BLUF - Bottom Line Up Front
A security breach involves unauthorized access affecting information, systems, or applications. All U.S. states have enacted breach notification laws, with Alabama and South Dakota being the last in 2019. State laws often require notifying the Attorney General. Covered information typically includes personal identifiers like Social Security numbers and financial data. Violations may lead to penalties. Organizations must determine the breach's scope and inform affected parties promptly. Ignyte offers solutions for streamlining compliance processes.
State Security Breach Law Summarized
A security breach is defined as any unauthorized access or acquisition that compromises the security, confidentiality, integrity or availability of covered information, systems, and applications. Recent years have seen significant legislative activity related to state data breach notification laws. South Dakota and Alabama enacted new data breach notification laws in 2019, becoming the last of 50 U.S. states to enact such laws. We have seen the growing influence of state Attorneys General in the realm of consumer data protections. State laws are increasingly requiring AGs to be notified in the event of a breach, and state AGs are taking action for non-compliance, filing lawsuits for failure to notify within the required timeframe and reaching for paper- or digital-based security data breaches. Here at Ignyte we have summarized every state statute on security breach notification and what it means for your specific state: what these laws have in common on notification timing, and what is considered “covered information”.
1. Alabama Security Breach Notification Law
Alabama Security Breach Notification Law states that notification is required following a prompt investigation and must be made no later than 45 calendar days following notification of the breach or a determination that a breach occurred and is reasonably likely to cause substantial harm to customers or the organization. If over 1,000 residents are notified, the organization must notify the AG as expeditiously as possible, but no later than 45 days after notification of the security breach or close of the investigation. The notice must include a synopsis of events surrounding the incident; the approximate number of affected residents; any services being offered to residents free of charge and how to use them; and contact information that the AG can use to obtain additional information.
Covered information is described as First name or first initial and last name, plus: Social Security or tax ID number; driver’s license, state-issued ID card, passport, military ID, or other unique government-issued ID number; account, credit or debit card number in combination with any required security/access code or password that would permit access to a financial account or conduct a transaction; medical or health insurance information; or username or email address plus a password or security question and answer permitting access to an online account affiliated with the covered entity that is reasonably likely to contain or is used to obtain covered info. Violations may result in civil or criminal penalties.
2. Alaska
Alaska Security Breach Notification Law does not specify a time for a breach notification. The notification must be made in the most expeditious time possible and without unreasonable delay consistent with any measures to determine the scope of the breach and to restore the reasonable integrity of the system. A written notification to the Alaska AG is required only if the organization does not send notice because it determined that the harm threshold is not reached. Violations may result in civil penalties. Covered information is defined as first name or first initial and last name, plus: Social Security number; driver’s license or state identification card number; financial account, credit or debit card number, in combination with any associated security or access code, PIN or password that would permit access to a resident’s financial account information (if any are required); or passwords, PINs or other access codes for financial accounts.
3. Arizona
Arizona Security Breach Notification Law states a notification must be made in the most expedient manner possible and without unreasonable delay consistent with the measures to determine the scope of the security breach, identify customers affected, or restore the reasonable integrity of the system. Notice is required within 45 days of the determination that a breach has occurred. If notice to more than 1,000 customers is required, the organization or entity shall notify the Attorney General.
Covered information is defined as first name or initial and last name, plus: Social Security number; driver’s license or state identification card number; financial account, credit or debit card number, in combination with any required security or access code or password that would permit access to a resident’s financial account; private key that is unique to an individual and that is used to authenticate or sign an electronic record; an individual’s health insurance identification number; information about an individual’s medical or mental health treatment or diagnosis by a health care professional; passport number; individual’s taxpayer identification number or an identity protection personal identification number issued by the IRS; unique biometric data generated from a measurement or analysis of human body characteristics to authenticate an individual when the individual accesses an online account; and an individual’s user name or e-mail address, in combination with a password or security question and answer, that allows access to an online account. Violations may result in civil penalties.
4. Arkansas
Arkansas Security Breach Notification Law states a notification must be made in the most expedient time and manner without unreasonable delay consistent with any measures to determine the scope of the security breach and to restore the integrity of the system. Ark. Admin. Code § 214.00.2-5010: Licensees subject to state Fair Mortgage Lending Act must notify state Securities Commissioner of a breach. If a loan applicant’s or borrower’s financial information or Social Security number was breached or disclosed without authorization, must provide notice to Securities Commissioner within two business days of discovery. Covered information is defined as First name or first initial and last name, plus: Social Security number; driver’s license or state identification card number; financial account, credit or debit card number, in combination with any required security access code or password that would permit access to a resident’s financial account; or medical information. Violations may result in civil or criminal penalties.
5. California Security Breach Notification Law
This law states notification must be made in the most expedient time possible and without unreasonable delay consistent with any measures necessary to determine the scope of the security breach and restore the reasonable integrity of the system. If more than 500 state customers are notified as a result of a single breach, the organization or entity must electronically submit a sample copy of the notification to the California Attorney General. Covered information is defined as First name or first initial and last name, plus: Social Security number; driver’s license or state identification card number; financial account, credit or debit card number, in combination with any required security or access code or password permitting access to a resident’s financial account; medical or health insurance info; or info collected by automated license plate recognition systems. Covered information also includes a user name or email address, in combination with a password or security question and answer that would permit access to system or applications. Violations may result in civil penalties.
6. Colorado
Colorado Security Breach Notification Law states a notification must be made no later than 30 days after the date of determination that the security breach occurred consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the system. If covered entity reasonably believes that the breach affected 500 or more customers, the organization must also notify Attorney General no later than 30 days after determination that the breach occurred. Covered information is defined as (1) first name or first initial and last name, plus: Social Security number; student, military, or passport ID number; driver’s license or state identification card number; medical information; health insurance number; or biometric data; OR (2) username or email address in combination with a password or questions and answers that would permit access to a resident’s online account; OR (3) account number or credit or debit card number, in combination with any required security or access code or password that would permit access to a resident’s financial account. Violations may result in civil penalties.
7. Connecticut
Connecticut Security Breach Notification Law states a notification must be made to customers without unreasonable delay, but no later than 90 days, subject to completion of an investigation to determine the nature and scope of the incident, to identify those affected, or to restore the reasonable integrity of the system. The organization or entity must also provide notice to the Connecticut Attorney General no later than the time notice is provided to the resident or customer (90 days). Covered information is defined as first name or first initial and last name, plus: Social Security number; driver’s license or state identification card number; credit or debit card number; or financial account number in combination with any required security or access code or password that would permit access to a resident’s financial account. Violations may result in civil penalties.
8. Delaware
Delaware Security Breach Notification Law states a notification must be made without unreasonable delay, but no later than 60 days after the determination that a breach occurred. If over 500 residents or customers are to be notified, the organization or entity must notify Delaware Attorney General no later than the time consumer notice is provided (60 days). Covered information is defined as first name or first initial and last name, plus: Social Security number; driver’s license or state or federal identification card number; account, credit or debit card number, in combination with any required security or access code or password that would permit access to a financial account; passport number, username or email address in combination with password or security question and answer that would permit access to an online account; medical information; health insurance information; unique biometric data; or individual taxpayer identification number. Violations may result in civil penalties.
9. Florida Security Breach Notification Law
This law states a notification must be made to customers expeditiously and without unreasonable delay, but no later than 30 days after determination of a security breach or reason to believe a breach has occurred. The organization may receive 15 more days if good cause for delay is provided to the Department of Legal Affairs within the original 30 days. If the breach affects 500 or more residents, the organization must notify the Department of Legal Affairs as expeditiously as practicable, but no later than 30 days after determination of the breach or reason to believe a security breach occurred. The notice must include a synopsis of events surrounding the breach; the number of residents affected or potentially affected; info on services offered to affected individuals free of charge; a copy of the notice to residents; and contact info for the covered entity. The organization must provide additional info upon request by the Department. Covered information is defined as first name or first initial and last name, plus: Social Security number; driver’s license, state identification card, passport, military identification, or other government-issued number to verify identity; financial account, credit, or debit card number in combination with any required code or password that would permit access to a financial account; info regarding medical history, mental/physical condition, or medical treatment/diagnosis; or health insurance policy or subscriber identification number and any unique identifier used by health insurer. Covered info also includes a username or email address in combination with password or security question and answer that would permit access to an online account. Violations may result in civil penalties.
10. Georgia
Georgia Security Breach Notification Law does not have a specific timeframe for breach notification. The notification must be made in the most expedient time possible without unreasonable delay consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, confidentiality and availability of the system. There is no government notification required for the state of Georgia; however, a Consumer Agency Notice is required: if more than 10,000 residents or customers are notified, the organization or entity must notify all nationwide CRAs without unreasonable delay of the timing, distribution and content of the consumer notice. Covered information is defined as first name or first initial and last name, plus: Social Security number; driver’s license or state identification card number; account, credit or debit card number, if it can be used without additional identifying info, access codes or passwords; account passwords, PINs or other access codes; or any of the previous data elements when not connected with the first name or first initial and last name if information compromised is sufficient to perform or attempt identity theft. Violations may result in civil penalties.
11. Hawaii
Hawaii Security Breach Notification Law does not have a specific timeframe for a breach notification. The notification must be made to customers or residents without unreasonable delay consistent with any measures to determine contact info, scope of the breach and to restore the reasonable confidentiality, integrity and availability of the system. If more than 1,000 individuals notified, must notify, in writing, the Hawaii Office of Consumer Protection without unreasonable delay of timing, distribution and content of the consumer notice. Covered information is defined as first name or first initial and last name, plus: Social Security number; driver’s license or state identification card number; or account, credit or debit card number, access code, or password that would permit access to an individual’s financial account. Violations may result in civil penalties.
12. Idaho
Idaho Security Breach Notification Law does not have a specific timeframe for a breach notification. The notification must be made to customers or residents without unreasonable delay consistent with any measures to determine contact info, scope of the breach and to restore the reasonable confidentiality, integrity and availability of the system. There is no government notification required for the state of Idaho. Covered information is defined as first name or first initial and last name, plus: Social Security number; driver’s license or state identification card number; or account, credit card or debit card number in combination with any security code, access code, or password that would permit access to a resident’s financial account. Violations may result in civil penalties.
13. Illinois
Illinois Security Breach Notification Law does not have a specific timeframe for a breach notification. The notification must be made to customers or residents without unreasonable delay consistent with any measures to determine contact info, scope of the breach and to restore the reasonable confidentiality, integrity and availability of the system. Government notification is required: to be deemed in compliance, covered entities and business associates must notify the Illinois Attorney General within 5 business days of notifying the U.S. Dept. of Health and Human Services (“HHS”) of a breach if such notification to HHS is required under the HITECH Act. Covered information is defined as first name or first initial and last name, plus: Social Security number; driver’s license or state identification card number; account, credit or debit card number, or an account or credit card number in combination with any required information that would permit access to a resident’s financial account; medical information; health insurance information; or unique biometric information. Covered info also includes username or email address plus a password or security question and answer that would permit access to an online account. Violations may result in civil penalties.
14. Indiana Security Breach Notification Law
This law does not have a specific timeframe for a security breach notification. The notification must be made to customers or residents without unreasonable delay consistent with any measures to determine contact info, scope of the breach and to restore the reasonable confidentiality, integrity and availability of the system. Government notification is required: if notice is provided to one or more residents or customers, the organization must notify the Indiana Attorney General. Covered information is defined as first name or first initial and last name, plus: Social Security number, driver’s license or state identification card number; credit card number; or financial account or debit card number in combination with a security code, access code or password that would permit access to the person’s account. Covered info includes a Social Security number by itself without name. Violations may result in civil penalties.
15. Iowa
Iowa Security Breach Notification Law does not have a specific timeframe for a breach notification. The notification must be made to customers or residents without unreasonable delay consistent with any measures to determine contact info, scope of the breach and to restore the reasonable confidentiality, integrity and availability of the system. Government notification is required: if more than 500 Iowa residents or customers are notified, the organization must notify the Director of the Iowa Attorney General’s Consumer Protection Division within 5 business days after notifying residents. Covered information is defined as first name or first initial and last name, plus: Social Security number; driver’s license or other government-issued unique identification number; financial account, credit or debit card number, unique electronic identifier, or routing code in combination with any required expiration date, security or access code, or password that would permit access to a resident’s financial account; or unique biometric data. Violations may result in civil penalties.
16. Kansas
Kansas Security Breach Notification Law does not have a specific timeframe for a breach notification. The notification must be made to customers or residents without unreasonable delay consistent with any measures to determine contact info, scope of the breach and to restore the reasonable confidentiality, integrity and availability of the system. There is no government notification required for the state of Kansas; however, a Consumer Agency Notice is required: if more than 1,000 residents are notified, the organization must notify all nationwide CRAs without unreasonable delay of the timing, distribution and content of the notices. Covered information is defined as first name or first initial and last name, plus: Social Security number; driver’s license or state identification card number; or financial account, credit card or debit card number, alone or in combination with any required security or access code or password that would permit access to a resident’s financial account. Violations may result in civil penalties.
17. Kentucky
Kentucky Security Breach Notification Law does not have a specific timeframe for a breach notification. The notification must be made to customers or residents without unreasonable delay consistent with any measures to determine contact info, scope of the breach and to restore the reasonable confidentiality, integrity and availability of the system. There is no government notification required for the state of Kentucky; however, a Consumer Agency Notice is required: if more than 1,000 residents are notified, the organization must notify all nationwide CRAs without unreasonable delay of the timing, distribution and content of the notices. Covered information is defined as first name or first initial and last name, plus: Social Security number; driver’s license number; or account, credit card or debit card number in combination with any required security code, access code or password that would permit access to an individual’s financial account.
18. Louisiana
Louisiana Security Breach Notification Law states a notification must be made to residents or customers in the most expedient time possible and without unreasonable delay, but no later than 60 days from discovery of the breach. Government notification is governed by La. Admin. Code tit. 16, pt. III, § 701: if notice to Louisiana residents or customers is required, the organization must also provide written notice to the Consumer Protection Section of the Attorney General’s office. Notice must be received within 10 days of distribution of notice to Louisiana residents and must include the names of those affected residents or customers. Covered information is defined as first name or first initial and last name, plus: Social Security number; driver’s license or state identification card number; account, credit card or debit card number in combination with any required security or access code or password that would permit access to a resident’s financial account; passport number; or biometric data. Violations may result in civil penalties and/or a fine.
19. Maine
Maine Security Breach Notification Law does not have a specific timeframe for a breach notification. The notification must be made to customers or residents without unreasonable delay consistent with any measures to determine contact info, scope of the breach and to restore the reasonable confidentiality, integrity and availability of the system. Government notification is required: if notification to residents or customers is required, the organization must also notify the appropriate state regulator (either the Dept. of Professional and Financial Regulation or, if not regulated by the Department, the Attorney General). Covered information is defined as first name, or first initial, and last name, plus: Social Security number; driver’s license or state ID card number; account or credit/debit card number if usable without additional identifying information, access codes or passwords; account passwords, PIN numbers, or other access codes; or any of the previous data elements when not in connection with first name, or first initial, and last name, if the compromised information would be sufficient to commit identity theft. Violations may result in civil penalties.
20. Maryland
Maryland Security Breach Notification Law states a notification must be made to residents or customers as soon as reasonably practicable, but no later than 45 days after concluding the investigation to determine whether info has been or will be misused, consistent with measures necessary to determine the scope of the breach, identify those affected, or restore the integrity of the system. The organization or entity must notify the Maryland Attorney General BEFORE providing consumer notice. Covered information is defined as first name or first initial and last name, plus: Social Security number, tax identification number, passport number, or other federal government issued identification number; driver’s license or state ID card number; an account number (including credit or debit card number), in combination with any required security or access code or password that permits access to a financial account; health information (as defined by HIPAA); health insurance policy, certificate, or subscriber identification number, combined with a unique identifier that permits access to an individual’s health information; or unique biometric information; OR username or email address plus password or security question/answer permitting access to an email account. Violations may result in civil penalties.
21. Massachusetts
Massachusetts Security Breach Notification Law does not have a specific timeframe for a breach notification; however, a notification must be made to residents or customers as soon as practicable and without unreasonable delay when an organization knows or has reason to know a breach or other unauthorized access or use of covered information has occurred. In Massachusetts, the organization must notify the Attorney General and the Director of the Office of Consumer Affairs and Business Regulation as soon as practicable and without unreasonable delay. Notice must include the nature of the incident, the number of residents affected and any steps the entity has taken or plans to take relating to the incident. Covered information is defined as first name or first initial and last name, plus: Social Security number; driver’s license or state identification card number; or account, credit card or debit card number in combination with any required security or access code or password that would permit access to a resident’s financial account. Violations may result in civil penalties.
22. Michigan
Michigan Security Breach Notification Law does not have a specific timeframe for a breach notification. The notification must be made to customers or residents without unreasonable delay consistent with any measures to determine contact info, scope of the breach and to restore the reasonable confidentiality, integrity and availability of the system. There is no government notification required for the state of Michigan; however, a Consumer Agency Notice is required: if more than 1,000 residents are notified, the organization must notify all nationwide CRAs without unreasonable delay of the timing, distribution and content of the notices. Covered information is defined as first name or first initial and last name, plus: Social Security number; driver’s license or state ID card number; or account, credit card or debit card number in combination with any required security or access code or password that would permit access to a resident’s financial account. Violations may result in civil or criminal penalties.
23. Minnesota
Minnesota Security Breach Notification Law does not have a specific timeframe for a breach notification. The notification must be made to customers or residents without unreasonable delay consistent with any measures to determine contact info, scope of the breach and to restore the reasonable confidentiality, integrity and availability of the system. There is no government notification required for the state of Minnesota; however, if more than 500 residents or customers are notified, the organization must notify the Consumer Agency and all nationwide CRAs within 48 hours of consumer notice of the timing, distribution and content of the notices. Covered information is defined as first name or first initial and last name, plus: Social Security number; driver’s license or state ID card number; or account, credit card or debit card number in combination with any required security or access code or password that would permit access to an individual’s financial account. Violations may result in civil or criminal penalties.
24. Mississippi Security Breach Notification Law
Mississippi Security Breach Notification Law does not have a specific timeframe for breach notification; however, the notification must be made to residents or customers without unreasonable delay, subject to the completion of an investigation to determine the nature and scope of the breach or to restore the reasonable integrity of the system. Currently, there is no government notification required for the state of Mississippi. Covered information is defined as first name or first initial and last name, plus: Social Security number; driver’s license or state ID card number; or account, credit card or debit card number in combination with any required security or access code or password that would permit access to a resident’s financial account. Violations may result in civil penalties.
25. Missouri
Missouri Security Breach Notification Law does not have a specific timeframe for a breach notification; however, the notification must be made to residents or customers without unreasonable delay, consistent with any measure necessary to determine the scope of the breach and sufficient contact information for affected customers or residents, and to restore reasonable confidentiality, integrity and availability of the system. Government notification is required: if more than 1,000 residents are notified, the organization must notify the Attorney General’s office without unreasonable delay of the timing, distribution and content of the consumer notice. Covered information is defined as first name or first initial and last name, plus: Social Security number; driver’s license, or other unique identification number created or collected by a government body; account number, credit or debit card number, unique electronic identifier, or routing code in combination with any required security code, access code, or password that would permit access to a resident’s financial account; medical information; or health insurance information. Violations may result in civil penalties.
26. Montana
Montana Security Breach Notification Law does not have a specific timeframe for a breach notification; however, the notification must be made to residents or customers without unreasonable delay, consistent with any measure necessary to determine the scope of the breach and sufficient contact information for affected customers or residents, and to restore reasonable confidentiality, integrity and availability of the system. Government notification is required: if notice to customers or residents is required, the organization must simultaneously submit an electronic copy of the notification to the Attorney General along with a statement detailing the date and method of distributing the notice and the number of residents or customers notified. Notification may be delayed if law enforcement determines that notice may impede a criminal investigation. Covered information is defined as first name or first initial and last name, plus: Social Security number; driver’s license, state ID or tribal ID card number; account, credit card or debit card number in combination with any required security or access code or password that would permit access to an individual’s financial account; medical record info as defined by statute; tax ID number; or an identity protection personal ID number issued by the IRS. Violations may result in civil or criminal penalties.
27. Nebraska
Nebraska Security Breach Notification Law states if, after a reasonable and prompt investigation conducted in good faith, the organization determined that covered information has been or is reasonably likely to be used for unauthorized purposes, notice to affected residents or customers must be made as soon as possible and without unreasonable delay. If notice to residents or customers is required, the organization must notify the Nebraska Attorney General of the breach no later than the time when residents or customers are notified. Covered information is defined as first name or first initial and last name, plus: Social Security number; driver’s license or state ID card number; account, credit or debit card number in combination with any information that allows access to a resident’s financial account; unique electronic identification number or routing code combined with any required security code, access code, or password; or unique biometric data, such as a fingerprint, voice print, or retina or iris image, or other unique physical representation OR user name or email address, in combination with a password or security question and answer that would permit access to an online account. Violations may result in civil penalties.
28. Nevada
Nevada Security Breach Notification Law does not have a specific timeframe for breach notification. The notification must be made in the most expedient time possible without unreasonable delay consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, confidentiality and availability of the system. Currently there is no government notification required for the state of Nevada; however, if more than 1,000 residents or customers are notified, the Consumer Agency and all nationwide CRAs must be notified without unreasonable delay of the timing and content of the consumer notice. Violations may result in civil or criminal penalties.
29. New Hampshire
Under the New Hampshire Security Breach Notification Law, notification must be made to residents or customers as soon as possible following determination that covered information has been or is reasonably likely to be misused or following conclusion that such determination cannot be made. Government notification is required for the state of New Hampshire: if notice to consumers is required, the organization must also notify the Attorney General’s office of the breach. Such notice must contain the anticipated date of notice to consumers and the approximate number of New Hampshire residents and customers who will be notified. Organizations engaged in trade or commerce subject to the jurisdiction of the bank commissioner, director of securities regulation, insurance commissioner, public utilities commission, the financial institutions and insurance regulators of other states, or federal banking or securities regulators must notify the primary regulator of such trade or commerce about the breach instead of the Attorney General. Different regulators may have different notification requirements and deadlines. Covered information is defined as first name or first initial and last name, plus: Social Security number; driver’s license or government identification number; or account, credit card or debit card number in combination with any required security or access code or password that would permit access to an individual’s financial account. Violations may result in civil penalties.
30. New Jersey
New Jersey Security Breach Notification Law does not have a specific timeframe for breach notification. The notification must be made in the most expedient time possible without unreasonable delay consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, confidentiality and availability of the system. Government notification is required for the state of New Jersey: in advance of any disclosure to consumers, the organization must report the breach and any information pertaining to it to the Division of State Police in the Department of Law and Public Safety. Covered information is defined as first name or first initial and last name, plus: Social Security number; driver’s license or state identification card number; or account, credit card or debit card number in combination with any required security or access code or password that would permit access to a resident’s financial account. Dissociated data that, if linked, would constitute covered info is itself covered info if the means to link the dissociated data were accessed in connection with access to the dissociated data. Violations may result in civil penalties.
31. New Mexico
New Mexico Security Breach Notification Law states that notification to consumers must be made in the most expedient time possible, but no later than 45 calendar days following discovery of a breach, subject to the delay provision. Notification may be delayed if law enforcement determines notification will impede a criminal investigation, or as necessary to determine the scope of the breach and restore the confidentiality, integrity and availability of the system. Government notification is required if more than 1,000 residents are notified: the organization must notify the AG in the most expedient time possible but no later than 45 days after discovery of the breach, unless the delayed notice provision applies. The notice must include the number of residents that were notified and a copy of the notice. Covered information is defined as first name or first initial and last name, plus: Social Security number; driver’s license or government-issued identification number; account, credit or debit card number in combination with any required security or access code or password that would permit access to a person’s financial account; or biometric data. Violations may result in an injunction and civil penalties.
32. New York Security Breach Notification Law
This law does not have a specific timeframe for breach notification. The notification must be made in the most expedient time possible without unreasonable delay consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, confidentiality, and availability of the system. Government notification is required for the state of New York: if residents are notified, the organization must notify the AG, the NY Department of State and the New York State Police of the timing, content and distribution of the notices and the approximate number of affected persons. This notice must not delay consumer notice. Covered information is defined as name, number, or other identifier that can be used to personally identify an individual, plus: Social Security number; driver’s license or non-driver identification card number; or account, credit card or debit card number in combination with any required security or access code or password that would permit access to a resident’s financial account. Violations may result in civil penalties.
33. North Carolina
North Carolina Security Breach Notification Law does not have a specified timeframe to notify residents or consumers. However, a notification must be made without unreasonable delay. Government notification is required for the state of North Carolina: if residents are notified, the organization must notify the Consumer Protection Division of the Attorney General’s office without unreasonable delay and provide the nature of the breach, number of consumers affected, steps taken to investigate the breach, steps taken to prevent a similar breach in the future, and information regarding the timing, distribution and content of the consumer notices. N.C. Admin Code 3M.0402: Mortgage licensees must notify the Commissioner of the North Carolina Banking Commission within one business day of providing notice to residents. Covered information is defined as first name or first initial and last name, plus: Social Security or employer taxpayer ID numbers; driver’s license, state ID card, or passport numbers; checking account, savings account, credit card or debit card numbers; PIN code; digital signatures; biometric data; fingerprints; electronic ID numbers, email names/addresses, Internet account numbers, usernames, parent’s legal surname prior to marriage, or passwords (if such information would permit access to a person’s financial account or resources); or any other numbers or information that can be used to access a person’s financial resources. Violations may result in civil or criminal penalties.
34. North Dakota Security Breach Notification Law
This law does not have a specific timeframe for breach notification. The notification must be made in the most expedient time possible without unreasonable delay consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, confidentiality and availability of the system. Government notification is required for the state of North Dakota: a breach that affects more than 250 individuals must be reported to the Attorney General by email or via mail. Covered information is defined as first name or first initial and last name, plus: Social Security number; driver’s license or non-driver color photo identification card number assigned by the DOT; financial account number, credit card or debit card number in combination with any required security or access code, or password that would permit access to a financial account; date of birth; maiden name of the resident’s mother; medical information; health insurance information; employee identification number in combination with any required security code, access code, or password; or digitized or other electronic signature. Violations may result in civil penalties.
35. Ohio
Ohio Security Breach Notification Law (Ohio Revised Code 1349.19, Ohio Revised Code 1349.191, and Ohio Revised Code 1349.92) states that a breach notification must be made in the most expedient time possible but no later than 45 days following discovery of the breach. Government notification is not required by the state of Ohio; however, if more than 1,000 Ohio residents are notified, the organization must notify the Consumer Agency and all nationwide CRAs without unreasonable delay of the timing, distribution, and content of the consumer notice. Notification may be delayed if law enforcement determines that the notification will impede a criminal investigation or jeopardize homeland or national security. Covered information is defined as first name or first initial and last name, plus: Social Security number; driver’s license or state identification card number; or financial account, credit card or debit card number in combination with any required security or access code or password that would permit access to a resident’s financial account. Violations may result in civil penalties.
36. Oklahoma
Oklahoma Security Breach Notification Law (Oklahoma 24-166) does not have a specific timeframe for breach notification. The notification must be made in the most expedient time possible without unreasonable delay consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, confidentiality and availability of the system. Notice to a state regulator is generally not required. However, organizations subject to the state Real Estate Commission must send notice of a breach to the Commission (Okla. Admin. Code § 605:10-13-1). Covered information is defined as first name or first initial and last name, plus: Social Security number; driver’s license or state identification card number; or financial account, credit card or debit card number in combination with any required security or access code or password that would permit access to a resident’s financial account. Violations may result in civil penalties.
37. Oregon
Oregon Security Breach Notification Law states that a breach notification must be made in the most expedient time possible but no later than 45 days following discovery of the breach. In the state of Oregon, the AG must be notified of breaches affecting over 250 residents within 45 days of discovery or notification of the breach. Notification to consumers and the AG may be delayed only if law enforcement determines that notice will impede a criminal investigation and has made a written request that the notification be delayed. Covered information is defined as first name or first initial and last name, plus: Social Security number; driver license or state ID card number; passport or other U.S.-issued ID number; financial account, credit or debit card number, in combination with any required security or access code or password that would permit access to the resident’s financial account or any other combination of information covered entity reasonably should know grants access to a financial account; biometric data; health insurance information used by insurer to identify the resident; or medical information OR any of the above data elements without name, if that information is not encrypted, redacted, or otherwise rendered unusable or if the compromised info would be sufficient to permit a person to commit identity theft. Violations may result in civil penalties.
38. Pennsylvania
Pennsylvania Security Breach Notification Law does not have a specific timeframe for breach notification. The notification must be made in the most expedient time possible without unreasonable delay consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, confidentiality and availability of the system. Government notification is not required for the state of Pennsylvania; however, a Consumer Agency notification is still required: if more than 1,000 residents are notified, the organization must notify all nationwide CRAs without unreasonable delay of the timing, distribution and number of consumer notices. Covered information is defined as first name or first initial and last name, plus: Social Security number; driver’s license or state identification card number; or financial account, credit card or debit card number in combination with any required security or access code or password that would permit access to a resident’s financial account. Violations may result in civil penalties.
39. Rhode Island
Rhode Island Security Breach Notification Law states that a notification must be made to residents and consumers in the most expedient time possible but no later than 45 days after confirmation of the breach and the ability to ascertain information that must be included in the consumer notice. Government notification is required for the state of Rhode Island: if more than 500 residents are notified, the organization must notify the Attorney General of the timing, distribution and content of the consumer notice and the number of affected individuals. Notification may not delay consumer notice. Rhode Island Admin. Code § 11-5-107:11: Entities subject to state insurance regulations must send notice of a breach to the state Department of Business in the most expedient time possible and without unreasonable delay. Covered information is defined as first name or first initial and last name, plus: Social Security number; driver’s license number or Rhode Island Identification card number; account, credit or debit card number, in combination with any required security or access code, password or PIN number that would permit access to a resident’s financial account; medical or health insurance information; or email address with any required security or access code, or password that would permit access to an individual’s personal, medical, insurance, or financial account. Violations may result in civil penalties.
40. South Carolina
South Carolina Security Breach Notification Law does not have a specific timeframe for breach notification. The notification must be made in the most expedient time possible without unreasonable delay consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, confidentiality and availability of the system. Government notification is required for the state of South Carolina: if more than 1,000 residents are notified pursuant to this statute, the organization must notify the Consumer Protection Division of the South Carolina Department of Consumer Affairs without unreasonable delay of the timing, distribution and content of the consumer notice. Covered information is defined as first name or first initial and last name, plus: Social Security number; driver’s license or state identification card number; financial account, credit card or debit card number in combination with any required security code, access code, or password that would permit access to a resident’s financial account; or other numbers or info which may be used to access a person’s financial accounts or are issued by a governmental or regulatory entity that uniquely identifies a resident. Violations may result in civil penalties.
41. South Dakota Security Breach Notification Law
This law states that consumer notification must be made no later than 60 days after discovery or notification of the breach. The notice can be written or electronic. Government notification is required for the state of South Dakota: if over 250 consumers or residents are affected, the organization must notify the South Dakota AG no later than 60 days after discovery or notification of the breach of system security. Covered information is defined as first name or first initial and last name, plus: Social Security number; driver’s license or other unique government-issued ID number; account, credit or debit card number in combination with any required security/access code, password, routing number, PIN or other information that would permit access to a financial account; health information as defined by HIPAA; employee ID number in combination with any required security/access code, password, or biometric data used for authentication purposes; or username or email address plus a password or security question and answer permitting access to an online account. Violations may result in civil penalties.
42. Tennessee
Tennessee Security Breach Notification Law states that a notification to consumers and residents must be made no later than 45 days after discovery of the breach. Government notification is not required by the state of Tennessee; however, a Consumer Agency notification must be made: if more than 1,000 persons are notified, the organization must notify all nationwide CRAs without unreasonable delay of the timing, distribution and content of the consumer notice. Covered information is defined as first name or first initial and last name, plus: Social Security number; driver’s license number; or account, credit card or debit card number in combination with any required security or access code or password that would permit access to a resident’s financial account. Violations may result in civil penalties.
43. Texas
Texas Security Breach Notification Law and Texas Notification Required Following Breach of Security of Computerized Data do not specify a timeframe to notify consumer or government entities. The law states that a notification must be made as quickly as possible. A Consumer Agency notification must be made: if more than 10,000 persons are notified, the organization must notify all nationwide CRAs without unreasonable delay of the timing, distribution and content of the consumer notice. Covered information is defined as first name or first initial and last name, plus: Social Security number; driver’s license or government-issued identification number; account, credit or debit card number in combination with any required security or access code, or password that would permit access to an individual’s financial account. Covered information also includes information that identifies an individual and relates to: their physical or mental health or condition; the provision of health care to them; or their payment for the provision of health care. Violations may result in civil penalties.
44. Utah
Utah Security Breach Notification Law does not have a specific timeframe for breach notification. The notification must be made in the most expedient time possible without unreasonable delay consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, confidentiality and availability of the system. Currently there is no government notification required for the state of Utah. Covered information is defined as first name or first initial and last name, plus: Social Security number; driver’s license or state identification card number; or financial account, credit card or debit card number in combination with any required security or access code or password that would permit access to a resident’s financial account. Violations may result in civil penalties.
45. Vermont
Vermont Security Breach Notification Law states that a breach notification must be made in the most expedient time possible but no later than 45 days following discovery of the breach. Government notification is required for the state of Vermont: subject to a law enforcement delay, the organization must provide preliminary notice to the Attorney General (or Dept. of Financial Regulation if regulated by the Dept.) within 14 business days of discovery of the breach. Notice should include the date of the breach (if known), the date of discovery, and a preliminary description of the breach. This requirement is subject to certain limitations. When consumer notice is provided, the organization must provide follow-up notice to the Attorney General or Department, as appropriate, identifying the number of Vermont residents affected, and a copy of the consumer notice. If more than 1,000 residents are notified, the organization must notify all nationwide CRAs without unreasonable delay of the timing, distribution and content of the consumer notice. Covered information is defined as first name or first initial and last name, plus: Social Security number; driver’s license or non-driver identification card number; financial account, credit or debit card number, if number could be used without additional identifying information, access codes, or passwords; or account passwords or personal identification numbers or other access codes for a financial account. Violations may result in civil penalties.
46. Virginia Security Breach Notification
This law and Breach of Medical Information Notification do not specify a timeframe to notify consumer or government entities. However, a notification must be made to consumers or residents without unreasonable delay following the discovery of the breach. Government notification is required for the state of Virginia: the Attorney General must be notified without unreasonable delay following discovery or notification of the breach. An employer or payroll service provider that owns or licenses computerized data related to Virginia income tax withholdings must notify the Attorney General without unreasonable delay of discovery or notification of unauthorized access and acquisition of unencrypted and unredacted computerized data containing taxpayer ID number in combination with income tax withheld (if reasonably believed that acquisition has or will cause identity theft or fraud). The notice must include the name and federal employer ID number that may be affected by compromise. For employers, this requirement only applies to information about their own employees. Covered information is defined as first name or first initial and last name, plus: Social Security number; driver’s license or state identification card number; or financial account, credit card or debit card number, in combination with any required security or access code, or password that would permit access to a resident’s financial account. Violations may result in civil penalties.
47. Washington
Washington Security Breach Notification Law and Notice of Security Breaches state that a breach notification must be made in the most expedient time possible but no later than 45 days following discovery of the breach. Government notification is required for the state of Washington: if more than 500 residents must be notified, the organization must provide notice to the Attorney General prior to consumer notice. Notice must include an electronic copy of the consumer notice and the number of residents affected by the breach. Washington Admin Code 284-04-625: Licensees subject to state insurance regulations must notify the state Insurance Commissioner in writing about the number of consumers affected and measures taken, within two business days of determining notice must be sent to consumers under the breach notification statute or 45 C.F.R. § 164.402. Additional notice requirements apply for breaches of PHI. Covered information is defined as first name or first initial and last name, plus: Social Security number; driver’s license or state identification card number; or financial account, credit card or debit card number in combination with any required security or access code or password that would permit access to a resident’s financial account. Violations may result in civil penalties.
48. West Virginia
West Virginia Security Breach Notification Law does not specify a timeframe for consumer notification. However, a notification must be made without unreasonable delay to any resident or consumer who may be affected. There is currently no government notification required for the state of West Virginia. A Consumer Agency notification must be made: if more than 1,000 residents are notified under this statute, the organization must notify all nationwide CRAs without unreasonable delay of the timing, distribution and content of the consumer notice. This does not apply to organizations subject to Gramm-Leach-Bliley. Covered information is defined as first name or first initial and last name, plus: Social Security number; driver’s license or state identification card number; or financial account, credit card or debit card number in combination with any required security or access code or password that would permit access to a resident’s financial account. Violations may result in civil penalties.
49. Wisconsin
Wisconsin Security Breach Notification Law states that the organization must make reasonable efforts to notify affected residents or consumers within a reasonable time not to exceed 45 days after discovery of the breach. This notification is also subject to law enforcement, if law enforcement determines it necessary to protect an investigation or homeland security. There is currently no government notification required for the state of Wisconsin. Covered information is defined as first name or first initial and last name, plus: Social Security number; driver’s license or state identification number; financial account, credit or debit card number, or any security or access code, or password that would permit access to the individual’s financial account; DNA profile; or unique biometric data. Violations may result in civil penalties.
50. Wyoming
Wyoming Security Breach Notification Law does not specify a timeframe for consumer notification. However, a notification must be made without unreasonable delay to any resident or consumer who may be affected. There is currently no government notification required for the state of Wyoming. Covered information is defined as first name or first initial and last name, plus: Social Security number; driver’s license number; account, credit or debit card number in combination with any security code, access code or password that would allow access to a person’s financial account; tribal, or federal or state government-issued identification card; shared secrets or security tokens known to be used for data based authentication; username or email address, in combination with a required password or security question and answer; birth or marriage certificate; medical information; health insurance info; unique biometric info; or a taxpayer identification number. Violations may result in civil penalties.
51. District of Columbia
D.C. Security Breach Notification Law does not specify a timeframe to notify consumer or government entities. However, a notification must be made to consumers or residents without unreasonable delay following discovery of the breach. There is currently no government notification required for the District of Columbia. Covered information is defined as first name or first initial and last name, plus: Social Security number; driver’s license number; account, credit or debit card number in combination with any security code, access code or password that would allow access to a person’s financial account; tribal, or federal or state government-issued identification card; shared secrets or security tokens known to be used for data based authentication; username or email address, in combination with a required password or security question and answer; birth or marriage certificate; medical information; health insurance info; unique biometric info; or a taxpayer identification number. Violations may result in civil penalties.
52. Guam
Guam Security Breach Notification Law does not specify a timeframe to notify residents or consumers. However, a breach notification must be made without unreasonable delay. Neither government notification nor consumer agency notification is required for Guam. Covered information is defined as first name or first initial and last name, plus: Social Security number; driver’s license or Guam identification card number; financial account, credit card or debit card number, in combination with any required security or access code, or password that would permit access to a resident’s financial account. Violations may result in civil penalties.
53. Puerto Rico
Puerto Rico Security Breach Notification Law does not define a specific timeframe for consumer notifications. However, a notification must be made to consumers or residents as expeditiously as possible consistent with any measures to restore the security of the system. A government notification is required as the organization must notify the Department of Consumer Affairs within a non-extendable term of 10 days after discovery. Covered information is defined as first name or first initial and last name, plus: Social Security number; driver’s license number, voter identification or other official identification; bank or financial account number of any type, with or without any associated password or access code; names of users and passwords or access codes to public or private info systems; medical info protected by HIPAA; tax information; work-related evaluations. Violations may result in civil penalties.
54. The Virgin Islands
Virgin Islands Security Breach Notification Law does not define a specific timeframe for consumer notifications. However, a notification must be made to consumers or residents as expeditiously as possible consistent with any measures to restore the security of the system. There is currently no government notification required for the U.S. Virgin Islands. Covered information is defined as first name or first initial and last name, plus: Social Security number; driver’s license number; or account, credit card or debit card number in combination with any required security or access code or password that would permit access to a resident’s financial account. Violations may result in civil penalties.
Ignyte Assurance Platform™ is a leader in collaborative security and integrated GRC solutions for global corporations. For corporate risk and compliance officers who depend heavily on the protection of their resources, Ignyte is the ultimate translation engine that assists with data collection, analysis, and helps streamline processes across multiple security frameworks at once. The Ignyte Assurance Platform™ is used by leading corporations in diverse industries, such as Healthcare, Defense and Technology. Ignyte is headquartered in Miamisburg, Ohio and can be reached at ignyte1stg.wpengine.com or call 1.833.IGNYTE1, (937) 789-4216.