This post concludes the current listing of state data breach notification laws. At KC&A, we want to ensure our readers and subscribers have immediate access to key legislative guidelines in both the cybersecurity and corporate tax incentive spaces.
Subscribe for more insights and real-time updates.
Vermont Vt. Stat. Ann. tit. 9, § 2430 et seq
Categories of covered personal information: First name or first initial and last name in combination with at least one of the following: (1) Social Security number; (2) driver’s license or ID card number; (3) financial account number or credit or debit card number, along with code or password necessary to access financial account; or (4) account passwords, PINS, or other codes that could access a financial account.
Exceptions to notice requirement: (1) Information that is encrypted, redacted, or “protected by another method that renders [it] unreadable or unusable by unauthorized persons;” (2) the company determines that misuse of personal information is “not reasonably possible” and notifies the Vermont Attorney General or Vermont Department of Financial Regulation of this determination; or (3) if a company is a financial institution that is subject to the GLBA Interagency Guidance.
Timing of notice to individuals: Disclosure must be provided “in the most expedient time possible and without unreasonable delay,” but not later than 45 days after the discovery or notification, subject to law enforcement’s “legitimate needs” or consistent “with any measures necessary to determine the scope of the security breach and restore the reasonable integrity, security, and confidentiality of the data system.”
Requirements for notice to individual (form and content): (1) Written notice to the individual’s residence; (2) telephonic notice, provided that telephonic contact is made directly with each affected individual and not via a prerecorded message; (3) electronic notice, if the company has a valid email address; or (4) substitute notice if the company demonstrates that the cost of notice exceeds $5,000, the “class of affected consumers to be provided written or telephonic notice exceeds 5,000,” or the company does not have sufficient contact information. Substitute notice consists of conspicuous posting of the notice on the company’s website and notification to major statewide and regional media. Individual notices must contain (1) a description of the breach; (2) the type of personal information that was breached; (3) the steps that the company took to protect against further unauthorized access; (4) a toll‐free number for more information; (5) advice to “remain vigilant” by reviewing account statements and free credit reports; and (6) date of the breach.
Notice to state regulators or consumer reporting agencies/credit bureaus: Vermont requires two forms of notice to state regulators. First, the Vermont Attorney General or Department of Financial Regulation must be notified of the dates of the breach and discovery, along with a preliminary description, within 14 business days, consistent with the needs of law enforcement. Companies must notify state regulators no later than when they notify consumers. In other words, if a company notifies consumers seven days after discovering a breach, it must notify Vermont regulators at the same time that it notifies consumers, even though the 14‐day period has not elapsed. If, before the breach occurs, the company swears in writing to the Attorney General that it maintains written security policies and procedures and responds to breaches in a manner consistent with Vermont law, the company need only notify state regulators of the date of the breach and discovery of the breach before it notifies individuals. Second, when companies notify Vermont residents of data breaches, they also must provide Vermont regulators with a copy of the individual notice and the number of Vermont residents who were notified. If more than 1,000 consumers are notified, the company shall notify credit bureaus, without unreasonable delay, of the timing, distribution, and content of the notice.
Data brokers: Separate from its standard data breach notice law, as of 2019, Vermont began requiring data brokers to annually report data breaches to the Vermont Secretary of State. Data brokers must report breaches of individuals’ names, addresses, birth dates, places of birth, mother’s maiden names, biometric data, immediate family members’ names or addresses, social security numbers or other government‐issued identification numbers, or “other information that, alone or in combination with the other information sold or licensed, would allow a reasonable person to identify the consumer with reasonable certainty.”
Virginia Va. Code § 18.2‐186.6
Categories of covered personal information: First name or first initial and last name in combination with at least one of the following: (1) Social Security number; (2) driver’s license or ID card number; or (3) financial account number or credit or debit card number, along with code or password necessary to access financial account.
Exceptions to notice requirement: (1) Encrypted or redacted personal information; (2) if the company does not reasonably believe that the breach “has caused or will cause identity theft or other fraud” to a Virginia resident; (3) if the company follows its internal notification procedures and is consistent with the timing requirements of the statute; or (4) if the company is subject to and complies with the notification requirements of GLBA or the requirements of its primary or functional state or federal regulator.
Timing of notice to individuals: Disclosure must be provided “without unreasonable delay,” subject to the needs of law enforcement and to determine the scope of the breach and restore system integrity.
Requirements for notice to individual (form and content): (1) Written notice to the last known postal address listed in the company’s records; (2) telephonic notice; (3) electronic notice; or (4) substitute notice if the company demonstrates that the cost of notice exceeds $50,000, at least 100,000 Virginia residents would have to be notified, or the company does not have sufficient contact information. Substitute notice consists of email notice when available, conspicuous posting of the notice on the company’s website, and notification to major statewide media. Notice must describe: (1) the incident “in general terms;” (2) the categories of personal information subject to the breach; (3) the general steps taken to protect the information from further unauthorized access; (4) a phone number for more information, if one exists; and (5) advice to “remain vigilant by reviewing account statements and monitoring free credit reports.”
Notice to state regulators or consumer reporting agencies/credit bureaus: Notice of the timing, distribution, and content of the individual notices must be sent to the Virginia Attorney General and consumer reporting agencies “without unreasonable delay” if more than 1,000 Virginia residents are notified at one time.
Income tax data breach: If a company experiences a breach of “computerized data relating to income tax withheld,” it must notify the Virginia Attorney General “without unreasonable delay.” Covered data includes a taxpayer identification number combined with the income tax withheld, provided that the company “reasonably believes” that the breach “has caused or will cause, identity theft or other fraud.” For employers, the requirement only applies to the company’s own employees, and not to customers or others. If notice is required, the company must provide the Virginia Attorney General with its name and federal employer identification number.
Washington State Wash. Rev. Code § 19.255.010
Categories of covered personal information: First name or first initial and last name in combination with at least one of the following: (1) Social Security number; (2) driver’s license or ID card number; or (3) financial account number or credit or debit card number, along with code or password necessary to access financial account.
Exceptions to notice requirement: (1) the information is encrypted; (2) if the company determines that the breach is “not reasonably likely to subject consumers to a risk of harm;” (3) if the company follows “its own notification procedures as part of an information security policy for the treatment of personal information” and is consistent with the timing requirements of the Washington state breach notice law; or (4) if the company is subject to and complies with the notification requirements of HIPAA or the GLBA financial institution Interagency Guidelines.
Timing of notice to individuals: Disclosure must be provided in the “most expedient time possible and without unreasonable delay,” and no later than 45 days after discovery of the breach, unless requested by law enforcement or “due to any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.”
Requirements for notice to individual (form and content): (1) Written notice; (2) electronic notice; or (3) substitute notice if the company demonstrates that the cost of notice exceeds $250,000, the “affected class of subject persons to be notified” is greater than 500,000 people, or the company does not have sufficient contact information. Substitute notice consists of email notice when available, conspicuous posting of the notice on the company’s website, and notification to major statewide media. Notices must be written in “plain language” and include (1) name and contact information of the company, (2) a list of the categories of personal information at issue, and (3) toll‐free telephone numbers of the major credit reporting agencies if personal information was exposed.
Notice to state regulators or consumer reporting agencies/credit bureaus: If a company is required to notify more than 500 Washington state residents of a breach, it must electronically submit a sample copy of that notification, without personally identifiable information, to the Washington State Attorney General, along with the number of Washington State residents affected (or an estimate if the exact number is unknown). Credit bureau notification is not required.
West Virginia W. Va. Code § 46A‐2A‐101 et seq
Categories of covered personal information: First name or first initial and last name in combination with at least one of the following: (1) Social Security number; (2) driver’s license or ID card number; or (3) financial account number or credit or debit card number, along with code or password necessary to access financial account.
Exceptions to notice requirement: (1) Encrypted or redacted personal information (“encrypted” is defined as “transformation of data through the use of an algorithmic process into a form in which there is a low probability of assigning meaning without use of a confidential process or key or securing the information by another method that renders the data elements unreadable or unusable”); (2) if the company does not “reasonably believe that the breach has caused or will cause identity theft or other fraud” to a West Virginia resident; (3) if the company “complies with the notification requirements or procedures pursuant to the rules, regulation, procedures or guidelines established by the entity’s primary or functional regulator;” (4) if a company is subject to and follows the financial institution federal Interagency Guidance for notifications; or (5) if the company follows “its own notification procedures as part of an information privacy or security policy for the treatment of personal information” and is consistent with the timing requirements of the West Virginia breach notice law.
Timing of notice to individuals: Disclosure must be provided “without unreasonable delay,” subject to “any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the system.” Additionally, the company may delay notice if “a law‐enforcement agency determines and advises the individual or entity that the notice will impede a criminal or civil investigation or homeland or national security.”
Requirements for notice to individual (form and content): (1) Written notice to postal address of the individual; (2) telephonic notice; (3) electronic notice; or (4) substitute notice if the company demonstrates that the cost of notice exceeds $50,000, at least 100,000 West Virginia residents would have to be notified, or the company does not have sufficient contact information. Substitute notice consists of email notice when available, conspicuous posting of the notice on the company’s website, and notification to major statewide media.
Notice to state regulators or consumer reporting agencies/credit bureaus: Notice to state regulators is not required. If more than 1,000 West Virginia residents are notified, the company also must notify the credit reporting agencies of the timing, distribution, and content of the notices. This requirement does not apply to financial institutions that are subject to GLBA.
Wisconsin Wis. Stat. § 134.98
Categories of covered personal information: First name or first initial and last name in combination with at least one of the following: (1) Social Security number; (2) driver’s license or ID card number; (3) financial account number or credit or debit card number, along with code or password necessary to access financial account; (4) DNA profile; or (5) unique biometric data, including fingerprint, voice print, retinal or iris image, or other unique physical representation.
Exceptions to notice requirement: (1) Encrypted or redacted personal information; (2) if the breach “does not create a material risk of identity theft or fraud to the subject of the personal information;” or (3) if a company is subject to and follows the financial institution federal Interagency Guidance for notifications or HIPAA’s notification procedures.
Timing of notice to individuals: Disclosure must be provided “within a reasonable time,” not to exceed 45 days after the company learns of the breach. Reasonableness determinations should consider the number of notices required and methods of communication available. Notice may be delayed at the request of law enforcement.
Requirements for notice to individual (form and content): The notice must be provided by mail or the method the company has previously used to communicate with the individual. If, with reasonable diligence, the company cannot determine the individual’s mailing address and has not previously communicated with the individual, the company must use a “method reasonably calculated to provide actual notice to the subject of the personal information.” The individual notice should indicate that the company knows of a breach of personal information pertaining to the individual.
Notice to state regulators or consumer reporting agencies/credit bureaus: Notice to state regulators is not required. If more than 1,000 Wisconsin residents are notified, the company also must notify the credit reporting agencies of the timing, distribution, and content of the notices.
Wyoming Wyo. Stat. § 40‐12‐501 et seq
Categories of covered personal information: First name or first initial and last name in combination with at least one of the following: (1) Social Security number; (2) driver’s license number; (3) financial account number, credit card number, or debit card number in combination with any security code or password that would allow access to a financial account; (4) tribal identification card; (5) federal or state government‐issued ID card; (6) shared secrets or security tokens that are known to be used for data‐based authentication; (7) username or email address in combination with a password; (8) birth or marriage certificate; (9) medical information; (10) health insurance information; (11) unique biometric data; or (12) individual taxpayer ID number.
Exceptions to notice requirement: (1) Encrypted or redacted personal information; (2) if an investigation determines that misuse of the personal information has not occurred and is not “reasonably likely to occur;” (3) if a company is subject to and follows the financial institution federal Interagency Guidance for notifications; or (4) if the company follows its internal notification procedures and is consistent with the timing requirements of the state statute.
Timing of notice to individuals: Disclosure must be provided in the “most expedient time possible and without unreasonable delay” consistent with legitimate needs of law enforcement and measures necessary to determine the scope of the breach and restore reasonable integrity of the data system.
Requirements for notice to individual (form and content): (1) Written notice; (2) electronic notice; or (3) substitute notice if the company demonstrates that “the affected class of subject persons to be notified exceeds ten thousand (10,000) for Wyoming‐based persons or businesses and five hundred thousand (500,000) for all other businesses operating but not based in Wyoming”; or if the company does not have sufficient contact information. Substitute notice consists of conspicuous posting of the notice on the company’s website, and notification to major statewide media. Individual notices must contain, at minimum, (1) a toll‐free phone number to contact the company and learn the contact information for major credit bureaus; (2) the types of personal information that were reasonably believed to have been breached; (3) a general description of the breach; (4) the approximate date of the breach, if determinable; (5) the steps taken by the company to prevent further harm; (6) advice to remain vigilant by reviewing account statements and monitoring credit reports; and (7) whether notification was delayed due to a law enforcement investigation, if that is possible to determine at the time of the notice.
Notice to state regulators or consumer reporting agencies/credit bureaus: Notice to state regulators and credit bureaus is not required.