Following our previous post, KC & Associates has received numerous inquiries regarding State-specific data breach notification laws. As such, our team has compiled a list in alphabetical order to serve as an accessible resource.
For full access, please subscribe with your specific State request and our team will contact you shortly thereafter.
Alabama, SB318 (2018)
Categories of covered personal information: An individual’s first name or first initial and last name, in combination with at least one of the following elements: (1) Social Security number, (2) driver’s license, military ID, or state ID card number, (3) credit card or debit card number and personal code if applicable, and passwords or PINs or other access codes for financial accounts, (4) medical records, health insurance policy number or subscriber ID number, or (5) user name/email address in combination with password or security question and answer that could access the account.
Exceptions to notice requirement: (1) If all of the personal information was encrypted, provided that the encryption key was not also disclosed; (2) if after a good‐faith investigation, the company determines that the incident is not “reasonably likely to cause substantial harm to the individuals to whom the information relates;” and (3) if the company is “subject to or regulated by federal laws, rules, regulations, procedures, or guidance on data breach notification established or enforced by the federal government.”
Timing of notice to individuals: Disclosure must be made within 45 calendar days and “as expeditiously as possible and without unreasonable delay, taking into account the time necessary to allow the covered entity to conduct an investigation.” Federal or state law enforcement may request a delay if notice “would interfere with a criminal investigation or national security.”
Requirements for notice to individual (form and content): Three options: (1) written document sent to most recent known mailing address; (2) email; or (3) substitute notice if the cost of providing notice would exceed $500,000, the number of “affected individuals” exceeds 100,000, or the company does not have sufficient information to provide notice. Substitute notice consists of email if the address is known, conspicuously posting disclosure on the company’s website for 30 days, and notice to print and broadcast media “including major media in urban and rural areas where the affected individuals reside.” The notice to individuals must include the date of the breach, a description of the affected information, a description of the actions the company is taking in response to the breach, a description of how the individual can protect against identity theft, and contact information for the company.
Notice to state regulators or consumer reporting agencies/credit bureaus: If more than 1,000 Alabama residents receive breach notices, the State Attorney General must be notified within 45 calendar days if the company determines that there is a risk of harm and therefore individual notice is necessary. Notice to the Attorney General must include a synopsis of the breach, the approximate number of Alabama residents affected, and services that the company provided to affected Alabama residents. Notice to credit bureaus “without unreasonable delay” is required if more than 1,000 Alabama residents are notified.
Alaska Stat. § 45.48.010
Categories of covered personal information: An individual’s first name or first initial and last name, in combination with at least one of the following elements: (1) Social Security number, (2) driver’s license or state ID card number, or (3) credit card or debit card number and personal code if applicable, and passwords or PINs or other access codes for financial accounts.
Exceptions to notice requirement: (1) If all of the personal information was encrypted, “and the encryption key has been accessed or acquired;” or (2) if after an appropriate investigation and a written notification to the Alaska Attorney General, the company determines that “there is not a reasonable likelihood that harm to consumers whose personal information has been acquired has resulted or will result from the breach,” but the company must retain this documentation for five years.
Timing of notice to individuals: Disclosure must be made “in the most expeditious time possible and without unreasonable delay” unless a delay is necessary for law enforcement or to determine the scope of the breach and restore system integrity.
Requirements for notice to individual (form and content): Three options: (1) written document sent to most recent known mailing address; (2) email if that is the company’s primary method of communication with the individual; or (3) substitute notice if the cost of providing notice would exceed $150,000, the affected class in the state exceeds 300,000, or the company does not have sufficient information to provide notice. Substitute notice consists of email if the address is known, conspicuously posting disclosure on the company’s website, and notice to major statewide media.
Notice to state regulators or consumer reporting agencies/credit bureaus: The State Attorney General must be notified if the company determines that there is not a risk of harm and therefore individual notice is unnecessary. Notice to credit bureaus is required if more than 1,000 Alaska residents are notified, but this requirement does not apply if the company is subject to the Gramm‐Leach‐Bliley Act.
Arizona Ariz. Rev. Stat. § 44‐7501
Categories of covered personal information: An individual’s first name or first initial and last name in combination with at least one of the following: (1) Social Security number; (2) driver’s license or state ID number; (3) financial account or credit card or debit card number in combination with required security code, access code, or passcode (if necessary for access); (4) “a private key that is unique to an individual and that is used to authenticate or sign an electronic record;” (5) health insurance ID number; (6) medical record; (7) passport number; (8) taxpayer ID number; or (9) biometric data. Separately, the law covers a user name or email address, when combined with a password or security question and answer that allows access to the account.
Exceptions to notice requirement: The notice requirement does not apply to (1) information that is encrypted or redacted; (2) if after “reasonable investigation” the company determines that the breach did not result in and is not “reasonably likely” to result in “substantial economic loss to affected individuals”; (3) if the company is subject to GLBA or HIPAA; (4) if the company complies with the notification requirements of its “primary or functional federal regulator,” or (5) if the company follows its own notification procedures as part of an information security policy that is consistent with the Arizona law, including the 45‐day notice requirement.
Timing of notice to individuals: Companies must provide notice within 45 days of determination of the breach.
Requirements for notice to individual (form and content): (1) Written notice; (2) electronic notice if the company has the covered individuals’ email addresses; (3) telephonic notice, provided it is not prerecorded; or (4) substitute notice if the cost of other notice would exceed $50,000, the “affected class of subject individuals to be notified” is greater than 100,000 individuals, or the company does not have sufficient contact information. Substitute notice consists of (1) email notice when available and (2) conspicuous posting of the notice on the company’s website for at least 45 days. The company also must write a letter to the Attorney General explaining the facts that justify the substitute notice.
Notice to state regulators or consumer reporting agencies/credit bureaus: If the company is required to notify at least 1,000 Arizona residents, it also must notify the Arizona Attorney General and the three credit bureaus within 45 days.
Arkansas Ark. Code § 4‐110‐103 et seq
Categories of covered personal information: First name or first initial and last name in combination with one or more of the following: (1) Social Security number; (2) driver’s license or state ID number; (3) financial account number, credit card number or debit card number in combination with any code or password necessary to access financial account; or (4) medical information.
Exceptions to notice requirement: (1) If personal information is encrypted or redacted; (2) if after a reasonable investigation the company determines there is not a “reasonable likelihood of harm” to customers; (3) if the business “is regulated by a state or federal law that provides greater protection to personal information and at least as thorough disclosure requirements for breaches of the security of personal information than that provided” under the Arkansas breach notice law; or (4) if the business “maintains its own notification procedures as part of an information security policy” and is otherwise consistent with the law’s timing requirements, provided that the company follows its internal policies.
Timing of notice to individuals: Individual notice must be made “in the most expedient time and manner possible and without unreasonable delay,” consistent with the needs of law enforcement and to determine the scope of the breach and restore system integrity.
Requirements for notice to individual (form and content): (1) Written notice; (2) email notice; or (3) substitute notice if the cost of notifying would exceed $250,000, the “affected class of persons to be notified” is greater than 500,000, or the company does not have sufficient contact information. Substitute notice consists of email notice when an address is available, conspicuous posting of the notice on the company’s website, and notification by statewide media.
Notice to state regulators or consumer reporting agencies/credit bureaus: Not required.
California Cal. Civ. Code § 1798.82
Categories of covered personal information: (1) An individual’s first name or first initial and last name in combination with at least one of the following: (a) Social Security number; (b) driver’s license or state ID card number; (c) financial account number, credit or debit card number, in combination with any required code or password; (d) medical information; (e) health insurance information; or (f) information collected through an automated license plate recognition system; or (2) a user name or email address, in combination with a password or security question and answer that would permit access to an online account.
Exceptions to notice requirement: (1) If the data is encrypted and the key was not acquired by an unauthorized individual; or (2) if a company complies with its internal information security policy notification procedures, consistent with the timing requirements of the statute. If a HIPAA‐covered entity complies with HIPAA’s breach notice requirements, it is not required to follow the California breach notice law’s requirements for specific content to be included in the notification.
Timing of notice to individuals: In the “most expedient time possible and without unreasonable delay,” consistent with needs of law enforcement or to determine the scope of the breach and restore system integrity.
Requirements for notice to individual (form and content): (1) Written notice; (2) email notice; or (3) substitute notice, if the company demonstrates that the cost of notice would exceed $250,000, the “affected class of subject persons to be notified exceeds 500,000,” or the company does not have sufficient contact information. Substitute notice consists of email notice when available, conspicuous posting of the notice on the company’s website for at least thirty days, and notification to major statewide media. If the breach only involved the credentials for an online account, the company should send password‐reset credentials. It should not email the notice to the breached email account. The notice must be “written in plain language” and be titled “Notice of Data Breach.” The notice must contain: (1) name and contact information of company; (2) list of categories of personal information compromised; (3) if possible, the date or estimated date or ranges of the breach; (4) date of notice; (5) whether notice was delayed due to law enforcement investigation, if possible; (6) general description of the data breach, if possible; (7) toll‐free phone numbers and addresses of major credit reporting agencies, and an offer for 12 months of free identity theft prevention and mitigation services, if Social Security or ID card number was exposed. Companies also may choose to provide “[i]nformation about what the person or business has done to protect individuals whose information has been breached” and “[a]dvice on steps that the person whose information has been breached may take to protect himself or herself,” though these elements are not mandatory. This notice should be presented under the following headings: “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information.”
Notice to state regulators or consumer reporting agencies/credit bureaus: If a company notifies more than 500 California residents due to a single data breach, the company must submit a single sample copy of the notice to the California Attorney General. Note that these sample copies are made publicly available on the California Attorney General’s website.
Colorado Colo. Rev. Stat. § 6‐1‐716
Categories of covered personal information: First name or first initial and last name in combination with at least one of the following: (1) Social Security number; (2) driver’s license or ID card number; (3) account number or credit or debit card number, along with code or password necessary to access financial account; (4) student, military, or passport identification number; (5) medical records; (6) health insurance number; or (7) biometric data. Separately, the law covers a user name or email address, when combined with a password or security question and answer that allows access to the account.
Exceptions to notice requirement: (1) If the personal information is encrypted, redacted, or “secured by any other method rendering the name or the element unreadable or unusable;” (2) if after an investigation the company concludes that misuse of the information “has not occurred and is not reasonably likely to occur;” (3) if a company “is regulated by state or federal law” and “maintains procedures for a breach of the security of the system pursuant to the laws, rules, regulations, guidances, or guidelines established by its primary or functional state or federal regulator;” or (4) if the company follows its internal notification procedures “as part of an information security policy for the treatment of personal information” and is consistent with the statute’s timing requirements.
Timing of notice to individuals: Disclosure must be provided within 30 days and “in the most expedient time possible and without unreasonable delay,” subject to the needs of law enforcement and to determine the scope of the breach and restore system integrity.
Requirements for notice to individual (form and content): (1) Written notice to mailing address listed in company’s records; (2) telephonic notice; (3) electronic notice, if that is the company’s primary method of communicating with the individual; or (4) substitute notice if the company demonstrates that the cost of notice exceeds $250,000, at least 250,000 Colorado residents would have to be notified, or the company does not have sufficient contact information. Substitute notice consists of email notice when available, conspicuous posting of the notice on the company’s website, and notification to major statewide media. Notice must include: (1) the date of the breach; (2) a description of the personal information at issue in the breach; (3) the company’s contact information; (4) toll‐free phone numbers, addresses, and websites for the three credit bureaus and the FTC; and (5) “a statement that the resident can obtain information from the Federal Trade Commission and the credit reporting agencies about fraud alerts and security freezes.”
Notice to state regulators or consumer reporting agencies/credit bureaus: Notice to the state Attorney General is required if 500 or more Coloradans are notified. Notice to credit reporting agencies is required, provided that more than 1,000 Colorado residents are notified, and the company is not covered by the Gramm‐Leach‐Bliley Act. The notice to credit reporting agencies must state the date that the notice will be provided and the number of Colorado residents who will receive the notices.
Connecticut Conn. Gen. Stat. § 36A‐701b
Categories of covered personal information: An individual’s first name or first initial and last name in combination with at least one of the following: (1) Social Security number; (2) driver’s license or state ID card number; or (3) account number, credit or debit card number, in combination with any required code or password to access the financial account.
Exceptions to notice requirement: (1) Information that has been “secured by encryption or by any other method or technology that renders the personal information unreadable or unusable;” (2) if, after investigation and consultation with relevant law enforcement agencies, the company determines that breach will not “likely result in harm” to individuals whose information was exposed; (3) if a company maintains a breach procedure under the rules of the Gramm‐Leach‐Bliley Act, provided that the company notifies the individuals and the Connecticut Attorney General; or (4) if the company maintains its “own security breach procedures as part of an information security policy for the treatment of personal information and otherwise complies with the timing requirements of this section,” provided that it complies with the statute’s timing requirements and notifies the Connecticut Attorney General.
Timing of notice to individuals: Individuals must be notified without unreasonable delay, and within 90 days of discovery of the incident, subject to the needs of law enforcement, to identify individuals, and restore system integrity.
Requirements for notice to individual (form and content): (1) Written notice; (2) telephone notice; (3) electronic notice; or (4) substitute notice, if the costs of notification would exceed $250,000, “the affected class of subject persons to be notified” is greater than 500,000 people, or the company does not have sufficient contact information. Substitute notice consists of email when the address is available, conspicuous posting of the notice on the company’s website, and notification to major statewide media, including newspapers, radio, and television. For breaches involving Social Security numbers, companies must provide “appropriate identity theft protection services, and, if applicable, identity theft mitigation services” for at least 12 months.
Notice to state regulators or consumer reporting agencies/credit bureaus: If any Connecticut residents are notified, the Connecticut Attorney General also must receive notification at the same time or earlier.
Delaware Del. Code tit. 6, § 12B‐101 et seq
Categories of covered personal information: An individual’s first name or first initial and last name along with at least one of the following: (1) Social Security number; (2) driver’s license or state ID card number; (3) account or credit or debit card number, along with any required code or password; (4) user name or email address, when combined with a password or security question and answer that allows access to the account; (5) passport number; (6) medical records; (7) health insurance number; (8) biometric data; and (9) taxpayer identification number.
Exceptions to notice requirement: (1) If the personal information was encrypted, “unless such unauthorized acquisition includes, or is reasonably believed to include, the encryption key and the person that owns or licenses the encrypted information has a reasonable belief that the encryption key could render that personal information readable or useable;” (2) if, after an appropriate investigation, the company “reasonably determines that the breach of security is unlikely to result in harm to the individuals whose personal information has been breached;” (3) a company regulated by state or federal law, including but not limited to HIPAA and GLBA, and “maintains procedures for a breach of security pursuant to the laws, rules, regulations, guidance, or guidelines established by its primary or functional state or federal regulator;” or (4) a company that follows the notification requirements of its information security policy, provided that the “procedures are otherwise consistent with the timing requirements” of the Delaware breach notice law.
Timing of notice to individuals: Notice must be provided within 60 days and “without unreasonable delay,” except as needed legitimately for law enforcement, to determine scope of the breach, and to restore system integrity.
Requirements for notice to individual (form and content): (1) Written notice; (2) telephonic notice; (3) electronic notice; or (4) substitute notice, if the total cost of notification will exceed $75,000, more than 100,000 Delaware residents must be notified, or the company does not have sufficient contact information. Substitute notice consists of email notice if the company has email addresses, conspicuous posting of the notice on the company’s website, and notice to major statewide media. If Social Security numbers were breached, the company must offer credit monitoring services for at least a year.
Notice to state regulators or consumer reporting agencies/credit bureaus: If more than 500 Delaware residents are notified, the company must notify the Delaware Attorney General.
District of Columbia D.C. Code Mun. Regs. § 28‐3851 et seq
Categories of covered personal information: (1) Individual’s first name or first initial and last name, or phone number, or address, and at least one of the following: (a) Social Security number; (b) driver’s license or D.C. ID card number; or (c) credit card or debit card number; or (2) any other number or code or combination of numbers or codes that allows access to or use of a financial or credit account.
Exceptions to notice requirement: (1) If the data is “rendered secure, so as to be unusable by an unauthorized third party” (i.e., encryption); (2) a company that notifies pursuant to the Gramm‐Leach‐Bliley Act; or (3) a company that “maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements” of the D.C. breach notice law, provided that the company notifies individuals “in accordance with its policies, reasonably calculated to give actual notice to persons to whom notice is otherwise required to be given[.]”
Timing of notice to individuals: Notice is required in the “most expedient time possible and without unreasonable delay,” consistent with legitimate needs of law enforcement and with the need to determine the scope of the breach and restore system integrity.
Requirements for notice to individual (form and content): (1) Written notice; (2) electronic notice; or (3) substitute notice, if the company’s total cost of notification would exceed $50,000, the number of D.C. residents requiring notification exceeds 100,000, or the company does not have sufficient contact information. Substitute notice consists of email notice when an address is available, conspicuous posting of the notice on the company’s website, and notice to major local and, if applicable, national media.
Notice to state regulators or consumer reporting agencies/credit bureaus: No notice to D.C. regulators required. Notice to credit reporting agencies required if more than 1,000 D.C. residents are notified. The credit reporting agency notices must describe the “timing, distribution and content” of the individual notices.
Florida Fla. Stat. § 501.171
Categories of covered personal information: An individual’s first name or first initial and last name in combination with any one or more of the following: (1) Social Security number; (2) driver’s license or ID card number, passport number, military ID number, or similar number on a government document used to verify identity; (3) financial account or credit or debit card number, in combination with required code or password; (4) information regarding medical history, mental or physical condition, or medical treatment or diagnosis by healthcare professional; or (5) health insurance policy number or subscriber ID number and any unique identifier used by health insurer to verify identity. Separately, Florida’s notification law covers a user name or email address, in combination with a password or security question and answer that would permit access to an online account. The notification requirement applies even if the individual’s name is not disclosed.
Exceptions to notice requirement: (1) If the information was “encrypted, secured, or modified by any other method or technology that removes elements that personally identify an individual or that otherwise renders the information unusable;” (2) if after investigation and consulting with law enforcement, the company “reasonably determines that the disclosure has not and will not likely result in identity theft or any other financial harm” to individuals, provided that the company documents this determination, provides the written documentation to the Florida Department of Legal Affairs within 30 days, and retains the determination for five years; or (3) if the entity follows the breach notice provisions for its primary or functional federal regulator and provides a copy of this notice to the Florida Department of Legal Affairs.
Timing of notice to individuals: Notice must be made “as expeditiously as practicable and without unreasonable delay,” but no longer than 30 days after determination of a breach or reason to believe the breach has occurred, unless there is a written request from a law enforcement agency.
Requirements for notice to individual (form and content): (1) Written notice; (2) email notice; or (3) substitute notice if cost of notifying exceeds $250,000, “the affected individuals exceed 500,000 persons,” or the company does not have contact information. Substitute notice consists of a conspicuous notice on the company’s website and notice in print and broadcast media, including major media in urban and rural areas where the affected individuals reside. Notices to individuals must include the date, estimated date, or date range of the breach, a description of the personal information at issue in the breach, and contact information for the company. Third‐party agents that suffer a data breach must notify the company whose customers’ information is breached within ten days of “the determination of the breach of security or reason to believe the breach occurred.” When the company receives a notice from a third‐party agent, the company should provide the required individual notices.
Notice to state regulators or consumer reporting agencies/credit bureaus: If more than 500 Florida residents’ personal information is compromised, companies must inform the Florida Department of Legal Affairs within 30 days after a breach is discovered. The written notice must include a synopsis of the events surrounding the breach; the number of Floridians affected; services offered for free to individuals related to the breach; a copy of the individual notice; and the name, address, phone number, and email address of the company for more information about the breach. Companies must provide written notice to credit reporting agencies if more than 1,000 Florida residents’ personal information is compromised.
Georgia Ga. Code § 10‐1‐910 et seq
Categories of covered personal information: Georgia’s breach notice law only applies to breaches of the systems of “information brokers” or companies that maintain data on behalf of information brokers. The statute defines “information broker” as “any person or entity who, for monetary fees or dues, engages in whole or in part in the business of collecting, assembling, evaluating, compiling, reporting, transmitting, transferring, or communicating information concerning individuals for the primary purpose of furnishing personal information to nonaffiliated third parties, but does not include any governmental agency whose records are maintained primarily for traffic safety, law enforcement, or licensing purposes.” The statute defines “personal information” as an individual’s first name or first initial and last name in combination with at least one of the following: (1) Social Security number; (2) driver’s license or state ID card number; (3) financial account number or credit card or debit card number, along with any required access codes or passwords; (4) account passwords or personal ID numbers or other access codes; or (5) any of the previous four items when not in connection with individual’s name if the information would be sufficient to conduct identity theft.
Exceptions to notice requirement: (1) If the information is encrypted or redacted; or (2) if an information broker provides notice pursuant to its internal information security policy, provided that the internal policy’s notice requirements are “otherwise consistent” with the Georgia breach notice statute’s timing requirements.
Timing of notice to individuals: Notice must be provided in the “most expedient time possible and without unreasonable delay,” consistent with the needs of law enforcement and any “measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.”
Requirements for notice to individual (form and content): (1) Written notice; (2) electronic notice; or (3) substitute notice, if the cost of providing notice would exceed $50,000, more than 100,000 Georgia residents would be notified, or the information broker does not have sufficient contact information. Substitute notice consists of email notice if addresses are available, conspicuous posting on the information broker’s webpage, and notification to major statewide media.
Notice to state regulators or consumer reporting agencies/credit bureaus: If more than 10,000 Georgia residents are notified, the information broker must also notify the credit reporting agencies.
Hawaii Haw. Rev. Stat. § 487N‐1 et seq
Categories of covered personal information: A person’s first name or first initial and last name in combination with at least one of the following: (1) Social Security number; (2) driver’s license number or state ID card number; or (3) financial account number, credit or debit card number, access code, or password.
Exceptions to notice requirement: (1) If the information was encrypted, and the “confidential process key” was not accessed; (2) if the information was redacted; (3) if the company determines that there has not been an “illegal use of the personal information,” and that an illegal use is not “reasonably likely to occur” and “create a risk of harm” to individuals; (4) a “financial institution that is subject to the federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice;” or (5) a “health plan or healthcare provider that is subject to and in compliance with the standards for privacy or individually identifiable health information and the security standards for the protection of electronic health information of the Health Insurance Portability and Accountability Act of 1996.”
Timing of notice to individuals: Notice should be made “without unreasonable delay,” consistent with the legitimate needs of law enforcement and “with any measures necessary to determine sufficient contact information, determine the scope of the breach, and restore the reasonable integrity, security, and confidentiality of the data system.”
Requirements for notice to individual (form and content): (1) Written notice to last available address on record; (2) electronic notice; (3) telephone notice as long as contact is made directly with affected person; or (4) substitute notice if the cost of notice would exceed $100,000, the “affected class of subject persons to be notified” is greater than 200,000, or the business does not have sufficient contact information. Substitute notice consists of email if addresses are available, conspicuous posting of the notice on the company’s website, and notification to major statewide media. Notice must describe the incident in general terms, along with the type of personal information that was breached, the steps the company took to prevent further access, a telephone number for more information, and advice to “remain vigilant by reviewing financial account records and monitoring free credit reports.”
Notice to state regulators or consumer reporting agencies/credit bureaus: If the company notifies more than 1,000 Hawaii residents, it also must notify the Hawaii Office of Consumer Protection and the major credit reporting agencies. The notices should disclose the timing, distribution, and content of the notice.
Idaho Idaho Code § 28‐51‐104 et seq
Categories of covered personal information: An individual’s first name or first initial and last name in combination with at least one of the following: (1) Social Security number; (2) driver’s license or state ID card number; or (3) financial account number, or credit or debit card number, along with any required code or password.
Exceptions to notice requirement: (1) If the information is encrypted; (2) if an investigation determines that misuse of information has not occurred and is not “reasonably likely to occur;” (3) a company regulated by state or federal law that maintains procedures for data breach notification, provided that the company complies with those procedures; or (4) if the company “maintains its own notice procedures as part of an information security policy for the treatment of personal information” and those “procedures are otherwise consistent with the timing requirements” of the Idaho breach notice law.
Timing of notice to individuals: Notice must be provided to individuals in the “most expedient time possible and without unreasonable delay,” consistent with needs of law enforcement and “any measures necessary to determine the scope of the breach, to identify the individuals affected, and to restore the reasonable integrity of the computerized data system.”
Requirements for notice to individual (form and content): (1) Written notice; (2) telephonic notice; (3) electronic notice; or (4) substitute notice, if the cost of notice would exceed $25,000, more than 50,000 Idaho residents would have to be notified, or the company does not have sufficient contact information. Substitute notice consists of email notice to available addresses, conspicuous posting on the company’s website, and notice to major statewide media.
Notice to state regulators or consumer reporting agencies/credit bureaus: Not required.
Illinois 815 Ill. Comp. Stat. § 530/1 et seq
Categories of covered personal information: An individual’s first name or first initial and last name in combination with at least one of the following: (1) Social Security number; (2) driver’s license or state ID card number; (3) financial account number or credit or debit card number, along with any required code or password, (4) medical information; (5) health insurance information; or (6) unique biometric data. Separately, the law covers “[u]ser name or email address, in combination with a password or security question and answer that would permit access to an online account, when either the user name or email address or password or security question and answer are not encrypted or redacted or are encrypted or redacted but the keys to unencrypt or unredact or otherwise read the data elements have been obtained through the breach of security.”
Exceptions to notice requirement: (1) If data is encrypted or redacted, provided that “the keys to unencrypt or unredact or otherwise read the name or data elements have been acquired without authorization through the breach of security;” or (2) if the company notifies individuals under “its own notification procedures as part of an information security policy for the treatment of personal information,” provided that the internal policy “is otherwise consistent with the timing requirements” of the Illinois breach notice law.
Timing of notice to individuals: Notice must be provided in the “most expedient time possible and without unreasonable delay,” consistent with “any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.”
Requirements for notice to individual (form and content): (1) Written notice; (2) electronic notice; or (3) substitute notice, if the cost of providing notice would exceed $250,000, the “affected class of subject persons to be notified” is greater than 500,000, or the company does not have sufficient contact information. Substitute notice must be provided via email if an address is available, conspicuous posting on the company’s website, and notification to statewide media. The notice must include toll‐free phone numbers for the credit reporting agencies; toll‐free phone number, address, and web address for the FTC; and a statement that these sources can provide information about fraud alerts and credit freezes. The notice must not include the number of Illinois residents whose data was compromised.
Notice to state regulators or consumer reporting agencies/credit bureaus: Not required.
Indiana Ind. Code § 24‐4.9‐2‐2 et seq
Categories of covered personal information: First name or first initial and last name, along with at least one of the following: (1) driver’s license or state ID card number; (2) credit card number; or (3) financial account number or debit card number in combination with a security code, password, or access code. Separately, an unencrypted and unredacted Social Security number is considered to be personal information, even if it is not disclosed with an individual’s name.
Exceptions to notice requirement: (1) encrypted information, unless that information “was or may have been acquired by an unauthorized person with access to the encryption key;” (2) if the company does not know or should not have known that the breach “resulted in or could result in identity deception, … identity theft, or fraud;” (3) a company that “maintains its own disclosure procedures as part of an information privacy, security policy, or compliance plan” under the USA PATRIOT Act, Executive Order 13224, Driver’s Privacy Protection Act, Fair Credit Reporting Act, GLBA, or HIPAA, provided that the policy or plan requires that “Indiana residents be notified of a breach of the security of the data without unreasonable delay and the data base owner complies with the data base owner’s information privacy, security policy, or compliance plan;” or (4) a financial institution that complies with the Interagency Guidance’s disclosure rules.
Timing of notice to individuals: Notice is required without unreasonable delay. A delay is reasonable if “necessary to restore the integrity of the computer system,” “necessary to discover the scope of the breach,” or “in response to a request from the attorney general or a law enforcement agency to delay disclosure because disclosure will … impede a criminal or civil investigation or jeopardize national security.”
Requirements for notice to individual (form and content): (1) Written notice; (2) telephonic notice; (3) fax notice; (4) email; or (5) substitute notice, if the total cost of notice exceeds $250,000 or more than 500,000 “subject persons” would be notified. Substitute notice must be provided via a conspicuous posting on the company’s website and notice to major news reporting media in the geographic area where Indiana residents affected by the data breach reside.
Notice to state regulators or consumer reporting agencies/credit bureaus: If any individuals are notified, the company must notify the Indiana Attorney General. If more than 1,000 Indiana residents are notified, the company also must notify the major credit reporting agencies.
Iowa Iowa Code § 715C.1 et seq
Categories of covered personal information: An individual’s first name or first initial and last name in combination with at least one of the following: (1) Social Security number; (2) driver’s license or government identification number; (3) financial account number, credit card number, or debit card number, along with any required code or password; (4) “unique electronic identifier or routing code,” combined with any required security code, access code, or password that would enable access to a financial account; or (5) unique biometric data (e.g., retinal image or fingerprint).
Exceptions to notice requirement: (1) If the data is encrypted and the key is not accessed, or if the data is redacted (the statute defines “encryption” as “use of an algorithmic process pursuant to accepted industry standards to transform data into a form in which the data is rendered unreadable or unusable without the use of a confidential process or key”); (2) if, after an investigation or after consulting with law enforcement, the company determines there is “no reasonable likelihood of financial harm” to the affected individuals, provided that the company documents this determination in writing and retains the documentation for five years; (3) if the company complies with the disclosure “rules, regulations, procedures, guidance, or guidelines” of its “primary or functional federal regulator,” provided that those requirements provide protection at least equal to that under the Iowa law; or (4) if the company is covered by GLBA and complies with its notice requirements.
Timing of notice to individuals: In the “most expeditious manner possible and without unreasonable delay,” consistent with the “legitimate needs of law enforcement” and “any measures necessary to sufficiently determine contact information for the affected consumers, determine the scope of the breach, and restore the reasonable integrity, security, and confidentiality of the data.”
Requirements for notice to individual (form and content): (1) Written notice; (2) electronic notice; or (3) substitute notice, if the cost of providing notice would exceed $250,000, the “affected class of consumers to be notified” is greater than 350,000 people, or the company does not have sufficient contact information. Substitute notice consists of email to available addresses, conspicuous posting of the notice on the company’s website, and notification to major statewide media. Notices must contain a description of the breach, the approximate date of the breach, the type of personal information breached, contact information for consumer reporting agencies, and advice to the consumer to report suspected identity theft to local law enforcement or the Iowa Attorney General.
Notice to state regulators or consumer reporting agencies/credit bureaus: If 500 or more Iowa residents are notified, the company must notify the director of the consumer protection division of the Iowa Attorney General’s office within five business days of notifying the Iowa residents. The law does not require notification of credit bureaus.