legacypaychex.datasecurityu.com
141.193.213.21 (Public Scan)

Submitted URL: http://legacypaychex.datasecurityu.com/
Effective URL: https://legacypaychex.datasecurityu.com/login/?redirect_to=https%3A%2F%2Flegacypaychex.datasecurityu.com%2F
Submission Tags: fd 1.1.2 ds12
Submission: On January 05 via api from US — Scanned from DE

Form analysis: 4 forms found in the DOM

POST

<form method="post" action="" autocomplete="off">
  <div class="um-row _um_row_1 " style="margin: 0 0 30px 0;">
    <div class="um-col-1">
      <div class="um-field um-field-username um-field-text um-field-type_text" data-key="username">
        <div class="um-field-label"><label for="username-2710">Username or E-mail</label>
          <div class="um-clear"></div>
        </div>
        <div class="um-field-area"><input autocomplete="off" class="um-form-field valid " type="text" name="username-2710" id="username-2710" value="" placeholder="" data-validate="unique_username_or_email" data-key="username">
        </div>
      </div>
      <div class="um-field um-field-user_password um-field-password um-field-type_password" data-key="user_password">
        <div class="um-field-label"><label for="user_password-2710">Password</label>
          <div class="um-clear"></div>
        </div>
        <div class="um-field-area"><input class="um-form-field valid " type="password" name="user_password-2710" id="user_password-2710" value="" placeholder="" data-validate="" data-key="user_password">
        </div>
      </div>
    </div>
  </div> <input type="hidden" name="form_id" id="form_id_2710" value="2710">
  <input type="hidden" name="timestamp" class="um_timestamp" value="1641400023">
  <p class="request_name">
    <label for="request_2710">Only fill in if you are not human</label>
    <input type="text" name="request" id="request_2710" class="input" value="" size="25" autocomplete="off">
  </p>
  <input type="hidden" name="redirect_to" id="redirect_to" value="https://legacypaychex.datasecurityu.com/">
  <div class="um-col-alt">
    <div class="um-center">
      <input type="submit" value="Log In" class="um-button" id="um-submit-btn">
    </div>
    <div class="um-clear"></div>
  </div>
  <div class="um-col-alt-b">
    <a href="https://legacypaychex.datasecurityu.com/password-reset/" class="um-link-alt">
			Forgot your password?		</a>
  </div>
</form>

<form class="ipt_uif_validate_form ipt_fsqm_main_form" id="ipt_fsqm_form_30" autocomplete="on" onsubmit="return false">
  <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_epoc" class="eform-epoc-value" value="1641400023">
  <input type="hidden" name="_wp_http_referer" value="/login/?redirect_to=https%3A%2F%2Flegacypaychex.datasecurityu.com%2F">
  <input type="hidden" data-sayt-exclude="" name="form_id" value="30">
  <div class="ipt-eform-width-restrain">
    <div class="ipt-eform-content ">
      <div
        data-settings="{&quot;can_previous&quot;:true,&quot;show_progress_bar&quot;:true,&quot;progress_bar_bottom&quot;:false,&quot;block_previous&quot;:false,&quot;any_tab&quot;:false,&quot;type&quot;:&quot;1&quot;,&quot;scroll&quot;:false,&quot;decimal_point&quot;:2,&quot;auto_progress&quot;:false,&quot;auto_progress_delay&quot;:&quot;1500&quot;,&quot;auto_submit&quot;:false,&quot;hidden_buttons&quot;:false,&quot;scroll_on_error&quot;:false}"
        class="ipt_fsqm_main_tab ipt_uif_tabs horizontal ui-tabs ui-corner-all ui-widget ui-widget-content">
        <div class="ipt-eform-tab-nav-wrap">
          <ul role="tablist" class="ui-tabs-nav ui-corner-all ui-helper-reset ui-helper-clearfix ui-widget-header">
            <li id="ipt_fsqm_form_30_tab_0_control_li" role="tab" tabindex="0" class="ui-tabs-tab ui-corner-top ui-state-default ui-tab ui-tabs-active ui-state-active" aria-controls="ipt_fsqm_form_30_tab_0" aria-labelledby="ui-id-1"
              aria-selected="true" aria-expanded="true">
              <a class="eform-ripple ui-tabs-anchor waves-effect waves-light" href="#ipt_fsqm_form_30_tab_0" role="presentation" tabindex="-1" id="ui-id-1"><span class="eform-tab-labels">Data Security Breach Calculator </span></a></li>
            <li id="ipt_fsqm_form_30_tab_1_control_li" role="tab" tabindex="-1" class="ui-tabs-tab ui-corner-top ui-state-default ui-tab" aria-controls="ipt_fsqm_form_30_tab_1" aria-labelledby="ui-id-2" aria-selected="false" aria-expanded="false">
              <a class="eform-ripple ui-tabs-anchor waves-effect waves-light" href="#ipt_fsqm_form_30_tab_1" role="presentation" tabindex="-1" id="ui-id-2"><span class="eform-tab-labels">GDPR Breach Calculator </span></a></li>
          </ul>
          <i class="eform-tab-nav eform-tab-nav-right ipt-icomoon-angle-right eform-ripple waves-effect waves-light"></i>
          <i class="eform-tab-nav eform-tab-nav-left ipt-icomoon-angle-left disabled eform-ripple waves-effect waves-light"></i>
          <span class="eform-tab-passive-notifier"></span>
          <span class="eform-tab-active-notifier" style="left: -13px; right: 9px;"></span>
        </div>
        <div id="ipt_fsqm_form_30_tab_0" class="ipt_fsqm_form_tab_panel ui-tabs-panel ui-corner-bottom ui-widget-content" aria-labelledby="ui-id-1" role="tabpanel" aria-hidden="false">
          <div id="ipt_fsqm_form_30_layout_0_inner" class="ipt-eform-layout-wrapper">
            <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[design][6][m_type]" id="ipt_fsqm_form_30_design_6_m_type" value="design" class="ipt_fsqm_hf_m_type">
            <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[design][6][type]" id="ipt_fsqm_form_30_design_6_type" value="richtext" class="ipt_fsqm_hf_type">
            <div class="ipt_uif_column ipt_uif_column_full ipt_uif_conditional" id="ipt_fsqm_form_30_design_6">
              <div class="ipt_uif_column_inner side_margin">
                <div class="ipt_uif_richtext">
                  <p><img class="size-large wp-image-1120 aligncenter" src="/wp-content/uploads/2017/02/headerimg-1024x580.png" alt="" width="1024" height="580"></p>
                  <div class="clear-both"></div>
                </div>
                <div class="clear-both"></div>
              </div>
            </div>
            <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[design][3][m_type]" id="ipt_fsqm_form_30_design_3_m_type" value="design" class="ipt_fsqm_hf_m_type">
            <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[design][3][type]" id="ipt_fsqm_form_30_design_3_type" value="richtext" class="ipt_fsqm_hf_type">
            <div class="ipt_uif_column ipt_uif_column_full ipt_uif_conditional" id="ipt_fsqm_form_30_design_3">
              <div class="ipt_uif_column_inner side_margin">
                <div class="ipt_uif_richtext">
                  <p><span style="font-family: 'Exo 2'; font-size: medium;">Our Data Security Breach Calculator is designed to show you how a breach could impact your specific business.&nbsp; A recent breach of a Specialty Physician Practice Group in
                      the US with 8 locations and 30 Physicians affected over 500,000 patient records.&nbsp; The cost was so staggering that the Practice lost over $150M in enterprise value and was sold for $0.00 within 1 year of the
                      breach.</span><br style="font-family: 'Exo 2'; font-size: medium; box-sizing: border-box !important;"><br style="font-family: 'Exo 2'; font-size: medium; box-sizing: border-box !important;"><span
                      style="font-family: 'Exo 2'; font-size: medium;">Those that survive suffer significant damage to both their reputations and their brands – damage that can often take years to repair.&nbsp;</span><br
                      style="font-family: 'Exo 2'; font-size: medium; box-sizing: border-box !important;"><br style="font-family: 'Exo 2'; font-size: medium; box-sizing: border-box !important;"><span
                      style="font-family: 'Exo 2'; font-size: medium;">To use our Data Breach Calculator all you have to do is answer three questions and click “calculate.” The potential impact just may astound you.&nbsp;</span></p>
                  <div class="clear-both"></div>
                </div>
                <div class="clear-both"></div>
              </div>
            </div>
            <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[design][14][m_type]" id="ipt_fsqm_form_30_design_14_m_type" value="design" class="ipt_fsqm_hf_m_type">
            <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[design][14][type]" id="ipt_fsqm_form_30_design_14_type" value="heading" class="ipt_fsqm_hf_type">
            <div class="ipt_uif_column ipt_uif_column_full ipt_uif_conditional ipt_fsqm_container_heading" id="ipt_fsqm_form_30_design_14">
              <div class="ipt_uif_column_inner">
                <h2 class="ipt_uif_heading ipt_uif_divider ipt_uif_align_center">
                  <span class="ipt_uif_divider_text">
                    <i title="" class=" ipticm prefix" data-ipt-icomoon=""></i>
                    <span class="ipt_uif_divider_text_inner"> Calculate your risk: </span>
                  </span>
                </h2>
                <div class="clear-both"></div>
              </div>
            </div>
            <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[design][9][m_type]" id="ipt_fsqm_form_30_design_9_m_type" value="design" class="ipt_fsqm_hf_m_type">
            <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[design][9][type]" id="ipt_fsqm_form_30_design_9_type" value="container" class="ipt_fsqm_hf_type">
            <div class="ipt_uif_column ipt_uif_column_full ipt_uif_conditional ipt_fsqm_container_container" id="ipt_fsqm_form_30_design_9">
              <div class="ipt_uif_column_inner side_margin">
                <div class="eform-styled-container ipt_uif_container" data-opened="1">
                  <div class="ipt_uif_container_head">
                    <h3> <span class="ipt_uif_container_label">Please identify the nation where your operations are based or where you conduct business.</span></h3>
                  </div>
                  <div class="ipt_uif_container_inner">
                    <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[pinfo][1][m_type]" id="ipt_fsqm_form_30_pinfo_1_m_type" value="pinfo" class="ipt_fsqm_hf_m_type">
                    <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[pinfo][1][type]" id="ipt_fsqm_form_30_pinfo_1_type" value="p_select" class="ipt_fsqm_hf_type">
                    <div class="ipt_uif_column ipt_uif_column_full ipt_uif_conditional ipt_fsqm_container_p_select" id="ipt_fsqm_form_30_pinfo_1">
                      <div class="ipt_uif_column_inner side_margin">
                        <div class="ipt_uif_question ipt_uif_question_vertical ipt_uif_question_full">
                          <div class="ipt_uif_question_content">
                            <select class="check_me ipt_uif_select select2-hidden-accessible" name="ipt_fsqm_form_30[pinfo][1][options][]" id="ipt_fsqm_form_30_pinfo_1_options_" data-theme="eform-material" tabindex="-1" aria-hidden="true">
                              <option value="0" data-num="0">United States</option>
                              <option value="1" data-num="190">Canada</option>
                              <option value="2" data-num="160">Germany</option>
                              <option value="3" data-num="155">Middle East</option>
                              <option value="4" data-num="146">France</option>
                              <option value="5" data-num="140">Japan</option>
                              <option value="6" data-num="128">Italy</option>
                              <option value="7" data-num="128">South Africa</option>
                              <option value="8" data-num="123">United Kingdom</option>
                              <option value="9" data-num="112">ASEAN</option>
                              <option value="10" data-num="79">Brazil</option>
                              <option value="11" data-num="64">India</option>
                            </select><span class="select2 select2-container select2-container--eform-material" dir="ltr" style="width: auto;"><span class="selection"><span class="select2-selection select2-selection--single" role="combobox"
                                  aria-haspopup="true" aria-expanded="false" tabindex="0" aria-labelledby="select2-ipt_fsqm_form_30_pinfo_1_options_-container"><span class="select2-selection__rendered"
                                    id="select2-ipt_fsqm_form_30_pinfo_1_options_-container" title="United States">United States</span><span class="select2-selection__arrow" role="presentation"><b role="presentation"></b></span></span></span><span
                                class="dropdown-wrapper" aria-hidden="true"></span></span>
                            <div class="clear-both"></div>
                            <div class="clear-both"></div>
                          </div>
                        </div>
                        <div class="clear-both"></div>
                      </div>
                    </div>
                    <div class="clear-both"></div>
                  </div>
                </div>
                <div class="clear-both"></div>
              </div>
            </div>
            <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[design][18][m_type]" id="ipt_fsqm_form_30_design_18_m_type" value="design" class="ipt_fsqm_hf_m_type">
            <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[design][18][type]" id="ipt_fsqm_form_30_design_18_type" value="container" class="ipt_fsqm_hf_type">
            <div class="ipt_uif_column ipt_uif_column_full ipt_uif_conditional ipt_fsqm_container_container" id="ipt_fsqm_form_30_design_18">
              <div class="ipt_uif_column_inner side_margin">
                <div class="eform-styled-container ipt_uif_container" data-opened="1">
                  <div class="ipt_uif_container_head">
                    <h3> <span class="ipt_uif_container_label">Please identify the industry sector which best fits your company or organization.</span></h3>
                  </div>
                  <div class="ipt_uif_container_inner">
                    <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[pinfo][8][m_type]" id="ipt_fsqm_form_30_pinfo_8_m_type" value="pinfo" class="ipt_fsqm_hf_m_type">
                    <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[pinfo][8][type]" id="ipt_fsqm_form_30_pinfo_8_type" value="p_select" class="ipt_fsqm_hf_type">
                    <div class="ipt_uif_column ipt_uif_column_full ipt_uif_conditional ipt_fsqm_container_p_select" id="ipt_fsqm_form_30_pinfo_8" style="">
                      <div class="ipt_uif_column_inner side_margin">
                        <div class="ipt_uif_question ipt_uif_question_vertical ipt_uif_question_full">
                          <div class="ipt_uif_question_content">
                            <select class="check_me ipt_uif_select select2-hidden-accessible" name="ipt_fsqm_form_30[pinfo][8][options][]" id="ipt_fsqm_form_30_pinfo_8_options_" data-theme="eform-material" tabindex="-1" aria-hidden="true">
                              <option value="7" data-num="380">Health</option>
                              <option value="14" data-num="245">Financial</option>
                              <option value="8" data-num="223">Services</option>
                              <option value="11" data-num="200">Education</option>
                              <option value="1" data-num="188">Life Science</option>
                              <option value="10" data-num="165">Technology</option>
                              <option value="9" data-num="154">Retail</option>
                              <option value="13" data-num="150">Communications</option>
                              <option value="17" data-num="149">Industrial</option>
                              <option value="15" data-num="137">Energy</option>
                              <option value="4" data-num="132">Consumer</option>
                              <option value="5" data-num="131">Entertainment</option>
                              <option value="18" data-num="124">Hospitality &amp; Hotel</option>
                              <option value="23" data-num="124">Restaurants</option>
                              <option value="19" data-num="123">Transportation</option>
                              <option value="20" data-num="119">Media</option>
                              <option value="21" data-num="101">Research</option>
                              <option value="22" data-num="71">Public Sector</option>
                            </select><span class="select2 select2-container select2-container--eform-material" dir="ltr" style="width: auto;"><span class="selection"><span class="select2-selection select2-selection--single" role="combobox"
                                  aria-haspopup="true" aria-expanded="false" tabindex="0" aria-labelledby="select2-ipt_fsqm_form_30_pinfo_8_options_-container"><span class="select2-selection__rendered"
                                    id="select2-ipt_fsqm_form_30_pinfo_8_options_-container" title="Health">Health</span><span class="select2-selection__arrow" role="presentation"><b role="presentation"></b></span></span></span><span
                                class="dropdown-wrapper" aria-hidden="true"></span></span>
                            <div class="clear-both"></div>
                            <div class="clear-both"></div>
                          </div>
                        </div>
                        <div class="clear-both"></div>
                      </div>
                    </div>
                    <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[pinfo][38][m_type]" id="ipt_fsqm_form_30_pinfo_38_m_type" value="pinfo" class="ipt_fsqm_hf_m_type">
                    <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[pinfo][38][type]" id="ipt_fsqm_form_30_pinfo_38_type" value="p_select" class="ipt_fsqm_hf_type">
                    <div class="ipt_uif_column ipt_uif_column_full ipt_uif_conditional ipt_fsqm_container_p_select iptUIFCHidden" id="ipt_fsqm_form_30_pinfo_38" style="display: none;">
                      <div class="ipt_uif_column_inner side_margin">
                        <div class="ipt_uif_question ipt_uif_question_vertical ipt_uif_question_full">
                          <div class="ipt_uif_question_content">
                            <select class="check_me ipt_uif_select select2-hidden-accessible" name="ipt_fsqm_form_30[pinfo][38][options][]" id="ipt_fsqm_form_30_pinfo_38_options_" data-theme="eform-material" tabindex="-1" aria-hidden="true">
                              <option value="7" data-num="316">Services</option>
                              <option value="14" data-num="283">Financial</option>
                              <option value="8" data-num="270">Technology</option>
                              <option value="11" data-num="255">Energy</option>
                              <option value="1" data-num="248">Media</option>
                              <option value="10" data-num="214">Industrial</option>
                              <option value="9" data-num="180">Retail</option>
                              <option value="13" data-num="159">Consumer</option>
                              <option value="17" data-num="149">Education</option>
                              <option value="15" data-num="139">Transportation</option>
                              <option value="4" data-num="137">Hospitality &amp; Hotel</option>
                              <option value="5" data-num="83">Public Sector</option>
                            </select><span class="select2 select2-container select2-container--eform-material" dir="ltr" style="width: auto;"><span class="selection"><span class="select2-selection select2-selection--single" role="combobox"
                                  aria-haspopup="true" aria-expanded="false" tabindex="0" aria-labelledby="select2-ipt_fsqm_form_30_pinfo_38_options_-container"><span class="select2-selection__rendered"
                                    id="select2-ipt_fsqm_form_30_pinfo_38_options_-container" title="Services"></span><span class="select2-selection__arrow" role="presentation"><b role="presentation"></b></span></span></span><span
                                class="dropdown-wrapper" aria-hidden="true"></span></span>
                            <div class="clear-both"></div>
                            <div class="clear-both"></div>
                          </div>
                        </div>
                        <div class="clear-both"></div>
                      </div>
                    </div>
                    <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[pinfo][27][m_type]" id="ipt_fsqm_form_30_pinfo_27_m_type" value="pinfo" class="ipt_fsqm_hf_m_type">
                    <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[pinfo][27][type]" id="ipt_fsqm_form_30_pinfo_27_type" value="p_select" class="ipt_fsqm_hf_type">
                    <div class="ipt_uif_column ipt_uif_column_full ipt_uif_conditional ipt_fsqm_container_p_select iptUIFCHidden" id="ipt_fsqm_form_30_pinfo_27" style="display: none;">
                      <div class="ipt_uif_column_inner side_margin">
                        <div class="ipt_uif_question ipt_uif_question_vertical ipt_uif_question_full">
                          <div class="ipt_uif_question_content">
                            <select class="check_me ipt_uif_select select2-hidden-accessible" name="ipt_fsqm_form_30[pinfo][27][options][]" id="ipt_fsqm_form_30_pinfo_27_options_" data-theme="eform-material" tabindex="-1" aria-hidden="true">
                              <option value="7" data-num="250">Services</option>
                              <option value="14" data-num="267">Financial</option>
                              <option value="8" data-num="186">Technology</option>
                              <option value="11" data-num="199">Energy</option>
                              <option value="1" data-num="159">Media</option>
                              <option value="10" data-num="218">Industrial</option>
                              <option value="9" data-num="154">Retail</option>
                              <option value="13" data-num="191">Consumer</option>
                              <option value="15" data-num="123">Transportation</option>
                              <option value="4" data-num="143">Hospitality &amp; Hotel</option>
                              <option value="5" data-num="117">Public Sector</option>
                              <option value="19" data-num="162">Communications</option>
                              <option value="20" data-num="213">Life Science</option>
                            </select><span class="select2 select2-container select2-container--eform-material" dir="ltr" style="width: auto;"><span class="selection"><span class="select2-selection select2-selection--single" role="combobox"
                                  aria-haspopup="true" aria-expanded="false" tabindex="0" aria-labelledby="select2-ipt_fsqm_form_30_pinfo_27_options_-container"><span class="select2-selection__rendered"
                                    id="select2-ipt_fsqm_form_30_pinfo_27_options_-container" title="Services"></span><span class="select2-selection__arrow" role="presentation"><b role="presentation"></b></span></span></span><span
                                class="dropdown-wrapper" aria-hidden="true"></span></span>
                            <div class="clear-both"></div>
                            <div class="clear-both"></div>
                          </div>
                        </div>
                        <div class="clear-both"></div>
                      </div>
                    </div>
                    <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[pinfo][28][m_type]" id="ipt_fsqm_form_30_pinfo_28_m_type" value="pinfo" class="ipt_fsqm_hf_m_type">
                    <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[pinfo][28][type]" id="ipt_fsqm_form_30_pinfo_28_type" value="p_select" class="ipt_fsqm_hf_type">
                    <div class="ipt_uif_column ipt_uif_column_full ipt_uif_conditional ipt_fsqm_container_p_select iptUIFCHidden" id="ipt_fsqm_form_30_pinfo_28" style="display: none;">
                      <div class="ipt_uif_column_inner side_margin">
                        <div class="ipt_uif_question ipt_uif_question_vertical ipt_uif_question_full">
                          <div class="ipt_uif_question_content">
                            <select class="check_me ipt_uif_select select2-hidden-accessible" name="ipt_fsqm_form_30[pinfo][28][options][]" id="ipt_fsqm_form_30_pinfo_28_options_" data-theme="eform-material" tabindex="-1" aria-hidden="true">
                              <option value="7" data-num="215">Financial Services</option>
                              <option value="8" data-num="205">Technology</option>
                              <option value="11" data-num="164">Energy</option>
                              <option value="1" data-num="145">Media</option>
                              <option value="10" data-num="181">Industrial</option>
                              <option value="9" data-num="122">Retail</option>
                              <option value="13" data-num="192">Consumer</option>
                              <option value="15" data-num="153">Transportation</option>
                              <option value="4" data-num="154">Hospitality &amp; Hotel</option>
                              <option value="5" data-num="92">Public Sector</option>
                              <option value="19" data-num="176">Communications</option>
                              <option value="20" data-num="195">Life Science</option>
                              <option value="21" data-num="174">Services</option>
                            </select><span class="select2 select2-container select2-container--eform-material" dir="ltr" style="width: auto;"><span class="selection"><span class="select2-selection select2-selection--single" role="combobox"
                                  aria-haspopup="true" aria-expanded="false" tabindex="0" aria-labelledby="select2-ipt_fsqm_form_30_pinfo_28_options_-container"><span class="select2-selection__rendered"
                                    id="select2-ipt_fsqm_form_30_pinfo_28_options_-container" title="Financial Services"></span><span class="select2-selection__arrow" role="presentation"><b role="presentation"></b></span></span></span><span
                                class="dropdown-wrapper" aria-hidden="true"></span></span>
                            <div class="clear-both"></div>
                            <div class="clear-both"></div>
                          </div>
                        </div>
                        <div class="clear-both"></div>
                      </div>
                    </div>
                    <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[pinfo][29][m_type]" id="ipt_fsqm_form_30_pinfo_29_m_type" value="pinfo" class="ipt_fsqm_hf_m_type">
                    <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[pinfo][29][type]" id="ipt_fsqm_form_30_pinfo_29_type" value="p_select" class="ipt_fsqm_hf_type">
                    <div class="ipt_uif_column ipt_uif_column_full ipt_uif_conditional ipt_fsqm_container_p_select iptUIFCHidden" id="ipt_fsqm_form_30_pinfo_29" style="display: none;">
                      <div class="ipt_uif_column_inner side_margin">
                        <div class="ipt_uif_question ipt_uif_question_vertical ipt_uif_question_full">
                          <div class="ipt_uif_question_content">
                            <select class="check_me ipt_uif_select select2-hidden-accessible" name="ipt_fsqm_form_30[pinfo][29][options][]" id="ipt_fsqm_form_30_pinfo_29_options_" data-theme="eform-material" tabindex="-1" aria-hidden="true">
                              <option value="7" data-num="213">Financial</option>
                              <option value="8" data-num="195">Technology</option>
                              <option value="11" data-num="143">Energy</option>
                              <option value="1" data-num="136">Media</option>
                              <option value="10" data-num="105">Industrial</option>
                              <option value="9" data-num="112">Retail</option>
                              <option value="13" data-num="123">Consumer</option>
                              <option value="15" data-num="93">Transportation</option>
                              <option value="5" data-num="82">Public</option>
                              <option value="19" data-num="140">Communications</option>
                              <option value="20" data-num="170">Life Science</option>
                              <option value="21" data-num="100">Education</option>
                              <option value="22" data-num="152">Services</option>
                            </select><span class="select2 select2-container select2-container--eform-material" dir="ltr" style="width: auto;"><span class="selection"><span class="select2-selection select2-selection--single" role="combobox"
                                  aria-haspopup="true" aria-expanded="false" tabindex="0" aria-labelledby="select2-ipt_fsqm_form_30_pinfo_29_options_-container"><span class="select2-selection__rendered"
                                    id="select2-ipt_fsqm_form_30_pinfo_29_options_-container" title="Financial"></span><span class="select2-selection__arrow" role="presentation"><b role="presentation"></b></span></span></span><span
                                class="dropdown-wrapper" aria-hidden="true"></span></span>
                            <div class="clear-both"></div>
                            <div class="clear-both"></div>
                          </div>
                        </div>
                        <div class="clear-both"></div>
                      </div>
                    </div>
                    <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[pinfo][30][m_type]" id="ipt_fsqm_form_30_pinfo_30_m_type" value="pinfo" class="ipt_fsqm_hf_m_type">
                    <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[pinfo][30][type]" id="ipt_fsqm_form_30_pinfo_30_type" value="p_select" class="ipt_fsqm_hf_type">
                    <div class="ipt_uif_column ipt_uif_column_full ipt_uif_conditional ipt_fsqm_container_p_select iptUIFCHidden" id="ipt_fsqm_form_30_pinfo_30" style="display: none;">
                      <div class="ipt_uif_column_inner side_margin">
                        <div class="ipt_uif_question ipt_uif_question_vertical ipt_uif_question_full">
                          <div class="ipt_uif_question_content">
                            <select class="check_me ipt_uif_select select2-hidden-accessible" name="ipt_fsqm_form_30[pinfo][30][options][]" id="ipt_fsqm_form_30_pinfo_30_options_" data-theme="eform-material" tabindex="-1" aria-hidden="true">
                              <option value="7" data-num="192">Financial Services</option>
                              <option value="8" data-num="166">Technology</option>
                              <option value="11" data-num="183">Services</option>
                              <option value="1" data-num="113">Media</option>
                              <option value="10" data-num="167">Industrial</option>
                              <option value="9" data-num="143">Retail</option>
                              <option value="13" data-num="154">Consumer</option>
                              <option value="5" data-num="60">Public Sector</option>
                              <option value="19" data-num="146">Communications</option>
                              <option value="20" data-num="183">Life Science</option>
                              <option value="23" data-num="102">Hospitality</option>
                            </select><span class="select2 select2-container select2-container--eform-material" dir="ltr" style="width: auto;"><span class="selection"><span class="select2-selection select2-selection--single" role="combobox"
                                  aria-haspopup="true" aria-expanded="false" tabindex="0" aria-labelledby="select2-ipt_fsqm_form_30_pinfo_30_options_-container"><span class="select2-selection__rendered"
                                    id="select2-ipt_fsqm_form_30_pinfo_30_options_-container" title="Financial Services"></span><span class="select2-selection__arrow" role="presentation"><b role="presentation"></b></span></span></span><span
                                class="dropdown-wrapper" aria-hidden="true"></span></span>
                            <div class="clear-both"></div>
                            <div class="clear-both"></div>
                          </div>
                        </div>
                        <div class="clear-both"></div>
                      </div>
                    </div>
                    <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[pinfo][31][m_type]" id="ipt_fsqm_form_30_pinfo_31_m_type" value="pinfo" class="ipt_fsqm_hf_m_type">
                    <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[pinfo][31][type]" id="ipt_fsqm_form_30_pinfo_31_type" value="p_select" class="ipt_fsqm_hf_type">
                    <div class="ipt_uif_column ipt_uif_column_full ipt_uif_conditional ipt_fsqm_container_p_select iptUIFCHidden" id="ipt_fsqm_form_30_pinfo_31" style="display: none;">
                      <div class="ipt_uif_column_inner side_margin">
                        <div class="ipt_uif_question ipt_uif_question_vertical ipt_uif_question_full">
                          <div class="ipt_uif_question_content">
                            <select class="check_me ipt_uif_select select2-hidden-accessible" name="ipt_fsqm_form_30[pinfo][31][options][]" id="ipt_fsqm_form_30_pinfo_31_options_" data-theme="eform-material" tabindex="-1" aria-hidden="true">
                              <option value="7" data-num="236">Financial</option>
                              <option value="8" data-num="218">Technology</option>
                              <option value="11" data-num="180">Industrial</option>
                              <option value="1" data-num="173">Life Science</option>
                              <option value="10" data-num="162">Services</option>
                              <option value="9" data-num="130">Communications</option>
                              <option value="13" data-num="127">Education</option>
                              <option value="5" data-num="111">Consumer</option>
                              <option value="19" data-num="103">Retail</option>
                              <option value="20" data-num="92">Transportation</option>
                              <option value="22" data-num="48">Public</option>
                            </select><span class="select2 select2-container select2-container--eform-material" dir="ltr" style="width: auto;"><span class="selection"><span class="select2-selection select2-selection--single" role="combobox"
                                  aria-haspopup="true" aria-expanded="false" tabindex="0" aria-labelledby="select2-ipt_fsqm_form_30_pinfo_31_options_-container"><span class="select2-selection__rendered"
                                    id="select2-ipt_fsqm_form_30_pinfo_31_options_-container" title="Financial"></span><span class="select2-selection__arrow" role="presentation"><b role="presentation"></b></span></span></span><span
                                class="dropdown-wrapper" aria-hidden="true"></span></span>
                            <div class="clear-both"></div>
                            <div class="clear-both"></div>
                          </div>
                        </div>
                        <div class="clear-both"></div>
                      </div>
                    </div>
                    <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[pinfo][32][m_type]" id="ipt_fsqm_form_30_pinfo_32_m_type" value="pinfo" class="ipt_fsqm_hf_m_type">
                    <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[pinfo][32][type]" id="ipt_fsqm_form_30_pinfo_32_type" value="p_select" class="ipt_fsqm_hf_type">
                    <div class="ipt_uif_column ipt_uif_column_full ipt_uif_conditional ipt_fsqm_container_p_select iptUIFCHidden" id="ipt_fsqm_form_30_pinfo_32" style="display: none;">
                      <div class="ipt_uif_column_inner side_margin">
                        <div class="ipt_uif_question ipt_uif_question_vertical ipt_uif_question_full">
                          <div class="ipt_uif_question_content">
                            <select class="check_me ipt_uif_select select2-hidden-accessible" name="ipt_fsqm_form_30[pinfo][32][options][]" id="ipt_fsqm_form_30_pinfo_32_options_" data-theme="eform-material" tabindex="-1" aria-hidden="true">
                              <option value="7" data-num="221">Services</option>
                              <option value="8" data-num="199">Financial</option>
                              <option value="11" data-num="185">Technology</option>
                              <option value="1" data-num="174">Energy</option>
                              <option value="10" data-num="160">Industrial</option>
                              <option value="9" data-num="140">Transportation</option>
                              <option value="13" data-num="133">Communications</option>
                              <option value="5" data-num="123">Education</option>
                              <option value="19" data-num="111">Retail</option>
                              <option value="20" data-num="100">Public</option>
                            </select><span class="select2 select2-container select2-container--eform-material" dir="ltr" style="width: auto;"><span class="selection"><span class="select2-selection select2-selection--single" role="combobox"
                                  aria-haspopup="true" aria-expanded="false" tabindex="0" aria-labelledby="select2-ipt_fsqm_form_30_pinfo_32_options_-container"><span class="select2-selection__rendered"
                                    id="select2-ipt_fsqm_form_30_pinfo_32_options_-container" title="Services"></span><span class="select2-selection__arrow" role="presentation"><b role="presentation"></b></span></span></span><span
                                class="dropdown-wrapper" aria-hidden="true"></span></span>
                            <div class="clear-both"></div>
                            <div class="clear-both"></div>
                          </div>
                        </div>
                        <div class="clear-both"></div>
                      </div>
                    </div>
                    <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[pinfo][33][m_type]" id="ipt_fsqm_form_30_pinfo_33_m_type" value="pinfo" class="ipt_fsqm_hf_m_type">
                    <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[pinfo][33][type]" id="ipt_fsqm_form_30_pinfo_33_type" value="p_select" class="ipt_fsqm_hf_type">
                    <div class="ipt_uif_column ipt_uif_column_full ipt_uif_conditional ipt_fsqm_container_p_select iptUIFCHidden" id="ipt_fsqm_form_30_pinfo_33" style="display: none;">
                      <div class="ipt_uif_column_inner side_margin">
                        <div class="ipt_uif_question ipt_uif_question_vertical ipt_uif_question_full">
                          <div class="ipt_uif_question_content">
                            <select class="check_me ipt_uif_select select2-hidden-accessible" name="ipt_fsqm_form_30[pinfo][33][options][]" id="ipt_fsqm_form_30_pinfo_33_options_" data-theme="eform-material" tabindex="-1" aria-hidden="true">
                              <option value="7" data-num="182">Financial</option>
                              <option value="8" data-num="158">Services</option>
                              <option value="11" data-num="123">Technology</option>
                              <option value="1" data-num="114">Communications</option>
                              <option value="10" data-num="112">Industrial</option>
                              <option value="9" data-num="110">Education</option>
                              <option value="13" data-num="95">Media</option>
                              <option value="5" data-num="89">Hospitality &amp; Hotel</option>
                              <option value="19" data-num="83">Retail</option>
                              <option value="20" data-num="80">Transportation</option>
                              <option value="24" data-num="53">Public</option>
                            </select><span class="select2 select2-container select2-container--eform-material" dir="ltr" style="width: auto;"><span class="selection"><span class="select2-selection select2-selection--single" role="combobox"
                                  aria-haspopup="true" aria-expanded="false" tabindex="0" aria-labelledby="select2-ipt_fsqm_form_30_pinfo_33_options_-container"><span class="select2-selection__rendered"
                                    id="select2-ipt_fsqm_form_30_pinfo_33_options_-container" title="Financial"></span><span class="select2-selection__arrow" role="presentation"><b role="presentation"></b></span></span></span><span
                                class="dropdown-wrapper" aria-hidden="true"></span></span>
                            <div class="clear-both"></div>
                            <div class="clear-both"></div>
                          </div>
                        </div>
                        <div class="clear-both"></div>
                      </div>
                    </div>
                    <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[pinfo][34][m_type]" id="ipt_fsqm_form_30_pinfo_34_m_type" value="pinfo" class="ipt_fsqm_hf_m_type">
                    <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[pinfo][34][type]" id="ipt_fsqm_form_30_pinfo_34_type" value="p_select" class="ipt_fsqm_hf_type">
                    <div class="ipt_uif_column ipt_uif_column_full ipt_uif_conditional ipt_fsqm_container_p_select iptUIFCHidden" id="ipt_fsqm_form_30_pinfo_34" style="display: none;">
                      <div class="ipt_uif_column_inner side_margin">
                        <div class="ipt_uif_question ipt_uif_question_vertical ipt_uif_question_full">
                          <div class="ipt_uif_question_content">
                            <select class="check_me ipt_uif_select select2-hidden-accessible" name="ipt_fsqm_form_30[pinfo][34][options][]" id="ipt_fsqm_form_30_pinfo_34_options_" data-theme="eform-material" tabindex="-1" aria-hidden="true">
                              <option value="7" data-num="180">Financial</option>
                              <option value="8" data-num="176">Services</option>
                              <option value="11" data-num="159">Industrial</option>
                              <option value="1" data-num="134">Technology</option>
                              <option value="10" data-num="131">Transportation</option>
                              <option value="9" data-num="121">Consumer</option>
                              <option value="13" data-num="117">Media</option>
                              <option value="5" data-num="112">Retail</option>
                              <option value="19" data-num="103">Public</option>
                            </select><span class="select2 select2-container select2-container--eform-material" dir="ltr" style="width: auto;"><span class="selection"><span class="select2-selection select2-selection--single" role="combobox"
                                  aria-haspopup="true" aria-expanded="false" tabindex="0" aria-labelledby="select2-ipt_fsqm_form_30_pinfo_34_options_-container"><span class="select2-selection__rendered"
                                    id="select2-ipt_fsqm_form_30_pinfo_34_options_-container" title="Financial"></span><span class="select2-selection__arrow" role="presentation"><b role="presentation"></b></span></span></span><span
                                class="dropdown-wrapper" aria-hidden="true"></span></span>
                            <div class="clear-both"></div>
                            <div class="clear-both"></div>
                          </div>
                        </div>
                        <div class="clear-both"></div>
                      </div>
                    </div>
                    <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[pinfo][35][m_type]" id="ipt_fsqm_form_30_pinfo_35_m_type" value="pinfo" class="ipt_fsqm_hf_m_type">
                    <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[pinfo][35][type]" id="ipt_fsqm_form_30_pinfo_35_type" value="p_select" class="ipt_fsqm_hf_type">
                    <div class="ipt_uif_column ipt_uif_column_full ipt_uif_conditional ipt_fsqm_container_p_select iptUIFCHidden" id="ipt_fsqm_form_30_pinfo_35" style="display: none;">
                      <div class="ipt_uif_column_inner side_margin">
                        <div class="ipt_uif_question ipt_uif_question_vertical ipt_uif_question_full">
                          <div class="ipt_uif_question_content">
                            <select class="check_me ipt_uif_select select2-hidden-accessible" name="ipt_fsqm_form_30[pinfo][35][options][]" id="ipt_fsqm_form_30_pinfo_35_options_" data-theme="eform-material" tabindex="-1" aria-hidden="true">
                              <option value="7" data-num="112">Financial</option>
                              <option value="8" data-num="109">Services</option>
                              <option value="11" data-num="96">Technology</option>
                              <option value="1" data-num="95">Life Science</option>
                              <option value="10" data-num="95">Energy</option>
                              <option value="9" data-num="83">Communications</option>
                              <option value="13" data-num="77">Consumer</option>
                              <option value="5" data-num="69">Industrial</option>
                              <option value="19" data-num="53">Hospitality &amp; Hotel</option>
                              <option value="25" data-num="41">Transportation</option>
                              <option value="26" data-num="39">Retail</option>
                              <option value="27" data-num="26">Public</option>
                            </select><span class="select2 select2-container select2-container--eform-material" dir="ltr" style="width: auto;"><span class="selection"><span class="select2-selection select2-selection--single" role="combobox"
                                  aria-haspopup="true" aria-expanded="false" tabindex="0" aria-labelledby="select2-ipt_fsqm_form_30_pinfo_35_options_-container"><span class="select2-selection__rendered"
                                    id="select2-ipt_fsqm_form_30_pinfo_35_options_-container" title="Financial"></span><span class="select2-selection__arrow" role="presentation"><b role="presentation"></b></span></span></span><span
                                class="dropdown-wrapper" aria-hidden="true"></span></span>
                            <div class="clear-both"></div>
                            <div class="clear-both"></div>
                          </div>
                        </div>
                        <div class="clear-both"></div>
                      </div>
                    </div>
                    <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[pinfo][36][m_type]" id="ipt_fsqm_form_30_pinfo_36_m_type" value="pinfo" class="ipt_fsqm_hf_m_type">
                    <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[pinfo][36][type]" id="ipt_fsqm_form_30_pinfo_36_type" value="p_select" class="ipt_fsqm_hf_type">
                    <div class="ipt_uif_column ipt_uif_column_full ipt_uif_conditional ipt_fsqm_container_p_select iptUIFCHidden" id="ipt_fsqm_form_30_pinfo_36" style="display: none;">
                      <div class="ipt_uif_column_inner side_margin">
                        <div class="ipt_uif_question ipt_uif_question_vertical ipt_uif_question_full">
                          <div class="ipt_uif_question_content">
                            <select class="check_me ipt_uif_select select2-hidden-accessible" name="ipt_fsqm_form_30[pinfo][36][options][]" id="ipt_fsqm_form_30_pinfo_36_options_" data-theme="eform-material" tabindex="-1" aria-hidden="true">
                              <option value="7" data-num="91">Financial</option>
                              <option value="8" data-num="96">Services</option>
                              <option value="11" data-num="86">Industrial</option>
                              <option value="1" data-num="84">Technology</option>
                              <option value="10" data-num="78">Life Science</option>
                              <option value="9" data-num="68">Hospitality &amp; Hotel</option>
                              <option value="13" data-num="62">Retail</option>
                              <option value="5" data-num="61">Consumer</option>
                              <option value="19" data-num="59">Energy</option>
                              <option value="25" data-num="50">Communications</option>
                              <option value="26" data-num="48">Transportation</option>
                              <option value="27" data-num="39">Research</option>
                              <option value="28" data-num="30">Public Sector</option>
                            </select><span class="select2 select2-container select2-container--eform-material" dir="ltr" style="width: auto;"><span class="selection"><span class="select2-selection select2-selection--single" role="combobox"
                                  aria-haspopup="true" aria-expanded="false" tabindex="0" aria-labelledby="select2-ipt_fsqm_form_30_pinfo_36_options_-container"><span class="select2-selection__rendered"
                                    id="select2-ipt_fsqm_form_30_pinfo_36_options_-container" title="Financial"></span><span class="select2-selection__arrow" role="presentation"><b role="presentation"></b></span></span></span><span
                                class="dropdown-wrapper" aria-hidden="true"></span></span>
                            <div class="clear-both"></div>
                            <div class="clear-both"></div>
                          </div>
                        </div>
                        <div class="clear-both"></div>
                      </div>
                    </div>
                    <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[pinfo][37][m_type]" id="ipt_fsqm_form_30_pinfo_37_m_type" value="pinfo" class="ipt_fsqm_hf_m_type">
                    <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[pinfo][37][type]" id="ipt_fsqm_form_30_pinfo_37_type" value="p_select" class="ipt_fsqm_hf_type">
                    <div class="ipt_uif_column ipt_uif_column_full ipt_uif_conditional ipt_fsqm_container_p_select iptUIFCHidden" id="ipt_fsqm_form_30_pinfo_37" style="display: none;">
                      <div class="ipt_uif_column_inner side_margin">
                        <div class="ipt_uif_question ipt_uif_question_vertical ipt_uif_question_full">
                          <div class="ipt_uif_question_content">
                            <select class="check_me ipt_uif_select select2-hidden-accessible" name="ipt_fsqm_form_30[pinfo][37][options][]" id="ipt_fsqm_form_30_pinfo_37_options_" data-theme="eform-material" tabindex="-1" aria-hidden="true">
                              <option value="7" data-num="186">Financial</option>
                              <option value="8" data-num="146">Transportation</option>
                              <option value="11" data-num="136">Technology</option>
                              <option value="1" data-num="134">Services</option>
                              <option value="10" data-num="110">Industrial</option>
                              <option value="9" data-num="100">Communications</option>
                              <option value="13" data-num="91">Consumer</option>
                              <option value="5" data-num="81">Public</option>
                              <option value="19" data-num="74">Hospitality &amp; Hotel</option>
                            </select><span class="select2 select2-container select2-container--eform-material" dir="ltr" style="width: auto;"><span class="selection"><span class="select2-selection select2-selection--single" role="combobox"
                                  aria-haspopup="true" aria-expanded="false" tabindex="0" aria-labelledby="select2-ipt_fsqm_form_30_pinfo_37_options_-container"><span class="select2-selection__rendered"
                                    id="select2-ipt_fsqm_form_30_pinfo_37_options_-container" title="Financial"></span><span class="select2-selection__arrow" role="presentation"><b role="presentation"></b></span></span></span><span
                                class="dropdown-wrapper" aria-hidden="true"></span></span>
                            <div class="clear-both"></div>
                            <div class="clear-both"></div>
                          </div>
                        </div>
                        <div class="clear-both"></div>
                      </div>
                    </div>
                    <div class="clear-both"></div>
                  </div>
                </div>
                <div class="clear-both"></div>
              </div>
            </div>
            <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[design][8][m_type]" id="ipt_fsqm_form_30_design_8_m_type" value="design" class="ipt_fsqm_hf_m_type">
            <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[design][8][type]" id="ipt_fsqm_form_30_design_8_type" value="container" class="ipt_fsqm_hf_type">
            <div class="ipt_uif_column ipt_uif_column_full ipt_uif_conditional ipt_fsqm_container_container" id="ipt_fsqm_form_30_design_8">
              <div class="ipt_uif_column_inner side_margin">
                <div class="eform-styled-container ipt_uif_container" data-opened="1">
                  <div class="ipt_uif_container_head">
                    <h3> <span class="ipt_uif_container_label">Please estimate how many records your company retains in total.</span></h3>
                  </div>
                  <div class="ipt_uif_container_inner">
                    <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[pinfo][3][m_type]" id="ipt_fsqm_form_30_pinfo_3_m_type" value="pinfo" class="ipt_fsqm_hf_m_type">
                    <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[pinfo][3][type]" id="ipt_fsqm_form_30_pinfo_3_type" value="textinput" class="ipt_fsqm_hf_type">
                    <div class="ipt_uif_column ipt_uif_column_full ipt_uif_conditional ipt_fsqm_container_textinput" id="ipt_fsqm_form_30_pinfo_3">
                      <div class="ipt_uif_column_inner side_margin">
                        <div class="ipt_uif_question ipt_uif_question_vertical ipt_uif_question_full">
                          <div class="ipt_uif_question_content">
                            <div class="input-field has-icon">
                              <input class=" check_me validate[custom[integer],min[0]] ipt_uif_text" min="0" max="" step="any" type="number" name="ipt_fsqm_form_30[pinfo][3][value]" id="ipt_fsqm_form_30_pinfo_3_value" maxlength="" value="">
                              <i title="" class=" ipticm prefix" data-ipt-icomoon=""></i>
                              <label for="ipt_fsqm_form_30_pinfo_3_value">i.e. 12000 - no commas</label>
                            </div>
                            <div class="clear-both"></div>
                          </div>
                        </div>
                        <div class="clear-both"></div>
                      </div>
                    </div>
                    <div class="clear-both"></div>
                  </div>
                </div>
                <div class="clear-both"></div>
              </div>
            </div>
            <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[design][11][m_type]" id="ipt_fsqm_form_30_design_11_m_type" value="design" class="ipt_fsqm_hf_m_type">
            <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[design][11][type]" id="ipt_fsqm_form_30_design_11_type" value="container" class="ipt_fsqm_hf_type">
            <div class="ipt_uif_column ipt_uif_column_full ipt_uif_conditional ipt_fsqm_container_container" id="ipt_fsqm_form_30_design_11">
              <div class="ipt_uif_column_inner side_margin">
                <div class="eform-styled-container ipt_uif_container" data-opened="1">
                  <div class="ipt_uif_container_head">
                    <h3> <span class="ipt_uif_container_label">Given your input, here is a rough estimate of the overall financial costs that you could expect to encounter given the number of records at risk in a breach.</span></h3>
                  </div>
                  <div class="ipt_uif_container_inner">
                    <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[freetype][0][m_type]" id="ipt_fsqm_form_30_freetype_0_m_type" value="freetype" class="ipt_fsqm_hf_m_type">
                    <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[freetype][0][type]" id="ipt_fsqm_form_30_freetype_0_type" value="mathematical" class="ipt_fsqm_hf_type">
                    <div class="ipt_uif_column ipt_uif_column_full ipt_uif_conditional ipt_fsqm_container_mathematical" id="ipt_fsqm_form_30_freetype_0" style="">
                      <div class="ipt_uif_column_inner side_margin">
                        <div class="ipt_uif_question ipt_uif_question_vertical ipt_uif_question_full">
                          <div class="ipt_uif_question_content">
                            <div class="ipt_uif_fancy_container">
                              <div class="ipt_uif_richtext ipt_uif_mathematical"> $ <input name="ipt_fsqm_form_30[freetype][0][value]" type="hidden" value="0.00" data-sayt-exclude="" class="ipt_uif_mathematical_input" data-precision="2"
                                  data-formula="O8*O3" data-options="{&quot;useGrouping&quot;:true,&quot;separator&quot;:&quot;,&quot;,&quot;decimal&quot;:&quot;.&quot;}" data-noanim="false">
                                <span class="ipt_uif_mathematical_span">0.00</span>
                                <input type="hidden" tabindex="0">
                              </div>
                              <div class="clear-both"></div>
                            </div>
                          </div>
                        </div>
                        <div class="clear-both"></div>
                      </div>
                    </div>
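Added example, not code from the scanned page or from the eForm (ipt_fsqm) plugin it embeds: a small Python parser that pulls the per-industry `data-num` weights and the `data-formula` out of markup like the fields above and reproduces the estimate the browser shows, i.e. the chosen option's `data-num` times the record count, rounded to the field's `data-precision` and grouped with commas as the `data-options` JSON requests. It assumes (from the ids, not from plugin source) that a formula token `O<n>` names pinfo element `<n>`, with `O3` being the "total records" box and the `validate[custom[integer],min[0]]` rule plus the "no commas" hint applying to it. The page's own formulas reference `O8` and `O27..O29`, whose selects lie outside this section, so the sample fragment embedded in the script (constructed here) wires the pinfo-30 industry select to `O30` instead. Both the displayed dollar figure and the hidden `freetype` value are produced in the browser from these attributes; whether the server re-derives them on submission is not visible in the dump.

```python
"""Reproduce, offline, the client-side cost estimate of the eForm
(ipt_fsqm) survey in this DOM dump: records x per-record weight.

Added example, not code from the scanned page or the eForm plugin.
Assumptions taken from the markup, not from plugin source: a formula
token O<n> names pinfo element <n>; a <select> contributes the chosen
<option>'s data-num, a visible <input> its typed value.  The fragment
below is constructed; the page's real formulas use O8 and O27..O29,
whose selects sit outside this section, so O30 stands in here.
"""
import re
from html.parser import HTMLParser

# Constructed fragment modelled on the dump (ids kept, option list trimmed).
SAMPLE_HTML = """
<select name="ipt_fsqm_form_30[pinfo][30][options][]" id="ipt_fsqm_form_30_pinfo_30_options_">
  <option value="7" data-num="192">Financial Services</option>
  <option value="8" data-num="166">Technology</option>
  <option value="5" data-num="60">Public Sector</option>
</select>
<input type="hidden" name="ipt_fsqm_form_30[pinfo][3][m_type]" id="ipt_fsqm_form_30_pinfo_3_m_type" value="pinfo">
<input type="number" name="ipt_fsqm_form_30[pinfo][3][value]" id="ipt_fsqm_form_30_pinfo_3_value" min="0" value="">
<input name="ipt_fsqm_form_30[freetype][0][value]" type="hidden" value="0.00"
       class="ipt_uif_mathematical_input" data-precision="2" data-formula="O30*O3">
"""

PINFO_ID = re.compile(r"^ipt_fsqm_form_\d+_pinfo_(\d+)_")


def is_valid_records(raw: str) -> bool:
    """Mirror validate[custom[integer],min[0]] and the 'no commas' hint."""
    return re.fullmatch(r"\d+", raw) is not None


class EFormParser(HTMLParser):
    """Collect pinfo selects, visible pinfo inputs and mathematical fields."""

    def __init__(self) -> None:
        super().__init__()
        self.selects: dict[int, dict[str, float]] = {}  # idx -> label -> data-num
        self.inputs: dict[int, str] = {}                # idx -> raw typed value
        self.formulas: list[tuple[str, int]] = []       # (data-formula, precision)
        self._sel = None   # index of the <select> being read
        self._num = None   # data-num of the <option> being read

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "select" and (m := PINFO_ID.match(a.get("id") or "")):
            self._sel = int(m.group(1))
            self.selects[self._sel] = {}
        elif tag == "option" and self._sel is not None:
            self._num = float(a.get("data-num") or 0)
        elif tag == "input" and "ipt_uif_mathematical_input" in (a.get("class") or ""):
            self.formulas.append((a["data-formula"], int(a.get("data-precision") or 2)))
        elif tag == "input" and a.get("type") != "hidden":
            # the hidden m_type/type bookkeeping inputs share the id prefix; skip them
            if m := PINFO_ID.match(a.get("id") or ""):
                self.inputs[int(m.group(1))] = a.get("value") or ""

    def handle_data(self, data):
        if self._sel is not None and self._num is not None and data.strip():
            self.selects[self._sel][data.strip()] = self._num
            self._num = None

    def handle_endtag(self, tag):
        if tag == "select":
            self._sel = None


def _value(p: EFormParser, idx: int, choices: dict[int, str]) -> float:
    """Numeric value of pinfo element idx for the visitor's current answers."""
    if idx in p.selects:
        return p.selects[idx][choices[idx]]
    raw = p.inputs[idx]
    if not is_valid_records(raw):
        raise ValueError(f"O{idx}: {raw!r} rejected (integer >= 0, no commas)")
    return float(raw)


def _arith(expr: str) -> float:
    """Minimal + - * / ( ) evaluator over plain numbers; no eval()."""
    tokens = re.findall(r"\d+(?:\.\d+)?|[-+*/()]", expr)
    pos = 0

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def factor():
        t = take()
        if t == "(":
            v = expr_()
            take()  # closing parenthesis
            return v
        return -factor() if t == "-" else float(t)

    def term():
        v = factor()
        while peek() in ("*", "/"):
            v = v * factor() if take() == "*" else v / factor()
        return v

    def expr_():
        v = term()
        while peek() in ("+", "-"):
            v = v + term() if take() == "+" else v - term()
        return v

    return expr_()


def evaluate(html: str, choices: dict[int, str], records: str) -> list[str]:
    """Formatted result of every mathematical field (useGrouping + precision)."""
    p = EFormParser()
    p.feed(html)
    p.inputs[3] = records  # what the visitor types into the pinfo-3 box
    out = []
    for formula, precision in p.formulas:
        expr = re.sub(r"O(\d+)", lambda m: repr(_value(p, int(m.group(1)), choices)), formula)
        if re.search(r"[^0-9.+\-*/() ]", expr):
            raise ValueError(f"unsupported formula: {formula}")
        out.append(f"{_arith(expr):,.{precision}f}")
    return out
```

Calling `evaluate(SAMPLE_HTML, {30: "Financial Services"}, "12000")` returns `['2,304,000.00']`, the same string the `ipt_uif_mathematical_span` would show for that choice; feeding the full dump instead of the sample and mapping every hidden select's index to the formulas that reference it gives the complete per-industry table without touching the live page.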
                    <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[freetype][22][m_type]" id="ipt_fsqm_form_30_freetype_22_m_type" value="freetype" class="ipt_fsqm_hf_m_type">
                    <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[freetype][22][type]" id="ipt_fsqm_form_30_freetype_22_type" value="mathematical" class="ipt_fsqm_hf_type">
                    <div class="ipt_uif_column ipt_uif_column_full ipt_uif_conditional ipt_fsqm_container_mathematical iptUIFCHidden" id="ipt_fsqm_form_30_freetype_22" style="display: none;">
                      <div class="ipt_uif_column_inner side_margin">
                        <div class="ipt_uif_question ipt_uif_question_vertical ipt_uif_question_full">
                          <div class="ipt_uif_question_content">
                            <div class="ipt_uif_fancy_container">
                              <div class="ipt_uif_richtext ipt_uif_mathematical"> $ <input name="ipt_fsqm_form_30[freetype][22][value]" type="hidden" value="0.00" data-sayt-exclude="" class="ipt_uif_mathematical_input" data-precision="2"
                                  data-formula="O27*O3" data-options="{&quot;useGrouping&quot;:true,&quot;separator&quot;:&quot;,&quot;,&quot;decimal&quot;:&quot;.&quot;}" data-noanim="false">
                                <span class="ipt_uif_mathematical_span">0.00</span>
                                <input type="hidden" tabindex="0">
                              </div>
                              <div class="clear-both"></div>
                            </div>
                          </div>
                        </div>
                        <div class="clear-both"></div>
                      </div>
                    </div>
                    <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[freetype][23][m_type]" id="ipt_fsqm_form_30_freetype_23_m_type" value="freetype" class="ipt_fsqm_hf_m_type">
                    <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[freetype][23][type]" id="ipt_fsqm_form_30_freetype_23_type" value="mathematical" class="ipt_fsqm_hf_type">
                    <div class="ipt_uif_column ipt_uif_column_full ipt_uif_conditional ipt_fsqm_container_mathematical iptUIFCHidden" id="ipt_fsqm_form_30_freetype_23" style="display: none;">
                      <div class="ipt_uif_column_inner side_margin">
                        <div class="ipt_uif_question ipt_uif_question_vertical ipt_uif_question_full">
                          <div class="ipt_uif_question_content">
                            <div class="ipt_uif_fancy_container">
                              <div class="ipt_uif_richtext ipt_uif_mathematical"> $ <input name="ipt_fsqm_form_30[freetype][23][value]" type="hidden" value="0.00" data-sayt-exclude="" class="ipt_uif_mathematical_input" data-precision="2"
                                  data-formula="O28*O3" data-options="{&quot;useGrouping&quot;:true,&quot;separator&quot;:&quot;,&quot;,&quot;decimal&quot;:&quot;.&quot;}" data-noanim="false">
                                <span class="ipt_uif_mathematical_span">0.00</span>
                                <input type="hidden" tabindex="0">
                              </div>
                              <div class="clear-both"></div>
                            </div>
                          </div>
                        </div>
                        <div class="clear-both"></div>
                      </div>
                    </div>
                    <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[freetype][24][m_type]" id="ipt_fsqm_form_30_freetype_24_m_type" value="freetype" class="ipt_fsqm_hf_m_type">
                    <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[freetype][24][type]" id="ipt_fsqm_form_30_freetype_24_type" value="mathematical" class="ipt_fsqm_hf_type">
                    <div class="ipt_uif_column ipt_uif_column_full ipt_uif_conditional ipt_fsqm_container_mathematical iptUIFCHidden" id="ipt_fsqm_form_30_freetype_24" style="display: none;">
                      <div class="ipt_uif_column_inner side_margin">
                        <div class="ipt_uif_question ipt_uif_question_vertical ipt_uif_question_full">
                          <div class="ipt_uif_question_content">
                            <div class="ipt_uif_fancy_container">
                              <div class="ipt_uif_richtext ipt_uif_mathematical"> $ <input name="ipt_fsqm_form_30[freetype][24][value]" type="hidden" value="0.00" data-sayt-exclude="" class="ipt_uif_mathematical_input" data-precision="2"
                                  data-formula="O29*O3" data-options="{&quot;useGrouping&quot;:true,&quot;separator&quot;:&quot;,&quot;,&quot;decimal&quot;:&quot;.&quot;}" data-noanim="false">
                                <span class="ipt_uif_mathematical_span">0.00</span>
                                <input type="hidden" tabindex="0">
                              </div>
                              <div class="clear-both"></div>
                            </div>
                          </div>
                        </div>
                        <div class="clear-both"></div>
                      </div>
                    </div>
                    <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[freetype][25][m_type]" id="ipt_fsqm_form_30_freetype_25_m_type" value="freetype" class="ipt_fsqm_hf_m_type">
                    <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[freetype][25][type]" id="ipt_fsqm_form_30_freetype_25_type" value="mathematical" class="ipt_fsqm_hf_type">
                    <div class="ipt_uif_column ipt_uif_column_full ipt_uif_conditional ipt_fsqm_container_mathematical iptUIFCHidden" id="ipt_fsqm_form_30_freetype_25" style="display: none;">
                      <div class="ipt_uif_column_inner side_margin">
                        <div class="ipt_uif_question ipt_uif_question_vertical ipt_uif_question_full">
                          <div class="ipt_uif_question_content">
                            <div class="ipt_uif_fancy_container">
                              <div class="ipt_uif_richtext ipt_uif_mathematical"> $ <input name="ipt_fsqm_form_30[freetype][25][value]" type="hidden" value="0.00" data-sayt-exclude="" class="ipt_uif_mathematical_input" data-precision="2"
                                  data-formula="O30*O3" data-options="{&quot;useGrouping&quot;:true,&quot;separator&quot;:&quot;,&quot;,&quot;decimal&quot;:&quot;.&quot;}" data-noanim="false">
                                <span class="ipt_uif_mathematical_span">0.00</span>
                                <input type="hidden" tabindex="0">
                              </div>
                              <div class="clear-both"></div>
                            </div>
                          </div>
                        </div>
                        <div class="clear-both"></div>
                      </div>
                    </div>
                    <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[freetype][26][m_type]" id="ipt_fsqm_form_30_freetype_26_m_type" value="freetype" class="ipt_fsqm_hf_m_type">
                    <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[freetype][26][type]" id="ipt_fsqm_form_30_freetype_26_type" value="mathematical" class="ipt_fsqm_hf_type">
                    <div class="ipt_uif_column ipt_uif_column_full ipt_uif_conditional ipt_fsqm_container_mathematical iptUIFCHidden" id="ipt_fsqm_form_30_freetype_26" style="display: none;">
                      <div class="ipt_uif_column_inner side_margin">
                        <div class="ipt_uif_question ipt_uif_question_vertical ipt_uif_question_full">
                          <div class="ipt_uif_question_content">
                            <div class="ipt_uif_fancy_container">
                              <div class="ipt_uif_richtext ipt_uif_mathematical"> $ <input name="ipt_fsqm_form_30[freetype][26][value]" type="hidden" value="0.00" data-sayt-exclude="" class="ipt_uif_mathematical_input" data-precision="2"
                                  data-formula="O31*O3" data-options="{&quot;useGrouping&quot;:true,&quot;separator&quot;:&quot;,&quot;,&quot;decimal&quot;:&quot;.&quot;}" data-noanim="false">
                                <span class="ipt_uif_mathematical_span">0.00</span>
                                <input type="hidden" tabindex="0">
                              </div>
                              <div class="clear-both"></div>
                            </div>
                          </div>
                        </div>
                        <div class="clear-both"></div>
                      </div>
                    </div>
                    <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[freetype][27][m_type]" id="ipt_fsqm_form_30_freetype_27_m_type" value="freetype" class="ipt_fsqm_hf_m_type">
                    <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[freetype][27][type]" id="ipt_fsqm_form_30_freetype_27_type" value="mathematical" class="ipt_fsqm_hf_type">
                    <div class="ipt_uif_column ipt_uif_column_full ipt_uif_conditional ipt_fsqm_container_mathematical iptUIFCHidden" id="ipt_fsqm_form_30_freetype_27" style="display: none;">
                      <div class="ipt_uif_column_inner side_margin">
                        <div class="ipt_uif_question ipt_uif_question_vertical ipt_uif_question_full">
                          <div class="ipt_uif_question_content">
                            <div class="ipt_uif_fancy_container">
                              <div class="ipt_uif_richtext ipt_uif_mathematical"> $ <input name="ipt_fsqm_form_30[freetype][27][value]" type="hidden" value="0.00" data-sayt-exclude="" class="ipt_uif_mathematical_input" data-precision="2"
                                  data-formula="O32*O3" data-options="{&quot;useGrouping&quot;:true,&quot;separator&quot;:&quot;,&quot;,&quot;decimal&quot;:&quot;.&quot;}" data-noanim="false">
                                <span class="ipt_uif_mathematical_span">0.00</span>
                                <input type="hidden" tabindex="0">
                              </div>
                              <div class="clear-both"></div>
                            </div>
                          </div>
                        </div>
                        <div class="clear-both"></div>
                      </div>
                    </div>
                    <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[freetype][28][m_type]" id="ipt_fsqm_form_30_freetype_28_m_type" value="freetype" class="ipt_fsqm_hf_m_type">
                    <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[freetype][28][type]" id="ipt_fsqm_form_30_freetype_28_type" value="mathematical" class="ipt_fsqm_hf_type">
                    <div class="ipt_uif_column ipt_uif_column_full ipt_uif_conditional ipt_fsqm_container_mathematical iptUIFCHidden" id="ipt_fsqm_form_30_freetype_28" style="display: none;">
                      <div class="ipt_uif_column_inner side_margin">
                        <div class="ipt_uif_question ipt_uif_question_vertical ipt_uif_question_full">
                          <div class="ipt_uif_question_content">
                            <div class="ipt_uif_fancy_container">
                              <div class="ipt_uif_richtext ipt_uif_mathematical"> $ <input name="ipt_fsqm_form_30[freetype][28][value]" type="hidden" value="0.00" data-sayt-exclude="" class="ipt_uif_mathematical_input" data-precision="2"
                                  data-formula="O33*O3" data-options="{&quot;useGrouping&quot;:true,&quot;separator&quot;:&quot;,&quot;,&quot;decimal&quot;:&quot;.&quot;}" data-noanim="false">
                                <span class="ipt_uif_mathematical_span">0.00</span>
                                <input type="hidden" tabindex="0">
                              </div>
                              <div class="clear-both"></div>
                            </div>
                          </div>
                        </div>
                        <div class="clear-both"></div>
                      </div>
                    </div>
                    <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[freetype][29][m_type]" id="ipt_fsqm_form_30_freetype_29_m_type" value="freetype" class="ipt_fsqm_hf_m_type">
                    <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[freetype][29][type]" id="ipt_fsqm_form_30_freetype_29_type" value="mathematical" class="ipt_fsqm_hf_type">
                    <div class="ipt_uif_column ipt_uif_column_full ipt_uif_conditional ipt_fsqm_container_mathematical iptUIFCHidden" id="ipt_fsqm_form_30_freetype_29" style="display: none;">
                      <div class="ipt_uif_column_inner side_margin">
                        <div class="ipt_uif_question ipt_uif_question_vertical ipt_uif_question_full">
                          <div class="ipt_uif_question_content">
                            <div class="ipt_uif_fancy_container">
                              <div class="ipt_uif_richtext ipt_uif_mathematical"> $ <input name="ipt_fsqm_form_30[freetype][29][value]" type="hidden" value="0.00" data-sayt-exclude="" class="ipt_uif_mathematical_input" data-precision="2"
                                  data-formula="O34*O3" data-options="{&quot;useGrouping&quot;:true,&quot;separator&quot;:&quot;,&quot;,&quot;decimal&quot;:&quot;.&quot;}" data-noanim="false">
                                <span class="ipt_uif_mathematical_span">0.00</span>
                                <input type="hidden" tabindex="0">
                              </div>
                              <div class="clear-both"></div>
                            </div>
                          </div>
                        </div>
                        <div class="clear-both"></div>
                      </div>
                    </div>
                    <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[freetype][30][m_type]" id="ipt_fsqm_form_30_freetype_30_m_type" value="freetype" class="ipt_fsqm_hf_m_type">
                    <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[freetype][30][type]" id="ipt_fsqm_form_30_freetype_30_type" value="mathematical" class="ipt_fsqm_hf_type">
                    <div class="ipt_uif_column ipt_uif_column_full ipt_uif_conditional ipt_fsqm_container_mathematical iptUIFCHidden" id="ipt_fsqm_form_30_freetype_30" style="display: none;">
                      <div class="ipt_uif_column_inner side_margin">
                        <div class="ipt_uif_question ipt_uif_question_vertical ipt_uif_question_full">
                          <div class="ipt_uif_question_content">
                            <div class="ipt_uif_fancy_container">
                              <div class="ipt_uif_richtext ipt_uif_mathematical"> $ <input name="ipt_fsqm_form_30[freetype][30][value]" type="hidden" value="0.00" data-sayt-exclude="" class="ipt_uif_mathematical_input" data-precision="2"
                                  data-formula="O35*O3" data-options="{&quot;useGrouping&quot;:true,&quot;separator&quot;:&quot;,&quot;,&quot;decimal&quot;:&quot;.&quot;}" data-noanim="false">
                                <span class="ipt_uif_mathematical_span">0.00</span>
                                <input type="hidden" tabindex="0">
                              </div>
                              <div class="clear-both"></div>
                            </div>
                          </div>
                        </div>
                        <div class="clear-both"></div>
                      </div>
                    </div>
                    <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[freetype][33][m_type]" id="ipt_fsqm_form_30_freetype_33_m_type" value="freetype" class="ipt_fsqm_hf_m_type">
                    <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[freetype][33][type]" id="ipt_fsqm_form_30_freetype_33_type" value="mathematical" class="ipt_fsqm_hf_type">
                    <div class="ipt_uif_column ipt_uif_column_full ipt_uif_conditional ipt_fsqm_container_mathematical iptUIFCHidden" id="ipt_fsqm_form_30_freetype_33" style="display: none;">
                      <div class="ipt_uif_column_inner side_margin">
                        <div class="ipt_uif_question ipt_uif_question_vertical ipt_uif_question_full">
                          <div class="ipt_uif_question_content">
                            <div class="ipt_uif_fancy_container">
                              <div class="ipt_uif_richtext ipt_uif_mathematical"> $ <input name="ipt_fsqm_form_30[freetype][33][value]" type="hidden" value="0.00" data-sayt-exclude="" class="ipt_uif_mathematical_input" data-precision="2"
                                  data-formula="O36*O3" data-options="{&quot;useGrouping&quot;:true,&quot;separator&quot;:&quot;,&quot;,&quot;decimal&quot;:&quot;.&quot;}" data-noanim="false">
                                <span class="ipt_uif_mathematical_span">0.00</span>
                                <input type="hidden" tabindex="0">
                              </div>
                              <div class="clear-both"></div>
                            </div>
                          </div>
                        </div>
                        <div class="clear-both"></div>
                      </div>
                    </div>
                    <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[freetype][31][m_type]" id="ipt_fsqm_form_30_freetype_31_m_type" value="freetype" class="ipt_fsqm_hf_m_type">
                    <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[freetype][31][type]" id="ipt_fsqm_form_30_freetype_31_type" value="mathematical" class="ipt_fsqm_hf_type">
                    <div class="ipt_uif_column ipt_uif_column_full ipt_uif_conditional ipt_fsqm_container_mathematical iptUIFCHidden" id="ipt_fsqm_form_30_freetype_31" style="display: none;">
                      <div class="ipt_uif_column_inner side_margin">
                        <div class="ipt_uif_question ipt_uif_question_vertical ipt_uif_question_full">
                          <div class="ipt_uif_question_content">
                            <div class="ipt_uif_fancy_container">
                              <div class="ipt_uif_richtext ipt_uif_mathematical"> $ <input name="ipt_fsqm_form_30[freetype][31][value]" type="hidden" value="0.00" data-sayt-exclude="" class="ipt_uif_mathematical_input" data-precision="2"
                                  data-formula="O37*O3" data-options="{&quot;useGrouping&quot;:true,&quot;separator&quot;:&quot;,&quot;,&quot;decimal&quot;:&quot;.&quot;}" data-noanim="false">
                                <span class="ipt_uif_mathematical_span">0.00</span>
                                <input type="hidden" tabindex="0">
                              </div>
                              <div class="clear-both"></div>
                            </div>
                          </div>
                        </div>
                        <div class="clear-both"></div>
                      </div>
                    </div>
                    <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[freetype][32][m_type]" id="ipt_fsqm_form_30_freetype_32_m_type" value="freetype" class="ipt_fsqm_hf_m_type">
                    <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[freetype][32][type]" id="ipt_fsqm_form_30_freetype_32_type" value="mathematical" class="ipt_fsqm_hf_type">
                    <div class="ipt_uif_column ipt_uif_column_full ipt_uif_conditional ipt_fsqm_container_mathematical iptUIFCHidden" id="ipt_fsqm_form_30_freetype_32" style="display: none;">
                      <div class="ipt_uif_column_inner side_margin">
                        <div class="ipt_uif_question ipt_uif_question_vertical ipt_uif_question_full">
                          <div class="ipt_uif_question_content">
                            <div class="ipt_uif_fancy_container">
                              <div class="ipt_uif_richtext ipt_uif_mathematical"> $ <input name="ipt_fsqm_form_30[freetype][32][value]" type="hidden" value="0.00" data-sayt-exclude="" class="ipt_uif_mathematical_input" data-precision="2"
                                  data-formula="O38*O3" data-options="{&quot;useGrouping&quot;:true,&quot;separator&quot;:&quot;,&quot;,&quot;decimal&quot;:&quot;.&quot;}" data-noanim="false">
                                <span class="ipt_uif_mathematical_span">0.00</span>
                                <input type="hidden" tabindex="0">
                              </div>
                              <div class="clear-both"></div>
                            </div>
                          </div>
                        </div>
                        <div class="clear-both"></div>
                      </div>
                    </div>
                    <div class="clear-both"></div>
                  </div>
                </div>
                <div class="clear-both"></div>
              </div>
            </div>
            <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[design][15][m_type]" id="ipt_fsqm_form_30_design_15_m_type" value="design" class="ipt_fsqm_hf_m_type">
            <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[design][15][type]" id="ipt_fsqm_form_30_design_15_type" value="button" class="ipt_fsqm_hf_type">
            <div class="ipt_uif_column ipt_uif_column_full ipt_uif_conditional ipt_fsqm_container_button" id="ipt_fsqm_form_30_design_15">
              <div class="ipt_uif_column_inner side_margin">
                <div class="ipt-eform-material-button-container">
                  <div class="eform-button-container-inner">
                    <button type="button" data-pos="1" class="ipt_uif_button eform-material-button eform-ripple ipt_fsqm_jump_button medium secondary-button ui-button ui-corner-all ui-widget waves-effect waves-light" name="ipt_fsqm_jump_button_15"
                      id="ipt_fsqm_jump_button_15"> </button>
                  </div>
                </div>
                <div class="clear-both"></div>
              </div>
            </div>
            <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[design][54][m_type]" id="ipt_fsqm_form_30_design_54_m_type" value="design" class="ipt_fsqm_hf_m_type">
            <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[design][54][type]" id="ipt_fsqm_form_30_design_54_type" value="richtext" class="ipt_fsqm_hf_type">
            <div class="ipt_uif_column ipt_uif_column_full ipt_uif_conditional" id="ipt_fsqm_form_30_design_54">
              <div class="ipt_uif_column_inner side_margin">
                <div class="ipt_uif_richtext">
                  <div id="currency-bcc-61d60d27dbd8c" class="currency-bcc">
                    <iframe id="61d60d27dbd8c" name="61d60d27dbd8c" width="100%" height="300px" src="https://www.currency.wiki/widget/w.php?wd=1&amp;tm=1641418023&amp;lang="
                      style="min-width: 170px; min-height: 300px; border: 0px !important;"></iframe>
                  </div>
                  <script type="text/javascript">
                    jQuery.noConflict();
                    // Third-party currency-converter widget loader: creates an IFRAME, attaches it
                    // under the "currency-bcc-<uniqID>" container and hands the widget its settings.
                    var ypFrame = document.createElement("IFRAME");

                    function widgetTrigger(ypFrame, type, lang) {
                      // Optional language parameter for the widget URL ('-1' or undefined means none).
                      var langg = (lang != '-1' && typeof lang != 'undefined') ? '&lang=' + lang : "";
                      var uniqID = '61d60d27dbd8c';
                      var yp = '';
                      ypFrame.id = uniqID;
                      ypFrame.name = uniqID;
                      ypFrame.style = "border:0!important;min-width:170px;min-height:300px";
                      // Frame size depends on the widget mode: 'custom' (0x0), 'fix' (170x300) or 'auto' (100% wide).
                      ypFrame.width = (type == 'custom') ? "0px" : ((type == 'fix') ? "170px" : "100%");
                      ypFrame.height = (type == 'custom') ? "0px" : ((type == 'fix') ? "300px" : "300px");
                      document.getElementById("currency-bcc-" + uniqID).appendChild(ypFrame);
                      var ypElem = document.getElementById(uniqID).parentNode.childNodes;
                      var l = false;
                      var width = (type == 'custom') ? '0' : ((type == 'fix') ? 170 : 0);
                      var height = (type == 'custom') ? '0' : ((type == 'fix') ? 300 : 300);
                      // The widget only loads if its backlink anchor (<a href="https://www.currency.wiki/">
                      // without rel="nofollow") is a sibling of the frame; the anchor is removed afterwards.
                      for (var i = 0; i < ypElem.length; i++) {
                        if (ypElem[i].nodeType == 1 && ypElem[i].nodeName == "A" && ypElem[i].href == "https://www.currency.wiki/" && !(ypElem[i].rel && (ypElem[i].rel.indexOf('nofollow') + 1))) {
                          var ypTmp = ypElem[i];
                          // Widget configuration (size, currencies USD -> GBP, colours) serialised for postMessage.
                          yp = JSON.stringify({
                            w: width,
                            h: height,
                            nodeType: ypElem[i].nodeType,
                            nodeName: ypElem[i].nodeName,
                            href: ypElem[i].href,
                            rel: ypElem[i].rel,
                            cd: uniqID,
                            f: 'USD',
                            t: 'GBP',
                            c: 'ffffff',
                            fc: '333333'
                          });
                          l = true;
                          break;
                        }
                      }
                      if (l && yp) {
                        var url = "https://www.currency.wiki/widget/w.php?wd=1&tm=" + 1641418023 + langg;
                        url = url.replace(/\"/g, "");
                        ypFrame.setAttribute("src", url);
                        var w = window.frames[uniqID];
                        ypFrame.onload = function() {
                          // Target origin is the wildcard "*", so whatever document is loaded in the
                          // frame receives this message; the payload here contains only widget settings.
                          w.postMessage({
                            "t": yp
                          }, "*");
                        }
                        ypTmp.parentNode.removeChild(ypTmp);
                      } else {
                        console.log('Something went wrong, please try later.');
                      }
                    }
                    widgetTrigger(ypFrame, 'auto', '');
                  </script>
                  <style>
                    .currency-bcc iframe {
                      border: none;
                      outline: none;
                    }
                  </style>
                  <div class="clear-both"></div>
                </div>
                <div class="clear-both"></div>
              </div>
            </div>
            <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[design][53][m_type]" id="ipt_fsqm_form_30_design_53_m_type" value="design" class="ipt_fsqm_hf_m_type">
            <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[design][53][type]" id="ipt_fsqm_form_30_design_53_type" value="collapsible" class="ipt_fsqm_hf_type">
            <div class="ipt_uif_column ipt_uif_column_full ipt_uif_conditional ipt_fsqm_container_collapsible" id="ipt_fsqm_form_30_design_53">
              <div class="ipt_uif_column_inner side_margin">
                <div class="ipt_uif_container ipt_uif_collapsible" data-opened="">
                  <div class="ipt_uif_container_head">
                    <h3><a href="javascript:;" class="ipt_uif_collapsible_handle_anchor"><span class="ipt-icomoon-arrow-down3 collapsible_state"></span> <span class="ipt_uif_container_label">How we calculated your score:</span></a>
                    </h3>
                  </div>
                  <div class="ipt_uif_container_inner" style="display: none;">
                    <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[design][4][m_type]" id="ipt_fsqm_form_30_design_4_m_type" value="design" class="ipt_fsqm_hf_m_type">
                    <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[design][4][type]" id="ipt_fsqm_form_30_design_4_type" value="richtext" class="ipt_fsqm_hf_type">
                    <div class="ipt_uif_column ipt_uif_column_full ipt_uif_conditional" id="ipt_fsqm_form_30_design_4">
                      <div class="ipt_uif_column_inner side_margin">
                        <div class="ipt_uif_richtext">
                          <p>The average cost per stolen record stems from highly regarded research sponsored by IBM and independently conducted by Ponemon Institute LLC (June 2017 report). The research was conducted with 419 participating
                            organisations. Data breaches ranged from a low of 2,600 to slightly less than 100,000 compromised records.</p>
                          <p class="MsoNormal">Other variables include:</p>
                          <p class="MsoNormal"><b style="text-indent: -0.25in;">Cost for ID Fraud Incident Investigation/Forensic Audit:&nbsp;</b><span style="text-indent: -0.25in;">Forensic auditors often charge by the individual unit or location
                              being investigated. These fees can be anywhere between $8,000 and $20,000 per location for small businesses and can far exceed $30,000 for companies that engage in substantial e-commerce business and/or a material volume
                              of credit transactions.</span></p>
                          <p class="MsoNormal"><b style="text-indent: -0.25in;">Reissuance of Cards (PCI-DSS):</b><span style="text-indent: -0.25in;">&nbsp;Banks often insist that a breached company’s customers be reissued new credit
                              cards. This cost can range from $3 to $10 per card.</span></p>
                          <p class="MsoNormal"><b style="text-indent: -0.25in;">Merchant Acquirer/Processor Fines and Penalties (PCI-DSS):</b><span style="text-indent: -0.25in;">&nbsp;These fines, imposed contractually under your card
                              processing agreements, can range from $50,000 to $500,000 depending on the size, nature and severity of the PCI-DSS infractions.</span></p>
                          <p class="MsoNormal"><b style="text-indent: -0.25in;">Fraud Chargebacks (PCI-DSS):</b><span style="text-indent: -0.25in;">&nbsp;These depend on variables such as the amount of time a hacker spends undetected in a
                              company’s internal systems (on average 150-170 days).</span></p>
                          <p class="MsoNormal"><b style="text-indent: -0.25in;">Remediation Costs:</b><span style="text-indent: -0.25in;">&nbsp;The price of fixing the problems that gave rise to the breach may be considerable. The expensive,
                              stringent assessments and analysis required of large companies that handle a substantial volume of credit cards will be imposed on small and medium-sized companies that experience a breach.</span></p>
                          <p class="MsoNormal"><b style="text-indent: -0.25in;">Customer Notification and Credit Monitoring:</b><span style="text-indent: -0.25in;">&nbsp;Most states now require that customers be notified in writing and in a timely
                              manner. Many breached organisations feel a responsibility to offer their consumer customers an annual credit monitoring service. These are not inexpensive.</span></p>
                          <p class="MsoNormal"><b style="text-indent: -0.25in;">Litigation:</b><span style="text-indent: -0.25in;">&nbsp;Within this litigious society, there are law firms specializing in breach litigation. The expense of defending a
                              single case can be considerable.</span></p>
                          <p class="MsoNormal"><b style="text-indent: -0.25in;">Loss of Consumer Confidence:</b><span style="text-indent: -0.25in;">&nbsp;Cybersecurity experts have extrapolated from actual data breach experience that businesses may
                              lose as many as 40% of their customers post breach. Between the tangible and intangible costs of a breach, it is no wonder
                              that so many companies are put out of business by a significant breach.</span></p>
                          <p class="MsoNormal"><b style="text-indent: -0.25in;">Health Organization Costs:</b><span style="text-indent: -0.25in;">&nbsp;Like Personally Identifiable Information (PII), patient records can be much more valuable than
                              credit card data on the black market, which explains why hackers have targeted patient records. They are a virtual treasure trove for a hacker, who can often obtain dates of birth and Social Security numbers, which make it
                              easy to create false identities and file false insurance claims, loans and tax returns. From a patient’s point of view, the damage is often much harder to repair than that from a
                              compromised credit card and may even require obtaining a new Social Security Number to replace the stolen one. From a healthcare company’s perspective, not only must it deal with the aftermath of deeply upset patient
                              customers, it is also more vulnerable to State Attorney General actions, class action lawsuits, Federal Trade Commission fines and HHS penalties.</span></p>
                          <p class="MsoNormal">Now that you have a better sense of the profound financial cost of a data breach, please see our video and take the Educational Assessment Tests to better determine your organisation’s CyberSecurity,
                            PCI-DSS and GDPR vulnerability to a breach and how to minimize your exposure.</p>
                          <div class="clear-both"></div>
                        </div>
                        <div class="clear-both"></div>
                      </div>
                    </div>
                    <div class="clear-both"></div>
                  </div>
                </div>
                <div class="clear-both"></div>
              </div>
            </div>
            <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[pinfo][5][m_type]" id="ipt_fsqm_form_30_pinfo_5_m_type" value="pinfo" class="ipt_fsqm_hf_m_type">
            <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[pinfo][5][type]" id="ipt_fsqm_form_30_pinfo_5_type" value="textinput" class="ipt_fsqm_hf_type">
            <div class="ipt_uif_column ipt_uif_column_full ipt_uif_conditional ipt_fsqm_container_textinput" id="ipt_fsqm_form_30_pinfo_5">
              <div class="ipt_uif_column_inner side_margin">
                <div class="ipt_uif_question">
                  <div class="ipt_uif_question_label">
                    <label class="ipt_uif_question_title ipt_uif_label" for="ipt_fsqm_form_30_pinfo_5_value">Small Text Title<span class="ipt_uif_question_required">*</span></label>
                    <div class="clear-both"></div>
                  </div>
                  <div class="ipt_uif_question_content">
                    <div class="input-field has-icon">
                      <input class=" check_me validate[required] ipt_uif_text" type="text" name="ipt_fsqm_form_30[pinfo][5][value]" id="ipt_fsqm_form_30_pinfo_5_value" maxlength="" value="">
                      <i title="" class=" ipticm prefix" data-ipt-icomoon=""></i>
                      <label for="ipt_fsqm_form_30_pinfo_5_value">Write here</label>
                    </div>
                    <div class="clear-both"></div>
                  </div>
                </div>
                <div class="clear-both"></div>
              </div>
            </div>
          </div>
          <div class="clear-both"></div>
        </div>
        <div id="ipt_fsqm_form_30_tab_1" class="ipt_fsqm_form_tab_panel ui-tabs-panel ui-corner-bottom ui-widget-content" aria-labelledby="ui-id-2" role="tabpanel" aria-hidden="true" style="display: none;">
          <div id="ipt_fsqm_form_30_layout_1_inner" class="ipt-eform-layout-wrapper">
            <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[design][31][m_type]" id="ipt_fsqm_form_30_design_31_m_type" value="design" class="ipt_fsqm_hf_m_type">
            <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[design][31][type]" id="ipt_fsqm_form_30_design_31_type" value="richtext" class="ipt_fsqm_hf_type">
            <div class="ipt_uif_column ipt_uif_column_full ipt_uif_conditional" id="ipt_fsqm_form_30_design_31">
              <div class="ipt_uif_column_inner side_margin">
                <div class="ipt_uif_richtext">
                  <p><img class="alignnone size-full wp-image-2008" src="/wp-content/uploads/2018/02/screenshot-pciu.wpengine.com-2018.02.08-11-14-53.jpeg" alt="" width="1024" height="580"></p>
                  <div class="clear-both"></div>
                </div>
                <div class="clear-both"></div>
              </div>
            </div>
            <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[design][43][m_type]" id="ipt_fsqm_form_30_design_43_m_type" value="design" class="ipt_fsqm_hf_m_type">
            <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[design][43][type]" id="ipt_fsqm_form_30_design_43_type" value="richtext" class="ipt_fsqm_hf_type">
            <div class="ipt_uif_column ipt_uif_column_full ipt_uif_conditional" id="ipt_fsqm_form_30_design_43">
              <div class="ipt_uif_column_inner side_margin">
                <div class="ipt_uif_richtext">
                  <p>The GDPR provides for a mechanism to deliver two-tiered sanctions dependent upon the extent of violations determined by the regulators. As both levels of sanctions are determined by your organisation’s annual global turnover
                    (revenue), the following question is both relevant and material to obtain the range of penalties in the event of a data security breach.</p>
                  <div class="clear-both"></div>
                </div>
                <div class="clear-both"></div>
              </div>
            </div>
            <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[design][44][m_type]" id="ipt_fsqm_form_30_design_44_m_type" value="design" class="ipt_fsqm_hf_m_type">
            <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[design][44][type]" id="ipt_fsqm_form_30_design_44_type" value="container" class="ipt_fsqm_hf_type">
            <div class="ipt_uif_column ipt_uif_column_full ipt_uif_conditional ipt_fsqm_container_container" id="ipt_fsqm_form_30_design_44">
              <div class="ipt_uif_column_inner side_margin">
                <div class="eform-styled-container ipt_uif_container" data-opened="1">
                  <div class="ipt_uif_container_head">
                    <h3> <span class="ipt_uif_container_label">Please insert the amount of your organisation’s annual Global Turnover (Revenue) in your last fiscal year.</span></h3>
                  </div>
                  <div class="ipt_uif_container_inner">
                    <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[pinfo][15][m_type]" id="ipt_fsqm_form_30_pinfo_15_m_type" value="pinfo" class="ipt_fsqm_hf_m_type">
                    <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[pinfo][15][type]" id="ipt_fsqm_form_30_pinfo_15_type" value="textinput" class="ipt_fsqm_hf_type">
                    <div class="ipt_uif_column ipt_uif_column_full ipt_uif_conditional ipt_fsqm_container_textinput" id="ipt_fsqm_form_30_pinfo_15">
                      <div class="ipt_uif_column_inner side_margin">
                        <div class="ipt_uif_question ipt_uif_question_vertical ipt_uif_question_full">
                          <div class="ipt_uif_question_content">
                            <div class="input-field has-icon">
                              <input class=" check_me validate[custom[integer]] ipt_uif_text" min="" max="" step="any" type="number" name="ipt_fsqm_form_30[pinfo][15][value]" id="ipt_fsqm_form_30_pinfo_15_value" maxlength="" value="">
                              <i title="" class=" ipticm prefix" data-ipt-icomoon=""></i>
                              <label for="ipt_fsqm_form_30_pinfo_15_value">i.e. 15230000</label>
                            </div>
                            <div class="clear-both"></div>
                          </div>
                        </div>
                        <div class="clear-both"></div>
                      </div>
                    </div>
                    <div class="clear-both"></div>
                  </div>
                </div>
                <div class="clear-both"></div>
              </div>
            </div>
            <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[design][46][m_type]" id="ipt_fsqm_form_30_design_46_m_type" value="design" class="ipt_fsqm_hf_m_type">
            <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[design][46][type]" id="ipt_fsqm_form_30_design_46_type" value="richtext" class="ipt_fsqm_hf_type">
            <div class="ipt_uif_column ipt_uif_column_full ipt_uif_conditional" id="ipt_fsqm_form_30_design_46">
              <div class="ipt_uif_column_inner side_margin">
                <div class="ipt_uif_richtext">
                  <h2 style="text-align: center;"><strong>Egregious Penalty</strong></h2>
                  <div class="clear-both"></div>
                </div>
                <div class="clear-both"></div>
              </div>
            </div>
            <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[design][47][m_type]" id="ipt_fsqm_form_30_design_47_m_type" value="design" class="ipt_fsqm_hf_m_type">
            <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[design][47][type]" id="ipt_fsqm_form_30_design_47_type" value="richtext" class="ipt_fsqm_hf_type">
            <div class="ipt_uif_column ipt_uif_column_full ipt_uif_conditional" id="ipt_fsqm_form_30_design_47">
              <div class="ipt_uif_column_inner side_margin">
                <div class="ipt_uif_richtext">
                  <p>The following calculation takes into account what happens with a finding by the regulators of the most serious of GDPR infractions wherein regulatory fines <strong>may go as high as 20 million Euros or 4%</strong> of your
                    organisation’s annual global turnover for the preceding financial year, whichever is greater.</p>
                  <div class="clear-both"></div>
                </div>
                <div class="clear-both"></div>
              </div>
            </div>
            <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[freetype][7][m_type]" id="ipt_fsqm_form_30_freetype_7_m_type" value="freetype" class="ipt_fsqm_hf_m_type">
            <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[freetype][7][type]" id="ipt_fsqm_form_30_freetype_7_type" value="mathematical" class="ipt_fsqm_hf_type">
            <div class="ipt_uif_column ipt_uif_column_full ipt_uif_conditional ipt_fsqm_container_mathematical" id="ipt_fsqm_form_30_freetype_7">
              <div class="ipt_uif_column_inner side_margin">
                <div class="ipt_uif_question ipt_uif_question_full">
                  <div class="ipt_uif_question_content">
                    <div class="ipt_uif_fancy_container">
                      <div class="ipt_uif_richtext ipt_uif_mathematical"> € <input name="ipt_fsqm_form_30[freetype][7][value]" type="hidden" value="0.00" data-sayt-exclude="" class="ipt_uif_mathematical_input" data-precision="2"
                          data-formula="O15*0.04" data-options="{&quot;useGrouping&quot;:true,&quot;separator&quot;:&quot;,&quot;,&quot;decimal&quot;:&quot;.&quot;}" data-noanim="false">
                        <span class="ipt_uif_mathematical_span">0.00</span>
                      </div>
                      <div class="clear-both"></div>
                    </div>
                  </div>
                </div>
                <div class="clear-both"></div>
              </div>
            </div>
            <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[freetype][9][m_type]" id="ipt_fsqm_form_30_freetype_9_m_type" value="freetype" class="ipt_fsqm_hf_m_type">
            <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[freetype][9][type]" id="ipt_fsqm_form_30_freetype_9_type" value="mathematical" class="ipt_fsqm_hf_type">
            <div class="ipt_uif_column ipt_uif_column_full ipt_uif_conditional ipt_fsqm_container_mathematical iptUIFCHidden" id="ipt_fsqm_form_30_freetype_9" style="display: none;">
              <div class="ipt_uif_column_inner side_margin">
                <div class="ipt_uif_question ipt_uif_question_full">
                  <div class="ipt_uif_question_content">
                    <div class="ipt_uif_fancy_container">
                      <div class="ipt_uif_richtext ipt_uif_mathematical"> € <input name="ipt_fsqm_form_30[freetype][9][value]" type="hidden" value="20000000.00" data-sayt-exclude="" class="ipt_uif_mathematical_input" data-precision="2"
                          data-formula="20000000.00" data-options="{&quot;useGrouping&quot;:true,&quot;separator&quot;:&quot;,&quot;,&quot;decimal&quot;:&quot;.&quot;}" data-noanim="false">
                        <span class="ipt_uif_mathematical_span">20,000,000.00</span>
                      </div>
                      <div class="clear-both"></div>
                    </div>
                  </div>
                </div>
                <div class="clear-both"></div>
              </div>
            </div>
            <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[design][45][m_type]" id="ipt_fsqm_form_30_design_45_m_type" value="design" class="ipt_fsqm_hf_m_type">
            <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[design][45][type]" id="ipt_fsqm_form_30_design_45_type" value="button" class="ipt_fsqm_hf_type">
            <div class="ipt_uif_column ipt_uif_column_full ipt_uif_conditional ipt_fsqm_container_button" id="ipt_fsqm_form_30_design_45">
              <div class="ipt_uif_column_inner side_margin">
                <div class="ipt-eform-material-button-container">
                  <div class="eform-button-container-inner">
                    <button type="button" data-pos="1" class="ipt_uif_button eform-material-button eform-ripple ipt_fsqm_jump_button medium secondary-button ui-button ui-corner-all ui-widget waves-effect waves-light" name="ipt_fsqm_jump_button_45"
                      id="ipt_fsqm_jump_button_45"> </button>
                  </div>
                </div>
                <div class="clear-both"></div>
              </div>
            </div>
            <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[design][48][m_type]" id="ipt_fsqm_form_30_design_48_m_type" value="design" class="ipt_fsqm_hf_m_type">
            <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[design][48][type]" id="ipt_fsqm_form_30_design_48_type" value="richtext" class="ipt_fsqm_hf_type">
            <div class="ipt_uif_column ipt_uif_column_full ipt_uif_conditional" id="ipt_fsqm_form_30_design_48">
              <div class="ipt_uif_column_inner side_margin">
                <div class="ipt_uif_richtext">
                  <h2 style="text-align: center;"><strong>Non-Egregious Penalty</strong></h2>
                  <div class="clear-both"></div>
                </div>
                <div class="clear-both"></div>
              </div>
            </div>
            <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[design][49][m_type]" id="ipt_fsqm_form_30_design_49_m_type" value="design" class="ipt_fsqm_hf_m_type">
            <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[design][49][type]" id="ipt_fsqm_form_30_design_49_type" value="richtext" class="ipt_fsqm_hf_type">
            <div class="ipt_uif_column ipt_uif_column_full ipt_uif_conditional" id="ipt_fsqm_form_30_design_49">
              <div class="ipt_uif_column_inner side_margin">
                <div class="ipt_uif_richtext">
                  <p>The following calculation takes into account what happens for a finding by the regulators of lesser violations, wherein regulatory fines could be imposed up to <strong>10 million Euros or 2%</strong> for global annual turnover
                    (revenue) for the preceding financial year, whichever is greater.</p>
                  <div class="clear-both"></div>
                </div>
                <div class="clear-both"></div>
              </div>
            </div>
            <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[freetype][10][m_type]" id="ipt_fsqm_form_30_freetype_10_m_type" value="freetype" class="ipt_fsqm_hf_m_type">
            <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[freetype][10][type]" id="ipt_fsqm_form_30_freetype_10_type" value="mathematical" class="ipt_fsqm_hf_type">
            <div class="ipt_uif_column ipt_uif_column_full ipt_uif_conditional ipt_fsqm_container_mathematical" id="ipt_fsqm_form_30_freetype_10" style="">
              <div class="ipt_uif_column_inner side_margin">
                <div class="ipt_uif_question ipt_uif_question_full">
                  <div class="ipt_uif_question_content">
                    <div class="ipt_uif_fancy_container">
                      <div class="ipt_uif_richtext ipt_uif_mathematical"> € <input name="ipt_fsqm_form_30[freetype][10][value]" type="hidden" value="0.00" data-sayt-exclude="" class="ipt_uif_mathematical_input" data-precision="2"
                          data-formula="O15*0.02" data-options="{&quot;useGrouping&quot;:true,&quot;separator&quot;:&quot;,&quot;,&quot;decimal&quot;:&quot;.&quot;}" data-noanim="false">
                        <span class="ipt_uif_mathematical_span">0.00</span>
                      </div>
                      <div class="clear-both"></div>
                    </div>
                  </div>
                </div>
                <div class="clear-both"></div>
              </div>
            </div>
            <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[freetype][11][m_type]" id="ipt_fsqm_form_30_freetype_11_m_type" value="freetype" class="ipt_fsqm_hf_m_type">
            <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[freetype][11][type]" id="ipt_fsqm_form_30_freetype_11_type" value="mathematical" class="ipt_fsqm_hf_type">
            <div class="ipt_uif_column ipt_uif_column_full ipt_uif_conditional ipt_fsqm_container_mathematical iptUIFCHidden" id="ipt_fsqm_form_30_freetype_11" style="display: none;">
              <div class="ipt_uif_column_inner side_margin">
                <div class="ipt_uif_question ipt_uif_question_full">
                  <div class="ipt_uif_question_content">
                    <div class="ipt_uif_fancy_container">
                      <div class="ipt_uif_richtext ipt_uif_mathematical"> € <input name="ipt_fsqm_form_30[freetype][11][value]" type="hidden" value="20000000.00" data-sayt-exclude="" class="ipt_uif_mathematical_input" data-precision="2"
                          data-formula="20000000.00" data-options="{&quot;useGrouping&quot;:true,&quot;separator&quot;:&quot;,&quot;,&quot;decimal&quot;:&quot;.&quot;}" data-noanim="false">
                        <span class="ipt_uif_mathematical_span">20,000,000.00</span>
                      </div>
                      <div class="clear-both"></div>
                    </div>
                  </div>
                </div>
                <div class="clear-both"></div>
              </div>
            </div>
            <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[design][51][m_type]" id="ipt_fsqm_form_30_design_51_m_type" value="design" class="ipt_fsqm_hf_m_type">
            <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[design][51][type]" id="ipt_fsqm_form_30_design_51_type" value="richtext" class="ipt_fsqm_hf_type">
            <div class="ipt_uif_column ipt_uif_column_full ipt_uif_conditional" id="ipt_fsqm_form_30_design_51">
              <div class="ipt_uif_column_inner side_margin">
                <div class="ipt_uif_richtext">
                  <div id="currency-bcc-61d60d27dc5f2" class="currency-bcc">
                    <iframe id="61d60d27dc5f2" name="61d60d27dc5f2" width="100%" height="300px" src="https://www.currency.wiki/widget/w.php?wd=1&amp;tm=1641418023&amp;lang="
                      style="min-width: 170px; min-height: 300px; border: 0px !important;"></iframe>
                  </div>
                  <script type="text/javascript">
                    jQuery.noConflict();
                    var ypFrame = document.createElement("IFRAME");

                    function widgetTrigger(ypFrame, type, lang) {
                      var langg = (lang != '-1' && typeof lang != 'undefined') ? '&lang=' + lang : "";
                      var uniqID = '61d60d27dc5f2';
                      var yp = '';
                      ypFrame.id = uniqID;
                      ypFrame.name = uniqID;
                      ypFrame.style = "border:0!important;min-width:170px;min-height:300px";
                      ypFrame.width = (type == 'custom') ? "0px" : ((type == 'fix') ? "170px" : "100%");
                      ypFrame.height = (type == 'custom') ? "0px" : ((type == 'fix') ? "300px" : "300px");
                      document.getElementById("currency-bcc-" + uniqID).appendChild(ypFrame);
                      var ypElem = document.getElementById(uniqID).parentNode.childNodes;
                      var l = false;
                      var width = (type == 'custom') ? '0' : ((type == 'fix') ? 170 : 0);
                      var height = (type == 'custom') ? '0' : ((type == 'fix') ? 300 : 300);
                      for (var i = 0; i < ypElem.length; i++) {
                        if (ypElem[i].nodeType == 1 && ypElem[i].nodeName == "A" && ypElem[i].href == "https://www.currency.wiki/" && !(ypElem[i].rel && (ypElem[i].rel.indexOf('nofollow') + 1))) {
                          var ypTmp = ypElem[i];
                          yp = JSON.stringify({
                            w: width,
                            h: height,
                            nodeType: ypElem[i].nodeType,
                            nodeName: ypElem[i].nodeName,
                            href: ypElem[i].href,
                            rel: ypElem[i].rel,
                            cd: uniqID,
                            f: 'EUR',
                            t: 'GPB',
                            c: 'ffffff',
                            fc: '333333'
                          });
                          l = true;
                          break;
                        }
                      }
                      if (l && yp) {
                        var url = "https://www.currency.wiki/widget/w.php?wd=1&tm=" + 1641418023 + langg;
                        url = url.replace(/\"/g, "");
                        ypFrame.setAttribute("src", url);
                        var w = window.frames[uniqID];
                        ypFrame.onload = function() {
                          w.postMessage({
                            "t": yp
                          }, "*");
                        }
                        ypTmp.parentNode.removeChild(ypTmp);
                      } else {
                        console.log('Something went wrong, please try later.');
                      }
                    }
                    widgetTrigger(ypFrame, 'auto', '');
                  </script>
                  <style>
                    .currency-bcc iframe {
                      border: none;
                      outline: none;
                    }
                  </style>
                  <div class="clear-both"></div>
                </div>
                <div class="clear-both"></div>
              </div>
            </div>
            <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[design][52][m_type]" id="ipt_fsqm_form_30_design_52_m_type" value="design" class="ipt_fsqm_hf_m_type">
            <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[design][52][type]" id="ipt_fsqm_form_30_design_52_type" value="richtext" class="ipt_fsqm_hf_type">
            <div class="ipt_uif_column ipt_uif_column_full ipt_uif_conditional" id="ipt_fsqm_form_30_design_52">
              <div class="ipt_uif_column_inner side_margin">
                <div class="ipt_uif_richtext">
                  <p>Now that you have a better sense for the profound financial cost of a data breach, please see our videos and take the Educational Assessment Tests to better determine your organisation’s Cyber Security, PCI-DSS and GDPR
                    vulnerability to a breach and how to minimize your exposure.</p>
                  <div class="clear-both"></div>
                </div>
                <div class="clear-both"></div>
              </div>
            </div>
            <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[pinfo][39][m_type]" id="ipt_fsqm_form_30_pinfo_39_m_type" value="pinfo" class="ipt_fsqm_hf_m_type">
            <input type="hidden" data-sayt-exclude="" name="ipt_fsqm_form_30[pinfo][39][type]" id="ipt_fsqm_form_30_pinfo_39_type" value="textinput" class="ipt_fsqm_hf_type">
            <div class="ipt_uif_column ipt_uif_column_full ipt_uif_conditional ipt_fsqm_container_textinput" id="ipt_fsqm_form_30_pinfo_39">
              <div class="ipt_uif_column_inner side_margin">
                <div class="ipt_uif_question">
                  <div class="ipt_uif_question_label">
                    <label class="ipt_uif_question_title ipt_uif_label" for="ipt_fsqm_form_30_pinfo_39_value">Small Text Title<span class="ipt_uif_question_required">*</span></label>
                    <div class="clear-both"></div>
                  </div>
                  <div class="ipt_uif_question_content">
                    <div class="input-field has-icon">
                      <input class=" check_me validate[required] ipt_uif_text" type="text" name="ipt_fsqm_form_30[pinfo][39][value]" id="ipt_fsqm_form_30_pinfo_39_value" maxlength="" value="">
                      <i title="" class=" ipticm prefix" data-ipt-icomoon=""></i>
                      <label for="ipt_fsqm_form_30_pinfo_39_value">Write here</label>
                    </div>
                    <div class="clear-both"></div>
                  </div>
                </div>
                <div class="clear-both"></div>
              </div>
            </div>
          </div>
          <div class="clear-both"></div>
        </div>
      </div>
      <div class="clear"></div>
      <div id="ipt_fsqm_form_30_button_container" class="ipt_fsqm_form_button_container ipt_fsqm_form_button_container--flat ipt-eform-material-button-container">
        <div class="eform-button-container-inner">
          <button type="button" class="ipt_uif_button eform-material-button eform-ripple ipt_fsqm_form_button_prev medium primary-button ui-button ui-corner-all ui-widget waves-effect waves-light ui-button-disabled ui-state-disabled"
            name="ipt_fsqm_form_30_button_prev" id="ipt_fsqm_form_30_button_prev" disabled=""> Previous</button>
          <button type="button" class="ipt_uif_button eform-material-button eform-ripple ipt_fsqm_form_button_next medium primary-button ui-button ui-corner-all ui-widget waves-effect waves-light" name="ipt_fsqm_form_30_button_next"
            id="ipt_fsqm_form_30_button_next"> Next</button>
        </div>
      </div>
      <div class="clear-both"></div>
    </div>
  </div><input type="hidden" name="pum_form_popup_id" value="1094">
</form>

POST /login/?redirect_to=https%3A%2F%2Flegacypaychex.datasecurityu.com%2F#gf_31

<form method="post" enctype="multipart/form-data" target="gform_ajax_frame_31" id="gform_31" action="/login/?redirect_to=https%3A%2F%2Flegacypaychex.datasecurityu.com%2F#gf_31">
  <input type="hidden" class="gforms-pum" value="{&quot;closepopup&quot;:false,&quot;closedelay&quot;:0,&quot;openpopup&quot;:false,&quot;openpopup_id&quot;:0}">
  <div class="gform_heading">
    <span class="gform_description"></span>
  </div>
  <div class="gform_body">
    <ul id="gform_fields_31" class="gform_fields top_label form_sublabel_below description_below">
      <li id="field_31_1" class="gfield gfield_contains_required field_sublabel_below field_description_below gfield_visibility_visible"><label class="gfield_label" for="input_31_1"><span class="gfield_required">*</span></label>
        <div class="ginput_container ginput_container_select"><select name="input_1" id="input_31_1" class="large gfield_select" aria-required="true" aria-invalid="false">
            <option value="" selected="selected" class="gf_placeholder">Company Name</option>
            <option value="R4">Data Security University</option>
            <option value="R1">Bluefin</option>
            <option value="R3">Paychex</option>
            <option value="R2">Jimmy Johns</option>
          </select></div>
      </li>
    </ul>
  </div>
  <div class="gform_footer top_label"> <input type="submit" id="gform_submit_button_31" class="gform_button button" value="Visit Portal" onclick="if(window[&quot;gf_submitting_31&quot;]){return false;}  window[&quot;gf_submitting_31&quot;]=true;  "
      onkeypress="if( event.keyCode == 13 ){ if(window[&quot;gf_submitting_31&quot;]){return false;} window[&quot;gf_submitting_31&quot;]=true;  jQuery(&quot;#gform_31&quot;).trigger(&quot;submit&quot;,[true]); }"> <input type="hidden"
      name="gform_ajax" value="form_id=31&amp;title=&amp;description=1&amp;tabindex=0">
    <input type="hidden" class="gform_hidden" name="is_submit_31" value="1">
    <input type="hidden" class="gform_hidden" name="gform_submit" value="31">
    <input type="hidden" class="gform_hidden" name="gform_unique_id" value="">
    <input type="hidden" class="gform_hidden" name="state_31" value="WyJbXSIsImZmMTdhZWI2OGNiYzhmYmNiM2UxYzU2MGIxNTE4YjU5Il0=">
    <input type="hidden" class="gform_hidden" name="gform_target_page_number_31" id="gform_target_page_number_31" value="0">
    <input type="hidden" class="gform_hidden" name="gform_source_page_number_31" id="gform_source_page_number_31" value="1">
    <input type="hidden" name="gform_field_values" value="">
  </div>
  <input type="hidden" name="pum_form_popup_id" value="1534">
</form>

POST

<form id="mk-contact-form-2" class="mk-contact-form clearfix" method="post" novalidate="novalidate" enctype="multipart/form-data">
  <div class="mk-form-row one-third">
    <input placeholder="Your Name" type="text" required="required" name="name" class="text-input s_txt-input" value="" tabindex="0">
  </div>
  <div class="mk-form-row one-third">
    <input placeholder="Your Phone Number" class="text-input s_txt-input" type="text" name="phone" value="" tabindex="0">
  </div>
  <div class="mk-form-row one-third">
    <input placeholder="Your Email" class="text-input s_txt-input" type="email" data-type="email" required="required" name="email" value="" tabindex="0">
  </div>
  <div class="mk-form-row">
    <textarea required="required" placeholder="Your Message" class="mk-textarea s_txt-input" name="content" tabindex="0"></textarea>
  </div>
  <div class="mk-form-row" style="float:left;">
    <button class="mk-progress-button contact-outline-submit outline-btn-dark" data-style="move-up" tabindex="0">
      <span class="mk-progress-button-content"> SCHEDULE DEMO </span>
      <span class="mk-progress">
        <span class="mk-progress-inner"></span>
      </span>
      <span class="state-success">
        <svg class="mk-svg-icon" data-name="mk-moon-checkmark" data-cacheid="icon-61d60d27e156c" style=" height:16px; width: 16px; " xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512">
          <path d="M432 64l-240 240-112-112-80 80 192 192 320-320z"></path>
        </svg> </span>
      <span class="state-error">
        <svg class="mk-svg-icon" data-name="mk-moon-close" data-cacheid="icon-61d60d27e16e7" style=" height:16px; width: 16px; " xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512">
          <path
            d="M507.331 411.33l-.006-.005-155.322-155.325 155.322-155.325.006-.005c1.672-1.673 2.881-3.627 3.656-5.708 2.123-5.688.912-12.341-3.662-16.915l-73.373-73.373c-4.574-4.573-11.225-5.783-16.914-3.66-2.08.775-4.035 1.984-5.709 3.655l-.004.005-155.324 155.326-155.324-155.325-.005-.005c-1.673-1.671-3.627-2.88-5.707-3.655-5.69-2.124-12.341-.913-16.915 3.66l-73.374 73.374c-4.574 4.574-5.784 11.226-3.661 16.914.776 2.08 1.985 4.036 3.656 5.708l.005.005 155.325 155.324-155.325 155.326-.004.005c-1.671 1.673-2.88 3.627-3.657 5.707-2.124 5.688-.913 12.341 3.661 16.915l73.374 73.373c4.575 4.574 11.226 5.784 16.915 3.661 2.08-.776 4.035-1.985 5.708-3.656l.005-.005 155.324-155.325 155.324 155.325.006.004c1.674 1.672 3.627 2.881 5.707 3.657 5.689 2.123 12.342.913 16.914-3.661l73.373-73.374c4.574-4.574 5.785-11.227 3.662-16.915-.776-2.08-1.985-4.034-3.657-5.707z">
          </path>
        </svg> </span>
    </button>
  </div>
  <input type="hidden" id="security" name="security" value="992bf15e90"><input type="hidden" name="_wp_http_referer" value="/login/?redirect_to=https%3A%2F%2Flegacypaychex.datasecurityu.com%2F"><input type="hidden" id="sh_id" name="sh_id"
    value="17"><input type="hidden" id="p_id" name="p_id" value="2714">
  <div class="contact-form-message clearfix"></div>
  <input type="hidden" name="pum_form_popup_id" value="2137">
</form>

Text Content

Username or E-mail


Password



Only fill in if you are not human


Forgot your password?
Terms of Use

SOUTH CAROLINA INSURANCE DATA SECURITY LAW

Name: H4655
Effective Date: April 23, 2013

South Carolina’s NAIC Data Security Law passed on 5/31/18 and took effect on
January 1, 2019.  However, licensees were given until July 1, 2019 to implement
a comprehensive Written Information Security Program and July 1, 2020 to require
licensees’ third-party service providers to implement appropriate
administrative, technical, and physical measures to protect and secure the
nonpublic information that is accessible to, or held by, the third-party
service provider.


INTENT OF THE REGULATION:

As insurance-related businesses collect and maintain significant amounts of
sensitive, nonpublic personal information, they are a prime target of
cyberattacks.  As such, South Carolina has adopted the National Association of
Insurance Commissioners’ (NAIC) Data Security Model Law.  The NAIC Data Security
Model provides a benchmark for how state-licensed insurance businesses are to
implement effective cybersecurity programs to protect sensitive personal data
and consumer privacy.




TO WHOM DOES THE REGULATION APPLY?

Covered businesses provide insurance-related services and are licensed under
South Carolina’s Insurance Department, e.g. insurance companies, insurance
agencies and brokerage businesses, and other entities that offer insurance
packages in connection with their primary business.




WHAT ENTITIES ARE EXEMPT FROM CERTAIN KEY REGULATIONS?

Exemptions apply to South Carolina’s insurance licensees with fewer
than ten (10) employees (including independent contractors).




WHAT ARE THE PRIMARY REQUIREMENTS OF THE REGULATION?

South Carolina’s insurance licensees must maintain a comprehensive Written
Information Security Program (WISP) and controls based upon the findings of a
Risk Assessment. The WISP must include third party service providers and require
protection of nonpublic information collected, processed, and maintained by the
licensee.

 1. Ensure that the licensee’s Board or Executive Management carries out
    compliance oversight;
 2. Implement Cybersecurity Training of your Personnel;
 3. Exercise due diligence concerning data security in the selection of
    licensees’ third-party service providers, and require third-party service
    providers to maintain reasonable safeguards;
 4. Maintain an Incident Response Plan;
 5. Notify South Carolina’s Insurance Commissioner of a “cybersecurity event”
    within 72 (seventy-two) hours of discovery;
 6. Maintain records concerning all cybersecurity events for a period of 5 years
    from the date of the cybersecurity event and produce those records upon
    demand of the Director;
 7. Determine the “appropriateness” and implement Security Measures of Access
    Controls, Encryption, Multi-factor Authentication, Testing and Monitoring
    Systems, and Audit Trails.




WHAT FORM OF COMPLIANCE CERTIFICATION IS REQUIRED OF LICENSEE:

Each insurer domiciled in this State shall annually submit to the Insurance
Commission a written statement by February 15th certifying that the insurer is
in compliance with the Act’s requirements. Each insurer shall maintain for
examination all records and data supporting this certificate for a period of 5
years.




WHAT IS THE DEFINITION OF 'NONPUBLIC INFORMATION' THAT’S PROTECTED BY THE
REGULATION?

“Nonpublic Information” is more encompassing than “Personal Information” as
defined under state breach notification laws. Nonpublic information includes
business related information of a licensee that, if tampered with, or if there is
an unauthorized access, use or disclosure, would result in a material adverse
impact on the licensee’s business, operations, or security.




HOW VIOLATIONS ARE TO BE HANDLED:

Civil penalties may be imposed by South Carolina’s State Department of
Insurance.

The Insurance Commissioner has the authority to investigate any violation and
take the appropriate action that is necessary to enforce the Act inclusive of
suspension or revocation of a license or a fine of up to $15,000. If the
violation is willful, the fine can go up to $30,000.


ALABAMA DATA SECURITY LAW

Name: Senate S.B. 54
Effective Date: Alabama’s NAIC Data Security Law was enacted on May 1, 2019, and
licensees were provided an additional year, or until May 1, 2020, to implement
the statute’s information security requirements. Licensees have until May 1,
2021 to implement the statute’s required controls for third party service
providers.


INTENT OF THE REGULATION:

As insurance related businesses collect and maintain significant amounts of
sensitive, nonpublic personal information, they are a prime target of
cyberattacks. As such, Alabama has adopted the National Association of
Insurance Commissioners’ (NAIC) Data Security Model Law. The NAIC Data Security
Model provides a benchmark for how state licensed insurance businesses are to
implement effective cybersecurity programs to protect sensitive personal data
and consumer privacy.




TO WHOM DOES THE REGULATION APPLY?

Covered businesses provide insurance related services and are licensed under
Alabama’s Insurance Department, e.g. Insurance companies, Insurance agencies and
brokerage businesses, and other entities that offer insurance packages in
connection with their primary business.




WHAT ENTITIES ARE EXEMPT FROM KEY REGULATIONS?

Exemptions apply to Alabama’s insurance licensees with fewer than twenty-five
(25) employees (including independent contractors), less than five (5) million
dollars ($5,000,000.00) in gross annual revenue, and less than ten (10) million
dollars ($10,000,000.00) in year-end total assets.




WHAT ARE THE PRIMARY REQUIREMENTS OF THE REGULATION?

Alabama’s insurance licensees must maintain a comprehensive Written Information
Security Program (WISP) and controls based upon the findings of a Risk
Assessment. The WISP must include third party service providers and require
protection of nonpublic information collected, processed, and maintained by the
licensee.

 1. Ensure that the licensee’s Board or Executive Management carries out
    compliance oversight;
 2. Implement Cybersecurity Training of your Personnel;
 3. Exercise due diligence concerning data security in the selection of
    licensees’ third-party service providers, and require third-party service
    providers to maintain reasonable safeguards;
 4. Maintain an Incident Response Plan;
 5. Notify Alabama’s Insurance Commissioner of a “cybersecurity event”
    within three (3) business days from discovery;
 6. Maintain records concerning all cybersecurity events for a period of at
    least 5 years from the date of the cybersecurity event and produce
    those records upon demand of the Commissioner;
 7. Maintain records concerning all cybersecurity events for a period of 5 years
    from the date of the cybersecurity event and produce those records upon
    demand of the Director;
 8. Determine the “appropriateness” and implement Security Measures of Access
    Controls, Encryption, Multi-factor Authentication, Testing and Monitoring
    Systems, and Audit Trails.




WHAT FORM OF COMPLIANCE CERTIFICATION IS REQUIRED OF LICENSEE?

Each insurer domiciled in Alabama shall annually submit to the commissioner on
or before February 15th a written statement certifying that the insurer is in
compliance with the requirements of the Act. Each insurer shall maintain for
examination all records and data supporting this certificate for a period of
five years.




WHAT IS THE DEFINITION OF 'NONPUBLIC INFORMATION' THAT’S PROTECTED BY THE
REGULATION?

“Nonpublic Information” is more encompassing than “Personal Information” as
defined under state breach notification laws. Nonpublic information includes
business related information of a licensee that, if tampered with, or if there is
an unauthorized access, use or disclosure, would result in a material adverse
impact on the licensee’s business, operations, or security.




HOW VIOLATIONS ARE TO BE HANDLED:

The Insurance Commissioner has the authority to investigate any violation and
take the appropriate action that is necessary to enforce the Act inclusive of
suspension or revocation of a license or a fine of up to $10,000.


OHIO

Name: S.B. 273
Effective Date: The law went into effect in March 2019; its requirements take
effect on January 20, 2021, and licensees have another year, until January 20,
2022, to implement a Written Information Security Program based on the
licensee’s Risk Assessment. A licensee then has an additional year to ensure
that Third Party Service Providers are in compliance.


INTENT OF THE REGULATION:

As insurance related businesses collect and maintain significant amounts of
sensitive, nonpublic personal information, they are a prime target of
cyberattacks. As such, Ohio has adopted the National Association of Insurance
Commissioners’ (NAIC) Data Security Model Law. The NAIC Data Security Model
provides a benchmark for how state licensed insurance businesses are to
implement effective cybersecurity programs to protect sensitive personal data
and consumer privacy.




TO WHOM DOES THE REGULATION APPLY?

Covered businesses provide insurance related services and are licensed under
Ohio’s Insurance Department, e.g. Insurance companies, Insurance agencies and
brokerage businesses, and other entities that offer insurance packages in
connection with their primary business.




WHAT ENTITIES ARE EXEMPT FROM CERTAIN KEY REGULATIONS?

The exemption applies to Ohio’s insurance licensees with fewer than twenty (20)
employees, less than five (5) million dollars ($5,000,000.00) in gross annual
revenue, and less than ten (10) million dollars ($10,000,000.00) in year-end
total sales.




WHAT ARE THE PRIMARY REQUIREMENTS OF THE REGULATION?

Ohio’s insurance licensees must maintain a comprehensive Written Information
Security Program (WISP) and controls based upon the findings of a Risk
Assessment. The WISP must include third party service providers and require
protection of nonpublic information collected, processed, and maintained by the
licensee.

 1. Ensure that the licensee’s Board or Executive Management carries out
    compliance oversight;
 2. Implement Cybersecurity Training of your Personnel;
 3. Exercise due diligence concerning data security in the selection of
    licensees’ third-party service providers, and require third-party service
    providers to maintain reasonable safeguards;
 4. Maintain an Incident Response Plan;
 5. Annually submit a written statement to the superintendent of insurance,
    certifying that the licensee is in compliance with the requirements set
    forth in the law. Records supporting this certificate are to be maintained
    for five years;
 6. Notify Ohio’s Insurance Commissioner of a cybersecurity event involving 250
    or more consumers within three (3) business days of discovery;
 7. Determine the “appropriateness” and implement Security Measures of Access
    Controls, Encryption, Multi-factor Authentication, Testing and Monitoring
    Systems, and Audit Trails;
 8. ***Safe Harbor Provision: As long as an insurance licensee implements a
    Cybersecurity program in conformance with the statute, it shall have an
    affirmative defense to any cause of action alleging failure to implement
    reasonable information security controls resulting in a data breach.




WHAT FORM OF COMPLIANCE CERTIFICATION IS REQUIRED OF LICENSEE?

Each insurer domiciled in this State shall annually submit to the Insurance
Commission a written statement by February 15th certifying that the insurer is
in compliance with the Act’s requirements. Each insurer shall maintain for
examination all records and data supporting this certificate for a period of 5
years.




WHAT IS THE DEFINITION OF 'NONPUBLIC INFORMATION' THAT’S PROTECTED BY THE
REGULATION?

“Nonpublic Information” is more encompassing than “Personal Information” as
defined under state breach notification laws. Nonpublic information includes
business related information of a licensee that, if tampered with, or if there is
an unauthorized access, use or disclosure, would result in a material adverse
impact on the licensee’s business, operations, or security.




HOW VIOLATIONS ARE TO BE HANDLED:

The Insurance Commissioner has the authority to investigate any violation and
take the appropriate action that is necessary to enforce the Act inclusive of
suspension or revocation of a license or a fine of up to $10,000.


CONNECTICUT

Name: Section 230 of the Connecticut Budget Bill
Effective Date: Connecticut’s Cybersecurity Law is actually buried within
Connecticut’s state budget bill. Section 230 was signed on June 26, 2019 and
became effective on October 1, 2019. Insurance licensees are given until
October 1, 2020 to implement a Written Information Security Program (WISP). Not
later than October 1, 2021, each licensee shall require each of its third-party
service providers to implement measures to protect and secure the licensee’s
nonpublic information that is either accessible to or held by such third-party
service providers.


INTENT OF THE REGULATION:

As insurance related businesses collect and maintain significant amounts of
sensitive, nonpublic personal information, they are a prime target of
cyberattacks. As such, Connecticut has adopted, in large part, the New York
Department of Financial Services (NYDFS) Cybersecurity Regulation (23 NYCRR
500).




TO WHOM DOES THE REGULATION APPLY?

Covered businesses provide insurance related services and are licensed under
Connecticut’s Insurance Department, e.g. Insurance companies, Insurance agencies
and brokerage businesses, and other entities that offer insurance packages in
connection with their primary business.




WHAT ENTITIES ARE EXEMPT FROM CERTAIN KEY REGULATIONS?

Beginning on 10/1/2020 and ending on 9/30/21, each licensee with fewer than 20
employees (including independent contractors) is accorded an exemption from key
regulations. Thereafter, only licensees with fewer than ten (10) employees are
to be exempted. Exemptions also apply where there is less than $5,000,000 in
year-end total assets in each of the last three fiscal years from New York
business operations or where there is less than $10,000,000 in year-end total
assets.




WHAT ARE THE PRIMARY REQUIREMENTS OF THE REGULATION?

The requirements are similar to the New York Department of Financial Services
cybersecurity law in that they include the implementation of a Written
Information Security Program (WISP) based upon a Risk Assessment as well as
administrative, technical, and physical safeguards to protect non-public
information. The licensee is to designate a responsible individual to oversee
the WISP, and the licensee’s Board of Directors is required to provide
oversight. The WISP must include Penetration Testing and Vulnerability
Assessments, Audit Trails, Employee Training, a Record Retention procedure, and
an Incident Response process which provides that Connecticut’s Insurance
Commissioner is to be notified of an event that involves at least 250 consumers
no later than three business days after the date of the cybersecurity event.
***This is a departure from the NAIC model law requirement that notification is
to be provided from a “determination” that a cybersecurity event has occurred.

***Insurance licensees are also obligated to offer 24 months of credit
monitoring to consumer breach victims.




WHAT FORM OF COMPLIANCE CERTIFICATION IS REQUIRED OF LICENSEE?

Each insurer domiciled in this State shall annually submit to the Insurance
Commission a written statement by February 15th certifying that the insurer is
in compliance with the Act’s requirements. Each insurer shall maintain for
examination all records and data supporting this certificate for a period of 5
years.




WHAT IS THE DEFINITION OF 'NONPUBLIC INFORMATION' THAT’S PROTECTED BY THE
REGULATION?

“Nonpublic Information” is more encompassing than “Personal Information” as
defined under state breach notification laws. Nonpublic information includes
business related information of a licensee that, if tampered with, or if there is
an unauthorized access, use or disclosure, would result in a material adverse
impact on the licensee’s business, operations, or security.




HOW VIOLATIONS ARE TO BE HANDLED:

The Insurance Commissioner has the authority to investigate any violation and
take the appropriate action that is necessary to enforce the Act, inclusive of
suspension or revocation of a license or imposition of a fine of not more than
fifty thousand dollars ($50,000.00).


DELAWARE INSURANCE DATA SECURITY ACT

Effective Date: The law, which was passed on July 31, 2019, provides for a
compliance deadline of July 31, 2020 for insurance licensees. An additional year
has been added to the compliance deadline for third party service providers of
insurance licensees.


INTENT OF THE REGULATION:

As insurance related businesses collect and maintain significant amounts of
sensitive, nonpublic personal information, they are a prime target of
cyberattacks. As such, Delaware has adopted the National Association of
Insurance Commissioners’ (NAIC) Data Security Model Law. The NAIC Data Security
Model provides a benchmark for how state licensed insurance businesses are to
implement effective cybersecurity programs to protect sensitive personal data
and consumer privacy.




WHO IS SUBJECT TO DELAWARE'S INSURANCE DATA SECURITY ACT?

Covered businesses provide insurance related services and are licensed under
Delaware’s Insurance Department, e.g. Insurance companies, Insurance agencies
and brokerage businesses, and other entities that offer insurance packages in
connection with their primary business.




WHAT ENTITIES ARE EXEMPT FROM CERTAIN KEY REGULATIONS?

Exemptions apply to Delaware’s insurance licensees with fewer than fifteen (15)
employees.




WHAT ARE THE PRIMARY REQUIREMENTS OF THE REGULATION?

Delaware’s insurance licensees must maintain a comprehensive Written Information
Security Program (WISP) and controls based upon the findings of a Risk
Assessment. The WISP must include third party service providers and require
protection of nonpublic information collected, processed, and maintained by the
licensee.

 1. Ensure that the licensee’s Board or Executive Management carries out
    compliance oversight;
 2. Implement Cybersecurity Training of your Personnel;
 3. Exercise due diligence concerning data security in the selection of
    licensees’ third-party service providers, and require third-party service
    providers to maintain reasonable safeguards;
 4. Maintain an Incident Response Plan;
 5. Notify Delaware’s Insurance Commissioner of a cybersecurity event within
    three (3) business days of discovery;
 6. Maintain records concerning a cybersecurity event for a period of 5 years
    from the date of the cybersecurity event and produce those records upon
    demand of the Director;
 7. Provide consumer breach notification within 60 days after a cybersecurity
    event which had subjected the consumer to material harm and then offer
    credit monitoring;
 8. Determine the “appropriateness” and implement Security Measures of Access
    Controls, Encryption, Multi-factor Authentication, Testing and Monitoring
    Systems, and Audit Trails.




WHAT FORM OF COMPLIANCE CERTIFICATION IS REQUIRED OF LICENSEE?

Each insurer domiciled in Delaware shall annually submit to the commissioner on
or before February 15th a written statement certifying that the insurer is in
compliance with the requirements of the Act. Each insurer shall maintain for
examination all records and data supporting this certificate for a period of
five years.




WHAT IS THE DEFINITION OF 'NONPUBLIC INFORMATION' THAT’S PROTECTED BY THE
REGULATION?

“Nonpublic Information” is more encompassing than “Personal Information” as
defined under state breach notification laws. Nonpublic information includes
business related information of a licensee that, if tampered with, or if there is
an unauthorized access, use or disclosure, would result in a material adverse
impact on the licensee’s business, operations, or security.




HOW VIOLATIONS ARE TO BE HANDLED:

The Insurance Commissioner has the authority to investigate any violation and
take the appropriate action that is necessary to enforce the Act inclusive of
suspension or revocation of a license or a fine of up to $20,000.


MISSISSIPPI INSURANCE DATA SECURITY LAW

Name: The Cybersecurity Law, Senate Bill 2831
Effective Date: The law was passed on April 3, 2019 and became effective on
July 1, 2019. Licensees were given until July 1, 2020 to establish a
comprehensive Written Information Security Program (WISP). An additional year
has been added to the compliance deadline for third party service providers of
insurance licensees.


INTENT OF THE REGULATION:

As insurance related businesses collect and maintain significant amounts of
sensitive, nonpublic personal information, they are a prime target of
cyberattacks. As such, Mississippi has adopted the National Association of
Insurance Commissioners’ (NAIC) Data Security Model Law. The NAIC Data Security
Model provides a benchmark for how state licensed insurance businesses are to
implement effective cybersecurity programs to protect sensitive personal data
and consumer privacy.




TO WHOM DOES THE REGULATION APPLY?

Covered businesses provide insurance related services and are licensed under
Mississippi’s Insurance Department, e.g. Insurance companies, Insurance agencies
and brokerage businesses, and other entities that offer insurance packages in
connection with their primary business.




WHAT ENTITIES ARE EXEMPT FROM CERTAIN KEY REGULATIONS?

Exemptions apply to Mississippi’s insurance licensees with fewer than fifty (15)
employees (excluding independent contractors), less than five (5) million
dollars ($5,000,000.00) in gross annual revenue, and less than ten (10) million
dollars ($10,000,000.00) in year-end total assets.




WHAT ARE THE PRIMARY REQUIREMENTS OF THE REGULATION?

Mississippi’s insurance licensees must maintain a comprehensive Written
Information Security Program (WISP) and controls based upon the findings of a
Risk Assessment. The WISP must include third party service providers and require
protection of nonpublic information collected, processed, and maintained by the
licensee.

 1. Ensure that the licensee’s Board or Executive Management carries out
    compliance oversight;
 2. Implement Cybersecurity Training of your Personnel;
 3. Exercise due diligence concerning data security in the selection of
    licensees’ third-party service providers, and require third-party service
    providers to maintain reasonable safeguards;
 4. Maintain an Incident Response Plan;
 5. Notify Mississippi’s Insurance Commissioner of a cybersecurity event
    within three (3) business days of discovery;
 6. Maintain records concerning all cybersecurity events for a period of at
    least 5 years from the date of the cybersecurity event and produce those
    records upon demand of the Director;
 7. Determine the “appropriateness” and implement Security Measures of Access
    Controls, Encryption, Multi-factor Authentication, Testing and Monitoring
    Systems, and Audit Trails.




WHAT FORM OF COMPLIANCE CERTIFICATION IS REQUIRED OF LICENSEE:

Each insurer domiciled in Mississippi shall annually submit to the commissioner
on or before February 15th a written statement certifying that the insurer is in
compliance with the requirements of the Act. Each insurer shall maintain for
examination all records and data supporting this certificate for a period of
five years.




WHAT IS THE DEFINITION OF 'NONPUBLIC INFORMATION' THAT’S PROTECTED BY THE
REGULATION?

“Nonpublic Information” refers to electronic information, but does not include
“business related information”.




HOW VIOLATIONS ARE TO BE HANDLED:

The Insurance Commissioner has the authority to investigate any violation and
take the appropriate action that is necessary to enforce the Act inclusive of
suspension or revocation of a license or a fine of up to $5,000.


NEW HAMPSHIRE INSURANCE DATA SECURITY LAW

Name: Senate Bill 194
Effective Date: The law, which was passed on June 5, 2019, set a compliance
deadline of January 1, 2020. An additional year is provided to ensure that
third party service providers are compliant.


INTENT OF THE REGULATION:

As insurance related businesses collect and maintain significant amounts of
sensitive, nonpublic personal information, they are a prime target of
cyberattacks. As such, New Hampshire has adopted the National Association of
Insurance Commissioners’ (NAIC) Data Security Model Law. The NAIC Data Security
Model provides a benchmark for how state licensed insurance businesses are to
implement effective cybersecurity programs to protect sensitive personal data
and consumer privacy.




TO WHOM DOES THE REGULATION APPLY?

Covered businesses provide insurance related services and are licensed under New
Hampshire’s Insurance Department, e.g. Insurance companies, Insurance agencies
and brokerage businesses, and other entities that offer insurance packages in
connection with their primary business.




WHAT ENTITIES ARE EXEMPT FROM CERTAIN KEY REGULATIONS?

New Hampshire’s insurance licensees with fewer than twenty (20) employees
(including independent contractors) or that already comply with HIPAA are exempt
from the Act’s requirement to maintain a Written Information Security Program
(WISP).

***The law contains a “safe harbor” provision under which all licensees
that are already in compliance with the New York Department of Financial
Services (NYDFS) Cybersecurity Law are deemed to be compliant under New
Hampshire’s Cybersecurity Law.




WHAT ARE THE PRIMARY REQUIREMENTS OF THE REGULATION?

New Hampshire’s insurance licensees must maintain a comprehensive Written
Information Security Program (WISP) and controls based upon the findings of a
Risk Assessment. The WISP must include third party service providers and require
protection of nonpublic information collected, processed, and maintained by the
licensee.

 1. Ensure that the licensee’s Board or Executive Management carries out
    compliance oversight;
 2. Implement Cybersecurity Training of your Personnel;
 3. Exercise due diligence concerning data security in the selection of
    licensees’ third-party service providers, and require third-party service
    providers to maintain reasonable safeguards;
 4. Maintain an Incident Response Plan;
 5. Notify New Hampshire’s Insurance Commissioner of a cybersecurity event
    within three (3) business days of discovery;
 6. Maintain records concerning all cybersecurity events for a period of at
    least 5 years from the date of the cybersecurity event and produce
    those records upon demand of the Commissioner;
 7. Determine the “appropriateness” and implement Security Measures of Access
    Controls, Encryption, Multi-factor Authentication, Testing and Monitoring
    Systems, and Audit Trails;
 8. ***Safe Harbor protection is afforded to licensees that are already in
    compliance with the New York Department of Financial Services (NYDFS)
    Cybersecurity Regulation, 23 NYCRR 500.




WHAT FORM OF COMPLIANCE CERTIFICATION IS REQUIRED OF LICENSEE:

Each insurer domiciled in New Hampshire shall annually submit to the
commissioner on or before March 1st a written statement certifying that the
insurer is in compliance with the requirements of the Act. Each insurer shall
maintain for examination all records and data supporting this certificate for a
period of five years.




WHAT IS THE DEFINITION OF 'NONPUBLIC INFORMATION' THAT’S PROTECTED BY THE
REGULATION?

“Nonpublic Information” refers to electronic information and is more
encompassing than “Personal Information” as defined under state breach
notification laws. Unlike the NAIC model definition, it does not include
“business related information” within the definition of NPI.




HOW VIOLATIONS ARE TO BE HANDLED:

The state insurance commissioner may take “necessary or appropriate” action to
enforce the new law. Violations of the provisions may result in the suspension
or revocation of a licensee’s certificate of authority or license, or an
administrative fine of up to $2,500 per violation.


MICHIGAN DATA SECURITY LAW

Name: H.B. 6491
Effective Date: The law passed on December 28, 2018 and provided insurance
licensees with a phased implementation program:

January 20, 2021: As of this date, all sections except for the WISP and third
party service provider oversight provisions are in effect, e.g. the breach
reporting provisions relating to cybersecurity event investigations, regulatory
reporting, and individual notifications for breaches that were discovered or
subject to notification after December 31, 2019;

January 20, 2022: Licensees are to implement their WISP;

January 20, 2023: Licensees are to exercise due diligence and oversight of their
third-party service providers to ensure that they are protecting the licensee’s
nonpublic information.



INTENT OF THE REGULATION:

As insurance related businesses collect and maintain significant amounts of
sensitive, nonpublic personal information, they are a prime target of
cyberattacks. As such, Michigan has adopted the National Association of
Insurance Commissioners’ (NAIC) Data Security Model Law. The NAIC Data Security
Model provides a benchmark for how state licensed insurance businesses are to
implement effective cybersecurity programs to protect sensitive personal data
and consumer privacy.




TO WHOM DOES THE REGULATION APPLY?

Covered businesses provide insurance related services and are licensed under
Michigan’s Insurance Department, e.g. Insurance companies, Insurance agencies
and brokerage businesses, and other entities that offer insurance packages in
connection with their primary business.




WHAT ENTITIES ARE EXEMPT FROM CERTAIN KEY REGULATIONS?

Exemptions apply to Michigan’s insurance licensees with fewer
than twenty-five (25) employees (including independent contractors).




WHAT ARE THE PRIMARY REQUIREMENTS OF THE REGULATION?

Michigan’s insurance licensees must maintain a comprehensive Written Information
Security Program (WISP) and controls based upon the findings of a Risk
Assessment. The WISP must include third party service providers and require
protection of nonpublic information collected, processed, and maintained by the
licensee.

 1. Ensure that the licensee’s Board or Executive Management carries out
    compliance oversight;
 2. Implement Cybersecurity Training of your Personnel;
 3. Exercise due diligence concerning data security in the selection of
    licensees’ third-party service providers, and require third-party service
    providers to maintain reasonable safeguards;
 4. Maintain an Incident Response Plan;
 5. Notify Michigan’s Insurance Commissioner of a cybersecurity event within ten
    (10) business days of discovery;
 6. Determine the “appropriateness” and implement Security Measures of Access
    Controls, Encryption, Multi-factor Authentication, Testing and Monitoring
    Systems, and Audit Trails;
 7. Provide Breach Notification to Consumer residents where substantial loss or
    injury may be caused by the Cybersecurity Event;
 8. ***Safe Harbor Provision: As long as an insurance licensee implements a
    Cybersecurity program in conformance with the statute, it shall have an
    affirmative defense to any cause of action alleging failure to implement
    reasonable information security controls resulting in a data breach.




WHAT FORM OF COMPLIANCE CERTIFICATION IS REQUIRED OF LICENSEE?

Each insurer domiciled in this State shall annually submit to the Insurance
Commission a written statement by February 15th certifying that the insurer is
in compliance with the Act’s requirements. Each insurer shall maintain for
examination all records and data supporting this certificate for a period of 5
years.




WHAT IS THE DEFINITION OF 'NONPUBLIC INFORMATION' THAT’S PROTECTED BY THE
REGULATION?

“Nonpublic Information” is more encompassing than “Personal Information” as
defined under state breach notification laws. Nonpublic information refers to
electronic information, which includes business related information of a licensee
that, if tampered with, or if there is an unauthorized access, use or disclosure,
would result in a material adverse impact on the licensee’s business,
operations, or security.




HOW VIOLATIONS ARE TO BE HANDLED:

If a person knowingly fails to provide required notice of a security breach, the
person may be ordered to pay a civil fine of up to $250 for each failure to
provide notice, up to a possible total of $750,000 for a single security breach.


NEW YORK

Name: The New York Department of Financial Services (NYDFS) Cybersecurity
Regulation, 23 NYCRR 500
Effective Date: The NYDFS Cybersecurity Regulation was adopted on March 1, 2017
and provides for a phased implementation process incorporating four distinct
phases that gave covered entities time to implement sound policies and
controls. The fourth and final phase was effective as of March 1, 2019.



INTENT OF THE REGULATION:

The New York Department of Financial Services (NYDFS) Cybersecurity Regulation
was passed after damaging cyber-attacks and data breaches within the financial
industry and is intended to impose strict cybersecurity rules on covered
entities. The Regulation’s primary requirements call for a detailed
cybersecurity plan, the designation of a Chief Information Security Officer
(CISO), the implementation of a comprehensive cybersecurity policy, and the
maintenance of an ongoing reporting system for cybersecurity events.




HOW THE NY REGULATION 500 AND NAIC INSURANCE DATA SECURITY MODEL LAW ARE
SIMILAR:

 * Implementation of a Cybersecurity Program based on performance of a Risk
   Assessment;
 * Oversight of Third-Party Service Providers;
 * Regulatory Notification of Cybersecurity Incidents that may have a material
   effect on state resident consumers and the insurer’s business operations;
 * Nonpublic information (NPI) includes “business related information” of the
   licensee the unauthorized disclosure, access or use of which could cause a
   “material adverse impact” to the business, operation or security of the
   licensee. NPI also includes (1) information identifying a consumer plus an
   additional data element such as social security number or account number and
   (2) health care related information;
 * Submission of a written statement certifying regulation compliance.




HOW THE NY REGULATION 500 AND NAIC INSURANCE DATA SECURITY MODEL LAW DIFFER:

 * The NY Reg 500 covers state licensed banks and financial institutions as well
   as insurance related businesses whereas the NAIC Model Law is restricted to
   insurance related businesses regulated by the State Insurance Commissioner;
 * The NAIC Model Law does not limit protected “nonpublic information” to
   electronic data as does NY Reg 500.
 * The NAIC Model Law, unlike NY Reg 500, excludes risk purchasing groups and
   risk retention groups licensed in another State or a Licensee that is acting
   as an assuming insurer domiciled in another state. Thus, affiliates of a
   licensee located outside the state in question may be exempt from the
   cybersecurity requirements.
 * Unlike NY Reg 500’s specific requirements pertaining to Penetration Testing,
   Vulnerability Scanning, appointment of a CISO, Encryption, Multi-factor
   authentication, etc., the NAIC Model Law allows licensees some reasonable
   flexibility to determine which “appropriate” security controls should apply
   to their organization.




TO WHOM DOES THE REGULATION APPLY?

The NYDFS Cybersecurity Regulation applies to all entities operating under or
required to operate under DFS licensure as well as those unregulated third-party
service providers that serve DFS regulated organizations.  These licensees
include insurance companies, state-chartered banks, licensed lenders, private
bankers, foreign banks licensed to operate in New York, and mortgage companies.




WHAT ENTITIES ARE EXEMPT FROM CERTAIN REGULATIONS?

The NYDFS Cybersecurity Regulation provides for key exemptions for those
organizations that employ fewer than ten (10) people, or produce less than five
(5) million dollars ($5,000,000.00) in gross annual revenue from its NY
operations in each of the past three years, or hold less than ten (10) million
dollars ($10,000,000.00) in year-end assets.




WHAT ARE THE PRIMARY REQUIREMENTS OF THE REGULATION?

The Regulations include 23 sections outlining the requirements for: i)
developing and implementing an effective cybersecurity program; ii) requiring
covered entities to assess their cybersecurity risks, and iii) establishing
plans to proactively address those risks. As such, it is critical that the
entity policy conform with industry best practices such as ISO 27001 standards
as well as implement several key requirements that are aligned to the NIST
Cybersecurity Framework, e.g. identify both internal and external threats;
employ a cyber defense infrastructure to protect against threats; use a system
to detect and respond to cybersecurity events as well as provide breach
notifications within 72 hours of a discovered breach; work to recover from each
cybersecurity event and fulfill regulatory reporting obligations.

To round out the Regulations, an organization is required to manage
cybersecurity threats by:

 1. Using Continuously Trained and Qualified Personnel;
 2. Limiting Access Privileges;
 3. Encrypting Sensitive Data;
 4. Completing annual compliance certification with NY regulators, and
 5. Employing enhanced multi-factor authentication or a reasonable equivalent
    for all inbound connections to the entity’s network.




WHAT IS THE DEFINITION OF 'NONPUBLIC INFORMATION' THAT’S PROTECTED BY THE
REGULATION?

“Nonpublic Information” is more encompassing than “Personal Information” as
defined under state breach notification laws.  Nonpublic information refers to
electronic information which includes business related information of a licensee
that if tampered with, or if there is an unauthorized access, use or disclosure,
would result in a material adverse impact on the licensees’ business,
operations, or security.




HOW VIOLATIONS ARE TO BE HANDLED:

The NYDFS created a special unit within the Cybersecurity Division to protect
consumers and industries from cyber threats by investigating and enforcing the
Cybersecurity Regulations. Organizations are subject to both penalties and fines
for violations.






COLORADO

Name: Colo. Rev. Stat. 6-1-716 H.B. 18-1128
Effective Date: September 1, 2018
Link to Documentation



APPLICATION

Any individual or commercial entity (collectively, Entity) that conducts
business in CO and that owns, licenses, or maintains computerized data that
includes PI.

The provisions governing maintenance of PI that the Entity does not own appear
applicable to any Entity maintaining information on CO residents, whether or not
the Entity conducts business in CO.




SECURITY BREACH DEFINITION

An unauthorized acquisition of unencrypted computerized data that compromises
the security, confidentiality, or integrity of PI maintained by an Entity.

Good-faith acquisition of PI by an employee or agent of an Entity for the
purposes of the Entity is not a breach of the security of the system if the PI
is not used for a purpose unrelated to the lawful operation of the business or
is not subject to further unauthorized disclosure.




NOTIFICATION OBLIGATION

An Entity that conducts business in CO and that owns or licenses computerized
data that includes PI about a resident of CO shall, when it becomes aware of a
breach of the security of the system, give notice as soon as possible to the
affected CO resident.

Notification is not required if after a good-faith, prompt, and reasonable
investigation, the Entity determines that misuse of PI about a CO resident has
not occurred and is not likely to occur.




ATTORNEY GENERAL NOTIFICATION

If notice is provided to more than 500 CO residents, the Entity must provide
notice to the Attorney General not later than 30 days after the date of
determination that the breach occurred.




NOTIFICATION TO CONSUMER REPORTING AGENCIES

If an Entity is required to notify more than 1,000 CO residents, the Entity
shall also notify, without unreasonable delay, all consumer reporting agencies
that compile and maintain files on consumers on a nationwide basis of the
anticipated date of the notification to the residents and the approximate number
of residents who are to be notified. This paragraph shall not apply to a person
who is subject to Title V of the Gramm-Leach-Bliley Act.




THIRD-PARTY DATA NOTIFICATION

If an Entity maintains computerized data that includes PI that the Entity does
not own or license, the Entity shall give notice to and cooperate with the owner
or licensee of the information of any breach of the security of the system
immediately following discovery of a breach, if misuse of PI about a CO resident
occurred or is likely to occur. Cooperation includes sharing with the owner or
licensee information relevant to the breach, except that such cooperation shall
not be deemed to require the disclosure of confidential business information or
trade secrets.




TIMING OF NOTIFICATION

Notice shall be made in the most expedient time possible and without
unreasonable delay, but not later than 30 days after the date of determination
that the breach occurred, consistent with any measures necessary to determine
the scope of the breach and to restore the reasonable integrity of the
computerized data system.




PERSONAL INFORMATION DEFINITION

“Personal Information” means:

(a) A CO resident’s first name or first initial and last name in combination
with any one or more of the following data elements that relate to the resident,
when the data elements are not encrypted, redacted, or secured by any other
method rendering the name or the element unreadable or unusable:

 * Social Security number;
 * Student, military, or passport ID number;
 * Driver’s license number or other identification card number;
 * Medical information;
 * Health insurance identification number; or
 * Biometric data;

(b) Username or email address, in combination with a password or security
question that would permit access to an online account; or

(c) Account number, credit card number, or debit card number in combination with
any required security code, access code, or password that would permit access to
that account.

PI does not include publicly available information that is lawfully made
available to the general public from federal, state, or local government records
or widely distributed media.




NOTICE REQUIRED

Notice may be provided by one of the following methods:

 * Written notice to the postal address listed in the Entity’s records;
 * Telephonic notice; or
 * Electronic notice, if a primary means of communication by the Entity with a
   CO resident is by electronic means or the notice provided is consistent with
   the provisions regarding electronic records and signatures set forth in 15
   U.S.C. § 7001 (E-Sign Act).

For incidents that involve login credentials of an email account furnished by
the Entity, notice may not be given to that email address, but may be given by
clear and conspicuous notice delivered to the resident online when connected to
the account from an IP address or online location from which the Entity knows
the resident customarily accesses the account.

The notice must include:

 * The date, estimated date, or estimated date range of the breach;
 * Type of PI subject to the unauthorized acquisition;
 * Information the resident can use to contact the Entity to inquire about the
   security breach;
 * The toll-free telephone numbers, addresses, and websites of the major credit
   reporting agencies and the Federal Trade Commission; and
 * A statement that the resident can obtain information from the Federal Trade
   Commission and the credit reporting agencies about fraud alerts and security
   freezes.

For a breach of online account credentials, in addition to the information
above, the notice must direct the consumer to promptly change his or her
password or question and answer, or to take other steps appropriate to protect
the online account with the covered Entity and all other online accounts for
which the person whose PI has been breached uses the same username or e-mail
address and password or security question or answer.




SUBSTITUTE NOTICE AVAILABLE

Substitute notice is available if the Entity demonstrates that the cost of
providing notice will exceed $250,000, or that the affected class of persons to
be notified exceeds 250,000 CO residents, or that the Entity does not have
sufficient contact information to provide notice. Substitute notice shall
consist of all of the following:

 * Email notice, if the Entity has email addresses for the members of the
   affected class of CO residents;
 * Conspicuous posting of the notice on the website of the Entity, if the Entity
   maintains one; and
 * Notification to major statewide media.




EXCEPTION: OWN NOTIFICATION POLICY

Any Entity that maintains its own notification procedures as part of an
information security policy for the treatment of PI and whose procedures are
otherwise consistent with the timing requirements of the statute shall be deemed
to be in compliance with the notice requirements of the statute if the Entity
notifies affected CO customers in accordance with its policies in the event of a
breach of the security of the system.




EXCEPTION: COMPLIANCE WITH OTHER LAWS

 * Primary Regulator. Notification pursuant to laws, rules, regulations,
   guidance, or guidelines established by an Entity’s primary or functional
   state regulator is sufficient for compliance.
 * Gramm-Leach-Bliley Act. The provisions of this statute shall not apply to any
   Entity who is subject to Title V of the Gramm-Leach-Bliley Act.




OTHER KEY PROVISIONS:

 * Delay for Law Enforcement. Notice may be delayed if a law enforcement agency
   determines that the notice will impede a criminal investigation and the law
   enforcement agency has notified the Entity that conducts business in CO not
   to send notice required by the statute.
 * Attorney General Enforcement. The Attorney General may seek direct damages
   and injunctive relief.






IOWA

Name: Iowa Code 715C.1-2 2018 S.F. 2177
Effective Date: July 1, 2018
Link to Documentation



APPLICATION

Any individual, corporation, business trust, estate, trust, partnership, limited
liability company, association, joint venture, government, governmental
subdivision, agency, or instrumentality, public corporation, or any other legal
or commercial entity (collectively, Entity) that owns or licenses computerized
data that includes an IA resident’s PI that is used in the course of the
Entity’s business, vocation, occupation, or volunteer activities and that was
subject to a breach of security.




SECURITY BREACH DEFINITION

Unauthorized acquisition of PI maintained in computerized form by an Entity that
compromises the security, confidentiality, or integrity of the PI. Also,
unauthorized acquisition of PI maintained by a person in any medium, including
on paper, that was transferred by the person to that medium from computerized
form and that compromises the security, confidentiality, or integrity of the PI.

 * Good-faith acquisition of PI by an Entity or that Entity’s employee or agent
   for a legitimate purpose of that Entity is not a breach of security, provided
   that the PI is not used in violation of applicable law or in a manner that
   harms or poses an actual threat to the security, confidentiality, or
   integrity of the PI.




NOTIFICATION OBLIGATION

Any Entity to which the statute applies shall give notice of the breach of
security following discovery of such breach of security, or receipt of
notification of such breach, to any IA resident whose PI was included in the
information that was breached.

 * Notification is not required if, after an appropriate investigation or after
   consultation with the relevant federal, state, or local agencies responsible
   for law enforcement, the Entity determines that no reasonable likelihood of
   financial harm to the IA residents whose PI has been acquired has resulted or
   will result from the breach. Such a determination must be documented in
   writing and the documentation must be maintained for 5 years.




ATTORNEY GENERAL NOTIFICATION

If an Entity that owns or licenses computerized data that includes a consumer’s
PI used in the course of the Entity’s business, vocation, occupation, or
volunteer activities suffers a security breach requiring notification of more
than 500 IA residents, then the Entity must give written notice, following
discovery of such breach or receipt of notification from third parties, to the
director of the consumer protection division of the Attorney General’s office.
This notice must be provided within 5 business days of giving notice to any
consumer.




THIRD-PARTY DATA NOTIFICATION

Any Entity who maintains or otherwise possesses PI on behalf of another Entity
shall notify the owner or licensor of the information of any breach of security
immediately following discovery of such breach if an IA resident’s PI was
included in the information that was breached.




TIMING OF NOTIFICATION

The notification shall be made in the most expeditious manner possible and
without unreasonable delay, consistent with any measures necessary to
sufficiently determine contact information for the affected IA residents,
determine the scope of the breach, and restore the reasonable integrity,
security, and confidentiality of the data.




PERSONAL INFORMATION DEFINITION

An individual’s first name or first initial and last name in combination with
any one or more of the following data elements that relate to the individual if
any of the data elements are not encrypted, redacted, or otherwise altered by
any method or technology in such a manner that the name or data elements are
unreadable or are encrypted, redacted, or otherwise altered by any method or
technology but the keys to unencrypt, unredact, or otherwise read the data
elements have also been obtained through the breach of security:

 * Social Security number;
 * Driver’s license number or other unique identification number created or
   collected by a government body;
 * Account number, credit card number, or debit card number in combination with
   any required security code, access code, or password that would permit access
   to an individual’s financial account;
 * Account number or credit card number or debit card number in combination with
   any required expiration date, security code, access code, or password that
   would permit access to an individual’s financial account;
 * Unique electronic identifier or routing code, in combination with any
   required security code, access code, or password that would permit access to
   an individual’s financial account; or
 * Unique biometric data, such as a fingerprint, retina or iris image, or other
   unique physical representation or digital representation of biometric data.

PI does not include information that is lawfully obtained from publicly
available sources, or from federal, state, or local government records lawfully
made available to the general public.




NOTICE REQUIRED

Notice shall include, at a minimum, all of the following:

 * A description of the breach of security;
 * The approximate date of the breach of security;
 * The type of PI obtained as a result of the breach of security;
 * Contact information for consumer reporting agencies; and
 * Advice to the consumer to report suspected incidents of identity theft to
   local law enforcement or the Attorney General.

Notification may be provided by one of the following methods:

 * Written notice to the last available address the Entity has in the Entity’s
   records; or
 * Electronic notice, if the Entity’s customary method of communication with the
   resident is by electronic means or is consistent with the provisions
   regarding electronic records and signatures set forth in 15 U.S.C. § 7001
   (E-Sign Act).




SUBSTITUTE NOTICE AVAILABLE

Substitute notice is available if the Entity demonstrates that the cost of
providing notice would exceed $250,000, that the affected class of IA residents
to be notified exceeds 350,000 persons, or that the Entity does not have
sufficient contact information to provide notice. Substitute notice shall
consist of the following:

 * Email notice when the Entity has email addresses for the affected IA
   residents;
 * Conspicuous posting of the notice or a link to the notice on the Entity’s
   website, if the Entity maintains one; and
 * Notification to major statewide media.

Exception: Own Notification Policy. Any Entity that maintains its own disclosure
procedures as part of an information privacy policy or a security policy is not
required to make a separate disclosure under the statute if the Entity’s
information privacy policy or security policy is at least as stringent as the
disclosure requirements under the statute.




EXCEPTION: COMPLIANCE WITH OTHER LAWS

 * Federal Regulator. This statute does not apply to an Entity that complies
   with notification requirements or breach of security procedures that provide
   greater protection to PI and at least as thorough disclosure requirements
   than that provided by this section pursuant to the rules, regulations,
   procedures, guidance, or guidelines established by the Entity’s primary or
   functional federal regulator.
 * More Protective Law. This statute does not apply to an Entity that complies
   with a state or federal law that provides greater protection to PI and at
   least as thorough disclosure requirements for a breach of security or PI than
   that provided by the statute.
 * Gramm-Leach-Bliley Act. This statute does not apply to an Entity that is
   subject to and complies with regulations promulgated pursuant to Title V of
   the Gramm-Leach-Bliley Act.
 * HIPAA and HITECH. This statute does not apply to an Entity that is subject to
   and complies with the regulations promulgated pursuant to the Title II,
   subtitle F of the Health Insurance Portability and Accountability Act (HIPAA)
   and Title XIII, subtitle D of the Health Information Technology for Economic
   and Clinical Health Act (HITECH).




OTHER KEY PROVISIONS:

 * Delay for Law Enforcement. The consumer notification requirements of this
   section may be delayed if a law enforcement agency determines that the
   notification will impede a criminal investigation and the agency has made a
   written request that the notification be delayed. The notification required
   by this section shall be made after the law enforcement agency determines
   that the notification will not compromise the investigation and notifies the
   Entity required to give notice in writing.
 * Attorney General Enforcement.






INDIANA

Name: Ind. Code 4-1-11 et seq.; 24-4.9-1 et seq. H.E.A. No. 1121
Effective Date: June 1, 2018
Link to Documentation 1
Link to Documentation 2


APPLICATION

Any individual, corporation, business trust, estate, trust, partnership,
association, nonprofit corporation or organization, cooperative, state agency or
any other legal entity (collectively, Entity) that owns or licenses computerized
data that includes PI.

 * The provisions governing maintenance of PI are applicable to any Entity
   maintaining information on IN residents, whether or not organized or licensed
   under the laws of IN.




SECURITY BREACH DEFINITION

An unauthorized acquisition of computerized data that compromises the security,
confidentiality, or integrity of PI maintained by an Entity. The term includes
the unauthorized acquisition of computerized data that has been transferred to
another medium, including paper, microfilm, or a similar medium, even if the
transferred data are no longer in a computerized format.

 * Unauthorized acquisition of a portable electronic device on which PI is
   stored does not constitute a security breach if all PI on the device is
   protected by encryption and the encryption key (i) has not been compromised
   or disclosed, and (ii) is not in the possession of or known to the person
   who, without authorization, acquired or has access to the portable electronic
   device.
 * Good-faith acquisition of PI by an employee or agent of the Entity for lawful
   purposes of the Entity does not constitute a security breach if the PI is not
   used or subject to further unauthorized disclosure.




NOTIFICATION OBLIGATION

Any Entity, after discovering or being notified of a breach of the security of
data, shall disclose the breach to an IN resident whose unencrypted PI was or
may have been acquired by an unauthorized person or whose encrypted PI was or
may have been acquired by an unauthorized person with access to the encryption
key if the Entity knows, or should know, or should have known that the
unauthorized acquisition constituting the breach has resulted in or could result
in identity deception (as defined in Ind. Code § 35-43-5-3.5), identity theft,
or fraud affecting the IN resident.




ATTORNEY GENERAL NOTIFICATION

If the Entity makes such a disclosure, the database owner shall also disclose
the breach to the Attorney General.




NOTIFICATION TO CONSUMER REPORTING AGENCIES

An Entity required to make a disclosure to more than 1,000 consumers shall also
disclose to all consumer reporting agencies that compile and maintain files on
consumers on a nationwide basis information necessary to assist the consumer
reporting agency in preventing fraud, including PI of an IN resident affected by
the breach of the security of a system.




THIRD-PARTY DATA NOTIFICATION

An Entity that maintains computerized data that includes PI but that does not
own or license the PI shall notify the owner of the PI if the Entity discovers
that PI was or may have been acquired by an unauthorized person.




TIMING OF NOTIFICATION

The disclosure notification shall be made without unreasonable delay and
consistent with any measures necessary to determine the scope of the breach and
restore the integrity of the system.




PERSONAL INFORMATION DEFINITION

A Social Security number that is not encrypted or redacted, or an individual’s
first and last names, or first initial and last name, and one or more of the
following data elements that are not encrypted or redacted:

 * A driver’s license number or state identification card number;
 * A credit card number; or
 * A financial account number or debit card number in combination with a
   security code, password, or access code that would permit access to the
   person’s account.

PI does not include information that is lawfully obtained from publicly
available information or from federal, state, or local government records
lawfully made available to the general public.




NOTICE REQUIRED

Notice may be provided by one of the following methods:

 * Mail;
 * Telephone;
 * Fax; or
 * Email, if the Entity has the email address of the affected IN resident.

State agencies are subject to slightly different notice requirements.




SUBSTITUTE NOTICE AVAILABLE

Substitute notice is available if an Entity demonstrates that the cost of the
disclosure exceeds $250,000, or that the affected class of subject persons to be
notified exceeds 500,000. Substitute notice shall consist of all of the
following:

 * Conspicuous posting of the notice on the website of the Entity, if the Entity
   maintains one; and
 * Notice to major news reporting media in the geographic area where IN
   residents affected by the breach of the security of a system reside.




EXCEPTION: OWN NOTIFICATION POLICY

Any Entity that maintains its own disclosure procedures as part of an
information privacy policy or a security policy is not required to make a
separate disclosure under the statute if the Entity’s information privacy policy
or security policy is at least as stringent as the disclosure requirements under
the statute.




EXCEPTION: COMPLIANCE WITH OTHER LAWS

This section does not apply to an Entity that maintains its own data security
procedures as part of an information privacy, security policy, or compliance
plan under:

 * The Gramm-Leach-Bliley Act;
 * The Health Insurance Portability and Accountability Act of 1996 (HIPAA);
 * The USA Patriot Act (P.L. 107-56);
 * Executive Order 13224;
 * The Driver Privacy Protection Act (18 U.S.C. § 2781 et seq.); or
 * The Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.);

if the Entity’s information privacy, security policy, or compliance plan
requires the Entity to maintain reasonable procedures to protect and safeguard
from unlawful use or disclosure PI of IN residents that is collected or
maintained by the Entity, and the Entity complies with the Entity’s information
privacy, security policy, or compliance plan.




OTHER KEY PROVISIONS:

 * Attorney General Enforcement. A person that knowingly or intentionally fails
   to comply with the database maintenance obligations commits a deceptive act
   that is actionable only by the state Attorney General. Penalties include
   injunctive relief, a civil penalty of not more than $150,000 per violation,
   and reasonable costs.






OREGON

Name: Or. Rev. Stat. §§ 646A.600, 646A.602, 646A.604, 646A.624, 646A.626 S.B.
684
Effective Date: January 1, 2020
Link to Documentation



APPLICATION

Any individual, private or public corporation, partnership, cooperative,
association, estate, limited liability company, organization, or other entity,
whether or not organized to operate at a profit, or a public body as defined in
Or. Rev. Stat. § 174.109 (collectively, Entity) that owns, licenses, maintains,
stores, manages, collects, processes, acquires or otherwise possesses PI in the
course of the Entity’s business, vocation, occupation or volunteer activities
and was subject to the breach of security. This does not include any person or
entity that contracts with the Entity to maintain, store, manage, process or
otherwise access PI for the purpose of, or in connection with, providing
services to or on behalf of the Entity. (Note: The expansion of application to
entities that maintain, store, or process information on their own behalf but
that they do not own is effective Jan. 1, 2020.)




SECURITY BREACH DEFINITION

Unauthorized acquisition of computerized data that materially compromises the
security, confidentiality or integrity of PI maintained or possessed by the
Entity.

 * Does not include an inadvertent acquisition of PI by an Entity or that
   Entity’s employee or agent if the PI is not used in violation of applicable
   law or in a manner that harms or poses an actual threat to the security,
   confidentiality or integrity of the PI.




NOTIFICATION OBLIGATION

Any Entity to which the statute applies shall give notice of the breach of
security following discovery of such breach of security, or receipt of
notification, to any consumer to whom the PI pertains.

 * Notification is not required if, after an appropriate investigation or after
   consultation with relevant federal, state, or local agencies responsible for
   law enforcement, the Entity reasonably determines that the breach has not and
   will not likely result in harm to the individuals whose PI has been acquired
   and accessed. Such a determination must be documented in writing and the
   documentation must be maintained for 5 years.




NOTIFICATION TO CONSUMER REPORTING AGENCIES

If an Entity discovers a breach of security affecting more than 1,000
individuals that requires disclosure under this section, the Entity shall
notify, without unreasonable delay, all consumer reporting agencies that compile
and maintain reports on individuals on a nationwide basis of the timing,
distribution, and content of the notification given by the Entity to the
individuals. The Entity shall include the police report number, if available, in
its notification to the consumer reporting agencies.




ATTORNEY GENERAL NOTIFICATION

The entity must provide notice to the Attorney General, either in writing or
electronically, if the number of OR residents affected exceeds 250. The Entity
shall disclose the breach of security to the Attorney General in the same manner
as to consumers.

Entities that are otherwise exempt from the requirements of this section by
virtue of federal regulation must nonetheless provide to the Attorney General
within a reasonable time at least one copy of any notice the person sends to
consumers or to the person’s primary or functional regulator in compliance with
this section or with other state or federal laws or regulations that apply to
the person as a consequence of a breach of security.




THIRD-PARTY DATA NOTIFICATION

Any person that maintains or otherwise possesses PI on behalf of another person
shall notify the other person of any breach of security as soon as practicable,
[Effective Jan. 1, 2020] but not later than 10 days after discovering the breach
of security or having a reason to believe that the breach of security occurred.
That person must also notify the Attorney General in writing or electronically
if the number of residents affected exceeds 250 or cannot be determined, unless
the Entity has already notified the Attorney General.




TIMING OF NOTIFICATION

The disclosure shall be made in the most expedient manner possible and without
unreasonable delay, but not later than 45 days after discovering or receiving
notice of the breach. In providing the notice, the Entity shall take reasonable
measures necessary to determine sufficient contact information for the
individuals, determine the scope of the breach, and restore the reasonable
integrity, security, and confidentiality of the PI.




PERSONAL INFORMATION DEFINITION

1) An OR resident’s first name or first initial and last name in combination
with any one or more of the following data elements, if encryption, redaction,
or other methods have not rendered the data unusable or if the data elements are
encrypted and the encryption key has also been acquired:

 * Social Security number;
 * Driver’s license number or state identification card number issued by the
   Department of Transportation;
 * Passport number or other identification number issued by the United States;
 * Account number, credit card number, or debit card number in combination with
   any required security code, access code, or password that would permit access
   to an OR resident’s financial account, or any other information or
   combination of information that a person reasonably knows or should know
   would permit access to the consumer’s financial account;
 * Biometric data from automatic measurements of a consumer’s physical
   characteristics, such as an image of a fingerprint, retina, or iris, that are
   used to authenticate the consumer’s identity in the course of a financial or
   other transaction;
 * A consumer’s health insurance policy number or health insurance subscriber
   identification number in combination with any other unique identifier that a
   health insurer uses to identify the consumer; or
 * Any information about a consumer’s medical history or mental or physical
   condition or about a health care professional’s medical diagnosis or
   treatment of the consumer.

[Effective Jan. 1, 2020] 2) A user name or other means of identifying a consumer
for the purpose of permitting access to the consumer’s account, together with
any other method necessary to authenticate the user name or means of
identification.

PI also includes any PI data element or any combination of the PI data elements
without the consumer’s first name or first initial and last name if
encryption, redaction, or other methods have not rendered the data element or
combination of data elements unusable and the data element or combination of
data elements would enable an individual to commit identity theft. PI does not
include publicly available information, other than a Social Security number,
that is lawfully made available to the general public from federal, state or
local government records.




NOTICE REQUIRED

Notice shall include at a minimum:

 * A description of the breach of security in general terms;
 * The approximate date of the breach of security;
 * The type of PI that was subject to the breach of security;
 * Contact information for the person providing the notice;
 * Contact information for national consumer reporting agencies; and
 * Advice to the individual to report suspected identity theft to law
   enforcement, including the Attorney General and the Federal Trade Commission.

Notice may be provided by one of the following methods:

 * In writing;
 * By telephone, if the Entity contacts the affected consumer directly; or
 * Electronically, if the Entity’s primary method of communication with the
   individual is by electronic means or is consistent with the provisions
   regarding electronic records and signatures set forth in 15 U.S.C. § 7001
   (E-Sign Act).




CREDIT MONITORING SERVICES

If an Entity offers credit monitoring or identity theft prevention services
without charge, the Entity may not require the affected individual to provide a
credit or debit card number or accept another service offered by the Entity for
free. If services are offered for a fee, the Entity must separately, distinctly,
clearly, and conspicuously disclose in the offer that the person will charge the
consumer a fee. The Entity must require compliance with these terms from any
company offering services on the Entity’s behalf.




SUBSTITUTE NOTICE AVAILABLE

If the Entity demonstrates that the cost of providing notice would exceed
$250,000, that the affected class of individuals to be notified exceeds 350,000,
or if the Entity does not have sufficient contact information to provide notice.
Substitute notice consists of the following:

 * Conspicuous posting of the notice or a link to the notice on the Entity’s
   website, if the Entity maintains a website; and
 * Notification to major statewide television and newspaper media.




EXCEPTION: COMPLIANCE WITH OTHER LAWS

In each of the following cases, Oregon’s notification requirements do not apply,
except that any person claiming one of these exemptions and notifying more than
250 Oregon residents must provide a copy of the individual notice and any notice
to any primary or functional regulator, to the Oregon Attorney General:

 * Primary Regulator. Personal information that is subject to, and a person that
   complies with the notification requirements or breach of security procedures
   that the person’s primary or functional federal regulator adopts, promulgates
   or issues in rules, regulations, procedures, guidelines or guidance.
 * Gramm-Leach-Bliley Act. A person that complies with regulations regarding
   notification requirements or breach of security procedures that provide
   greater protection to PI and at least as thorough disclosure requirements
   promulgated pursuant to Title V of the Gramm-Leach-Bliley Act.
 * HIPAA/HITECH. A person that complies with regulations promulgated under HIPAA
   or the HITECH Act.
 * More Restrictive State or Federal Law. An Entity that complies with a state
   or federal law that provides greater protection to PI and at least as
   thorough disclosure requirements for a breach of security of PI than that
   provided by this section.




OTHER KEY PROVISIONS:

 * Unlawful Practice. Violation of the statute is an unlawful practice under ORS
   646.607 (Unlawful Trade Practice).
 * Delay for Law Enforcement. Notification may be delayed if a law enforcement
   agency determines that the notification will impede a criminal investigation
   and that agency has made a written request that the notification be delayed.
   The required notification shall be made after that law enforcement agency
   determines that its disclosure will not compromise the investigation and
   notifies the Entity in writing.






WYOMING

Name: Wyo. Stat. 40-12-501 et seq. Senate File Nos. 35 and 36
Effective Date: July 1, 2015
Link to Documentation



APPLICATION

An individual or commercial entity (collectively, Entity) that conducts business
in WY and that owns or licenses computerized data that includes PI about a
resident of WY.




SECURITY BREACH DEFINITION

Unauthorized acquisition of computerized data that materially compromises the
security, confidentiality or integrity of PI maintained by an Entity and causes
or is reasonably believed to cause loss or injury to a resident of WY.

 * Good-faith acquisition of PI by an employee or agent of an Entity for the
   purposes of the Entity is not a breach of the security of the data system,
   provided that the PI is not used or subject to further unauthorized
   disclosure.




NOTIFICATION OBLIGATION

Any Entity to which the statute applies shall, when it becomes aware of a breach
of the security of the system, conduct in good faith a reasonable and prompt
investigation to determine the likelihood that PI has been or will be misused.
If the investigation determines that the misuse of PI about a WY resident has
occurred or is reasonably likely to occur, the Entity shall give notice as soon
as possible to the affected WY resident.




THIRD-PARTY DATA NOTIFICATION

An Entity that maintains computerized data that includes PI on behalf of another
Entity shall disclose to the Entity for which the information is maintained any
breach of the security of the system as soon as practicable following the
determination that PI was, or is reasonably believed to have been, acquired by
an unauthorized person.

The Entity that maintains the data on behalf of another Entity and the Entity on
whose behalf the data is maintained may agree which Entity will provide any
required notice, provided only a single notice for each breach of the security
of the system shall be required. If agreement regarding notification cannot be
reached, the Entity that has the direct business relationship with the resident
of WY shall provide the required notice.




TIMING OF NOTIFICATION

Notice shall be made in the most expedient time possible and without
unreasonable delay, consistent with any measures necessary to determine the
scope of the breach and to restore the reasonable integrity of the computerized
data system.




PERSONAL INFORMATION DEFINITION

The first name or first initial and last name of a person in combination with
one or more of the following data elements when the data elements are not
redacted:

 * Social Security number;
 * Driver’s license number;
 * Account number, credit card number, or debit card number in combination with
   any security code, access code, or password that would allow access to a
   financial account of the person;
 * Tribal identification card;
 * Federal or state government-issued identification card;
 * Shared secrets or security tokens that are known to be used for database
   authentication;
 * A username or email address, in combination with a password or security
   question and answer that would permit access to an online account;
 * A birth or marriage certificate;
 * Medical information, meaning a person’s medical history, mental or physical
   condition, or medical treatment or diagnosis by a health care professional;
 * Health insurance information, meaning a person’s health insurance policy
   number or subscriber identification number, any unique identifier used by a
   health insurer to identify the person, or information related to a person’s
   application and claims history;
 * Unique biometric data, meaning data generated from measurements or analysis
   of human body characteristics for authentication purposes; or
 * An individual taxpayer identification number.

PI does not include information, regardless of its source, contained in any
federal, state or local government records or in widely distributed media that
are lawfully made available to the general public.




NOTICE REQUIRED

Notice shall be clear and conspicuous and shall include, at a minimum:

 * A toll-free number that the individual may use to contact the person
   collecting the data, or his/her agent, and from which the individual may
   learn the toll-free contact telephone numbers and addresses for the major
   credit reporting agencies;
 * The types of personal identifying information that were or are reasonably
   believed to have been the subject of the breach;
 * A general description of the breach incident;
 * The approximate date of the breach of security, if that information is
   reasonably possible to determine at the time notice is provided;
 * In general terms, the actions taken by the individual or commercial entity to
   protect the system containing the personal identifying information from
   further breaches;
 * Advice that directs the person to remain vigilant by reviewing account
   statements and monitoring credit reports; and
 * Whether notification was delayed as a result of a law enforcement
   investigation, if that information is reasonably possible to determine at the
   time the notice is provided.

Notice may be provided by one of the following methods:

 * Written notice; or
 * Email notice.




SUBSTITUTE NOTICE AVAILABLE

If the Entity demonstrates that the cost of providing notice would exceed
$10,000 for WY-based Entities, and $250,000 for all other Entities operating but
not based in Wyoming; that the affected class of subject persons to be notified
exceeds 10,000 for WY-based Entities and 500,000 for all other businesses
operating but not based in WY; or the person does not have sufficient contact
information. Substitute notice shall consist of all of the following:

 * Conspicuous posting of the notice on the Internet, the World Wide Web, or a
   similar proprietary or common carrier electronic system site of the person
   collecting the data, if the person maintains a public Internet, World Wide
   Web, or a similar proprietary or common carrier electronic system site; and
 * Notification to major statewide media. The notice to media shall include a
   toll-free phone number where an individual can learn whether or not that
   individual’s personal data is included in the security breach.




EXCEPTION: COMPLIANCE WITH OTHER LAWS

 * Certain Financial Institutions. Any financial institution as defined in 15
   U.S.C. § 6809 or federal credit union as defined by 12 U.S.C. § 1752 that
   maintains notification procedures subject to the requirements of 15 U.S.C. §
   6801(b)(3) and 12 C.F.R. pt. 364 App. B or pt. 748 App. B, is deemed to be in
   compliance with the statute if the financial institution notifies affected WY
   customers in compliance with the requirements of 15 U.S.C. § 6801 through
   6809 and 12 C.F.R. pt. 364 App. B or pt. 748 App. B.
 * A covered entity or business associate that is subject to and complies with
   the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and
   the regulations promulgated under that Act, 45 C.F.R. Parts 160 and 164, is
   deemed to be in compliance if the covered entity or business associate
   notifies affected Wyoming customers or entities in compliance with the
   requirements of HIPAA and 45 C.F.R. Parts 160 and 164.




OTHER KEY PROVISIONS:

 * Delay for Law Enforcement. The notification required by the statute may be
   delayed if a law enforcement agency determines in writing that the
   notification may seriously impede a criminal investigation.
 * Attorney General Enforcement. The state Attorney General may bring an action
   in law or equity to address any violation of this section and for other
   relief that may be appropriate to ensure proper compliance with this section,
   to recover damages, or both.






IDAHO

Name: Idaho Code 28-51-104 et seq. H.B. 566
Effective Date: July 1, 2010
Link to Documentation



APPLICATION

Any agency, individual or commercial entity (collectively, Entity) that conducts
business in ID and that owns or licenses computerized data that includes PI
about a resident of ID.

 * The provisions governing maintenance of PI that the Entity does not own
   appear applicable to any Entity maintaining information on ID residents,
   whether or not the Entity conducts business in ID.




SECURITY BREACH DEFINITION

An illegal acquisition of unencrypted computerized data that materially
compromises the security, confidentiality, or integrity of PI for one or more
persons maintained by Entity.

 * Good-faith acquisition of PI by an employee or agent of an Entity for the
   purposes of the Entity is not a breach of the security of the system,
   provided that the PI is not used or subject to further unauthorized
   disclosure.




NOTIFICATION OBLIGATION

An Entity to which the statute applies shall give notice as soon as possible to
the affected ID resident.

 * Notification is not required if after a good-faith, reasonable, and prompt
   investigation the Entity determines that the PI has not been and will not be
   misused.




NOTIFICATION OBLIGATION FOR STATE AGENCIES

When an agency becomes aware of a security breach, it shall, within 24 hours,
notify the office of the state Attorney General.

 * A state agency must also report a security breach to the Chief Information
   Officer within the Department of Administration, pursuant to the Information
   Technology Resource Management Council policies.




THIRD-PARTY DATA NOTIFICATION

An Entity that maintains computerized data that includes PI that the Entity does
not own or license shall give notice to and cooperate with the owner or licensee
of the information of any breach of the security of the system immediately
following discovery of the breach, if misuse of PI about an ID resident occurred
or is reasonably likely to occur. Cooperation includes sharing with the owner or
licensee information relevant to the breach.




TIMING OF NOTIFICATION

Notice must be made in the most expedient time possible and without unreasonable
delay, consistent with any measures necessary to determine the scope of the
breach, to identify the individuals affected, and to restore the reasonable
integrity of the computerized data system.




PERSONAL INFORMATION DEFINITION

An ID resident’s first name or first initial and last name in combination with
any one or more of the following data elements that relate to the resident, when
either the name or the data elements are not encrypted:

 * Social Security number;
 * Driver’s license number or state identification card number; or
 * Account number or credit card number in combination with any required
   security code, access code, or password that would permit access to a
   resident’s financial account.

PI does not include publicly available information that is lawfully made
available to the general public from federal, state, or local government records
or widely distributed media.




NOTICE REQUIRED

Notice may be provided by one of the following methods:

 * Written notice to the most recent address the Entity has in its records;
 * Telephonic notice; or
 * Electronic notice, if the notice provided is consistent with the provisions
   regarding electronic records and signatures set forth in 15 U.S.C. § 7001
   (E-Sign Act).




SUBSTITUTE NOTICE AVAILABLE

If the Entity required to provide notice demonstrates that the cost of providing
notice would exceed $25,000, or that the number of ID residents to be notified
exceeds 50,000, or that the Entity does not have sufficient contact information
to provide notice. Substitute notice consists of all of the following:

 * Email notice, if the Entity has email addresses for the affected ID
   residents;
 * Conspicuous posting of the notice on the website of the Entity, if the Entity
   maintains one; and
 * Notice to major statewide media.




EXCEPTION: OWN NOTIFICATION POLICY

Any Entity that maintains its own notice procedures as part of an information
security policy for the treatment of PI, and whose procedures are otherwise
consistent with the timing requirements of the statute is deemed to be in
compliance with the notice requirements if the Entity notifies affected ID
residents in accordance with its policies in the event of a breach of the
security of the system.




EXCEPTION: COMPLIANCE WITH OTHER LAWS

 * Primary Regulator. Notification pursuant to laws, rules, regulations,
   guidance, or guidelines established by an Entity’s primary or functional
   state regulator is sufficient for compliance.




PENALTIES

Any Entity that intentionally fails to give notice in accordance with the
statute shall be subject to a fine of not more than $25,000 per breach of the
security of the system.




PENALTIES FOR GOVERNMENT DISCLOSURE

Any governmental employee that intentionally discloses PI not subject to
disclosure otherwise allowed by law shall be subject to a fine of not more than
$2,000, by imprisonment in the county jail for a period of not more than 1 year,
or both.




OTHER KEY PROVISIONS:

 * Delay for Law Enforcement. Notice may be delayed if a law enforcement agency
   determines that the notice will impede a criminal investigation. Notice
   required by the statute must be made as soon as possible after the law
   enforcement agency determines that notification will no longer impede the
   investigation.
 * Primary State Regulator Enforcement. Authorizes the primary state regulator
   to bring a civil action against an Entity that it believes has violated the
   statute by failing to give notice, in order to enforce compliance with the
   statute and enjoin the Entity from further violation.






WISCONSIN

Name: Wis. Stat. 134.98 S.B. 164
Effective Date: March 31, 2006
Link to Documentation



APPLICATION

Any Entity that maintains or licenses PI in WI or that knows that PI pertaining
to a resident of WI has been acquired by a person whom the Entity has not
authorized to acquire the PI. “Entity” includes the state of WI and any office,
department, independent agency, authority, institution, association, society, or
other body in state government created or authorized to be created by the
constitution or any law, including the legislature and the courts; a city,
village, town, or county; and a person, other than an individual, that does any
of the following:

 * Conducts business in WI and maintains PI in the ordinary course of business;
 * Licenses PI in WI;
 * Maintains for a resident of WI a depository account; or
 * Lends money to a resident of WI.




SECURITY BREACH DEFINITION

When an Entity whose principal place of business is located in WI or an Entity
that maintains or licenses PI in WI knows that PI in the Entity’s possession has
been acquired by a person whom the Entity has not authorized to acquire the PI,
or, in the case of an Entity whose principal place of business is not located in
WI, when it knows that PI pertaining to a resident of WI has been acquired by a
person whom the Entity has not authorized to acquire the PI.




NOTIFICATION OBLIGATION

Any Entity to which the statute applies shall make reasonable efforts to notify
each subject of the PI.

 * An Entity is not required to provide notice of the acquisition of PI if the
   acquisition of PI does not create a material risk of identity theft or fraud
   to the subject of the PI or if the PI was acquired in good faith by an
   employee or agent of the Entity, if the PI is used for a lawful purpose of
   the Entity.




NOTIFICATION TO CONSUMER REPORTING AGENCIES

If, as the result of a single incident, an Entity is required to notify 1,000 or
more individuals that PI pertaining to the individuals has been acquired, the
Entity shall without unreasonable delay notify all consumer reporting agencies
that compile and maintain files on consumers on a nationwide basis, of the
timing, distribution, and content of the notices sent to the individuals.




THIRD-PARTY DATA NOTIFICATION

If a person, other than an individual, that stores PI pertaining to a resident
of WI, but does not own or license the PI, knows that the PI has been acquired
by a person whom the person storing the PI has not authorized to acquire the PI,
and the person storing the PI has not entered into a contract with the person
that owns or licenses the PI, the person storing the PI shall notify the person
that owns or licenses the PI of the acquisition as soon as practicable.




TIMING OF NOTIFICATION

An Entity shall provide the notice within a reasonable time, not to exceed 45
days after the Entity learns of the acquisition of PI. A determination as to
reasonableness shall include consideration of the number of notices that an
Entity must provide and the methods of communication available to the Entity.




PERSONAL INFORMATION DEFINITION

An individual’s last name and the individual’s first name or first initial, in
combination with and linked to any of the following elements, if the element is
not publicly available information and is not encrypted, redacted, or altered in
a manner that renders the element unreadable:

 * Social Security number;
 * Driver’s license number or state identification number;
 * Account number, credit card number, or debit card number, or any security
   code, access code, or password that would permit access to the individual’s
   financial account;
 * DNA profile; or
 * Unique biometric data, including fingerprint, voice print, retina or iris
   image, or any other unique physical representation.

An element is publicly available if the Entity reasonably believes that it was
lawfully made widely available through any media or lawfully made available to
the general public from federal, state, or local government records or
disclosures to the general public that are required to be made by federal,
state, or local law.




NOTICE REQUIRED

The notice shall indicate that the Entity knows of the unauthorized acquisition
of PI pertaining to the resident of WI who is the subject of the PI. Notice may
be provided by one of the following methods:

 * Mail; or
 * A method the Entity has previously employed to communicate with the subject
   of the PI.




SUBSTITUTE NOTICE AVAILABLE

If an Entity cannot with reasonable diligence determine the mailing address of
the subject of the PI, and if the Entity has not previously communicated with
the subject of the PI, the Entity shall provide notice by a method reasonably
calculated to provide actual notice to the subject of the PI.




EXCEPTION: COMPLIANCE WITH OTHER LAWS

 * Gramm-Leach-Bliley Act. An Entity that is subject to, and in compliance with,
   the privacy and security requirements of Title V of the Gramm-Leach-Bliley
   Act, or a person that has a contractual obligation to such an Entity, if the
   Entity or person has in effect a policy concerning breaches of information
   security.
 * HIPAA-Covered Entities. A health plan, health care clearinghouse, or health
   care provider who transmits any health information in electronic form, if the
   Entity complies with the requirements of 45 C.F.R. pt. 164.




OTHER KEY PROVISIONS:

 * Delay for Law Enforcement. A law enforcement agency may, to protect an
   investigation or homeland security, ask an Entity not to provide a required
   notice for any period of time. If an Entity receives such a request, the
   Entity may not provide notice of or publicize an unauthorized acquisition of
   PI, except as authorized by the law enforcement agency that made the request.






WEST VIRGINIA

Name: W. Va. Code 46A-2A-101 et seq. S.B. 340
Effective Date: June 6, 2008
Link to Documentation



APPLICATION

An individual, corporation, business trust, estate, partnership, limited
partnership, limited liability partnership, limited liability company,
association, organization, joint venture, government, governmental subdivision,
agency, or instrumentality, or any other legal entity, whether for profit or not
for profit, (collectively, Entity) that owns or licenses computerized data that
includes PI.




SECURITY BREACH DEFINITION

Unauthorized access and acquisition of unencrypted and unredacted computerized
data that compromises the security or confidentiality of PI maintained by an
Entity as part of a database of PI regarding multiple individuals and that
causes the Entity to reasonably believe that the breach of security has caused
or will cause identity theft or other fraud to any resident of WV.

 * Good-faith acquisition of PI by an employee or agent of an Entity for the
   purposes of the Entity is not a breach of the security of the system,
   provided that the PI is not used for a purpose other than a lawful purpose of
   the Entity or subject to further unauthorized disclosure.




NOTIFICATION OBLIGATION

Any Entity to which the statute applies shall give notice of any breach of the
security of the system following discovery or notification of the breach of the
security of the system to any resident of WV whose unencrypted and unredacted PI
was or is reasonably believed to have been accessed and acquired by an
unauthorized person and that causes, or the individual or entity reasonably
believes has caused or will cause, identity theft or other fraud to any resident
of WV.

 * An Entity must give notice of the breach of the security of the system if
   encrypted information is accessed and acquired in an unencrypted form or if
   the security breach involves a person with access to the encryption key and
   the Entity reasonably believes that such breach has caused or will cause
   identity theft or other fraud to any resident of this state.




NOTIFICATION TO CONSUMER REPORTING AGENCIES

If an Entity is required to notify more than 1,000 persons of a breach of
security pursuant to this article, the Entity shall also notify, without
unreasonable delay, all consumer reporting agencies that compile and maintain
files on a nationwide basis of the timing, distribution, and content of the
notices. Nothing in this subsection shall be construed to require the Entity to
provide to the consumer reporting agency the names or other PI of breach notice
recipients.




THIRD-PARTY DATA NOTIFICATION

An Entity that maintains computerized data that includes PI that the Entity does
not own or license shall give notice to the owner or licensee of the information
of any breach of the security of the system as soon as practicable following
discovery, if the PI was or the Entity reasonably believes was accessed and
acquired by an unauthorized person.




TIMING OF NOTIFICATION

Except to take any measures necessary to determine the scope of the breach and
to restore the reasonable integrity of the system, the notice shall be made
without unreasonable delay.




PERSONAL INFORMATION DEFINITION

The first name or first initial and last name linked to any one or more of the
following data elements that relate to a resident of WV, when the data elements
are neither encrypted nor redacted:

 * Social Security number;
 * Driver’s license number or state identification card number issued in lieu of
   a driver’s license; or
 * Account number, credit card number, or debit card number in combination with
   any required security code, access code, or password that would permit access
   to a resident’s financial accounts.

PI does not include information that is lawfully obtained from publicly
available information, or from federal, state, or local government records
lawfully made available to the general public.




NOTICE REQUIRED

The notice shall include:

 * To the extent possible, a description of the categories of information that
   were reasonably believed to have been accessed or acquired by an unauthorized
   person, including Social Security numbers, driver’s license or state
   identification numbers, and financial data;
 * A telephone number or website address that the individual may use to contact
   the Entity or the agent of the Entity and from whom the individual may learn
   what types of information the Entity maintained about that individual or
   about individuals in general and whether or not the Entity maintained
   information about that individual; and
 * The toll-free contact telephone numbers and addresses for the major credit
   reporting agencies and information on how to place a fraud alert or security
   freeze.

Notice may be provided by one of the following methods:

 * Written notice to the postal address in the records of the Entity;
 * Telephonic notice; or
 * Electronic notice, if the notice provided is consistent with the provisions
   regarding electronic records and signatures set forth in 15 U.S.C. § 7001
   (E-Sign Act).




SUBSTITUTE NOTICE AVAILABLE

If an Entity demonstrates that the cost of providing notice will exceed $50,000,
or that the affected class of residents to be notified exceeds 100,000 persons,
or that the Entity does not have sufficient contact information to provide
notice. Substitute notice consists of any two of the following:

 * Email notice, if the Entity has email addresses for the members of the
   affected class of residents;
 * Conspicuous posting of the notice on the Entity’s website, if the Entity
   maintains one; or
 * Notice to major statewide media.




EXCEPTION: OWN NOTIFICATION POLICY

An Entity that maintains its own notification procedures as part of an
information privacy or security policy for the treatment of PI that are
consistent with the timing requirements of this article shall be deemed to be in
compliance with the notification requirements of this article if the Entity
notifies residents of WV in accordance with its procedures in the event of a
breach of security of the system.




EXCEPTION: COMPLIANCE WITH OTHER LAWS

 * Federal Interagency Guidance. A financial institution that responds in
   accordance with the notification guidelines prescribed by the Federal
   Interagency Guidance on Response Programs for Unauthorized Access to Customer
   Information and Customer Notice is deemed to be in compliance with this
   article.
 * Primary Regulator. An Entity that complies with the notification requirements
   or procedures pursuant to the rules, regulation, procedures, or guidelines
   established by the Entity’s primary or functional regulator shall be in
   compliance with this article.




OTHER KEY PROVISIONS:

 * Delay for Law Enforcement. Notice required by this section may be delayed if
   a law enforcement agency determines and advises the Entity that the notice
   will impede a criminal or civil investigation or homeland or national
   security. Notice required by this section must be made without unreasonable
   delay after the law enforcement agency determines that notification will no
   longer impede the investigation or jeopardize national or homeland security.
 * Attorney General Enforcement.
 * Gramm-Leach-Bliley Act. This subsection shall not apply to an entity subject
   to Title V of the Gramm-Leach-Bliley Act.






WASHINGTON

Name: Wash. Rev. Code 19.255.010 et seq., 42.56.590 H.B. 1071
Effective Date: March 1, 2020
Link to Documentation 1
Link to Documentation 2



APPLICATION

Any state or local agency or any person or business which conducts business in
WA (collectively, Entity) that owns or licenses computerized data that includes
PI.




SECURITY BREACH DEFINITION

Unauthorized acquisition of data that compromises the security, confidentiality,
or integrity of PI maintained by the Entity.

 * Good-faith acquisition of PI by an employee or agent of the Entity for the
   purposes of the Entity is not a breach of the security of the system when the
   PI is not used or subject to further unauthorized disclosure.




NOTIFICATION OBLIGATION

Any Entity to which the statute applies shall disclose any breach of the
security of the system following discovery or notification of the breach in the
security of the data to any resident of WA whose PI was, or is reasonably
believed to have been, acquired by an unauthorized person and the PI was not
“secured” (i.e., encrypted in a manner that meets or exceeds the National
Institute of Standards and Technology (NIST) standard or is otherwise modified
so that the PI is rendered unreadable, unusable, or undecipherable by an
unauthorized person).

 * Notice is not required if the breach of the security of the system is not
   reasonably likely to subject consumers to a risk of harm. The breach of
   secured PI must be disclosed if the information acquired and accessed is not
   secured during a security breach or if the confidential process, encryption
   key, or other means to decipher the secured PI was acquired by an
   unauthorized person.




ATTORNEY GENERAL NOTIFICATION

Any Entity that is required to issue a notification to more than 500 WA
residents as a result of a single breach shall, by the time notice is provided
to affected consumers, electronically submit a single sample copy of that
security breach notification, excluding any personally identifiable information,
to the Attorney General. The Entity shall also provide to the Attorney General
the following information:

 * The number of WA consumers affected by the breach, or an estimate if the
   exact number is not known.

[Effective March 1, 2020]

 * A list of the types of personal information that were or are reasonably
   believed to have been the subject of a breach;
 * A timeframe of exposure, if known, including the date of the breach and the
   date of the discovery of the breach; and
 * A summary of steps taken to contain the breach.

The notice to the attorney general must be updated if any of the information
identified above is unknown at the time the notice is due.




THIRD-PARTY DATA NOTIFICATION

Any Entity that maintains computerized data that includes PI that the Entity
does not own shall notify the owner or licensee of the PI of any breach
immediately following discovery, if the PI was, or is reasonably believed to
have been, acquired by an unauthorized person.




TIMING OF NOTIFICATION

The disclosure to affected consumers and to the Attorney General shall be made
in the most expedient time possible and without unreasonable delay, no more than
45 calendar days (30 calendar days, effective March 1, 2020) after the breach
was discovered, unless the delay is at the request of law enforcement or the
delay is due to any measures necessary to determine the scope of the breach and
restore the reasonable integrity of the data system.




PERSONAL INFORMATION DEFINITION

(1) An individual’s first name or first initial and last name in combination
with any one or more of the following data elements, when either the name or the
data elements are not encrypted:

 * Social Security number;
 * Driver’s license number or state identification card number;
 * Account number, credit card number, or debit card number in combination with
   any required security code, access code, or password that would permit access
   to an individual’s financial account, or [Effective March 1, 2020] any other
   numbers or information that can be used to access a person’s financial
   account

[Additional elements effective March 1, 2020]

 * Full date of birth;
 * Private key that is unique to an individual and that is used to authenticate
   or sign an electronic record;
 * Student, military, or passport identification number;
 * Health insurance policy number or health insurance identification number;
 * Any information about a consumer’s medical history or mental or physical
   condition or about a health care professional’s medical diagnosis or
   treatment of the consumer; or
 * Biometric data generated by automatic measurements of an individual’s
   biological characteristics such as a fingerprint, voiceprint, eye retinas,
   irises, or other unique biological patterns or characteristics that is used
   to identify a specific individual;

(2) Username or email address in combination with a password or security
questions and answers that would permit access to an online account; and

(3) Any of the data elements or any combination of the data elements described
in (1) above, without the consumer’s first name or first initial and last name
if:

(A) Encryption, redaction, or other methods have not rendered the data element
or combination of data elements unusable; and

(B) The data element or combination of data elements would enable a person to
commit identity theft against a consumer.

PI does not include publicly available information that is lawfully made
available to the general public from federal, state, or local government
records.




NOTICE REQUIRED

Notice may be provided by the following methods:

 * Written notice; or
 * Electronic notice, if the notice provided is consistent with the provisions
   regarding electronic records and signatures set forth in 15 U.S.C. § 7001
   (E-Sign Act).

The notification must be written in plain language and must include, at a
minimum, the following information:

 * The name and contact information of the reporting person or business subject
   to this section;
 * A list of the types of PI that were or are reasonably believed to have been
   the subject of a breach;
 * [Effective March 1, 2020] A timeframe of exposure, if known, including the
   date of the breach and the date of the discovery of the breach; and
 * The toll-free telephone numbers and addresses of the major credit reporting
   agencies if the breach exposed PI.




SUBSTITUTE NOTICE AVAILABLE

Substitute notice may be provided if the Entity demonstrates that the cost of
providing notice would exceed $250,000, or that the affected class of subject
persons to be notified exceeds 500,000, or the Entity does not have sufficient
contact information. Substitute notice shall consist of all of the following:

 * Email notice when the Entity has email addresses for the subject persons;
 * Conspicuous posting of the notice on the Entity’s website if the Entity
   maintains one; and
 * Notification to major statewide media; or

[Effective March 1, 2020] If the breach of the security of the system involves
personal information including a user name or password, notice may be provided
electronically or by email. If the breach involves login credentials of an email
account furnished by the Entity, notice may not be sent to that email address
and must be provided using another method.

The notice must inform the person whose personal information has been breached
to promptly change his or her password and security question or answer, as
applicable, or to take other appropriate steps to protect the online account
with the Entity and all other online accounts for which that person uses the
same username or email address and password or security question or answer.




EXCEPTION: COMPLIANCE WITH OTHER LAWS

 * Certain Financial Institutions. A financial institution under the authority
   of the Office of the Comptroller of the Currency, the Federal Deposit
   Insurance Corporation, the National Credit Union Administration, or the
   Federal Reserve system is deemed to have complied with respect to “sensitive
   customer information” as defined in the interagency guidelines establishing
   information security standards, 12 C.F.R. Part 30, Appendix B, 12 C.F.R. Part
   208, Appendix D-2, 12 C.F.R. Part 225, Appendix F, and 12 C.F.R. Part 364,
   Appendix B, and 12 C.F.R. Part 748, Appendices A and B, if the financial
   institution provides notice to affected consumers pursuant to the interagency
   guidelines and the notice complies with the customer notice provisions of the
   interagency guidelines establishing information security standards and the
   interagency guidance on response programs for unauthorized access to customer
   information and customer notice under 12 C.F.R. Part 364 as it existed on the
   effective date of this section. The entity shall comply with the Attorney
   General notification requirements here in addition to providing notice to its
   primary federal regulator.
 * HIPAA-Covered Entities. A covered entity under Health Insurance Portability
   and Accountability Act of 1996 (HIPAA) is deemed to have complied with
   respect to protected health information if it has complied with section 13402
   of the federal Health Information Technology for Economic and Clinical Health
   Act, Public Law 111-5. Covered entities must notify the Attorney General in
   compliance with the timeliness of notification requirements of the
   aforementioned section 13402, notwithstanding the timing of notification
   requirements here.




EXCEPTION: OWN NOTIFICATION POLICY

An Entity that maintains its own notification procedures as part of an
information security policy for the treatment of PI and is otherwise consistent
with the timing requirements of this section is in compliance with the
notification requirements of this section if the Entity notifies subject persons
in accordance with its policies in the event of a breach of security.




OTHER KEY PROVISIONS:

 * Delay for Law Enforcement. Notification may be delayed if the data owner or
   licensee contacts a law enforcement agency after discovery of a breach of the
   security of the system and a law enforcement agency determines that the
   notification will impede a criminal investigation. The required notification
   shall be made after the law enforcement agency determines that it will not
   compromise the investigation.
 * Attorney General Enforcement. The Attorney General may bring action on behalf
   of the state or its residents. The violations are “unfair or deceptive act”
   and “unfair method of competition.”
 * Private Right of Action. Any consumer injured by a violation of this section
   may institute a civil action to recover damages.
 * Waiver Not Permitted.




REIMBURSEMENT FROM BUSINESSES TO FINANCIAL INSTITUTIONS

In the event of a breach where an Entity held unencrypted account information or
was not Payment Card Industry Data Security Standard compliant, payment
processors, businesses, and vendors can be liable to a financial institution for
the cost of reissuing credit and debit cards in the event of a breach that
results in the disclosure of the full, unencrypted account information contained
on an identification device, or the full, unencrypted account number on a credit
or debit card or identification device plus the cardholder’s name, expiration
date, or service code.






VIRGINIA

Name: Va. Code 18.2-186.6 H.B. 2396
Effective Date: July 1, 2019
Link to Documentation 1
Link to Documentation 2



APPLICATION

An individual, corporation, business trust, estate, partnership, limited
partnership, limited liability partnership, limited liability company,
association, organization, joint venture, government, governmental subdivision,
agency, or instrumentality or any other legal entity, whether for profit or not
for profit (collectively, Entity) that owns or licenses computerized data that
includes PI.

 * A separate provision covering health information applies only to government
   entities, defined as any authority, board, bureau, commission, district or
   agency of the Commonwealth or of any political subdivision of the
   Commonwealth, including cities, towns and counties, municipal councils,
   governing bodies of counties, school boards and planning commissions; boards
   of visitors of public institutions of higher education; and other
   organizations, corporations, or agencies in VA supported wholly or
   principally by public funds.




SECURITY BREACH DEFINITION

Unauthorized access and acquisition of unencrypted and unredacted computerized
data that compromises the security or confidentiality of PI maintained by an
Entity as part of a database of PI regarding multiple individuals and that
causes, or the Entity reasonably believes has caused, or will cause, identity
theft or other fraud to any resident of VA.

 * Good-faith acquisition of PI by an employee or agent of an Entity for the
   purposes of the Entity is not a breach of the security of the system,
   provided that the PI is not used for a purpose other than a lawful purpose of
   the individual or entity or subject to further unauthorized disclosure.




NOTIFICATION OBLIGATION

If unencrypted or unredacted PI was or is reasonably believed to have been
accessed and acquired by an unauthorized person and causes, or the Entity
reasonably believes has caused or will cause, identity theft or another fraud to
any resident of VA, an Entity to which the statute applies shall disclose any
breach of the security of the system following discovery or notification of the
breach of the security of the system to any affected resident of VA.

 * An Entity shall disclose the breach of the security of the system if
   encrypted information is accessed and acquired in an unencrypted form, or if
   the security breach involves a person with access to the encryption key and
   the Entity reasonably believes that such a breach has caused or will cause
   identity theft or other fraud to any resident of VA.
 * For health information, the Entity must notify both the subject of the
   medical information and any affected resident of VA, if those are not the
   same person.




NOTIFICATION TO CONSUMER REPORTING AGENCIES

In the event an Entity provides notice to more than 1,000 persons at one time
pursuant to the general security breach section, the Entity shall notify,
without unreasonable delay, all consumer reporting agencies that compile and
maintain files on consumers on a nationwide basis, as defined in 15 U.S.C.
Section 1682(a)(p), of the timing, distribution, and content of the notice.




ATTORNEY GENERAL/AGENCY NOTIFICATION

The state AG must be notified whenever any VA residents are notified under the
criteria above. In the event an Entity provides notice to more than 1,000
persons at one time pursuant to this section, the individual or entity shall
notify, without unreasonable delay, the state Attorney General of the timing,
distribution, and content of the notice. For health information, the Entity must
also notify the Commissioner of Health.




ATTORNEY GENERAL NOTIFICATION FOR BREACH OF EMPLOYEE INCOME TAX DATA

Employers or payroll service providers that own or license computerized data
relating to state income tax withheld must notify the Attorney General of
unauthorized access and acquisition of unencrypted and unredacted computerized
data containing a taxpayer identification number in combination with the income
tax withheld for that taxpayer that compromises the confidentiality of such data
and that creates a reasonable belief that an unencrypted and unredacted version
of such information was accessed and acquired by an unauthorized person, and
causes, or the employer or payroll provider reasonably believes has caused or
will cause, identity theft or other fraud. For employers, the notification
obligation applies only to information regarding its employees (not customers or
other non-employees).

Such employer or payroll service provider shall provide the Attorney General
with the name and federal employer identification number of the employer without
unreasonable delay after the discovery of the breach. The Attorney General shall
then notify the Department of Taxation of the breach.




THIRD-PARTY DATA NOTIFICATION

An Entity that maintains computerized data that includes PI that the Entity does
not own or license shall notify the owner or licensee of the information of any
breach of the security of the system without unreasonable delay following
discovery of the breach of the security of the system, if the PI was accessed
and acquired by an unauthorized person or the Entity reasonably believes the PI
was accessed and acquired by an unauthorized person.




TIMING OF NOTIFICATION

Notice required by the statute shall be made without unreasonable delay. Notice
may be reasonably delayed to allow the individual or Entity to determine scope
of the breach of security and restore the reasonable integrity of the system.




PERSONAL INFORMATION DEFINITION

The first name or first initial and last name in combination with and linked to
any one or more of the following data elements that relate to a resident of VA,
when the data elements are neither encrypted nor redacted:

 * Social Security number;
 * Driver’s license number or state identification card number issued in lieu of
   a driver’s license number;
 * Account number, credit card number, or debit card number in combination with
   any required security code, access code, or password that would permit access
   to a resident’s financial accounts;
 * Passport number; or
 * Military identification number.

The health information breach law applies to the first name or first initial and
last name with any of the following elements:

 * Any information regarding an individual’s medical or mental health history,
   mental or physical condition, or medical treatment or diagnosis by a health
   care professional; or
 * An individual’s health insurance policy number or subscriber identification
   number, any unique identifier used by a health insurer to identify the
   individual, or any information in an individual’s application and claims
   history, including any appeals records.

PI does not include information that is lawfully obtained from publicly
available information, or from federal, state, or local government records
lawfully made available to the general public.




NOTICE REQUIRED

Notice shall include a description of the following:

 * The incident in general terms;
 * The type of PI or medical information that was subject to the unauthorized
   access and acquisition;
 * The general acts of the individual or entity to protect the PI from further
   unauthorized access;
 * A telephone number that the person may call for further information and
   assistance, if one exists; and
 * Advice that directs the person to remain vigilant by reviewing account
   statements and monitoring free credit reports.

Notice means:

 * Written notice to the last known postal address in the records of the
   individual or entity;
 * Telephone notice; or
 * Electronic notice.




SUBSTITUTE NOTICE AVAILABLE

Substitute notice may be provided if the Entity demonstrates that the cost of
providing notice will exceed $50,000, the affected class of VA residents to be
notified exceeds 100,000 residents, or the individual or the Entity does not
have sufficient contact information or consent to provide written, electronic,
or telephonic notice. Substitute notice consists of all of the following:

 * Email notice, if the individual or the Entity has email addresses for the
   members of the affected class of residents;
 * Conspicuous posting of the notice on the Entity’s website, if the Entity
   maintains one; and
 * Notice to major statewide media.




EXCEPTION: OWN NOTIFICATION POLICY

An Entity that maintains its own notification procedures as part of an
information privacy or security policy for the treatment of PI that are
consistent with the timing requirements of this section shall be deemed to be in
compliance with the notification requirements of this section if it notifies
residents of VA in accordance with its procedures in the event of a breach of
the security of the system.




EXCEPTION: COMPLIANCE WITH OTHER LAWS

 * Gramm-Leach-Bliley Act. An entity that is subject to Title V of the
   Gramm-Leach-Bliley Act and maintains procedures for notification of a breach
   of the security of the system in accordance with the provision of that Act
   and any rules, regulations, or guidelines promulgated thereto shall be deemed
   to be in compliance with this section.
 * Primary Regulator. An entity that complies with the notification requirements
   or procedures pursuant to the rules, regulations, procedures, or guidelines
   established by the entity’s primary or functional state or federal regulator
   shall be in compliance with this section.
 * HIPAA-Covered Entities. The notification requirements for incidents involving
   medical information do not apply to (i) a “covered entity” or “business
   associate” subject to requirements for notification in the case of a breach
   of protected health information (42 U.S.C. § 17932 et seq.) or (ii) a person
   or entity who is a non–HIPAA-covered entity subject to the Health Breach
   Notification Rule promulgated by the Federal Trade Commission pursuant to 42
   U.S.C. § 17937 et seq.




PENALTIES

The state Attorney General may impose a civil penalty not to exceed $150,000 per
breach of the security of the system or a series of breaches of a similar nature
that are discovered in a single investigation. (This provision does not apply to
health information breaches.)




OTHER KEY PROVISIONS:

 * Delay for Law Enforcement. Notice required by this section may be delayed if,
   after the Entity notifies a law enforcement agency, the law enforcement
   agency determines and advises the Entity that the notice will impede a
   criminal or civil investigation, or homeland or national security. Notice
   shall be made without unreasonable delay after the law enforcement agency
   determines that the notification will no longer impede the investigation or
   jeopardize national or homeland security.
 * Attorney General Enforcement.






VERMONT

Name: 9 V.S.A. 2430, 2435 S. 73
Effective Date: July 1, 2015
Link to Documentation



APPLICATION

Any data collector, including, but not limited to, the state, state agencies,
political subdivisions of the state, public and private universities, privately
and publicly held corporations, limited liability companies, financial
institutions, retail operators, and any other entity that, for any purpose,
whether by automated collection or otherwise, handles, collects, disseminates,
or otherwise deals with nonpublic PI (Entity), that owns or licenses
computerized PI that includes PI concerning an individual residing in VT.




SECURITY BREACH DEFINITION

Unauthorized acquisition of electronic data or a reasonable belief of such
unauthorized acquisition that compromises the security, confidentiality, or
integrity of PI maintained by an Entity.

 * Does not include good-faith but unauthorized acquisition or access of PI by
   an employee or agent of the Entity for a legitimate purpose of the Entity,
   provided that the PI is not used for a purpose unrelated to the Entity’s
   business or subject to further unauthorized disclosure.

To determine whether this definition applies, any Entity may consider the
following factors (among others):

 * Indications that the information is in the physical possession and control of
   a person without valid authorization, such as a lost or stolen computer or
   other device containing information;
 * Indications that the information has been downloaded or copied;
 * Indications that the information was used by an unauthorized person, such as
   fraudulent accounts opened or instances of identity theft reported; or
 * That the information has been made public.




NOTIFICATION OBLIGATION

An Entity shall notify affected individuals residing in VT that there has been a
security breach following discovery or notification to the Entity of the breach.

 * Notice of a security breach is not required if the Entity establishes that
   misuse of PI is not reasonably possible and the Entity provides notice of the
   determination that the misuse of the PI is not reasonably possible and a
   detailed explanation for said determination to the VT Attorney General or to
   the Department of Banking, Insurance, Securities, and Health Care
   Administration in the event that the Entity is a person or entity licensed or
   registered with the Department.




NOTIFICATION TO CONSUMER REPORTING AGENCIES

In the event an Entity is required to provide notice to more than 1,000
residents of VT at one time, the Entity shall notify, without unreasonable
delay, all consumer reporting agencies that compile and maintain files on
consumers on a nationwide basis of the timing, distribution, and content of the
notice. This subsection shall not apply to a person who is licensed or
registered under Title 8 by the Department of Banking, Insurance, Securities,
and Health Care Administration.




ATTORNEY GENERAL/AGENCY NOTIFICATION

An Entity shall notify the Attorney General or Department of Financial
Regulation of any breach within 14 business days of the date the Entity
discovers the breach or the date the Entity provides notice to consumers,
whichever is sooner.

Any Entity that has, prior to the breach, sworn in writing on a form and in a
manner prescribed by the Attorney General that the Entity maintains written
policies and procedures to maintain the security of PI and respond to breaches
in a manner consistent with state law shall notify the Attorney General before
providing notice to consumers. Notice to the Attorney General shall contain the
date the breach occurred, the date the breach was discovered, and a description
of the breach. If the date of the breach is unknown, then the Entity shall send
notice to the Attorney General or the Department as soon as the date becomes
known.

If an Entity provides notice of the breach to consumers, the Entity shall notify
the Attorney General or the Department of the number of VT residents affected,
if known, and shall provide a copy of the notice that was provided to consumers.
An Entity may also send the Attorney General or Department a second copy of the
notice to consumers that redacts the type of PI breached for any public
disclosure of the breach.




THIRD-PARTY DATA NOTIFICATION

Any Entity that maintains or possesses computerized data containing PI of an
individual residing in VT that the Entity does not own or license or any Entity
that conducts business in VT that maintains or possesses records or data
containing PI that the Entity does not own or license shall notify the owner or
licensee of the information of any security breach immediately following
discovery of the breach, consistent with the legitimate needs of law
enforcement.




TIMING OF NOTIFICATION

Notice of the breach shall be made in the most expedient time possible and
without unreasonable delay, but not later than 45 days after the discovery of
the breach, consistent with any measures necessary to determine the scope of the
breach and restore the reasonable integrity, security, and confidentiality of
the data system.




PERSONAL INFORMATION DEFINITION

An individual’s first name or first initial and last name in combination with
any one or more of the following data elements, when either the name or the data
elements are not encrypted or redacted or protected by another method that
renders them unreadable or unusable by unauthorized persons:

 * Social Security number;
 * Motor vehicle operator’s license number or nondriver identification card
   number;
 * Account number, credit card number, or debit card number if circumstances
   exist in which the number could be used without additional identifying
   information, access codes, or passwords; or
 * Account passwords or personal identification numbers or other access codes
   for a financial account.

PI does not mean publicly available information that is lawfully made available
to the general public from federal, state, or local government records.




NOTICE REQUIRED

The notice to a consumer shall be clear and conspicuous and include a
description of each of the following, if known to the Entity:

 * The incident in general terms;
 * The type of PI that was subject to the security breach;
 * The general acts of the Entity to protect the PI from further security
   breach;
 * A telephone number (toll-free, if available) that the consumer may call for
   further information and assistance;
 * Advice that directs the consumer to remain vigilant by reviewing account
   statements and monitoring free credit reports; and
 * The approximate date of the security breach.

Notice may be provided by one or more of the following methods:

 * Written notice mailed to the individual’s residence;
 * Telephonic notice, provided that telephonic contact is made directly with
   each affected resident of VT, and not through a prerecorded message; or
 * Electronic notice, for those individuals for whom the Entity has a valid
   email address if (i) the Entity’s primary method of communication with the
   individual is by electronic means, the electronic notice does not request or
   contain a hypertext link to a request that the individual provide PI, and the
   electronic notice conspicuously warns individuals not to provide PI in
   response to electronic communications regarding security breaches; or (ii)
   the notice provided is consistent with the provisions regarding electronic
   records and signatures set forth in 15 U.S.C. § 7001 (E-Sign Act).




SUBSTITUTE NOTICE AVAILABLE

Substitute notice may be provided if the Entity demonstrates that the cost of
providing written or telephonic notice to affected residents would exceed
$5,000, or that the affected class of residents to be provided written or
telephonic notice exceeds 5,000, or the Entity does not have sufficient contact
information. Substitute notice shall consist of all of the following:

 * Conspicuously posting the notice on the Entity’s website, if the Entity
   maintains one; and
 * Notifying major statewide and regional media.




EXCEPTION: COMPLIANCE WITH OTHER LAWS

 * A financial institution that is subject to the following guidance, and any
   revisions, additions, or substitutions relating to said interagency guidance
   shall be exempt from this section: (i) The Federal Interagency Guidance
   Response Programs for Unauthorized Access to Consumer Information and
   Customer Notice, issued on March 7, 2005, by the Board of Governors of the
   Federal Reserve System, the Federal Deposit Insurance Corporation, the Office
   of the Comptroller of the Currency, and the Office of Thrift Supervision; or
   (ii) Final Guidance on Response Programs for Unauthorized Access to Member
   Information and Member Notice, issued on April 14, 2005, by the National
   Credit Union Administration.




OTHER KEY PROVISIONS:

 * Delay for Law Enforcement. The required notice to a consumer shall be delayed
   upon request of a law enforcement agency. A law enforcement agency may
   request the delay if it believes that notification may impede a law
   enforcement investigation, or a national or homeland security investigation,
   or jeopardize public safety or national or homeland security interests. In
   the event law enforcement makes the request in a manner other than in
   writing, the Entity shall document such request contemporaneously in writing,
   including the name of the law enforcement officer making the request and the
   officer’s law enforcement agency engaged in the investigation. The Entity
   shall provide the required notice without unreasonable delay upon receipt of
   a written communication, which includes facsimile or electronic
   communication, from the law enforcement agency withdrawing its request for
   delay.
 * Attorney General Enforcement.
 * Waiver Not Permitted.






UTAH

Name: Utah Code 13-44-101, 13-44-202, 13-44-301 S.B. 193
Effective Date: May 14, 2019
Link to Documentation



APPLICATION

Any Entity who owns or licenses computerized data that includes PI concerning a
UT resident.




SECURITY BREACH DEFINITION

Unauthorized acquisition of computerized data maintained by an Entity that
compromises the security, confidentiality, or integrity of PI.

 * Does not include the acquisition of PI by an employee or agent of the Entity
   possessing unencrypted computerized data unless the PI is used for an
   unlawful purpose or disclosed in an unauthorized manner.




NOTIFICATION OBLIGATION

If investigation reveals that the misuse of PI for identity theft or fraud has
occurred, or is reasonably likely to occur, the person shall provide
notification to each affected UT resident.

 * Notification is not required if after a good-faith, reasonable, and prompt
   investigation the Entity determines that it is unlikely that PI has been or
   will be misused for identity theft or fraud.




THIRD-PARTY DATA NOTIFICATION

An Entity that maintains computerized data that includes PI that the Entity does
not own or license shall notify and cooperate with the owner or licensee of the
PI of any breach of system security immediately following the Entity’s discovery
of the breach if misuse of the PI occurs or is reasonably likely to occur.




TIMING OF NOTIFICATION

Notification shall be provided in the most expedient time possible without
unreasonable delay, after determining the scope of the breach of system security
and after restoring the reasonable integrity of the system.




PERSONAL INFORMATION DEFINITION

A person’s first name or first initial and last name, combined with any one or
more of the following data elements relating to that person, when either the
name or data element is unencrypted or not protected by another method that
renders the data unreadable or unusable:

 * Social Security number;
 * Driver’s license number or state identification card number; or
 * Account number, credit card number, or debit card number in combination with
   any required security code, access code, or password that would permit access
   to the person’s account.

PI does not include information regardless of its source, contained in federal,
state, or local government records or in widely distributed media that are
lawfully made available to the general public.




NOTICE REQUIRED

Notice may be provided by one of the following methods:

 * In writing by first-class mail to the most recent address the Entity has for
   the resident;
 * By telephone, including through the use of automatic dialing technology not
   prohibited by other law;
 * Electronically, if the Entity’s primary method of communication with the
   resident is by electronic means, or if provided consistent with the
   provisions regarding electronic records and signatures set forth in 15 U.S.C.
   § 7001 (E-Sign Act); or




SUBSTITUTE NOTICE

If notification in the manner described above is not feasible, by publishing
notice of the breach of system security in a newspaper of general circulation.
Such notice must comply with Utah Code § 45-1-101.




EXCEPTIONS

 * Own Notification Policy. If an Entity maintains its own notification
   procedures as part of an information security policy for the treatment of PI
   the Entity is considered to be in compliance with this chapter’s notification
   requirements if the procedures are otherwise consistent with this chapter’s
   timing requirements and the Entity notifies each affected UT resident in
   accordance with the Entity’s information security policy in the event of a
   breach.
 * Compliance with Other Laws. An Entity who is regulated by state or federal
   law and maintains procedures for a breach of system security under applicable
   law established by the primary state or federal regulator is considered to be
   in compliance with this part if the Entity notifies each affected UT resident
   in accordance with the other applicable law in the event of a breach.
 * Financial Institutions. This chapter does not apply to a financial
   institution or affiliate of a financial institution, as defined in 15 U.S.C.
   § 6809.




PENALTIES

Violators are subject to a civil fine of no more than $2,500 for a violation or
series of violations concerning a specific consumer and no more than $100,000 in
the aggregate for related violations concerning more than one consumer. The
latter limitation does not apply if the violations concern more than 10,000 Utah
residents and more than 10,000 residents of other states, or if the Entity
agrees to settle for a greater amount.




OTHER KEY PROVISIONS:

 * Delay for Law Enforcement. An Entity may delay providing notification at the
   request of a law enforcement agency that determines that notification may
   impede a criminal investigation. Notification shall be provided in good
   faith, without unreasonable delay, and in the most expedient time possible
   after the law enforcement agency informs the person that notification will no
   longer impede the criminal investigation.
 * Attorney General Enforcement.
 * Waiver Not Permitted.






TEXAS

Name: Tex. Bus. & Com. Code 521.002, 521.053 H.B. 4390
Effective Date: January 1, 2020
Link to Documentation 1
Link to Documentation 2



APPLICATION

A person (Entity) that conducts business in TX and owns or licenses computerized
data that includes sensitive PI.

 * The provisions governing maintenance of sensitive PI that the Entity does not
   own appear applicable to any Entity maintaining PI, whether or not the Entity
   conducts business in TX.




SECURITY BREACH DEFINITION

Unauthorized acquisition of computerized data that compromises the security,
confidentiality, or integrity of sensitive PI maintained by an Entity, including
data that is encrypted if the person accessing the data has the key required to
decrypt the data.

 * Good-faith acquisition of sensitive PI by an employee or agent of the Entity
   for the purposes of the Entity is not a breach of system security unless the
   sensitive PI is used or disclosed by the person in an unauthorized manner.




NOTIFICATION OBLIGATION

Any Entity to which the statute applies shall disclose any breach of system
security, after discovering or receiving notification of the breach, to any
person, including nonresidents, whose sensitive PI was, or is reasonably
believed to have been, acquired by an unauthorized person.

[Effective January 1, 2020] Attorney General Notification

Any Entity that is required to provide notification of a security breach to at
least 250 Texas residents, shall notify the attorney general of that breach not
later than 60 days after the Entity determines that a breach has occurred. The
notification must include:

 1. a detailed description of the nature and circumstances of the breach or the
    use of sensitive personal information acquired as a result of the breach;
 2. the number of Texas residents affected by the breach at the time of
    notification;
 3. the measures taken by the Entity regarding the breach;
 4. any measures the Entity intends to take regarding the breach after
    notification; and
 5. information regarding whether law enforcement is investigating the breach.




NOTIFICATION TO CONSUMER REPORTING AGENCIES

If an Entity is required by this section to notify at one time more than 10,000
persons of a breach of system security, the Entity shall also notify, without
unreasonable delay, all consumer reporting agencies that maintain files on
consumers on a nationwide basis of the timing, distribution, and content of the
notices.




THIRD-PARTY DATA NOTIFICATION

Any Entity that maintains computerized data that includes sensitive PI that the
Entity does not own shall notify the owner or license holder of the information
of any breach of system security immediately after discovering the breach, if
the sensitive PI was, or is reasonably believed to have been, acquired by an
unauthorized person.




TIMING OF NOTIFICATION

The disclosure shall be made without unreasonable delay and [effective Jan. 1,
2020] in each case not later than the 60th day after the date on which the
person determines that the breach occurred, consistent with the legitimate needs
of law enforcement, or as necessary to determine the scope of the breach and
restore the reasonable integrity of the data system.




SENSITIVE PERSONAL INFORMATION DEFINITION

An individual’s first name or first initial and last name in combination with
any one or more of the following items, if the name and the items are not
encrypted:

 * Social Security number;
 * Driver’s license number or government-issued ID number; or
 * Account number, credit card number, or debit card number in combination with
   any required security code, access code, or password that would permit access
   to an individual’s financial account.

Sensitive PI also includes information that identifies an individual and relates
to:

 * The physical or mental health or condition of the individual;
 * The provision of health care to the individual; or
 * Payment for the provision of health care to the individual.

Sensitive PI does not include publicly available information that is lawfully
made available to the general public from the federal government or a state or
local government.




NOTICE REQUIRED

Notice may be provided by one of the following methods:

 * Written notice at the last known address of the individual; or
 * Electronic notice, if the notice is consistent with the provisions regarding
   electronic records and signatures set forth in 15 U.S.C. § 7001 (E-Sign Act).

However, if the affected person is a resident of a state that has its own breach
notification requirement, the Entity may provide notice under that state’s law
or under Texas’s law.




SUBSTITUTE NOTICE AVAILABLE

If the Entity demonstrates that the cost of providing notice would exceed
$250,000, the number of affected persons exceeds 500,000, or the Entity does not
have sufficient contact information, the notice may be given by any of the
following:

 * Email notice when the Entity has email addresses for the affected persons;
 * Conspicuous posting of the notice on the Entity’s website; or
 * Notice published in or broadcast on major statewide media.




EXCEPTION: OWN NOTIFICATION POLICY

An Entity that maintains its own notification procedures as part of an
information security policy for the treatment of sensitive PI that complies with
the timing requirements for notice under this section complies with this section
if the Entity notifies affected persons in accordance with that policy.




OTHER KEY PROVISIONS:

 * Delay for Law Enforcement. An Entity may delay providing notice as required
   at the request of a law enforcement agency that determines that the
   notification will impede a criminal investigation. The required notification
   shall be made as soon as the law enforcement agency determines that the
   required notice will not compromise the investigation.
 * Attorney General Enforcement. Remedies include injunctive relief and civil
   penalties of at least $2,000 but not more than $50,000 for each violation.
 * Civil penalties for failure to comply with notification requirements are
   raised to up to $100 per person to whom notification is due, per day, not to
   exceed $250,000 per breach.






TENNESSEE

Name: Tenn. Code 47-18-2107 S.B. 547
Effective Date: April 4, 2017
Link to Documentation



APPLICATION

Any person or business that conducts business in TN, or any agency of TN or any
of its political subdivisions (collectively, Entity), that owns or licenses
computerized data that includes PI.

 * The provisions governing maintenance of PI that the Entity does not own
   appear applicable to any Entity maintaining PI, whether or not the Entity
   conducts business in TN.




SECURITY BREACH DEFINITION

Acquisition of:

 * (i) unencrypted computerized data; or
 * (ii) encrypted computerized data and the encryption key

by an unauthorized person that materially compromises the security,
confidentiality, or integrity of PI maintained by the Entity. “Encrypted” means
computerized data that is rendered unusable, unreadable, or indecipherable
without the use of a decryption process or key and in accordance with the
current version of the Federal Information Processing Standard (FIPS) 140-2.

 * Good-faith acquisition of PI by an employee or agent of the Entity for the
   purposes of the Entity is not a breach of the security of the system,
   provided that the PI is not used or subject to further unauthorized
   disclosure.




NOTIFICATION OBLIGATION

Any Entity to which the statute applies shall disclose any breach of the
security of the system, following discovery or notification of the breach in the
security of the data, to any resident of TN whose PI was, or is reasonably
believed to have been, acquired by an unauthorized person. “Unauthorized person”
includes an employee of the Entity who is discovered by the Entity to have
obtained personal information and intentionally used it for an unlawful purpose.




NOTIFICATION TO CONSUMER REPORTING AGENCIES

If an Entity is required to notify more than 1,000 persons at one time, the
person shall also notify, without unreasonable delay, all consumer reporting
agencies and credit bureaus that compile and maintain files on consumers on a
nationwide basis of the timing, distribution, and content of the notices.




THIRD-PARTY DATA NOTIFICATION

Any Entity that maintains computerized data that includes PI that the Entity
does not own shall notify the owner or licensee of the information of any breach
of the security of the data if the PI was, or is reasonably believed to have
been, acquired by an unauthorized person. The disclosure must be made no later
than 45 days from the discovery or notification of the breach, unless a longer
period of time is required due to the legitimate needs of law enforcement.




TIMING OF NOTIFICATION

The disclosure shall be made immediately, but no later than 45 days from the
discovery or notification of the breach, unless a longer period of time is
required due to the legitimate needs of law enforcement.




PERSONAL INFORMATION DEFINITION

An individual’s first name or first initial and last name, in combination with
any one or more of the following data elements:

 * Social Security number;
 * Driver’s license number; or
 * Account number, credit card number, or debit card number in combination with
   any required security code, access code, or password that would permit access
   to an individual’s financial account.

PI does not include information that is lawfully made available to the general
public from federal, state, or local government records or information that has
been redacted or otherwise made unusable.




NOTICE REQUIRED

Notice may be provided by one of the following methods:

 * Written notice; or
 * Electronic notice, if the notice provided is consistent with the provisions
   regarding electronic records and signatures set forth in 15 U.S.C. § 7001
   (E-Sign Act).




SUBSTITUTE NOTICE AVAILABLE

If the Entity demonstrates that the cost of providing notice would exceed
$250,000, that the affected class of subject persons to be notified exceeds
500,000, or that the Entity does not have sufficient contact information,
substitute notice may be given. Substitute notice shall consist of all of the
following:

 * Email notice when the Entity has email addresses for the subject persons;
 * Conspicuous posting of the notice on the Entity’s website if the Entity
   maintains one; and
 * Notification to major statewide media.




EXCEPTION: OWN NOTIFICATION POLICY

An Entity that maintains its own notification procedures as part of an
information security policy for the treatment of PI and is otherwise consistent
with the timing requirements of the statute shall be deemed to be in compliance
with the notification requirements of the statute if it notifies subject persons
in accordance with its policies in the event of a breach of security of the
system.




EXCEPTION: COMPLIANCE WITH OTHER LAWS

The provisions of this statute shall not apply to any Entity that is subject to:

 * The provisions of Title V of the Gramm-Leach-Bliley Act; and/or
 * The Health Insurance Portability and Accountability Act of 1996 (HIPAA) (42
   U.S.C. § 1320d), as expanded by the Health Information Technology for
   Clinical and Economic Health Act.




OTHER KEY PROVISIONS:

 * Delay for Law Enforcement. The notification required may be delayed if a law
   enforcement agency determines that the notification will impede a criminal
   investigation. The notification required by this section shall be made no
   later than 45 days after the law enforcement agency determines that it will
   not compromise the investigation.
 * Private Right of Action.






SOUTH DAKOTA

Name: S.D. CODE 22-40-20 et seq. South Dakota S.B. 62
Effective Date: July 1, 2018
Link to Documentation 1
Link to Documentation 2



APPLICATION

Any person or business that conducts business in South Dakota, and that owns or
licenses computerized personal or protected information of residents of SD
(“Information Holder”).




SECURITY BREACH DEFINITION

The unauthorized acquisition of unencrypted computerized data or encrypted
computerized data and the encryption key by any person that materially
compromises the security, confidentiality, or integrity of personal or protected
information.

 * Good-faith acquisition of personal or protected information by an employee or
   agent of an Information Holder is not a security breach, provided that the
   information is not used for a purpose unrelated to the business or subject to
   further unauthorized use.




NOTIFICATION OBLIGATION

Any Information Holder that discovers or is notified of a breach of system
security must notify affected individuals and consumer reporting agencies (see
below).

 * Notice is not required if, following appropriate investigation and
   notification to the Attorney General, the Information Holder reasonably
   believes the incident will not result in harm to affected individuals. The
   Information Holder shall document this determination in writing and keep
   record of this documentation for 3 years.




ATTORNEY GENERAL NOTIFICATION

If the number of affected individuals exceeds 250 residents, the Information
Holder must notify the Attorney General.




NOTIFICATION TO CONSUMER REPORTING AGENCIES

The Information Holder must notify, without unreasonable delay, all consumer
reporting agencies and any other credit bureau or agency that compiles and
maintains files on consumers on a nationwide basis.




TIMING OF NOTIFICATION

Notice must be given no later than 60 days from when the Information Holder
discovers or is notified of a breach.




PERSONAL INFORMATION DEFINITION

SD’s statute covers both “personal information” and “protected information.”

“Personal information” means a person’s first name or first initial and last
name, in combination with any one or more of the following data elements:

 * Social Security number;
 * Driver’s license number or any other unique identification number created or
   collected by a government body;
 * Account number, credit card number, or debit card number in combination with
   any required security code, access code, password, routing number, PIN, or
   any additional information that is necessary to access the financial account;
 * Health information as defined in 45 CFR 160.103 (HIPAA);
 * An identification number assigned to a person by the person’s employer in
   combination with any required security code, access code, password, or
   biometric data generated from measurements or analysis of human body
   characteristics for authentication purposes.

The term does not include information that is lawfully made available to the
general public from federal, state, or local government records or information
that has been redacted, or otherwise made unusable.

“Protected information” includes:

 * A user name or email address, in combination with a password, security
   question answer, or other information that permits access to an online
   account; and
 * Account number or credit and debit card number, in combination with any
   required security code, access code, or password that permits access to a
   person’s financial account.




NOTICE REQUIRED

Notice may be provided by one of the following methods:

 * Written notice;
 * Electronic notice, if the electronic notice is consistent with the
   requirements for electronic records and signatures set forth in 15 U.S.C. §
   7001 (E-Sign Act), or if the information holder’s primary method of
   communication with the SD resident has been by electronic means.




SUBSTITUTE NOTICE AVAILABLE

Substitute notice is acceptable if the cost of notification will exceed
$250,000, the affected class of persons to be notified exceeds 500,000 persons,
or the information holder does not have sufficient contact information, and the
notice consists of each of the following:

 * Email notice, if the information holder has the affected individual’s email
   address;
 * Conspicuous posting of the notice on the website of the Information Holder,
   if it has a website; and
 * Notification to statewide media.




EXCEPTION: COMPLIANCE WITH OTHER LAWS

 * An Information Holder subject to or regulated by federal laws, rules,
   regulations, procedures, or guidance (including the Gramm-Leach-Bliley Act
   and HIPAA) is considered in compliance with the Act as long as the
   Information Holder maintains procedures pursuant to the federal law
   requirements and provides notice to consumers pursuant to those requirements.
 * An Information Holder that maintains its own notification procedure as part
   of its information security policy, and the policy is consistent with the
   timing requirements of the Act, is considered in compliance with the
   notification requirements of this Act if it notifies affected persons in
   accordance with its internal policy.




OTHER KEY PROVISIONS:

 * Delay for Law Enforcement. Notice may be delayed if a law enforcement agency
   determines that the notice will impede a criminal investigation. The
   Information Holder must provide notice within 30 days after the law
   enforcement agency determines notice will no longer impede a criminal
   investigation.
 * Attorney General Enforcement. The Attorney General can bring an action for
   civil penalties under the Act.






SOUTH CAROLINA

Name: S.C. Code 39-1-90 H.B. 3248
Effective Date: April 23, 2013
Link to Documentation



APPLICATION

A natural person, an individual, or a corporation, government or governmental
subdivision or agency, trust, estate, partnership, cooperative or association
(collectively, Entity) conducting business in SC, and owning or licensing
computerized data or other data that includes PI.




SECURITY BREACH DEFINITION

Unauthorized access to and acquisition of computerized data that was not
rendered unusable through encryption, redaction, or other methods that
compromises the security, confidentiality, or integrity of PI maintained by the
Entity, when illegal use of the information has occurred or is reasonably likely
to occur or use of the information creates a material risk of harm to a
resident.

 * Good-faith acquisition of PI by an employee or agent of the Entity for the
   purposes of its business is not a breach of the security of the system if the
   PI is not used or subject to further unauthorized disclosure.




NOTIFICATION OBLIGATION

Any Entity to which the statute applies shall disclose a breach of the security
of the system following discovery or notification of the breach in the security
of the data to a resident of SC whose unencrypted and unredacted PI was, or is
reasonably believed to have been, acquired by an unauthorized person when the
illegal use of the information has occurred or is reasonably likely to occur or
use of the information creates a material risk of harm to the resident.




NOTIFICATION TO CONSUMER REPORTING AGENCIES

If an Entity provides notice to more than 1,000 persons at one time pursuant to
the statute, the Entity shall notify, without unreasonable delay, all consumer
reporting agencies that compile and maintain files on a nationwide basis of the
timing, distribution, and content of the notice.




ATTORNEY GENERAL/AGENCY NOTIFICATION

If an Entity provides notice to more than 1,000 SC residents, the Entity shall
notify, without unreasonable delay, the Consumer Protection Division of the
Department of Consumer Affairs of the timing, distribution, and content of the
notice.




THIRD-PARTY DATA NOTIFICATION

An Entity conducting business in SC and maintaining computerized data or other
data that includes PI that the Entity does not own shall notify the owner or
licensee of the information of a breach of the security of the data immediately
following discovery, if the PI was, or is reasonably believed to have been,
acquired by an unauthorized person.




TIMING OF NOTIFICATION

The disclosure must be made in the most expedient time possible and without
unreasonable delay, consistent with measures necessary to determine the scope of
the breach and restore the reasonable integrity of the data system.




PERSONAL INFORMATION DEFINITION

The first name or first initial and last name in combination with and linked to
any one or more of the following data elements that relate to a resident of SC,
when the data elements are neither encrypted nor redacted:

 * Social Security number;
 * Driver’s license number or state identification card number issued instead of
   a driver license;
 * Financial account number, credit card number, or debit card number in
   combination with any required security code, access code, or password that
   would permit access to a resident’s financial account; or
 * Other numbers or information that may be used to access a person’s financial
   accounts or numbers or information issued by a governmental or regulatory
   entity that uniquely will identify an individual.

PI does not include information that is lawfully obtained from publicly
available information, or from federal, state, or local government records
lawfully made available to the general public.




NOTICE REQUIRED

Notice may be provided by one of the following methods:

 * Written notice;
 * Telephonic notice; or
 * Electronic notice, if the person’s primary method of communication with the
   individual is by electronic means or is consistent with the provisions
   regarding electronic records and signatures set forth in 15 U.S.C. § 7001
   (E-Sign Act).




SUBSTITUTE NOTICE AVAILABLE

If the Entity demonstrates that the cost of providing notice exceeds $250,000,
that the affected class of subject persons to be notified exceeds 500,000, or
that the Entity has insufficient contact information, substitute notice may be
given. Substitute notice consists of:

 * Email notice when the Entity has email addresses for the subject persons;
 * Conspicuous posting of the notice on the Entity’s website, if the Entity
   maintains one; and
 * Notification to major statewide media.




EXCEPTION: OWN NOTIFICATION POLICY

An Entity that maintains its own notification procedures as part of an
information security policy for the treatment of PI and is otherwise consistent
with the timing requirements of the statute shall be deemed to be in compliance
with the notification requirements of the statute if it notifies subject persons
in accordance with its policies in the event of a breach of security of the
system.




EXCEPTION: COMPLIANCE WITH OTHER LAWS

 * Gramm-Leach-Bliley Act. This section does not apply to a bank or financial
   institution that is subject to and in compliance with the privacy and
   security provisions of the Gramm-Leach-Bliley Act.
 * Interagency Guidance. A financial institution that is subject to and in
   compliance with the federal Interagency Guidance Response Programs for
   Unauthorized Access to Consumer Information and Customer Notice, issued March
   7, 2005, by the Board of Governors of the Federal Reserve System, the Federal
   Deposit Insurance Corporation, the Office of the Comptroller of the Currency,
   and the Office of Thrift Supervision, as amended, is considered to be in
   compliance with this section.




PENALTIES

A person who knowingly and willfully violates this section is subject to an
administrative fine of $1,000 for each SC resident whose information was
accessible by reason of the breach, the amount to be decided by the Department
of Consumer Affairs.




OTHER KEY PROVISIONS:

 * Delay for Law Enforcement. The notification required by the statute may be
   delayed if a law enforcement agency determines that the notification impedes
   a criminal investigation. The notification required by the statute must be
   made after the law enforcement agency determines that it no longer
   compromises the investigation.
 * Private Right of Action. A resident of SC who is injured by a violation of
   this section, in addition to and cumulative of all other rights and remedies
   available at law, may institute a civil action to recover damages in case of
   a willful and knowing violation; institute a civil action to recover only
   actual damages resulting from a violation in case of a negligent violation;
   seek an injunction to enforce compliance; and recover attorney’s fees and
   court costs, if successful.






RHODE ISLAND

Name: R.I. Gen. Laws § 11-49.2-1 et seq.; will be repealed effective June 26,
2016 and replaced by 11-49.3-1, et seq. S.B. 0134
Effective Date: June 26, 2016
Link to Documentation



APPLICATION

A municipal agency, state agency, individual, sole proprietorship, partnership,
association, corporation, joint venture, business or legal entity, trust,
estate, cooperative, or other commercial entity (collectively, Entity) that
stores, owns, collects, processes, maintains, acquires, uses, or licenses data
that includes PI.




SECURITY BREACH DEFINITION

Unauthorized access or acquisition of unencrypted computerized data that
compromises the security, confidentiality, or integrity of PI maintained by the
Entity.

 * Good-faith acquisition of PI by an employee or agent of the Entity for the
   purposes of the Entity is not a breach of the security of the system,
   provided that the PI is not used or subject to further unauthorized
   disclosure.




NOTIFICATION OBLIGATION

Any Entity to which the statute applies shall provide notification of any
disclosure of PI or any breach of the security of the system that poses a
significant risk of identity theft to any resident of RI whose unencrypted PI
was, or is reasonably believed to have been, acquired by an unauthorized person
or entity.




ATTORNEY GENERAL AND CREDIT REPORTING AGENCY NOTIFICATION

In the event that more than 500 RI residents are to be notified, the Entity
shall notify the Attorney General and the major credit reporting agencies as to
the timing, content, and distribution of the notices and the approximate number
of affected individuals. Notification to the Attorney General and the major
credit reporting agencies shall be made without delaying notice to affected RI
residents.




TIMING OF NOTIFICATION

The notification shall be made in the most expedient time possible but no later
than 45 calendar days after confirmation of the breach and the ability to
ascertain the information required to fulfill the notice requirements and shall
be consistent with the legitimate needs of law enforcement.




PERSONAL INFORMATION DEFINITION

An individual’s first name or first initial and last name in combination with
any one or more of the following data elements, when either the name or the data
elements are not encrypted or are in hard copy paper format:

 * Social Security number;
 * Driver’s license number, state identification card number, or tribal
   identification number; or
 * Account number, credit card number, or debit card number in combination with
   any required security code, access code, password, or personal identification
   number that would permit access to an individual’s financial account;
 * Medical or health insurance information; or
 * Email address with any required security code, access code, or password that
   would permit access to an individual’s personal, medical, insurance, or
   financial account.

“Encrypted” means the transformation of data through the use of a 128-bit or
higher algorithmic process into a form in which there is a low probability of
assigning meaning without use of a confidential process or key. Data shall not
be considered encrypted if it is acquired in combination with any key, security
code, or password that would permit access to the encrypted data.

PI does not include publicly available information that is lawfully made
available to the general public from federal, state, or local government
records.




NOTICE REQUIRED

Notice may be provided by any of the following methods:

 * Written notice; or
 * Electronic notice, if the notice provided is consistent with the provisions
   regarding electronic records and signatures set forth in 15 U.S.C. § 7001
   (E-Sign Act).

The notification to individuals must include the following information to the
extent known:

 * A general and brief description of the incident, including how the security
   breach occurred and the number of affected individuals;
 * The type of information that was subject to the breach;
 * The date of breach, estimated date of breach, or the date range within which
   the breach occurred;
 * The date that the breach was discovered;
 * A clear and concise description of any remediation services offered to
   affected individuals including toll free numbers and websites to contact (i)
   credit reporting agencies; (ii) remediation service providers; and (iii) the
   Attorney General; and
 * A clear and concise description of the consumer’s ability to file or obtain a
   police report, how the consumer can request a security freeze and the
   necessary information to be provided when requesting the security freeze, and
   any fees that may be required to be paid to the consumer reporting agencies.




SUBSTITUTE NOTICE AVAILABLE

If the Entity demonstrates that the cost of providing notice would exceed
$25,000, or that the affected class of subject persons to be notified exceeds
50,000, or the Entity does not have sufficient contact information. Substitute
notice shall consist of all of the following:

 * Email notice when the Entity has email addresses for the subject persons;
 * Conspicuous posting of the notice on the Entity’s website if the Entity
   maintains one; and
 * Notification to major statewide media.




EXCEPTION: OWN NOTIFICATION POLICY

Any Entity that maintains its own security breach procedures as part of an
information security policy for the treatment of PI and otherwise complies with
the timing requirements of the statute shall be deemed to be in compliance with
the security breach notification requirements, provided such Entity notifies
subject persons in accordance with such Entity’s policies in the event of a
breach of security.




EXCEPTION: COMPLIANCE WITH OTHER LAWS

 * Compliance with Primary Regulator. Any Entity that maintains a security
   breach procedure pursuant to the rules, regulations, procedures, or
   guidelines established by the primary or functional regulator shall be deemed
   to be in compliance with the security breach notification requirements of
   this section, provided such Entity notifies subject persons in accordance
   with the policies or the rules, regulations, procedures, or guidelines
   established by the primary or functional regulator in the event of a breach
   of security of the system.
 * Federal Interagency Guidance. A financial institution, trust company, credit
   union, or its affiliates that is subject to and examined for and found in
   compliance with the Federal Interagency Guidelines on Response Programs for
   Unauthorized Access to Customer Information and Customer Notice shall be
   deemed in compliance with this chapter.
 * HIPAA-Covered Entities. A provider of health care, health care service plan,
   health insurer, or a covered entity governed by the medical privacy and
   security rules issued by the federal Department of Health and Human Services
   pursuant to the Health Insurance Portability and Accountability Act of 1996
   (HIPAA) shall be deemed in compliance with this chapter.




PENALTIES

Each reckless violation is a civil violation for which a penalty of not more
than $100 per record may be adjudged against a defendant. Each knowing and
willful violation of this chapter is a civil violation for which a penalty of
not more than $200 per record may be adjudged against a defendant. Whenever the
Attorney General has reason to believe that a violation has occurred and that
proceedings would be in the public interest, the Attorney General may bring an
action in the name of the state against the business or person in violation.




OTHER KEY PROVISIONS:

 * Delay for Law Enforcement. The notification required by this section may be
   delayed if a federal, state, or local law enforcement agency determines that
   the notification will impede a criminal investigation. The law enforcement
   agency must notify the Entity of the request to delay notification without
   unreasonable delay. If notice is delayed due to such determination, then as
   soon as the law enforcement agency determines and informs the Entity that
   notification no longer poses a risk of impeding an investigation, notice
   shall be provided, as soon as practicable. The Entity shall cooperate with
   law enforcement in its investigation of any breach of security or
   unauthorized acquisition or use, which shall include the sharing of
   information relevant to the incident; provided, however, that such disclosure
   shall not require the disclosure of confidential business information or
   trade secrets.
 * Waiver Not Permitted.






PENNSYLVANIA

Name: 73 Pa. Stat. 2301 et seq. S.B. 712
Effective Date: June 20, 2006
Link to Documentation



APPLICATION

Any state agency, political subdivision, or an individual or a business
(collectively, Entity) doing business in PA that maintains, stores, or manages
computerized data that includes PI of PA residents.

 * The provisions governing maintenance of PI that the Entity does not own
   appear applicable to any Entity maintaining PI, whether or not the Entity
   conducts business in PA.




SECURITY BREACH DEFINITION

Unauthorized access and acquisition of computerized data that materially
compromises the security or confidentiality of PI maintained by the Entity as
part of a database of PI regarding multiple individuals and that causes or the
Entity reasonably believes has caused or will cause loss or injury to any
resident of PA.

 * Good-faith acquisition of PI by an employee or agent of the Entity for the
   purposes of the Entity is not a breach of the security of the system if the
   PI is not used for a purpose other than the lawful purpose of the Entity and
   is not subject to further unauthorized disclosure.




NOTIFICATION OBLIGATION

Any Entity to which the statute applies shall provide notice of any breach of
the security of the system following discovery of the breach of the security of
the system to any individual whose principal mailing address, as reflected in
the computerized data that is maintained, stored, or managed by the Entity, is
in PA whose unencrypted and unredacted PI was or is reasonably believed to have
been accessed and acquired by an unauthorized person.

 * An Entity must provide notice of the breach if encrypted information is
   accessed and acquired in an unencrypted form, if the security breach is
   linked to a breach of the security of the encryption, or if the security
   breach involves a person with access to the encryption.




NOTIFICATION TO CONSUMER REPORTING AGENCIES

When an Entity provides notification under this act to more than 1,000 persons
at one time, the Entity shall also notify, without unreasonable delay, all
consumer reporting agencies that compile and maintain files on consumers on a
nationwide basis of the timing, distribution and number of notices.




THIRD-PARTY DATA NOTIFICATION

An Entity that maintains, stores, or manages computerized data on behalf of
another Entity shall provide notice of any breach of the security system
following discovery to the Entity on whose behalf it maintains, stores or
manages the data.




TIMING OF NOTIFICATION

Except to take any measures necessary to determine the scope of the breach and
to restore the reasonable integrity of the data system, the notice shall be made
without unreasonable delay.




PERSONAL INFORMATION DEFINITION

An individual’s first name or first initial and last name in combination with
and linked to any one or more of the following data elements when the data
elements are not encrypted or redacted:

 * Social Security number;
 * Driver’s license number or state identification card number issued in lieu of
   a driver license; or
 * Account number, credit card number, or debit card number in combination with
   any required security code, access code, or password that would permit access
   to an individual’s financial account.

PI does not include publicly available information that is lawfully made
available to the general public from federal, state, or local government
records.




NOTICE REQUIRED

Notice may be provided by any of the following methods:

 * Written notice to the last known home address for the individual;
 * Telephonic notice, if the customer can be reasonably expected to receive it
   and the notice is given in a clear and conspicuous manner, describes the
   incident in general terms, and verifies PI but does not require the customer
   to provide PI, and the customer is provided with a telephone number to call
   or a website to visit for further information or assistance; or
 * Email notice, if a prior business relationship exists and the Entity has a
   valid email address for the individual.




SUBSTITUTE NOTICE AVAILABLE

If the Entity demonstrates that the cost of providing notice would exceed
$100,000, the affected class of subject persons to be notified exceeds 175,000,
or the Entity does not have sufficient contact information. Substitute notice
shall consist of all of the following:

 * Email notice when the Entity has an email address for the subject persons;
 * Conspicuous posting of the notice on the Entity’s website, if the Entity
   maintains one; and
 * Notification to major statewide media.




EXCEPTION: OWN NOTIFICATION POLICY

An Entity that maintains its own notification procedures as part of an
information privacy or security policy for the treatment of PI and is consistent
with the notice requirements of this act shall be deemed to be in compliance
with the notification requirements of this act if it notifies subject persons in
accordance with its policies in the event of a breach of security.




EXCEPTION: COMPLIANCE WITH OTHER LAWS

 * Compliance with Primary Regulator. An Entity that complies with the
   notification requirements or procedures pursuant to the rules, regulations,
   procedures, or guidelines established by the Entity’s primary or functional
   federal regulator shall be in compliance with this Act.
 * Federal Interagency Guidance. A financial institution that complies with the
   notification requirements prescribed by the Federal Interagency Guidance on
   Response Programs for Unauthorized Access to Customer Information and
   Customer Notice is deemed to be in compliance with this Act.




OTHER KEY PROVISIONS:

 * Delay for Law Enforcement. Notification required may be delayed if a law
   enforcement agency determines and advises the Entity in writing, specifically
   referencing the statute, that the notification will impede a criminal or
   civil investigation. The required notification shall be made after the law
   enforcement agency determines that it will not compromise the investigation
   or national or homeland security.
 * Attorney General Enforcement. The Attorney General shall have exclusive
   authority to bring an action under the Unfair Trade Practices and Consumer
   Protection Law for a violation of the statute.






OKLAHOMA

Name: 24 Okla. Stat. 161 et seq., 74-3113.1 H.B. 2245
Effective Date: November 1, 2008
Link to Documentation 1
Link to Documentation 2



APPLICATION

Any corporations, business trusts, estates, partnerships, limited partnerships,
limited liability partnerships, limited liability companies, associations,
organizations, joint ventures, governments, governmental subdivisions, agencies,
or instrumentalities, or any other legal entity, whether for profit or
not-for-profit (collectively, Entity) that owns or licenses computerized data
that includes PI of OK residents.




SECURITY BREACH DEFINITION

Unauthorized access and acquisition of unencrypted and unredacted computerized
data that compromises the security or confidentiality of PI maintained by an
Entity as part of a database of PI regarding multiple individuals and that
causes, or the Entity reasonably believes has caused or will cause, identity
theft or other fraud to any resident of OK.

 * Good-faith acquisition of PI by an employee or agent of an Entity for the
   purposes of the Entity is not a breach of the security of the system,
   provided that the PI is not used for a purpose other than a lawful purpose of
   the Entity or subject to further unauthorized disclosure.




NOTIFICATION OBLIGATION

Any Entity to which the statute applies shall disclose any breach of the
security of the system following discovery or notification of the breach of the
security of the system to any resident of OK whose unencrypted and unredacted PI
was or is reasonably believed to have been accessed and acquired by an
unauthorized person and that causes, or the individual or entity reasonably
believes has caused or will cause, identity theft or other fraud to any resident
of OK.

 * An Entity must disclose the breach of the security of the system if encrypted
   information is accessed and acquired in an unencrypted form or if the
   security breach involves a person with access to the encryption key and the
   individual or entity reasonably believes that such breach has caused or will
   cause identity theft or other fraud to any resident of OK.




THIRD-PARTY DATA NOTIFICATION

An Entity that maintains computerized data that includes PI that the Entity does
not own or license shall notify the owner or licensee of the information of any
breach of the security of the system as soon as practicable following discovery,
if the PI was or if the Entity reasonably believes was accessed and acquired by
an unauthorized person.




TIMING OF NOTIFICATION

The disclosure shall be made without unreasonable delay consistent with any
measures necessary to determine the scope of the breach and to restore the
reasonable integrity of the system.




PERSONAL INFORMATION DEFINITION

The first name or first initial and last name of an individual in combination
with and linked to any one or more of the following data elements that relate to
a resident of OK, when the data elements are neither encrypted nor redacted:

 * Social Security number;
 * Driver’s license or state identification card number issued in lieu of a
   driver license; or
 * Account number, credit card number, or debit card number in combination with
   any required security code, access code, or password that would permit access
   to the financial accounts of a resident.

PI shall not include information that is lawfully obtained from publicly
available information, or from federal, state, or local government records
lawfully made available to the general public.




NOTICE REQUIRED

Notice means one of the following methods:

 * Written notice to the postal address in the records of the Entity;
 * Telephonic notice; or
 * Electronic notice.




SUBSTITUTE NOTICE AVAILABLE

If an Entity demonstrates that the cost of providing notice would exceed
$50,000, the affected class of residents to be notified exceeds 100,000, or the
Entity does not have sufficient contact information or consent to provide
notice. Substitute notice consists of any two of the following:

 * Email notice, if the Entity has email addresses for the members of the
   affected class of residents;
 * Conspicuous posting of the notice on the Entity’s website if the Entity
   maintains one; or
 * Notification to major statewide media.




EXCEPTION: OWN NOTIFICATION POLICY

An Entity that maintains its own notification procedures as part of an
information privacy or security policy for the treatment of PI, where those
procedures are consistent with the timing requirements of the statute, shall be
deemed to be in compliance with the notification requirements of the statute if
it notifies residents of OK in accordance with its procedures in the event of a
breach of security of the system.




EXCEPTION: COMPLIANCE WITH OTHER LAWS

 * Interagency Guidance. A financial institution that complies with the
   notification requirements prescribed by the Federal Interagency Guidance on
   Response Programs for Unauthorized Access to Customer Information and
   Customer Notice is deemed to be in compliance with the provisions of the
   statute.
 * Primary Regulator. An Entity that complies with the notification requirements
   or procedures pursuant to the rules, regulation, procedures, or guidelines
   established by the primary or functional federal regulator of the Entity
   shall be deemed to be in compliance with the provisions of the statute.




PENALTIES

The state Attorney General or a district attorney shall have exclusive authority
to bring an action and may obtain either actual damages for a violation of the
statute or a civil penalty not to exceed $150,000 per breach of the security of
the system or series of breaches of a similar nature that are discovered in a
single investigation.




OTHER KEY PROVISIONS:

 * Delay for Law Enforcement. Notice required may be delayed if a law
   enforcement agency determines and advises the Entity that the notice will
   impede a criminal or civil investigation or homeland or national security.
   Notice required must be made without unreasonable delay after the law
   enforcement agency determines that notification will no longer impede the
   investigation or jeopardize national or homeland security.






OHIO

Name: Ohio Rev. Code 1347.12, 1349.19, 1349.191, 1349.192
Ohio Rev. Code 1349.19 H.B. 104
Effective Date: February 17, 2006
Link to Documentation 1
Link to Documentation 2
Link to Documentation 3
Link to Documentation 4



APPLICATION

Any individual, corporation, business trust, estate, trust, partnership, or
association (collectively, Entity) that conducts business in OH and owns or
licenses computerized data that includes PI.

 * The provisions governing maintenance of PI that the Entity does not own
   appear applicable to any Entity maintaining PI, whether or not the Entity
   conducts business in OH.




SECURITY BREACH DEFINITION

Unauthorized access to and acquisition of computerized data that compromises the
security or confidentiality of PI owned or licensed by an Entity and that
causes, reasonably is believed to have caused, or reasonably is believed will
cause a material risk of identity theft or other fraud to the person or property
of a resident of OH.

 * Good faith acquisition of PI by an employee or agent of the Entity for the
   purposes of the Entity is not a breach, provided that the personal
   information is not used for an unlawful purpose or subject to further
   unauthorized disclosure.
 * Acquisition of personal information pursuant to a search warrant, subpoena,
   or other court order, or pursuant to a subpoena, order, or duty of a
   regulatory state agency, is not a breach.




NOTIFICATION OBLIGATION

Any Entity to which the statute applies shall disclose any breach of the
security of the system, following its discovery or notification of the breach of
the security of the system, to any individual whose principal mailing address as
reflected in the records of the Entity is in OH and whose PI was, or reasonably
is believed to have been, accessed and acquired by an unauthorized person if the
access and acquisition by the unauthorized person causes or reasonably is
believed will cause a material risk of identity theft or other fraud to the
resident.




NOTIFICATION TO CONSUMER REPORTING AGENCIES

If an Entity discovers circumstances that require disclosure under this section
to more than 1,000 residents of OH involved in a single occurrence of a breach
of the security of the system, the Entity shall notify, without unreasonable
delay, all consumer reporting agencies that compile and maintain files on
consumers on a nationwide basis of the timing, distribution, and content of the
disclosure given by the Entity to the residents of OH. This requirement does not
apply to “covered entities” as defined in the Health Insurance Portability and
Accountability Act of 1996 (HIPAA).




THIRD-PARTY DATA NOTIFICATION

Any Entity that, on behalf of or at the direction of another Entity or on behalf
of or at the direction of any governmental entity, is the custodian of or stores
computerized data that includes PI shall notify that other Entity or
governmental entity of any breach of the security of the system in an
expeditious manner, if the PI was, or reasonably is believed to have been,
accessed and acquired by an unauthorized person and if the access and
acquisition by the unauthorized person causes or reasonably is believed will
cause a material risk of identity theft or other fraud to a resident of OH.




TIMING OF NOTIFICATION

The disclosure shall be made in the most expedient time possible but not later
than 45 days following discovery or notification of the breach in the security
of the system, consistent with any measures necessary to determine the scope of
the breach, including which residents’ PI was accessed and acquired, and to
restore the reasonable integrity of the data system.




PERSONAL INFORMATION DEFINITION

An individual’s name, consisting of the individual’s first name or first initial
and last name, in combination with and linked to any one or more of the
following data elements, when the data elements are not encrypted, redacted, or
altered by any method or technology in such a manner that the data elements are
unreadable:

 * Social Security number;
 * Driver’s license number or state identification card number; or
 * Account number, credit card number, or debit card number in combination with
   and linked to any required security code, access code, or password that would
   permit access to an individual’s financial account.

PI does not include publicly available information that is lawfully made
available to the general public from federal, state, or local government records
or any of the following that are widely distributed:

 * Any news, editorial, or advertising statement published in any bona fide
   newspaper, journal, or magazine, or broadcast over radio or television, or
   any type of media similar in nature;
 * Any gathering or furnishing of information or news by any bona fide reporter,
   correspondent, or news bureau to any bona fide newspaper, journal, magazine,
   radio or television news media, or any types of media similar in nature; or
 * Any publication designed for and distributed to members of any bona fide
   association or charitable or fraternal nonprofit corporation, or any type of
   media similar in nature.




NOTICE REQUIRED

Notice may be provided by any of the following methods:

 * Written notice;
 * Telephonic notice; or
 * Electronic notice, if the Entity’s primary method of communication with the
   resident to whom the disclosure must be made is by electronic means.




SUBSTITUTE NOTICE AVAILABLE

If the Entity demonstrates that the cost of providing disclosure or notice to
residents to whom disclosure or notification is required would exceed $250,000,
that the affected class of subject residents to whom disclosure or notification
is required exceeds 500,000 persons, or that it does not have sufficient contact
information to provide written, telephonic or electronic notice. Substitute
notice under this division shall consist of all of the following:

 * Email notice, if the Entity has an email address for the resident to whom the
   disclosure must be made;
 * Conspicuous posting of the notice on the Entity’s website, if the Entity
   maintains one; and
 * Notification to major media outlets, to the extent that the cumulative total
   of the readership, viewing audience, or listening audience of all of the
   outlets so notified equals or exceeds 75% of the population of OH.




SUBSTITUTE NOTICE EXCEPTION

If the Entity demonstrates it has 10 employees or fewer and that the cost of
providing the disclosures or notices to residents to whom disclosure or
notification is required will exceed $10,000. Substitute notice under this
division shall consist of all of the following:

 * Notification by a paid advertisement in a local newspaper that is distributed
   in the geographic area in which the Entity is located, which advertisement
   shall be of sufficient size that it covers at least one-quarter of a page in
   the newspaper and shall be published in the newspaper at least once a week
   for 3 consecutive weeks;
 * Conspicuous posting of the disclosure or notice on the Entity’s website if
   the Entity maintains one; and
 * Notification to major media outlets in the geographic area in which the
   Entity is located.




EXCEPTION: COMPLIANCE WITH OTHER LAWS

 * A financial institution, trust company, or credit union or any affiliate of a
   financial institution, trust company, or credit union that is required by
   federal law, including, but not limited to, any federal statute, regulation,
   regulatory guidance, or other regulatory action, to notify its customers of
   an information security breach with respect to information about those
   customers and that is subject to examination by its functional government
   regulatory agency for compliance with the applicable federal law, is exempt
   from the requirements of the statute.




EXCEPTION: PREEXISTING CONTRACT

Disclosure may be made pursuant to any provision of a contract entered into by
the Entity with another Entity prior to the date the breach of the security of
the system occurred if that contract does not conflict with any provision of
this section and does not waive any provision of this section.




OTHER KEY PROVISIONS:

 * Delay for Law Enforcement. The Entity may delay the disclosure if a law
   enforcement agency determines that the disclosure or notification will impede
   a criminal investigation or jeopardize homeland or national security, in
   which case, the Entity shall make the disclosure or notification after the
   law enforcement agency determines that disclosure or notification will not
   compromise the investigation or jeopardize homeland or national security.
 * Attorney General Enforcement. The Attorney General may conduct an
   investigation and bring a civil action upon an alleged failure by an Entity
   to comply with this statute.






NORTH DAKOTA

Name: N.D. Cent. Code 51-30-01 et seq. S.B. 2214
Effective Date: August 1, 2015
Link to Documentation



APPLICATION

Any Entity that conducts business in ND and that owns or licenses computerized
data that includes PI.

 * The provisions governing maintenance of PI that the Entity does not own
   appear applicable to any Entity maintaining PI, whether or not the Entity
   conducts business in ND.




SECURITY BREACH DEFINITION

Unauthorized acquisition of computerized data when access to PI has not been
secured by encryption or by any other method or technology that renders the
electronic files, media, or databases unreadable or unusable.

 * Good-faith acquisition of PI by an employee or agent of the Entity is not a
   breach of the security of the system if the PI is not used or subject to
   further unauthorized disclosure.




NOTIFICATION OBLIGATION

Any Entity to which the statute applies shall disclose any breach of the
security of the system following discovery or notification of the breach in the
security of the data to any resident of ND whose unencrypted PI was, or is
reasonably believed to have been, acquired by an unauthorized person.




ATTORNEY GENERAL NOTIFICATION

Any person that experiences a breach of the security system shall disclose to
the Attorney General by mail or email any breach of the security system that
exceeds 250 individuals.




THIRD-PARTY DATA NOTIFICATION

Any person that maintains computerized data that includes PI that the person
does not own shall notify the owner or licensee of the information of the breach
of the security of the data immediately following the discovery if the PI was,
or is reasonably believed to have been, acquired by an unauthorized person.




TIMING OF NOTIFICATION

The disclosure must be made in the most expedient time possible and without
unreasonable delay, consistent with any measures necessary to determine the
scope of the breach and to restore the integrity of the data system.




PERSONAL INFORMATION DEFINITION

An individual’s first name or first initial and last name in combination with
any of the following data elements, when the name and the data elements are not
encrypted:

 * Social Security number;
 * The operator’s license number assigned to an individual by the Department of
   Transportation;
 * A non-driver color photo identification card number assigned to the
   individual by the Department of Transportation;
 * An account number, credit card number, or debit card number in combination
   with any required security code, access code, or password that would permit
   access to an individual’s financial accounts;
 * The individual’s date of birth;
 * The maiden name of the individual’s mother;
 * Medical information;
 * Health insurance information;
 * An identification number assigned to the individual by the individual’s
   employer in combination with any required security code, access code, or
   password; or
 * The individual’s digitized or other electronic signature.

PI does not include publicly available information that is lawfully made
available to the general public from federal, state, or local government
records.




NOTICE REQUIRED

Notice may be provided by one of the following methods:

 * Written notice; or
 * Electronic notice, if the notice provided is consistent with the provisions
   regarding electronic records and signatures set forth in 15 U.S.C. § 7001
   (E-Sign Act).




SUBSTITUTE NOTICE AVAILABLE

If the person demonstrates that the cost of providing notice would exceed
$250,000, the affected class of subject individuals to be notified exceeds
500,000, or the person does not have sufficient contact information. Substitute
notice shall consist of all of the following:

 * Email notice when the person has email addresses for the subject persons;
 * Conspicuous posting of the notice on the Entity’s website, if the Entity
   maintains one; and
 * Notification to major statewide media.




EXCEPTION: OWN NOTIFICATION POLICY

An Entity that maintains its own notification procedures as part of an
information security policy for the treatment of PI and is otherwise consistent
with the timing requirements of this chapter is deemed to be in compliance with
the notification requirements of this chapter if the Entity notifies subject
individuals in accordance with its policies in the event of a breach of security
of the system.




EXCEPTION: COMPLIANCE WITH OTHER LAWS

 * A financial institution, trust company, or credit union that is subject to,
   examined for, and in compliance with the Federal Interagency Guidance on
   Response Programs for Unauthorized Access to Customer Information and
   Customer Notice is deemed to be in compliance with this chapter.
 * An Entity, business associate, or subcontractor that is subject to the breach
   notification requirements of title 45 of the Code of Federal Regulations,
   part 164, subpart D, is considered to be in compliance with this chapter.




OTHER KEY PROVISIONS:

 * Delay for Law Enforcement. The notification required by this chapter may be
   delayed if a law enforcement agency determines that the notification will
   impede a criminal investigation. The required notification must be made after
   the law enforcement agency determines that the notification will not
   compromise the investigation.
 * Attorney General Enforcement.






NORTH CAROLINA

Name: N.C. Gen. Stat. 75-61, 75-65
Amended by S.B. 1017
Link to Documentation 1
Link to Documentation 2



APPLICATION

Any sole proprietorship, partnership, corporation, association, or other group,
however organized and whether or not organized to operate at a profit, including
a financial institution organized, chartered, or holding a license or
authorization certificate under the laws of any state or country, or the parent
or the subsidiary of any such financial institution, but not including any
government or governmental subdivision or agency (collectively, Entity) that
owns or licenses PI of residents of NC or any Entity that conducts business in
NC that owns or licenses PI in any form (computerized, paper, or otherwise).




SECURITY BREACH DEFINITION

An incident of unauthorized access to and acquisition of unencrypted and
unredacted records or data containing PI where illegal use of the PI has
occurred or is reasonably likely to occur or that creates a material risk of
harm to a consumer. Any incident of unauthorized access to and acquisition of
encrypted records or data containing PI along with the confidential process or
key shall constitute a security breach.

 * Good-faith acquisition of PI by an employee or agent of the Entity for a
   legitimate purpose is not a security breach, provided that the PI is not used
   for a purpose other than a lawful purpose of the Entity and is not subject to
   further unauthorized disclosure.




NOTIFICATION OBLIGATION

Any Entity to which the statute applies shall provide notice to the affected
person that there has been a security breach following discovery or notification
of the breach.




NOTIFICATION TO CONSUMER REPORTING AGENCIES

In the event an Entity provides notice to more than 1,000 persons at one time
pursuant to this section, the Entity shall notify, without unreasonable delay,
all consumer reporting agencies that compile and maintain files on consumers on
a nationwide basis of the timing, distribution, and content of the notice.




ATTORNEY GENERAL NOTIFICATION

In the event a business provides notice to an affected person pursuant to this
section, the business shall notify without unreasonable delay the Consumer
Protection Division of the state Attorney General’s office of the nature of the
breach, the number of consumers affected by the breach, steps taken to
investigate the breach, steps taken to prevent a similar breach in the future,
and information regarding the timing, distribution, and content of the notice.
The Attorney General’s website contains a form to be used for notification.




THIRD-PARTY DATA NOTIFICATION

Any business that possesses records containing PI of residents of NC that the
business does not own or license or conducts business in NC that possesses
records containing PI that the business does not own or license, shall notify
the owner or licensee of the PI of any security breach immediately following
discovery of the breach.




TIMING OF NOTIFICATION

The disclosure shall be made without unreasonable delay, consistent with any
measures necessary to determine sufficient contact information, determine the
scope of the breach, and restore the reasonable integrity, security, and
confidentiality of the data system.




PERSONAL INFORMATION DEFINITION

A person’s first name or first initial and last name in combination with any of
the following identifying information:

 * Social Security number or employer taxpayer identification numbers;
 * Driver’s license, state identification card, or passport numbers;
 * Checking account numbers;
 * Savings account numbers;
 * Credit card numbers;
 * Debit card numbers;
 * PINs;
 * Digital signatures;
 * Any other numbers or information that can be used to access a person’s
   financial resources;
 * Biometric data; or
 * Fingerprints.

Additionally, if (but only if) any of the following information “would permit
access to a person’s financial account or resources,” it is considered PI when
taken in conjunction with a person’s first name, or first initial and last name:

 * Electronic ID numbers;
 * Email names or addresses;
 * Internet account numbers;
 * Internet ID names;
 * Parent’s legal surname prior to marriage; or
 * Passwords.

PI does not include publicly available directories containing information an
individual has voluntarily consented to have publicly disseminated or listed,
including name, address, and telephone number, and does not include information
made lawfully available to the general public from federal, state, or local
government records.




NOTICE REQUIRED

Notice must be clear, conspicuous, and shall include all of the following:

 * A description of the incident in general terms;
 * A description of the type of PI that was subject to the unauthorized access
   and acquisition;
 * A description of the general acts of the business to protect the PI from
   further unauthorized access;
 * A telephone number for the business that the person may call for further
   information and assistance, if one exists;
 * Advice that directs the person to remain vigilant by reviewing account
   statements and monitoring free credit reports;
 * The toll-free numbers and addresses for the major consumer reporting
   agencies; and
 * The toll-free numbers, addresses, and website addresses for the Federal Trade
   Commission and the state Attorney General’s office, along with a statement
   that the individual can obtain information from these sources about
   preventing identity theft.

It may be provided by one of the following methods:

 * Written notice;
 * Telephonic notice, provided that contact is made directly with the affected
   persons; or
 * Electronic notice, for those persons for whom it has a valid email address
   and who have agreed to receive communications electronically if the notice
   provided is consistent with the provisions regarding electronic records and
   signatures set forth in 15 U.S.C. § 7001 (E-Sign Act).




SUBSTITUTE NOTICE AVAILABLE

If the business demonstrates that the cost of providing notice would exceed
$250,000 or that the affected class of subject persons to be notified exceeds
500,000, or if the business does not have sufficient contact information or
consent to provide notice as required under the statute, for only those affected
persons without sufficient contact information or consent, or if the business is
unable to identify particular affected persons, for only those unidentifiable
affected persons. Substitute notice shall consist of all the following:

 * Email notice when the Entity has email addresses for the subject persons;
 * Conspicuous posting of the notice on the Entity’s website, if the Entity
   maintains one; and
 * Notification to major statewide media.




EXCEPTION: COMPLIANCE WITH OTHER LAWS

 * A financial institution that is subject to and in compliance with the Federal
   Interagency Guidance Response Programs for Unauthorized Access to Consumer
   Information and Customer Notice, issued on March 7, 2005, by the Board of
   Governors of the Federal Reserve System, the Federal Deposit Insurance
   Corporation, the Office of the Comptroller of the Currency, and the Office of
   Thrift Supervision, and any revisions, additions, or substitutions relating
   to said Interagency Guidance, shall be deemed to be in compliance.




OTHER KEY PROVISIONS:

 * Delay for Law Enforcement. The notice required by this section shall be
   delayed if a law enforcement agency informs the business that notification
   may impede a criminal investigation or jeopardize national or homeland
   security, provided that such request is made in writing or the business
   documents such request contemporaneously in writing, including the name of
   the law enforcement officer making the request and the officer’s law
   enforcement agency engaged in the investigation. The notice required shall be
   provided without unreasonable delay after the law enforcement agency
   communicates to the business its determination that notice will no longer
   impede the investigation or jeopardize national or homeland security.
 * Attorney General Enforcement. Civil and criminal penalties are available.
 * Private Right of Action. An individual injured as a result of a violation of
   this section may institute a civil action.
 * Waiver Not Permitted.






NEW YORK

Name: N.Y. Gen. Bus. Law 899-aa S. 2605-D
Effective Date: March 28, 2013
Link to Documentation



APPLICATION

Any person, business, or state entity (excepting the judiciary, cities,
counties, municipalities, villages, towns, and other local agencies)
(collectively, Entity) that conducts business in New York State and that owns or
licenses computerized data that includes private information.

 * The provisions governing maintenance of private information that the Entity
   does not own appear applicable to any Entity maintaining private information,
   whether or not the Entity conducts business in NY.




SECURITY BREACH DEFINITION

Unauthorized acquisition or acquisition without valid authorization of
computerized data that compromises the security, confidentiality, or integrity
of PI maintained by a business. In determining whether information has been
acquired, or is reasonably believed to have been acquired, by an unauthorized
person or a person without valid authorization, Entities may consider the
following factors, among others:

 * Indications that the information is in the physical possession and control of
   an unauthorized person, such as a lost or stolen computer or other device
   containing information;
 * Indications that the information has been downloaded or copied; or
 * Indications that the information was used by an unauthorized person, such as
   fraudulent accounts opened or instances of identity theft reported.

Good-faith acquisition of PI by an employee or agent of the Entity for the
purposes of the Entity is not a breach of the security of the system, provided
that the private information is not used or subject to unauthorized disclosure.




NOTIFICATION OBLIGATION

Any Entity to which the statute applies shall disclose any breach of the
security following discovery or notification of the breach in the security of
the system to any resident of NY whose private information was, or is reasonably
believed to have been, acquired by a person without valid authorization.




NOTIFICATION TO CONSUMER REPORTING AGENCIES

If more than 5,000 NY residents are to be notified at one time, the Entity shall
also notify consumer reporting agencies as to the timing, content, and
distribution of the notices and the approximate number of affected persons.




ATTORNEY GENERAL/AGENCY NOTIFICATION

If any NY residents are to be notified, the Entity shall notify the state
Attorney General, the Consumer Protection Board, the Division of State Police,
and the state Office of Information Technology Services as to the timing,
content, and distribution of the notices and approximate number of affected
persons. The state Attorney General’s website has a form to be used for
notifications.




THIRD-PARTY DATA NOTIFICATION

Any Entity that maintains computerized data that includes private information
that the Entity does not own shall notify the owner or licensee of the
information of any breach of the security of the system immediately following
discovery, if the private information was, or is reasonably believed to have
been, acquired by a person without valid authorization.




TIMING OF NOTIFICATION

The disclosure shall be made in the most expedient time possible and without
unreasonable delay, consistent with any measures necessary to determine the
scope of the breach and restore the reasonable integrity of the system.




PERSONAL INFORMATION DEFINITION

Information concerning a natural person that, because of name, number, personal
mark, or other identifier, can be used to identify such natural person.




PRIVATE INFORMATION DEFINITION

PI consisting of any information in combination with any one or more of the
following data elements, when either the personal information or the data
element is not encrypted, or encrypted with an encryption key that has also been
acquired:

 * Social Security number;
 * Driver’s license number or non-driver identification card number; or
 * Account number, credit card number, or debit card number in combination with
   any required security code, access code, or password that would permit access
   to an individual’s financial account.

“Private information” does not include publicly available information that is
lawfully made available to the general public from federal, state, or local
government records.




NOTICE REQUIRED

Notice shall include:

 * Contact information for the Entity making the notification; and
 * A description of the categories of information that were, or are reasonably
   believed to have been, acquired by a person without valid authorization,
   including specification of which of the elements of PI and private
   information were, or are reasonably believed to have been, so acquired.

The notice required shall be directly provided to the affected persons by one of
the following methods:

 * Written notice;
 * Telephonic notice, provided that a log of each such notification is kept by
   the Entity; or
 * Electronic notice, provided that the person to whom notice is required has
   expressly consented to receiving said notice in electronic form and a log of
   each such notification is kept by the Entity who notifies affected persons in
   such form; provided further, however, that in no case shall any Entity
   require a person to consent to accepting said notice in said form as a
   condition of establishing any business relationship or engaging in any
   transaction.




SUBSTITUTE NOTICE AVAILABLE

If the Entity demonstrates to the state Attorney General that the cost of
providing notice would exceed $250,000, or that the affected class of subject
persons to be notified exceeds 500,000, or the Entity does not have sufficient
contact information. Substitute notice shall consist of all of the following:

 * Email notice when the Entity has email addresses for the subject persons;
 * Conspicuous posting of the notice on the Entity’s website, if the Entity
   maintains one; and
 * Notification to major statewide media.




OTHER KEY PROVISIONS:

 * Delay for Law Enforcement. The notification required by this section may be
   delayed if a law enforcement agency determines that such notification impedes
   a criminal investigation. The required notification shall be made after such
   law enforcement agency determines that such notification does not compromise
   such investigation.
 * Attorney General Enforcement. The Attorney General may bring an action to
   enjoin and restrain the continuation of such violation.






NEW MEXICO

Name: N.M. Stat. 57-12C-1 et seq. H.B. 15
Effective Date: June 16, 2017
Link to Documentation



APPLICATION

Any person that owns or licenses elements that include PI of a New Mexico
resident (collectively, Entity).

 * The provisions governing maintenance of PI that the Entity does not own
   appear applicable to any Entity maintaining PI of state residents, whether or
   not the Entity does business in NM.




SECURITY BREACH DEFINITION

Unauthorized acquisition of unencrypted computerized data, or of encrypted
computerized data and the confidential process or key used to decrypt the
encrypted computerized data, that compromises the security, confidentiality, or
integrity of PI maintained by a person.

 * Good-faith acquisition of PI by an employee or agent of a person for a
   legitimate business purpose of the person is not a security breach, provided
   that the PI is not subject to further unauthorized disclosure.




NOTIFICATION OBLIGATION

Any Entity to which the statute applies shall notify each NM resident whose PI
is reasonably believed to have been subject to a security breach. However,
notification to NM residents is not required if, after an appropriate
investigation, the Entity determines that the security breach does not give rise
to a significant risk of identity theft or fraud.




NOTIFICATION TO CONSUMER REPORTING AGENCIES

If more than 1,000 NM residents are to be notified as a result of a single
security breach, the Entity shall also notify major consumer reporting agencies
that compile and maintain files on consumers on a nationwide basis of the
security breach in the most expedient time possible, and no later than 45
calendar days, except if delayed notification is permitted to determine the
scope of the breach or for law enforcement investigation purposes.




ATTORNEY GENERAL/AGENCY NOTIFICATION

If more than 1,000 NM residents are to be notified as a result of a single
security breach, the Entity shall also notify the Office of the Attorney General
of the number of NM residents that received notification and shall
provide a copy of the notification that was sent to affected residents within 45
calendar days following discovery of the security breach, except if delayed
notification is permitted to determine the scope of the breach or for law
enforcement investigation purposes.




THIRD-PARTY DATA NOTIFICATION

Any business that is licensed to maintain or possess computerized data
containing PI of a New Mexico resident that the business does not own or license
shall notify the owner or licensee of the security breach in the most expedient
time possible, but not later than 45 calendar days following discovery of the
breach, except if delayed notification is permitted to determine the scope of
the breach or for law enforcement investigation purposes. However, notification
to the owner or licensee of the PI is not required if, after an appropriate
investigation, the business determines that the security breach does not give
rise to a significant risk of identity theft or fraud.




TIMING OF NOTIFICATION

Notification shall be made in the most expedient time possible, but not later
than 45 calendar days following discovery of the security breach. Notification
may be delayed as necessary to determine the scope of the security breach and
restore the integrity, security, and confidentiality of the data system.




PERSONAL INFORMATION DEFINITION

An individual’s first name or first initial and last name in combination with
one or more of the following data elements that relate to the individual, when
the data elements are not protected through encryption or redaction or otherwise
rendered unreadable or unusable:

 * Social Security number;
 * Driver’s license number;
 * Government-issued identification number;
 * Account number, credit card number, or debit card number in combination with
   any required security code, access code, or password that would permit access
   to a person’s financial account; or
 * Biometric data.

“Personal information” does not include information lawfully obtained from
publicly available sources or from federal, state or local government records
lawfully made available to the general public.




NOTICE REQUIRED

The notice shall include:

 * The name and contact information of the notifying person;
 * A list of the types of PI that are reasonably believed to have been the
   subject of a security breach, if known;
 * The date of the security breach, the estimated date of the breach, or the
   range of dates within which the security breach occurred, if known;
 * A general description of the security breach incident;
 * The toll-free telephone numbers and addresses of the major consumer reporting
   agencies;
 * Advice that directs the recipient to review personal account statements and
   credit reports, as applicable, to detect errors resulting from the security
   breach; and
 * Advice that informs the recipient of the notification of the recipient’s
   rights pursuant to the federal Fair Credit Reporting Act.

The notice shall be provided by one of the following methods:

 * United States mail; or
 * Electronic notification, if the Entity primarily communicates with the NM
   resident by electronic means or if the notice provided is consistent with the
   requirements of 15 U.S.C. Section 7001 (E-Sign Act).




SUBSTITUTE NOTICE AVAILABLE

If the Entity demonstrates that the cost of providing notification would exceed
$100,000; or that the number of residents to be notified exceeds 50,000; or that
the Entity does not have a physical address or sufficient contact information
for the residents to be notified. Substitute notice shall consist of all of the
following:

 * Sending electronic notification to the email address of those residents for
   whom the Entity has a valid email address;
 * Posting notification of the security breach in a conspicuous location on the
   website of the Entity, if the Entity maintains one; and
 * Sending written notification to the Office of the Attorney General and major
   media outlets in New Mexico.




EXCEPTION: OWN NOTIFICATION POLICY

An Entity that maintains its own notice procedures as part of an information
security policy for the treatment of PI, and whose procedures are otherwise
consistent with the timing requirements of the statute is deemed to be in
compliance if the Entity notifies affected consumers in accordance with its
policies in the event of a security breach.




EXCEPTION: COMPLIANCE WITH OTHER LAWS

 * Statute does not apply to an Entity subject to the federal
   Gramm-Leach-Bliley Act or the federal Health Insurance Portability and
   Accountability Act of 1996.




OTHER KEY PROVISIONS:

 * Delay for Law Enforcement. Notification may be delayed if a law enforcement
   agency determines that the notification will impede a criminal investigation.
 * Attorney General Enforcement. The Attorney General may bring an action for an
   injunction and damages.






NEW JERSEY

Name: N.J. Stat. 56:8-161 et seq. Senate Bill No. 52
Effective Date: September 1, 2019
Link to Documentation 1
Link to Documentation 2



APPLICATION

NJ, and any county, municipality, district, public authority, public agency, and
any other political subdivision or public body in NJ, any sole proprietorship,
partnership, corporation, association, or other entity, however organized and
whether or not organized to operate at a profit, including a financial
institution organized, chartered, or holding a license or authorization
certificate under the law of NJ, any other state, the United States, or of any
other country, or the parent or the subsidiary of a financial institution, that
conducts business in NJ (collectively, Entity), that compiles or maintains
computerized records that include PI.

 * The provisions governing maintenance of PI that the Entity does not own
   appear applicable to any Entity maintaining PI, whether or not the Entity
   conducts business in NJ.




SECURITY BREACH DEFINITION

Unauthorized access to electronic files, media or data containing PI that
compromises the security, confidentiality, or integrity of PI when access to the
PI has not been secured by encryption or by any other method or technology that
renders the PI unreadable or unusable.

 * Good-faith acquisition of PI by an employee or agent of the Entity for a
   legitimate business purpose is not a breach of security, provided that the PI
   is not used for a purpose unrelated to the business or subject to further
   unauthorized disclosure.




NOTIFICATION OBLIGATION

Any Entity to which the statute applies shall disclose any breach of security of
computerized records following discovery or notification of the breach to any
customer who is a resident of NJ whose PI was, or is reasonably believed to have
been, accessed by an unauthorized person.

 * Disclosure of a breach of security to a customer shall not be required if the
   Entity establishes that misuse of the information is not reasonably possible.
   Any determination shall be documented in writing and retained for 5 years.




NOTIFICATION TO CONSUMER REPORTING AGENCIES

If an Entity discovers circumstances requiring notification pursuant to this
section of more than 1,000 persons at one time, the Entity shall also notify,
without unreasonable delay, all consumer reporting agencies that compile or
maintain files on consumers on a nationwide basis of the timing, distribution,
and content of the notices.




ATTORNEY GENERAL/POLICE NOTIFICATION

Any Entity required under this section to disclose a breach of security of a
customer’s PI shall, prior to disclosure to the customer, report the breach of
security and any information pertaining to the breach to the Division of State
Police in the Department of Law and Public Safety for investigation or handling,
which may include dissemination or referral to other appropriate law enforcement
entities.




THIRD-PARTY DATA NOTIFICATION

An Entity that compiles or maintains computerized records that include PI on
behalf of another Entity shall notify that Entity of any breach of security of
the computerized records immediately following discovery, if the PI was, or is
reasonably believed to have been, accessed by an unauthorized person.




TIMING OF NOTIFICATION

The disclosure to a customer shall be made in the most expedient time possible
and without unreasonable delay, consistent with any measures necessary to
determine the scope of the breach and restore the reasonable integrity of the
data system.




PERSONAL INFORMATION DEFINITION

An individual’s first name or first initial and last name linked with any one or
more of the following data elements:

 * Social Security number;
 * Driver’s license number or state identification card number;
 * Account number, credit card number, or debit card number in combination with
   any required security code, access code, or password that would permit access
   to an individual’s financial account; or
 * User name, email address, or any other account holder identifying
   information, in combination with any password or security question and answer
   that would permit access to an online account.

Dissociated data that, if linked, would constitute PI is PI if the means to link
the dissociated data were accessed in connection with access to the dissociated
data. PI shall not include publicly available information that is lawfully made
available to the general public from federal, state, or local government
records, or widely distributed media.




NOTICE REQUIRED

Notice may be provided by one of the following methods:

 * Written notice; or
 * Electronic notice, if the notice provided is consistent with the provisions
   regarding electronic records and signatures set forth in 15 U.S.C. § 7001
   (E-Sign Act).
 * For breaches involving online account credentials only, in “electronic or
   other form.”
   * Except for breaches involving credentials for an email account, which must
     be provided via written notice or via online delivery when the customer is
     connected to the online account from an IP address or online location from
     which the business or public entity knows the customer customarily accesses
     the account.




SUBSTITUTE NOTICE AVAILABLE

If the Entity demonstrates that the cost of providing notice would exceed
$250,000, or that the affected class of subject individuals to be notified
exceeds 500,000, or the Entity does not have sufficient contact information.
Substitute notice shall consist of all of the following:

 * Email notice when the Entity has email addresses;
 * Conspicuous posting of the notice on the Entity’s website, if the Entity
   maintains one; and
 * Notification to major statewide media.




EXCEPTION: OWN NOTIFICATION POLICY

An Entity that maintains its own notification procedures as part of an
information security policy for the treatment of PI and is otherwise consistent
with the requirements of the statute, shall be deemed in compliance with the
notification requirements of the statute if it notifies subject customers in
accordance with its policies in the event of a breach of security of the system.




OTHER KEY PROVISIONS:

 * Delay for Law Enforcement. The notification required by this section shall be
   delayed if a law enforcement agency determines that the notification will
   impede a criminal or civil investigation and that agency has made a request
   that the notification be delayed.






NEW HAMPSHIRE

Name: N.H. Rev. Stat. 359-C:19 et seq. H.B. 1660
Effective Date: January 1, 2007
Link to Documentation 1
Link to Documentation 2
Link to Documentation 3


APPLICATION

Any individual, corporation, trust, partnership, incorporated or unincorporated
association, limited liability company, or other form of entity, or any agency,
authority, board, court, department, division, commission, institution, bureau,
or other state governmental entity, or any political subdivision of the state
(collectively, Entity) doing business in NH that owns or licenses computerized
data that includes PI.

 * The provisions governing maintenance of PI that the Entity does not own
   appear applicable to any Entity maintaining PI, whether or not the Entity
   does business in NH.




SECURITY BREACH DEFINITION

An unauthorized acquisition of computerized data that compromises the security
or confidentiality of PI maintained by an Entity doing business in NH.

 * Good-faith acquisition of PI by an employee or agent of an Entity for the
   purposes of the Entity’s business shall not be considered a security breach,
   provided that the PI is not used or subject to further unauthorized
   disclosure.




NOTIFICATION OBLIGATION

Any Entity to which the statute applies, when it becomes aware of a security
breach and determines that misuse of PI has occurred or is reasonably likely to
occur, or if a determination cannot be made, shall notify the affected
individuals.

 * Notification is not required if it is determined that misuse of the PI has
   not occurred and is not reasonably likely to occur.




NOTIFICATION TO CONSUMER REPORTING AGENCIES

If an Entity is required to notify more than 1,000 consumers, the Entity shall
also notify, without unreasonable delay, all consumer reporting agencies that
compile and maintain files on consumers on a nationwide basis of the anticipated
date of the notification, the approximate number of consumers who will be
notified, and the content of the notice. This obligation does not apply to
entities subject to Title V of the Gramm-Leach-Bliley Act.




ATTORNEY GENERAL/REGULATOR NOTIFICATION

An Entity engaged in trade or commerce that is subject to N.H. Rev. Stat. §
358-A:3(I) (trade or commerce that is subject to the jurisdiction of the Bank
Commissioner, the Director of Securities Regulation, the Insurance Commissioner,
the Public Utilities Commission, the financial institutions and insurance
regulators of other states, or federal banking or securities regulators who
possess the authority to regulate unfair or deceptive trade practices) shall
also notify the regulator that has primary regulatory authority over such trade
or commerce. All other Entities shall notify the state Attorney General. The
notice shall include the anticipated date of the notice to the individuals and
the approximate number of individuals in NH who will be notified.




THIRD-PARTY DATA NOTIFICATION

If an Entity maintains computerized data that includes PI that the Entity does
not own, the Entity shall notify and cooperate with the owner or licensee of the
PI of any breach of the security of the data immediately following discovery if
the PI was acquired by an unauthorized person. Cooperation includes sharing with
the owner or licensee information relevant to the breach, except that such
cooperation shall not be deemed to require the disclosure of confidential or
business information or trade secrets.




TIMING OF NOTIFICATION

The Entity shall notify the affected individuals as soon as possible.




PERSONAL INFORMATION DEFINITION

An individual’s first name or initial and last name in combination with any one
or more of the following data elements, when either the name or the data
elements are not encrypted:

 * Social Security number;
 * Driver’s license number or other government identification number; or
 * Account number, credit card number, or debit card number in combination with
   any required security code, access code, or password that would permit access
   to an individual’s financial account.

Data shall not be considered to be encrypted if it is acquired in combination
with any required key, security code, access code, or password that would permit
access to the encrypted data.

PI shall not include information that is lawfully made available to the general
public from federal, state, or local government records.




NOTICE REQUIRED

Notice shall include at a minimum:

 * A description of the incident in general terms;
 * The approximate date of the breach;
 * The type of PI obtained as a result of the security breach; and
 * The telephonic contact information of the Entity.

Notice shall be provided by one of the following methods:

 * Written notice;
 * Telephonic notice, provided that a log of each such notification is kept by
   the person or business who notifies affected persons;
 * Electronic notice, if the Entity’s primary means of communication with
   affected individuals is by electronic means; or
 * Notice pursuant to the Entity’s internal notification procedures maintained
   as part of an information security policy for the treatment of PI.




SUBSTITUTE NOTICE AVAILABLE

If the Entity demonstrates that the cost of providing notice would exceed
$5,000, that the affected class of subject individuals to be notified exceeds
1,000, or that the Entity does not have sufficient contact information or
consent to provide written, electronic or telephonic notice, substitute notice
shall consist of all of the following:

 * Email notice when the Entity has email addresses for the affected
   individuals;
 * Conspicuous posting of the notice on the Entity’s website, if the Entity
   maintains one; and
 * Notification to major statewide media.




EXCEPTION: COMPLIANCE WITH OTHER LAWS

 * Primary Regulator. An Entity engaged in trade or commerce that maintains
   procedures for security breach notification pursuant to laws, rules,
   regulations, guidance, or guidelines issued by a state or federal regulator
   shall be deemed to be in compliance with this subdivision if it acts in
   accordance with such laws, rules, regulations, guidance or guidelines.




OTHER KEY PROVISIONS:

 * Delay for Law Enforcement. The notification may be delayed if a law
   enforcement agency or national or homeland security agency determines that
   the notification will impede a criminal investigation or jeopardize national
   or homeland security.
 * Attorney General Enforcement.
 * Private Right of Action. Any person injured by any violation may bring a
   civil action. If the court finds for the plaintiff, recovery shall be in the
   amount of actual damages. If the court finds that the act or practice was
   willful or knowing, it shall award as much as three times but not less than
   two times, such amount. In addition, a prevailing plaintiff shall be awarded
   the costs of the suit and attorney’s fees, as determined by the court.
   Injunctive relief shall be available to private individuals under this
   chapter without bond, subject to the discretion of the court.
 * Waiver Not Permitted.




NEVADA

Name: Nev. Rev. Stat. 603A.010 et seq., 242.183 A.B. 179
Effective Date: July 1, 2015
Link to Documentation 1
Link to Documentation 2



APPLICATION

Any governmental agency, institution of higher education, corporation, financial
institution or retail operator, or any other type of business entity or
association (collectively, Entity), that owns or licenses computerized data that
includes PI.




SECURITY BREACH DEFINITION

An unauthorized acquisition of computerized data that materially compromises the
security, confidentiality, or integrity of PI maintained by Entity.

 * Good-faith acquisition of PI by an employee or agent of the Entity for the
   legitimate purposes of the Entity is not a breach of the security of the
   system if the PI is not otherwise used or subject to further unauthorized
   disclosure.




NOTIFICATION OBLIGATION

Any Entity to which the statute applies shall disclose any breach of the
security of the system data following discovery or notification of the breach to
any resident of NV whose unencrypted PI was, or is reasonably believed to have
been, acquired by an unauthorized person.




NOTIFICATION TO CONSUMER REPORTING AGENCIES

If an Entity determines that notification is required to be given to more than
1,000 persons at any one time, the Entity shall also notify, without
unreasonable delay, all consumer reporting agencies that compile and maintain
files on consumers on a nationwide basis of the time the notification is
distributed and the content of the notification.




THIRD-PARTY DATA NOTIFICATION

If an Entity maintains computerized data that includes PI that the Entity does
not own, the Entity must notify the owner or licensee of that PI of any breach
of the security of the system data immediately following discovery if the PI
was, or is reasonably believed to have been, acquired by an unauthorized person.




TIMING OF NOTIFICATION

The disclosure shall be made in the most expedient time possible and without
unreasonable delay, consistent with any measures necessary to determine the
scope of the breach and restore the reasonable integrity of the system data.




PERSONAL INFORMATION DEFINITION

An individual’s first name or first initial and last name in combination with
any one or more of the following data elements, when the name and data elements
are not encrypted:

 * Social Security number;
 * Driver’s license number, driver authorization card number or identification
   card number;
 * Account number, credit card number, or debit card number in combination with
   any required security code, access code, or password that would permit access
   to an individual’s financial account;
 * A medical identification number or a health insurance identification number;
   or
 * A user name, unique identifier, or email address in combination with a
   password, access code, or security question and answer that would permit
   access to an online account.

PI does not include the last four digits of a Social Security number, the last
four digits of a driver’s license or driver authorization card number, or the
last four digits of an identification card number or publicly available
information that is lawfully made available to the general public from federal,
state, or local governmental records.




NOTICE REQUIRED

Notice may be provided by one of the following methods:

 * Written notice; or
 * Electronic notice, if the notice provided is consistent with the provisions
   regarding electronic records and signatures set forth in 15 U.S.C. § 7001
   (E-Sign Act).




SUBSTITUTE NOTICE AVAILABLE

If the Entity demonstrates that the cost of providing notice would exceed
$250,000, that the affected class of subject persons to be notified exceeds
500,000, or that the Entity does not have sufficient contact information,
substitute notice shall consist of all of the following:

 * Email notice when the Entity has email addresses for the subject persons;
 * Conspicuous posting of the notice on the Entity’s website if the Entity
   maintains one; and
 * Notification to major statewide media.




EXCEPTION: OWN NOTIFICATION POLICY

An Entity that maintains its own notification policies and procedures as part of
an information security policy for the treatment of PI that is otherwise
consistent with the timing requirements of the statute shall be deemed in
compliance with the notification requirements of the statute if it notifies
subject persons in accordance with its policies and procedures in the event of a
security breach.




EXCEPTION: COMPLIANCE WITH OTHER LAWS

 * Gramm-Leach-Bliley Act. An Entity that is subject to and complies with the
   privacy and security provisions of the Gramm-Leach-Bliley Act shall be
   deemed to be in compliance with the notification requirements.




OTHER KEY PROVISIONS:

 * Delay for Law Enforcement. The notification required by the statute may be
   delayed if a law enforcement agency determines that the notification will
   impede a criminal investigation. The notification must be made after the law
   enforcement agency determines that the notification will not compromise the
   investigation.
 * Attorney General Enforcement. If the state Attorney General or a district
   attorney of any county has reason to believe that any person is violating,
   proposes to violate, or has violated the provisions of the statute, he or she
   may bring an action against that person to obtain a temporary or permanent
   injunction against the violation.
 * Right of Action for Data Collector. A data collector that provides the
   requisite notice may commence an action for damages against a person that
   unlawfully obtained or benefited from PI obtained from records maintained by
   the data collector.
 * Special Notification Obligations for Government Agencies and Elected
   Officers. See Nev. Rev. Stat. § 242.181.
 * Special Rules Applicable to Electronic Health Records. See Nev. Rev. Stat. §§
   439, 603A.100.
 * Waiver Not Permitted.




NEBRASKA

Name: Neb. Rev. Stat. 87-801 et seq. L.B. 835
Effective Date: July 20, 2016
Link to Documentation



APPLICATION

An individual, government agency, corporation, business trust, estate, trust,
partnership, limited partnership, limited liability partnership, limited
liability company, association, organization, joint venture, government,
governmental subdivision, agency, or instrumentality, or any other legal entity,
whether for profit or not for profit (collectively, Entity), that conducts
business in NE and that owns or licenses computerized data that includes PI
about a resident of NE.

 * The provisions governing maintenance of PI that the Entity does not own
   appear applicable to any Entity maintaining information on NE residents,
   whether or not the Entity conducts business in NE.




SECURITY BREACH DEFINITION

An unauthorized acquisition of unencrypted computerized data that compromises
the security, confidentiality, or integrity of PI maintained by an Entity.

 * Good-faith acquisition of PI by an employee or agent of an Entity for the
   purposes of the Entity is not a breach of the security of the system if the
   PI is not used or subject to further unauthorized disclosure.
 * Acquisition of PI pursuant to a search warrant, subpoena, or other court
   order or pursuant to a subpoena or order of a state agency is not a breach of
   the security of the system.




NOTIFICATION OBLIGATION

Any Entity to which the statute applies shall, when it becomes aware of a breach
of the security of the system and determines that the use of information about a
NE resident for an unauthorized purpose has occurred or is reasonably likely to
occur, give notice to the affected NE resident.

 * Notification is not required if after a good-faith, reasonable, and prompt
   investigation the Entity determines that it is unlikely that PI has been or
   will be used for an unauthorized purpose.




ATTORNEY GENERAL/REGULATOR NOTIFICATION

If notice of a security breach to NE residents is required, the Entity shall
also, not later than the time when notice is provided to the NE resident,
provide notice of the breach of security of the system to the Attorney General.




THIRD-PARTY DATA NOTIFICATION

An Entity that maintains computerized data that includes PI that the Entity does
not own or license shall give notice to and cooperate with the owner or licensee
of the information of any breach of the security of the system when it becomes
aware of a breach if use of PI about a NE resident for an unauthorized purpose
occurred or is reasonably likely to occur. Cooperation includes, but is not
limited to, sharing with the owner or licensee information relevant to the
breach, not including information proprietary to the Entity.




TIMING OF NOTIFICATION

Notice shall be made as soon as possible and without unreasonable delay,
consistent with any measures necessary to determine the scope of the breach and
to restore the reasonable integrity of the computerized data system.




PERSONAL INFORMATION DEFINITION

PI means either of the following:

(a) A NE resident’s first name or first initial and last name in combination
with any one or more of the following data elements that relate to the resident
if either the name or the data elements are not encrypted, redacted, or
otherwise altered by any method or technology in such a manner that the name or
data elements are unreadable:

 * Social Security number;
 * Driver’s license number or state identification card number;
 * Account number, credit card number, or debit card number in combination with
   any required security code, access code, or password that would permit access
   to a resident’s financial account;
 * Unique electronic ID number or routing code, in combination with any required
   security code, access code, or password; or
 * Unique biometric data, such as a fingerprint, voice print, or retina or iris
   image, or other unique physical representation; or

(b) A user name or email address, in combination with a password or security
question and answer, that would permit access to an online account.

Data shall not be considered encrypted if the confidential process or key was or
is reasonably believed to have been acquired as a result of the breach of the
security of the system.

PI does not include publicly available information that is lawfully made
available to the general public from federal, state, or local government
records.




NOTICE REQUIRED

Notice may be provided by one of the following methods:

 * Written notice;
 * Telephonic notice; or
 * Electronic notice, if the notice provided is consistent with the provisions
   regarding electronic records and signatures set forth in 15 U.S.C. § 7001
   (E-Sign Act).




SUBSTITUTE NOTICE AVAILABLE

If the Entity demonstrates that the cost of providing notice will exceed
$75,000, that the affected class of NE residents to be notified exceeds 100,000
residents, or that the Entity does not have sufficient contact information to
provide notice, substitute notice requires all of the following:

 * Email notice, if the Entity has email addresses for the members of the
   affected class of NE residents;
 * Conspicuous posting of the notice on the Entity’s website, if it maintains
   one; and
 * Notice to major statewide media.




SUBSTITUTE NOTICE EXCEPTION

If the Entity has 10 employees or fewer and demonstrates that the cost of
providing notice will exceed $10,000, substitute notice requires all of the
following:

 * Email notice, if the Entity has email addresses for the members of the
   affected class of NE residents;
 * Notification by a paid advertisement in a local newspaper that is distributed
   in the geographic area in which the Entity is located, which advertisement
   shall be of sufficient size that it covers at least one-quarter of a page in
   the newspaper and shall be published in the newspaper at least once a week
   for 3 consecutive weeks;
 * Conspicuous posting of the notice on the Entity’s website, if it maintains
   one; and
 * Notification to major media outlets in the geographic area in which the
   Entity is located.




EXCEPTION: OWN NOTIFICATION POLICY

An Entity that maintains its own notice procedures which are part of an
information security policy for the treatment of PI and which are otherwise
consistent with the timing requirements of the statute, is deemed to be in
compliance with the notice requirements of the statute if the Entity notifies
affected NE residents and Attorney General in accordance with its notice
procedures in the event of a breach of the security of the system.




EXCEPTION: COMPLIANCE WITH OTHER LAWS

 * Primary Regulator. An Entity that is regulated by state or federal law and
   that maintains procedures for a breach of the security of the system pursuant
   to the laws, rules, regulations, guidance, or guidelines established by its
   primary or functional state or federal regulator is deemed to be in
   compliance with the notice requirements of the statute if the Entity notifies
   affected NE residents and Attorney General in accordance with the maintained
   procedures in the event of a breach of the security of the system.




OTHER KEY PROVISIONS:

 * Delay for Law Enforcement. Notice may be delayed if a law enforcement agency
   determines that the notice will impede a criminal investigation. Notice shall
   be made in good faith, without unreasonable delay, and as soon as possible
   after the law enforcement agency determines that notification will no longer
   impede the investigation.
 * Attorney General Enforcement. The Attorney General may issue subpoenas and
   seek and recover direct economic damages for each affected NE resident
   injured by a violation of the statute.
 * Waiver Not Permitted.




MONTANA

Name: Mont. Code 2-6-1501 et seq., 30-14-1701 et seq., 33-19-321 H.B. 74
Effective Date: October 1, 2015
Link to Documentation 1
Link to Documentation 2
Link to Documentation 3



APPLICATION

Any person or business (collectively, Entity) that conducts business in MT and
that owns or licenses computerized data that includes PI.

 * The provisions governing maintenance of PI that the Entity does not own
   appear applicable to any Entity maintaining information on MT residents,
   whether or not the Entity conducts business in MT.




SECURITY BREACH DEFINITION

Any unauthorized acquisition of computerized data that materially compromises
the security, confidentiality, or integrity of PI maintained by the Entity and
causes or is reasonably believed to cause loss or injury to a MT resident.

 * Good-faith acquisition of PI by an employee or agent of the Entity for the
   purpose of the Entity is not a breach of the security of the data system,
   provided that the PI is not used or subject to further unauthorized
   disclosure.




NOTIFICATION OBLIGATION

Any Entity to which the statute applies shall disclose any breach of the
security of the data system following discovery or notification of the breach to
any resident of MT whose unencrypted PI was or is reasonably believed to have
been acquired by an unauthorized person.




NOTIFICATION TO CONSUMER REPORTING AGENCIES

If a business notifies an individual of a breach and suggests, indicates, or
implies that the individual may obtain a credit report, the business must
coordinate with the credit reporting agency as to the timing, content and
distribution of notice to the individual (but this may not unreasonably delay
disclosure of the breach).




ATTORNEY GENERAL/INSURANCE COMMISSIONER NOTIFICATION

Any Entity that is required to issue a notification shall simultaneously submit
an electronic copy of the notification and a statement providing the date and
method of distribution of the notification to the Attorney General’s Consumer
Protection office, excluding any information that personally identifies any
individual who is entitled to receive notification. If a notification is made to
more than one individual, a single copy of the notification must be submitted
that indicates the number of individuals in the state who received notification.

Insurance entities and support organizations must submit the above information
to the Montana Insurance Commissioner (Mont. Code § 33-19-321).




THIRD-PARTY DATA NOTIFICATION

Any Entity that maintains computerized data that includes PI that the Entity
does not own shall notify the owner or licensee of the information of any breach
of the security of the data system immediately following discovery if the PI was
or is reasonably believed to have been acquired by an unauthorized person.




TIMING OF NOTIFICATION

Disclosure is to be made without unreasonable delay, consistent with any
measures necessary to determine the scope of the breach and restore the
reasonable integrity of the data system.




PERSONAL INFORMATION DEFINITION

An individual’s first name or first initial and last name in combination with
any one or more of the following data elements, when either the name or the data
elements are not encrypted:

 * Social Security number;
 * Identification card number;
 * Account number or credit or debit card number, in combination with any
   required security code, access code, or password that would permit access to
   an individual’s financial account;
 * Medical record information as defined in § 33-19-104 (PI that (a) relates to
   an individual’s physical or mental condition, medical history, medical claims
   history, or medical treatment; and (b) is obtained from a medical
   professional or medical care institution, from the individual, or from the
   individual’s spouse, parent, or legal guardian);
 * Taxpayer identification number; or
 * An identity protection personal identification number issued by the U.S.
   Internal Revenue Service.

PI does not include publicly available information that is lawfully made
available to the general public from federal, state, or local government
records.




NOTICE REQUIRED

Notice may be provided by one of the following methods:

 * Written notice;
 * Telephonic notice; or
 * Electronic notice, if the notice provided is consistent with the provisions
   regarding electronic records and signatures set forth in 15 U.S.C. § 7001
   (E-Sign Act).




SUBSTITUTE NOTICE AVAILABLE

If the Entity demonstrates that the cost of providing notice would exceed
$250,000, that the affected class of subject persons to be notified exceeds
500,000, or that the Entity does not have sufficient contact information,
substitute notice shall consist of email notice when the Entity has email
addresses for the subject persons and one of the following:

 * Conspicuous posting of the notice on the Entity’s website, if the Entity
   maintains one; or
 * Notification to applicable local or statewide media.




EXCEPTION: OWN NOTIFICATION POLICY

An Entity that maintains its own notification procedures as part of an
information security policy for the treatment of PI and that does not
unreasonably delay notice is considered to be in compliance with the
notification requirements of the statute if the Entity notifies subject persons
in accordance with its policies in the event of a breach of security of the data
system.




OTHER KEY PROVISIONS:

 * Delay for Law Enforcement. Notice may be delayed if a law enforcement agency
   determines that it will impede a criminal investigation and requests a delay
   in notification. The notification must be made after the law enforcement
   agency determines that it will not compromise the investigation.




MISSOURI

Name: Mo. Rev. Stat. 407.1500 H.B. 62
Effective Date: August 28, 2009
Link to Documentation



APPLICATION

Any individual, corporation, business trust, estate, trust, partnership, limited
liability company, association, joint venture, government, governmental
subdivision, governmental agency, governmental instrumentality, public
corporation, or any other legal or commercial entity (collectively, Entity) that
owns or licenses PI of residents of MO or any person that conducts business in
MO that owns or licenses PI of a resident of MO.




SECURITY BREACH DEFINITION

Unauthorized access to and unauthorized acquisition of PI maintained in
computerized form by an Entity that compromises the security, confidentiality,
or integrity of the PI.

 * Good-faith acquisition of PI by an Entity or that Entity’s employee or agent
   for a legitimate purpose of that Entity is not a breach of security, provided
   that the PI is not used in violation of applicable law or in a manner that
   harms or poses an actual threat to the security, confidentiality, or
   integrity of the PI.




NOTIFICATION OBLIGATION

Any Entity to which the statute applies shall provide notice to the affected
consumer that there has been a breach of security following discovery or
notification of the breach.

 * Notification is not required if, after an appropriate investigation by the
   Entity or after consultation with the relevant federal, state, or local
   agencies responsible for law enforcement, the Entity determines that a risk
   of identity theft or other fraud to any consumer is not reasonably likely to
   occur as a result of the breach. Such a determination shall be documented in
   writing and the documentation shall be maintained for 5 years.




NOTIFICATION TO CONSUMER REPORTING AGENCIES

In the event an Entity notifies more than 1,000 consumers at one time pursuant
to this section, the Entity shall notify, without unreasonable delay, all
consumer reporting agencies that compile and maintain files on consumers on a
nationwide basis of the timing, distribution, and content of the notice.




ATTORNEY GENERAL NOTIFICATION

In the event an Entity provides notice to more than 1,000 consumers at one time
pursuant to this section, the Entity shall notify, without unreasonable delay,
the state Attorney General’s office of the timing, distribution, and content of
the notice.




THIRD-PARTY DATA NOTIFICATION

Any Entity that maintains or possesses records or data containing PI of
residents of MO that the Entity does not own or license, or any Entity that
conducts business in MO that maintains or possesses records or data containing
PI of a resident of MO that the person does not own or license, shall notify the
owner or licensee of the information of any breach of security immediately
following discovery of the breach, consistent with the legitimate needs of law
enforcement as provided in this section.




TIMING OF NOTIFICATION

The disclosure notification shall be made without unreasonable delay and
consistent with any measures necessary to determine sufficient contact
information and to determine the scope of the breach and restore the reasonable
integrity, security, and confidentiality of the data system.




PERSONAL INFORMATION DEFINITION

An individual’s first name or first initial and last name in combination with
any one or more of the following data elements that relate to the individual if
any of the data elements are not encrypted, redacted, or otherwise altered by
any method or technology in such a manner that the name or data elements are
unreadable or unusable:

 * Social Security number;
 * Driver’s license number or other unique identification number created or
   collected by a government body;
 * Account number, credit card number, or debit card number in combination with
   any required security code, access code, or password that would permit access
   to an individual’s financial account;
 * Unique electronic identifier or routing code, in combination with any
   required security code, access code, or password that would permit access to
   an individual’s financial account;
 * Medical information (information regarding an individual’s medical history,
   mental or physical condition, or medical treatment or diagnosis by a health
   care professional); or
 * Health insurance information (an individual’s health insurance policy number,
   subscriber identification number, or any unique identifier used by a health
   insurer to identify the individual).

PI does not include information that is lawfully obtained from publicly
available sources, or from federal, state, or local government records lawfully
made available to the general public.




NOTICE REQUIRED

Notice may be provided by one of the following methods:

 * Written notice;
 * Telephonic notice, if such contact is made directly with the affected
   consumers; or
 * Electronic notice for those consumers for whom the person has a valid email
   address and who have agreed to receive communications electronically, if the
   notice provided is consistent with the provisions regarding electronic
   records and signatures set forth in 15 U.S.C. § 7001 (E-Sign Act).

The notice shall at minimum include a description of the following:

 * The incident in general terms;
 * The type of PI that was obtained as a result of the breach of security;
 * A telephone number that the affected consumer may call for further
   information and assistance, if one exists;
 * Contact information for consumer reporting agencies; and
 * Advice that directs the affected consumer to remain vigilant by reviewing
   account statements and monitoring free credit reports.




SUBSTITUTE NOTICE AVAILABLE

If the Entity demonstrates that the cost of providing notice would exceed
$100,000, that the class of affected consumers to be notified exceeds 150,000,
that the Entity does not have sufficient contact information or consent (for
only those affected consumers without sufficient contact information or
consent), or that the Entity is unable to identify particular affected
consumers (for only those unidentifiable consumers), substitute notice shall
consist of all the following:

 * Email notice when the Entity has an email address for the affected consumer;
 * Conspicuous posting of the notice or a link to the notice on the Entity’s
   website, if the Entity maintains one; and
 * Notification to major statewide media.




EXCEPTION: OWN NOTIFICATION POLICY

An Entity that maintains its own notice procedures as part of an information
security policy for the treatment of PI, and whose procedures are otherwise
consistent with the timing requirements of this section, is deemed to be in
compliance with the notice requirements of this section if the Entity notifies
affected consumers in accordance with its policies in the event of a breach of
security of the system.




EXCEPTION: COMPLIANCE WITH OTHER LAWS

 * An Entity that is regulated by state or federal law and that maintains
   procedures for a breach of the security of the system pursuant to the laws,
   rules, regulations, guidance, or guidelines established by its primary or
   functional state or federal regulator is deemed to be in compliance with this
   section if the Entity notifies affected consumers in accordance with the
   maintained procedures when a breach occurs.
 * A financial institution that is (i) subject to and in compliance with the
   Federal Interagency Guidance Response Programs for Unauthorized Access to
   Customer Information and Customer Notice, issued on March 29, 2005, by the
   board of governors of the Federal Reserve System, the Federal Deposit
   Insurance Corporation, the Office of the Comptroller of the Currency, and the
   Office of Thrift Supervision, and any revisions, additions, or substitutions
   relating to said interagency guidance; or (ii) subject to and in compliance
   with the National Credit Union Administration regulations in 12 C.F.R. Part
   748; or (iii) subject to and in compliance with the provisions of Title V of
   the Gramm-Leach-Bliley Act shall be deemed to be in compliance with this
   section.




PENALTIES/ENFORCEMENT

The state Attorney General shall have exclusive authority to bring an action to
obtain actual damages for a willful and knowing violation of this section and
may seek a civil penalty not to exceed $150,000 per breach of the security of
the system or series of breaches of a similar nature that are discovered in a
single investigation.




OTHER KEY PROVISIONS:

Delay for Law Enforcement. The notice required by this section may be delayed if
a law enforcement agency informs the Entity that notification may impede a
criminal investigation or jeopardize national or homeland security, provided
that such request by law enforcement is made in writing or the Entity documents
such request contemporaneously in writing, including the name of the law
enforcement officer making the request and the officer’s law enforcement agency
engaged in the investigation. The notice required by this section shall be
provided without unreasonable delay after the law enforcement agency
communicates to the Entity its determination that notice will no longer impede
the investigation or jeopardize national or homeland security.





MISSISSIPPI

Name: Miss. Code 75-24-29 H.B. 582
Effective Date: July 1, 2011
Link to Documentation



APPLICATION

Any person who conducts business in MS and who, in the ordinary course of the
person’s business functions, owns, licenses, or maintains the PI of any MS
resident.




SECURITY BREACH DEFINITION

An unauthorized acquisition of electronic files, media, databases, or
computerized data containing PI of any MS resident when access to the PI has not
been secured by encryption or by any other method of technology that renders the
PI unreadable or unusable.




NOTIFICATION OBLIGATION

A person who conducts business in MS shall disclose any breach of security to
all affected individuals. Notification is not required if, after an appropriate
investigation, the person reasonably determines that the breach will not likely
result in harm to the affected individuals.




THIRD-PARTY DATA NOTIFICATION

A person who maintains computerized data that includes PI that the person does
not own or license shall notify the owner or licensee of the information of any
breach of security as soon as practical following its discovery, if the PI was,
or is reasonably believed to have been, acquired by an unauthorized person for
fraudulent purposes.




TIMING OF NOTIFICATION

Notice shall be provided without unreasonable delay subject to the completion of
an investigation by the person to determine the nature and scope of the
incident, to identify the affected individuals, or to restore the reasonable
integrity of the system.




PERSONAL INFORMATION DEFINITION

An individual’s first name or first initial and last name in combination with
any one or more of the following data elements, when the data element is not
secured by encryption or another method of technology that makes electronic data
unreadable or unusable:

 * Social Security number;
 * Driver’s license number or state identification card number; or
 * Account number, credit card number, or debit card number in combination with
   any required security code, access code, or password that would permit access
   to an individual’s financial account.

PI does not include publicly available information that is lawfully made
available to the general public from federal, state, or local government
records.




NOTICE REQUIRED

Notice may be provided by one of the following methods:

 * Written notice,
 * Telephonic notice, or
 * Electronic notice, if the Entity’s primary method of communication with the
   individual is by electronic means, or if the notice provided is consistent
   with the provisions regarding electronic records and signatures set forth in
   15 U.S.C. § 7001 (E-Sign Act).




SUBSTITUTE NOTICE AVAILABLE

Substitute notice is available if the Entity demonstrates that the cost of
providing notice would exceed $5,000, that the Entity has to provide notice to
more than 5,000 residents, or that the Entity does not have sufficient contact
information. Substitute notice shall consist of all of the following:

 * Email notice, if the Entity has email addresses for subject persons;
 * Conspicuous posting of the notice on the Entity’s website, if the Entity
   maintains one; and
 * Notification to major statewide media.




EXCEPTION: OWN NOTIFICATION POLICY

An Entity that maintains its own notification procedures as part of an
information security policy for the treatment of PI and whose procedures are
otherwise consistent with the timing requirements of the statute, shall be
deemed to be in compliance with the notification requirements of the statute, if
the Entity notifies subject persons in accordance with its policies in the event
of a breach of security of the system.




EXCEPTION: COMPLIANCE WITH FEDERAL REGULATIONS

 * Any person that maintains a security breach procedure pursuant to the rules,
   regulations, or guidelines established by the primary federal functional
   regulator shall be deemed to be in compliance with this section, provided the
   person notifies affected individuals in accordance with the policies or the
   rules, regulations, procedures, or guidelines.




OTHER KEY PROVISIONS:

 * Delay for Law Enforcement. Any notification shall be delayed for a reasonable
   period of time if a law enforcement agency determines that the notification
   will impede a criminal investigation or national security and the law
   enforcement agency has made a request that the notification be delayed. Any
   such delayed notification shall be made after the law enforcement agency
   determines that notification will not compromise the criminal investigation
   or national security and so notifies the person of that determination.
 * Attorney General Enforcement. Failure to comply with the requirements of the
   act shall constitute an unfair trade practice and shall be enforced by the
   Attorney General.





MINNESOTA

Name: Minn. Stat. 325E.61 and 325E.64 H.F. 2121
Effective Date: January 1, 2006

Link to Documentation 1
Link to Documentation 2



APPLICATION

Any person or business that conducts business in MN, and that owns or licenses
data that includes PI.

 * The provisions governing maintenance of PI that the Entity does not own
   appear applicable to any Entity maintaining information on MN residents,
   whether or not the Entity conducts business in MN.




SECURITY BREACH DEFINITION

An unauthorized acquisition of computerized data that compromises the security,
confidentiality, or integrity of PI maintained by the Entity.

 * Good-faith acquisition of PI by an employee or agent of the Entity for the
   purposes of the Entity is not a breach of the security of the system,
   provided that the PI is not used or subject to further unauthorized
   disclosure.




NOTIFICATION OBLIGATION

Any Entity to which the statute applies shall disclose any breach of the
security of the system following discovery or notification of the breach in the
security of the data to any resident of MN whose unencrypted PI was, or is
reasonably believed to have been, acquired by an unauthorized person.




NOTIFICATION TO CONSUMER REPORTING AGENCIES

If an Entity notifies more than 500 persons at one time, the Entity shall also
notify, within 48 hours, all consumer reporting agencies that compile and
maintain files on consumers on a nationwide basis of the timing, distribution,
and content of the notices.




THIRD-PARTY DATA NOTIFICATION

Any Entity that maintains data that includes PI that the Entity does not own
shall notify the owner or licensee of the information of any breach of the
security of the data immediately following discovery, if the PI was, or is
reasonably believed to have been, acquired by an unauthorized person.




TIMING OF NOTIFICATION

The disclosure must be made in the most expedient time possible and without
unreasonable delay, consistent with any measures necessary to determine the
scope of the breach, identify the individuals affected, and restore the
reasonable integrity of the data system.




PERSONAL INFORMATION DEFINITION

An individual’s first name or first initial and last name in combination with
any one or more of the following data elements, when the data element is not
secured by encryption or another method of technology that makes electronic data
unreadable or unusable, or was secured and the encryption key, password, or
other means necessary for reading or using the data was also acquired:

 * Social Security number;
 * Driver’s license number or state identification card number; or
 * Account number, credit card number, or debit card number, in combination with
   any required security code, access code, or password that would permit access
   to an individual’s financial account.

PI does not include publicly available information that is lawfully made
available to the general public from federal, state, or local government
records.




NOTICE REQUIRED

Notice may be provided by one of the following methods:

 * Written notice to the most recent available address the Entity has in its
   records; or
 * Electronic notice, if the Entity’s primary method of communication with the
   individual is by electronic means, or if the notice provided is consistent
   with the provisions regarding electronic records and signatures set forth in
   15 U.S.C. § 7001 (E-Sign Act).




SUBSTITUTE NOTICE AVAILABLE

Substitute notice is available if the Entity demonstrates that the cost of
providing notice would exceed $250,000, that the Entity has to provide notice to
more than 500,000 residents, or that the Entity does not have sufficient contact
information. Substitute notice shall consist of all of the following:

 * Email notice, if the Entity has email addresses for the subject persons;
 * Conspicuous posting of the notice on the Entity’s website, if the Entity
   maintains one; and
 * Notification to major statewide media.




EXCEPTION: OWN NOTIFICATION POLICY

An Entity that maintains its own notification procedures as part of an
information security policy for the treatment of PI and whose procedures are
otherwise consistent with the timing requirements of the statute, shall be
deemed to be in compliance with the notification requirements of the statute, if
the Entity notifies subject persons in accordance with its policies in the event
of a breach of security of the system.




EXCEPTION: COMPLIANCE WITH OTHER LAWS

 * HIPAA-Covered Entities. A provider of health care, health care service plan,
   health insurer, or a covered entity governed by the medical privacy and
   security rules issued by the federal Department of Health and Human Services
   pursuant to the Health Insurance Portability and Accountability Act of 1996
   (HIPAA) shall be deemed in compliance with this chapter.




OTHER KEY PROVISIONS:

 * Delay for Law Enforcement. Notice may be delayed to a date certain if a law
   enforcement agency determines that the notice will impede a criminal
   investigation.
 * Attorney General Enforcement.
 * Private Right of Action.
 * Waiver Not Permitted.
 * Does not apply to any “financial institution,” as defined by 15 U.S.C. §
   6809(3).





MICHIGAN

Name: Mich. Comp. Laws 445.63, 72 et seq. H.B. 6406
Effective Date: January 20, 2020
Link to Documentation 1
Link to Documentation 2



APPLICATION

Any individual, partnership, corporation, limited liability company,
association, or other legal entity, or any department, board, commission,
office, agency, authority, or other unit of state government of MI
(collectively, Entity) that owns or licenses data including PI of a MI resident.

 * The provisions governing maintenance of PI are applicable to any Entity
   maintaining information on MI residents, whether or not organized or licensed
   under the laws of MI.




SECURITY BREACH DEFINITION

The unauthorized access and acquisition of data that compromises the security or
confidentiality of PI maintained by an Entity as part of a database of PI
regarding multiple individuals.

 * A good-faith but unauthorized acquisition of PI by an employee or other
   individual, where the access was related to the activities of the Entity, is
   not a breach of security unless the PI is misused or disclosed to an
   unauthorized person. In making this determination an Entity shall act with
   the care an ordinarily prudent Entity in a like position would exercise under
   similar circumstances.




NOTIFICATION OBLIGATION

An Entity to which the statute applies shall provide notice of the breach to
each resident of MI if (i) the resident’s unencrypted and unredacted PI was
accessed and acquired by an unauthorized person or (ii) the resident’s PI was
accessed and acquired in encrypted form by a person with unauthorized access to
the encryption key.

 * Notification is not required if the Entity determines that the security
   breach has not or is not likely to cause substantial loss or injury to, or
   result in identity theft with respect to, one or more residents of MI.

This section does not apply to the access or acquisition by a person or agency
of federal, state, or local government records or documents lawfully made
available to the general public.




NOTIFICATION TO CONSUMER REPORTING AGENCIES

If an Entity notifies 1,000 or more MI residents, the Entity shall, after
notifying those residents, notify each consumer reporting agency that compiles
and maintains files on consumers on a nationwide basis of the security breach
without unreasonable delay. A notification under this subsection shall include
the number and timing of notices that the person or agency provided to residents
of this state. This subsection does not apply if the person or agency is subject
to Title V of the Gramm-Leach-Bliley Act.




THIRD-PARTY DATA NOTIFICATION

An Entity that maintains a database that includes data that the Entity does not
own or license that discovers a breach of the security of the database shall
provide a notice to the owner or licensor of the information of the security
breach, unless the Entity determines that the security breach has not or is not
likely to cause substantial loss or injury to, or result in identity theft with
respect to one or more residents of MI.




TIMING OF NOTIFICATION

The notification shall be given without unreasonable delay following discovery
of the breach, consistent with measures necessary to determine the scope of the
breach of the security of a system or restore the integrity of the system.




PERSONAL INFORMATION DEFINITION

The first name or first initial and last name linked to one or more of the
following data elements of a resident of MI:

 * Social Security number;
 * Driver’s license number or state personal identification card number; or
 * Demand deposit or other financial account number, or credit card or debit
   card number, in combination with any required security code, access code, or
   password that would permit access to any of the resident’s financial
   accounts.




NOTICE REQUIRED

Notice may be provided by one of the following methods:

 * Written notice sent to the recipient at the recipient’s postal address in the
   records of the Entity;
 * Telephonic notice given by an individual who represents the Entity if (i) the
   notice is not given in whole or in part by use of a recorded message, (ii)
   the recipient has expressly consented to receive notice by telephone, or if
   the recipient has not expressly consented to receive notice by telephone, the
   Entity also provides notice pursuant to the above methods if the notice by
   telephone does not result in a live conversation between the individual
   representing the Entity and the recipient within 3 business days after the
   initial attempt to provide telephonic notice; or
 * Written notice sent electronically to the recipient if (i) the recipient has
   expressly consented to receive electronic notice, (ii) the Entity has an
   existing business relationship with the recipient that includes periodic
   email communications and based on those communications the Entity reasonably
   believes that it has the recipient’s current email address, or (iii) the
   Entity conducts its business primarily through Internet account transactions
   or on the Internet.

A notice under the statute shall:

 * Be written in a clear and conspicuous manner, and shall clearly communicate
   the content required;
 * Describe the security breach in general terms;
 * Describe the type of PI that is the subject of the unauthorized access or
   use;
 * If applicable, generally describe what the agency or person providing the
   notice has done to protect data from further security breaches;
 * Include a telephone number where a notice recipient may obtain assistance or
   additional information; and
 * Remind notice recipients of the need to remain vigilant for incidents of
   fraud and identity theft.




SUBSTITUTE NOTICE AVAILABLE

Substitute notice is available if the Entity demonstrates that the cost of
providing notice would exceed $250,000 or that the Entity has to provide notice
to more than 500,000 residents of MI. Substitute notice shall consist of all of
the following:

 * Email notice, if the Entity has email addresses for any of the residents of
   MI who are entitled to receive notice;
 * Conspicuous posting on the Entity’s website, if the Entity maintains one; and
 * Notification to major statewide media, which notice shall include a telephone
   number or website address that a person may use to obtain additional
   assistance and information.

A public utility that sends monthly billing or account statements to its
customers may provide notice of a security breach to its customers as provided
under the statute or by providing all of the following:

 * As applicable, email notice in accordance with the statute;
 * Notice to the media reasonably calculated to inform the utility’s customers
   of the breach;
 * Conspicuous posting of notice of the security breach on the website of the
   utility; and
 * Written notice sent in conjunction with the billing or account statement sent
   to the customer at his or her postal address in the utility’s records.




EXCEPTION: COMPLIANCE WITH OTHER LAWS

 * Federal Interagency Guidance. A financial institution that is subject to and
   in compliance with the Federal Interagency Guidance Response Programs for
   Unauthorized Access to Consumer Information and Customer Notice, issued on
   March 7, 2005, by the Board of Governors of the Federal Reserve System, the
   Federal Deposit Insurance Corporation, the Office of the Comptroller of the
   Currency, and the Office of Thrift Supervision, and any revisions, additions,
   or substitutions relating to said interagency guidance, shall be deemed to be
   in compliance.
 * HIPAA-Covered Entities. A provider of health care, health care service plan,
   health insurer, or a covered entity governed by the medical privacy and
   security rules issued by the federal Department of Health and Human Services
   pursuant to the Health Insurance Portability and Accountability Act of 1996
   (HIPAA) shall be deemed in compliance with this chapter.
 * (Effective January 20, 2020) Entities subject to, or regulated under,
   Michigan’s insurance code are exempt from the state’s data breach
   notification statute and instead will be governed by HB 6491/Public Act 690
   of 2018, which goes into effect January 20, 2021.




PENALTIES

Provides for criminal penalties for notice of a security breach that has not
occurred, where such notice is given with the intent to defraud. The offense is
a misdemeanor, punishable by imprisonment for not more than 30 days or a fine of
not more than $250 per violation (or both). (The penalty is the same for second
and third violations, except that the fine increases to $500 per violation and
$750 per violation, respectively.) Similarly, Entities who distribute an
advertisement or make any other solicitation that misrepresents to the recipient
that a security breach has occurred that may affect the recipient are punishable
by imprisonment for not more than 93 days or a fine of not more than $1,000 per
violation (or both). (The penalty is the same for second and third violations,
except that the fine increases to $2,000 per violation and $3,000 per violation,
respectively.)

Entities who fail to provide notice may be ordered to pay a civil fine of not
more than $250 for each failure to provide notice, capped at $750,000 per
security breach. These penalties do not affect the availability of civil
remedies under state or federal law.




OTHER KEY PROVISIONS:

 * Delay for Law Enforcement. Notice may be delayed if a law enforcement agency
   determines that the notice will impede a criminal investigation or jeopardize
   homeland or national security. Notification shall be given as soon as
   reasonably practicable after the law enforcement agency determines that it
   will not impede a criminal investigation and will not jeopardize homeland or
   national security.
 * Attorney General Enforcement.
 * Provides that Entities may deliver notice pursuant to an agreement with
   another Entity, if the agreement does not conflict with MI law.





MASSACHUSETTS

Name: Mass. Gen. Laws 93H 1 et seq. 201 C.M.R. 17.00 H.B. 4806
Effective Date: April 11, 2019
Link to Documentation



APPLICATION

A natural person, corporation, association, partnership or other legal entity,
or any agency, executive office, department, board, commission, bureau,
division, or authority of MA, or any of its branches, or any political
subdivision thereof (collectively, Entity) that owns, licenses, maintains, or
stores data that includes PI about a resident of MA.

 * The provisions governing maintenance of PI are applicable to any Entity
   maintaining information on MA residents, whether or not organized or licensed
   under the laws of MA.




SECURITY BREACH DEFINITION

An unauthorized acquisition or unauthorized use of unencrypted data or encrypted
electronic data and the confidential process or key that is capable of
compromising the security, confidentiality, or integrity of PI, maintained by an
Entity that creates a substantial risk of identity theft or fraud against a MA
resident.

 * A good-faith but unauthorized acquisition of PI by an Entity, or employee or
   agent thereof, for the lawful purpose of such Entity, is not a breach of
   security unless the PI is used in an unauthorized manner or subject to
   further unauthorized disclosure.




NOTIFICATION OBLIGATION

An Entity to which the statute applies shall provide notice to the affected
residents, as soon as practicable and without unreasonable delay, when the
Entity knows or has reason to know of a breach of security, or when the Entity
knows or has reason to know that the PI of such resident was acquired or used by
an unauthorized person or used for an unauthorized purpose. Note: MA may take
the position that any unauthorized acquisition or use by a third party triggers
the notification obligation, regardless of materiality or ownership of the data.




ATTORNEY GENERAL/AGENCY NOTIFICATION

Notice must be provided to the state Attorney General and the director of
consumer affairs and business regulation.

The notice shall include, but not be limited to:

 * the nature of the breach of security or unauthorized acquisition or use;
 * the number of residents of MA affected by such incident at the time of
   notification;
 * the name and address of the person or agency that experienced the breach of
   security;
 * the name and title of the person or agency reporting the breach of security,
   and their relationship to the person or agency that experienced the breach of
   security;
 * the type of person or agency reporting the breach of security;
 * the person responsible for the breach of security, if known;
 * the type of personal information compromised, including, but not limited to,
   social security number, driver’s license number, financial account number,
   credit or debit card number or other data;
 * whether the person or agency maintains a written information security
   program; and
 * any steps the person or agency has taken or plans to take relating to the
   incident, including updating the written information security program.

A person who experienced a breach of security shall file a report with the
attorney general and the director of consumer affairs and business regulation
certifying their credit monitoring services comply with the law’s requirements
for providing credit monitoring to individuals if social security numbers are
affected.

Note that both agencies currently promulgate online forms containing the
required information.

 * Upon receipt of notice, the director of consumer affairs and business
   regulation shall report the incident publicly on its website and make
   available electronic copies of the sample notice sent to consumers on its
   website.
 * Upon receipt of notice, the director of consumer affairs and business
   regulation shall identify any relevant consumer reporting agency or state
   agency and forward the names of the identified consumer reporting agencies
   and state agencies to the notifying Entity. The Entity shall, as soon as
   practicable and without unreasonable delay, also provide notice to consumer
   reporting agencies and state agencies identified by the director of consumer
   affairs and business regulation.




NOTIFICATION OBLIGATION OF AN AGENCY WITHIN THE EXECUTIVE DEPARTMENT

If an agency is within the Executive Department, it shall provide written
notification of the nature and circumstances of the breach or unauthorized
acquisition or use of the information to the Technology Division and the
Division of Public Records as soon as practicable and without unreasonable delay
following discovery of the breach of security or unauthorized acquisition or
use, and shall comply with all policies and procedures adopted by that division
pertaining to the reporting and investigation of such an incident.




THIRD-PARTY DATA NOTIFICATION

An Entity that maintains or stores, but does not own or license data that
includes PI about a resident of MA, shall provide notice, as soon as practicable
and without unreasonable delay, when such Entity (i) knows or has reason to know
of a breach of security or (ii) when the Entity knows or has reason to know that
the PI of such resident was acquired or used by an unauthorized person or used
for an unauthorized purpose, to the owner or licensor.

Such Entity shall cooperate with the owner or licensor of such PI. Cooperation
shall include, but not be limited to (i) informing the owner or licensor of the
breach of security or unauthorized acquisition or use, (ii) the date or
approximate date of such incident and the nature thereof, and (iii) any steps
the Entity has taken or plans to take relating to the incident, except that such
cooperation shall not be deemed to require the disclosure of confidential
business information or trade secrets, or to provide notice to a resident that
may not have been affected by the breach of security or unauthorized acquisition
or use.




TIMING OF NOTIFICATION

The notification shall be given as soon as practicable and without unreasonable
delay following discovery of the breach. Entities cannot delay notification “on
the grounds that the total number of residents affected is not yet ascertained.”




PERSONAL INFORMATION DEFINITION

A resident’s first name and last name or first initial and last name in
combination with any one or more of the following data elements that relates to
such resident:

 * Social Security number;
 * Driver’s license or state-issued identification card number; or
 * Financial account number or credit card number, with or without any required
   security code, access code, personal ID number, or password, that would
   permit access to a resident’s financial account.

PI does not include information that is lawfully obtained from publicly
available information, or from federal, state, or local government records
lawfully made available to the general public.




NOTICE REQUIRED

Notice provided to the resident shall not include the nature of the breach or
unauthorized acquisition or use, or the number of residents of MA affected by
said breach or unauthorized acquisition or use. It must, however, include:

 * the resident’s right to obtain a police report;
 * how a resident may request a security freeze and the necessary information to
   be provided when requesting the security freeze;
 * that there shall be no charge for a security freeze; and
 * mitigation services to be provided pursuant to this chapter.

If the person or agency that experienced a breach of security is owned by
another person or corporation, the notice to the consumer shall include the name
of the parent or affiliated corporation.

Notice may be provided by one of the following methods:

 * Written notice; or
 * Electronic notice, if notice provided is consistent with the provisions
   regarding electronic records and signatures set forth in 15 U.S.C. § 7001
   (E-Sign Act).




SUBSTITUTE NOTICE AVAILABLE

Substitute notice is available if the Entity required to provide notice
demonstrates that the cost of providing written notice will exceed $250,000, or
that the affected class of MA residents to be notified exceeds 500,000
residents, or that the Entity does not have sufficient contact information to
provide notice. Substitute notice shall consist of all of the following:

 * Email notice, if the Entity has email addresses for the members of the
   affected class of MA residents;
 * Clear and conspicuous posting of the notice on the home page of the Entity’s
   website, if the Entity maintains one; and
 * Publication in or broadcast through media that provide notice throughout MA.




EXCEPTION: COMPLIANCE WITH OTHER LAWS

 * Primary Regulator. Notification pursuant to laws, rules, regulations,
   guidance, or guidelines established by an Entity’s primary or functional
   state or federal regulator is sufficient for compliance.




OTHER KEY PROVISIONS:

 * Delay for Law Enforcement. Notice may be delayed if a law enforcement agency
   determines that the notice will impede a criminal investigation and has
   notified the Attorney General, in writing, thereof and informs the Entity of
   such determination. Notice required by the statute must be made without
   unreasonable delay and as soon as possible after the law enforcement agency
   determines that notification will no longer impede the investigation. The
   Entity shall cooperate with law enforcement in its investigation of any
   breach of security or unauthorized acquisition or use, which shall include
   the sharing of information relevant to the incident; provided, however, that
   such disclosure shall not require the disclosure of confidential business
   information or trade secrets.
 * Attorney General Enforcement. Penalties include civil penalties, damages, and
   injunctive relief.


MARYLAND

Name: Md. Code Com. Law 14-3501 et seq. H.B. 974
Effective Date: January 1, 2018



APPLICATION

A sole proprietorship, partnership, corporation, association, or any other
business entity, whether or not organized to operate at a profit, including a
financial institution organized, chartered, licensed, or otherwise authorized
under the laws of MD, any other state, the United States, or any other country
(collectively, Entity) that owns or licenses computerized data that includes PI
of an individual residing in MD.

 * The provisions governing maintenance of PI are applicable to any Entity
   maintaining information on MD residents, whether or not organized or licensed
   under the laws of MD.




SECURITY BREACH DEFINITION

The unauthorized acquisition of computerized data that compromises the security,
confidentiality, or integrity of the PI maintained by an Entity.

 * A good-faith acquisition of PI by an employee or agent of an Entity for the
   purposes of the business, provided that the PI is not used or subject to
   further unauthorized disclosure, does not constitute a security breach.




NOTIFICATION OBLIGATION

An Entity to which the statute applies, when it discovers or is notified of a
breach of the security of the system, shall notify the individual of the breach.

 * Notification is not required if after a good-faith, reasonable, and prompt
   investigation the Entity determines that the PI of the individual was not and
   will not be misused as a result of the breach. If, after the investigation is
   concluded, the Entity determines that notification is not required, the
   Entity shall maintain records that reflect its determination for 3 years
   after the determination is made. If, after the investigation is concluded,
   the Entity determines that the breach of the security of the system creates a
   likelihood that PI has been or will be misused, the business shall notify the
   individual of the breach.




ATTORNEY GENERAL NOTIFICATION

Prior to giving the notification required under the statute, an Entity shall
provide notice of a breach of the security of a system to the state Office of
the Attorney General.




NOTIFICATION TO CONSUMER REPORTING AGENCIES

If an Entity must notify 1,000 or more individuals, the Entity also shall
notify, without unreasonable delay, each consumer reporting agency that compiles
and maintains files on consumers on a nationwide basis of the timing,
distribution, and content of the notices.




THIRD-PARTY DATA NOTIFICATION

An Entity that maintains computerized data that includes PI of an individual
residing in the state that the Entity does not own or license shall notify the
owner or licensee of the PI of a breach of the security of the system if it is
likely that the breach has resulted or will result in the misuse of PI of an
individual residing in MD.

 * Notification required by a third-party Entity shall be given as soon as
   practicable but not later than 45 days after the Entity discovers or is
   notified of the breach of the security of a system.
 * A third-party Entity shall share with the owner or licensee information
   relative to the breach.




TIMING OF NOTIFICATION

The notification required shall be given as soon as reasonably practicable, but
no later than 45 days after the business concludes the investigation, consistent
with measures necessary to determine the scope of the breach of the security of
a system, identify the individuals affected, or restore the integrity of the
system.




PERSONAL INFORMATION DEFINITION

1) An individual’s first name or first initial and last name in combination with
any one or more of the following data elements, when the name or the data
elements are not encrypted, redacted, or otherwise protected by another method
that renders the information unreadable or unusable:

 * Social Security number, individual taxpayer identification number, passport
   number, or other identification number issued by the federal government;
 * Driver’s license number or state identification card number;
 * Account number, credit card number, or debit card number, in combination with
   any required security code, access code, or password, that permits access to
   an individual’s financial account;
 * Health information, including information about an individual’s mental
   health;
 * Health insurance policy or certificate number or health insurance subscriber
   identification number, in combination with a unique identifier used by an
   insurer or an employer that is self-insured, that permits access to an
   individual’s health information; or
 * Biometric data of an individual generated by automatic measurements of an
   individual’s biological characteristics such as a fingerprint, voice print,
   genetic print, retina or iris image, or other unique biological
   characteristic, that can be used to uniquely authenticate the individual’s
   identity when the individual accesses a system or account.

2) A user name or email address in combination with a password or security
question and answer that permits access to an individual’s email account.

“Encrypted” means the protection of data in electronic or optical form using an
encryption technology that renders the data indecipherable without an associated
cryptographic key necessary to enable decryption of the data.

PI does not include (i) publicly available information that is lawfully made
available to the general public from federal, state, or local government
records; (ii) information that an individual has consented to have publicly
disseminated or listed; or (iii) information that is disseminated or listed in
accordance with the federal Health Insurance Portability and Accountability Act
of 1996 (HIPAA).




NOTICE REQUIRED

Notice may be provided by one of the following methods:

 * Written notice sent to the most recent address of the individual in the
   records of the business;
 * Telephonic notice, to the most recent telephone number of the individual in
   the records of the business; or
 * Email to the most recent email address of the individual in the records of
   the business, if the individual has expressly consented to receive email
   notice.

Except for breaches involving loss of information that permits access to an
email account only, notification shall include:

 * To the extent possible, a description of the categories of information that
   were, or are reasonably believed to have been, acquired by an unauthorized
   person, including which of the elements of PI were, or are reasonably
   believed to have been acquired;
 * Contact information for the business making the notification, including the
   business’s address, telephone number, and toll-free telephone number if one
   is maintained;
 * The toll-free telephone numbers and addresses for the major consumer
   reporting agencies; and
 * The toll-free telephone numbers, addresses, and website addresses for (i) the
   Federal Trade Commission and (ii) the state Attorney General, along with a
   statement that the individual can obtain information from these sources about
   steps the individual can take to avoid identity theft.

For breaches involving loss of information that permits access to an email
account only (and no other PI), the Entity may provide notice in electronic or
other form that directs the individual whose PI has been breached promptly to:

 * Change the individual’s password and security question or answer, as
   applicable; or
 * Take other steps appropriate to protect the email account with the business
   and all other online accounts for which the individual uses the same user
   name or email and password or security question or answer.

The notification may be given by a clear and conspicuous notice delivered to the
individual online while the individual is connected to the affected email
account from an IP address or online location from which the business knows the
individual customarily accesses the account, but otherwise may not be given to
the individual by sending notification by email to the email account affected by
the breach.




SUBSTITUTE NOTICE AVAILABLE

Substitute notice is available if the Entity demonstrates that the cost of
providing notice would exceed $100,000, that the affected class of individuals
to be notified exceeds 175,000, or that the Entity does not have sufficient
contact information to give notice. Substitute notice shall consist of all of
the following:

 * Email notice to an individual entitled to notification, if the business has
   an email address for the individual to be notified;
 * Conspicuous posting of the notice on the Entity’s website, if the Entity
   maintains a website; and
 * Notification to statewide media.




EXCEPTION: COMPLIANCE WITH OTHER LAWS

 * Primary Regulator. An Entity that complies with the requirements for
   notification procedures under the rules, regulations, procedures, or
   guidelines established by the primary or functional federal or state
   regulator of the Entity shall be deemed to be in compliance with the statute.
 * Gramm-Leach-Bliley Act. An Entity or the affiliate of an Entity that is
   subject to and in compliance with the Gramm-Leach-Bliley Act, the federal
   Interagency Guidelines Establishing Information Security Standards, and the
   federal Interagency Guidance on Response Programs for Unauthorized Access to
   Customer Information and Customer Notice, and any revisions, additions, or
   substitutions, shall be deemed to be in compliance with this subtitle.
 * An Entity or affiliate of the Entity that is in compliance with the federal
   Health Insurance Portability and Accountability Act of 1996 (HIPAA) shall be
   deemed to be in compliance.




OTHER KEY PROVISIONS:

 * Delay for Law Enforcement. Notice may be delayed if a law enforcement agency
   determines that the notice will impede a criminal investigation or jeopardize
   homeland or national security. Notification shall be given as soon as
   reasonably practicable but not later than 30 days after the law enforcement
   agency determines that it will not impede a criminal investigation and will
   not jeopardize homeland or national security.
 * Attorney General Enforcement.
 * Private Right of Action. Consumers may bring actions under Title 13 of the
   Maryland Code, the Unfair and Deceptive Trade Practices Act.
 * Waiver Not Permitted.


MAINE

Name: 10 ME. REV. STAT. 1346 et seq. H.P. 672
Effective Date: May 19, 2009



APPLICATION

Any individual, partnership, corporation, limited liability company, trust,
estate, cooperative, association or other entity, including agencies of state
government, the University of Maine System, the Maine Community College System,
Maine Maritime Academy, and private colleges and universities, or any
information broker, which means a person who, for monetary fees or dues, engages
in whole or in part in the business of collecting, assembling, evaluating,
compiling, reporting, transmitting, transferring, or communicating information
concerning individuals for the primary purpose of furnishing PI to nonaffiliated
third parties (collectively, Entity) that maintains computerized data that
includes PI. The provisions governing maintenance of PI are applicable to any
Entity maintaining information on ME residents, whether or not organized or
licensed under the laws of ME.




SECURITY BREACH DEFINITION

An unauthorized acquisition, release, or use of an individual’s computerized
data that includes PI that compromises the security, confidentiality, or
integrity of PI of the individual maintained by an Entity.

 * Good-faith acquisition, release, or use of PI by an employee or agent of an
   Entity on behalf of the Entity is not a breach of the security of the system
   if the PI is not used for or subject to further unauthorized disclosure to
   another person.




NOTIFICATION OBLIGATION

If an Entity that maintains computerized data that includes PI becomes aware of
a breach of the security of the system, the Entity shall give notice of the
breach following discovery or notification of the security breach to a resident
of ME whose PI has been, or is reasonably believed to have been, acquired by an
unauthorized person.

 * Notification is not required if after conducting a good-faith, reasonable,
   and prompt investigation, the Entity determines that there is not a
   reasonable likelihood that the PI has been or will be misused.




ATTORNEY GENERAL/AGENCY NOTIFICATION

When notice of a breach of the security of the system is required, the Entity
shall notify the appropriate state regulators within the Department of
Professional and Financial Regulation, or if the Entity is not regulated by the
Department, the state Attorney General.




NOTIFICATION TO CONSUMER REPORTING AGENCIES

If an Entity must notify more than 1,000 persons at a single time, the Entity
shall also notify, without unreasonable delay, consumer reporting agencies that
compile and maintain files on consumers on a nationwide basis. Notification must
include the date of the breach, an estimate of the number of persons affected by
the breach, if known, and the actual or anticipated date that persons were or
will be notified of the breach.




THIRD-PARTY DATA NOTIFICATION

A third party that maintains, on behalf of another Entity, computerized data
that includes PI that the third party does not own shall notify the owner of the
PI of a breach of the security of the system immediately following discovery if
the PI was, or is reasonably believed to have been, acquired by an unauthorized
person.




TIMING OF NOTIFICATION

The notices must be made as expediently as possible and without unreasonable
delay, consistent with the legitimate needs of law enforcement or with measures
necessary to determine the scope of the security breach and restore the
reasonable integrity, security, and confidentiality of the data in the system.
Notification may be delayed for no longer than 7 business days after a law
enforcement agency determines that the notification will not compromise a
criminal investigation.




PERSONAL INFORMATION DEFINITION

An individual’s first name, or first initial, and last name in combination with
any one or more of the following data elements, when either the name or the data
elements are not encrypted or redacted:

 * Social Security number;
 * Driver’s license number or state identification card number;
 * Account number, credit card number, or debit card number if circumstances
   exist wherein such a number could be used without additional identifying
   information, access codes, or passwords;
 * Account passwords, personal identification numbers, or other access codes; or
 * Any of the above data elements when not in connection with the individual’s
   first name, or first initial, and last name, if the information compromised
   would be sufficient to permit a person to fraudulently assume or attempt to
   assume the identity of the person whose information was compromised.

PI does not include information from third-party claims databases maintained by
property and casualty insurers or publicly available information that is
lawfully made available to the general public from federal, state or local
government records or widely distributed media.




NOTICE REQUIRED

Notice may be provided by one of the following methods:

 * Written notice; or
 * Electronic notice, if the notice provided is consistent with the provisions
   regarding electronic records and signatures set forth in 15 U.S.C. § 7001
   (E-Sign Act).




SUBSTITUTE NOTICE AVAILABLE

Substitute notice is available if the Entity maintaining PI demonstrates that
the cost of providing notice would exceed $5,000, that the affected class of
individuals to be notified exceeds 1,000, or that the person maintaining PI does
not have sufficient contact information to provide written or electronic notice
to those individuals. Substitute notice shall consist of all of the following:

 * Email notice, if the Entity has email addresses for the individuals to be
   notified;
 * Conspicuous posting of the notice on the Entity’s website, if the Entity
   maintains one; and
 * Notification to major statewide media.




PENALTIES

Provides for civil penalties in the amount of $500 per violation, up to a
maximum of $2,500 per day; equitable relief; or enjoinment from future
violations.




OTHER KEY PROVISIONS:

 * Delay for Law Enforcement. If, after the completion of the required
   investigation, notification is required under this section, the notification
   required by this section may be delayed for no longer than 7 business days
   after a law enforcement agency determines that the notification will not
   compromise a criminal investigation.
 * Attorney General Enforcement. Enforced by state Attorney General and/or where
   applicable, the Department of Professional and Financial Regulation Office of
   Consumer Credit Regulation.


LOUISIANA

Name: La. Rev. Stat. § 51:3071 et seq. La. Admin. Code tit. 16, pt. III, 701
S.B. 361
Effective Date: August 1, 2018



APPLICATION

Any individual, corporation, partnership, sole proprietorship, joint stock
company, joint venture, or any other legal entity that conducts business in LA
or that owns or licenses computerized data that includes PI, or any agency that
owns or licenses computerized data that includes PI (collectively, Entity).

The provisions governing maintenance of PI that the Entity does not own appear
applicable to any Entity maintaining information on LA residents, whether or not
the Entity conducts business in LA.




SECURITY BREACH DEFINITION

The compromise of the security, confidentiality, or integrity of computerized
data that results in, or there is a reasonable basis to conclude has resulted
in, the unauthorized acquisition of and access to PI maintained by an Entity.

Good-faith acquisition of PI by an employee of the Entity for the purposes of
the Entity is not a breach of the security of the system, provided that the PI
is not used for, or is not subject to, unauthorized disclosure.




NOTIFICATION OBLIGATION

Any Entity to which the statute applies shall, following discovery of a breach
of the security of the system containing such data, notify any resident of the
state whose PI was, or is reasonably believed to have been, acquired by an
unauthorized person.

Notification is not required if after a reasonable investigation the Entity
determines that there is no reasonable likelihood of harm to LA residents. The
Entity shall retain a copy of the written determination and supporting
documentation for 5 years and provide a copy to the Attorney General upon
request.




ATTORNEY GENERAL NOTIFICATION

When notice to LA citizens is required by the statute, the Entity shall provide
written notice detailing the breach of the security of the system to the
Consumer Protection Section of the Attorney General’s Office. Notice shall
include the names of all LA citizens affected by the breach. Notice to the state
Attorney General shall be timely if received within 10 days of distribution of
notice to LA citizens. Each day that notice is not received by the state
Attorney General shall be deemed a separate violation.




THIRD-PARTY DATA NOTIFICATION

Any individual, corporation, partnership, sole proprietorship, joint stock
company, joint venture, or any other legal entity that maintains computerized
data that includes PI that the agency or person does not own shall notify the
owner or licensee of the information if the PI was, or is reasonably believed to
have been, acquired by an unauthorized person through a breach of security of
the system containing such data, following discovery by the agency or person of
a breach of the security system.




TIMING OF NOTIFICATION

The notification required pursuant to the statute shall be made in the most
expedient time possible and without unreasonable delay, but not later than 60
days from discovery of the breach, consistent with any measures necessary to
determine the scope of the breach, prevent further disclosures, and restore the
reasonable integrity of the data system. When notification is delayed by law
enforcement request or due to a determination by the Entity that measures are
necessary to determine the scope of the breach, prevent further disclosures, and
restore the reasonable integrity of the data system, the Entity shall provide
the Attorney General the reasons for the delay in writing within the 60-day
notification period. Upon receipt of the written reasons, the Attorney General
shall allow a reasonable extension of time to provide the consumer notification.




PERSONAL INFORMATION DEFINITION

The first name or first initial and last name of a LA resident in combination
with any one or more of the following data elements, when the name or the data
element is not encrypted or redacted:

 * Social Security number;
 * Driver’s license number or state identification card number;
 * Account number, credit card number, or debit card number in combination with
   any required security code, access code, or password that would permit access
   to an individual’s financial account;
 * Passport number; or
 * Biometric data. “Biometric data” means data generated by automatic
   measurements of an individual’s biological characteristics, such as
   fingerprints, voice print, eye retina or iris, or other unique biological
   characteristic that is used by the owner or licensee to uniquely authenticate
   an individual’s identity when the individual accesses a system or account.

“Personal information” shall not include publicly available information that is
lawfully made available to the general public from federal, state, or local
government records.




NOTICE REQUIRED

Notice may be provided by one of the following methods:

 * Written notification; or
 * Electronic notification, if the notification provided is consistent with the
   provisions regarding electronic records and signatures set forth in 15 U.S.C.
   § 7001 (E-Sign Act).




SUBSTITUTE NOTICE AVAILABLE

Substitute notice is available if an Entity demonstrates that the cost of
providing notification would exceed $100,000, that the affected class of persons
to be notified exceeds 100,000, or that the Entity does not have sufficient
contact information. Substitute notice shall consist of all of the following:

 * Email notification, when the Entity has email addresses for the subject
   persons;
 * Conspicuous posting of the notification on the Entity’s website, if the
   Entity maintains one; and
 * Notification to major statewide media.




EXCEPTION: OWN NOTIFICATION POLICY

Any Entity that maintains notification procedures as part of its information
security policy for the treatment of PI that are otherwise consistent with the
timing requirements of the statute shall be deemed to be in compliance with the
notification requirements of the statute if the Entity notifies the subject
persons in accordance with the policy and procedures in the event of a breach of
the security of the system.




EXCEPTION: COMPLIANCE WITH OTHER LAWS

 * Federal Interagency Guidance. A financial institution that is subject to and
   in compliance with the Federal Interagency Guidance Response Programs for
   Unauthorized Access to Consumer Information and Customer Notice, issued on
   March 7, 2005, by the Board of Governors of the Federal Reserve System, the
   Federal Deposit Insurance Corporation, the Office of the Comptroller of the
   Currency, and the Office of Thrift Supervision, and any revisions, additions,
   or substitutions relating to said interagency guidance, shall be deemed to be
   in compliance.




PENALTIES

 * A civil action may be instituted to recover actual damages resulting from the
   failure to disclose in a timely manner to a person that there has been a
   breach of the security system resulting in the disclosure of a person’s PI.
 * Failure to provide timely notice may be punishable by a fine not to exceed
   $5,000 per violation. Notice to the state Attorney General shall be timely if
   received within 10 days of distribution of notice to LA citizens. Each day
   that notice is not received by the state Attorney General shall be deemed a
   separate violation.




OTHER KEY PROVISIONS:

 * Delay for Law Enforcement. Notice may be delayed if a law enforcement agency
   determines that the notice will impede a criminal investigation. Notice
   required by the statute must be made without unreasonable delay and as soon
   as possible after the law enforcement agency determines that notification
   will no longer impede the investigation.
 * Private Right of Action. A civil action may be instituted to recover actual
   damages resulting from the failure to disclose in a timely manner to a person
   that there has been a breach of the security system resulting in the
   disclosure of a person’s PI.


KENTUCKY

Name: KY REV. STAT. 365.732 H.B. 5
Effective Date: January 1, 2015


APPLICATION

“Information holder” defined as any person or business entity that conducts
business in the state (collectively, Entity). Specific notification obligations
also apply to “non-affiliated third parties” (NTP) of state and municipal
government agencies and public educational institutions that receive or collect
and maintain PI from the agencies and institutions pursuant to a contract.




SECURITY BREACH DEFINITION

The unauthorized acquisition of unencrypted, unredacted computerized data that
compromises the security, confidentiality, or integrity of PI maintained by the
Entity as part of a database regarding multiple individuals that actually causes
or leads the Entity to believe has caused or will cause, identity theft or fraud
against any KY resident.

 * Good-faith acquisition of PI by an employee or agent of the Entity for the
   purposes of the Entity is not a breach of the security of the system if the
   PI is not used or subject to further unauthorized disclosures.




NOTIFICATION OBLIGATION

 * Any Entity to which the statute applies must, upon discovery or notification
   of breach in the security system, notify any KY resident whose unencrypted
   information was or is reasonably believed to have been acquired by an
   unauthorized person.
 * In the case of an NTP’s security system breach, the contracting agency or
   institution must notify the Attorney General within 72 hours of being
   notified by the NTP. Private entities do not have an obligation to notify any
   state regulatory authority.




NOTIFICATION TO CONSUMER REPORTING AGENCIES

If an Entity discovers circumstances requiring notification pursuant to this
section of more than 1,000 persons at one time, the Entity shall also notify,
without unreasonable delay, all consumer reporting agencies and credit bureaus
that compile and maintain files on consumers on a nationwide basis, as defined
by 15 U.S.C. § 1681a, of the timing, distribution, and content of the notices.




THIRD-PARTY DATA NOTIFICATION

 * An Entity that maintains computerized data that includes PI that the Entity
   does not own shall notify the owner or licensee of the information of any
   breach of the security of the data as soon as reasonably practicable
   following discovery, if the PI was or is reasonably believed to have been
   acquired by an unauthorized person.
 * An NTP, upon discovery or notification of breach in the security system, must
   notify its contracting agency or institution in the most expedient time
   possible and without unreasonable delay, within 72 hours of determining that
   a breach occurred. (NTPs following federal law or regulation regarding breach
   investigation and notice may satisfy this obligation by providing a copy of
   any federally required reports or investigations to the contracting agency or
   institution.) The contracting agency or institution bears the responsibility
   of notifying any affected individuals.




TIMING OF NOTIFICATION

 * Notice should occur in the most expedient time possible and without
   unreasonable delay, subject to the legitimate needs of law enforcement or any
   measures necessary to determine the scope of the breach and restore the
   reasonable integrity of the data system.
 * The NTP’s notice should occur in the most expedient time possible and without
   unreasonable delay, within 72 hours of determining that a breach occurred.




PERSONAL INFORMATION DEFINITION

An individual’s first name or first initial and last name in combination with
one or more of the following data elements when the name or data element is not
redacted:

 * Social Security number;
 * Driver’s license number; or
 * Account number, credit card number, or debit card number in combination with
   any required security code, access code, or password that would permit access
   to an individual’s financial account.

For NTPs, PI means an individual’s first name or first initial and last name;
personal mark; or unique biometric or genetic print or image, in combination
with one or more of the following data elements:

 * An account number, credit card number, or debit card number that, in
   combination with any required security code, access code, or password, would
   permit access to an account;
 * A Social Security number;
 * A taxpayer identification number that incorporates a Social Security number;
 * A driver’s license number, state identification card number, or other
   individual identification number issued by any agency;
 * A passport number or other identification number issued by the United States
   government; or
 * Individually identifiable health information as defined in 45 C.F.R. §
   160.103 except for education records covered by the Family Educational Rights
   and Privacy Act, as amended, 20 U.S.C. § 1232g.

Obligations under these statutes apply only to unencrypted, unredacted
computerized data.




NOTICE REQUIRED

Notice may be provided by one of the following methods:

 * Written notice; or
 * Electronic notice, if the notice is provided consistent with the provisions
   regarding electronic records and signatures set forth in 15 U.S.C. § 7001
   (E-Sign Act).




SUBSTITUTE NOTICE AVAILABLE

Substitute notice is available if the Entity can demonstrate that the cost of
providing notice would exceed $250,000, that the number of individuals to be
notified exceeds 500,000, or that it does not have sufficient contact
information for those affected. Substitute notice shall consist of all of the
following:

 * Email notification if the Entity has email addresses for the affected
   individuals;
 * Conspicuous posting regarding the incident on the Entity’s website, if the
   Entity maintains a website; and
 * Notification to major statewide media.




EXCEPTION: OWN NOTIFICATION POLICY

An Entity that maintains its own notification procedures as part of an
information security policy for the treatment of PI and is otherwise consistent
with the timing requirements of this section, shall be deemed to be in
compliance with the notification requirements of this section, if it notifies
subject persons in accordance with its policies in the event of a breach of
security of the system.




EXCEPTION: COMPLIANCE WITH OTHER LAWS

 * Gramm-Leach-Bliley Act; Federal Health Insurance Portability and
   Accountability Act; KY agency, local governments or political subdivisions.
   The provisions of this statute and the requirements for nonaffiliated third
   parties in KRS Chapter 61 shall not apply to any Entity subject to the
   provisions of Title V of the Gramm-Leach-Bliley Act, the federal Health
   Insurance Portability and Accountability Act of 1996 (HIPAA), any KY agency,
   or any KY local governments or political subdivisions.




OTHER KEY PROVISIONS:

 * Delay for Law Enforcement.
   * An Entity’s notice may be delayed if a law enforcement agency determines
     that the notification will impede a criminal investigation. The
     notification required by this section shall be made promptly after the law
     enforcement agency determines that it will not compromise the
     investigation.
   * An NTP’s notice to its contracting agency may be delayed if a law
     enforcement agency determines that the notification will impede a criminal
     investigation. The notification required by this section shall be given to
     the contracting agency as soon as reasonably feasible.




KENTUCKY BOARD OF EDUCATION REGULATION

The Kentucky Board of Education may promulgate administrative regulations in
accordance with KRS Chapter 13A as necessary to carry out the requirements of
this section.






KANSAS

Name: Kan. Stat. 50-7a01 et seq. S.B. 196
Effective Date: January 1, 2007
Link to Documentation



APPLICATION

Any individual, partnership, corporation, trust, estate, cooperative,
association, government, or governmental subdivision or agency or other entity
(collectively, Entity) that conducts business in KS and that owns or licenses
computerized data that includes PI.

 * The provisions governing maintenance of PI that the Entity does not own
   appear applicable to any Entity maintaining information on KS residents,
   whether or not the Entity conducts business in KS.




SECURITY BREACH DEFINITION

Any unauthorized access to and acquisition of unencrypted or unredacted
computerized data that compromises the security, confidentiality, or integrity
of PI maintained by an Entity and that causes, or such Entity reasonably
believes has caused or will cause, identity theft to any consumer.

 * Good-faith acquisition of PI by an employee or agent of an Entity for the
   purposes of the Entity is not a breach of the security of the system,
   provided that the PI is not used for or is not subject to further
   unauthorized disclosure.




NOTIFICATION OBLIGATION

Any Entity to which the statute applies shall, when it becomes aware of any
breach of the security of the system, give notice as soon as possible to the
affected KS resident.

 * Notification is not required if after a good-faith, reasonable, and prompt
   investigation the Entity determines that the PI has not been and will not be
   misused.




NOTIFICATION TO CONSUMER REPORTING AGENCIES

In the event that an Entity must notify more than 1,000 consumers at one time,
the Entity shall also notify, without unreasonable delay, all consumer reporting
agencies that compile and maintain files on consumers on a nationwide basis of
the timing, distribution, and content of the notices.




THIRD-PARTY DATA NOTIFICATION

An Entity that maintains computerized data that includes PI that the Entity does
not own or license shall give notice to the owner or licensee of the information
of any breach of the security of the data following discovery of a breach, if
the PI was, or is reasonably believed to have been, accessed and acquired by an
unauthorized person.




TIMING OF NOTIFICATION

Notice must be made in the most expedient time possible and without unreasonable
delay, consistent with any measures necessary to determine the scope of the
breach and to restore the reasonable integrity of the computerized data system.




PERSONAL INFORMATION DEFINITION

A consumer’s first name or first initial and last name linked to any one or more
of the following data elements that relate to the consumer, when the data
elements are neither encrypted nor redacted:

 * Social Security number;
 * Driver’s license number or state identification card number; or
 * Account number, credit card number, or debit card number, alone or in
   combination with any required security code, access code, or password that
   would permit access to a consumer’s financial account.

PI does not include publicly available information that is lawfully made
available to the general public from federal, state, or local government
records.




NOTICE REQUIRED

Notice may be provided by one of the following methods:

 * Written notice; or
 * Electronic notice, if the notice provided is consistent with the provisions
   regarding electronic records and signatures set forth in 15 U.S.C. § 7001
   (E-Sign Act).




SUBSTITUTE NOTICE AVAILABLE

Substitute notice is available if the Entity required to provide notice
demonstrates that the cost of providing notice will exceed $100,000, that the
affected class of consumers to be notified exceeds 5,000, or that the Entity
does not have sufficient contact information to provide notice. Substitute
notice shall consist of all of the following:

 * Email notice, if the Entity has email addresses for the affected class of
   consumers;
 * Conspicuous posting of the notice on the Entity’s website, if the Entity
   maintains one; and
 * Notification to major statewide media.




EXCEPTION: OWN NOTIFICATION POLICY

An Entity that maintains its own notification procedures as part of an
information security policy for the treatment of PI, and whose procedures are
otherwise consistent with the timing requirements of the statute, is deemed to
be in compliance with the notice requirements of the statute if the Entity
notifies affected consumers in accordance with its policies in the event of a
breach of security of the system.




EXCEPTION: COMPLIANCE WITH OTHER LAWS

 * Primary Regulator. Notification pursuant to laws, rules, regulations,
   guidance, or guidelines established by an Entity’s primary or functional
   state or federal regulator is sufficient.




OTHER KEY PROVISIONS:

 * Delay for Law Enforcement. Notice may be delayed if a law enforcement agency
   determines that the notice will impede a criminal investigation. Notice shall
   be made in good faith, without unreasonable delay, and as soon as possible
   after the law enforcement agency determines that notification will no longer
   impede the investigation.
 * Attorney General Enforcement. Allows the state Attorney General (or Insurance
   Commissioner in the case of an insurance company) to bring actions at law or
   equity to enforce compliance and enjoin future violations.






ILLINOIS

Name: Personal Information Protection Act.
Effective Date: January 1, 2017
Link to Documentation



APPLICATION

Any data collector, which includes, but is not limited to, government agencies,
public and private universities, privately and publicly held corporations,
financial institutions, retail operators, and any other entity that, for any
purpose, handles, collects, disseminates, or otherwise deals with nonpublic PI
(collectively, Entity) that owns or licenses PI concerning an IL resident.

 * The provisions governing maintenance of PI that the Entity does not own
   appear applicable to any Entity maintaining information on IL residents,
   whether or not the Entity conducts business in IL.




SECURITY BREACH DEFINITION

An unauthorized acquisition of computerized data that compromises the security,
confidentiality, or integrity of PI maintained by the Entity.

 * Good-faith acquisition of PI by an employee or agent of the Entity for a
   legitimate purpose of the Entity does not constitute a security breach,
   provided that the PI is not used for a purpose unrelated to the Entity’s
   business or subject to further unauthorized disclosure.




NOTIFICATION OBLIGATION

Any Entity to which the statute applies shall notify the resident at no charge
that there has been a breach following discovery or notification of the breach.
Note: Illinois may take the position that any unauthorized acquisition or use by
a third party triggers the notification obligation, regardless of materiality or
ownership of the data.




NOTIFICATION OBLIGATION FOR STATE AGENCIES

Any state agency that collects PI and has had a breach of security of the system
data or written material shall submit a report within 5 business days of the
discovery or notification of the breach to the General Assembly listing the
breaches and outlining any corrective measures that have been taken to prevent
future breaches. Any agency that has submitted a report under the statute shall
submit an annual report listing all breaches of security and the corrective
measures that have been taken to prevent future breaches.

State agencies must report security breaches involving more than 250 IL
residents to the Attorney General, including the types of PI compromised, the
number of IL residents affected, any steps the agency has taken or plans to take
to notify consumers, and the date and timeframe of the breach, if known. Such
notification must be made within 45 days of the agency’s discovery of the
security breach or when the agency provides notice to consumers, whichever is
sooner, unless there is good cause for reasonable delay to determine the scope
of the breach and restore the integrity, security, and confidentiality of the
data system, or when law enforcement requests in writing to withhold disclosure
of some or all of the information required in the Notification. If the date or
timeframe of the breach is unknown at the time the notice is sent to the
Attorney General, the state agency shall send the Attorney General the date or
timeframe of the breach as soon as possible.




THIRD-PARTY DATA NOTIFICATION

Any Entity that maintains or stores computerized data that includes PI that the
Entity does not own or license shall notify the owner or licensee of the
information of any breach of the security of the data immediately following
discovery, if the PI was, or is reasonably believed to have been, acquired by an
unauthorized person. In addition, such Entities shall cooperate with the data
owner or licensee in matters relating to the breach, including (1) giving notice
of the (approximate) date and nature of the breach and (2) informing the owner
or licensee of steps taken or planned relating to the breach.




TIMING OF NOTIFICATION

The disclosure notification shall be made in the most expedient time possible
and without unreasonable delay, consistent with any measures necessary to
determine the scope of the breach and restore the reasonable integrity,
security, and confidentiality of the data system.




PERSONAL INFORMATION DEFINITION

Either of the following:

(1) An individual’s first name or first initial and last name in combination
with any one or more of the following data elements, when either the name or the
data elements are not encrypted or redacted, or are encrypted or redacted but
the keys to unencrypt or unredact or otherwise read the name or data elements
have been acquired without authorization through the breach of security:

 * Social Security number;
 * Driver’s license number or state identification card number;
 * Account number, credit card number, or debit card number, or an account
   number or credit card number in combination with any required security code,
   access code, or password that would permit access to an individual’s
   financial account;
 * Medical information (any information regarding an individual’s medical
   history, mental or physical condition, or medical treatment or diagnosis by a
   healthcare professional, including such information provided to a website or
   mobile application);
 * Health insurance information (health insurance policy number or subscriber
   identification number, any unique identifier used by a health insurer to
   identify the individual, or any medical information in an individual’s health
   insurance application and claims history, including any appeals records); or
 * Unique biometric data generated from measurements or technical analysis of
   human body characteristics used by the owner or licensee to authenticate an
   individual, such as a fingerprint, retina or iris image, or other unique
   physical representation or digital representation of biometric data.

(2) User name or email address, in combination with a password or security
question and answer that would permit access to an online account, when either
the user name or email address or password or security question and answer are
not encrypted or redacted, or are encrypted or redacted but the keys to
unencrypt or unredact or otherwise read the data elements have been obtained
through the breach of security.

PI does not include publicly available information that is lawfully made
available to the general public from federal, state, or local government
records.




NOTICE REQUIRED

Notice may be provided by one of the following methods:

 * Written notice;
 * Electronic notice, if consistent with the provisions regarding electronic
   records and signatures set forth in 15 U.S.C. § 7001 (E-Sign Act); or
 * For breaches involving user name/email and password/security questions only,
   in “electronic or other form.”




CONTENTS OF NOTICE

For a breach of PI other than user name/email and password/security question,
the notice shall include:

 * The toll-free numbers and addresses for consumer reporting agencies;
 * The toll-free number, address, and website address for the Federal Trade
   Commission; and
 * A statement that the individual can obtain information from these sources
   about fraud alerts and security freezes.

The notice shall not include the number of IL residents affected by the breach.

For a breach of PI involving user name/email and password/security questions,
notice may be provided in electronic or other form directing the IL resident
whose PI has been breached to promptly change his or her user name or password
and security question or answer, as applicable, or to take other steps
appropriate to protect all online accounts for which the resident uses the same
user name or email address and password or security question and answer.




SUBSTITUTE NOTICE AVAILABLE

Substitute notice is available if the Entity demonstrates that the cost of
providing notice would exceed $250,000, that the affected class of subject
persons to be notified exceeds 500,000, or that the Entity does not have
sufficient contact information. Substitute notice shall consist of all of the
following:

 * Email notice, if the Entity has email addresses for the subject persons;
 * Conspicuous posting of the notice on the Entity’s website, if the Entity
   maintains one; and
 * Notification to major statewide media or, if the breach impacts residents in
   one geographic area, to prominent local media in areas where affected
   individuals are likely to reside, if such notice is reasonably calculated to
   give actual notice to the persons to whom notice is required.




EXCEPTION: OWN NOTIFICATION POLICY

An Entity that maintains its own notification procedures as part of an
information security policy for the treatment of PI and is otherwise consistent
with the timing requirements of the statute, shall be deemed in compliance with
the notification requirements of the statute if the Entity notifies subject
persons in accordance with its policies in the event of a breach of the security
of the system data.




EXCEPTION: COMPLIANCE WITH OTHER LAWS

Any Entity that is subject to and in compliance with the privacy and security
standards under the Health Insurance Portability and Accountability Act of 1996
and the Health Information Technology for Economic and Clinical Health Act
(“HITECH”) shall be deemed to be in compliance, provided that any Entity
required to provide notification of a breach to the Secretary of Health and
Human Services pursuant to HITECH also provides such notification to the
Attorney General within 5 business days of notifying the Secretary.




OTHER KEY PROVISIONS:

 * Delay for Law Enforcement. Notice may be delayed if a law enforcement agency
   determines that the notice will impede a criminal investigation and provides
   the Entity with a written request of delay. Notice required by the statute
   must be made without unreasonable delay and as soon as possible after the law
   enforcement agency determines that notification will no longer impede the
   investigation.
 * Waiver Not Permitted.
 * Violation of the statute constitutes an unlawful practice under the IL
   Consumer Fraud and Deceptive Business Practices Act.






HAWAII

Name: H.R.S. 487N-1 et seq. S.B. 2402
Effective Date: April 17, 2008
Link to Documentation



APPLICATION

Any sole proprietorship, partnership, corporation, association, or other group,
however organized, and whether or not organized to operate at a profit,
including financial institutions organized, chartered, or holding a license or
authorization certificate under the laws of HI, any other state, the United
States, or any other country, or the parent or the subsidiary of any such
financial institution, and any entity whose business is records destruction, or
any government agency that collects PI for specific government purposes
(collectively, Entity) that owns or licenses PI of residents of HI in any form
(whether computerized, paper, or otherwise).

 * The provisions governing maintenance of PI are applicable to any Entity
   maintaining information on HI residents, whether or not the Entity conducts
   business in HI.




SECURITY BREACH DEFINITION

Any unauthorized access to and acquisition of unencrypted or unredacted records
or data containing PI where illegal use of the PI has occurred, or is reasonably
likely to occur, where such unauthorized access and acquisition creates a risk
of harm to a person. Any incident of unauthorized access to and acquisition of
encrypted records or data containing PI along with the confidential process or
key constitutes a security breach.

 * Good-faith acquisition of PI by an employee or agent of the Entity for a
   legitimate purpose is not a security breach, provided that the PI is not used
   for a purpose other than a lawful purpose of the business and is not subject
   to further unauthorized disclosure.




NOTIFICATION OBLIGATION

Any Entity to which the statute applies shall provide notice to the affected
person of a security breach following discovery or notification of the breach.




ATTORNEY GENERAL/AGENCY NOTIFICATION

If more than 1,000 persons are notified at one time under this section, the
business shall notify the State of Hawaii’s Office of Consumer Protection of the
timing, content, and distribution of the notice.




NOTIFICATION TO CONSUMER REPORTING AGENCIES

If more than 1,000 persons are notified at one time pursuant to this section,
the Entity shall notify in writing, without unreasonable delay, all consumer
reporting agencies that compile and maintain files on consumers on a nationwide
basis of the timing, distribution, and content of the notice.




NOTIFICATION OBLIGATION FOR GOVERNMENT AGENCIES

A government agency shall submit a written report to the legislature within 20
days after discovery of a security breach at the government agency that details
information relating to the nature of the breach, the number of individuals
affected by the breach, a copy of the notice of security breach that was issued,
the number of individuals to whom the notice was sent, whether the notice was
delayed due to law enforcement considerations, and any procedures that have been
implemented to prevent the breach from reoccurring. In the event that a law
enforcement agency informs the government agency that notification may impede a
criminal investigation or jeopardize national security, the report to the
legislature may be delayed until 20 days after the law enforcement agency has
determined that notice will no longer impede the investigation or jeopardize
national security.




THIRD-PARTY DATA NOTIFICATION

Any business located in HI or any business that conducts business in HI that
maintains or possesses records or data containing PI of residents of HI that the
business does not own or license, shall notify the owner or licensee of the PI
of any security breach immediately following discovery of the breach.




TIMING OF NOTIFICATION

The disclosure notification shall be made without unreasonable delay, consistent
with any measures necessary to determine sufficient contact information,
determine the scope of the breach, and restore the reasonable integrity,
security, and confidentiality of the data system.




PERSONAL INFORMATION DEFINITION

An individual’s first name or first initial and last name in combination with
any one or more of the following data elements, when either the name or the data
elements are not encrypted:

 * Social Security number;
 * Driver’s license number or state identification card number; or
 * Account number, credit card number, debit card number, access code, or
   password that would permit access to an individual’s financial account.

PI does not include publicly available information that is lawfully made
available to the general public from federal, state, or local government
records.




NOTICE REQUIRED

Notice may be provided by one of the following methods:

 * Written notice to the last available address the Entity has on record;
 * Telephonic notice, provided that contact is made directly with the affected
   persons; or
 * Email notice, for those persons for whom an Entity has a valid email address
   and who have agreed to receive communications electronically if the notice
   provided is consistent with the provisions regarding electronic records and
   signatures set forth in 15 U.S.C. § 7001 (E-Sign Act).

The notice shall be clear and conspicuous and shall include a description of the
following:

 * The incident in general terms;
 * Type of PI subject to the unauthorized access and acquisition;
 * The general acts of the Entity to protect the PI from further unauthorized
   access;
 * A telephone number that the person may call for further information and
   assistance, if one exists; and
 * Advice that directs the person to remain vigilant by reviewing account
   statements and monitoring free credit reports.




SUBSTITUTE NOTICE AVAILABLE

Substitute notice is available if the Entity demonstrates that the cost of
providing notice would exceed $100,000, or that the affected class of persons to
be notified exceeds 200,000. It is also available, for only those affected
persons without sufficient contact information or consent, if the Entity does
not have sufficient contact information or consent to satisfy the required
notice, and, for only those unidentifiable affected persons, if the Entity is
unable to identify particular affected persons. Substitute notice shall consist
of all of the following:

 * Email notice when the Entity has email addresses for the subject persons;
 * Conspicuous posting of the notice on the Entity’s website, if the Entity
   maintains one; and
 * Notification to major statewide media.




EXCEPTION: COMPLIANCE WITH OTHER LAWS

 * Federal Interagency Guidance. A financial institution that is subject to and
   in compliance with the Federal Interagency Guidance Response Programs for
   Unauthorized Access to Customer Information and Customer Notice, issued on
   March 7, 2005, by the Board of Governors of the Federal Reserve System, the
   Federal Deposit Insurance Corporation, the Office of the Comptroller of the
   Currency, and the Office of Thrift Supervision, and any revisions, additions,
   or substitutions relating to said interagency guidance, shall be deemed to be
   in compliance.
 * HIPAA-Covered Entities. A provider of health care, health care service plan,
   health insurer, or a covered entity governed by the medical privacy and
   security rules issued by the federal Department of Health and Human Services
   pursuant to the Health Insurance Portability and Accountability Act of 1996
   (HIPAA) shall be deemed in compliance with this chapter.




PENALTIES

Any Entity that violates any provisions of the statute is subject to penalties
of not more than $2,500 for each violation.




OTHER KEY PROVISIONS:

 * Delay for Law Enforcement. Notice may be delayed if a law enforcement agency
   determines that the notice will impede a criminal investigation or jeopardize
   national security and requests a delay; provided that such request is made in
   writing, or the Entity documents the request contemporaneously in writing,
   including the name of the law enforcement officer making the request and the
   officer’s law enforcement agency engaged in the investigation. The notice
   shall be provided without unreasonable delay after the law enforcement agency
   communicates to the Entity its determination that notice will no longer
   impede the investigation or jeopardize national security.
 * Attorney General Enforcement.
 * Waiver Not Permitted.






GEORGIA

Name: Ga. Code § 10-1-910 et seq. S.B. No. 236
Effective Date: May 24, 2007
Link to Documentation



APPLICATION

Any person or entity who, for monetary fees or dues, engages in whole or in part
in the business of collecting, assembling, evaluating, compiling, reporting,
transmitting, transferring, or communicating information concerning individuals
for the primary purpose of furnishing PI to nonaffiliated third parties, or any
state or local agency or subdivision thereof including any department, bureau,
authority, public university or college, academy, commission, or other
government entity (collectively, Entity) that maintains computerized data that
includes PI of individuals. The statute shall not apply to any governmental
agency whose records are maintained primarily for traffic safety, law
enforcement, or licensing purposes or for purposes of providing public access to
court records or to real or personal property information.

 * The provisions governing maintenance of PI are applicable to any Entity
   maintaining information on GA residents, whether or not organized or licensed
   under the laws of GA.




SECURITY BREACH DEFINITION

An unauthorized acquisition of an individual’s electronic data that compromises
the security, confidentiality, or integrity of PI of such individual maintained
by an Entity.

 * Good-faith acquisition or use of PI by an employee or agent of an Entity for
   the purposes of such Entity is not a breach of the security of the system,
   provided that the PI is not used or subject to further unauthorized
   disclosure.




NOTIFICATION OBLIGATION

Any Entity that maintains computerized data that includes PI of individuals
shall give notice of any breach of the security of the system following
discovery or notification of the breach to any resident of GA whose unencrypted
PI was, or is reasonably believed to have been, acquired by an unauthorized
person.




NOTIFICATION TO CONSUMER REPORTING AGENCIES

In the event an Entity discovers circumstances requiring notification of more
than 10,000 residents of GA at one time, the Entity shall also notify, without
unreasonable delay, all consumer reporting agencies that compile and maintain
files on consumers on a nationwide basis of the timing, distribution, and
content of the notices.




THIRD-PARTY DATA NOTIFICATION

If an Entity maintains computerized data on behalf of another Entity that
includes PI of individuals that the Entity does not own, it shall notify the
other Entity of any breach of the security of the system within 24 hours
following discovery if the PI was, or is reasonably believed to have been,
acquired by an unauthorized person.




TIMING OF NOTIFICATION

The notice shall be made in the most expedient time possible and without
unreasonable delay, consistent with any measures necessary to determine the
scope of the breach and restore the reasonable integrity, security, and
confidentiality of the data system.




PERSONAL INFORMATION DEFINITION

An individual’s first name or first initial and last name in combination with
any one or more of the following data elements, when either the name or the data
elements are not encrypted or redacted:

 * Social Security number;
 * Driver’s license or state identification card number;
 * Account number, credit card number, debit card number if circumstances exist
   wherein such a number could be used without additional identifying
   information, access codes, or passwords;
 * Account passwords or personal identification numbers or other access codes;
   or
 * Any of the above items when not in connection with the individual’s first
   name or first initial and last name, if the information compromised would be
   sufficient to perform or attempt to perform identity theft against the person
   whose information was compromised.

PI does not include publicly available information that is lawfully made
available to the general public from federal, state, or local government
records.




NOTICE REQUIRED

Notice may be provided by one of the following methods:

 * Written notice; or
 * Electronic notice, if the notice provided is consistent with the provisions
   regarding electronic records and signatures set forth in 15 U.S.C. § 7001
   (E-Sign Act).




SUBSTITUTE NOTICE AVAILABLE

Substitute notice is available if an Entity demonstrates that the cost of
providing notice would exceed $50,000, that the affected class of individuals to
be notified exceeds 100,000, or that the Entity does not have sufficient contact
information to provide written or electronic notice to such individuals.
Substitute notice shall consist of all of the following:

 * Email notice, if the Entity has email addresses for the individuals to be
   notified;
 * Conspicuous posting of the notice on the Entity’s website, if the Entity
   maintains one; and
 * Notification to major statewide media.




EXCEPTION: OWN NOTIFICATION POLICY

Any Entity that maintains its own notification procedures as part of an
information security policy for the treatment of PI and whose procedures are
otherwise consistent with the timing requirements of the statute shall be deemed
to be in compliance with the notification requirements of the statute if it
notifies the individuals who are the subjects of the notice in accordance with
its policies in the event of a breach of the security of the system.




OTHER KEY PROVISIONS:

 * Delay for Law Enforcement. Notice may be delayed if a law enforcement agency
   determines that the notice will impede a criminal investigation. Notice
   required by the statute must be made without unreasonable delay and as soon
   as possible after the law enforcement agency determines that notification
   will no longer impede the investigation.






FLORIDA

Name: FLA. STAT. 501.171, S.B. 1526
Effective Date: July 1, 2014
Link to Documentation 1
Link to Documentation 2
Link to Documentation 3


APPLICATION

A sole proprietorship, partnership, corporation, trust, estate, cooperative,
association, or other commercial entity that acquires, maintains, stores, or
uses PI (collectively, Entity).

An entity that has been contracted to maintain, store, or process PI on behalf
of an Entity or governmental entity (“third-party agent”).




SECURITY BREACH DEFINITION

The unauthorized access of data in electronic form containing PI.

 * Good-faith access of PI by an employee or agent of the Entity is not a breach
   of the security of the system, provided the information is not used for a
   purpose unrelated to the business or subject to further unauthorized use.




NOTIFICATION TO INDIVIDUALS

Entity must give notice to each individual in Florida whose PI was, or the
Entity reasonably believes to have been, accessed as a result of the breach.

Notice to affected individuals is not required if, after an appropriate
investigation and consultation with relevant federal, state, or local law
enforcement agencies, the Entity reasonably determines that the breach has not
and will not likely result in identity theft or any other financial harm to the
individuals whose PI has been accessed. Such a determination must be documented
in writing and maintained for at least 5 years. The Entity must provide the
written determination to the Department within 30 days after the determination.




ATTORNEY GENERAL NOTIFICATION

Entity must provide notice to the Department of Legal Affairs (“Department”) of
any breach of security affecting 500 or more individuals in Florida.




NOTIFICATION TO CONSUMER REPORTING AGENCIES

If an Entity discovers circumstances requiring notification pursuant to this
section of more than 1,000 persons at a single time, the Entity shall also
notify, without unreasonable delay, all consumer reporting agencies that compile
and maintain files on consumers on a nationwide basis of the timing,
distribution, and content of the notices.




THIRD-PARTY DATA NOTIFICATION

Any third-party agent shall disclose to the Entity for which the information is
maintained any breach of the security of the system as soon as practicable, but
no later than 10 days following the determination of the breach or reason to
believe the breach occurred. Upon receiving notice from a third-party agent, the
Entity for which the information is maintained shall provide notices to the
Department and Affected Individuals. A third-party agent must provide the Entity
with all information that the Entity needs to comply with notice requirements. A
third-party agent may provide notice to the Department or Affected Individuals
on behalf of the Entity; however, a third-party agent’s failure to provide
proper notice shall be deemed a violation against the Entity.




TIMING OF NOTIFICATION

 * To the Department: Notice must be provided as expeditiously as practicable,
   but no later than 30 days after the determination of the breach or reason to
   believe a breach occurred.
 * To the Affected Individuals: Notice must be made as expeditiously as
   practicable and without unreasonable delay, taking into account the time
   necessary to allow the Entity to determine the scope of the breach of
   security, to identify individuals affected by the breach, and to restore the
   reasonable integrity of the data system that was breached, but no later than
   30 days after the determination of a breach or reasons to believe a breach
   occurred. Entity may receive 15 additional days to provide notice to Affected
   Individuals if good cause for delay is provided in writing to the Department
   within 30 days after determination of the breach or reason to believe a
   breach occurred.




PERSONAL INFORMATION DEFINITION

 * An individual’s first name or first initial and last name in combination with
   any one or more of the following data elements for that individual:
   * Social Security number;
   * A driver’s license or state identification card number, passport number,
     military identification number, or other similar number issued on a
     government document used to verify identity;
   * A financial account number or credit or debit card number in combination
     with any required security code, access code, or password that is necessary
     to permit access to an individual’s financial account;
   * Any information regarding an individual’s medical history, mental or
     physical condition, or medical treatment or diagnosis by a health care
     professional; or
   * An individual’s health insurance policy number or subscriber identification
     number and any unique identifier used by a health insurer to identify the
     individual.
 * A user name or email address, in combination with a password or security
   question and answer that would permit access to an online account.

PI does not include publicly available information that is made publicly
available by a federal, state, or local governmental entity. The term also does
not include information that is encrypted, secured, or modified by any other
method or technology that removes elements that personally identify an
individual or that otherwise renders the information unusable.




NOTICE REQUIRED

Notice may be provided by one of the following methods:

 * To the Department:
   * Written notice must include:
     * A synopsis of the events surrounding the breach at the time notice is
       provided.
     * The number of individuals in FL who were or potentially have been
       affected by the breach.
     * Any services related to the breach being offered or scheduled to be
       offered, without charge, by the Entity to individuals, and instructions
       as to how to use such services.
     * A copy of the notice required to affected individuals or an explanation
       of the other actions taken to give notice to affected individuals.
     * The name, address, telephone number, and email address of the employee or
       agent of the Entity from whom additional information may be obtained
       about the breach.
   * Upon the Department’s request, the Entity must provide the following
     information to the Department:
     * A police report, incident report, or computer forensics report.
     * A copy of the policies in place regarding breaches.
     * Steps that have been taken to rectify the breach.
   * The Entity may provide supplemental information regarding a breach at any
     time to the Department.
 * To Affected Individuals:
   * Notice must contain, at a minimum:
     * The date, estimated date, or estimated date range of the breach.
     * A description of the PI that was accessed or reasonably believed to have
       been accessed as a part of the breach.
     * Information that the individual can use to contact the Entity to inquire
       about the breach and the PI that the Entity maintained about the
       individual.
   * Notice may be provided by the following methods:
     * Written notice sent to the mailing address of the individual in the
       records of the Entity; or
     * Email notice sent to the individual’s email address in the Entity’s
       records.




SUBSTITUTE NOTICE AVAILABLE

If the Entity demonstrates that the cost of providing notice would exceed
$250,000, that the affected class of subject persons to be notified exceeds
500,000, or that the Entity does not have sufficient contact information,
substitute notice shall consist of both of the following:

 * Conspicuous posting of the notice on the Entity’s website, if the Entity
   maintains one; and
 * Notification in print and to broadcast media, including major media in urban
   and rural areas where the Affected Individuals reside.




PENALTIES

An Entity that violates the statute in the following manner is subject to the
following administrative fines:

 * A violation of this section shall be treated as an unfair or deceptive trade
   practice in any action brought by the Department against an Entity or
   third-party agent.
 * An Entity that fails to notify the Department or Affected Individuals shall
   be liable for a civil penalty not to exceed $500,000 (i) in the amount of
   $1,000 for each day the breach goes undisclosed for up to 30 days and,
   thereafter, $50,000 for each 30-day period or portion thereof for up to
   180 days; or (ii) if the violation continues for more than 180 days, in an
   amount not to exceed $500,000. The civil penalties under this paragraph apply
   per breach, and not per individual affected by the breach.




EXCEPTION: COMPLIANCE WITH OTHER LAWS

 * Primary Regulator. Notification pursuant to laws, rules, regulations,
   guidance, or guidelines established by an Entity’s primary or functional
   state regulator is sufficient for compliance.




OTHER KEY PROVISIONS:

 * Delay for Law Enforcement. Notice to Individuals may be delayed for a
   specified period that the law enforcement agency determines is reasonably
   necessary in a written request if a law enforcement agency determines that
   the notice will impede a criminal investigation. A law enforcement agency
   may, by a subsequent written request, revoke such delay as of a specified
   date or extend the period specified in the original request made to a
   specified date if further delay is necessary.
 * Public Records Exemption. All information received by the Department pursuant
   to the notification requirements or pursuant to a law enforcement or
   Department investigation is confidential and exempt from the Public Records
   requirement under the State Constitution and statutes.






DISTRICT OF COLUMBIA

Name: D.C. Code § 28-3851 et seq. Council Bill 16-810
Effective Date: July 1, 2007
Link to Documentation



APPLICATION

Any person or entity (collectively, Entity) who conducts business in D.C. and
who, in the course of such business, owns or licenses computerized or other
electronic data that includes PI.

 * Provisions governing maintenance of PI that the Entity does not own appear
   applicable to any Entity maintaining information on DC residents, whether or
   not the Entity conducts business in DC.




SECURITY BREACH DEFINITION

An unauthorized acquisition of computerized or other electronic data, or any
equipment or device storing such data that compromises the security,
confidentiality, or integrity of PI maintained by the Entity.

 * Acquisition of data that has been rendered secure, so as to be unusable by an
   unauthorized third party, shall not be deemed to be a breach of the security
   of the system.
 * Good-faith acquisition of PI by an employee or agent of the Entity for the
   purposes of the Entity is not a breach of the security of the system if the
   PI is not used improperly or subject to further unauthorized disclosure.




NOTIFICATION OBLIGATION

Any Entity to which the statute applies, and who discovers a breach of the
security system, shall promptly notify any D.C. resident whose PI was included
in the breach.




NOTIFICATION TO CONSUMER REPORTING AGENCIES

If any Entity is required to notify more than 1,000 persons of a breach of
security, the Entity shall also notify, without unreasonable delay, all consumer
reporting agencies that compile and maintain files on consumers on a nationwide
basis, as defined by § 603(p) of the federal Fair Credit Reporting Act, of the
timing, distribution, and content of the notices. This subsection shall not
apply to an Entity who is required to notify consumer reporting agencies of a
breach pursuant to Title V of the Gramm-Leach-Bliley Act.




THIRD-PARTY DATA NOTIFICATION

Any Entity that maintains, handles, or otherwise possesses computerized or other
electronic data that includes PI that the Entity does not own shall notify the
owner or licensee of the information of any breach of the security of the system
in the most expedient time possible following discovery.




TIMING OF NOTIFICATION

The notification shall be made in the most expedient time possible and without
unreasonable delay, consistent with any measures necessary to determine the
scope of the breach and restore the reasonable integrity of the data system.




PERSONAL INFORMATION DEFINITION

(1) Any number or code or combination of numbers or codes, such as an account
number, security code, access code, or password, that allows access to or use of
an individual’s financial or credit account; or

(2) an individual’s first name or first initial and last name, or phone number,
or address, and any one or more of the following data elements:

 * Social Security number;
 * Driver’s license number or D.C. identification card number; or
 * Credit card number or debit card number.

PI shall not include information that is lawfully made available to the general
public from federal, state, or local government records.




NOTICE REQUIRED

Notice may be provided by one of the following methods:

 * Written notice; or
 * Electronic notice, if the customer has consented to receipt of electronic
   notice consistent with the provisions regarding electronic records and
   signatures set forth in 15 U.S.C. § 7001 (E-Sign Act) [but, see “Own
   Notification Policy,” below]




SUBSTITUTE NOTICE AVAILABLE

If the Entity demonstrates that the cost of providing notice to persons would
exceed $50,000, that the number of persons to receive notice under the statute
exceeds 100,000, or that the Entity does not have sufficient contact
information, substitute notice shall consist of all of the following:

 * Email notice when the Entity has email addresses for the subject persons;
 * Conspicuous posting of the notice on the website of the Entity, if the Entity
   maintains one; and
 * Notice to major local and, if applicable, national media.




EXCEPTION: OWN NOTIFICATION POLICY

Any Entity that maintains its own notification procedures as part of an
information security policy for the treatment of PI and whose procedures are
otherwise consistent with the timing requirements of the statute shall be deemed
in compliance with the notification requirements of the statute if the Entity
provides notice, in accordance with its policies, reasonably calculated to give
actual notice to persons to whom notice is otherwise required to be given under
the statute.

 * Notice under this section may be given by email if the Entity’s primary
   method of communication with the D.C. resident is by email.




EXCEPTION: COMPLIANCE WITH OTHER LAWS

 * Gramm-Leach-Bliley Act. The provisions of this statute shall not apply to any
   Entity who is subject to the provisions of Title V of the Gramm-Leach-Bliley
   Act.




OTHER KEY PROVISIONS:

 * Delay for Law Enforcement. Notice may be delayed if a law enforcement agency
   determines that the notice will impede a criminal investigation. Notice
   required by the statute must be made without unreasonable delay and as soon
   as possible after the law enforcement agency determines that notification
   will no longer impede the investigation.
 * Attorney General Enforcement. The Attorney General may seek direct damages
   and injunctive relief.
 * Private Right of Action. Any D.C. resident injured by a violation may
   institute a civil action to recover actual damages, the costs of the action,
   and reasonable attorney’s fees. Actual damages shall not include dignitary
   damages, including pain and suffering.
 * Waiver Not Permitted.






DELAWARE

Name: Del. Code Ann. tit. 6 12B-101 et seq. House Substitute 1 for HB 180
Effective Date: April 14, 2018
Link to Documentation



APPLICATION

Any person (individual; corporation; business trust; estate trust; partnership;
limited liability company; association; joint venture; government; governmental
subdivision, agency, or instrumentality; public corporation; or any other legal
or commercial entity) who conducts business in DE and who owns or licenses
computerized data that includes PI (collectively, Entity).

 * The provisions governing maintenance of PI that the Entity does not own
   appear applicable to any Entity maintaining information on DE residents,
   whether or not the Entity conducts business in DE.




SECURITY BREACH DEFINITION

The unauthorized acquisition of computerized data that compromises the security,
confidentiality, or integrity of PI. The unauthorized acquisition of such data
is not a breach of security to the extent that PI contained therein is
encrypted, unless such unauthorized acquisition includes, or is reasonably
believed to include, the encryption key and the person that owns or licenses the
encrypted information has a reasonable belief that the encryption key could
render PI readable or useable.

 * Good-faith acquisition of PI by an employee or agent of an Entity for the
   purposes of the Entity is not a breach of the security of the system,
   provided that the PI is not used for an unauthorized purpose or subject to
   further unauthorized disclosure.




NOTIFICATION OBLIGATION

Any Entity to which the statute applies shall provide notice of any breach of
security following determination of the breach of security to any resident of DE
whose PI was breached or is reasonably believed to have been breached.

Notification is not required if after an appropriate investigation the Entity
reasonably determines that the breach of security is unlikely to result in any
harm to the individuals whose PI has been breached.




ATTORNEY GENERAL NOTIFICATION

If the number of DE residents to be notified exceeds 500 residents, the Entity
shall, not later than the time when notice is provided to the resident, also
provide notice of the breach of security to the Attorney General.




CREDIT MONITORING SERVICES

If the breach of security includes Social Security numbers, the Entity shall
offer to each resident whose PI, including Social Security number, was breached
or is reasonably believed to have been breached, credit monitoring services at
no cost to such resident for a period of 1 year. Such person shall provide all
information necessary for such resident to enroll in such services and shall
include information on how such resident can place a credit freeze on his or her
credit file. Such services are not required if, after an appropriate
investigation, the person reasonably determines that the breach of security is
unlikely to result in harm to the individuals whose PI has been breached.




THIRD-PARTY DATA NOTIFICATION

An Entity that maintains computerized data that includes PI that the Entity does
not own or license shall give notice to and cooperate with the owner or licensee
of the information of any breach of the security of the system immediately
following determination of the breach of security. Cooperation includes sharing
with the owner or licensee information relevant to the breach.




TIMING OF NOTIFICATION

Notice must be made without unreasonable delay but not later than 60 days after
determination of the breach of security, unless a shorter time is required by
federal law. If the Entity cannot, through reasonable diligence, identify within
60 days that the PI of certain DE residents was included in a breach of
security, the Entity must provide notice as soon as practicable after the
determination that the breach of security included the PI of such residents,
unless the Entity provided substitute notice.




PERSONAL INFORMATION DEFINITION

A DE resident’s first name or first initial and last name, in combination with
any one or more of the following data elements that relate to the resident, when
either the name or the data elements are not encrypted:

 * Social Security number;
 * Driver’s license number or state or federal identification card number;
 * Account number, credit card number, or debit card number in combination with
   any required security code, access code, or password that would permit access
   to a resident’s financial account;
 * Passport number;
 * Username or email address, in combination with a password or security
   question and answer that would permit access to an online account;
 * Medical history, medical treatment by a healthcare professional, diagnosis of
   mental or physical condition by a health care professional, or
   deoxyribonucleic acid (DNA) profile;
 * Health insurance policy number, subscriber identification number, or any
   other unique identifier used by a health insurer to identify the person;
 * Unique biometric data generated from measurements or analysis of human body
   characteristics for authentication purposes; or
 * An individual taxpayer identification number.

PI does not include publicly available information that is lawfully made
available to the general public from federal, state, or local government records
or widely-distributed media.




NOTICE REQUIRED

Notice may be provided by one of the following methods:

 * Written notice;
 * Telephonic notice; or
 * Electronic notice, if the notice provided is consistent with the provisions
   regarding electronic records and signatures set forth in 15 U.S.C. § 7001
   (E-Sign Act) or if the person’s primary means of communication with the
   resident is by electronic means.

For breaches of login credentials for an email account furnished by the Entity,
notice may not be provided to the breached email address, but may be provided
via methods otherwise permitted, or by clear and conspicuous notice delivered to
the resident online when the resident is connected to the online account from an
IP address or online location from which the person knows the resident
customarily accesses the account.




SUBSTITUTE NOTICE AVAILABLE

If the Entity demonstrates that the cost of providing notice will exceed
$75,000, that the number of DE residents to be notified exceeds 100,000, or
that the Entity does not have sufficient contact information to provide notice,
substitute notice shall consist of all of the following:

 * Email notice, if the Entity has email addresses for the members of the
   affected class of DE residents;
 * Conspicuous posting of the notice on the website of the Entity, if the Entity
   maintains one; and
 * Notice to major statewide media, including newspapers, radio, television, and
   publications, on the major social media platforms of the person providing
   notice.




EXCEPTION: OWN NOTIFICATION POLICY

An Entity that maintains its own notification procedures as part of an
information security policy for the treatment of PI, and whose procedures are
otherwise consistent with the timing requirements of the statute, is deemed to
be in compliance with the notice requirements of the statute if the Entity
notifies affected DE residents in accordance with its policies in the event of a
breach of the security of the system.




EXCEPTION: COMPLIANCE WITH OTHER LAWS

 * Primary Regulator. An Entity that is regulated by state or federal law,
   including the Health Insurance Portability and Accountability Act of 1996
   (P.L. 104-191, as amended) and the Gramm-Leach-Bliley Act (15 U.S.C. § 6801
   et seq., as amended), and that maintains procedures for a breach of security
   pursuant to laws, rules, regulations, guidance, or guidelines established by
   an Entity’s primary or functional state or federal regulator is deemed to be
   in compliance if the Entity notifies affected DE residents in accordance with
   the maintained procedures.




OTHER KEY PROVISIONS:

 * Delay for Law Enforcement. Notice may be delayed if a law enforcement agency
   determines that the notice will impede a criminal investigation. Notice
   required by the statute must be made without unreasonable delay and as soon
   as possible after the law enforcement agency determines that notification
   will no longer impede the investigation.
 * Attorney General Enforcement. The Attorney General may bring an action to
   address violations of this chapter and for other relief that may be necessary
   to ensure compliance and recover direct economic damages.






CONNECTICUT

Name: Conn. Gen. Stat. 36a-701b S.B. 472
Effective Date: Oct 1, 2018
Link to Documentation 1
Link to Documentation 2


APPLICATION

Any person, business or agency (collectively, Entity) that conducts business in
CT and who, in the ordinary course of such Entity’s business, owns, licenses, or
maintains computerized data that includes PI.

 * The provisions governing maintenance of PI that the Entity does not own
   appear applicable to any Entity maintaining information on CT residents,
   whether or not the Entity conducts business in CT.




SECURITY BREACH DEFINITION

Unauthorized access to or acquisition of electronic files, media, databases, or
computerized data containing PI when access to the PI has not been secured by
encryption or by any other method or technology that renders the PI unreadable
or unusable.




NOTIFICATION OBLIGATION

Any Entity to which the statute applies shall disclose any breach of security
following the discovery of the breach to any CT resident whose PI was breached
or is reasonably believed to have been breached.

 * Notification is not required if, after an appropriate investigation and
   consultation with relevant federal, state, and local agencies responsible for
   law enforcement, the Entity reasonably determines that the breach will not
   likely result in harm to the individuals whose PI has been acquired and
   accessed.




NOTIFICATION OBLIGATION TO ATTORNEY GENERAL

Any Entity that is required under the statute to notify CT residents of any
breach of security shall not later than the time when notice is provided to the
resident also provide notice of the breach of security to the Attorney General.




THIRD-PARTY DATA NOTIFICATION

If an Entity maintains computerized data that includes PI that the Entity does
not own, the Entity shall notify the owner or licensee of the information of any
breach of the security of the data immediately following its discovery if the PI
was, or is reasonably believed to have been, breached.




TIMING OF NOTIFICATION

The disclosure shall be made without unreasonable delay, but not later than 90
days after the discovery of such breach, unless a shorter time is required under
federal law, consistent with any measures necessary to determine the nature and
scope of the breach, to identify individuals affected, or to restore the
reasonable integrity of the data system.




PERSONAL INFORMATION DEFINITION

An individual’s first name or first initial and last name in combination with
any one or more of the following data elements:

 * Social Security number;
 * Driver’s license number or state identification card number;
 * Credit card number, or debit card number; or
 * Account number, in combination with any required security code, access code,
   or password that would permit access to such financial account.

PI does not include publicly available information that is lawfully made
available to the general public from federal, state, or local government records
or widely distributed media.




NOTICE REQUIRED

Notice may be provided by one of the following methods:

 * Written notice;
 * Telephonic notice; or
 * Electronic notice; provided it is consistent with the provisions regarding
   electronic records and signatures set forth in 15 U.S.C. § 7001 (E-Sign Act).

A person who conducts business in CT, and who, in the ordinary course of such
person’s business, owns or licenses computerized data that includes PI, shall
offer to each resident whose PI that includes Social Security numbers was
breached or is reasonably believed to have been breached, appropriate identity
theft prevention services and, if applicable, identity theft mitigation
services. Such service or services shall be provided at no cost to such resident
for a period of not less than 24 months. Such person shall provide all
information necessary for such resident to enroll in such service or services
and shall include information on how such resident can place a credit freeze on
such resident’s credit file.




SUBSTITUTE NOTICE AVAILABLE

If the Entity demonstrates that the cost of providing notice would exceed
$250,000, that the affected class of subject persons to be notified exceeds
500,000 persons, or that the Entity does not have sufficient contact
information, substitute notice shall consist of all of the following:

 * Email notice when the Entity has email addresses for the affected persons;
 * Conspicuous posting of the notice on the website of the Entity, if the Entity
   maintains one; and
 * Notification to major statewide media, including newspapers, radio and
   television.




EXCEPTION: OWN NOTIFICATION POLICY

Any Entity that maintains its own security breach procedures as part of an
information security policy for the treatment of PI and otherwise complies with
the timing requirements of the statute shall be deemed to be in compliance with
the security breach notification requirements of the statute, provided such
Entity notifies subject persons in accordance with its policies in the event of
a breach of security.




EXCEPTION: COMPLIANCE WITH OTHER LAWS

 * Primary Regulator. Notification pursuant to laws, rules, regulations,
   guidance, or guidelines established by an Entity’s primary or functional
   state regulator is sufficient for compliance.




OTHER KEY PROVISIONS:

 * Delay for Law Enforcement. Notice may be delayed for a reasonable period of
   time if a law enforcement agency determines that the notice will impede a
   criminal investigation and such law enforcement agency has made a request
   that notification be delayed. Notice required by the statute must be made
   after the law enforcement agency determines that notification will no longer
   impede the investigation and so notifies the Entity of such determination.
 * Attorney General Enforcement. The Attorney General may seek direct damages
   and injunctive relief.
 * Notice to the Insurance Department. Pursuant to Bulletin IC-25 (Aug. 18,
   2010), all licensees and registrants of the Connecticut Insurance Department
   are required to notify the Department of any information security incident
   that affects CT residents as soon as the incident is identified, but no later
   than 5 calendar days after the incident is identified.






ALASKA

Name: Alaska Stat. 45.48.010 et seq. H.B. 65
Effective Date: July 1, 2009
Link to Documentation



APPLICATION

Any person, state, or local governmental agency (excepting the judicial branch),
or person with more than 10 employees (collectively, Entity) that owns or
licenses PI in any form in AK that includes PI of an AK resident. The provisions
governing maintenance of PI that the Entity does not own appear applicable to
any Entity maintaining information on AK residents, whether or not the Entity
conducts business in AK.




SECURITY BREACH DEFINITION

An unauthorized acquisition or reasonable belief of unauthorized acquisition of
PI that compromises the security, confidentiality, or integrity of the PI
maintained by the Entity. Acquisition includes acquisition by photocopying,
facsimile, or other paper-based method; a device, including a computer, that can
read, write, or store information that is represented in numerical form; or a
method not identified in this paragraph. Good-faith acquisition of PI by an
employee or agent of the Entity for a legitimate purpose of the Entity is not a
breach of the security of the information system if the employee or agent does
not use the PI for a purpose unrelated to a legitimate purpose of the Entity and
does not make further unauthorized disclosure of the PI.




NOTIFICATION OBLIGATION

Any Entity to which the statute applies shall disclose the breach to each AK
resident whose PI was subject to the breach after discovering or being notified
of the breach. Notification is not required if, after an appropriate
investigation and after written notification to the state Attorney General, the
Entity determines that there is not a reasonable likelihood that harm to the
consumers whose PI has been acquired has resulted or will result from the
breach. The determination shall be documented in writing and the documentation
shall be maintained for 5 years.




NOTIFICATION OF CONSUMER REPORTING AGENCIES

If an Entity is required to notify more than 1,000 AK residents of a breach, the
Entity shall also notify without unreasonable delay all consumer credit
reporting agencies that compile and maintain files on consumers on a nationwide
basis and provide the agencies with the timing, distribution, and content of the
notices to AK residents. Entities subject to the Gramm-Leach-Bliley Act are
exempt from this requirement and are not required to notify consumer reporting
agencies.




THIRD-PARTY DATA NOTIFICATION

If a breach of the security of the information system containing PI on an AK
resident that is maintained by an Entity that does not own or have the right to
license the PI occurs, the Entity shall notify the Entity that owns or licensed
the use of the PI about the breach and cooperate as necessary to allow the
Entity that owns or licensed the use of the PI to comply with the statute.




TIMING OF NOTIFICATION

The disclosure shall be made in the most expeditious time possible and without
unreasonable delay consistent with any measures necessary to determine the scope
of the breach and to restore the reasonable integrity of the information system.




PERSONAL INFORMATION DEFINITION

Information in any form on an individual that is not encrypted or redacted, or
is encrypted and the encryption key has been accessed or acquired, and that
consists of a combination of an individual’s first name or first initial and
last name in combination with any one or more of the following data elements:

 * Social Security number;
 * Driver’s license number or state identification card number;
 * Account number, credit card number, or debit card number, except if these can
   only be accessed with a personal code, then the account, credit card, or
   debit card number in combination with any required security code, access
   code, or password; or
 * Passwords, personal identification numbers, or other access codes for
   financial accounts.




NOTICE REQUIRED

Notice may be provided by one of the following methods:

 * Written notice;
 * Telephonic notice; or
 * Electronic notice, if the Entity’s primary method of communication with the
   AK resident is by electronic means or is consistent with the provisions
   regarding electronic records and signatures set forth in 15 U.S.C. § 7001
   (E-Sign Act). Disclosure is not required if, after an appropriate
   investigation and after written notification to the attorney general, the
   Entity determines that there is not a reasonable likelihood that harm to the
   consumers whose PI has been acquired has resulted or will result from the
   breach. The determination shall be documented in writing, and the
   documentation shall be maintained for 5 years. The notification required may
   not be considered a public record open to inspection by the public.




SUBSTITUTE NOTICE AVAILABLE

If the Entity can demonstrate that the cost of providing notice will exceed
$150,000, that the affected class of persons to be notified exceeds 300,000, or
that the Entity does not have sufficient contact information to provide notice.
Substitute notice shall consist of all of the following:

 * Email notice, if the Entity has email addresses for the state resident
   subject to the notice;
 * Conspicuous posting of the notice on the website of the Entity, if the Entity
   maintains one; and
 * Notification to major statewide media.




PENALTIES

 * An Entity that is a governmental agency is liable to the state for a civil
   penalty of up to $500 for each state resident who was not notified (the total
   penalty may not exceed $50,000) and may be enjoined from further violations.
 * An Entity that is not a governmental agency is liable to the state for a
   civil penalty of up to $500 for each state resident who was not notified (the
   total civil penalty may not exceed $50,000).




OTHER KEY PROVISIONS:

 * Delay for Law Enforcement. Notice may be delayed if a law enforcement agency
   determines that the notice will impede a criminal investigation. Notice
   required by the statute must be made after the law enforcement agency
   determines that notification will no longer impede the investigation.
 * Private Right of Action. A person injured by a breach may bring an action
   against a non-governmental Entity.
 * Waiver Not Permitted.






CALIFORNIA

Name: Cal. Civ. Code 1798.29; 1798.80 et seq. A.B. 964, S.B. 570, S.B. 34
Effective Date: January 1, 2016
Link to Documentation 1
Link to Documentation 2



APPLICATION

Any person, business, or state agency (collectively, Entity) that does business
in CA and owns or licenses computerized data that contains PI.

 * The provisions governing maintenance of PI that the Entity does not own
   appear applicable to any Entity maintaining information on CA residents,
   whether or not the Entity conducts business in CA.




SECURITY BREACH DEFINITION

An unauthorized acquisition of computerized data that compromises the security,
confidentiality, or integrity of PI maintained by the Entity.

 * Good-faith acquisition of PI by an employee or agent of the Entity for the
   purposes of the Entity is not a breach of the security of the system,
   provided that the PI is not used or subject to further unauthorized
   disclosure.




NOTIFICATION OBLIGATION

Any Entity to which the statute applies shall disclose any breach of the
security of the system following discovery or notification of the breach in the
security of the data to any CA resident (1) whose unencrypted PI was, or is
reasonably believed to have been, acquired by an unauthorized person, or (2)
whose encrypted PI was, or is reasonably believed to have been, acquired by an
unauthorized person and the encryption key or security credential was, or is
reasonably believed to have been, acquired by an unauthorized person and the
person or business that owns or licenses the encrypted information has a
reasonable belief that the encryption key or security credential could render
that PI readable or useable.




ATTORNEY GENERAL NOTIFICATION

If an Entity is required to notify more than 500 CA residents, the Entity shall
electronically submit a single sample copy of the notification, excluding any
personally identifiable information, to the Attorney General.




THIRD-PARTY DATA NOTIFICATION

If an Entity maintains computerized data that includes PI that the Entity does
not own, the Entity must notify the owner or licensee of the information of any
breach of the security of the data immediately following discovery if the PI
was, or is reasonably believed to have been, acquired by an unauthorized person.




TIMING OF NOTIFICATION

The disclosure shall be made in the most expedient time possible and without
unreasonable delay, consistent with the legitimate needs of law enforcement and
any measures necessary to determine the scope of the breach and restore the
reasonable integrity of the data system.




PERSONAL INFORMATION DEFINITION

(1) An individual’s first name or first initial and last name in combination
with any one or more of the following data elements, when either the name or the
data elements are not encrypted (meaning rendered unusable, unreadable, or
indecipherable to an unauthorized person through a security technology or
methodology generally accepted in the field of information security):

 * Social Security number;
 * Driver’s license number or state identification card number;
 * Account number, credit card number, or debit card number in combination with
   any required security code, access code, or password that would permit access
   to an individual’s financial account;
 * Medical information (any information regarding an individual’s medical
   history, mental or physical condition, or medical treatment or diagnosis by a
   health care professional);
 * Health insurance information (an individual’s health insurance policy number
   or subscriber identification number, any unique identifier used by a health
   insurer to identify the individual, or any information in an individual’s
   application and claims history, including any appeals records); or
 * Information or data collected through the use or operation of an automated
   license plate recognition system (a searchable computerized database
   resulting from the operation of one or more mobile or fixed cameras combined
   with computer algorithms to read and convert images of registration plates
   and the characters they contain into computer-readable data).

(2) User name or email address, in combination with a password or security
question and answer that would permit access to an online account.

PI does not include publicly available information that is lawfully made
available to the general public from federal, state, or local government
records.




NOTICE REQUIRED

Notice may be provided by one of the following methods:

 * Written notice; or
 * Electronic notice, if the notice provided is consistent with the provisions
   regarding electronic records and signatures set forth in 15 U.S.C. § 7001
   (E-Sign Act); or
 * For breaches of online account credentials only, in “electronic or other
   form.”

For breaches of login credentials for an email account furnished by the Entity,
notice may not be provided to the breached email address, but may be provided
via methods otherwise permitted, or via clear and conspicuous notice delivered
to the CA resident online when the CA resident is connected to the online
account from an IP address or online location from which the Entity knows the CA
resident customarily accesses the account.

The notice shall be written in plain language and shall include a description of
the following:

 * The date of the notice;
 * Name and contact information of the reporting person or Entity;
 * Type of PI subject to the unauthorized access and acquisition;
 * The date, estimated date, or date range during which the breach occurred, if
   it can be determined;
 * Whether notification was delayed as a result of law enforcement
   investigation, if that can be determined;
 * A general description of the breach incident, if that information is possible
   to determine at the time the notice is provided;
 * The toll-free telephone numbers and addresses of the major credit reporting
   agencies if the breach exposed a Social Security number or a driver’s license
   or state identification card number.
 * If the person or business providing the notification was the source of the
   breach, an offer to provide appropriate identity theft prevention and
   mitigation services, if any, shall be provided at no cost to the affected
   person for not less than 12 months, along with all information necessary to
   take advantage of the offer to any person whose information was or may have
   been breached if the breach exposed or may have exposed PI involving Social
   Security numbers, driver’s license, or state identification card numbers.

At the Entity’s discretion, the notice may also include:

 * Information about what the Entity has done to protect individuals whose
   information has been breached; and
 * Advice on steps that the person whose information was breached may take to
   protect him or herself.

For breaches of only user name or email address, in combination with a password
or security question and answer that would permit access to an online account,
notice may be provided in electronic or other form and should direct CA
residents to:

 * Promptly change their password, security question or answer, or
 * Take other appropriate steps to protect the online account with the Entity
   and all other online accounts with the same user name or email address and
   password or security question or answer.

The notice shall be titled “Notice of Data Breach,” and shall provide the
information above under the headings:

 * “What Happened,”
 * “What Information Was Involved,”
 * “What We Are Doing,”
 * “What You Can Do,” and
 * “More Information.”

The notice shall be formatted to call attention to the nature and significance
of the information it contains, shall clearly and conspicuously display the
title and headings, and shall not contain text smaller than 10-point type. (A
model security breach notification form is provided in the statute.)




SUBSTITUTE NOTICE AVAILABLE

If the Entity demonstrates that the cost of providing notice would exceed
$250,000, or that the affected class of subject persons to be notified exceeds
500,000, or the Entity does not have sufficient contact information. Substitute
notice shall consist of all of the following:

 * Email notice when the Entity has email addresses for the subject persons;
 * Conspicuous posting for at least 30 days of the notice on the Entity’s
   website, if the Entity maintains one (meaning providing a link to the notice
   on the home page or first significant page after entering the website that is
   in larger type than the surrounding text, or in contrasting type, font, or
   color to the surrounding text of the same size, or set off from the
   surrounding text of the same size by symbols or other marks that call
   attention to the link); and
 * Notification to major statewide media. State agencies using substitute notice
   must also notify the California Office of Information Security within the
   Department of Technology.




EXCEPTION: OWN NOTIFICATION POLICY

An Entity that maintains its own notification procedures as part of an
information security policy for the treatment of PI and is otherwise consistent
with the timing requirements of the statute shall be deemed in compliance with
the notification requirements of the statute if it notifies subject persons in
accordance with its policies in the event of a security breach.




EXCEPTION: HIPAA-COVERED ENTITIES

A covered entity under the Health Insurance Portability and Accountability Act
of 1996 (HIPAA) will be deemed to have complied with the notice requirements in
this state law if it has complied with the notice requirements in Section
13402(f) of the Health Information Technology for Economic and Clinical Health
Act (HITECH).




OTHER KEY PROVISIONS:

 * Delay for Law Enforcement. Notification may be delayed if the law enforcement
   agency determines that the notification will impede a criminal investigation.
   The notification required by the statute shall be made promptly after the law
   enforcement agency determines that it will not compromise the investigation.
 * Private Right of Action. Any customer injured by a violation of this title
   may institute a civil action to recover damages. In addition, any business
   that violates, proposes to violate, or has violated this title may be
   enjoined.
 * Waiver Not Permitted.






ARKANSAS

Name: Ark. Code 4-110-101 et seq. H.B. 1943
Effective Date: June 1, 2018
Link to Documentation



APPLICATION

Any person, business or state agency (collectively, Entity) that acquires, owns,
or licenses computerized data that includes PI.

 * The provisions governing maintenance of PI are applicable to any Entity
   maintaining information on AR residents, whether or not organized or licensed
   under the laws of AR.




SECURITY BREACH DEFINITION

An unauthorized acquisition of computerized data that compromises the security,
confidentiality, or integrity of PI maintained by an Entity.

 * Good-faith acquisition of PI by an employee or agent of the Entity for the
   legitimate purposes of the Entity is not a breach of the security of the
   system if the PI is not otherwise used or subject to further unauthorized
   disclosure.




NOTIFICATION OBLIGATION

Any Entity to which the statute applies shall disclose any breach of the
security of the system following discovery or notification of the breach of the
security of the system to any resident of AR whose unencrypted PI was, or is
reasonably believed to have been, acquired by an unauthorized person.

 * Notification is not required if after a reasonable investigation the Entity
   determines there is no reasonable likelihood of harm to consumers.




THIRD-PARTY DATA NOTIFICATION

If an Entity maintains computerized data that includes PI that the Entity does
not own, that Entity shall notify the owner or licensee of the information of
any breach of the security of the system immediately following discovery if the
PI was, or is reasonably believed to have been, acquired by an unauthorized
person.




TIMING OF NOTIFICATION

The disclosure shall be made in the most expedient time and manner possible and
without unreasonable delay, subject to any measures necessary to determine the
scope of the breach and to restore the reasonable integrity of the data system.




PERSONAL INFORMATION DEFINITION

An individual’s first name, or first initial and his or her last name, in
combination with any one or more of the following data elements when either the
name or the data element is not encrypted or redacted:

 * Social Security number;
 * Driver’s license number or state identification card number;
 * Account number, credit card number, or debit card number in combination with
   any required security code, access code, or password that would permit access
   to an individual’s financial account; or
 * Medical information (any individually identifiable information, in electronic
   or physical form, regarding the individual’s medical history or medical
   treatment or diagnosis by a health care professional).
 * (Effective July 23, 2019) Biometric data (data generated by automatic
   measurements of an individual’s biological characteristics) and any other
   unique biological characteristics of an individual if used to uniquely
   authenticate the individual’s identity for access to a system or account.




NOTICE REQUIRED

Notice may be provided by one of the following methods:

 * Written notice; or
 * Email notice, if the notice provided is consistent with the provisions
   regarding electronic records and signatures set forth in 15 U.S.C. § 7001
   (E-Sign Act).




SUBSTITUTE NOTICE AVAILABLE

If the Entity demonstrates that the cost of providing notice would exceed
$250,000, or that the affected class of persons to be notified exceeds 500,000,
or the Entity does not have sufficient contact information. Substitute notice
shall consist of all of the following:

 * Email notice when the Entity has email addresses for the subject persons;
 * Conspicuous posting of the notice on the website of the Entity, if the Entity
   maintains one; and
 * Notification to statewide media.




ATTORNEY GENERAL NOTIFICATION (EFFECTIVE JULY 23, 2019)

If the affected class of persons to be notified exceeds 1,000, the Entity must
disclose the breach to the Attorney General. Notice must be provided at the same
time the Entity notifies the affected class, or 45 days after it determines
there is a reasonable likelihood of harm to individuals, whichever is first.




EXCEPTION: OWN NOTIFICATION POLICY

Any Entity that maintains its own notification procedures as part of an
information security policy for the treatment of PI and is otherwise consistent
with the timing requirements of the statute shall be deemed to be in compliance
with the notification requirements of the statute if the Entity notifies
affected persons in accordance with its policies in the event of a security
breach.




OTHER KEY PROVISIONS:

 * Delay for Law Enforcement. Notice may be delayed if a law enforcement agency
   determines that the notice will impede a criminal investigation. Notice
   required by the statute must be made after the law enforcement agency
   determines that notification will no longer impede the investigation.
 * Attorney General Enforcement.
 * Records Retention. (Effective July 23, 2019) An Entity must retain a copy of
   the determination of the breach and any supporting documentation for five
   years from the date the breach was determined.






ARIZONA

Name: Ariz. Rev. Stat. 18-551 et seq. H.B. 2154
Effective Date: August 3, 2018
Link to Documentation



APPLICATION

Any person or entity (collectively, Entity) that conducts business in AZ and
that owns, maintains, or licenses unencrypted and unredacted computerized PI.

 * The provisions governing maintenance of PI that the Entity does not own
   appear applicable to any Entity maintaining information on state residents,
   whether or not the Entity conducts business in the state.




SECURITY BREACH DEFINITION

An unauthorized acquisition of and access that materially compromises the
security or confidentiality of unencrypted and unredacted computerized PI
maintained by an Entity as part of a database of PI regarding multiple
individuals.

 * Good-faith acquisition of PI by an employee or agent of the Entity for the
   purposes of the Entity is not a breach of the security system if the PI is
   not used for a purpose unrelated to the Entity or subject to further
   unauthorized disclosure.




NOTIFICATION OBLIGATION

Any Entity that owns or licenses the PI shall notify the individuals affected
within 45 days after its determination that there has been a security breach.

 * An Entity is not required to disclose a breach of the system if the Entity,
   an independent third-party forensic auditor, or a law enforcement agency,
   after a reasonable investigation, determines that a breach has not resulted
   in or is not reasonably likely to result in substantial economic loss to
   affected individuals.




ATTORNEY GENERAL NOTIFICATION

If an Entity is required to notify more than 1,000 AZ residents, the Entity
shall notify the Attorney General, in writing, in a form prescribed by rule or
order of the Attorney General, or by providing a copy of the individual
notification.




NOTIFICATION TO CONSUMER REPORTING AGENCIES

If an Entity is required to notify more than 1,000 AZ residents, the Entity
shall also notify the three largest nationwide consumer reporting agencies.




THIRD-PARTY DATA NOTIFICATION

If an Entity maintains unencrypted and unredacted computerized PI that the
Entity does not own or license, the Entity shall notify, as soon as possible,
the owner or licensee of the information, and cooperate with the owner or the
licensee of the information. Cooperation shall include sharing information
relevant to the breach. The Entity that maintains the data under an agreement
with the owner or licensee is not required to provide notice to the individual
unless the agreement stipulates otherwise.




TIMING OF NOTIFICATION

The disclosure shall be made within 45 days after the Entity’s determination
that there has been a security breach.




PERSONAL INFORMATION DEFINITION

1. An individual’s first name or first initial and last name in combination with
any one or more of the following data elements:

 * Social Security number;
 * Number on a driver’s license issued pursuant to § 28-3166 or number on a
   nonoperating identification license issued pursuant to § 28-3165;
 * Financial account number or credit card number or debit card number in
   combination with any required security code, access code, or password that
   would permit access to the individual’s financial account;
 * A private key that is unique to an individual and that is used to
   authenticate or sign an electronic record;
 * An individual’s health insurance identification number;
 * Information about an individual’s medical or mental health treatment or
   diagnosis by a health care professional;
 * Passport number;
 * Individual’s taxpayer identification number or an identity protection
   personal identification number issued by the IRS; and
 * Unique biometric data generated from a measurement or analysis of human body
   characteristics to authenticate an individual when the individual accesses an
   online account.

2. An individual’s user name or email address, in combination with a password or
security question and answer, that allows access to an online account.

PI does not include publicly available information that is lawfully made
available to the general public from federal, state, or local government records
or widely distributed media.




NOTICE REQUIRED

Notice may be provided by one of the following methods:

 * Written notice;
 * Telephonic notice, if made directly with the affected individuals and not
   through a pre-recorded message; or
 * Email notice, if the Entity has email addresses for the individuals subject
   to the notice.

The notice shall include at least the following:

 * The approximate date of the breach;
 * Type of PI included in the breach;
 * The toll-free telephone numbers and addresses of the three largest credit
   reporting agencies; and
 * The toll-free number, address, and website for the FTC or any federal agency
   that assists consumers with identity theft matters.

If the breach involves only online account credentials and no other PI, the
Entity may comply with this section by providing the notification in an
electronic or other form that directs the individual whose PI has been breached
to promptly change the individual’s password and security question or answer, as
applicable, or to take other steps that are appropriate to protect the online
account with the person and all other online accounts for which the individual
whose PI has been breached uses the same user name and email address and
password or security question or answer.

For the breach of credentials to an email account furnished by the Entity, the
Entity is not required to comply with this section by providing the notification
to that email address, but may comply with this section by providing
notification by another method described in this subsection or by providing
clear and conspicuous notification delivered to the individual online when the
individual is connected to the online account from an IP address or online
location from which the Entity knows the individual customarily accesses the
account. The Entity satisfies the notification requirement with regard to the
individual’s account with the person by requiring the individual to reset the
individual’s password or security question and answer for that account, if the
person also notifies the individual to change the same password or security
question and answer for all other online accounts for which the individual uses
the same user name or email address and password or security question or answer.





SUBSTITUTE NOTICE AVAILABLE

If the Entity can demonstrate that the cost of providing notice will exceed
$50,000 or that the affected class of persons to be notified exceeds 100,000, or
the Entity does not have sufficient contact information. Substitute notice shall
consist of all of the following:

 * A written letter to the attorney general that demonstrates the facts
   necessary for substitute notice;
 * Conspicuous posting of the notice on the website of the Entity, if the Entity
   maintains one; and
 * Notification to major statewide media.




EXCEPTION: COMPLIANCE WITH OTHER LAWS

 * Primary Regulator. Notification pursuant to laws, rules, regulations,
   guidance, or guidelines established by an Entity’s primary or functional
   state regulator is sufficient for compliance.
 * Gramm-Leach-Bliley Act. The provisions of this statute shall not apply to any
   Entity who is subject to the provisions of Title V of the Gramm-Leach-Bliley
   Act.
 * HIPAA-Covered Entities. The provisions of the statute do not apply to a
   covered entity or business associate as defined under the Health Insurance
   Portability and Accountability Act of 1996 (HIPAA) or a charitable
   fund-raising foundation or nonprofit corporation whose primary purpose is to
   support a specified covered entity, if they comply with applicable provisions
   of HIPAA.
 * Own Notification Policy. Any Entity that maintains its own notification
   procedures as part of an information security policy for the treatment of PI
   and is otherwise consistent with the timing requirements of the statute shall
   be deemed to be in compliance with the notification requirements of the
   statute if the Entity notifies affected persons in accordance with its
   policies in the event of a security breach.




OTHER KEY PROVISIONS:

 * Delay for Law Enforcement. Notice may be delayed if a law enforcement agency
   determines that the notice will impede a criminal investigation. Notice
   required by the statute must be made within 45 days after the law enforcement
   agency determines that notification will no longer impede the investigation.
 * Attorney General Enforcement. A knowing and willful violation of this section
   is an unlawful practice pursuant to ARS 44-1522, enforced by the Attorney
   General. The Attorney General may impose a civil penalty for a violation of
   this article not to exceed the lesser of $10,000 per affected individual or
   the total amount of economic loss sustained by affected individuals, but the
   maximum civil penalty from a breach or series of related breaches may not
   exceed $500,000.






ALABAMA

Name: Ala. Stat. 8-38-1 et seq. Alabama S.B. 318
Effective Date: June 1, 2018
Link to Documentation



APPLICATION

A person or commercial entity (collectively, Entity) that acquires or uses
sensitive personally identifying information.




SECURITY BREACH DEFINITION

The unauthorized acquisition of data in electronic form containing sensitive
personally identifying information. Good-faith acquisition of sensitive
personally identifying information by an employee or agent of an Entity is not a
security breach, provided that the information is not used for a purpose
unrelated to the business or subject to further unauthorized use. A security
breach also does not include the release of a public record not otherwise
subject to confidentiality or nondisclosure requirements, nor does it include
any lawful, investigative, protective, or intelligence activity of a law
enforcement or intelligence agency of the state, or a political subdivision of
the state.




NOTIFICATION OBLIGATION

Any Entity that determines that, as a result of a breach of security, sensitive
personally identifying information has been acquired by an unauthorized person
and is reasonably likely to cause substantial harm to an AL resident to whom the
information relates, shall give notice of the breach to each AL resident to whom
the information relates.




NOTIFICATION TO CONSUMER REPORTING AGENCIES

If the number of affected individuals exceeds 1,000, the Entity must notify all
consumer reporting agencies without unreasonable delay once it is determined
that a breach has occurred and is reasonably likely to cause substantial harm to
affected individuals.




ATTORNEY GENERAL/AGENCY NOTIFICATION

If the number of affected individuals exceeds 1,000, the Entity must notify the
Attorney General as expeditiously as possible and without unreasonable delay,
and within 45 days once it is determined that a breach has occurred and is
reasonably likely to cause substantial harm to affected individuals.




TIMING OF NOTIFICATION

Notice shall be made as expeditiously as possible and without unreasonable
delay, taking into account the time necessary to conduct an investigation, and
within 45 days of discovering that a breach has occurred and is reasonably
likely to cause substantial harm to affected individuals.




PERSONAL INFORMATION DEFINITION

An AL resident’s first name or first initial and last name, in combination with
one or more of the following data elements that relate to the resident, when
either the name or the data elements are not truncated, encrypted, secured, or
modified in a way that removes elements that personally identify an individual
or render the data unusable:

 * Social Security number;
 * Driver’s license number or state identification card number, passport number,
   military identification number, or other unique identification number issued
   on a government document used to verify the identity of a specific
   individual;
 * Account number, credit card number, or debit card number in combination with
   any required security code, access code, password, expiration date, or PIN,
   that is necessary to access the financial account or to conduct a transaction
   that will credit or debit the financial account;
 * Any information regarding an individual’s medical history, mental or physical
   condition, or medical treatment or diagnosis by a health care professional;
 * An individual’s health insurance policy number or subscriber identification
   number and any unique identifier used by a health insurer to identify the
   individual; or
 * A user name or email address, in combination with a password or security
   question and answer that would permit access to an online account affiliated
   with the Entity that is reasonably likely to contain or is used to obtain
   sensitive personally identifying information.

Sensitive personally identifying information does not include information about
an individual that is lawfully made public by a federal, state, or local
government record or widely distributed media.




NOTICE REQUIRED

Notice may be provided by one of the following methods:

 * Written notice; or
 * Email notice.




SUBSTITUTE NOTICE AVAILABLE

Substitute notice is available if the Entity demonstrates that the cost of
providing notice is excessive relative to the Entity’s resources (the cost of
notification is considered excessive if it exceeds $500,000), that the affected
AL residents to be notified exceed 100,000 persons, or that the Entity does not
have sufficient contact information to provide notice. Substitute notice shall
consist of the following:



 * Conspicuous posting of the notice on the website of the Entity if the Entity
   maintains one, for a period of 30 days; and
 * Notice to major print and broadcast media, including major media in urban and
   rural areas where the affected individuals reside.




EXCEPTION:

Compliance with Other Laws

 * An Entity subject to or regulated by federal laws, rules, regulations,
   procedures, or guidance is exempt as long as the Entity maintains procedures
   pursuant to those requirements, provides notice to consumers pursuant to
   those requirements, and timely provides notice to the Attorney General when
   the number of affected individuals exceeds 1,000.
 * An Entity subject to or regulated by state laws, rules, regulations,
   procedures, or guidance—that are at least as thorough as the notice
   requirements in this law—is exempt as long as the Entity maintains procedures
   pursuant to those requirements, provides notice to consumers pursuant to
   those requirements, and timely provides notice to the Attorney General when
   the number of affected individuals exceeds 1,000.




OTHER KEY PROVISIONS:

 * Delay for Law Enforcement. Notice may be delayed if a law enforcement agency
   determines that the notice will impede a criminal investigation or national
   security, and the law enforcement agency has submitted a written request for
   the delay. The law enforcement agency may revoke the delay as of a specified
   date or extend the delay, if necessary.
 * Government entities are subject to the Act as well and must provide notice in
   line with the provisions of the law.
 * Attorney General Enforcement. The Attorney General has exclusive authority to
   bring an action for civil penalties under the Act.






MAINE

Name: An Act to Protect the Privacy of Online Customer Information
Effective Date: 7/1/20
Link to Documentation



SUMMARY OF LAW:

Maine’s Privacy Statute (35-A M.R.S. c.94) prohibits Internet Service Providers
(ISPs) from using, disclosing, selling, or permitting access to a significant
amount of information generated by customers’ use of their internet service.




TO WHOM DOES THE LAW APPLY?

The Act only applies to Internet Service Providers (ISPs) serving customers that
are physically located and billed for service received in Maine. The statute
does not cover search engines or social networks.

Note: Like a number of other state statutes, this law adopts Internet
regulations protective of consumer rights that were originally implemented by
the Federal Communications Commission, but were overturned by Congress in 2017.




WHAT INFORMATION IS COVERED UNDER THE ACT?

The Statute covers consumers’ personal identifying information, inclusive of a
consumer’s web browsing history, application usage history, precise geolocation
information, device identifiers, the origin and destination Internet protocol
addresses, and the content of a customer’s communications.




WHAT OBLIGATIONS DOES THE STATUTE CREATE FOR BUSINESS?

The Act prohibits ISPs from using, disclosing, selling, or permitting access to
most of the consumer information generated by a consumer’s use of the Internet,
i.e. web browsing history, application usage history, precise geolocation
information, device identifiers, the origin and destination Internet protocol
addresses, and the content of a customer’s communication.




WHAT MECHANICS ARE AVAILABLE TO ENFORCE THE LAW?

The Act is silent as to who will enforce the law on behalf of Maine customers or
what penalties would apply for noncompliance. Maine’s legislature failed to
provide the state’s Attorney General with either the enforcement authority or
funding to enforce the statute.

The Act does not specifically enable Internet users to sue ISPs for
noncompliance. However, it remains to be seen if Maine’s courts will interpret
the Act to implicitly create a private cause of action for consumers to sue an
ISP.




STEPS TO COMPLIANCE:

 * Opt-In Requirement: For an ISP to use, disclose, sell, or permit access to
   the customer’s information, the consumer must first “opt in” by providing
   their “express, affirmative consent”. ISPs are prohibited from offering
   financial or other incentives to entice their customers to opt in.
 * Customer Notice of Rights: The Act requires ISPs to provide customers with
   “clear, conspicuous and nondeceptive notice” of the customer’s rights under
   the Act and the ISPs’ statutory obligations.
 * Protection of Consumer Information: The Statute requires ISPs to take
   “reasonable measures” to protect their customer information from
   unauthorized use, such as theft and security breaches.
 * No Discrimination against Customers: ISPs are prohibited from refusing to
   serve customers who fail to opt in and have withheld their consent for their
   ISP to access their customer information.






NEVADA

Name: SB 220
Effective Date: 10/1/19
Link to Documentation



SUMMARY OF LAW:

Nevada’s privacy law requires operators of Internet websites and online services
to comply with Nevada residents’ opt-out requests not to sell their personal
data. Under NRS 603A.340, Website Operators are already required to provide
notice to consumers of the categories of covered information the operator
collects through its website or service.




TO WHOM DOES THE LAW APPLY?

SB 220 imposes new obligations on “operators” of websites. The law covers those
who own or operate a website or online service for commercial purposes and
collect and maintain “covered information” from consumers residing in Nevada
who use or visit the website or online service. However, the definition of an
operator excludes i) financial institutions that are subject to the
Gramm-Leach-Bliley Act; ii) entities that are subject to HIPAA; and iii)
certain manufacturers and repairers of motor vehicles.




WHAT INFORMATION IS COVERED UNDER THE ACT?

 1. A first and last name.
 2. A home or other physical address which includes the name of a street and the
    name of a city or town.
 3. An electronic mail address.
 4. A telephone number.
 5. A Social Security number.
 6. An identifier that allows a specific person to be contacted either
    physically or online.
 7. Any other information concerning a person collected from the person through
    an operator’s website or online service and maintained by the operator in
    combination with an identifier in a form that makes the information
    personally identifiable.




WHAT OBLIGATIONS DOES THE STATUTE CREATE FOR BUSINESS?

1) Website Operators must establish a “designated request address,” through
which a consumer may submit an opt-out request. The designated request address
must be either an email address, a toll-free phone number, or a website.

2) Operators who receive opt-out requests from consumers must cease making sales
of any covered information that the operator has collected, or will collect,
about the consumer. Operators need act only on “verified requests,” which are
requests submitted to the designated request address, and for which the Operator
has been reasonably able to verify the authenticity of the request and the
identity of the consumer.

3) Operators are required to respond to verified consumer requests within 60
days of receipt. The Operator may extend the 60-day response deadline for up to
30 days by notifying the consumer, when considered reasonably necessary.




WHAT MECHANICS ARE AVAILABLE TO ENFORCE THE LAW?

Although there is not a “private right of action” against the Website Operator,
Nevada’s AG is able to enforce the law by seeking either a civil penalty of up
to $5,000 per violation or injunctive relief.




STEPS TO COMPLIANCE:

1) Covered businesses need to conduct Data Audits of their Inventories to
determine what data transfers their business engages in that may be defined
under SB 220 as a “sale” from which a consumer may opt out.

2) Organizations need to update their privacy policies to cover consumer
opt-out requests and ensure that they have created a designated consumer request
address to manage opt-out requests.






CALIFORNIA

Name: California Consumer Privacy Act
Effective Date: 1/1/20
Link to Documentation



SUMMARY OF LAW:

The CCPA was created to protect the privacy and security of the personal
information of California residents. The law compels organizations conducting
business with California residents to make structural changes to their privacy
policies while providing California consumers with greater control over the
collection, use, and sale of their personal information.




TO WHOM DOES THE LAW APPLY?

THE CCPA COVERS FOR-PROFIT ORGANIZATIONS OR LEGAL ENTITIES THAT:

 1. do business in California,
 2. collect consumers’ personal information, either directly or through a third
    party on its behalf, and
 3. either alone or jointly with others, determine the purposes and means of
    processing consumers’ personal information. The “purposes and means of
    processing” language resembles the GDPR’s “data controller” concept.

AS LONG AS THESE ENTITIES SATISFY ONE OF THE THREE THRESHOLDS SHOWN BELOW:

 1. the entity has annual gross revenues in excess of $25 million,
 2. the business annually buys, receives for the business’s commercial purposes,
    sells, or shares for commercial purposes the personal information of 50,000
    or more consumers, households, or devices, or
 3. the business derives 50 percent or more of its annual revenue from selling
    consumers’ personal information.




WHAT INFORMATION IS COVERED UNDER THE ACT?

The CCPA encompasses “Personal Information” which includes any information that
“identifies, relates to, describes, references, is capable of being associated
with, or could reasonably be linked, directly or indirectly, with a particular
consumer or household.” Excluded from the Act’s definition of personal
information is “aggregated consumer information,” which is defined as data that
is “not linked or reasonably linkable to any consumer or household, including
via a device”. Information that is publicly available from federal, state, or
local government records is also excluded.




WHAT OBLIGATIONS DOES THE STATUTE CREATE FOR BUSINESSES?

The CCPA is intended to provide California consumers with an effective way to
control their personal information by creating the following new data privacy
rights that CCPA covered organizations need to facilitate:

 1. Right to receive notice of collection of personal information.
 2. Right of access to personal information and data portability.
 3. Right to request deletion of personal information.
 4. Right to opt out of the sale of personal information to third parties. (Opt
    in requirements for minors).
 5. Right to receive equal service and price and not to be discriminated against
    for exercising CCPA rights.

Businesses must ensure that personnel responsible for handling consumer
inquiries regarding these new privacy rights are properly trained as to the
CCPA’s requirements and how to direct consumers to exercise their rights.




WHAT MECHANICS ARE AVAILABLE TO ENFORCE THE LAW?

The Attorney General may bring a civil action for intentional violations of the
CCPA, seeking civil penalties of up to $7,500 per violation. Other violations
lacking intent are subject to a $2,500 preset maximum fine. A business will be
in violation of the CCPA if it fails to cure the violation within 30 days of
being notified of its alleged noncompliance.

A consumer bringing a civil action under the CCPA may recover the greater of (1)
statutory damages in an amount not less than $100 and not greater than $750 per
consumer per incident, or (2) actual damages. Injunctive relief, and other
court-ordered remedies are also available.




STEPS TO COMPLIANCE:

The estimated 500,000 companies domiciled inside and outside of California that
come under the purview of the Act will need to reassess their collection and use
of personal information on California consumers and implement training for their
personnel on how to properly accommodate these new consumer rights.
More specifically, organizations will need to conduct internal audits to
identify and map where consumer personal information is collected and stored
within their business as well as those companies with whom they share consumer
personal information. Covered businesses need to carefully consider how they are
to fulfill the following obligations:

 1. Ensure that the company Privacy Policy is accessible, written in plain
    English and is consistent with the CCPA.
 2. Create/review Data Retention Schedules and Written Information Security
    Programs (WISP) to avoid unauthorized access, theft or disclosure of
    personal information.
 3. Provide required CCPA notices, toll-free consumer lines, and opt-out and
    opt-in rights procedures.
 4. Respond properly to consumer requests to delete their data where subject to
    the CCPA’s right of deletion.
 5. Provide disclosure of personal information within the CCPA’s 12-month
    lookback period upon a consumer request and be prepared to submit it in a
    “readily useable format.”
 6. Ensure that agreements with service providers are CCPA-compliant.
 7. Train and document the training of personnel in order to properly process
    requests to exercise privacy rights.






 * Data Security Breach Calculator
 * GDPR Breach Calculator

Our Data Security Breach Calculator is designed to show you how a breach could
impact your specific business. A recent breach of a Specialty Physician
Practice Group in the US with 8 locations and 30 Physicians affected over
500,000 patient records. The cost was so staggering that the Practice lost over
$150M in enterprise value and was sold for $0.00 within 1 year of the breach.

Those that survive suffer significant damage to both their reputations and their
brands – damage that can often take years to repair.

To use our Data Breach Calculator all you have to do is answer three questions
and click “calculate.” The potential impact just may astound you.





CALCULATE YOUR RISK:

PLEASE IDENTIFY THE NATION WHERE YOUR OPERATIONS ARE BASED OR WHERE YOU CONDUCT
BUSINESS.

Options: United States, Canada, Germany, Middle East, France, Japan, Italy,
South Africa, United Kingdom, ASEAN, Brazil, India.

PLEASE IDENTIFY THE INDUSTRY SECTOR WHICH BEST FITS YOUR COMPANY OR
ORGANIZATION.

Options (the list varies by nation): Health, Financial Services, Education,
Life Science, Technology, Retail, Communications, Industrial, Energy, Consumer,
Entertainment, Hospitality & Hotel, Restaurants, Transportation, Media,
Research, Public Sector.

PLEASE ESTIMATE HOW MANY RECORDS YOUR COMPANY RETAINS IN TOTAL.

e.g. 12000 - no commas

GIVEN YOUR INPUT, HERE IS A ROUGH ESTIMATE OF THE OVERALL FINANCIAL COSTS THAT
YOU COULD EXPECT TO ENCOUNTER GIVEN THE NUMBER OF RECORDS AT RISK IN A BREACH.

(The estimated cost figures are displayed here by the calculator once the form
is submitted.)

HOW WE CALCULATED YOUR SCORE:

The average data cost per stolen record stems from highly regarded research
sponsored by IBM and independently conducted by Ponemon Institute LLC (June 2017
report). The research was conducted with 419 participating organisations. Data
breaches ranged from a low of 2,600 to slightly less than 100,000 compromised
records.

Other variables include:

Cost for ID Fraud Incident Investigation/Forensic Audit: Forensic auditors often
charge by the individual unit or location being investigated. These numbers can
be anywhere between $8,000 – $20,000 a location for small businesses and can far
exceed $30,000 for companies that engage in substantial e-commerce business
and/or a material volume of credit transactions.

Reissuance of Cards (PCI-DSS): Banks often insist that a breached company’s
customers be reissued new credit cards.  This cost can range from $3 to $10 a
card. 

Merchant Acquirer/Processor Fines and Penalties (PCI-DSS): These fines that are
contractually implemented per your card processing agreements can range from
$50,000 to $500,000 depending on the size, nature and severity of the PCI-DSS
infractions. 

Fraud Chargebacks (PCI-DSS): These depend upon such variables as the amount of
time that a hacker spends undetected in a company’s internal systems (the
average amount of time is 150-170 days).

Remediation Costs: The price of fixing the problems that gave rise to the breach
may be considerable. The type of expensive stringent assessments and analysis
required of large companies that utilize a substantial amount of credit cards
will be imposed on small and medium sized companies that experience a breach.

Customer Notification and Credit Monitoring: Most states now require that
customers be notified in writing and in a timely manner. Many breached
organisations feel a responsibility to offer their consumer customers an annual
credit monitoring service. These are not inexpensive costs.

Litigation: Within this litigious society, there are law firms specializing in
breach litigation. The expense of defending a single case can be considerable.

Loss of Consumer Confidence: Cybersecurity experts have extrapolated from actual
data breach experience that businesses may lose as many as 40% of their
customers post-breach. Between the tangible and intangible costs of a breach,
it is no wonder that so many companies are put out of business by a significant
breach.

Health Organization Costs: Like Personally Identifiable Information (PII),
patient records can be much more valuable than credit card data on the black
market, which explains why hackers have targeted patient records. They are a
virtual treasure trove for a hacker, who is often able to obtain DOB and Social
Security numbers, which make it easy to create false identities that enable
fraudsters to make false insurance claims, loans, and tax returns. From a
patient’s point of view, the damage is often much harder to repair than that of
a compromised credit card and may even require obtaining a new Social Security
Number to replace the stolen one. From a Healthcare company’s perspective, not
only are they dealing with the aftermath of deeply upset patient customers, but
they are also more vulnerable to State Attorney General actions, class action
lawsuits, Federal Trade Commission fines, and HHS penalties.

Now that you have a better sense for the profound financial cost of a data
breach, please see our video and take the Educational Assessment Tests to better
determine your organisation’s CyberSecurity, PCI-DSS and GDPR vulnerability to a
breach and how to minimize your exposure.









The GDPR provides for a mechanism to deliver two-tiered sanctions dependent upon
the extent of violations determined by the regulators. As both levels of
sanctions are determined by your organisation’s annual global turnover
(revenue), the following question is both relevant and material to obtain the
range of penalties in the event of a data security breach.





PLEASE INSERT THE AMOUNT OF YOUR ORGANISATION’S ANNUAL GLOBAL TURNOVER (REVENUE)
IN YOUR LAST FISCAL YEAR.

e.g. 15230000






EGREGIOUS PENALTY




The following calculation takes into account what happens with a finding by the
regulators of the most serious of GDPR infractions wherein regulatory fines may
go as high as 20 million Euros or 4% of your organisation’s annual global
turnover for the preceding financial year, whichever is greater.








NON-EGREGIOUS PENALTY




The following calculation takes into account what happens for a finding by the
regulators of lesser violations, wherein regulatory fines could be imposed up to
10 million Euros or 2% of global annual turnover (revenue) for the preceding
financial year, whichever is greater.







Now that you have a better sense for the profound financial cost of a data
breach, please see our videos and take the Educational Assessment Tests to
better determine your organisation’s Cyber Security, PCI-DSS and GDPR
vulnerability to a breach and how to minimize your exposure.


