or more of the following:
A. Social Security number
B. Driver's license number or State identification card number
C. Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account, or
D. Username, email address, or any other account holder identifying information, in combination with any password or security question and answer that would permit access to an online account.

Risk of Harm Analysis Standard
Disclosure of a breach of security to a customer shall not be required if the entity establishes that misuse of the information is not reasonably possible.

Notice Deadline
Following discovery or notification of the breach:
Entity that owns or licenses personal information... shall disclose the breach to each state resident as soon as practicable and without unreasonable delay after the discovery of the breach.
Entity that does not own or have the right to license the personal information... shall notify the owner or licensee immediately following discovery of the breach.

Notice Content Requirements
N/A

AG Notice Trigger
Notice must be made to the Division of State Police in the Department of Law and Public Safety before disclosing to affected consumers.

Notification to Consumer Protection Agencies
If more than 1,000 individuals are notified in one incident, then an entity must provide notice to all consumer reporting agencies without unreasonable delay.

QUICK FACTS
Is “Personal Information” broader than the general definition?
No
Does the law apply to paper records?
No
Is notification triggered by access only?
Yes
Is a risk-of-harm analysis permitted?
Yes
Is notice to a state agency or AG required?
Yes
Is there a specific deadline for individual notices?
No
Is there a specific format or language that must be included in the individual notice?
No
Is a private right of action permitted?
No
New Mexico (NM)
N. M. Stat. Ann. § 57-12C-1 et seq.

How is “Breach” defined?
The unauthorized acquisition of and unauthorized access that materially compromises the security or confidentiality of unencrypted and unredacted computerized personal information.

How is “Personal Information” defined?
1. First name or first initial and last name in combination with at least one of the following:
A. Social Security number
B. Driver's license number or government-issued identification number
C. Financial account number, including a credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account, or
D. Biometric data

Risk of Harm Analysis Standard
Notification not required if entity determines that the breach does not pose a significant risk of identity theft or fraud.

Notice Deadline
45 days following discovery or notification of the breach:
Entity that owns or licenses personal information… shall notify residents within 45 days following discovery or notification of the breach.
Entity that only maintains or stores personal information… shall notify the owner or licensee “immediately following discovery” of the breach if they discover that personal information may have been acquired by an unauthorized person.

Notice Content Requirements
The notice shall state:
1. Entity’s name and contact information
2. A general description of the security breach
3. The date, estimated date, or range of dates the breach occurred (if known)
4. A list of the types of personal information reasonably believed to have been subject to the breach
5. The toll-free numbers and addresses of the major consumer reporting agencies
6. Advice to review personal account statements and credit reports for errors, and
7. Advice regarding consumer rights under the Fair Credit Reporting Act

AG Notice Trigger
If the unencrypted personal information of more than 1,000 individuals is breached, then the data controller must disclose the breach to the attorney general.

Notification to Consumer Protection Agencies
The three largest nationwide consumer reporting agencies if more than 1,000 residents must be notified.

QUICK FACTS
Is “Personal Information” broader than the general definition?
Yes
Does the law apply to paper records?
No
Is notification triggered by access only?
No
Is a risk-of-harm analysis permitted?
Yes
Is notice to a state agency or AG required?
Yes
Is there a specific deadline for individual notices?
Yes
Is there a specific format or language that must be included in the individual notice?
Yes
Is a private right of action permitted?
No

Within 45 days of discovery of the breach, if 1,000 or more residents are notified
Within 45 days of discovery of the breach
New York (NY)
N.Y. Gen. Bus. Law 899-aa

How is “Breach” defined?
The unauthorized access to or acquisition or acquisition without valid authorization of computerized data which compromises the security, confidentiality, or integrity of personal information.

How is “Personal Information” defined?
1. Any information in combination with any one or more of the following:
A. Social Security number
B. Driver's license number or non-driver identification card number
C. Account number, credit or debit card number, in combination with any required security code, access code, password or other information which would permit access to an individual's financial account
D. Account number, or credit or debit card number, if circumstances exist wherein such number could be used to access an individual's financial account without additional identifying information, security code, access code, or password, or
E. Biometric information
2. A username or e-mail address in combination with a password or security question and answer that would permit access to an online account.

Risk of Harm Analysis Standard
Notice to affected persons under this section is not required if the exposure of private information was an inadvertent disclosure by persons authorized to access private information, and the person or business reasonably determines such exposure will not likely result in misuse of such information, or financial harm to the affected persons or emotional harm in the case of unknown disclosure of online credentials.

Notice Deadline
Following discovery or notification of the breach:
Entity that owns or licenses personal information... shall disclose the breach to each state resident in the most expedient time possible and without unreasonable delay, after the discovery of the breach.
Entity that does not own or have the right to license the personal information... shall notify the owner or licensee immediately following discovery of the breach.

Notice Content Requirements
Such notice shall include:
1. Contact information for the person or business making the notification
2. The telephone numbers and websites of the relevant state and federal agencies that provide information regarding security breach response and identity theft prevention and protection information, and
3. A description of the categories of information that were, or are reasonably believed to have been, accessed or acquired by a person without valid authorization

AG Notice Trigger
If a New York resident is notified, the Attorney General must also be notified.

Notification to Consumer Protection Agencies
If more than 5,000 individuals are notified in one incident, then an entity must provide notice to all consumer reporting agencies without unreasonable delay.

QUICK FACTS
Is “Personal Information” broader than the general definition?
Yes
Does the law apply to paper records?
No
Is notification triggered by access only?
Yes
Is a risk-of-harm analysis permitted?
Yes
Is notice to a state agency or AG required?
Yes
Is there a specific deadline for individual notices?
No
Is there a specific format or language that must be included in the individual notice?
Yes
Is a private right of action permitted?
No

If disclosure is inadvertent
North Carolina (NC)
N.C. Gen. Stat. §§ 75-60 et seq.

How is “Breach” defined?
Unauthorized access to and acquisition of unencrypted and unredacted records or data containing personal information where illegal use of the personal information has occurred or is reasonably likely to occur or that creates a material risk of harm to a consumer.

How is “Personal Information” defined?
1. A person's first name or first initial and last name in combination with:
A. Social Security or employer taxpayer identification numbers
B. Driver’s license, State identification card, or passport numbers
C. Checking account numbers
D. Savings account numbers
E. Credit card numbers
F. Debit card numbers
G. Personal Identification (PIN) Code
H. Electronic identification numbers, electronic mail names or addresses, Internet account numbers, or Internet identification names
I. Digital signatures
J. Any other numbers or information that can be used to access a person's financial resources
K. Biometric data
L. Fingerprints
M. Passwords; or
N. Parent's legal surname prior to marriage
Personal information does not include electronic identification numbers, electronic mail names or addresses, Internet account numbers, Internet identification names, parent's legal surname prior to marriage, or a password unless this information would permit access to a person's financial account or resources.

Risk of Harm Analysis Standard
Notification is not required where illegal use has not and is not reasonably likely to occur, and the breach does not create a material risk of harm to an individual.

Notice Deadline
Following discovery or notification of the breach:
Entity that owns or licenses personal information... shall notify North Carolina residents without unreasonable delay.
Entity that only maintains or possesses personal information... that it does not own or license must notify the owner or licensee immediately.

Notice Content Requirements
Notification shall include all of the following:
1. A description of the incident in general terms
2. A description of the types of personal information that was accessed
3. A description of the general acts of the business to protect the personal information from further unauthorized access
4. A telephone number for the business that the person may call for further information and assistance, if one exists
5. Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports
6. The toll-free numbers and addresses for the major consumer reporting agencies; and
7. The toll-free numbers, addresses, and Web site addresses for the Federal Trade Commission and the North Carolina Attorney General's Office, along with a statement that the individual can obtain information from these sources about preventing identity theft.

AG Notice Trigger
If an entity provides notice to an affected person of a security breach, then the entity shall notify the Consumer Protection Division of the Attorney General's Office without unreasonable delay.
The notice shall include:
1. the nature of the breach
2. the number of consumers affected by the breach
3. steps taken to investigate the breach
4. steps taken to prevent a similar breach in the future; and
5. information regarding the timing, distribution, and content of the notice

Notification to Consumer Protection Agencies
If an entity discovers circumstances requiring notice pursuant to this section of more than 1,000 individuals at a single time, the covered entity shall also notify, without unreasonable delay, all consumer reporting agencies.

QUICK FACTS
Is “Personal Information” broader than the general definition?
Yes
Does the law apply to paper records?
Yes
Is notification triggered by access only?
No
Is a risk-of-harm analysis permitted?
Yes
Is notice to a state agency or AG required?
Yes
Is there a specific deadline for individual notices?
No
Is there a specific format or language that must be included in the individual notice?
Yes
Is a private right of action permitted?
Yes

If more than 1,000 North Carolina residents are notified
Next STATE
PreviouS STATE
NH
North Carolina
N.C. Gen. Stat. §§ 75-60 et seq.
Notification to Consumer Protection Agencies
AG Notice Trigger
Notice Content Requirements
Notice Deadline
Risk of Harm Analysis Standard
How is “Personal Information” defined?
How is “Breach” defined?
If an entity discovers circumstances requiring notice pursuant to this section of more than 1,000 individuals at a single time, the covered entity shall also notify, without unreasonable delay, all consumer reporting agencies.
If an entity provides notice to an affected person of a security breach, then the entity shall notify the Consumer Protection Division of the Attorney General's Office without unreasonable delay.
A telephone number for the business that the person may call for further information and assistance, if one exists
4.
A description of the general acts of the business to protect the personal information from further unauthorized access
3.
A description of the types of personal information that was accessed
2.
A description of the incident in general terms
1.
Notification shall include all of the following:
shall notify North Carolina residents without unreasonable delay.
Entity that owns or licenses personal information...
that it does not own or license must notify the owner or licensee immediately.
Entity that only maintains or possesses personal information...
Following discovery or notification of the breach:
Notification is not required where illegal use has not and is not reasonably likely to occur, and the breach does not create a material risk of harm to an individual.
1. A person's first name or first initial and last name in combination with:
A. Social Security or employer taxpayer identification numbers
B. Driver’s license, State identification card, or passport numbers
C. Checking account numbers
D. Savings account numbers
E. Credit card numbers
F. Debit card numbers
G. Personal Identification (PIN) Code
H. Electronic identification numbers, electronic mail names or addresses, Internet account numbers, or Internet identification names
I. Digital signatures
J. Any other numbers or information that can be used to access a person's financial resources
K. Biometric data
L. Fingerprints
M. Passwords; or
N. Parent's legal surname prior to marriage
Unauthorized access to and acquisition of unencrypted and unredacted records or data containing personal information where illegal use of the personal information has occurred or is reasonably likely to occur or that creates a material risk of harm to a consumer.
YES
Is a private right of action permitted?
YES
Is there a specific format or language that must be included in the individual notice?
NO
Is there a specific deadline for individual notices?
YES
Is notice to a state agency or AG required?
YES
Is a risk-of-harm analysis permitted?
no
Is notification triggered by access only?
YES
Does the law apply to paper records?
YES
Is “Personal Information” broader than the general definition?
QUICK FACTS
45 days after discovery or notification of the breach
Within five (5) business days after notifying affected individuals of the breach
5. Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports
6. The toll-free numbers and addresses for the major consumer reporting agencies; and
7. The toll-free numbers, addresses, and Web site addresses for the Federal Trade Commission and the North Carolina Attorney General's Office, along with a statement that the individual can obtain information from these sources about preventing identity theft.
The notice shall include:
1. the nature of the breach
2. the number of consumers affected by the breach
3. steps taken to investigate the breach
4. steps taken to prevent a similar breach in the future; and
5. information regarding the timing, distribution, and content of the notice
Personal information does not include electronic identification numbers, electronic mail names or addresses, Internet account numbers, Internet identification names, parent's legal surname prior to marriage, or a password unless this information would permit access to a person's financial account or resources.
How is “Breach” defined?
How is “Personal Information” defined?
Risk of Harm Analysis Standard
Notice Deadline
Notice Content Requirements
AG Notice Trigger
Notification to Consumer Protection Agencies
N/A
If the unencrypted personal information of more than 250 individuals is breached, then the data controller must disclose the breach to the attorney general.
N/A
shall notify North Dakota residents “in most expedient time possible” following discovery or notification of the breach.
Entity that owns or licenses personal information…
shall notify the owner or licensee “immediately following discovery” of the breach if they discover that personal information may have been acquired by an unauthorized person.
Entity that only maintains or stores personal information...
Following discovery or notification of the breach:
N/A
1. An individual’s first name or first initial and last name in combination with:
A. The individual’s Social Security number
B. The operator’s license number assigned to an individual by the department of transportation
C. A nondriver color photo identification card number assigned to the individual by the department of transportation
D. The individual’s financial institution account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial accounts
E. The individual’s date of birth
F. The maiden name of the individual’s mother
G. Medical information
H. Health insurance information
I. An identification number assigned to the individual by the individual’s employer in combination with any required security code, access code, or password, or
J. The individual’s digitized or other electronic signature
The unauthorized acquisition of computerized personal information.
ND
North Dakota
N.D. Cent. Code §§ 51-30-01 et seq.
Is “Personal Information” broader than the general definition?
Yes
Does the law apply to paper records?
no
Is notification triggered by access only?
no
Is a risk-of-harm analysis permitted?
YES
Is notice to a state agency or AG required?
YES
Is there a specific deadline for individual notices?
no
Is there a specific format or language that must be included in the individual notice?
no
Is a private right of action permitted?
YES
QUICK FACTS
If 250 or more residents are notified
North Dakota
N.D. Cent. Code §§ 51-30-01 et seq.
Notification to Consumer Protection Agencies
AG Notice Trigger
Notice Content Requirements
Notice Deadline
Risk of Harm Analysis Standard
How is “Personal Information” defined?
How is “Breach” defined?
N/A
If the unencrypted personal information of more than 250 individuals is breached, then the data controller must disclose the breach to the attorney general.
N/A
shall notify North Dakota residents “in most expedient time possible” following discovery or notification of the breach.
Entity that owns or licenses personal information…
shall notify the owner or licensee “immediately following discovery” of the breach if they discover that personal information may have been acquired by an unauthorized person.
Entity that only maintains or stores personal information...
Following discovery or notification of the breach:
N/A
1. An individual’s first name or first initial and last name in combination with:
A. The individual’s Social Security number
B. The operator’s license number assigned to an individual by the department of transportation
C. A nondriver color photo identification card number assigned to the individual by the department of transportation
D. The individual’s financial institution account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial accounts
E. The individual’s date of birth
F. The maiden name of the individual’s mother
G. Medical information
H. Health insurance information
I. An identification number assigned to the individual by the individual’s employer in combination with any required security code, access code, or password, or
J. The individual’s digitized or other electronic signature
The unauthorized acquisition of computerized personal information.
YES
Is a private right of action permitted?
NO
Is there a specific format or language that must be included in the individual notice?
NO
Is there a specific deadline for individual notices?
YES
Is notice to a state agency or AG required?
YES
Is a risk-of-harm analysis permitted?
no
Is notification triggered by access only?
NO
Does the law apply to paper records?
YES
Is “Personal Information” broader than the general definition?
QUICK FACTS
Within 45 days following discovery of the breach
If 250 or more residents are notified
How is “Breach” defined?
How is “Personal Information” defined?
Risk of Harm Analysis Standard
Notice Deadline
Notice Content Requirements
AG Notice Trigger
Notification to Consumer Protection Agencies
If an entity is required to provide notice to over 1,000 Ohio residents, the entity must also notify, without reasonable delay, the major consumer reporting agencies of the timing, distribution, and content of the disclosure.
N/A
N/A
shall notify Indiana residents within 45 days.
Entity that owns or licenses personal information...
on behalf of another entity shall notify that entity in an expeditious manner.
Entity that is the custodian of or stores personal information...
Following discovery or notification of breach:
To constitute a breach, the unauthorized access to and acquisition of computerized data must be reasonably believed to have caused or will cause a material risk of identity theft or other fraud to an Ohio resident.
1. A person’s first initial and last name with:
A. Social Security number
B. Driver's license number or state identification card number; or
C. Account number or credit or debit card number, in combination with and linked to any required security code, access code, or password that would permit access to an individual's financial account.
The unauthorized access to and acquisition of computerized personal information that reasonably is believed to have caused or will cause a material risk of identity theft or other fraud to an Ohio resident.
OH
Ohio
Ohio Rev. Code Ann. § 1349.19 et seq.
Is “Personal Information” broader than the general definition?
no
Does the law apply to paper records?
no
Is notification triggered by access only?
no
Is a risk-of-harm analysis permitted?
YES
Is notice to a state agency or AG required?
no
Is there a specific deadline for individual notices?
YES
Is there a specific format or language that must be included in the individual notice?
no
Is a private right of action permitted?
no
QUICK FACTS
If more than 1,000 Ohio residents are notified
45 days after notification or discovery of breach
Ohio
Ohio Rev. Code Ann. § 1349.19 et seq.
Notification to Consumer Protection Agencies
AG Notice Trigger
Notice Content Requirements
Notice Deadline
Risk of Harm Analysis Standard
How is “Personal Information” defined?
How is “Breach” defined?
If an entity is required to provide notice to over 1,000 Ohio residents, the entity must also notify, without reasonable delay, the major consumer reporting agencies of the timing, distribution, and content of the disclosure.
N/A
N/A
shall notify Indiana residents within 45 days.
Entity that owns or licenses personal information...
on behalf of another entity shall notify that entity in an expeditious manner.
Entity that is the custodian of or stores personal information...
Following discovery or notification of breach:
To constitute a breach, the unauthorized access to and acquisition of computerized data must be reasonably believed to have caused or will cause a material risk of identity theft or other fraud to an Ohio resident.
1. A person’s first initial and last name with:
A. Social Security number
B. Driver's license number or state identification card number; or
C. Account number or credit or debit card number, in combination with and linked to any required security code, access code, or password that would permit access to an individual's financial account.
The unauthorized access to and acquisition of computerized personal information that reasonably is believed to have caused or will cause a material risk of identity theft or other fraud to an Ohio resident.
no
Is a private right of action permitted?
NO
Is there a specific format or language that must be included in the individual notice?
YES
Is there a specific deadline for individual notices?
NO
Is notice to a state agency or AG required?
YES
Is a risk-of-harm analysis permitted?
no
Is notification triggered by access only?
NO
Does the law apply to paper records?
NO
Is “Personal Information” broader than the general definition?
QUICK FACTS
45 days after notification or discovery of breach
Within 45 days of discovery of the breach, if 1,000 or more residents are notified
How is “Breach” defined?
How is “Personal Information” defined?
Risk of Harm Analysis Standard
Notice Deadline
Notice Content Requirements
AG Notice Trigger
Notification to Consumer Protection Agencies
N/A
N/A
N/A
shall, following discovery or notification of the breach, notify any Oklahoma resident whose personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person and that causes, or the entity reasonably believes has caused or will cause, identity theft or other fraud to any resident of this state.
Entity that owns or licenses personal information...
shall notify the owner or licensee of the breach of the security of the system as soon as practicable following discovery, if the personal information was or if the entity reasonably believes was accessed and acquired by an unauthorized person.
Entity that only maintains or stores computerized data...
Following discovery or notification of breach:
Notification only required if entity reasonably believes personal information has been accessed and acquired by an unauthorized person and that caused, or the entity reasonably believes has caused or will cause, identity theft or other fraud to any resident of this state.
1. An individual’s first name or first initial and last name linked to any one or more of the following:
A. Social Security number
B. Driver's license number or state identification card number issued in lieu of a driver license, or
C. Financial account number, or credit or debit card number, alone or in combination with any required security code, access code or password that would permit access to a consumer's financial account.
The unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information and that causes, or the entity reasonably believes has caused or will cause, identity theft or other fraud to any resident of this state.
OK
Oklahoma
24 Okl.St.Ann. § 161 et seq.
Is “Personal Information” broader than the general definition?
no
Does the law apply to paper records?
no
Is notification triggered by access only?
no
Is a risk-of-harm analysis permitted?
YES
Is notice to a state agency or AG required?
no
Is there a specific deadline for individual notices?
no
Is there a specific format or language that must be included in the individual notice?
no
Is a private right of action permitted?
no
QUICK FACTS
Oklahoma
24 Okl.St.Ann. § 161 et seq.
Notification to Consumer Protection Agencies
AG Notice Trigger
Notice Content Requirements
Notice Deadline
Risk of Harm Analysis Standard
How is “Personal Information” defined?
How is “Breach” defined?
N/A
N/A
N/A
shall, following discovery or notification of the breach, notify any Oklahoma resident whose personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person and that causes, or the entity reasonably believes has caused or will cause, identity theft or other fraud to any resident of this state.
Entity that owns or licenses personal information...
shall notify the owner or licensee of the breach of the security of the system as soon as practicable following discovery, if the personal information was or if the entity reasonably believes was accessed and acquired by an unauthorized person.
Entity that only maintains or stores computerized data...
Following discovery or notification of breach:
Notification only required if entity reasonably believes personal information has been accessed and acquired by an unauthorized person and that caused, or the entity reasonably believes has caused or will cause, identity theft or other fraud to any resident of this state.
1. An individual’s first name or first initial and last name linked to any one or more of the following:
A. Social Security number
B. Driver's license number or state identification card number issued in lieu of a driver license, or
C. Financial account number, or credit or debit card number, alone or in combination with any required security code, access code or password that would permit access to a consumer's financial account.
The unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information and that causes, or the entity reasonably believes has caused or will cause, identity theft or other fraud to any resident of this state.
NO
Is a private right of action permitted?
NO
Is there a specific format or language that must be included in the individual notice?
NO
Is there a specific deadline for individual notices?
NO
Is notice to a state agency or AG required?
YES
Is a risk-of-harm analysis permitted?
no
Is notification triggered by access only?
NO
Does the law apply to paper records?
NO
Is “Personal Information” broader than the general definition?
QUICK FACTS
45 days after discovery or notification of the breach
Within five (5) business days after notifying affected individuals of the breach
How is “Breach” defined?
How is “Personal Information” defined?
Risk of Harm Analysis Standard
Notice Deadline
Notice Content Requirements
AG Notice Trigger
Notification to Consumer Protection Agencies
If entity provides notice to more than 1,000 Oregon residents, the entity shall notify, without unreasonable delay, all consumer reporting agencies.
If entity provides notice to more than 250 Oregon residents, entity must also provide notice to the Attorney General.
1. A description of the breach of security in general terms
2. The approximate date of the breach of security
3. The type of personal information that was subject to the breach of security
4. Contact information for the covered entity
5. Contact information for national consumer reporting agencies, and
6. Advice to the consumer to report suspected identity theft to law enforcement, including the Attorney General and the Federal Trade Commission.
shall notify Oregon residents “in the most expeditious manner possible, without unreasonable delay,” but in no event later than 45 days after discovering or receiving notification of the breach.
Entity that owns or licenses personal information…
shall notify the owner or licensee of the breach within 10 days after discovering the breach or having a reason to believe that the breach of security occurred.
Entity that only maintains or stores personal information…
45 days after discovering or receiving notification of the breach:
Entity does not need to notify consumers of a breach if, after an appropriate investigation or after consultation with relevant federal, state or local law enforcement agencies, the entity reasonably determines that the consumers whose personal information was subject to the breach are unlikely to suffer harm.
The entity must document the determination in writing and maintain the documentation for at least five years.
A.
B.
Encryption, redaction, or other methods have not rendered the data element or combination of data elements unusable; and
The data element or combination of data elements would enable a person to commit identity theft against a consumer.
1. A consumer's first name or first initial and last name in combination with any one or more of the following:
A. A consumer's Social Security number
B. A consumer's driver license number or state identification card number issued by the Department of Transportation
C. A consumer's passport number or other identification number issued by the United States
D. A consumer's financial account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to a consumer's financial account, or any other information or combination of information that a person reasonably knows or should know would permit access to the consumer's financial account
E. Data from automatic measurements of a consumer's physical characteristics, such as an image of a fingerprint, retina or iris, that are used to authenticate the consumer's identity in the course of a financial transaction or other transaction
F. A consumer's health insurance policy number or health insurance subscriber identification number in combination with any other unique identifier that a health insurer uses to identify the consumer, or
G. Any information about a consumer's medical history or mental or physical condition or about a health care professional's medical diagnosis or treatment of the consumer.
2. A username or other means of identifying a consumer for the purpose of permitting access to the consumer's account, together with any other method necessary to authenticate the username or means of identification.
3. Any of the data elements or any combination of the data elements described in subparagraph (A) or (B) of this paragraph without the consumer's username, or the consumer's first name or first initial and last name, if: (i) Encryption, redaction or other methods have not rendered the data element or combination of data elements unusable; and (ii) the data element or combination of data elements would enable a person to commit identity theft against a consumer.
The unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information that a person maintains or possesses.
OR
Oregon
ORS § 646A.600 et seq.
Is “Personal Information” broader than the general definition?
Yes
Does the law apply to paper records?
no
Is notification triggered by access only?
no
Is a risk-of-harm analysis permitted?
YES
Is notice to a state agency or AG required?
YES
Is there a specific deadline for individual notices?
YES
Is there a specific format or language that must be included in the individual notice?
YES
Is a private right of action permitted?
no
QUICK FACTS
If more than 250 residents receive notice
Within 45 days after discovering or receiving notification of the breach
Oregon
ORS § 646A.600 et seq.
Notification to Consumer Protection Agencies
AG Notice Trigger
Notice Content Requirements
Notice Deadline
Risk of Harm Analysis Standard
How is “Personal Information” defined?
How is “Breach” defined?
If entity provides notice to more than 1,000 Oregon residents, the entity shall notify, without unreasonable delay, all consumer reporting agencies.
If entity provides notice to more than 250 Oregon residents, entity must also provide notice to the Attorney General.
shall notify Oregon residents “in the most expeditious manner possible, without unreasonable delay,” but in no event later than 45 days after discovering or receiving notification of the breach.
Entity that owns or licenses personal information…
shall notify the owner or licensee of the breach within 10 days after discovering the breach or having a reason to believe that the breach of security occurred.
Entity that only maintains or stores personal information…
45 days after discovering or receiving notification of the breach:
Entity does not need to notify consumers of a breach if, after an appropriate investigation or after consultation with relevant federal, state or local law enforcement agencies, the entity reasonably determines that the consumers whose personal information was subject to the breach are unlikely to suffer harm.
The entity must document the determination in writing and maintain the documentation for at least five years.
1. A consumer's first name or first initial and last name in combination with any one or more of the following:
A. A consumer's Social Security number
B. A consumer's driver license number or state identification card number issued by the Department of Transportation
C. A consumer's passport number or other identification number issued by the United States
D. A consumer's financial account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to a consumer's financial account, or any other information or combination of information that a person reasonably knows or should know would permit access to the consumer's financial account
E. Data from automatic measurements of a consumer's physical characteristics, such as an image of a fingerprint, retina or iris, that are used to authenticate the consumer's identity in the course of a financial transaction or other transaction
F. A consumer's health insurance policy number or health insurance subscriber identification number in combination with any other unique identifier that a health insurer uses to identify the consumer, or
G. Any information about a consumer's medical history or mental or physical condition or about a health care professional's medical diagnosis or treatment of the consumer.
The unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information that a person maintains or possesses.
no
Is a private right of action permitted?
YES
Is there a specific format or language that must be included in the individual notice?
YES
Is there a specific deadline for individual notices?
YES
Is notice to a state agency or AG required?
YES
Is a risk-of-harm analysis permitted?
no
Is notification triggered by access only?
NO
Does the law apply to paper records?
YES
Is “Personal Information” broader than the general definition?
QUICK FACTS
Within 45 days after discovering or receiving notification of the breach
If more than 250 residents receive notice
2. A username or other means of identifying a consumer for the purpose of permitting access to the consumer's account, together with any other method necessary to authenticate the username or means of identification.
3. Any of the data elements or any combination of the data elements described in subparagraph (A) or (B) of this paragraph without the consumer's username, or the consumer's first name or first initial and last name, if: (i) Encryption, redaction or other methods have not rendered the data element or combination of data elements unusable; and (ii) the data element or combination of data elements would enable a person to commit identity theft against a consumer.
1. A description of the breach of security in general terms
2. The approximate date of the breach of security
3. The type of personal information that was subject to the breach of security
4. Contact information for the covered entity
5. Contact information for national consumer reporting agencies, and
6. Advice to the consumer to report suspected identity theft to law enforcement, including the Attorney General and the Federal Trade Commission.
How is “Breach” defined?
How is “Personal Information” defined?
Risk of Harm Analysis Standard
Notice Deadline
Notice Content Requirements
AG Notice Trigger
Notification to Consumer Protection Agencies
If more than 1,000 individuals are notified in one incident, then an entity must provide notice to all consumer reporting agencies without unreasonable delay.
N/A
N/A
shall disclose the breach to each state resident as soon as practicable and without unreasonable delay after the discovery of the breach.
Entity that owns or licenses personal information...
shall notify the owner or licensee immediately following discovery of the breach.
Entity that does not own or have the right to license the personal information...
Following discovery or notification of the breach:
If there is not a reasonable likelihood that the affected individuals’ personal information has not been accessed or acquired by an unauthorized person, then notification is not needed.
1. An individual’s first name or first initial and last name in combination with and linked to any one or more of the following:
A. Social Security number
B. Driver's license number or a State identification card number issued in lieu of a driver’s license, or
C. Financial account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account
The unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of personal information and that causes or the entity reasonably believes has caused or will cause loss or injury to any resident of this Commonwealth.
pa
Pennsylvania
3 P.S. § 2301 et seq.
Is “Personal Information” broader than the general definition?
no
Does the law apply to paper records?
no
Is notification triggered by access only?
no
Is a risk-of-harm analysis permitted?
Yes
Is notice to a state agency or AG required?
no
Is there a specific deadline for individual notices?
no
Is there a specific format or language that must be included in the individual notice?
no
Is a private right of action permitted?
no
QUICK FACTS
Pennsylvania
3 P.S. § 2301 et seq.
Notification to Consumer Protection Agencies
AG Notice Trigger
Notice Content Requirements
Notice Deadline
Risk of Harm Analysis Standard
How is “Personal Information” defined?
How is “Breach” defined?
If more than 1,000 individuals are notified in one incident, then an entity must provide notice to all consumer reporting agencies without unreasonable delay.
N/A
N/A
shall disclose the breach to each state resident as soon as practicable and without unreasonable delay after the discovery of the breach.
Entity that owns or licenses personal information...
shall notify the owner or licensee immediately following discovery of the breach.
Entity that does not own or have the right to license the personal information...
Following discovery or notification of the breach:
If there is not a reasonable likelihood that the affected individuals’ personal information has not been accessed or acquired by an unauthorized person, then notification is not needed.
1. An individual’s first name or first initial and last name in combination with and linked to any one or more of the following:
A. Social Security number
B. Driver's license number or a State identification card number issued in lieu of a driver’s license, or
C. Financial account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account
The unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of personal information and that causes or the entity reasonably believes has caused or will cause loss or injury to any resident of this Commonwealth.
no
Is a private right of action permitted?
NO
Is there a specific format or language that must be included in the individual notice?
NO
Is there a specific deadline for individual notices?
NO
Is notice to a state agency or AG required?
YES
Is a risk-of-harm analysis permitted?
no
Is notification triggered by access only?
nO
Does the law apply to paper records?
NO
Is “Personal Information” broader than the general definition?
QUICK FACTS
45 days after notification or discovery of breach
Within 45 days of discovery of the breach, if 1,000 or more residents are notified
Highlights
QUICK FACTS
How is “Breach” defined?
How is “Personal Information” defined?
Risk of Harm Analysis Standard
Notice Deadline
Notice Content Requirements
AG Notice Trigger
Notification to Consumer Protection Agencies
If more than 500 Rhode Island residents are to be notified, the entity shall notify the major credit reporting agencies as to the timing, content, and distribution of the notices and the approximate number of affected individuals.
If more than 500 Rhode Island residents are to be notified, within 45 days of the discovery of the breach, the entity shall notify the attorney general as to the timing, content, and distribution of the notices and the approximate number of affected individuals.
1. Must include the following information to the extent known:
A. A general and brief description of the incident, including how the security breach occurred and the number of affected individuals
B. The type of information that was subject to the breach
C. Date of breach, estimated date of breach, or the date range within which the breach occurred
D. Date that the breach was discovered
E. A clear and concise description of any remediation services offered to affected individuals including toll free numbers and websites to contact: (a) The credit reporting agencies; (b) Remediation service providers; (c) The attorney general, and
F. A clear and concise description of the consumer's ability to file or obtain a police report; how a consumer requests a security freeze and the necessary information to be provided when requesting the security freeze; and that fees may be required to be paid to the consumer reporting agencies.
45 days following discovery or notification of the breach:
Entity that owns or licenses personal information... shall disclose the breach to each state resident in the most expedient time possible, but no later than 45 calendar days after confirmation of the breach and the ability to ascertain the information required to fulfill the notice requirements.
Entity that does not own or have the right to license the personal information... shall notify the owner or licensee in the most expedient time possible following discovery of the breach.
The notification requirement considers whether the disclosure of personal information or breach of the security of the system poses a significant risk of identity theft to any resident of Rhode Island.
1. An individual's first name or first initial and last name in combination with any one or more of the following data elements:
A. Social Security number
B. Driver's license number, Rhode Island identification card number, or tribal identification number
C. Account number, credit, or debit card number, in combination with any required security code, access code, password, or personal identification number, that would permit access to an individual's financial account
D. Medical or health insurance information, or
E. E-mail address with any required security code, access code, or password that would permit access to an individual's personal, medical, insurance, or financial account.
The unauthorized access or acquisition of unencrypted, computerized data information that compromises the security, confidentiality, or integrity of personal information.
RI
Rhode Island
R.I. Gen. Laws § 11-49.3-4 et seq.
Is “Personal Information” broader than the general definition?
Yes
Does the law apply to paper records?
no
Is notification triggered by access only?
Yes
Is a risk-of-harm analysis permitted?
Yes
Is notice to a state agency or AG required?
Yes
Is there a specific deadline for individual notices?
YES
Is there a specific format or language that must be included in the individual notice?
YES
Is a private right of action permitted?
no
QUICK FACTS
Within 45 days of the discovery of the breach if more than 500 residents are notified
Within 45 days of the discovery of the breach
Rhode Island
R.I. Gen. Laws § 11-49.3-4 et seq.
Notification to Consumer Protection Agencies
AG Notice Trigger
Notice Content Requirements
Notice Deadline
Risk of Harm Analysis Standard
How is “Personal Information” defined?
How is “Breach” defined?
If more than 500 Rhode Island residents are to be notified, the entity shall notify the major credit reporting agencies as to the timing, content, and distribution of the notices and the approximate number of affected individuals.
If more than 500 Rhode Island residents are to be notified, within 45 days of the discovery of the breach, the entity shall notify the attorney general as to the timing, content, and distribution of the notices and the approximate number of affected individuals.
Must include the following information to the extent known:
45 days following discovery or notification of the breach:
Entity that owns or licenses personal information... shall disclose the breach to each state resident in the most expedient time possible, but no later than 45 calendar days after confirmation of the breach and the ability to ascertain the information required to fulfill the notice requirements.
Entity that does not own or have the right to license the personal information... shall notify the owner or licensee in the most expedient time possible following discovery of the breach.
The notification requirement considers whether the disclosure of personal information or breach of the security of the system poses a significant risk of identity theft to any resident of Rhode Island.
1. An individual's first name or first initial and last name in combination with any one or more of the following data elements:
A. Social Security number
B. Driver's license number, Rhode Island identification card number, or tribal identification number
C. Account number, credit, or debit card number, in combination with any required security code, access code, password, or personal identification number, that would permit access to an individual's financial account
D. Medical or health insurance information, or
E. E-mail address with any required security code, access code, or password that would permit access to an individual's personal, medical, insurance, or financial account.
The unauthorized access or acquisition of unencrypted, computerized data information that compromises the security, confidentiality, or integrity of personal information.
Is a private right of action permitted?
No
Is there a specific format or language that must be included in the individual notice?
Yes
Is there a specific deadline for individual notices?
Yes
Is notice to a state agency or AG required?
Yes
Is a risk-of-harm analysis permitted?
Yes
Is notification triggered by access only?
Yes
Does the law apply to paper records?
No
Is “Personal Information” broader than the general definition?
Yes
QUICK FACTS
Within 45 days of the discovery of the breach
Within 45 days of the discovery of the breach if more than 500 residents are notified
Highlights
QUICK FACTS
A. A general and brief description of the incident, including how the security breach occurred and the number of affected individuals
B. The type of information that was subject to the breach
C. Date of breach, estimated date of breach, or the date range within which the breach occurred
D. Date that the breach was discovered
E. A clear and concise description of any remediation services offered to affected individuals including toll free numbers and websites to contact: (a) The credit reporting agencies; (b) Remediation service providers; (c) The attorney general, and
F. A clear and concise description of the consumer's ability to file or obtain a police report; how a consumer requests a security freeze and the necessary information to be provided when requesting the security freeze; and that fees may be required to be paid to the consumer reporting agencies.
How is “Breach” defined?
How is “Personal Information” defined?
Risk of Harm Analysis Standard
Notice Deadline
Notice Content Requirements
AG Notice Trigger
Notification to Consumer Protection Agencies
If an entity provides notice to more than 1,000 persons at one time, then the business shall notify, without unreasonable delay, all consumer reporting agencies.
If an entity provides notice to more than 1,000 persons at one time, then the business shall notify, without unreasonable delay, the South Carolina Consumer Protection Division of the Department of Consumer Affairs of the timing, distribution, and content of the notice.
N/A
Following discovery or notification of the breach:
Entity that owns or licenses personal information... shall disclose the breach to each state resident in the most expedient time possible, without unreasonable delay following discovery of the breach.
Entity that does not own or have the right to license the personal information... shall notify the owner or licensee immediately following discovery of the breach.
Disclosure of a breach of security to a customer shall not be required if illegal use of the information acquired is not reasonably likely to occur or is not reasonably likely to create a material risk of harm to the affected individual.
1. The first name or first initial and last name in combination with and linked to any one or more of the following:
A. Social Security number
B. Driver's license number or state identification card number issued instead of a driver's license
C. Financial account number, or credit card or debit card number in combination with any required security code, access code, or password that would permit access to a resident's financial account, or
D. Other numbers or information which may be used to access a person's financial accounts or numbers or information issued by a governmental or regulatory entity that uniquely will identify an individual.
The unauthorized access to and acquisition of computerized data that compromises the security, confidentiality, or integrity of personal identifying information maintained by the person, when illegal use of the information has occurred or is reasonably likely to occur or use of the information creates a material risk of harm to a resident.
SC
South Carolina
S.C. Code § 39-1-90 et seq.
Is “Personal Information” broader than the general definition?
Yes
Does the law apply to paper records?
no
Is notification triggered by access only?
no
Is a risk-of-harm analysis permitted?
YES
Is notice to a state agency or AG required?
YES
Is there a specific deadline for individual notices?
no
Is there a specific format or language that must be included in the individual notice?
no
Is a private right of action permitted?
YES
QUICK FACTS
South Carolina
S.C. Code § 39-1-90 et seq.
Notification to Consumer Protection Agencies
AG Notice Trigger
Notice Content Requirements
Notice Deadline
Risk of Harm Analysis Standard
How is “Personal Information” defined?
How is “Breach” defined?
If an entity provides notice to more than 1,000 persons at one time, then the business shall notify, without unreasonable delay, all consumer reporting agencies.
If an entity provides notice to more than 1,000 persons at one time, then the business shall notify, without unreasonable delay, the South Carolina Consumer Protection Division of the Department of Consumer Affairs of the timing, distribution, and content of the notice.
N/A
Following discovery or notification of the breach:
Entity that owns or licenses personal information... shall disclose the breach to each state resident in the most expedient time possible, without unreasonable delay following discovery of the breach.
Entity that does not own or have the right to license the personal information... shall notify the owner or licensee immediately following discovery of the breach.
Disclosure of a breach of security to a customer shall not be required if illegal use of the information acquired is not reasonably likely to occur or is not reasonably likely to create a material risk of harm to the affected individual.
1. The first name or first initial and last name in combination with and linked to any one or more of the following:
A. Social Security number
B. Driver's license number or state identification card number issued instead of a driver's license
C. Financial account number, or credit card or debit card number in combination with any required security code, access code, or password that would permit access to a resident's financial account, or
D. Other numbers or information which may be used to access a person's financial accounts or numbers or information issued by a governmental or regulatory entity that uniquely will identify an individual.
The unauthorized access to and acquisition of computerized data that compromises the security, confidentiality, or integrity of personal identifying information maintained by the person, when illegal use of the information has occurred or is reasonably likely to occur or use of the information creates a material risk of harm to a resident.
Is a private right of action permitted?
Yes
Is there a specific format or language that must be included in the individual notice?
No
Is there a specific deadline for individual notices?
No
Is notice to a state agency or AG required?
Yes
Is a risk-of-harm analysis permitted?
Yes
Is notification triggered by access only?
No
Does the law apply to paper records?
No
Is “Personal Information” broader than the general definition?
Yes
QUICK FACTS
45 days after notification or discovery of breach
Within 45 days of discovery of the breach, if 1,000 or more residents are notified
Highlights
QUICK FACTS
How is “Breach” defined?
How is “Personal Information” defined?
Risk of Harm Analysis Standard
Notice Deadline
Notice Content Requirements
AG Notice Trigger
Notification to Consumer Protection Agencies
If notifying the South Dakota Attorney General, entity should notify all consumer reporting agencies without unreasonable delay.
If the personal information of more than 250 individuals is breached, then the data controller must disclose the breach to the attorney general.
N/A
Within 60 days following discovery or notification of the breach:
Entity that owns or licenses personal information… shall notify South Dakota residents “within 60 days” following discovery or notification of the breach.
Entity that only maintains or stores personal information... shall notify the owner or licensee “immediately following discovery” of the breach if they discover that personal information may have been acquired by an unauthorized person.
Entity not required to notify if, following an appropriate investigation and notice to the attorney general, the entity reasonably determines that the breach will not likely result in harm to the affected person.
1. An individual’s first name or first initial and last name in combination with:
A. Social Security number
B. Driver's license number or other unique identification number created or collected by a government body
C. Account, credit card, or debit card number, in combination with any required security code, access code, password, routing number, PIN, or any additional information that would permit access to a person's financial account
D. Health information, or
E. An identification number assigned to a person by the person's employer in combination with any required security code, access code, password, or biometric data generated from measurements or analysis of human body characteristics for authentication purposes
The unauthorized acquisition of unencrypted computerized data or encrypted computerized data and the encryption key by any person that materially compromises the security, confidentiality, or integrity of personal or protected information maintained by the information holder.
SD
South Dakota
S.D. Codified Laws §§ 22-40 et seq.
Is “Personal Information” broader than the general definition?
Yes
Does the law apply to paper records?
no
Is notification triggered by access only?
no
Is a risk-of-harm analysis permitted?
YES
Is notice to a state agency or AG required?
YES
Is there a specific deadline for individual notices?
YES
Is there a specific format or language that must be included in the individual notice?
no
Is a private right of action permitted?
YES
QUICK FACTS
Within 60 days from the discovery or notification of the breach if 250 or more residents are notified
Within 60 days from discovery or notification of the breach
South Dakota
S.D. Codified Laws §§ 22-40 et seq.
Notification to Consumer Protection Agencies
AG Notice Trigger
Notice Content Requirements
Notice Deadline
Risk of Harm Analysis Standard
How is “Personal Information” defined?
How is “Breach” defined?
If notifying the South Dakota Attorney General, entity should notify all consumer reporting agencies without unreasonable delay.
If the personal information of more than 250 individuals is breached, then the data controller must disclose the breach to the attorney general.
N/A
Within 60 days following discovery or notification of the breach:
Entity that owns or licenses personal information… shall notify South Dakota residents “within 60 days” following discovery or notification of the breach.
Entity that only maintains or stores personal information... shall notify the owner or licensee “immediately following discovery” of the breach if they discover that personal information may have been acquired by an unauthorized person.
Entity not required to notify if, following an appropriate investigation and notice to the attorney general, the entity reasonably determines that the breach will not likely result in harm to the affected person.
1. An individual’s first name or first initial and last name in combination with:
A. Social Security number
B. Driver's license number or other unique identification number created or collected by a government body
C. Account, credit card, or debit card number, in combination with any required security code, access code, password, routing number, PIN, or any additional information that would permit access to a person's financial account
D. Health information, or
E. An identification number assigned to a person by the person's employer in combination with any required security code, access code, password, or biometric data generated from measurements or analysis of human body characteristics for authentication purposes
The unauthorized acquisition of unencrypted computerized data or encrypted computerized data and the encryption key by any person that materially compromises the security, confidentiality, or integrity of personal or protected information maintained by the information holder.
Is a private right of action permitted?
Yes
Is there a specific format or language that must be included in the individual notice?
No
Is there a specific deadline for individual notices?
Yes
Is notice to a state agency or AG required?
Yes
Is a risk-of-harm analysis permitted?
Yes
Is notification triggered by access only?
No
Does the law apply to paper records?
No
Is “Personal Information” broader than the general definition?
Yes
QUICK FACTS
Within 60 days from discovery or notification of the breach
Within 60 days from the discovery or notification of the breach if 250 or more residents are notified
Highlights
QUICK FACTS
How is “Breach” defined?
How is “Personal Information” defined?
Risk of Harm Analysis Standard
Notice Deadline
Notice Content Requirements
AG Notice Trigger
Notification to Consumer Protection Agencies
If an entity is required to provide notice to over 1,000 Tennessee residents, it must also notify, without reasonable delay, the major consumer reporting agencies of the timing, distribution, and content of the notice.
N/A
Following discovery or notification of the breach:
Entity that owns or licenses personal information... shall notify Tennessee residents within 45 days.
Entity that only maintains or personal information... that it does not own must notify the owner or licensee within 45 days.
A breach only occurs when the acquisition of the information materially compromises the security, confidentiality, or integrity of personal information.
1. An individual’s first initial and last name with:
A. Social Security number
B. Driver's license number
C. Account, credit card, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
The acquisition of computerized personal information by an unauthorized person that materially compromises the security, confidentiality, or integrity of personal information maintained by the information holder.
TN
Tennessee
Tenn. Code Ann. § 47-18-2107 et seq.
Is “Personal Information” broader than the general definition?
no
Does the law apply to paper records?
no
Is notification triggered by access only?
no
Is a risk-of-harm analysis permitted?
YES
Is notice to a state agency or AG required?
no
Is there a specific deadline for individual notices?
YES
Is there a specific format or language that must be included in the individual notice?
no
Is a private right of action permitted?
YES
QUICK FACTS
If more than 1,000 Tennessee residents are notified
45 days after notification or discovery of breach
Tennessee
Tenn. Code Ann. § 47-18-2107 et seq.
Notification to Consumer Protection Agencies
AG Notice Trigger
Notice Content Requirements
Notice Deadline
Risk of Harm Analysis Standard
How is “Personal Information” defined?
How is “Breach” defined?
If an entity is required to provide notice to over 1,000 Tennessee residents, it must also notify, without reasonable delay, the major consumer reporting agencies of the timing, distribution, and content of the notice.
N/A
N/A
Following discovery or notification of the breach:
Entity that owns or licenses personal information... shall notify Tennessee residents within 45 days.
Entity that only maintains or personal information... that it does not own must notify the owner or licensee within 45 days.
A breach only occurs when the acquisition of the information materially compromises the security, confidentiality, or integrity of personal information.
1. An individual’s first initial and last name with:
A. Social Security number
B. Driver's license number
C. Account, credit card, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
The acquisition of computerized personal information by an unauthorized person that materially compromises the security, confidentiality, or integrity of personal information maintained by the information holder.
Is a private right of action permitted?
Yes
Is there a specific format or language that must be included in the individual notice?
No
Is there a specific deadline for individual notices?
Yes
Is notice to a state agency or AG required?
No
Is a risk-of-harm analysis permitted?
Yes
Is notification triggered by access only?
No
Does the law apply to paper records?
No
Is “Personal Information” broader than the general definition?
No
QUICK FACTS
45 days after notification or discovery of breach
Within 30 days of discovery of the breach
Highlights
QUICK FACTS
N/A
How is “Breach” defined?
How is “Personal Information” defined?
Risk of Harm Analysis Standard
Notice Deadline
Notice Content Requirements
AG Notice Trigger
Notification to Consumer Protection Agencies
If entity notifies at least 10,000 Texas residents of a breach, entity shall also notify each consumer reporting agency that maintains files on consumers on a nationwide basis of the timing, distribution, and content of the notices without unreasonable delay.
If entity notifies at least 250 Texas residents of a breach, then entity shall also, not later than the time when notice is provided to the Texas residents, provide notice of the breach to the Attorney General.
N/A
Within 60 days following discovery or notification of breach:
Entity that owns or licenses personal information... shall notify Texas residents “without unreasonable delay” and within 60 days following discovery or notification of breach.
Entity that only maintains or stores personal information... shall notify the owner or licensee of the breach immediately after discovering the breach, if the sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
N/A
1. Information that alone or in conjunction with other information identifies an individual, including an individual’s:
A. Name, Social Security number, date of birth, or government-issued identification number
B. Mother’s maiden name
C. Unique biometric data, including the individual’s fingerprint, voice print, and retina or iris image
D. Unique electronic identification number, address, or routing code, and
E. Telecommunication access device as defined by Section 32.51, Penal Code.
2. “Sensitive personal information” means
A. an individual’s first name or first initial and last name in combination with any one or more of the following:
(i) Social Security number
(ii) Driver’s license number or government-issued identification number, or
(iii) Account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account or
B. information that identifies an individual and relates to:
(i) The physical or mental health or condition of the individual
(ii) The provision of health care to the individual, or
(iii) Payment for the provision of health care to the individual.
The unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information.
TX
Texas
V.T.C.A., Bus. & C. § 521.002 et seq.
Is “Personal Information” broader than the general definition?
Yes
Does the law apply to paper records?
no
Is notification triggered by access only?
no
Is a risk-of-harm analysis permitted?
no
Is notice to a state agency or AG required?
YES
Is there a specific deadline for individual notices?
YES
Is there a specific format or language that must be included in the individual notice?
no
Is a private right of action permitted?
YES
QUICK FACTS
Within 60 days following discovery or notification of breach, if 250 or more residents notified
Within 60 days following discovery or notification of breach
Texas
V.T.C.A., Bus. & C. § 521.002 et seq.
Notification to Consumer Protection Agencies
AG Notice Trigger
Notice Content Requirements
Notice Deadline
Risk of Harm Analysis Standard
How is “Personal Information” defined?
How is “Breach” defined?
If entity notifies at least 10,000 Texas residents of a breach, entity shall also notify each consumer reporting agency that maintains files on consumers on a nationwide basis of the timing, distribution, and content of the notices without unreasonable delay.
If entity notifies at least 250 Texas residents of a breach, then entity shall also, not later than the time when notice is provided to the Texas residents, provide notice of the breach to the Attorney General.
N/A
Within 60 days following discovery or notification of breach:
Entity that owns or licenses personal information... shall notify Texas residents “without unreasonable delay” and within 60 days following discovery or notification of breach.
Entity that only maintains or stores personal information... shall notify the owner or licensee of the breach immediately after discovering the breach, if the sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
N/A
1. Information that alone or in conjunction with other information identifies an individual, including an individual’s:
A. Name, Social Security number, date of birth, or government-issued identification number
B. Mother’s maiden name
C. Unique biometric data, including the individual’s fingerprint, voice print, and retina or iris image
D. Unique electronic identification number, address, or routing code, and
E. Telecommunication access device as defined by Section 32.51, Penal Code.
The unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information.
Is a private right of action permitted?
Yes
Is there a specific format or language that must be included in the individual notice?
No
Is there a specific deadline for individual notices?
Yes
Is notice to a state agency or AG required?
Yes
Is a risk-of-harm analysis permitted?
No
Is notification triggered by access only?
No
Does the law apply to paper records?
No
Is “Personal Information” broader than the general definition?
Yes
QUICK FACTS
Within 60 days following discovery or notification of breach
Within 60 days following discovery or notification of breach, if 250 or more residents notified
Highlights
QUICK FACTS
“Sensitive personal information” means
A. an individual’s first name or first initial and last name in combination with any one or more of the following:
(i) Social Security number
(ii) Driver’s license number or government-issued identification number, or
(iii) Account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account or
B. information that identifies an individual and relates to:
(i) The physical or mental health or condition of the individual
(ii) The provision of health care to the individual, or
(iii) Payment for the provision of health care to the individual.
How is “Breach” defined?
How is “Personal Information” defined?
Risk of Harm Analysis Standard
Notice Deadline
Notice Content Requirements
AG Notice Trigger
Notification to Consumer Protection Agencies
N/A
N/A
N/A
Following discovery or notification of the breach:
Entity that owns or licenses personal information… shall notify Utah residents “in most expedient time possible” following discovery or notification of the breach.
Entity that only maintains or stores personal information… shall notify the owner or licensee “immediately following discovery” of the breach if they discover that personal information may have been acquired by an unauthorized person.
Notification not required if, after a reasonable and prompt investigation, the covered entity determines that the personal information has not or will not be misused for identity theft or fraud.
Social Security number
Driver’s license or state identification card number
Account number, credit or debit card number, in combination with a linked security or access code, or password of an individual’s financial account
1.
An individual’s first name or first initial and last name in combination with:
The unauthorized acquisition of computerized data maintained by a person that compromises the security, confidentiality, or integrity of personal information.
UT
Utah
U.C.A. 1953 § 13-44-101 et seq.
Is “Personal Information” broader than the general definition?
no
Does the law apply to paper records?
no
Is notification triggered by access only?
no
Is a risk-of-harm analysis permitted?
Yes
Is notice to a state agency or AG required?
Yes
Is there a specific deadline for individual notices?
no
Is there a specific format or language that must be included in the individual notice?
no
Is a private right of action permitted?
no
QUICK FACTS
NO
Is a private right of action permitted?
NO
Is there a specific format or language that must be included in the individual notice?
NO
Is there a specific deadline for individual notices?
YES
Is notice to a state agency or AG required?
YES
Is a risk-of-harm analysis permitted?
no
Is notification triggered by access only?
NO
Does the law apply to paper records?
NO
Is “Personal Information” broader than the general definition?
QUICK FACTS
45 days after notification or discovery of breach
Within 45 days of discovery of the breach, if 1,000 or more residents are notified
Highlights
QUICK FACTS
How is “Breach” defined?
How is “Personal Information” defined?
Risk of Harm Analysis Standard
Notice Deadline
Notice Content Requirements
AG Notice Trigger
Notification to Consumer Protection Agencies
In the event the entity provides notice to more than 1,000 consumers at one time, the data collector shall notify, without unreasonable delay, all consumer reporting agencies.
The entity shall notify the Attorney General or the Department, as applicable, of the date of the security breach and the date of discovery of the breach and shall provide a preliminary description of the breach within 14 business days of the data collector's discovery of the security breach or when the data collector provides notice to consumers, whichever is sooner.
Notice shall be clear and conspicuous, and shall include a description of the following, if known to the data collector:
1.
The incident in general terms
2.
The type of personally identifiable information that was subject to the security breach
3.
The general acts of the data collector to protect the personally identifiable information from further unauthorized access or acquisition
4.
A telephone number, toll-free if available, that the consumer may call for further information and assistance
5.
Advice that directs the consumer to remain vigilant by reviewing account statements and monitoring free credit reports
6.
The approximate date of the security breach
shall disclose the breach to each state resident in the most expedient time possible and without unreasonable delay, but not later than 45 days after the discovery or notification.
Entity that owns or licenses personal information...
shall notify the owner or licensee immediately following discovery of the breach.
Entity that does not own or have the right to license the personal information...
45 days following discovery or notification of the breach:
Notice of a security breach is not required if the entity establishes that misuse of personally identifiable information or login credentials is not reasonably possible and the data collector provides notice of the determination that the misuse of the personally identifiable information or login credentials is not reasonably possible.
Social Security number
Driver license or nondriver State identification card number, individual taxpayer identification number, passport number, military identification card number, or other identification number that originates from a government identification document that is commonly used to verify identity for a commercial transaction
Financial account number or credit or debit card number, if the number could be used without additional identifying information, access codes, or passwords
Password, personal identification number, or other access code for a financial account
Unique biometric data used by the owner or licensee of the data to identify or authenticate the consumer
Genetic information, and
Health records or records of a wellness program or similar program of health promotion or disease prevention
Health care professional's medical diagnosis or treatment of the consumer, or
Health insurance policy number
1.
An individual's first name or first initial and last name in combination with one or more of the following:
The unauthorized acquisition of electronic data, or a reasonable belief of an unauthorized acquisition of electronic data, that compromises the security, confidentiality, or integrity of a consumer's personally identifiable information or login credentials maintained by a data collector.
VT
Vermont
9 Vt. Stat. Ann. § 2435 et seq.
Is “Personal Information” broader than the general definition?
Yes
Does the law apply to paper records?
no
Is notification triggered by access only?
no
Is a risk-of-harm analysis permitted?
Yes
Is notice to a state agency or AG required?
Yes
Is there a specific deadline for individual notices?
YES
Is there a specific format or language that must be included in the individual notice?
YES
Is a private right of action permitted?
no
QUICK FACTS
Within 14 business days of the entity’s discovery of the security breach
within 45 days following discovery or notification of the breach
no
Is a private right of action permitted?
YES
Is there a specific format or language that must be included in the individual notice?
YES
Is there a specific deadline for individual notices?
YES
Is notice to a state agency or AG required?
YES
Is a risk-of-harm analysis permitted?
NO
Is notification triggered by access only?
NO
Does the law apply to paper records?
YES
Is “Personal Information” broader than the general definition?
QUICK FACTS
Within 45 days following discovery or notification of the breach
Within 14 business days of the entity's discovery of the security breach
Highlights
QUICK FACTS
How is “Breach” defined?
How is “Personal Information” defined?
Risk of Harm Analysis Standard
Notice Deadline
Notice Content Requirements
AG Notice Trigger
Notification to Consumer Protection Agencies
If entity provides notice to more than 1,000 persons at one time, the entity shall notify, without unreasonable delay, all consumer reporting agencies.
If entity provides notice to more than 1,000 persons at one time, the entity shall notify, without unreasonable delay, the Office of the Attorney General and all consumer reporting agencies.
5.
Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports.
4.
A telephone number that the person may call for further information and assistance, if one exists, and
3.
The general acts of the individual or entity to protect the personal information from further unauthorized access
2.
The type of personal information that was subject to the unauthorized access and acquisition
1.
The incident in general terms
The notice shall include:
shall disclose the breach to each state resident in the most expedient time possible and without unreasonable delay after the discovery or notification.
Entity that owns or licenses personal information...
shall notify the owner or licensee without unreasonable delay following discovery of the breach.
Entity that does not own or have the right to license the personal information...
Following discovery or notification of the breach:
Notice is required only if the breach causes, or the individual or entity reasonably believes has caused or will cause, identity theft or other fraud to any resident of this state.
Social Security number
Driver's license number or state identification card number issued in lieu of a driver's license number
Financial account number, or credit card or debit card number, in combination with any required security code, access code, or password that would permit access to a resident's financial accounts
Passport number, or
Military identification number
1.
The first name or first initial and last name in combination with and linked to any one or more of the following:
The unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information maintained by an individual or entity as part of a database of personal information regarding multiple individuals and that causes, or the individual or entity reasonably believes has caused, or will cause, identity theft or other fraud to any resident of the Commonwealth.
VA
Virginia
Va. Code Ann. § 18.2-186.6 (2008); as amended (2019)
Is “Personal Information” broader than the general definition?
Yes
Does the law apply to paper records?
no
Is notification triggered by access only?
no
Is a risk-of-harm analysis permitted?
YES
Is notice to a state agency or AG required?
YES
Is there a specific deadline for individual notices?
no
Is there a specific format or language that must be included in the individual notice?
YES
Is a private right of action permitted?
YES
QUICK FACTS
without unreasonable delay, if more than 1,000 residents are notified.
YES
Is a private right of action permitted?
YES
Is there a specific format or language that must be included in the individual notice?
NO
Is there a specific deadline for individual notices?
YES
Is notice to a state agency or AG required?
YES
Is a risk-of-harm analysis permitted?
NO
Is notification triggered by access only?
NO
Does the law apply to paper records?
YES
Is “Personal Information” broader than the general definition?
QUICK FACTS
Within 45 days following discovery or notification of the breach
without unreasonable delay, if more than 1,000 residents are notified.
Highlights
QUICK FACTS
How is “Breach” defined?
How is “Personal Information” defined?
Risk of Harm Analysis Standard
Notice Deadline
Notice Content Requirements
AG Notice Trigger
Notification to Consumer Protection Agencies
Any consumer injured by a violation of this chapter may institute a civil action to recover damages.
Any person or business that violates, proposes to violate, or has violated this chapter may be enjoined.
The rights and remedies available under this chapter are cumulative to each other and to any other rights and remedies available under law.
For actions brought by the attorney general to enforce this chapter, a violation of this chapter is not reasonable in relation to the development and preservation of business and is an unfair or deceptive act in trade or commerce and an unfair method of competition for purposes of applying the consumer protection act, chapter 19.86 RCW. An action to enforce this chapter may not be brought under RCW 19.86.090.
The attorney general may bring an action in the name of the state, or as parens patriae on behalf of persons residing in the state, to enforce this chapter. For actions brought by the attorney general to enforce this chapter, the legislature finds that the practices covered by this chapter are matters vitally affecting the public interest for the purpose of applying the consumer protection act, chapter 19.86 RCW.
The number of Washington consumers affected by the breach, or an estimate if the exact number is not known
A list of the types of personal information that were or are reasonably believed to have been the subject of a breach
A time frame of exposure, if known, including the date of the breach and the date of the discovery of the breach
A summary of steps taken to contain the breach
A single sample copy of the security breach notification excluding any personally identifiable information.
The notice to the attorney general shall include the following information:
The notice to the attorney general must be updated if any of the information identified in (a) of this subsection is unknown at the time notice is due.
If notification to 500 or more Washington residents, entity must notify the attorney general.
The name and contact information of the reporting person or business subject to this section
A list of the types of personal information that were or are reasonably believed to have been the subject of a breach
A time frame of exposure, if known, including the date of the breach and the date of the discovery of the breach
Toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed personal information
2.
The notification must include, at a minimum, the following information:
1.
The notification must be written in plain language
Shall notify Washington residents “in the most expedient time possible and without unreasonable delay” but not later than 30 days following discovery or notice of the breach.
Entity that owns or licenses personal information…
Shall notify the owner or licensee of the breach immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
Entity that only maintains or stores personal information…
30 days following discovery or notice of breach:
The breach of secured personal information must be disclosed if the information acquired and accessed is not secured during a security breach or if the confidential process, encryption key, or other means to decipher the secured information was acquired by an unauthorized person.
Notice is not required if the breach of the security of the system is not reasonably likely to subject consumers to a risk of harm.
Encryption, redaction, or other methods have not rendered the data element or combination of data elements unusable; and
The data element or combination of data elements would enable a person to commit identity theft against a consumer.
Or
2.
Username or email address in combination with a password or security questions and answers that would permit access to an online account
3.
Any of the data elements or any combination of the data elements described in (a)(i) of this subsection without the consumer's first name or first initial and last name if:
Private key that is unique to an individual and that is used to authenticate or sign an electronic record
Student, military, or passport identification number
Health insurance policy number or health insurance identification number
Any information about a consumer's medical history or mental or physical condition or about a health care professional's medical diagnosis or treatment of the consumer
Biometric data
Social Security number
Driver's license number or Washington identification card number
Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account, or any other numbers or information that can be used to access a person's financial account
Full date of birth
1.
An individual's first name, first initial and last name, or any other personal identifier, which, in combination with any of the following:
The unauthorized acquisition of data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business.
WA
Washington
Wash. Rev. Code § 19.255.005 et seq.
Is “Personal Information” broader than the general definition?
Yes
Does the law apply to paper records?
no
Is notification triggered by access only?
no
Is a risk-of-harm analysis permitted?
YES
Is notice to a state agency or AG required?
YES
Is there a specific deadline for individual notices?
YES
Is there a specific format or language that must be included in the individual notice?
YES
Is a private right of action permitted?
YES
QUICK FACTS
If more than 500 residents receive notice, and must be within 30 days following discovery or notification of the breach
Within 30 days following discovery or notification of the breach
YES
Is a private right of action permitted?
YES
Is there a specific format or language that must be included in the individual notice?
YES
Is there a specific deadline for individual notices?
YES
Is notice to a state agency or AG required?
YES
Is a risk-of-harm analysis permitted?
NO
Is notification triggered by access only?
NO
Does the law apply to paper records?
YES
Is “Personal Information” broader than the general definition?
QUICK FACTS
Within 30 days following discovery or notification of the breach
If more than 500 residents receive notice, and must be within 30 days following discovery or notification of the breach
Highlights
QUICK FACTS
D.C.
Washington DC
D.C. Code § 28-3851 et seq.

QUICK FACTS
Is “Personal Information” broader than the general definition? Yes
Does the law apply to paper records? No
Is notification triggered by access only? No
Is a risk-of-harm analysis permitted? Yes
Is notice to a state agency or AG required? Yes
Is there a specific deadline for individual notices? No
Is there a specific format or language that must be included in the individual notice? Yes
Is a private right of action permitted? Yes
If more than 50 residents notified

How is “Breach” defined?
The unauthorized acquisition of computerized or other electronic data or any equipment or device storing such data that compromises the security, confidentiality, or integrity of personal information maintained by the person or entity who conducts business in the District of Columbia.

How is “Personal Information” defined?
1. An individual's first name, first initial and last name, or any other personal identifier, which, in combination with any of the following:
A. Social Security number, Individual Taxpayer Identification Number, passport number, driver's license number, District of Columbia identification card number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual
B. Account number, credit card number or debit card number, or any other number or code or combination of numbers or codes, such as an identification number, security code, access code, or password, that allows access to or use of an individual's financial or credit account
C. Medical information
D. Genetic information and deoxyribonucleic acid profile
E. Health insurance information, including a policy number, subscriber information number, or any unique identifier used by a health insurer to identify the person that permits access to an individual's health and billing information
F. Any combination of the above-data elements to commit identity theft without reference to a person's first name or first initial and last name or other independent personal identifier
Or
2. A username or e-mail address in combination with a password, security question and answer, or other means of authentication, or any combination of data elements included in the above that permits access to an individual's e-mail account.

Risk of Harm Analysis Standard
Notice is not required if a determination is made after reasonable investigation and consultation with the Attorney General and federal law enforcement that the acquisition of PI will likely not result in harm to the individual.

Notice Deadline
Following discovery or notification of the breach:
Entity that owns or licenses personal information... shall disclose the breach to each state resident in the most expedient time possible and without unreasonable delay, after the discovery or notification.
Entity that does not own or have the right to license the personal information... shall notify the owner or licensee immediately following discovery of the breach.

Notice Content Requirements
The notice shall include:
1. To the extent possible, a description of the categories of information that were, or are reasonably believed to have been, acquired by an unauthorized person, including the elements of personal information that were, or are reasonably believed to have been, acquired
2. Contact information for the person or entity making the notification, including the business address, telephone number, and toll-free telephone number if one is maintained
3. The toll-free telephone numbers and addresses for the major consumer reporting agencies and information on how a resident may request a security freeze; and
4. The toll-free telephone numbers, addresses, and website addresses for the following entities, including a statement that an individual can obtain information from these sources about steps to take to avoid identity theft:
A. The Federal Trade Commission; and
B. The Office of the Attorney General for the District of Columbia
5. If the entity maintains procedures for notification under the GLBA, HIPAA, or HITECH and provides notice in accordance with those sections, the entity is deemed in compliance with the provisions for providing notice to consumers.

AG Notice Trigger
Notice must be provided to the Attorney General, made in the most expedient manner possible and without unreasonable delay, if the breach affects more than 50 District residents.
The notice must include:
1. The name and contact information of the person or entity reporting the breach
2. The name and contact information of the person or entity that experienced the breach
3. The nature of the breach of the security of the system, including the name of the person or entity that experienced the breach
4. The types of personal information compromised by the breach
5. The number of District residents affected by the breach
6. The cause of the breach, including the relationship between the person or entity that experienced the breach and the person responsible for the breach, if known
7. The remedial action taken by the person or entity to include steps taken to assist District residents affected by the breach
8. The date and time frame of the breach, if known
9. The address and location of corporate headquarters, if outside of the District
10. Any knowledge of foreign country involvement, and
11. A sample of the notice to be provided to District residents

Notification to Consumer Protection Agencies
In the event the entity provides notice to more than 1,000 consumers at one time, the data collector shall notify, without unreasonable delay, all consumer reporting agencies.

WV
West Virginia
§§ 46A-2A-101 et seq.

QUICK FACTS
Is “Personal Information” broader than the general definition? No
Does the law apply to paper records? No
Is notification triggered by access only? No
Is a risk-of-harm analysis permitted? Yes
Is notice to a state agency or AG required? No
Is there a specific deadline for individual notices? No
Is there a specific format or language that must be included in the individual notice? Yes
Is a private right of action permitted? No
If more than 1,000 West Virginia residents are notified

How is “Breach” defined?
The unauthorized access and acquisition of computerized personal information and that causes the entity to reasonably believe that the breach will cause identity theft/fraud to any resident.

How is “Personal Information” defined?
1. The first name or first initial and last name linked to any one or more of the following:
A. Social Security number
B. Driver's license number or state identification card number issued in lieu of a driver's license, or
C. Financial account number, or credit card, or debit card number in combination with any required security code, access code or password that would permit access to a resident's financial accounts

Risk of Harm Analysis Standard
Notice is required only if the entity reasonably believes the breach has caused or will cause identity theft or other fraud to any resident of this state.

Notice Deadline
Following discovery or notification of the breach:
Entity that owns or licenses personal information... shall notify West Virginia residents without unreasonable delay following discovery or notification of the breach.
Entity that does not own or have the right to license personal information... shall notify the owner or licensee as soon as practicable following discovery or notification of the breach.

Notice Content Requirements
The notice shall include:
1. A description of the categories of information that were reasonably believed to have been accessed or acquired by an unauthorized person
2. A telephone number or website address that the individual may use to contact the entity or the agent of the entity and from whom the individual may learn
A. What types of information the entity maintained about that individual or about individuals in general; and
B. Whether the entity maintained information about that individual.
3. The toll-free contact telephone numbers and addresses for the major credit reporting agencies and information on how to place a fraud alert or security freeze.

AG Notice Trigger
N/A

Notification to Consumer Protection Agencies
Notice to consumer reporting agencies without unreasonable delay is required if more than 1,000 West Virginia residents are notified.

WI
Wisconsin
Wis. Stat. § 134.98 et seq.

QUICK FACTS
Is “Personal Information” broader than the general definition? Yes
Does the law apply to paper records? Yes
Is notification triggered by access only? No
Is a risk-of-harm analysis permitted? Yes
Is notice to a state agency or AG required? No
Is there a specific deadline for individual notices? Yes
Is there a specific format or language that must be included in the individual notice? Yes
Is a private right of action permitted? No
45 days after the entity learns of the acquisition of personal information
If more than 1,000 Wisconsin residents are notified

How is “Breach” defined?
When an entity knows that personal information has been acquired by a person whom the entity has not authorized to acquire the information.

How is “Personal Information” defined?
1. An individual's last name and the individual's first initial, in combination with any of the following:
A. The individual's Social Security number
B. The individual's driver's license number or state identification number
C. The number of the individual's financial account number, including a credit or debit card account number, or any security code, access code, or password that would permit access to the individual's financial account
D. The individual's DNA; or
E. The individual's biometric data

Risk of Harm Analysis Standard
If the acquisition of personal information does not create a material risk of identity theft or fraud, or the personal information was acquired in good faith and used for a lawful purpose of the entity, no notice is required.

Notice Deadline
Following discovery or notification of the breach:
Entity that owns or licenses personal information... shall notify Wisconsin residents within a reasonable time, not to exceed 45 days.
Entity that only stores personal information... but does not own such information shall notify the owner or licensee as soon as practicable.

Notice Content Requirements
The notice shall indicate that the entity knows of the unauthorized acquisition of personal information pertaining to the affected resident.
Upon written request by a person who has received a notice, the entity shall identify the personal information that was acquired.

AG Notice Trigger
N/A

Notification to Consumer Protection Agencies
If the entity is required to provide notice to over 1,000 Wisconsin residents, it must notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the timing, distribution, and content of the notices sent to the individuals.

WY
Wyoming
Wyo. Stat. § 40-12-501 et seq.

QUICK FACTS
Is “Personal Information” broader than the general definition? Yes
Does the law apply to paper records? No
Is notification triggered by access only? No
Is a risk-of-harm analysis permitted? Yes
Is notice to a state agency or AG required? No
Is there a specific deadline for individual notices? No
Is there a specific format or language that must be included in the individual notice? Yes
Is a private right of action permitted? No

How is “Breach” defined?
The unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal identifying information maintained by a person or business and causes or is reasonably believed to cause loss or injury to a resident of this state.

How is “Personal Information” defined?
1. The first name or first initial and last name of an individual in combination with one or more of the following:
A. Social Security number
B. Driver's license number
C. Account number, credit card number or debit card number in combination with any security code, access code or password that would allow access to a financial account of the person
D. Tribal identification card, or
E. Federal or state government issued identification card
F. A username or email address, in combination with a password or security question and answer that would permit access to an online account
G. A birth or marriage certificate
H. Medical information, meaning a person's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional
I. Health insurance information, meaning a person's health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the person or information related to a person's application and claims history
J. Unique biometric data, meaning data generated from measurements or analysis of human body characteristics for authentication purposes, or
K. An individual taxpayer identification number

Risk of Harm Analysis Standard
Notification not necessary unless the investigation determines that the misuse of personal identifying information about a Wyoming resident has occurred or is reasonably likely to occur.

Notice Deadline
Following investigation:
Entity that owns or licenses personal information... shall notify Wyoming residents of breach as soon as possible, when it becomes aware of a breach of the security of the system, which after conducting in good faith a reasonable and prompt investigation, determines the likelihood that personal identifying information has been or will be misused.
Entity that only maintains or stores personal information... shall notify the owner or licensee of the breach as soon as practicable following the determination that personal identifying information was, or is reasonably believed to have been, acquired by an unauthorized person.

Notice Content Requirements
Notice must be clear and conspicuous and shall include, at a minimum:
1. A toll-free number that the individual may use to contact the person collecting the data, or his agent
2. From which the individual may learn the toll-free contact telephone numbers and addresses for the major credit reporting agencies
3. The types of personal identifying information that were or are reasonably believed to have been the subject of the breach
4. A general description of the breach incident
5. The approximate date of the breach of security, if that information is reasonably possible to determine at the time notice is provided
6. In general terms, the actions taken by the individual or commercial entity to protect the system containing the personal identifying information from further breaches
7. Advice that directs the person to remain vigilant by reviewing account statements and monitoring credit reports, and
8. Whether notification was delayed as a result of a law enforcement investigation, if that information is reasonably possible to determine at the time the notice is provided.

AG Notice Trigger
N/A

Notification to Consumer Protection Agencies
N/A
Guam
9 G.C.A. § 48.10

How is “Breach” defined?
The unauthorized access and acquisition of computerized personal information that causes, or that the individual or entity reasonably believes will cause, identity theft/fraud.

How is “Personal Information” defined?
1. The first name, or first initial, and last name in combination with any one or more of the following:
A. Social Security number
B. Driver’s license number or Guam identification card number; or
C. Financial account number, or credit card or debit card number, in combination with any required security code, access code, or password that would permit access to a resident’s financial accounts

Risk of Harm Analysis Standard
Notification is not required if the acquisition of personal information does not cause, or the subject entity does not reasonably believe it has or will cause, identity theft or other fraud to a Guam resident.

Notice Deadline
Following discovery or notification of the breach:
Entity that owns or licenses personal information... shall disclose the breach without unreasonable delay.
Entity that maintains personal information... that the entity does not own or license shall notify the owner or licensee of the information of the breach as soon as practicable.

Notice Content Requirements
N/A

AG Notice Trigger
N/A

Notification to Consumer Protection Agencies
N/A

QUICK FACTS
Is “Personal Information” broader than the general definition? No
Does the law apply to paper records? No
Is notification triggered by access only? No
Is a risk-of-harm analysis permitted? Yes
Is notice to a state agency or AG required? No
Is there a specific deadline for individual notices? No
Is there a specific format or language that must be included in the individual notice? No
Is a private right of action permitted? No
45 days after notification or discovery of breach
Within 45 days of discovery of the breach, if 1,000 or more residents are notified
Highlights
QUICK FACTS
Puerto Rico (PR)
10 P.R. Laws Ann. §§ 4051 et seq.

How is “Breach” defined?
Situation in which it is detected that access has been permitted to unauthorized persons or entities to the data files; or when authorized persons or entities have had access and it is known or there is reasonable suspicion that they have violated the professional confidentiality or obtained authorization under false representation with the intention of making illegal use of the information.

How is “Personal Information” defined?
1. The name or first initial and the surname of a person, together with any of the following:
A. Social Security number
B. Driver's license number, voter's identification or other official identification
C. Bank or financial account numbers of any type with or without passwords or access code that may have been assigned
D. Names of users and passwords or access codes to public or private information systems
E. Medical information protected by HIPAA
F. Tax information; or
G. Work-related evaluations

Risk of Harm Analysis Standard
N/A

Notice Deadline
Following discovery or notification of the breach:
Entity that owns or is the custodian of personal information... shall notify Puerto Rico residents as expeditiously as possible following discovery of the breach.
Entity that only maintains personal information... shall notify the proprietor, custodian, or holder of the information.

Notice Content Requirements
The notice must include:
1. the nature of the situation
2. the number of clients potentially affected
3. whether criminal complaints have been filed
4. what measures are being taken in the matter and an estimate of the time; and
5. cost required to rectify the situation

AG Notice Trigger
Within a non-extendable term of 10 days after the violation of the system's security has been detected, the parties responsible shall inform the Department of Consumer Affairs, which shall make a public announcement of the fact within 24 hours after having received the information.

Notification to Consumer Protection Agencies
N/A

QUICK FACTS
Is “Personal Information” broader than the general definition? Yes
Does the law apply to paper records? No
Is notification triggered by access only? Yes
Is a risk-of-harm analysis permitted? No
Is notice to a state agency or AG required? Yes
Is there a specific deadline for individual notices? No
Is there a specific format or language that must be included in the individual notice? Yes
Is a private right of action permitted? Yes
Within 10 days
Within 30 days following discovery of notification of the breach
Within 10 days
Highlights
QUICK FACTS
U.S. Virgin Islands (USVI)
14 V.I.C § 2208 et seq.

How is “Breach” defined?
The unauthorized acquisition of computerized personal information.

How is “Personal Information” defined?
1. An individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
A. Social Security number
B. Driver's license number; or
C. Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account

Risk of Harm Analysis Standard
N/A

Notice Deadline
Following discovery or notification of the breach:
Entity that owns or licenses personal information... shall notify Virgin Island residents in the most expedient time possible and without unreasonable delay.
Entity that only maintains personal information... that the entity does not own shall notify the owner or licensee immediately.

Notice Content Requirements
N/A

AG Notice Trigger
N/A

Notification to Consumer Protection Agencies
N/A

QUICK FACTS
Is “Personal Information” broader than the general definition? No
Does the law apply to paper records? No
Is notification triggered by access only? No
Is a risk-of-harm analysis permitted? No
Is notice to a state agency or AG required? No
Is there a specific deadline for individual notices? No
Is there a specific format or language that must be included in the individual notice? No
Is a private right of action permitted? Yes
45 days after notification or discovery of breach
Within 45 days of discovery of the breach, if 1,000 or more residents are notified
Highlights
QUICK FACTS