Cybersecurity & Corporate Tax Incentives Blog

Cybersecurity State by State Data Breach Notification Laws Cont.

As promised to our readers, we have continued our list of State by State Data Breach Notification laws below for ease of access. 

Kansas Stat. § 50‐7a01

Categories   of covered personal information: An individual’s first name or first   initial and last name along with at least one of the following: (1) Social   Security number; (2) driver’s license or state ID card number; or (3)   financial account or credit or debit card number, along with any required   code or password. 

Exceptions   to notice requirement: (1) If the information is encrypted, which the   statute defines as “transformation of data through the use of algorithmic   process into a form in which there is a low probability of assigning meaning   without the use of a confidential process or key, or securing the information   by another method that renders the data elements unreadable or unusable;” (2)   if an investigation concludes that “the misuse of information” has not   occurred and is not “reasonably likely to occur;” (3) a company regulated by   state or federal law that “maintains procedures for a breach of the security   of the system pursuant to the laws, rules, regulations, guidances or   guidelines established by its primary or functional state or federal   regulator;” or (4) if the company maintains and follows “its own notification   procedures as part of an information security policy for the treatment of   personal information,” consistent with the timing requirements of the Kansas   breach notice law. 

Timing   of notice to individuals: In the “most expedient time possible and   without unreasonable delay, consistent with the legitimate needs of law   enforcement and consistent with any measures necessary to determine the scope   of the breach and to restore the reasonable integrity of the computerized   system.” 

Requirements   for notice to individual (form and content): (1) Written notice; (2)   electronic notice; or (3) substitute notice, if the cost of providing notice   would exceed $100,000, the “affected class of consumers to be notified”   exceeds 5,000, or the company does not have sufficient contact information.   Substitute notice consists of email to available addresses, conspicuous   posting of the notice on the company’s website, and notification to major   statewide media. 

Notice   to state regulators or consumer reporting agencies/credit bureaus: A   company must notify credit reporting agencies of the timing, content, and   distribution of notices if the company notified more than 1,000 Kansas   residents.

Kentucky Ky. Rev. Stat. § 365.732

Categories   of covered personal information: An individual’s first name or first   initial and last name along with at least one of the following: (1) Social   Security number; (2) driver’s license or state ID card number; or (3)   financial account or credit or debit card number, along with any required   code or password. 

Exceptions   to notice requirement: (1) If the information is encrypted or redacted;   (2) if the company does not “reasonably believe” that the breach “has caused   or will cause, identity theft or fraud” against any Kentucky resident; (3) a   company subject to GLBA or HIPAA; or (4) if the company follows and maintains   “its own notification procedures as part of an information security policy   for the treatment of personally identifiable information, and is otherwise   consistent with the timing requirements” of the Kentucky breach notice law. 

Timing of   notice to individuals: In the “most expedient time possible and without   unreasonable delay,” consistent with legitimate law enforcement needs and   “any measures necessary to determine the scope of the breach and restore the   reasonable integrity of the data system.” 

Requirements   for notice to individual (form and content): (1) Written notice; (2)   electronic notice; or (3) substitute notice, if the cost of providing notice   would exceed $250,000, the “affected class of subject persons to be notified”   is greater than 500,000 people, or the company does not have sufficient   contact information. Substitute notice consists of email to available   addresses, conspicuous posting of the notice on the company’s website, and   notification to major statewide media. 

Notice   to state regulators or consumer reporting agencies/credit bureaus: A   company must notify credit reporting agencies of the timing, content, and   distribution of notices if the company notified more than 1,000 Kentucky   residents.

Louisiana La. Stat. § 51:3071 et seq.

Categories   of covered personal information: An individual’s first name or first   initial and last name along with at least one of the following: (1) Social   Security number; (2) driver’s license or state ID card number; (3) account or   credit or debit card number, along with any required code or password, (4)   passport number, or (5) biometric data. 

Exceptions   to notice requirement: (1) If the information is encrypted or redacted;   (2) if “after a reasonable investigation, the person or business determines   there is no reasonable likelihood of harm” to Louisianans, provided that the   business retains a written copy of the determination for five years from the   breach’s discovery; (3) a financial institution subject to and in compliance   with Interagency Guidance; or (4) if the company follows the security breach   notification procedures of its information security policy, consistent with   this statute’s timing requirements. 

Timing of   notice to individuals: Within 60 days of discovery of the breach, and “in   the most expedient time possible and without unreasonable delay,” consistent   with legitimate law enforcement needs and measures that are necessary to   determine the scope of the breach, prevent further disclosure, and restore   system integrity. If the notification is delayed, the company must provide a   written explanation to the state Attorney General within 60 days. 

Requirements   for notice to individual (form and content): (1) Written notice; (2)   electronic notice; or (3) substitute notice, if the cost of providing notice   would exceed $100,000, the “affected class of persons to be notified” is   greater than 100,000 people, or the company does not have sufficient contact   information. Substitute notice consists of email to available addresses,   conspicuous posting of the notice on the company’s website, and notification   to major statewide media. 

Notice to   state regulators or consumer reporting agencies/credit bureaus: A company   must notify the Consumer Protection Section of the Office of the Louisiana   Attorney General within ten days of notifying Louisiana residents. The notice   should include the names of all Louisiana citizens who were notified of the   breach.

Maine Me. Rev. Stat. tit. 10, § 1346 et seq.

Categories   of covered personal information: An individual’s first name or first   initial and last name along with at least one of the following: (1) Social   Security number; (2) driver’s license or state ID card number; (3) financial   account or credit or debit card number, along with any required code or   password; or (4) account passwords or PIN numbers or other access codes.   Alternatively, any of those four data elements, without the individual’s   name, if the information “would be sufficient to permit a person to   fraudulently assume or attempt to assume the identity of the person whose   information was compromised.” 

Exceptions   to notice requirement: (1) If the information is encrypted or redacted   (the statute defines “encryption” as “disguising of data using generally   accepted practices”); (2) if after conducting “in good faith a reasonable and   prompt investigation” the company determines that it is not “reasonably   possible” that the information could be misused (though this exception does   not apply to information brokers); (3) if the company “complies with the   security breach notification requirements of rules, regulations, procedures   or guidelines established pursuant to federal law” or Maine law, provided   they are at least as protective as the requirements of the Maine breach   notice law. 

Timing of   notice to individuals: Disclosure must occur “as expediently as possible   and without unreasonable delay, consistent with the legitimate needs of law   enforcement pursuant” or “with measures necessary to determine the scope of   the security breach and restore the reasonable integrity, security and   confidentiality of the data in the system.” 

Requirements for notice to individual (form and content): (1) Written notice; (2) electronic notice; or (3) substitute notice, if the cost of providing notice would exceed $5,000, the “affected class of individuals to be notified exceeds 1,000,” or the company does not have sufficient contact information. Substitute notice consists of email to available addresses, conspicuous posting of the notice on the company’s website, and notification to major statewide media.

Notice to   state regulators or consumer reporting agencies/credit bureaus: A company   that notifies Maine residents must notify the Maine Department of   Professional and Financial Regulation or, if not regulated by that   department, the Maine Attorney General. If the company notifies more than   1,000 Maine residents, the company must notify credit reporting agencies of   the breach date, estimated number of people affected, and date of individual   notification. 

Maryland Md. Code, Com. Law § 14‐3501 et seq.

Categories of covered   personal information: An individual’s first name or first initial and   last name along with at least one of the following: (1) Social Security or   passport number; (2) driver’s license or state ID card number; (3) financial   account or credit or debit card number, along with any required code or   password; (4) an individual taxpayer identification number; (5) health   information; (6) health insurance information; and (7) biometric data.   Separately, the law covers a “user name or e‐mail address in combination with   a password or security question and answer that permits access to an   individual’s e‐mail account.” 

Exceptions to notice requirement: (1) If the information is encrypted or redacted (the statute defines “encrypted” as “the protection of data in electronic or optical form using an encryption technology that renders the data indecipherable without an associated cryptographic key necessary to enable decryption of the data”); (2) if an investigation determines there is not a reasonable likelihood of misuse of the information, provided that the company retains written documentation of this determination for three years; (3) if the company is subject to rules of a primary or functional federal or state regulator; or (4) a financial institution that is subject to and complies with GLBA.

Timing of notice to   individuals: Notification should be provided within 45 days of the   conclusion of an investigation, and “as soon as reasonably practicable.”   Delay is permitted if “a law enforcement agency determines that the   notification will impede a criminal investigation or jeopardize homeland or   national security” or to “determine the scope of the breach of the security   of a system, identify the individuals affected, or restore the integrity of   the system.” 

Requirements for notice to   individual (form and content): (1) Written notice; (2) electronic notice;   (3) telephone notice; or (4) substitute notice, if the cost of providing   notice would exceed $100,000, the “affected class of individuals to be   notified exceeds 175,000,” or the company does not have sufficient contact   information. Substitute notice consists of email to available addresses,   conspicuous posting of the notice on the company’s website, and notification   to major statewide media. Notices must   contain descriptions of the types of data breached; the company’s contact   information; the toll‐free phone numbers and addresses for the credit   reporting agencies; the toll‐free telephone number, addresses, and websites   for the FTC and Maryland Attorney General; and a statement that individuals   can obtain information about identity theft from these sources. 

Notice to state regulators   or consumer reporting agencies/credit bureaus: A company must notify the   Maryland Attorney General before notifying Maryland residents. If more than   1,000 Maryland residents are notified, credit bureaus also should be   notified, and the notice should state the timing, content, and distribution   of the individual notices.

Massachusetts Mass. Gen. Laws ch. 93H, § 3

Categories   of covered personal information: An individual’s first name or first   initial and last name along with at least one of the following: (1) Social   Security number; (2) driver’s license or state ID card number; or (3)   financial account or credit or debit card number, along with any required code   or password. 

Exceptions   to notice requirement: (1) If the information is encrypted with at least   a 128‐bit process and the key was not accessed; or (2) if the company   maintains and follows “procedures for responding to a breach of security   pursuant to federal laws, rules, regulations, guidance, or guidelines,”   provided that the company notifies Massachusetts residents and Massachusetts   officials. The statute does not have   the standard risk‐of‐harm exception. Instead, it requires notification if a   company “(1) knows or has reason to know of a breach of security or (2) when   the person or agency knows or has reason to know that the personal   information of such resident was acquired or used by an unauthorized person   or used for an unauthorized purpose.” 

Timing of   notice to individuals: Notification must be provided “as soon as   practicable and without unreasonable delay.” Delay is permitted “if a law   enforcement agency determines that provision of such notice may impede a   criminal investigation and has notified the attorney general, in writing,   thereof and informs the person or agency of such determination.” The company   must “cooperate with law enforcement in its investigation of any breach of   security or unauthorized acquisition or use, which shall include the sharing   of information relevant to the incident, provided however, that such   disclosure shall not require the disclosure of confidential business   information or trade secrets.”

Requirements   for notice to individual (form and content): (1) Written notice; (2)   electronic notice; or (3) substitute notice, if the cost of providing notice   would exceed $250,000, more than 500,000 Massachusetts residents would have   to be notified, or the company does not have sufficient contact information.   Substitute notice consists of email to available addresses, conspicuous   posting of the notice on the company’s website, and notification to major   statewide media. The notice must   include the consumer’s right to obtain a police report, and instructions to   request a security freeze, including fees paid to consumer reporting   agencies. The notice must not describe the nature of the breach or the number   of Massachusetts residents affected. 

Notice to   state regulators or consumer reporting agencies/credit bureaus: A company   must notify the Massachusetts Attorney General and Director of Consumer   Affairs and Business Regulation. The notice should describe the breach, the   number of affected Massachusetts residents, and steps taken to remediate   harm.

Michigan Mich. Comp. Laws §§ 445.63, 445.72

Categories   of covered personal information: An individual’s first name or first   initial and last name along with at least one of the following: (1) Social   Security number; (2) driver’s license or state ID card number; or (3) financial   account or credit or debit card number, along with any required code or   password. 

Exceptions to notice requirement: (1) If the personal information was encrypted and the key was not disclosed (the statute defines “encrypted” as “transformation of data through the use of an algorithmic process into a form in which there is a low probability of assigning meaning without use of a confidential process or key, or securing information by another method that renders the data elements unreadable or unusable”); (2) if the company determines that the breach “has not or is not likely to cause substantial loss or injury to, or result in identity theft of” a Michigan resident; (3) a “financial institution that is subject to, and has notification procedures in place that are subject to examination by the financial institution’s appropriate regulator for compliance with” the Interagency Guidance under GLBA; or (4) a company subject to and in compliance with HIPAA.

Timing of   notice to individuals: Notice must be provided “without unreasonable   delay,” except as needed legitimately for law enforcement or to “take any   measures necessary to determine the scope of the security breach and restore   the reasonable integrity of the database.” 

Requirements for notice to individual (form and content): (1) Written notice; (2) telephonic notice, subject to consent and format restrictions specified in the statute; (3) electronic notice, subject to consent and format restrictions specified in the statute; or (4) substitute notice, if the total cost of notification will exceed $250,000, more than 500,000 Michigan residents must be notified, or the company does not have sufficient contact information. Substitute notice consists of email notice if the company has email addresses; conspicuous posting of the notice on the company’s website; and notice to major statewide media that includes a telephone number to obtain assistance and information. Notices must be written in a “clear and conspicuous manner;” describe the breach in general terms; describe the type of personal information that is the subject of the unauthorized access or use, if applicable; describe remediation steps to prevent further breaches; include a phone number for additional information; and remind recipients of the need to remain vigilant for identity theft and fraud.

Notice to   state regulators or consumer reporting agencies/credit bureaus: Notice to   major credit reporting agencies is required if more than 1,000 Michigan   residents receive breach notices (though this does not apply to GLBA‐covered   companies). The notice must state the date of the notices that were sent to   individuals.

Minnesota Minn. Stat. § 325E.61 et seq.

Categories   of covered personal information: An individual’s first name or first   initial and last name along with at least one of the following: (1) Social   Security number; (2) driver’s license or state ID card number; or (3)   financial account or credit or debit card number, along with any required code   or password. 

Exceptions to notice requirement: (1) If the personal information was “secured by encryption or another method of technology that makes electronic data unreadable or unusable,” provided that the key was not accessed; (2) a company that qualifies as a “financial institution” under GLBA; or (3) a company that follows “its own notification procedures as part of an information security policy for the treatment of personal information,” provided that the timing of notification is consistent with the Minnesota breach notice law.

Timing   of notice to individuals: Notice must be provided “in the most expedient   time possible and without unreasonable delay,” except as needed legitimately   for law enforcement or “any measures necessary to determine the scope of the   breach, identify the individuals affected, and restore the reasonable   integrity of the data system.”

Requirements   for notice to individual (form and content): (1) Written notice; (2)   electronic notice; or (3) substitute notice, if the total cost of   notification will exceed $250,000, the “affected class of subject persons to   be notified exceeds 500,000,” or the company does not have sufficient contact   information. Substitute notice consists of email notice if the company has   email addresses, conspicuous posting of the notice on the company’s website,   and notice to major statewide media. 

Notice   to state regulators or consumer reporting agencies/credit bureaus: If a   company determines that more than 500 Minnesota residents must be notified,   the company must notify the major consumer reporting agencies, within 48   hours of the determination, of the timing, distribution, and content of the   notices.

Mississippi Miss. Code § 75‐24‐29

Categories   of covered personal information: An individual’s first name or first   initial and last name along with at least one of the following: (1) Social   Security number; (2) driver’s license or state ID card number; or (3)   financial account or credit or debit card number, along with any required code   or password. 

Exceptions   to notice requirement: (1) If the personal information was “secured by   encryption or by any other method or technology that renders the personal   information unreadable or unusable;” (2) if after “appropriate   investigation,” the company “reasonably determines that the breach will not   likely result in harm to the affected individuals;” (3) a company that   maintains and follows a breach notice procedure under the rules of GLBA; or   (4) a company that follows “an information security policy for the treatment   of personal information” and the timing is consistent with this statute. 

Timing   of notice to individuals: Notice must be provided “without unreasonable   delay,” except as needed legitimately for law enforcement to “determine the   nature and scope of the incident, to identify the affected individuals, or to   restore the reasonable integrity of the data system.” 

Requirements   for notice to individual (form and content): (1) Written notice; (2)   telephone notice; (3) electronic notice; or (4) substitute notice, if the   total cost of notification will exceed $5,000, the “affected class of subject   persons to be notified” is greater than 5,000 people, or the company does not   have sufficient contact information. Substitute notice consists of email   notice if the company has email addresses; conspicuous posting of the notice   on the company’s website; and notice to major statewide media, including   newspapers, radio, and television. 

Notice   to state regulators or consumer reporting agencies/credit bureaus: Not   required.

Nebraska Neb. Rev. Stat. § 87‐801 et seq.

Categories of covered personal information: (a) An individual’s first name or first initial and last name along with at least one of the following: (1) Social Security number; (2) driver’s license or state ID card number; (3) financial account or credit or debit card number, along with any required code or password; (4) unique electronic identification number or routing code, in combination with any required security code, access code, or password; or (5) “unique biometric data,” such as a fingerprint, voice print, or retinal or iris image, or other unique physical representation; or (b) a user name or email address, along with the password or security question that allows access to an online user account. 

Exceptions to notice requirement: (1) If the information is encrypted, provided that the key was not accessed, or if the information was redacted (the statute defines “encrypted” as “converted by use of an algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without use of a confidential process or key”); (2) if an investigation determines that use of information about a Nebraska resident for an unauthorized purpose has not occurred and is not “reasonably likely” to occur; (3) a company “regulated by state or federal law and that maintains procedures for a breach of the security of the system pursuant to the laws, rules, regulations, guidances, or guidelines established by its primary or functional state or federal regulator;” or (4) if the company follows “its own notice procedures which are part of an information security policy for the treatment of personal information,” consistent with this statute’s timing requirements. 

Timing of notice to individuals: Notice must be made “as soon as possible and without unreasonable delay,” consistent with “the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system.”

Requirements for notice to individual (form and content): (1) Written notice; (2) electronic notice; (3) telephone notice; or (4) substitute notice, if the cost of providing notice would exceed $75,000, more than 100,000 Nebraska residents would have to be notified, or the company does not have sufficient contact information. Substitute notice consists of email to available addresses, conspicuous posting of the notice on the company’s website, and notification to major statewide media. If the company has ten or fewer employees and the cost of notice would exceed $10,000, substitute notice consists of (1) email to known addresses; (2) notification by a paid advertisement in a local newspaper in the geographic area in which the company is located, provided that the ad covers at least a quarter of a page in the newspaper and is published at least once a week for three consecutive weeks; (3) conspicuous posting on the company’s website; and (4) notification to major media outlets in the geographic area in which the company is located. 

Notice to state regulators or consumer reporting agencies/credit bureaus: If a company notifies Nebraska residents of a data breach, it must also notify the Nebraska Attorney General concurrently or before it notifies the individuals.

Nevada Nev. Rev. Stat. § 603A.010 et seq.

Categories   of covered personal information: First name or first initial and last   name in combination with one or more of the following: (1) Social Security   number (not including last four digits of number); (2) driver’s license or   state ID number; (3) financial account number, credit card number, or debit   card number, in combination with any code or password necessary to access   financial account; (4) medical identification number or health insurance   identification number; or (5) a “user name, unique identifier or electronic   mail address in combination with a password, access code or security   question and answer that would permit access to an online account.” 

Exceptions   to notice requirement: (1) If personal information is encrypted; (2) if   the company is subject to and complies with GLBA’s breach notice   requirements; or (3) if the business follows “its own notification policies   and procedures as part of an information security policy for the treatment of   personal information” and is otherwise consistent with the law’s timing   requirements. 

Timing of   notice to individuals: Individual notice must be made in the “most   expedient time possible and without unreasonable delay,” consistent with the   needs of law enforcement or “any measures necessary to determine the scope of   the breach and restore the reasonable integrity of the system data.” 

Requirements   for notice to individual (form and content): (1) Written notice; (2)   electronic notice; or (3) substitute notice if the cost of notifying would   exceed $250,000, the “affected class of subject persons to be notified” is   greater than 500,000, or the company does not have sufficient contact   information. Substitute notice consists of email notice when an address is   available, conspicuous posting of the notice on the company’s website, and   notification to major statewide media. 

Notice to   state regulators or consumer reporting agencies/credit bureaus: If more   than 1,000 Nevada residents are notified for one incident, the company must   notify the major consumer reporting agencies of the time the notification was   distributed and the content of the notification.

New Mexico H.B. 15 (2017)

Categories of covered personal information: First name or   first initial and last name in combination with one or more of the following:   (1) Social Security number; (2) driver’s license or government ID number; (3)   financial account number, credit card number, or debit card number in   combination with any code or password necessary to access financial account;   or (4) biometric data. 

Exceptions to notice requirement: (1) If personal information is encrypted or redacted, provided that the key was not acquired; (2) if “after an appropriate investigation,” the company “determines that the security breach does not give rise to a significant risk of identity theft or fraud;” or (3) if the business follows “its own notice procedures as part of an information security policy for the treatment of personal identifying information” and its procedures are otherwise consistent with the New Mexico statute’s timing requirements.

Timing of notice to individuals: Within 45 calendar days of discovering the breach, and in “the most expedient time possible,” unless a delay is necessary to “determine the scope of the security breach and restore the integrity, security and confidentiality of the data system” or is requested by law enforcement.

Requirements for notice to individual (form and content): (1) Written notice; (2) email notice; or (3) substitute notice if the cost of notifying would exceed $100,000, more than 50,000 residents of New Mexico would have to be notified, or the company does not have sufficient contact information. Substitute notice consists of email notice when an address is available, conspicuous posting of the notice on the company’s website, and notification to statewide media and the state Attorney General.

Notice must include: the company’s contact information; categories of personal information suspected to have been breached; date of the breach; a “general description” of the breach; toll‐free phone numbers for the credit bureaus; “advice that directs the recipient to review personal account statements and credit reports, as applicable, to detect errors resulting from the security breach;” and advice about the individual’s rights under the federal Fair Credit Reporting Act.

Notice to state regulators or consumer reporting agencies/credit   bureaus: If a single data breach results in notice to more than 1,000 New   Mexico residents, the company must notify the state Attorney General and   major credit bureaus within 45 days, unless a delay is permitted. The   notification must include the number of notified New Mexico residents and a   copy of the notice to individuals.

New York N.Y. Gen. Bus. Law § 899‐aa

Categories of covered personal information: Any “information   concerning a natural person which, because of name, number, personal mark, or   other identifier, can be used to identify such natural person” along with at   least one of the following: (1) Social Security number; (2) driver’s license   or state ID card number; or (3) financial account or credit or debit card   number, along with any required code or password. 

Exceptions to notice requirement: (1) If the personal   information was encrypted and the key was not accessed; (2) if the company   determines that the unauthorized acquisition did not compromise “the   security, confidentiality, or integrity of personal information,” after   considering the following factors: (a) indications that the information is in   the “physical possession and control of an unauthorized person;” (b)   indications that “the information has been downloaded or copied;” and (c)   indications that the information was “used by an unauthorized person, such as   fraudulent accounts opened or instances of identity theft reported.”

Timing of notice to individuals: Notice must be provided in   the “most expedient time possible and without unreasonable delay,” except as   needed legitimately for law enforcement and “any measures necessary to   determine the scope of the breach and restore the reasonable integrity of the   system.” 

Requirements for notice to individual (form and content): (1)   Written notice; (2) telephone notice; (3) electronic notice; or (4)   substitute notice, if the total cost of notification will exceed $250,000,   the “affected class of subject persons to be notified” is greater than   500,000, or the company does not have sufficient contact information.   Substitute notice consists of email notice if the company has email   addresses, conspicuous posting of the notice on the company’s website, and   notice to major statewide media. The   notice must include contact information for the company, and a description of   the categories of information believed to have been acquired. 

Notice to state regulators or consumer reporting agencies/credit bureaus:   Any time that New York residents are notified of a data breach, the   company should notify the New York Attorney General, the New York Department   of State, and the New York Division of State Police of the timing, content,   and distribution of the notices and the approximate number of New York   residents affected. The notice must not delay notification of   individuals. If more than 5,000 New   York residents are notified at one time, the company must notify the consumer   reporting agencies of the timing, content, and distribution of the notices   and approximate number of New York residents affected.

North Carolina N.C. Gen. Stat § 75‐65

Categories of covered personal information: An individual’s first name or first initial and last name along with at least one of the following: (1) Social Security number; (2) driver’s license or state ID card number; (3) checking account number; (4) savings account number; (5) credit card number; (6) debit card number; (7) personal identification code; (8) electronic identification numbers, electronic mail names or addresses, Internet account numbers, or Internet identification names; (9) digital signatures; (10) any other numbers or information that can be used to access a person’s financial resources; (11) biometric data; (12) fingerprints; (13) passwords; or (14) parent’s legal surname prior to marriage.

Exceptions to notice requirement: (1) If the personal information was encrypted and the key has not been accessed (“encryption” is defined as the “use of an algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without use of a confidential process or key”); (2) if “illegal use of the personal information” has not occurred, is not “reasonably likely to occur,” and does not create “a material risk of harm to a consumer;” or (3) a financial institution that complies with the GLBA Interagency Guidance. 

Timing of notice to individuals: Notice must be provided “without unreasonable delay,” except as needed legitimately for law enforcement and “consistent with any measures necessary to determine sufficient contact information, determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.” 

Requirements for notice to individual (form and content): (1) Written notice; (2) telephone notice; (3) electronic notice; or (4) substitute notice, if the total cost of notification will exceed $250,000, the “affected class of subject persons to be notified exceeds 500,000,” or the company does not have sufficient contact information. Substitute notice consists of email notice if the company has email addresses; conspicuous posting of the notice on the company’s website, and notice to major statewide media. The notice must contain a description of the incident “in general terms;” a description of the categories of personal information that were subject to unauthorized access; a description of the steps the business took to prevent further unauthorized access; a phone number for further information and assistance; advice to “remain vigilant by reviewing account statements and monitoring free credit reports;” toll‐free numbers and addresses for the major consumer reporting agencies; and toll‐free numbers, addresses, and website addresses for the FTC and North Carolina Attorney General’s office, along with a statement that the individual “can obtain information from these sources about preventing identity theft.” 

Notice to state regulators or consumer reporting agencies/credit bureaus: If any North Carolina residents are notified, the company must notify the North Carolina Attorney General’s Consumer Protection Division, without unreasonable delay, of the nature of the breach, the number of consumers affected, steps taken to investigate the breach, steps taken to prevent a similar breach in the future, and information regarding the timing, distribution, and content of the notice. If a company notifies more than 1,000 North Carolina residents at once, the company must notify the consumer reporting agencies of the timing, distribution, and content of the individual notices.

North Dakota N.D. Cent. Code § 51‐30‐01 et seq

Categories of covered personal information: An individual’s   first name or first initial and last name along with at least one of the   following: (1) Social Security number; (2) driver’s license or state ID card   number; (3) financial account or credit or debit card number, along with any   required code or password; (4) date of birth; (5) mother’s maiden name; (6)   medical information; (7) health insurance information; (8) employee   identification number along with any required code or password; or (9)   digitized or other electronic signature. 

Exceptions to notice requirement: (1) If the information is encrypted or rendered “otherwise unreadable or unusable;” (2) a financial institution that complies with notice requirements of the Interagency Guidance; or (3) if the company follows “its own notification procedures as part of an information security policy for the treatment of personal information,” consistent with the timing requirements of the North Dakota breach notice law.

Timing of notice to individuals: In the “most expedient time   possible and without unreasonable delay,” consistent with legitimate law   enforcement needs and “any measures necessary to determine the scope of the   breach and to restore the integrity of the data system.” 

Requirements for notice to individual (form and content): (1)   Written notice; (2) electronic notice; or (3) substitute notice, if the cost   of providing notice would exceed $250,000, the “affected class of subject   persons to be notified” is greater than 500,000 people, or the company does   not have sufficient contact information. Substitute notice consists of email   to available addresses, conspicuous posting of the notice on the company’s website,   and notification to major statewide media. 

Notice to state regulators or consumer reporting agencies/credit   bureaus: If a company notifies more than 250 individuals of a data   breach, it must disclose the breach to the North Dakota Attorney General by   mail or email.

Ohio Ohio Rev. Code § 1349.19 et seq

Categories of   covered personal information: First name or first initial and last name   in combination with at least one of the following: (1) Social Security   number; (2) driver’s license or ID card number; or (3) account number or   credit or debit card number, along with code or password necessary to access   financial account. Personal information does not include information that   already had lawfully been made publicly available by or to the news media.

Exceptions to   notice requirement: (1) Encrypted or redacted personal information (the   statute defines “encryption” as “the use of an algorithmic process to   transform data into a form in which there is a low probability of assigning   meaning without use of a confidential process or key”); (2) if the company   does not “reasonably” believe that the breach will cause a “material risk of   identity theft or other fraud” to Ohio residents; (3) if the company is a   financial institution, trust company, or credit union or affiliate of such,   and is required by federal law to issue breach notices to affected customers;   or (4) if the company is a covered entity that is regulated under HIPAA. 

Timing of notice   to individuals: Disclosure must be provided in the “most expedient time   possible,” but no later than 45 days after discovery or notification of the   breach, subject to legitimate needs of law enforcement and “consistent with   any measures necessary to determine the scope of the breach, including which   residents’ personal information was accessed and acquired, and to restore the   reasonable integrity of the data system.” 

Requirements for   notice to individual (form and content): (1) Written notice; (2)   telephonic notice; (3) electronic notice, if that is the company’s primary   method of communicating with the individual; or (4) substitute notice if the   company demonstrates that the cost of notice exceeds $250,000, at least   500,000 Ohio residents would have to be notified, or the company does not   have sufficient contact information. Substitute notice consists of email   notice when available; conspicuous posting of the notice on the company’s   website; and notification to major media outlets, when the cumulative total   readership, viewing audience, or listening audience combined is equal to at   least 75 percent of Ohio’s population. Separately, Ohio allows another form   of substitute notice if the company has ten or fewer employees and the cost   of notice would exceed $10,000. In this case, the substitute notice must   include (1) notice by a paid advertisement in a local newspaper that is   distributed in the area in which the company is located, with the   advertisement covering at least one‐quarter of a page and published at least   weekly for three consecutive weeks; (2) conspicuous posting of the notice on   the company’s website; and (3) notice to major media outlets in the company’s   geographic area. 

Notice to state   regulators or consumer reporting agencies/credit bureaus: Notice to state   regulators not required. Notice to credit reporting agencies is required if   more than 1,000 Ohio residents are notified. The notice to credit reporting   agencies must describe the timing, distribution, and content of the   individual breach notices.

Oklahoma Okla. Stat. tit. 24, §§ 162–164

Categories of covered personal information:  First name or first initial and last name in combination with at least one of   the following: (1) Social Security number; (2) driver’s license or ID card   number; or (3) financial account number or credit or debit card number, along   with code or password necessary to access financial accounts. 

Exceptions to notice requirement: (1)   Redacted or encrypted personal information, provided that the key was not   accessed; (2) if the breach did not cause and is not reasonably believed to   cause “identity theft or other fraud;” (3) a financial institution that   complies with the federal Interagency Guidance on breach notification; (4) a   company that “complies with the notification requirements or procedures   pursuant to the rules, regulation, procedures, or guidelines established by   the primary or functional federal regulator;” or (5) if the company follows   “its own notification procedures as part of an information privacy or   security policy for the treatment of personal information” and is consistent   with the timing requirements of the Oklahoma breach notice law. 

Timing of notice to individuals: Disclosure   must be provided “without unreasonable delay,” though delay is permitted “if   a law enforcement agency determines and advises the individual or entity that   the notice will impede a criminal or civil investigation or homeland or   national security.” 

Requirements for notice to individual (form and content): (1) Written notice to postal address listed in company’s records; (2) telephonic notice; (3) electronic notice; or (4) substitute notice if the company demonstrates that the cost of notice exceeds $50,000, at least 100,000 Oklahoma residents would have to be notified, or the company does not have sufficient contact information. Substitute notice consists of at least two of the following methods: email notice when available, conspicuous posting of the notice on the company’s website, and notification to major statewide media.

Notice to state regulators or consumer reporting   agencies/credit bureaus: Not required.

Oregon Or. Rev. Stat. § 646A.600 et seq

Categories   of covered personal information: First name or first initial and last   name in combination with at least one of the following: (1) Social Security   number; (2) driver’s license or ID card number; (3) passport number or other   identification number issued by the United States; (4) financial account   number or credit or debit card number, along with code or password necessary   to access financial account, or “any other information or combination of   information that a person reasonably knows or should know would permit access   to the consumer’s financial account;” (5) data from “automatic measurements   of a consumer’s physical characteristics” (e.g., fingerprint or retinal   scans) that are used to authenticate a consumer’s identity for a transaction;   (6) health insurance policy number or health insurance subscriber   identification number in combination with unique identifiers used by health   insurers; or (7) information about medical history, medical or physical   condition, medical diagnosis, or treatment. These seven categories of   information—without an individual’s name—still could be considered personal   information if they would enable identity theft. 

Exceptions   to notice requirement: (1) Encrypted or redacted personal information;   (2) if, after an appropriate investigation or consultation with law enforcement,   the company “reasonably determines” that the consumers are “unlikely to   suffer harm” (this determination must be documented in writing and retained   for at least five years); (3) if a company follows notification rules that   its “primary or functional federal regulator adopts, promulgates or issues in   rules, regulations, procedures, guidelines or guidance, if the rules,   regulations, procedures, guidelines or guidance provide greater protection to   personal information and disclosure requirements at least as thorough as the   protections and disclosure requirements provided” under the Oregon breach   notice law; (4) the company is a financial institution that complies with   GLBA; or (5) if the company follows its internal notification procedures and   those procedures are consistent with the statute’s timing requirements. 

Timing of   notice to individuals: Disclosure must be provided within 45 days of   discovery or notification of the breach, and in the most “expeditious manner   possible” and “without unreasonable delay,” consistent with legitimate needs   of law enforcement and “consistent with any measures that are necessary to   determine sufficient contact information for the affected consumer, determine   the scope of the breach of security and restore the reasonable integrity,   security and confidentiality of the personal information.” 

Requirements   for notice to individual (form and content): (1) Written notice; (2)   telephonic notice, if the company directly contacts the consumer by that   means; (3) electronic notice, if that is the company’s customary method of   communicating with the individual; or (4) substitute notice if the company   demonstrates that the cost of notice exceeds $250,000, the “affected class of   consumers exceeds 350,000,” or the company does not have sufficient contact   information. Substitute notice consists of email notice when available, conspicuous   posting of the notice on the company’s website, and notification to major   statewide television and media. Notice   must contain a description of the data breach “in general terms;” the   approximate date of the breach; the type of personal information that was   subject to the breach; contact information for the company that was subject   to the breach; contact information for credit bureaus; and advice to report   suspected identity theft to law enforcement, including the Attorney General   and the Federal Trade Commission. If the company provides free credit   monitoring or identity theft prevention and mitigation services, the company   cannot condition the services on the individual providing a credit card or   debit card number, or on the purchase of any other service. If the services   are offered for a fee, the company “must separately, distinctly, clearly, and   conspicuously disclose in the offer for the additional credit monitoring   services or identity theft prevention and mitigation services” that the   company will charge a fee. 

Notice to   state regulators or consumer reporting agencies/credit bureaus: If the   number of affected Oregon residents exceeds 250, the company, either in   writing or electronically, must provide the Oregon Attorney General with the   same notice provided to consumers. Notice to credit reporting agencies   without unreasonable delay is required, provided that more than 1,000 Oregon   residents are affected. The notice to credit bureaus should include the   notice provided to individuals, and any police report number assigned to the   data breach.

Pennsylvania 73 Pa. Cons. Stat. § 2301 et seq

Categories   of covered personal information: First name or first initial and last   name in combination with at least one of the following: (1) Social Security   number; (2) driver’s license or ID card number; or (3) financial account   number or credit or debit card number, along with code or password necessary   to access financial account. 

Exceptions   to notice requirement: (1) Redacted or encrypted information, if the key   was not accessed; (2) if the company does not “reasonably” believe that the   breach has caused or will cause “loss or injury” to a Pennsylvania resident;   (3) if a company “complies with the notification requirements or procedures   pursuant to the rules, regulations, procedures or guidelines established by   the entity’s primary or functional Federal regulator;” (4) if the company is   a financial institution that complies with the Interagency Guidance   procedures; or (5) if the company follows “its own notification procedures as   part of an information privacy or security policy for the treatment of   personal information,” provided that the policy is “consistent with the   notice requirements” of the Pennsylvania breach notice law. 

Timing of   notice to individuals: Disclosure must be provided “without unreasonable   delay,” except to determine the scope of the breach and restore the   reasonable integrity of the data system, or at the written request of law   enforcement. 

Requirements   for notice to individual (form and content): (1) Written notice to the   last known postal address; (2) telephonic notice, if the individual can   reasonably be expected to receive it and the notice clearly and conspicuously   describes the incident generally and verifies personal information but does not   require the customer to provide personal information, and the customer is   provided with a phone number or website for further information or   assistance; (3) electronic notice, if a prior business relationship exists   and the company has a valid email address for the individual; or (4)   substitute notice if the company demonstrates that the cost of notice exceeds   $100,000, the “affected class of subject persons to be notified exceeds   175,000,” or the company does not have sufficient contact information. Substitute   notice consists of email notice when available, conspicuous posting of the   notice on the company’s website, and notification to major statewide media.

Notice to   state regulators or consumer reporting agencies/credit bureaus: Notice to   state regulators is not required. Notice to credit reporting agencies is   required, provided that more than 1,000 Pennsylvania residents are notified.   The notice to credit reporting agencies must state the timing, distribution,   and number of individual notices.

Rhode Island R.I. Gen. Laws § 11‐49.3‐3 et seq

Categories of covered personal information: First name or first initial and last name in combination with at least one of the following: (1) Social Security number; (2) driver’s license or ID card number; (3) financial account number or credit or debit card number, along with code or password necessary to access financial account; (4) medical or health insurance information; or (5) email address with any security code, access code, or password that would allow access to a personal, medical, insurance, or financial account. 

Exceptions to notice requirement: (1) Encrypted personal information (the statute defines “encrypted” as “transformation of data through the use of a one hundred twenty‐eight (128) bit or higher algorithmic process into a form in which there is a low probability of assigning meaning without use of a confidential process or key. Data shall not be considered to be encrypted if it is acquired in combination with any key, security code, or password that would permit access to the encrypted data”); (2) if the company determines that the breach does not pose “a significant risk of identity theft” to Rhode Island residents; (3) if the company follows “a security breach procedure pursuant to the rules, regulations, procedures, or guidelines established by the primary or functional regulator;” (4) the company is a financial institution that complies with the GLBA Interagency Guidelines; (5) the company is a health‐related company that complies with HIPAA’s breach notification procedures; or (6) if the company follows “its own security breach procedures as part of an information security policy for the treatment of personal information” and is consistent with the timing requirements of the Rhode Island breach notice law. 

Timing of notice to individuals: Disclosure must be provided in the “most expedient time possible,” but no later than 45 days after confirmation of the breach and the ability to ascertain the information required to fulfill the notice requirements, “consistent with the legitimate needs of law enforcement.” 

Requirements for notice to individual (form and content): (1) Written notice; (2) electronic notice; or (3) substitute notice if the company demonstrates that the cost of notice exceeds $25,000, the “affected class of subject persons to be notified exceeds” 50,000 people, or the company does not have sufficient contact information. Substitute notice consists of email notice when available, conspicuous posting of the notice on the company’s website, and notification to major statewide media. The individual notices should contain (1) a “general and brief description” of the breach, including how it occurred and the number of affected individuals; (2) the type of information that was breached; (3) date (or estimated date) of the breach; (4) date of discovery of the breach; (5) description of remediation services, including toll‐free phone numbers and websites for credit reporting agencies, remediation service providers, and the Rhode Island Attorney General; and (6) a “clear and concise” description of the consumer’s ability to file or obtain a police report regarding the data breach, how the individual can request a security freeze on financial accounts, and the fees that consumers may be required to pay to credit bureaus for these remedies.

Notice to state regulators or consumer reporting agencies/credit bureaus: Notice to the Attorney General and the major credit bureaus is required if more than 500 Rhode Island residents are notified. The notices should describe the timing, content, and distribution of the individual notices and the approximate number of affected individuals. These notices are not grounds to delay individual notifications.

South Carolina S.C. Code § 39‐1‐90

Categories of covered personal information: First name or   first initial and last name in combination with at least one of the   following: (1) Social Security number; (2) driver’s license or ID card   number; (3) financial account number or credit or debit card number, along   with code or password necessary to access financial account; or (4) “other   numbers or information which may be used to access a person’s financial   accounts or numbers or information issued by a governmental or regulatory   entity that uniquely will identify an individual.”

Exceptions to notice requirement: (1) if the information has   been “rendered unusable through encryption, redaction, or other methods;” (2)   if the company concludes that “illegal use of the information” has not   occurred, is “not reasonably likely to occur,” and does not create a   “material risk of harm” to a South Carolina resident; (3) if a company is a   financial institution or bank subject to GLBA; (4) if the company is a   financial institution subject to and complying with the GLBA Interagency   Guidance; or (5) if the company follows “its own notification procedures as   part of an information security policy for the treatment of personal   identifying information” and issues a notification that is consistent with   the timing requirements of the South Carolina breach notice law. 

Timing of notice to individuals: Disclosure must be provided   in the “most expedient time possible and without unreasonable delay,” subject   to law enforcement’s legitimate needs, or consistent with “measures necessary   to determine the scope of the breach and restore the reasonable integrity of   the data system.” 

Requirements for notice to individual (form and content): (1)   Written notice; (2) telephonic notice; (3) electronic notice, if that is the   company’s primary method of communicating with the individual; or (4)   substitute notice if the company demonstrates that the cost of notice exceeds   $250,000, the “affected class of subject persons to be notified” is greater   than 500,000 people, or the company does not have sufficient contact   information. Substitute notice consists of email notice when available,   conspicuous posting of the notice on the company’s website, and notification   to major statewide media. 

Notice to state regulators or consumer reporting agencies/credit   bureaus: If more than 1,000 South Carolina residents are notified, the   company must notify without unreasonable delay the Consumer Protection   Division of the South Carolina Department of Consumer Affairs and the major   credit bureaus of the timing, distribution, and content of the notices to   individuals.

South Dakota S.B. 62, 2018 (to be codified)

Categories of covered personal information: First name or   first initial and last name in combination with at least one of the   following: (1) Social Security number; (2) driver’s license or ID card   number; (3) financial account number or credit or debit card number, along   with code or password necessary to access financial accounts; (4) health   information; or (5) “an identification number assigned to a person by the   person’s employer in combination with any required security code, access   code, password, or biometric data generated from measurements of human body   characteristics for authentication purposes.” 

Exceptions to notice requirement: (1) Encrypted or redacted   personal information; (2) if the company, after investigating and notifying   the state Attorney General, “reasonably determines that the breach will not   likely result in harm to the affected person,” provided that the company   retains the written documentation of this determination for at least three   years; (3) if a company is regulated by a federal law or regulation, such as   HIPAA or GLBA, regarding data breach notification; (4) if the company   concludes that illegal use of the information has not occurred, is “not   reasonably likely to occur,” and does not create a “material risk of harm” to   a South Carolina resident; or (5) if the company follows its own internal   notification policy. 

Timing of notice to individuals: Disclosure must be provided   within 60 days of discovery or notification of the breach, unless law   enforcement’s legitimate needs require a delay. 

Requirements for notice to individual (form and content): (1)   Written notice; (2) electronic notice, if that is the company’s primary   method of communicating with the individual; or (3) substitute notice if the   company demonstrates that the cost of notice exceeds $250,000, the “affected   class of persons to be notified” is greater than 500,000 people, or the   company does not have sufficient contact information. Substitute notice   consists of email notice when available, conspicuous posting of the notice on   the company’s website, and notification to major statewide media. 

Notice to state regulators or consumer reporting agencies/credit   bureaus: The company must notify the credit bureaus of any breach without   unreasonable delay. If more than 250 residents are notified, the company must   notify the state Attorney General.

Tennessee Tenn. Code § 47‐18‐2107(a)

Categories of covered personal information: First name or   first initial and last name in combination with at least one of the   following: (1) Social Security number; (2) driver’s license or ID card   number; or (3) account number or credit or debit card number, along with code   or password necessary to access financial account. 

Exceptions to notice requirement: (1) if the data is   encrypted, provided that the key was not accessed; (2) if the company   determines that the breach did not “materially” compromise the security,   confidentiality, or integrity of personal information; (3) if the company is   subject to GLBA; (4) if the company is subject to HIPAA; or (5) if the   company complies with “its own notification procedures as part of an   information security policy for the treatment of personal information” and is   consistent with the timing requirements of the Tennessee breach notification   law. 

Timing of notice to individuals: Disclosure must be provided   immediately, but no later than 45 days from the discovery or notification of   the breach, unless the legitimate needs of law enforcement require a delay. 

Requirements for notice to individual (form and content): (1)   Written notice; (2) electronic notice; or (3) substitute notice if the   company demonstrates that the cost of notice exceeds $250,000, the “affected   class of subject persons to be notified” is greater than 500,000 people, or   the company does not have sufficient contact information. Substitute notice   consists of email notice when available, conspicuous posting of the notice on   the company’s website, and notification to major statewide media. 

Notice to state regulators or consumer reporting agencies/credit   bureaus: Notice to state regulators is not required. Notice to credit   reporting agencies is required, provided that more than 1,000 Tennessee residents   are notified. The notice to credit reporting agencies must describe the   timing, distribution, and content of the individual notices.

Texas Tex. Bus. & Com. Code § 521.001 et seq

Categories of covered personal information: The Texas statute applies to “sensitive personal information,” which includes two general categories. The first category includes first name or first initial and last name in combination with at least one of the following: (1) Social Security number; (2) driver’s license or ID card number; or (3) financial account number or credit or debit card number, along with code or password necessary to access financial account. The second category includes sensitive information that identifies an individual and relates to (1) the physical or mental health or condition of the individual; (2) the provision of health care to the individual; or (3) payment for the provision of health care to the individual. Some commentators have suggested that the Texas statute could be read to require companies to provide notice even if the affected individuals do not live in Texas, though no court has ruled on this issue.

Exceptions to notice requirement: (1) Encrypted data, provided that the accessor does not have the decryption key; or (2) if the company follows its “own notification procedures as part of an information security policy for the treatment of sensitive personal information” and is consistent with the timing requirements of the Texas breach notification statute.

Timing of notice to individuals: Disclosure must be made “as quickly as possible,” except if a delay is requested by law enforcement or “as necessary to determine the scope of the breach and restore the reasonable integrity of the data system.”

Requirements for notice to individual (form and content): (1) Written notice to last known address; (2) electronic notice; or (3) substitute notice if the company demonstrates that the cost of notice exceeds $250,000, the “number of affected persons exceeds 500,000,” or the company does not have sufficient contact information. Substitute notice consists of email notice when available, conspicuous posting of the notice on the company’s website, and notification published in or broadcast on major statewide media.

Notice to state regulators or consumer reporting agencies/credit bureaus: Notice to state regulators is not required. Notice to credit reporting agencies is required, provided that more than 10,000 people are notified under this law. The notice to credit reporting agencies must state the timing, distribution, and content of the individual notices.

Utah Code § 13‐44‐101 et seq

Categories of covered personal information: First name or first initial and last name in combination with at least one of the following: (1) Social Security number; (2) driver’s license or ID card number; or (3) financial account number or credit or debit card number, along with code or password necessary to access financial account.

Exceptions to notice requirement: (1) If the personal information is encrypted or protected by another method that renders the data unreadable or unusable; (2) if a “reasonable and prompt investigation” conducted in good faith determines that “misuses of personal information for identity theft or fraud purposes” has neither occurred nor is “reasonably likely to occur;” (3) if a company is “regulated by state or federal law and maintains procedures for a breach of system security under applicable law established by the primary state or federal regulator,” provided that it follows that system’s notification rules; or (4) if the company follows its “own notification procedures as part of an information security policy for the treatment of personal information” that is consistent with the timing requirements of the Utah breach notice law.

Timing of notice to individuals: Disclosure must be provided in “the most expedient time possible and without unreasonable delay,” subject to the needs of law enforcement and to determine the scope of the breach and restore system integrity.

Requirements for notice to individual (form and content): (1) Written notice via first‐class mail to the individual’s most recent address; (2) telephonic notice, including via automatic dialing technology that is not legally prohibited; (3) electronic notice, if that is the company’s primary method of communicating with the individual; or (4) for Utah residents for whom the other notification methods are “not feasible,” publishing a notice in a general circulation newspaper. Unlike most other states, Utah does not allow the standard form of substitute notice.

Notice to state regulators or consumer reporting agencies/credit bureaus: Notice is not required.
