DATA BREACH. State-by-State Notification & Response Reference Guide


DATA BREACH State-by-State Notification & Response Reference Guide

*At this time, these states do not have data breach statutes.

ALASKA

Alaska Stat et seq.

Date Enacted or Last Revised: 2009

Personal Information (of Alaska residents): Information in any form on an individual, that is not encrypted or redacted, or is encrypted and the encryption key has been accessed or acquired, and that consists of a combination of (A) an individual's name; and (B) one or more of the following information elements: (i) social security number; (ii) driver's license or state ID card number; (iii) the individual's account number, credit card number, or debit card number, if no access code, personal identification number, or password is required to access the account; (iv) the individual's account number, credit card number, or debit card number in combination with an access code, a personal identification number, or password required to access the account; (v) passwords, personal ID numbers, or other access codes for financial accounts.

Security Breach: Unauthorized acquisition or reasonable belief of unauthorized acquisition of personal information that compromises the security, confidentiality or integrity of the personal information maintained by the information collector. Acquisition includes acquisition by (A) photocopying, facsimile, or other paper-based method; (B) a device, including a computer, that can read, write, or store information that is represented in numerical form; or (C) a method not identified by (A) or (B).

Who Must Report: Any person doing business, any person with more than 10 employees, and any state or local governmental agency, that owns or licenses personal information on a state resident.

Individual Notice: Yes. Notice must be given to each state resident whose personal information was subject to the breach. Substitute notice is available if the information collector demonstrates that the cost of providing notice would exceed $150,000, that the affected class of state residents to be notified exceeds 300,000, or that the information collector does not have sufficient contact information to provide notice.

Credit Reporting Agency Notice: Yes. If an entity is required to notify more than 1,000 state residents of a breach, it must also notify without unreasonable delay all consumer credit reporting agencies that compile and maintain files on consumers on a nationwide basis.

Government Notice: No.

Third Party Notice: Yes. Immediately after an information recipient discovers a security breach, the information recipient shall notify the information distributor who owns the personal information or who licensed the use of the personal information to the information recipient.

Timing: Written or electronic notice must be provided in the most expeditious time possible and without unreasonable delay, unless disclosure impedes a criminal investigation.

Risk of Harm Analysis: Yes. Disclosure is not required if, after an appropriate investigation and after written notification to the Attorney General of this state, the covered person determines that there is not a reasonable likelihood that harm to the consumers whose personal information has been acquired has resulted or will result from the breach. The determination shall be documented in writing and the documentation shall be maintained for five years. The notification required by this subsection shall not be considered a public record open to inspection by the public.

Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted or redacted. Exemption for good-faith acquisition by an employee, so long as personal information not used for an illegitimate purpose or further subject to unauthorized disclosure.

Violations subject the violator to a civil penalty of up to $500 for each consumer who was not provided notice, up to a maximum penalty of $50,000. Yes.

ARIZONA

Ariz. Rev. Stat

Date Enacted or Last Revised: 2007

Personal Information (of Arizona residents): Name plus SSN, driver's license number, account numbers, credit or debit card numbers; passwords, PINs or other access codes for financial accounts.

Security Breach: An unauthorized acquisition of unencrypted or unredacted computerized data that materially compromises the security or confidentiality of PI maintained by a covered entity as part of a data base of PI regarding multiple individuals and that causes or is reasonably likely to cause substantial economic loss to an individual.

Who Must Report: Any person that conducts business in Arizona and owns or licenses unencrypted computerized data that includes personal information.

Individual Notice: Yes. Written, electronic or telephonic notice must be provided to victims of a security breach. Substitute notice by means prescribed in the statute allowed in the case of larger breaches.

Credit Reporting Agency Notice: No.

Government Notice: No.

Third Party Notice: Yes. If covered entity maintains unencrypted data that includes PI that covered entity does not own, covered entity shall notify and cooperate with the owner or licensee of the information of any breach following discovery of the breach without unreasonable delay. Cooperation shall include sharing information relevant to the breach with the owner or licensee. The owner or licensee of the data shall provide notice to the individual, unless any agreement between the covered entity and the owner or licensee provides otherwise.

Risk of Harm Analysis: Yes. A person is not required to disclose a breach of the security of the system if the person or a law enforcement agency, after a reasonable investigation, determines that a breach of the security of the system has not occurred or is not reasonably likely to occur. A breach occurs only if the security or confidentiality of an individual's personal information is materially compromised and if the event causes or is reasonably likely to cause substantial economic loss to an individual.

Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted or redacted. Exemption for good-faith acquisition by an employee or agent, so long as PI not used for a purpose unrelated to the covered entity or subject to further willful unauthorized disclosure. Entities that comply with the notification requirements or security breach procedures pursuant to the rules, regulations, procedures, guidance or guidelines established by the entities' primary or functional federal regulator are exempt. Entities subject to Title V of the GLBA as well as entities covered by the Health Insurance Portability and Accountability Act (HIPAA) are exempt.

Actual damages for a willful and knowing violation of the statute. Civil penalty not to exceed $10,000 per breach of the security of the system or series of breaches of a similar nature that are discovered in a single investigation. No.

Timing: Notice must be provided within the most expedient time possible and without unreasonable delay, unless disclosure impedes law enforcement investigation.

ARKANSAS

Ark. Code et seq.

Date Enacted or Last Revised: April 13, 2005

Personal Information (of Arkansas residents): First name or initial and last name of an individual, with any one (1) or more of the following data elements when either the name or the data element is not encrypted or redacted: (A) social security number; (B) driver's license number or Arkansas identification card number; (C) account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account; and (D) medical information.

Security Breach: A breach of the security system is the unauthorized acquisition of computerized data that compromises security, confidentiality, or integrity of personal information maintained by a person or business.

Who Must Report: Individuals, businesses, and state agencies that acquire, own, or license personal information about Arkansas residents.

Individual Notice: Written or electronic notice must be provided to victims of a security breach. Substitute notice by means prescribed in the statute allowed if the cost of providing service exceeds $250,000, if the affected class of consumers exceeds 500,000 persons, or if the individual does not have sufficient contact information to provide notice.

Credit Reporting Agency Notice: No.

Government Notice: No.

Third Party Notice: Covered entity must notify owner or licensee of data that includes PI of any breach of security immediately following discovery.

Timing: Notice must be provided within the most expedient time possible and without unreasonable delay, unless disclosure impedes law enforcement investigation. In case of investigation, notice to be made only after law enforcement determines notification will not compromise investigation.

Risk of Harm Analysis: Yes. Notification is not required if, after a reasonable investigation, the person or business determines that there is no reasonable likelihood of harm to customers.

Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted. Entities regulated by any state or federal law that provides greater protection to personal information and similar disclosure requirements are exempt. Any covered entity that maintains and proceeds in compliance with its own notification procedures as part of an information security policy for treatment of PI and is otherwise consistent with timing requirements of statute is deemed to be in compliance. Data destruction or encryption mandatory when personal information records are discarded.

Action may be brought by Attorney General, under deceptive trade practices statute. No.

CALIFORNIA

Cal. Civ. Code , , et. seq.

Date Enacted or Last Revised: Jan. 1, 2016 (expands notification requirements and definition of PI)

Personal Information (of California residents): An individual's first name or first initial and last name in combination with any one or more of the following: social security number; driver's license number or CA ID card; account number, credit or debit card number, in combination with any required security code, or password that would permit access to an individual's financial account; medical information; health insurance information; and information or data collected through the use or operation of an automated license plate recognition system. Personal information also includes a user name or address, in combination with a password or security question and answer that would permit access to an online account.

Security Breach: An unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of PI maintained by a covered entity.

Who Must Report: Any person or business that conducts business in California or any state or local agency that owns or licenses computerized data that includes personal information.

Individual Notice: Yes. Written or electronic notice must be provided to victims of a security breach. Substitute notice by means prescribed in the statute allowed in the case of very large breaches. Requires specific notice content, including a general description of the incident, the type of information breached, the time of the breach and toll-free numbers and addresses of the major credit card reporting agencies in CA, whether notification was delayed as result of law enforcement investigation; the name and contact information of the reporting person, a list of types of PI believed to be in breach, an offer to provide identity theft services not less than 12 months, and other requirements. Must be in plain language. Additional discretionary language as permitted under statute. If the personal information compromised in the data breach only includes a user name or address in combination with a password or security question and answer (and no other personal information), then notice may be provided in electronic or other form that directs the person whose personal information has been breached to promptly change his or her password and security question and answer (or take other steps to protect the online account).

Credit Reporting Agency Notice: No.

Government Notice: Yes. Notice to California Attorney General must be given if a single breach affects more than 500 Californians. Submission of online reporting form required.

Third Party Notice: Yes. If a covered entity maintains computerized data that includes PI that the entity does not own, the entity must notify the owner or licensee of the information of any breach of security immediately following discovery.

Timing: Individual notice must be provided within the most expedient time possible and without unreasonable delay, unless disclosure impedes a criminal investigation. 5-day notice requirement (to state agency) in event of breach of medical/health information.

Risk of Harm Analysis: No, except to the extent the definition of breach may incorporate elements of such a test.

Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted. Exemption for good-faith acquisition by an employee or agent, so long as personal information not used or subject to further willful unauthorized disclosure. Compliance cannot be waived by the affected individual. Any covered entity that maintains and proceeds in compliance with its own notification procedures as part of an information security policy for treatment of personal information and is otherwise consistent with timing requirements of statute is deemed to be in compliance. Entity responsible for data required to take all reasonable steps to destroy a customer's records that contain personal information when the entity will no longer retain those records.

Civil remedies available for violation of the statute. Yes. Action may also be brought by State.

COLORADO

Colo. Rev. Stat et seq.

Date Enacted or Last Revised: 2006

Personal Information (of Colorado residents): First name or first initial and last name in combination with any one or more of the following data elements that relate to the resident (when not encrypted, redacted, or secured): (A) social security number; (B) driver's license number or identification card number; (C) account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a resident's financial account.

Security Breach: An unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of the PI.

Who Must Report: Individual or commercial entity that conducts business in Colorado and owns or licenses computerized data that includes personal information.

Individual Notice: Yes. Written, electronic, or telephonic notice must be provided to victims of a security breach. Substitute notice by means prescribed in the statute allowed if the cost of providing service exceeds $250,000, if the affected class of consumers exceeds 250,000 persons, or if the individual does not have sufficient contact information to provide notice.

Credit Reporting Agency Notice: An entity that must notify more than 1,000 persons at one time of a security breach is required to also promptly notify all consumer reporting agencies of the breach. Entities subject to Title V of the GLBA are exempt.

Government Notice: No.

Third Party Notice: Yes. If covered entity maintains computerized data including PI that entity does not own or license, the entity shall give notice to and cooperate with the owner or licensee of the information of any breach immediately following discovery, if misuse of PI about a Colorado resident occurred or is likely to occur. Cooperation includes sharing with the owner or licensee information relevant to the breach, except that such cooperation shall not be deemed to require the disclosure of confidential business information or trade secrets.

Timing: Notice must be provided within the most expedient time possible and without unreasonable delay, unless disclosure impedes law enforcement investigation.

Risk of Harm Analysis: Yes. After a reasonable investigation, a commercial entity must give notice of a breach unless the investigation determines that the misuse of information about a Colorado resident has not occurred and is not reasonably likely to occur.

Exemption for good-faith acquisition by an employee or agent, so long as personal information not used or subject to further willful unauthorized disclosure. Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted, redacted or secured by any other method rendering it unreadable or unusable. Any entity that maintains and proceeds in compliance with its own notification procedures as part of an information security policy for treatment of PI and is otherwise consistent with timing requirements of statute is deemed to be in compliance. Entities regulated by state or federal law that maintain procedures for addressing security breaches pursuant to those laws are exempt.

Attorney General may bring action in law or equity and may seek direct economic damages. No.

CONNECTICUT

Conn. Gen. Stat. 36a-701b

Date Enacted or Last Revised: October 1, 2015

Personal Information (of Connecticut residents): An individual's first name or first initial and last name in combination with any one, or more, of the following data: social security number; driver's license or state ID; account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account. Personal information does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media.

Security Breach: Unauthorized access to or unauthorized acquisition of electronic files, media, databases or computerized data, containing personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable.

Who Must Report: Any person who conducts business in Connecticut, and who, in the ordinary course of such person's business, owns, licenses, or maintains computerized data that includes personal information.

Written notice to the Insurance Commissioner ( permissible) as soon as the incident is identified but no later than five (5) calendar days after the incident is identified.

Credit Reporting Agency Notice: No.

Government Notice: Yes. Notice to the Attorney General required within the same time frame as notice to affected individuals. An information security incident at a vendor or business associate of an entity regulated by the Insurance Department which has the potential of affecting a Connecticut insured should be reported by the licensee or registrant to the Commissioner.

Third Party Notice: Yes. If a covered entity maintains computerized data that includes personal information that the entity does not own, the entity must notify the owner or licensee of the information of any breach of security immediately following discovery if the personal information was, or is reasonably believed to have been, accessed by an unauthorized person.

Timing: Notice must be provided without unreasonable delay but not later than ninety days after discovery, unless disclosure impedes law enforcement investigation.

All entities regulated by the Insurance Department of the State of Connecticut

Individual Notice: Yes. Written, electronic or telephonic notice must be provided to residents whose personal information was breached or is reasonably believed to have been breached. Substitute notice by means prescribed in the statute allowed in the case of very large breaches. If a breach exposes social security numbers, the notice to residents must include appropriate theft mitigation services. Such service or services shall be provided at no cost to such resident for a period of not less than twelve months. The covered entity shall provide all information necessary for such resident to enroll in such service or services and shall include information on how such resident can place a credit freeze on such resident's credit file. Consumers have the right to place a security freeze on their credit reports.

Risk of Harm Analysis: Yes. Such notification shall not be required if, after an appropriate investigation and consultation with relevant federal, state and local agencies responsible for law enforcement, the person reasonably determines that the breach will not likely result in harm to the individuals whose personal information has been acquired and accessed.

Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is secured by encryption or by any other method or technology that renders it unreadable or unusable. Any person that maintains a security breach procedure pursuant to the rules, regulations, procedures or guidelines established by the primary or functional regulator is exempt.

Enforcement by Attorney General only pursuant to unfair trade practice laws. Maximum penalty of $25,000. No.

DELAWARE

Del. Code Ann. Tit. 6, 12B-101, et. seq.

Date Enacted or Last Revised: June 28, 2005

Personal Information (of Delaware residents): First name or first initial and last name in combination with any one, or more, of the following data elements that relate to the resident when either the name or the data elements are not encrypted: social security number; driver's license or Delaware identification card; account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to a resident's financial account. Personal information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government record.

Security Breach: Unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality or integrity of personal information maintained by an individual or commercial entity.

Government Notification: No.

Third Party Notification: Yes. If a covered entity maintains computerized data that includes personal information that the entity does not own, the entity must notify the owner or licensee of the information of any breach of security immediately following discovery.

Timing: Notice must be provided within the most expedient time possible and without unreasonable delay, unless disclosure impedes law enforcement investigation.

Risk of Harm Analysis: Yes. If an investigation determines that the misuse of information about a Delaware resident has occurred or is reasonably likely to occur, the individual or the commercial entity shall give notice as soon as possible to the affected Delaware resident.

Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted.

Who Must Report: Individual or a commercial entity that conducts business in Delaware and owns or licenses computerized data that includes personal information about a resident of Delaware. Commercial entity includes corporations, business trusts, estates, trusts, partnerships, limited partnerships, limited liability partnerships, limited liability companies, associations, organizations, joint ventures, governments, governmental subdivisions, agencies, or instrumentalities, or any other legal entity, whether for profit or not-for-profit.

Individual Notice: Yes. Written, telephonic, or electronic notice must be provided to victims of a security breach. Substitute notice by means prescribed in the statute allowed in the case of large breaches.

Credit Reporting Agency Notification: No.

Good faith acquisition of personal information by an employee or agent of an individual or a commercial entity for the purposes of the individual or the commercial entity is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure. Entities regulated by any state or federal law that provides greater protection to personal information are exempt.

The Attorney General may bring an action in law or equity to address violations and for other relief that may be appropriate to ensure proper compliance with this chapter or to recover direct economic damages resulting from a violation, or both. No.

FLORIDA

Fla. Stat

Date Enacted or Last Revised: July 1, 2014

Personal Information (of Florida residents): Either (a) An individual's first name or first initial and last name in combination with a SSN; driver's license or ID card number, passport number, military ID number or similar number, financial account number or credit or debit card number in combination with a security code, access code or password necessary to permit access to the account; medical information; or health insurance information; or (b) A user name or address, in combination with a password or security question and answer that would permit access to an online account.

Security Breach: Unauthorized access of data in electronic form containing personal information.

Notice to Attorney General must be provided no later than 30 days after determination of breach. (Additional notification time may be obtained by providing a written notice to the Attorney General Department of Legal Affairs within the 30 day period).

Risk of Harm Analysis: Yes. Notice to the affected individuals is not required if, after an appropriate investigation and consultation with relevant federal, state, or local law enforcement agencies, the covered entity reasonably determines that the breach has not and will not likely result in identity theft or any other financial harm to the individuals whose personal information has been accessed. Such a determination must be documented in writing and maintained for at least 5 years. The covered entity shall provide the written determination to the department within 30 days after the determination.

Who Must Report: Any sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity that acquires, maintains, stores, or uses personal information.

Individual Notice: Yes. Written or electronic notice must be provided to Florida residents whose personal information was, or is reasonably believed to have been, accessed as a result of a security breach. Specific content requirements for notice to individuals. Substitute notice by means prescribed in the statute allowed in the case of very large breaches.

Credit Reporting Agency Notification: Yes. An entity that must notify more than 1,000 persons at one time of a security breach is required to also promptly notify all consumer reporting agencies of the breach.

Government Notice: Yes. Notice to FL Attorney General required if a single breach affects more than 500 Florida residents. Specific content requirements for Attorney General notification.

Third Party Notice: Yes. If data was held by a person for another business entity, then notification to the business entity must be given within 10 days.

Timing: Notice must be provided to individuals no later than 30 days following the determination of the breach. The notification may be delayed upon the written request of law enforcement.

Personal information does not include information that is encrypted, secured or modified to remove elements that personally identify an individual or otherwise render the information unusable. Entities notifying individuals in compliance with requirements of federal regulator are deemed to comply with requirement to notify individuals. Deemed compliance with FL Attorney General notification requirement if a copy of the notice is timely provided to FL Attorney General Department of Legal Affairs. Exemption for good-faith acquisition by an employee or agent, so long as personal information is not used for purposes unrelated to the business or subject to further unauthorized use.

Allows the Department of Legal Affairs to assess and collect the fines. For failure to provide notice of the security breach within 30 days: (i) $1,000 per day per breach, then (ii) up to $50,000 for each 30-day period up to 180 days, then (iii) an amount not to exceed $500,000. Penalties apply per breach, not per affected individual. Penalties do not apply to government entities. No.

GEORGIA

Ga. Code Ann., , et. seq.

Date Enacted or Last Revised: 2007

Personal Information (of Georgia residents): An individual's first name or first initial and last name in combination with any one, or more, of the following data: social security number; driver's license or state ID; any account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account; account passwords or personal identification numbers or other access codes; any of the above items when not in connection with the individual's first name or first initial and last name, if the information compromised would be sufficient to perform or attempt to perform identity theft against the person whose information was compromised.

Security Breach: An unauthorized acquisition of an individual's electronic data that compromises the security, confidentiality, or integrity of PI.

Who Must Report: Any information broker that maintains computerized data that includes personal information. Information broker defined as any person or entity who, for monetary fees or dues, engages in whole or in part in the business of collecting, assembling, evaluating, compiling, reporting, transmitting, transferring, or communicating information concerning individuals for the primary purpose of furnishing personal information to nonaffiliated third parties, but does not include any governmental agency whose records are maintained primarily for traffic safety, law enforcement, or licensing purposes.

Individual Notice: Yes. Written or electronic notice must be provided to victims of a security breach. Substitute notice by means prescribed in the statute allowed in the case of very large breaches or if the information broker does not have sufficient contact information to notify affected individuals.

Consumer Reporting Agency Notice: Yes. A data broker that must notify more than 10,000 Georgia residents at one time of a security breach is required to also promptly notify all consumer reporting agencies of the breach.

Government Notice: No.

Third Party Notice: Yes. If information is being held by another entity, notice by the holding entity to the owner entity must be given immediately after the breach. Notice to other entities is required within 24 hours of discovery of the breach if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

Timing: Notice must be provided within the most expedient time possible and without unreasonable delay, unless disclosure impedes a criminal investigation.

Risk of Harm Analysis: No, except as the definition of breach may incorporate elements of such a test.

Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted. Exemption for good-faith acquisition by an employee or agent, so long as PI not used or subject to further willful unauthorized disclosure.

Not specified. No.

HAWAII

Haw. Rev. Stat 487n-1 et seq.

Date Enacted or Last Revised: 2008

Personal Information (of Hawaii residents): An individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: (1) social security number; (2) driver's license number or Hawaii identification card number; or (3) account number, credit or debit card number, access code, or password that would permit access to an individual's financial account. Personal information does not mean publicly available information that is lawfully made available to the general public from federal, State, or local government records.

Security Breach: Any unauthorized access and acquisition of unencrypted or unredacted records or data containing PI. Any incident of unauthorized access and acquisition of encrypted records or data containing PI along with the confidential process or key constitutes a security breach.

Who Must Report: Any agency, individual, or commercial entity that conducts business in Hawaii and owns or licenses computerized data that includes personal information or maintains such data containing personal information of residents of Hawaii.

Individual Notice: Yes. Notice must be given to the affected person. Notice can be written, electronic, or telephonic. Notice must be clear and conspicuous. Notices must include description of the security breach. Substitute notice is available if more than 200,000 people affected, or would cost more than $100,000, or if the business or government agency does not have sufficient contact information.

Consumer Reporting Agency Notice: Yes. If more than 1,000 persons are notified at one time, notification to all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis is required.

Government Notice: Yes. If more than 1,000 persons are notified at one time, notification to Hawaii's Office of Consumer Protection is required.

Third Party Notice: Yes. Any business located in Hawaii or that conducts business in Hawaii that maintains or possesses records or data containing personal information of residents of Hawaii that the business does not own or license, or any government agency that maintains or possesses records or data containing personal information of any residents of Hawaii shall notify the owner or licensee of the information of any security breach immediately following the discovery of the breach.

Timing: Notice must be made without unreasonable delay, consistent with the legitimate needs of law enforcement... and consistent with any measures necessary to determine sufficient contact information, determine the scope of the breach, and restore the reasonable integrity, security, and confidentiality of the data system.

Risk of Harm Analysis: Yes. A breach occurs only when illegal use of the personal information has occurred, or is reasonably likely to occur and that creates a risk of harm to a person.

Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted. Good faith acquisition of personal information by an employee or agent of the business for a legitimate purpose is not a security breach; provided that the personal information is not used for a purpose other than a lawful purpose of the business and is not subject to further unauthorized disclosure.

At most $2,500 per violation and for any actual damages faced by an individual. The Attorney General or the executive director of the office of consumer protection may bring an action. No such action may be brought against a government agency.

Yes. Any business that violates any provision of this chapter shall be liable to the injured party in an amount equal to the sum of any actual damages sustained by the injured party as a result of the violation.

12 IDAHO

Idaho Code

Date Enacted or Last Revised: March 30, 2006

Personal Information (of Idaho residents): First name or first initial and last name in combination with any one (1) or more of the following data elements that relate to the resident, when either the name or the data elements are not encrypted: (a) social security number; (b) driver's license number or Idaho identification card number; or (c) account number, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a resident's financial account. Personal information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records or widely distributed media.

Security Breach: An illegal acquisition of unencrypted computerized data that materially compromises the security, confidentiality, or integrity of PI for one or more persons.

Who Must Report: A city, county, or state agency, individual or a commercial entity that conducts business in Idaho and owns or licenses computerized data that includes personal information about a resident of Idaho.

Individual Notice: Yes. Written, electronic or telephonic notice must be provided to victims of a security breach. Substitute notice by means prescribed in the statute allowed in the case of larger breaches: where the cost of notice exceeds $25,000 or the number of state residents exceeds 50,000.

Consumer Reporting Agency Notice: No.

Government Notice: Yes. Covered government agencies must give notice to the state AG within 24 hours of discovery of a breach.

Third Party Notice: Yes. Notice to third party entities required if misuse of personal information about an Idaho resident occurred or is likely to occur. Cooperation includes sharing with the owner or licensee information relevant to the breach.

Timing: Notice must be provided within the most expedient time possible and without unreasonable delay, unless disclosure impedes law enforcement investigation.

Risk of Harm Analysis: Yes. Notice must only be given if the investigation determines that the misuse of information about an Idaho resident has occurred or is reasonably likely to occur. Notification required solely in the case of breaches that materially compromise the security, confidentiality, or integrity of personal information for one or more persons maintained by an agency, individual or a commercial entity.

Exemption for good-faith acquisition by an employee or agent, so long as personal information not used or subject to further unauthorized disclosure. Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted. Entities regulated by state or federal law that maintain procedures for addressing security breaches pursuant to those laws are exempt.

Fine of not more than twenty-five thousand dollars ($25,000) per breach of the security of the system for any covered entity that intentionally fails to give notice. Enforcement action brought by a commercial entity's primary regulator. Primary regulator... is that commercial entity's or individual's primary federal regulator, the primary regulator of a commercial entity or individual licensed by the department of finance is the department of finance, the primary regulator of a commercial entity or individual licensed by the department of insurance is the department of insurance and, for all agencies and all other commercial entities or individuals, the primary regulator is the Attorney General.

No.

13 ILLINOIS

815 Ill. Comp Stat /1-40

Date Enacted or Last Revised: January 1, 2006

Personal Information (of Illinois residents): An individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted: (1) social security number; (2) driver's license number or State identification card number; (3) account number or credit or debit card number, or an account number or credit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account.

Security Breach: An unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity of personal information.

Timing: Notice must be provided within the most expedient time possible and without unreasonable delay, but notice may be delayed if an appropriate law enforcement agency determines that notification will interfere with a criminal investigation.

Risk of Harm Analysis: No, except as definition of breach may incorporate elements of such a test.

Who Must Report: Any data collector that owns or licenses personal information concerning a resident of Illinois. Data collector definition includes, but is not limited to, government agencies, public and private universities, privately and publicly held corporations, financial institutions, retail operators, and any other entity that, for any purpose, handles, collects, disseminates, or otherwise deals with nonpublic personal information.

Individual Notice: Yes. Written or electronic notice must be provided to victims of a security breach. Substitute notice by means prescribed in the statute allowed where cost of actual notice exceeds $250,000 or affected persons exceeds 500,000, or if data collector lacks sufficient contact information. Specific Notice Content required. Notices must include contact information for credit reporting agencies and the Federal Trade Commission, along with a statement that the individual can obtain information from these sources about fraud alerts and security freezes.

Credit Reporting Agency Notice: No.

Government Notice: No.

Third Party Notice: Yes. Any data collector that maintains or stores, but does not own or license, computerized data that includes personal information that the data collector does not own or license shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person. In addition to providing such notification to the owner or licensee, the data collector shall cooperate with the owner or licensee in matters relating to the breach. NOTE: Illinois may take the position that any unauthorized acquisition or use by a third party triggers the notification obligation, regardless of materiality or ownership of the data.

Exemption for good-faith acquisition by an employee or agent, so long as PI not used or subject to further unauthorized disclosure. Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted or redacted. Notwithstanding any other subsection in this Section, a data collector that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this Act, shall be deemed in compliance with the notification requirements of this Section if the data collector notifies subject persons in accordance with its policies in the event of a breach of the security of the system data.

Good faith acquisition of personal information by an employee or agent of the business for a legitimate purpose is not a security breach; provided that the personal information is not used for a purpose other than a lawful purpose of the business and is not subject to further unauthorized disclosure.

Effective 1/1/2012: Statute includes standards for disposing of material containing PI in a manner that renders the PI unreadable, unusable and undecipherable.

A violation of the statute constitutes an unlawful practice under the Consumer Fraud and Deceptive Business Practices Act. Violation of disposal provisions subject to civil penalty of not more than $100 for each individual, not to exceed $50,000 for each instance of improper disposal (plus an additional $10,000 if victim is 65 years of age or older). AG may impose a civil penalty and may also file a civil action in circuit court to recover penalties imposed under disposal provisions and may bring action in circuit court to remedy violation.

Yes, but only under the Consumer Fraud and Deceptive Business Practices Act.

15 INDIANA

Ind. Code

Date Enacted or Last Revised: July 1, 2009

Government Notice: Notice must be provided to Attorney General of any breach.

Personal Information (of Indiana residents): (1) a social security number that is not encrypted or redacted; or (2) an individual's first and last names, or first initial and last name, and one (1) or more of the following data elements that are not encrypted or redacted: (A) a driver's license number; (B) a state identification card number; (C) a credit card number; (D) a financial account number or debit card number in combination with a security code, password, or access code that would permit access to the person's account.

Security Breach: Unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a person, including non-electronic media including paper, microfilm, or similar medium.

Who Must Report: Any company owning or using computerized personal information of an Indiana resident for commercial purposes.

Individual Notice: Yes. Written or electronic notice must be provided to victims of a security breach. Substitute notice by means prescribed in the statute allowed in the case of very large breaches.

Credit Reporting Agency Notice: Yes. If breach includes more than 1000 consumers, data base owner shall also disclose to each consumer reporting agency.

Timing: Notice must be provided within the most expedient time possible and without unreasonable delay, unless disclosure impedes law enforcement investigation.

Risk of Harm Analysis: Yes. Notice is required only if the data base owner knows, should know, or should have known that the unauthorized acquisition constituting the breach has resulted in or could result in identity deception, identity theft, or fraud affecting the Indiana resident.

Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted, unless unauthorized person has access to encryption key. Good faith acquisition of personal information by an employee or agent of the person for lawful purposes of the person, if the personal information is not used or subject to further unauthorized disclosure.

The Attorney General may bring an action to obtain any or all of the following: (1) an injunction to enjoin future violations of the statute; (2) a civil penalty of not more than one hundred fifty thousand dollars ($150,000) per deceptive act; (3) the Attorney General's reasonable costs in: (a) the investigation of the deceptive act; and (b) maintaining the action; (4) reasonable attorney's fees; and (5) costs of the action.

No.

16 IOWA

Iowa Code 715C

Date Enacted or Last Revised: July 1, 2014

Credit Reporting Agency Notice: No.

Government Notice: Yes. Notice to Attorney General required if more than 500 Iowa residents are affected.

Personal Information (of Iowa residents): An individual's first name or first initial and last name in combination with any one or more of the following data elements: Social security number; driver's license number or other unique identification number; financial account number, credit card number, or debit card number; unique electronic identifier or routing code; unique biometric data, such as a fingerprint, retina or iris image, or other unique physical representation.

Security Breach: Unauthorized acquisition of personal information maintained in computerized form by a person that compromises the security, confidentiality, or integrity of the personal information. Breach of security also means unauthorized acquisition of personal information maintained by a person in any medium, including on paper, that was transferred by the person to that medium from computerized form and that compromises the security, confidentiality, or integrity of the personal information. Good faith acquisition of personal information by a person or that person's employee or agent for a legitimate purpose of that person is not a breach of security, provided that the personal information is not used in violation of applicable law or in a manner that harms or poses an actual threat to the security, confidentiality, or integrity of the personal information form.

Who Must Report: Any person who owns or licenses computerized data that includes a consumer's personal information that is used in the course of the person's business, vocation, occupation, or volunteer activities. Any person who maintains or otherwise possesses personal information on behalf of another person. The definition of person includes governmental subdivisions, agencies, or instrumentalities.

Individual Notice: Yes. Written or electronic notice must be given to any consumer whose personal information was included in the information that was breached. Substitute notice by means prescribed in the statute allowed where cost exceeds $250,000 or consumers exceed 350,000 or if the person does not have sufficient contact information to provide notice. Notice must include (1) a description of the breach of security; (2) approximate date of the breach; (3) type of personal information obtained as a result of the breach; (4) contact information for consumer reporting agencies; (5) advice to the consumer to report suspected identity theft to local law enforcement or the AG.

Third Party Notice: Yes. Any person who maintains or otherwise possesses personal information on behalf of another person shall notify the owner or licensor of the information of any breach of security immediately following discovery of such breach of security if a consumer's personal information was included in the information that was breached.

Timing: Notice to individuals must be provided in the most expeditious manner possible and without unreasonable delay, unless a law enforcement agency determines that notification will impede a criminal investigation and the agency has made a written request that the notification be delayed. AG notice must be provided within five days after notice to residents.

Risk of Harm Analysis: Yes. Notification is not required if, after an appropriate investigation or after consultation with the relevant federal, state, or local agencies responsible for law enforcement, the person determined that no reasonable likelihood of financial harm to the consumers whose personal information has been acquired has resulted or will result from the breach. Such a determination must be documented in writing and the documentation must be maintained for five years.

Statute not applicable if the personal data that was breached was encrypted, redacted, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable.** Statute does not apply to a person that: (1) complies with notification requirements or breach of security established by a person's primary or functional federal regulator or by a state or federal law that provides greater protection to personal information and at least as thorough disclosure requirements for form in which the data appropriate breach of security or personal information than that provided by this statute, or (2) is subject to and in compliance with Title V of the GLBA.

Attorney General may seek and obtain an order that a party held to violate this section pay damages to the Attorney General on behalf of a person injured by the violation.

No.


More information

PENNSYLVANIA IDENTITY THEFT RANKING BY STATE: Rank 14, 72.5 Complaints Per 100,000 Population, 9016 Complaints (2007) Updated January 29, 2009

PENNSYLVANIA IDENTITY THEFT RANKING BY STATE: Rank 14, 72.5 Complaints Per 100,000 Population, 9016 Complaints (2007) Updated January 29, 2009 PENNSYLVANIA IDENTITY THEFT RANKING BY STATE: Rank 14, 72.5 Complaints Per 100,000 Population, 9016 Complaints (2007) Updated January 29, 2009 Current Laws: A person commits the offense of identity theft

More information

GENERAL ASSEMBLY OF NORTH CAROLINA SESSION 2005 SESSION LAW 2005-414 SENATE BILL 1048

GENERAL ASSEMBLY OF NORTH CAROLINA SESSION 2005 SESSION LAW 2005-414 SENATE BILL 1048 GENERAL ASSEMBLY OF NORTH CAROLINA SESSION 2005 SESSION LAW 2005-414 SENATE BILL 1048 AN ACT ENACTING THE IDENTITY THEFT PROTECTION ACT OF 2005. The General Assembly of North Carolina enacts: SECTION 1.

More information

Updates on HITECH and State Breach Notification and Security Requirements Robin Campbell

Updates on HITECH and State Breach Notification and Security Requirements Robin Campbell Who s Afraid Of A Big Bad Breach?: Updates on HITECH and State Breach Notification and Security Requirements Robin Campbell Overview Identifying the laws that protect personal information and protected

More information

Alabama: Examples of fraud include the following:

Alabama: Examples of fraud include the following: Alabama: Alabama law does not provide for civil false claim actions, as does the federal False Claims Act, but prosecutors may bring criminal actions against any person who knowingly makes or causes to

More information

UNITED STATES DISTRICT COURT DISTRICT OF CONNECTICUT

UNITED STATES DISTRICT COURT DISTRICT OF CONNECTICUT UNITED STATES DISTRICT COURT DISTRICT OF CONNECTICUT ATTORNEY GENERAL OF THE : STATE OF CONNECTICUT, and : STATE OF CONNECTICUT : Plaintiffs, : : v. : Civ. No. : HEALTH NET OF THE NORTHEAST, INC., : HEALTH

More information

Everett School Employee Benefit Trust. Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law

Everett School Employee Benefit Trust. Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law Everett School Employee Benefit Trust Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law Introduction The Everett School Employee Benefit Trust ( Trust ) adopts this policy

More information

Limited Data Set Data Use Agreement

Limited Data Set Data Use Agreement Limited Data Set Data Use Agreement This Agreement is made and entered into by and between (hereinafter Applicant ) and the State of Florida Agency for Health Care Administration, Florida Center for Health

More information

Issue Brief. Arizona State Senate IDENTITY THEFT AND CONSUMER PROTECTION INTRODUCTION IDENTITY THEFT. September 17, 2015.

Issue Brief. Arizona State Senate IDENTITY THEFT AND CONSUMER PROTECTION INTRODUCTION IDENTITY THEFT. September 17, 2015. Arizona State Senate Issue Brief September 17, 2015 Note to Reader: The Senate Research Staff provides nonpartisan, objective legislative research, policy analysis and related assistance to the members

More information

SAMPLE BUSINESS ASSOCIATE AGREEMENT

SAMPLE BUSINESS ASSOCIATE AGREEMENT SAMPLE BUSINESS ASSOCIATE AGREEMENT THIS AGREEMENT IS TO BE USED ONLY AS A SAMPLE IN DEVELOPING YOUR OWN BUSINESS ASSOCIATE AGREEMENT. ANYONE USING THIS DOCUMENT AS GUIDANCE SHOULD DO SO ONLY IN CONSULT

More information

HSHS BUSINESS ASSOCIATE AGREEMENT BACKGROUND AND RECITALS

HSHS BUSINESS ASSOCIATE AGREEMENT BACKGROUND AND RECITALS HSHS BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement, ( Agreement ) is entered into on the date(s) set forth below by and between Hospital Sisters Health System on its own behalf and

More information

Healthcare Practice. Breach Notification Requirements Under HIPAA/HITECH Act and Oregon Consumer Identity Theft Protection Act. Oregon.

Healthcare Practice. Breach Notification Requirements Under HIPAA/HITECH Act and Oregon Consumer Identity Theft Protection Act. Oregon. Healthcare Practice Breach Notification Requirements Under HIPAA/HITECH Act and Consumer Identity Theft Protection Act August 2013 Anchorage Beijing New York Portland Seattle Washington, D.C. www.gsblaw.com

More information

The ReHabilitation Center. 1439 Buffalo Street. Olean. NY. 14760

The ReHabilitation Center. 1439 Buffalo Street. Olean. NY. 14760 Procedure Name: HITECH Breach Notification The ReHabilitation Center 1439 Buffalo Street. Olean. NY. 14760 Purpose To amend The ReHabilitation Center s HIPAA Policy and Procedure to include mandatory breach

More information

The Matrix Reloaded: Cybersecurity and Data Protection for Employers. Jodi D. Taylor

The Matrix Reloaded: Cybersecurity and Data Protection for Employers. Jodi D. Taylor The Matrix Reloaded: Cybersecurity and Data Protection for Employers Jodi D. Taylor Why Talk About This Now? Landscape is changing Enforcement by federal and state governments on the rise Legislation on

More information

DATA PRIVACY ENFORCEMENT EFFORTS BY STATE ATTORNEYS GENERAL

DATA PRIVACY ENFORCEMENT EFFORTS BY STATE ATTORNEYS GENERAL DATA PRIVACY ENFORCEMENT EFFORTS BY STATE ATTORNEYS GENERAL State AGs have been very active in the leadership of data privacy protection initiatives across the country, and have dedicated considerable

More information

Terms and Conditions Relating to Protected Health Information ( City PHI Terms ) Revised and Effective as of September 23, 2013

Terms and Conditions Relating to Protected Health Information ( City PHI Terms ) Revised and Effective as of September 23, 2013 Terms and Conditions Relating to Protected Health Information ( City PHI Terms ) Revised and Effective as of September 23, 2013 The City of Philadelphia is a Covered Entity as defined in the regulations

More information

CSR Breach Reporting Service Frequently Asked Questions

CSR Breach Reporting Service Frequently Asked Questions CSR Breach Reporting Service Frequently Asked Questions Quick and Complete Reporting is Critical after Data Loss Why do businesses need this service? If organizations don t have this service, what could

More information

M E M O R A N D U M. Definitions

M E M O R A N D U M. Definitions M E M O R A N D U M DATE: November 10, 2011 TO: FROM: RE: Krevolin & Horst, LLC HIPAA Obligations of Business Associates In connection with the launch of your hosted application service focused on practice

More information

COMPLIANCE ALERT 10-12

COMPLIANCE ALERT 10-12 HAWAII HEALTH SYSTEMS C O R P O R A T I O N "Touching Lives Every Day COMPLIANCE ALERT 10-12 HIPAA Expansion under the American Recovery and Reinvestment Act of 2009 The American Recovery and Reinvestment

More information

SECTION-BY-SECTION ANALYSIS

SECTION-BY-SECTION ANALYSIS INTRODUCED BY CONGRESSMAN RANDY NEUGEBAUER (R-TX) AND CONGRESSMAN JOHN CARNEY (D-DE) SECTION-BY-SECTION ANALYSIS Section 1: Short Title The Data Security Act of 2015. Section 2: Purposes The purposes of

More information

DATA SECURITY: A CRUCIAL TOPIC FOR CORPORATE COUNSEL AND MANAGEMENT

DATA SECURITY: A CRUCIAL TOPIC FOR CORPORATE COUNSEL AND MANAGEMENT Advisor Article DATA SECURITY: A CRUCIAL TOPIC FOR CORPORATE COUNSEL AND MANAGEMENT By James R. Carroll, David S. Clancy and Christopher G. Clark* Skadden, Arps, Slate, Meagher & Flom Customer data security

More information

Data Security. Updated April, 2006. CCIM Institute 430 N. Michigan Avenue Chicago, IL 60611 (312) 321-4460

Data Security. Updated April, 2006. CCIM Institute 430 N. Michigan Avenue Chicago, IL 60611 (312) 321-4460 Data Security Updated April, 2006 CCIM Institute 430 N. Michigan Avenue Chicago, IL 60611 (312) 321-4460 Background As technology has evolved and become vital for businesses, a growing number of public

More information

Protecting Social Security Numbers

Protecting Social Security Numbers Protecting Social Security Numbers: Federal Legislation in Sight STEVEN C. BENNETT, MAURICIO F. PAEZ, and Gwendolynne Chen Due to an alarming increase in identity theft crimes, a bipartisan bill, Protecting

More information

Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308)

Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308) HIPAA Business Associate Agreement Sample Notice Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308) The information provided in this document does not constitute, and is no substitute

More information

Business Associate Agreement

Business Associate Agreement This Business Associate Agreement Is Related To and a Part of the Following Underlying Agreement: Effective Date of Underlying Agreement: Vendor: Business Associate Agreement This Business Associate Agreement

More information

Tape Vaulting Audit And Encryption Usage Analysis

Tape Vaulting Audit And Encryption Usage Analysis Tape Vaulting Audit And Encryption Usage Analysis Prepared for Public Presentation (includes SB 1386, Gramm Leach Bliley, and Personal Data Protection and Security Act of 2005 Customer Information Protection

More information

OREGON IDENTITY THEFT RANKING BY STATE: Rank 20, 68.1 Complaints Per 100,000 Population, 2552 Complaints (2007) Updated January 10, 2009

OREGON IDENTITY THEFT RANKING BY STATE: Rank 20, 68.1 Complaints Per 100,000 Population, 2552 Complaints (2007) Updated January 10, 2009 OREGON IDENTITY THEFT RANKING BY STATE: Rank 20, 68.1 Complaints Per 100,000 Population, 2552 Complaints (2007) Updated January 10, 2009 Current Laws: A person commits the crime of identity theft if the

More information

Community First Health Plans Breach Notification for Unsecured PHI

Community First Health Plans Breach Notification for Unsecured PHI Community First Health Plans Breach Notification for Unsecured PHI The presentation is for informational purposes only. It is the responsibility of the Business Associate to ensure awareness and compliance

More information

The Rosenthal Fair Debt Collection Practices Act California Civil Code 1788 et seq.

The Rosenthal Fair Debt Collection Practices Act California Civil Code 1788 et seq. The Rosenthal Fair Debt Collection Practices Act California Civil Code 1788 et seq. 1788. This title may be cited as the Rosenthal Fair Debt Collection Practices Act. 1788.1 (a) The Legislature makes the

More information

WISCONSIN IDENTITY THEFT RANKING BY STATE: Rank 15, 175.9 Complaints Per 100,000 Population, 9852 Complaints (2007) Updated January 16, 2009

WISCONSIN IDENTITY THEFT RANKING BY STATE: Rank 15, 175.9 Complaints Per 100,000 Population, 9852 Complaints (2007) Updated January 16, 2009 WISCONSIN IDENTITY THEFT RANKING BY STATE: Rank 15, 175.9 Complaints Per 100,000 Population, 9852 Complaints (2007) Updated January 16, 2009 Current Laws: It is unlawful to intentionally use or attempt

More information

False Claims Act Regulations by State

False Claims Act Regulations by State False Claims Act Regulations by State Under the False Claims Act, 31 U.S.C. 3729-3733, those who knowingly submit, or cause another person or entity to submit, false claims for payment of The purpose of

More information

Evolution of HB 300. HIPAA passed in 1996 Originally, HIPAA only directly impacted certain covered entities :

Evolution of HB 300. HIPAA passed in 1996 Originally, HIPAA only directly impacted certain covered entities : Texas HB 300 HB 300: Background Texas House Research Organizational Bill Analysis for HB 300 shows state legislators believed HIPAA did not provide enough protection for private health information (PHI)

More information

Data Security: Risks, Compliance and How to be Prepared for a Breach

Data Security: Risks, Compliance and How to be Prepared for a Breach Data Security: Risks, Compliance and How to be Prepared for a Breach Presented by: Sandy B. Garfinkel, Esq. The Data Breach Reality: 2015 AshleyMadison.com (July 2015) Member site facilitating personal

More information

HIPAA Privacy Breach Notification Regulations

HIPAA Privacy Breach Notification Regulations Technical Bulletin Issue 8 2009 HIPAA Privacy Breach Notification Regulations On August 24, 2009 Health and Human Services (HHS) issued interim final regulations implementing the HIPAA Privacy Breach Notification

More information

HIPAA Privacy and Security Changes in the American Recovery and Reinvestment Act

HIPAA Privacy and Security Changes in the American Recovery and Reinvestment Act International Life Sciences Arbitration Health Industry Alert If you have questions or would like additional information on the material covered in this Alert, please contact the author: Brad M. Rostolsky

More information

Breach Notification Policy

Breach Notification Policy 1. Breach Notification Team. Breach Notification Policy Ferris State University ( Ferris State ), a hybrid entity with health care components, has established a Breach Notification Team, which consists

More information

Healthcare Practice. HIPAA/HITECH Act vs. Oregon Consumer Identity Theft Protection Act. February 2010

Healthcare Practice. HIPAA/HITECH Act vs. Oregon Consumer Identity Theft Protection Act. February 2010 Healthcare Practice HIPAA/HITECH Act vs. Oregon Consumer Identity Theft Protection Act February 2010 HIPAA/HITECH Background Healthcare Practice Stephen Rose srose@gsblaw.com 206.464.3939 Ext 1375 Larry

More information

SAMPLE TEMPLATE. Massachusetts Written Information Security Plan

SAMPLE TEMPLATE. Massachusetts Written Information Security Plan SAMPLE TEMPLATE Massachusetts Written Information Security Plan Developed by: Jamy B. Madeja, Esq. Erik Rexford 617-227-8410 jmadeja@buchananassociates.com Each business is required by Massachusetts law

More information

BREACH NOTIFICATION FOR UNSECURED PROTECTED HEALTH INFORMATION

BREACH NOTIFICATION FOR UNSECURED PROTECTED HEALTH INFORMATION BREACH NOTIFICATION FOR UNSECURED PROTECTED HEALTH INFORMATION Summary November 2009 On August 24, 2009, the Department of Health and Human Services (HHS) published an interim final rule (the Rule ) that

More information

IDENTITY THEFT: DATA SECURITY FOR EMPLOYERS. Boston, MA 02110 Richmond, Virginia 23219 Tel. (617) 502.8238 Tel. (804) 783.7579

IDENTITY THEFT: DATA SECURITY FOR EMPLOYERS. Boston, MA 02110 Richmond, Virginia 23219 Tel. (617) 502.8238 Tel. (804) 783.7579 IDENTITY THEFT: DATA SECURITY FOR EMPLOYERS Daniel J. Blake, Esq. Vijay K. Mago, Esq. LeClairRyan, A Professional Corporation LeClairRyan, A Professional Corporation One International Place, Eleventh Floor

More information

Commercial Law - Consumer Credit Report Security Freezes

Commercial Law - Consumer Credit Report Security Freezes LAWS OF ALASKA 00 Source SCS CSHB (FIN) am S Chapter No. AN ACT Relating to breaches of security involving personal information, credit report and credit score security freezes, protection of social security

More information

BUSINESS ASSOCIATE AGREEMENT TERMS

BUSINESS ASSOCIATE AGREEMENT TERMS BUSINESS ASSOCIATE AGREEMENT TERMS This Addendum ( Addendum ) is incorporated into and made part of the Agreement between SIGNATURE HEALTHCARE CORPORATION ("Covered Entity ) and ( Business Associate"),

More information

FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT

FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) is made and entered into to be effective as of, 20 (the Effective Date ), by and between ( Covered Entity ) and

More information

SUBJECT: Identity Theft / Patient Misidentification POLICY NUMBER: Page 1 of 16 GENERATED BY: Integrity Compliance Office APPROVED BY:

SUBJECT: Identity Theft / Patient Misidentification POLICY NUMBER: Page 1 of 16 GENERATED BY: Integrity Compliance Office APPROVED BY: SUBJECT: Identity Theft / Patient Misidentification POLICY NUMBER: ISSUED: 11/7/06 REVISED: 3/16/07; 5/6/08 (web reference updates only) Page 1 of 16 GENERATED BY: Integrity Compliance Office APPROVED

More information

Information Privacy and Security Program. Title: EC.PS.01.02

Information Privacy and Security Program. Title: EC.PS.01.02 Page: 1 of 9 I. PURPOSE: The purpose of this standard is to ensure that affected individuals, the media, and the Secretary of Health and Human Services (HHS) are appropriately notified of any Breach of

More information

Scope All [Name of Facility] operations

Scope All [Name of Facility] operations Scope All [Name of Facility] operations Purpose To describe the measures to be followed when health care is obtained under a fictitious name or in another person s name. This includes situations when a

More information

Fresenius Medical Care North America

Fresenius Medical Care North America Section 6032 of the Deficit Reduction Act of 2005 requires that any entities that receive or make annual Medicaid payments of at least $5,000,000 must establish for all employees and contractors or agents

More information

FirstCarolinaCare Insurance Company Business Associate Agreement

FirstCarolinaCare Insurance Company Business Associate Agreement FirstCarolinaCare Insurance Company Business Associate Agreement THIS BUSINESS ASSOCIATE AGREEMENT ("Agreement"), is made and entered into as of, 20 (the "Effective Date") between FirstCarolinaCare Insurance

More information

ADMINISTRATIVE REGULATION EFFECTIVE DATE: 1/1/2016

ADMINISTRATIVE REGULATION EFFECTIVE DATE: 1/1/2016 Page 1 of 9 CITY OF CHESAPEAKE, VIRGINIA NUMBER: 2.62 ADMINISTRATIVE REGULATION EFFECTIVE DATE: 1/1/2016 SUPERCEDES: N/A SUBJECT: HUMAN RESOURCES DEPARTMENT CITY OF CHESAPEAKE EMPLOYEE/RETIREE GROUP HEALTH

More information

ILLINOIS IDENTITY THEFT RANKING BY STATE: Rank 11, 80.2 Complaints Per 100,000 Population, 10304 Complaints (2007) Updated November 30, 2008

ILLINOIS IDENTITY THEFT RANKING BY STATE: Rank 11, 80.2 Complaints Per 100,000 Population, 10304 Complaints (2007) Updated November 30, 2008 ILLINOIS IDENTITY THEFT RANKING BY STATE: Rank 11, 80.2 Complaints Per 100,000 Population, 10304 Complaints (2007) Updated November 30, 2008 Current Laws: A person commits the offense of identity theft

More information

Protecting Personal Information in Third Party Hands An Overview of Legal Requirements

Protecting Personal Information in Third Party Hands An Overview of Legal Requirements Protecting Personal Information in Third Party Hands An Overview of Legal Requirements Margaret P. Eisenhauer 1 6 January 2006 U.S. companies are increasingly subject to fiduciary-like duties with regard

More information

HIPAA AND MEDICAID COMPLIANCE POLICIES AND PROCEDURES

HIPAA AND MEDICAID COMPLIANCE POLICIES AND PROCEDURES SALISH BHO HIPAA AND MEDICAID COMPLIANCE POLICIES AND PROCEDURES Policy Name: HIPAA BREACH NOTIFICATION REQUIREMENTS Policy Number: 5.16 Reference: 45 CFR Parts 164 Effective Date: 03/2016 Revision Date(s):

More information

IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Data Breach Notification Policy 10240

IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Data Breach Notification Policy 10240 IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Data Breach Notification Policy 10240 POLICY INFORMATION Major Functional Area (MFA): MFA X - Office of General Counsel & Compliance

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT ( Agreement ) is entered into by and between (the Covered Entity ), and Iowa State Association of Counties (the Business Associate ). RECITALS

More information

HIPAA Business Associate Agreement

HIPAA Business Associate Agreement HIPAA Business Associate Agreement User of any Nemaris Inc. (Nemaris) products or services including but not limited to Surgimap Spine, Surgimap ISSG, Surgimap SRS, Surgimap Office, Surgimap Ortho, Surgimap

More information

Five Rivers Medical Center, Inc. 2801 Medical Center Drive Pocahontas, AR 72455. Notification of Security Breach Policy

Five Rivers Medical Center, Inc. 2801 Medical Center Drive Pocahontas, AR 72455. Notification of Security Breach Policy Five Rivers Medical Center, Inc. 2801 Medical Center Drive Pocahontas, AR 72455 Notification of Security Breach Policy Purpose: This policy has been adopted for the purpose of complying with the Health

More information

H. R. 1 144. Subtitle D Privacy

H. R. 1 144. Subtitle D Privacy H. R. 1 144 (1) an analysis of the effectiveness of the activities for which the entity receives such assistance, as compared to the goals for such activities; and (2) an analysis of the impact of the

More information

Model Business Associate Agreement

Model Business Associate Agreement Model Business Associate Agreement Instructions: The Texas Health Services Authority (THSA) has developed a model BAA for use between providers (Covered Entities) and HIEs (Business Associates). The model

More information

Business Associate Agreement Involving the Access to Protected Health Information

Business Associate Agreement Involving the Access to Protected Health Information School/Unit: Rowan University School of Osteopathic Medicine Vendor: Business Associate Agreement Involving the Access to Protected Health Information This Business Associate Agreement ( BAA ) is entered

More information

Personal Information Protection Policy

Personal Information Protection Policy I Personal Information Protection Policy Purpose: This policy outlines specific employee responsibilities in regards to safeguarding personal information. To this end, each employee has a responsibility

More information