DATA BREACH. State-by-State Notification & Response Reference Guide
|
|
- Clinton Lang
- 7 years ago
- Views:
Transcription
1 DATA BREACH State-by-State Notification & Response Reference Guide *At this time, these states do not have data breach statutes.
2 ALASKA Alaska Stat et seq. Date Enacted or Last Revised: 2009 Personal Information (of Alaska residents): Information in any form on an individual, that is not encrypted or redacted, or is encrypted and the encryption key has been accessed or acquired, and that consists of a combination of (A) an individual s name; and (B) one or more the following information elements: (i) social security number; (ii) driver s license or state ID card number; (iii) the individual s account number, credit card number, or debit card number, if no access code, personal identification number, or password is required access the account; (iv) the individual s account number, credit card number, or debit card number in combination with an access code, a personal identification number, or password required access the account; (v) passwords, personal ID numbers, or other access codes for financial accounts. Security Breach: Unauthorized acquisition or reasonable belief of unauthorized acquisition of personal information that compromises the security, confidentiality or integrity of the personal information maintained by the information collecr. Acquisition includes acquisition by (A) phocopying, facsimile, or other paper-based method; (B) a device, including a computer, that can read, write, or sre information that is represented in numerical form; or (C) a method not identified by (A) or (B). Who Must Report: Any person doing business, any person with more than 10 employees, and any state or local governmental agency, that owns or licenses personal information on a state resident. Individual Notice: Yes. Notice must be given each state resident whose personal information was subject the breach. Substitute notice is available if the information collecr demonstrates that the cost of providing notice would exceed $150,000, that the affected class of state residents be notified exceeds 300,000, or that the information collecr does not have sufficient contact information provide notice. Credit Reporting Agency Notice: Yes. If an entity is required notify more than 1,000 state residents of a breach, it must also notify without unreasonable delay all consumer credit reporting agencies that compile and maintain files on consumers on a nationwide basis. Government Notice: No. Third Party Notice: Yes. Immediately after an information recipient discovers a security breach, the information recipient shall notify the information distribur who owns the personal information or who licensed the use of the personal information the information recipient. Timing: Written or electronic notice must be provided in the most expeditious time possible and without unreasonable delay, unless disclosure impedes a criminal investigation. Risk of Harm Analysis: Yes. Disclosure is not required if, after an appropriate investigation and after written notification the Atrney General of this state, the covered person determines that there is not a reasonable likelihood that harm the consumers whose personal information has been acquired has resulted or will result from the breach. The determination shall be documented in writing and the documentation shall be maintained for five years. The notification required by this subsection shall not be considered a public record open inspection by the public. Statute not applicable if the personal data that was lost, slen, or accessed by an unauthorized individual is encrypted or redacted. Exemption for good-faith acquisition by an employee, so long as personal information not used for an illegitimate purpose or further subject unauthorized disclosure. Violations subject the violar a civil penalty of up $500 for each consumer who was not provided notice, up a maximum penalty of $50,000. Yes. Page 2
3 ARIZONA Ariz. Rev. Stat Date Enacted or Last Revised: 2007 Personal Information (of Arizona residents): Name plus SSN, driver s license number, account numbers, credit or debit card numbers; passwords, PINs or other access codes for financial accounts. Security Breach: An unauthorized acquisition of unencrypted or unredacted computerized data that materially compromises the security or confidentiality of PI maintained by a covered entity as part of a data base of PI regarding multiple individuals and that causes or is reasonably likely cause substantial economic loss an individual. Who Must Report: Any person that conducts business in Arizona and owns or licenses unencrypted computerized data that includes personal information. Individual Notice: Yes. Written, electronic or telephonic notice must be provided victims of a security breach. Substitute notice by means prescribed in the statute allowed in the case of larger breaches. Credit Reporting Agency Notice: No. Government Notice: No. Third Party Notice: Yes. If covered entity maintains unencrypted data that includes PI that covered entity does not own, covered entity shall notify and cooperate with the owner or licensee of the information of any breach following discovery of the breach without unreasonable delay. Cooperation shall include sharing information relevant the breach with the owner or licensee. The owner or licensee of the data shall provide notice the individual, unless any agreement between the covered entity and the owner or licensee provides otherwise. Risk of Harm Analysis: Yes. A person is not required disclose a breach of the security of the system if the person or a law enforcement agency, after a reasonable investigation, determines that a breach of the security of the system has not occurred or is not reasonably likely occur. A breach occurs only if the security or confidentiality of an individual s personal information is materially compromised and if the event causes or is reasonably likely cause substantial economic loss an individual. Statute not applicable if the personal data that was lost, slen, or accessed by an unauthorized individual is encrypted or redacted. Exemption for good-faith acquisition by an employee or agent, so long as PI not used for a purpose unrelated the covered entity or subject further willful unauthorized disclosure. Entities that comply with the notification requirements or security breach procedures pursuant the rules, regulations, procedures, guidance or guidelines established by the entities primary or functional federal regular are exempt. Entities subject Title V of the GLBA as well as entities covered by the Health Insurance Portability and Accountability Act (HIPAA) are exempt. Actual damages for a willful and knowing violation of the statute. Civil penalty not exceed $10,000 per breach of the security of the system or series of breaches of a similar nature that are discovered in a single investigation. No. Timing: Notice must be provided within the most expedient time possible and without unreasonable delay, unless disclosure impedes law enforcement investigation. Page 3
4 ARKANSAS Ark. Code et seq. Date Enacted or Last Revised: April 13, 2005 Personal Information (of Arkansas residents): First name or initial and last name of an individual, with any one (1) or more of the following data elements when either the name or the data element is not encrypted or redacted: (A) social security number; (B) driver s license number or Arkansas identification card number; (C) account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access an individual s financial account; and (D) medical information. Security Breach: A breach of the security system is the unauthorized acquisition of computerized data that compromises security, confidentiality, or integrity of personal information maintained by a person or business. Who Must Report: Individuals, businesses, and state agencies that acquire, own, or license personal information about Arkansas residents. Individual Notice: Written or electronic notice must be provided victims of a security breach. Substitute notice by means prescribed in the statute allowed if the cost of providing service exceeds $250,000, if the affected class of consumers exceeds 500,000 persons, or if the individual does not have sufficient contact information provide notice. Credit Reporting Agency Notice: No. Government Notice: No. Third Party Notice: Covered entity must notify owner or licensee of data that includes PI of any breach of security immediately following discovery. Timing: Notice must be provided within the most expedient time possible and without unreasonable delay, unless disclosure impedes law enforcement investigation. In case of investigation, notice be made only after law enforcement determines notification will not compromise investigation. Risk of Harm Analysis: Yes. Notification is not required if, after a reasonable investigation, the person or business determines that there is no reasonable likelihood of harm cusmers. Statute not applicable if the personal data that was lost, slen, or accessed by an unauthorized individual is encrypted. Entities regulated by any state or federal law that provides greater protection personal information and similar disclosure requirements are exempt. Any covered entity that maintains and proceeds in compliance with its own notification procedures as part of an information security policy for treatment of PI and is otherwise consistent with timing requirements of statute is deemed be in compliance. Data destruction or encryption mandary when personal information records are discarded. Action may be brought by Atrney General, under deceptive trade practices statute. No. Page 4
5 CALIFORNIA Cal. Civ. Code , , et. seq. Date Enacted or Last Revised: Jan. 1, 2016 (expands notification requirements and definition of PI) Personal Information (of California residents): An individual s first name or first initial and last name in combination with any one or more of the following: social security number; driver s license number or CA ID card; account number, credit or debit card number, in combination with any required security code, or password that would permit access an individual s financial account; medical information; health insurance information; and information or data collected through the use or operation of an aumated license plate recognition system. Personal information also includes a user name or address, in combination with a password or security question and answer that would permit access an online account. Security Breach: An unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of PI maintained by a covered entity. Who Must Report: Any person or business that conducts business in California or any state or local agency that owns or licenses computerized data that includes personal information. Individual Notice: Yes. Written or electronic notice must be provided victims of a security breach. Substitute notice by means prescribed in the statute allowed in the case of very large breaches. Requires specific notice content, including a general description of the incident, the type of information breached, the time of the breach and ll-free numbers and addresses of the major credit card reporting agencies in CA, whether notification was delayed as result of law enforcement investigation; the name and contact information of the reporting person, a list of types of PI believed be in breach, an offer provide identity theft services not less than 12 months, and other requirements. Must be in plain language. Additional discretionary language as permitted under statute. If the personal information compromised in the data breach only includes a user name or address in combination with a password or security question and answer (and no other personal information), then notice may be provided in electronic or other form that directs the person whose personal information has been breached promptly change his or her password and security question and answer (or take other steps protect the online account). Credit Reporting Agency Notice: No. Government Notice: Yes. Notice California Atrney General must be given if a single breach affects more than 500 Californians. Submission of online reporting form required: Third Party Notice: Yes. If a covered entity maintains computerized data that includes PI that the entity does not own, the entity must notify the owner or licensee of the information of any breach of security immediately following discovery. Timing: Individual notice must be provided within the most expedient time possible and without unreasonable delay, unless disclosure impedes a criminal investigation. 5-day notice requirement ( state agency) in event of breach of medical/health information. Risk of Harm Analysis: No, except the extent the definition of breach may incorporate elements of such a test. Statute not applicable if the personal data that was lost, slen, or accessed by an unauthorized individual is encrypted. Exemption for good-faith acquisition by an employee or agent, so long as personal information not used or subject further willful unauthorized disclosure. Compliance cannot be waived by the affected individual. Any covered entity that maintains and proceeds in compliance with its own notification procedures as part of an information security policy for treatment of personal information and is otherwise consistent with timing requirements of statute is deemed be in compliance. Entity responsible for data required take all reasonable steps destroy a cusmer s records that contain personal information when the entity will no longer retain those records. Civil remedies available for violation of the statute. Yes. Action may also be brought by State. Page 5
6 COLORADO Colo. Rev. Stat et seq. Date Enacted or Last Revised: 2006 Personal Information (of Colorado residents): First name or first initial and last name in combination with any one or more of the following data elements that relate the resident (when not encrypted, redacted, or secured ): (A) social security number; (B) driver s license number or identification card number; (C) account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access a resident s financial account. Security Breach: An unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of the PI. Who Must Report: Individual or commercial entity that conducts business in Colorado and owns or licenses computerized data that includes personal information. Individual Notice: Yes. Written, electronic, or telephonic notice must be provided victims of a security breach. Substitute notice by means prescribed in the statute allowed if the cost of providing service exceeds $250,000, if the affected class of consumers exceeds 250,000 persons, or if the individual does not have sufficient contact information provide notice. Credit Reporting Agency Notice: An entity that must notify more than 1,000 persons at one time of a security breach is required also promptly notify all consumer reporting agencies of the breach. Entities subject Title V of the GLBA are exempt. Government Notice: No. Third Party Notice: Yes. If covered entity maintains computerized data including PI that entity does not own or license, the entity shall give notice and cooperate with the owner or licensee of the information of any breach immediately following discovery, if misuse or PI about a Colorado resident occurred or is likely occur. Cooperation includes sharing with the owner or licensee information relevant the breach, except that such cooperation shall not be deemed require the disclosure of confidential business information or trade secrets. Timing: Notice must be provided within the most expedient time possible and without unreasonable delay, unless disclosure impedes law enforcement investigation. Risk of Harm Analysis: Yes. After a reasonable investigation, a commercial entity must give notice of a breach unless the investigation determines that the misuse of information about a Colorado resident has not occurred and is not reasonably likely occur. Exemption for good-faith acquisition by an employee or agent, so long as personal information not used or subject further willful unauthorized disclosure. Statute not applicable if the personal data that was lost, slen, or accessed by an unauthorized individual is encrypted, redacted or secured by any other method rendering it unreadable or unusable. Any entity that maintains and proceeds in compliance with its own notification procedures as part of an information security policy for treatment of PI and is otherwise consistent with timing requirements of statute is deemed be in compliance. Entities regulated by state or federal law that maintain procedures for addressing security breaches pursuant those laws are exempt. Atrney General may bring action in law or equity and may seek direct economic damages. No. Page 6
7 Conn. Gen. Stat. 36a-701b Date Enacted or Last Revised: Ocber 1, 2015 Personal Information (of Connecticut residents): An individual s first name or first initial and last name in combination with any one, or more, of the following data: social security number; driver s license or state ID; account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access an individual s financial account. Personal information does not include publicly available information that is lawfully made available the general public from federal, state or local government records or widely distributed media. Security Breach: means unauthorized access or unauthorized acquisition of electronic files, media, databases or computerized data, containing personal information when access the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable. Who Must Report: Any person who conducts business in Connecticut, and who, in the ordinary course of such person s business, owns, licenses, or maintains computerized data that includes personal information. CONNECTICUT Written notice the Insurance Commissioner ( permissible) as soon as the incident is identified but no later than five (5) calendar days after the incident is identified. Credit Reporting Agency Notice: No. Government Notice: Yes. Notice the Atrney General required within the same time frame as notice affected individuals. An information security incident at a vendor or business associate of an entity regulated by the Insurance Department which has the potential of affecting a Connecticut insured should be reported by the licensee or registrant the Commissioner. Third party notification: Yes. If a covered entity maintains computerized data that includes personal information that the entity does not own, the entity must notify the owner or licensee of the information of any breach of security immediately following discovery if the personal information was, or is reasonably believed have been, accessed by an unauthorized person. Timing: Notice must be provided without unreasonable delay but not later than ninety days after discovery, unless disclosure impedes law enforcement investigation. All entities regulated by the Insurance Department of the State of Connecticut Individual Notice: Yes. Written, electronic or telephonic notice must be provided residents whose personal information was breached or is reasonably believed have been breached. Substitute notice by means prescribed in the statute allowed in the case of very large breaches. If a breach exposes social security numbers, the notice residents must include appropriate theft mitigation services. Such service or services shall be provided at no cost such resident for a period of not less than twelve months. The covered entity shall provide all information necessary for such resident enroll in such service or services and shall include information on how such resident can place a credit freeze on such resident s credit file. Consumers have the right place a security freeze on their credit reports. Risk of Harm Analysis: Yes. Such notification shall not be required if, after an appropriate investigation and consultation with relevant federal, state and local agencies responsible for law enforcement, the person reasonably determines that the breach will not likely result in harm the individuals whose personal information has been acquired and accessed. Statute not applicable if the personal data that was lost, slen, or accessed by an unauthorized individual is secured by encryption or by any other method or technology that renders it unreadable or unusable Any person that maintains a security breach procedure pursuant the rules, regulations, procedures or guidelines established by the primary or functional regular is exempt Enforcement by Atrney General only pursuant unfair trade practice laws. Maximum penalty of $25,000. No. Page 7
8 Del. Code Ann. Tit. 6, 12B-101, et. seq. Date Enacted or Last Revised: June 28, 2005 Personal Information (of Delaware residents): First name or first initial and last name in combination with any one, or more, of the following data elements that relate the resident when either the name or the data elements are not encrypted: social security number; driver s license or Delaware identification card; account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access an resident s financial account. Personal information does not include publicly available information that is lawfully made available the general public from federal, state, or local government record. Security Breach: Unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality or integrity of personal information maintained by an individual or commercial entity DELAWARE Government Notification: No. Third Party Notification: Yes. If a covered entity maintains computerized data that includes personal information that the entity does not own, the entity must notify the owner or licensee of the information of any breach of security immediately following discovery. Timing: Notice must be provided within the most expedient time possible and without unreasonable delay, unless disclosure impedes law enforcement investigation. Risk of Harm Analysis: Yes. If an investigation determines that the misuse of information about a Delaware resident has occurred or is reasonably likely occur, the individual or the commercial entity shall give notice as soon as possible the affected Delaware resident. Statute not applicable if the personal data that was lost, slen, or accessed by an unauthorized individual is encrypted. Who Must Report: Individual or a commercial entity that conducts business in Delaware and owns or licenses computerized data that includes personal information about a resident of Delaware. Commercial entity includes corporations, business trusts, estates, trusts, partnerships, limited partnerships, limited liability partnerships, limited liability companies, associations, organizations, joint ventures, governments, governmental subdivisions, agencies, or instrumentalities, or any other legal entity, whether for profit or not-for-profit. Individual Notice: Yes. Written, telephonic, or electronic notice must be provided victims of a security breach. Substitute notice by means prescribed in the statute allowed in the case of large breaches. Credit Reporting Agency Notification: No. Good faith acquisition of personal information by an employee or agent of an individual or a commercial entity for the purposes of the individual or the commercial entity is not a breach of the security of the system, provided that the personal information is not used or subject further unauthorized disclosure. Entities regulated by any state or federal law that provides greater protection personal information are exempt. The Atrney General may bring an action in law or equity address violations and for other relief that may be appropriate ensure proper compliance with this chapter or recover direct economic damages resulting from a violation, or both. No. Page 8
9 Fla. Stat Date Enacted or Last Revised: July 1, 2014 Personal Information (of Florida residents): Either (a) An individual s first name or first initial and last name in combination with a SSN; driver s license or ID card number, passport number, military ID number or similar number, financial account number or credit or debit card number in combination with a security code, access code or password necessary permit access the account; medical information; or health insurance information; or (b) A user name or address, in combination with a password or security question and answer that would permit access an online account. Security Breach: Unauthorized access of data in electronic form containing personal information. FLORIDA Notice Atrney General must be provided no later than 30 days after determination of breach. (Additional notification time may be obtained by providing a written notice the Atrney General Department of Legal Affairs within the 30 day period). Risk of Harm Analysis: Yes. Notice the affected individuals is not required if, after an appropriate investigation and consultation with relevant federal, state, or local law enforcement agencies, the covered entity reasonably determines that the breach has not and will not likely result in identity theft or any other financial harm the individuals whose personal information has been accessed. Such a determination must be documented in writing and maintained for at least 5 years. The covered entity shall provide the written determination the department within 30 days after the determination. Who Must Report: Any sole propriership, partnership, corporation, trust, estate, cooperative, association, or other commercial entity that acquires, maintains, sres, or uses personal information. Individual Notice: Yes. Written or electronic notice must be provided Florida residents whose personal information was, or is reasonably believed have been, accessed as a result of a security breach. Specific content requirements for notice individuals. Substitute notice by means prescribed in the statute allowed in the case of very large breaches. Credit Reporting Agency Notification: Yes. An entity that must notify more than 1,000 persons at one time of a security breach is required also promptly notify all consumer reporting agencies of the breach. Government Notice: Yes. Notice FL Atrney General required if a single breach affects more than 500 Florida residents. Specific content requirements for Atrney General notification. Third Party Notice: Yes. If data was held by a person for another business entity, then notification the business entity must be given within 10 days. Timing: Notice must be provided individuals no later than 30 days following the determination of the breach. The notification may be delayed upon the written request of law enforcement. Personal information does not include information that is encrypted, secured or modified remove elements that personally identify an individual or otherwise render the information unusable. Entities notifying individuals in compliance with requirements of federal regular are deemed comply with requirement notify individuals. Deemed compliance with FL Atrney General notification requirement if a copy of the notice is timely provided FL Atrney General Department of Legal Affairs. Exemption for good-faith acquisition by an employee or agent, so long as personal information is not used for purposes unrelated the business or subject further unauthorized use. Allows the Department of Legal Affairs assess and collect the fines. For failure provide notice of the security breach within 30 days: (i) $1,000 per day per breach, then (ii) up $50,000 for each 30-day period up 180 days, then (iii) an amount not exceed $500,000. Penalties apply per breach, not per affected individual. Penalties do not apply government entities. No. Page 9
10 Ga. Code Ann., , et. seq. Date Enacted or Last Revised: 2007 Personal Information (of Georgia residents): An individual s first name or first initial and last name in combination with any one, or more, of the following data: social security number; driver s license or state ID; any account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access an individual s financial account; account passwords or personal identification numbers or other access codes; any of the above items when not in connection with the individual s first name or first initial and last name, if the information compromised would be sufficient perform or attempt perform identity theft against the person whose information was compromised. Security Breach: An unauthorized acquisition of an individual s electronic data that compromises the security, confidentiality, or integrity of Pl. Who Must Report: Any information broker that maintains computerized data that includes personal information. Information broker defined as any person or entity who, for monetary fees or dues, engages in whole or in part in the business of collecting, assembling, evaluating, compiling, reporting, transmitting, transferring, or communicating information concerning individuals for the primary purpose of furnishing personal information nonaffiliated third parties, but does not include any governmental agency whose records are maintained primarily for traffic safety, law enforcement, or licensing purposes. GEORGIA in the case of very large breaches or if the information broker does not have sufficient contact information notify affected individuals. Consumer Reporting Agency Notice: Yes. A data broker that must notify more than 10,000 Georgia residents at one time of a security breach is required also promptly notify all consumer reporting agencies of the breach. Government Notice: No. Third Party Notice: Yes. If information is being held by another entity, notice by the holding entity the owner entity must be given immediately after the breach. Notice other entities is required within 24 hours of discovery of the breach if the personal information was, or is reasonably believed have been acquired by an unauthorized person. Timing: Notice must be provided within the most expedient time possible and without unreasonable delay, unless disclosure impedes a criminal investigation. Risk of Harm Analysis: No, except as the definition of breach may incorporate elements of such a test. Statute not applicable if the personal data that was lost, slen, or accessed by an unauthorized individual is encrypted. Exemption for good-faith acquisition by an employee or agent, so long as PI not used or subject further willful unauthorized disclosure. Individual Notice: Yes. Written or electronic notice must be provided victims of a security breach. Substitute notice by means prescribed in the statute allowed Not specified. No. Page 10
11 HAWAII Haw. Rev. Stat 487n-1 et seq. Date Enacted or Last Revised: 2008 Personal Information (of Hawaii residents): an individual s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: (1) social security number; (2) driver s license number or Hawaii identification card number; or (3) account number, credit or debit card number, access code, or password that would permit access an individual s financial account. Personal information does not mean publicly available information that is lawfully made available the general public from federal, State, or local government records. Security Breach: Any unauthorized access and acquisition of unencrypted or unredacted records or data containing PI. Any incident of unauthorized access and acquisition of encrypted records or data containing PI along with the confidential process or key constitutes a security breach. Who Must Report: Any agency, individual, or commercial entity that conducts business in Hawaii and owns or licenses computerized data that includes personal information or maintains such data containing personal information of residents of Hawaii. Individual Notice: Yes. Notice must be given the affected person. Notice can be written, electronic, or telephonic. Notice must be clear and conspicuous. Notices must include description of the security breach. Substitute notice is available if more than 200,000 people affected, or would cost more than $100,000, or if the business or government agency does not have sufficient contact information. Consumer Reporting Agency Notice: Yes. If more than 1,000 persons are notified at one time, notification all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis is required. Government Notice: Yes. If more than 1,000 persons are notified at one time, notification Hawaii s Office of Consumer Protection is required. Third Party Notice: Yes. Any business located in Hawaii or that conducts business in Hawaii that maintains or possesses records or data containing personal information of residents of Hawaii that the business does not own or license, or any government agency that maintains or possesses records or data containing personal information of any residents of Hawaii shall notify the owner or licensee of the information of any security breach immediately following the discovery of the breach. Timing: Notice must be made without unreasonable delay, consistent with the legitimate needs of law enforcement... and consistent with any measures necessary determine sufficient contact information, determine the scope of the breach, and resre the reasonable integrity, security, and confidentiality of the data system. Risk of Harm Analysis: Yes. A breach occurs only when illegal use of the personal information has occurred, or is reasonably likely occur and that creates a risk of harm a person. Statute not applicable if the personal data that was lost, slen, or accessed by an unauthorized individual is encrypted. Good faith acquisition of personal information by an employee or agent of the business for a legitimate purpose is not a security breach; provided that the personal information is not used for a purpose other than a lawful purpose of the business and is not subject further unauthorized disclosure. At most $2,500 per violation and for any actual damages faced by an individual. The Atrney General or the executive direcr of the office of consumer protection may bring an action. No such action may be brought against a government agency. Yes. Any business that violates any provision of this chapter shall be liable the injured party in an amount equal the sum of any actual damages sustained by the injured party as a result of the violation. Page 11
12 IDAHO Idaho Code Date Enacted or Last Revised: March 30, 2006 Personal Information (of Idaho residents): First name or first initial and last name in combination with any one (1) or more of the following data elements that relate the resident, when either the name or the data elements are not encrypted:(a) social security number; (b) driver s license number or Idaho identification card number; or (c) account number, or credit or debit card number, in combination with any required security code, access code, or password that would permit access a resident s financial account. Personal information does not include publicly available information that is lawfully made available the general public from federal, state, or local government records or widely distributed media. Security Breach: An illegal acquisition of unencrypted computerized data that materially compromises the security, confidentiality, or integrity of PI for one or more persons. Who Must Report: A city, county, or state agency, individual or a commercial entity that conducts business in Idaho and owns or licenses computerized data that includes personal information about a resident of Idaho. Individual Notice: Yes. Written, electronic or telephonic notice must be provided victims of a security breach. Substitute notice by means prescribed in the statute allowed in the case of larger breaches: where the cost of notice exceeds $25,000 or the number of state residents exceeds 50,000. Consumer Reporting Agency Notice: No. Government Notice: Yes. Covered government agencies must give notice the state AG within 24 hours of discovery of a breach. Third Party Notice: Yes. Notice third party entities required if misuse of personal information about an Idaho resident occurred or is likely occur. Cooperation includes sharing with the owner or licensee information relevant the breach. Timing: Notice must be provided within the most expedient time possible and without unreasonable delay, unless disclosure impedes law enforcement investigation. Risk of Harm Analysis: Yes. Notice must only be given if the investigation determines that the misuse of information about an Idaho resident has occurred or is reasonably likely occur. Notification required solely in the case of breaches that materially compromise the security, the security confidentiality, or integrity of personal information for one or more persons maintained by an agency individual or a commercial entity. Exemption for good-faith acquisition by an employee or agent, so long as personal information not used or subject further unauthorized disclosure. Statute not applicable if the personal data that was lost, slen, or accessed by an unauthorized individual is encrypted. Entities regulated by state or federal law that maintain procedures for addressing security breaches pursuant those laws are exempt. Fine of not more than twenty-five thousand dollars ($25,000) per breach of the security of the system for any covered entity that intentionally fails give notice. Enforcement action brought by a commercial entity s primary regular. Primary regular... is that commercial entity s or individual s primary federal regular, the primary regular of a commercial entity or individual licensed by the department of finance is the department of finance, the primary regular of a commercial entity or individual licensed by the department of insurance is the department of insurance and, for all agencies and all other commercial entities or individuals, the primary regular is the Atrney General. No. Page 12
13 815 III. Comp Stat /1-40 Date Enacted or Last Revised: January 1, 2006 Personal Information (of Illinois residents): An individual s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted: (1) social security number; (2) driver s license number or State identification card number; (3) account number or credit or debit card number, or an account number or credit card number in combination with any required security code, access code, or password that would permit access an individual s financial account. Security Breach: An unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity of personal information. ILLINOIS was, or is reasonably believed have been, acquired by an unauthorized person. In addition providing such notification the owner or licensee, the data collecr shall cooperate with the owner or licensee in matters relating the breach. NOTE: Illinois may take the position that any unauthorized acquisition or use by a third party triggers the notification obligation, regardless of materiality or ownership of the data. Timing: Notice must be provided within the most expedient time possible and without unreasonable delay, but notice may be delayed if an appropriate law enforcement agency determines that notification will interfere with a criminal investigation. Risk of Harm Analysis: No, except as definition of breach may incorporate elements of such a test. Who Must Report: Any data collecr that owns or licenses personal information concerning a resident of Illinois. Data collecr definition includes, but is not limited government agencies, public and private universities, privately and publicly held corporations, financial institutions, retail operars, and any other entity that, for any purpose, handles, collects, disseminates, or otherwise deals with nonpublic personal information. Individual Notice: Yes. Written or electronic notice must be provided victims of a security breach. Substitute notice by means prescribed in the statute allowed where cost of actual notice exceeds $250,000 or affected persons exceeds 500,000, or if data collecr lacks sufficient contact information. Specific Notice Content required. Notices must include contact information for credit reporting agencies and the Federal Trade Commission, along with a statement that the individual can obtain information from these sources about fraud alerts and security freezes. Credit Reporting Agency Notice: No. Government Notice: No. Third Party Notice: Yes. Any data collecr that maintains or sres, but does not own or license, computerized data that includes personal information that the data collecr does not own or license shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information Exemption for good-faith acquisition by an employee or agent, so long as PI not used or subject further unauthorized disclosure. Statute not applicable if the personal data that was lost, slen, or accessed by an unauthorized individual is encrypted or redacted. Notwithstanding any other subsection in this Section, a data collecr that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this Act, shall be deemed in compliance with the notification requirements of this Section if the data collecr notifies subject persons in accordance with its policies in the event of a breach of the security of the system data. Good faith acquisition of personal information by an employee or agent of the business for a legitimate purpose is not a security breach; provided that the personal information is not used for a purpose other than a lawful purpose of the business and is not subject further unauthorized disclosure. Effective 1/1/2012: Statute includes standards for disposing of material containing PI in a manner that renders the PI unreadable, unusable and undecipherable. A violation of the statute constitutes an unlawful practice under the Consumer Fraud and Deceptive Business Practices Act. Violation of disposal provisions subject civil penalty of not more than $100 for each individual, not exceed $50,000 for each instance of improper disposal (plus an additional $10,000 Page 13
14 if victim is 65 years of age or older). AG may impose a civil penalty and may also file a civil action in circuit court recover penalties imposed under disposal provisions and may bring action in circuit court remedy violation. Yes, but only under the Consumer Fraud and Deceptive Business Practices Act. Page 14
15 Ind. Code Date Enacted or Last Revised: July 1, 2009 INDIANA Government Notice: Notice must be provided Atrney General of any breach. Personal Information (of Indiana residents): (1) a social security number that is not encrypted or redacted; or (2) an individual s first and last names, or first initial and last name, and one (1) or more of the following data elements that are not encrypted or redacted: (A) a driver s license number; (B) a state identification card number; (C) a credit card number; (D) a financial account number or debit card number in combination with a security code, password, or access code that would permit access the person s account. Security Breach: Unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a person, including non-electronic media including paper, microfilm, or similar medium. Who Must Report: Any company owning or using computerized personal information of an Indiana resident for commercial purposes. Individual Notice: Yes. Written or electronic notice must be provided victims of a security breach. Substitute notice by means prescribed in the statute allowed in the case of very large breaches. Credit Reporting Agency Notice: Yes. If breach includes more than 1000 consumers, data base owner shall also disclose each consumer reporting agency. Timing: Notice must be provided within the most expedient time possible and without unreasonable delay, unless disclosure impedes law enforcement investigation. Risk of Harm Analysis: Yes. Notice is required only if the data base owner knows, should know, or should have known that the unauthorized acquisition constituting the breach has resulted in or could result in identity deception, identity theft, or fraud affecting the Indiana resident. Statute not applicable if the personal data that was lost, slen, or accessed by an unauthorized individual is encrypted, unless unauthorized person has access encryption key. Good faith acquisition of personal information by an employee or agent of the person for lawful purposes of the person, if the personal information is not used or subject further unauthorized disclosure. The Atrney General may bring an action or obtain any or all of the following: (1) an injunction enjoin future violations of the statute; (2) a civil penalty of not more than one hundred fifty thousand dollars ($150,000) per deceptive act; (3) the Atrney General s reasonable costs in: (a) the investigation of the deceptive act; and (b) maintaining the action; (4) reasonable atrney s fees; and (5) costs of the action. No. Page 15
16 Iowa Code 715C Date Enacted or Last Revised: July 1, 2014 IOWA Credit Reporting Agency Notice: No. Government Notice: Yes. Notice Atrney General required if more than 500 Iowa residents are affected. Personal Information (of Iowa residents): An individual s first name or first initial and last name in combination with any one or more of the following data elements: Social security number; driver s license number or other unique identification number; financial account number, credit card number, or debit card number; unique electronic identifier or routing code; unique biometric data, such as a fingerprint, retina or iris image, or other unique physical representation. Security Breach: Unauthorized acquisition of personal information maintained in computerized form by a person that compromises the security, confidentiality, or integrity of the personal information. Breach of security also means unauthorized acquisition of personal information maintained by a person in any medium, including on paper, that was transferred by the person that medium from computerized form and that compromises the security, confidentiality, or integrity of the personal information. Good faith acquisition of personal information by a person or that person s employee or agent for a legitimate purpose of that person is not a breach of security, provided that the personal information is not used in violation of applicable law or in a manner that harms or poses an actual threat the security, confidentiality, or integrity of the personal information form. Who Must Report: Any person who owns or licenses computerized data that includes a consumer s personal information is used in the course of the person s business, vocation, occupation, or volunteer activities. Any person who maintains or otherwise possesses personal information on behalf of another person. The definition of person includes governmental subdivisions, agencies, or instrumentalities. Individual Notice: Yes. Written or electronic notice must be given any consumer whose personal information was included in the information that was breached. Substitute notice by means prescribed in the statute allowed where cost exceeds $250,000 or consumers exceed 350,000 or if the person does not have sufficient contact information provide notice. Notice must include (1) a description of the breach of security; (2) approximate date of the breach; (3) type of personal information obtained as a result of the breach; (4) contact information for consumer reporting agencies; (5) advice the consumer report suspected identity theft local law enforcement or the AG. Third Party Notice: Yes. Any person who maintains or otherwise possesses personal information on behalf of another person shall notify the owner or licensor of the information of any breach of security immediately following discovery of such breach of security if a consumer s personal information was included in the information that was breached. Timing: Notice individuals must be provided in the most expeditious manner possible and without unreasonable delay, unless a law enforcement agency determines that notification will impede a criminal investigation and the agency has made a written request that the notification be delayed. AG notice must be provided within five days after notice residents. Risk of Harm Analysis: Yes. Notification is not required if, after an appropriate investigation or after consultation with the relevant federal, state, or local agencies responsible for law enforcement, the person determined that no reasonable likelihood of financial harm the consumers whose personal information has been acquired has resulted or will result from the breach. Such a determination must be documented in writing and the documentation must be maintained for five years. Statute not applicable if the personal data that was breached was encrypted, redacted, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable.** Statute does not apply a person that: (1) complies with notification requirements or breach of security established by a person s primary or functional federal regular or by a state or federal law that provides greater protection personal information and at least as thorough disclosure requirements for form in which the data appropriate breach of security or personal information than that provided by this statute, or (2) is subject in compliance with Title V of the GLBA. Atrney General may seek and obtain an order that a party held violate this section pay damages the Atrney General on behalf of a person injured by the violation. No. Page 16
DATA BREACH CHARTS (Current as of December 31, 2015)
DATA BREACH CHARTS (Current as of December 31, 2015) The charts below provide summary information about data breach notification statutes across the country. California adopted the first data breach notification
More informationComparison of US State and Federal Security Breach Notification Laws. Current through August 26, 2015
Comparison of US State and Federal Security Breach Notification Laws Current through August 26, 2015 Alaska...2 Arizona...6 Arkansas...9 California...11 Colorado...19 Connecticut...21 Delaware...26 District
More informationJanuary 2007. An Overview of U.S. Security Breach Statutes
January 2007 An Overview of U.S. Security Breach Statutes An Overview of U.S. Security Breach Statutes Jeffrey M. Rawitz and Ryan E. Brown 1 This Jones Day White Paper summarizes what is generally entailed
More informationSecurity Breaches Under the NC Identity Theft Protection Act: Basic Information for Local Health Departments
Security Breaches Under the NC Identity Theft Protection Act: Basic Information for Local Health Departments Jill Moore UNC Institute of Government April 2007 In 2005, the N.C. General Assembly passed
More information2005 -- H 6191 SUBSTITUTE A AS AMENDED ======= LC02663/SUB A/2 ======= STATE OF RHODE ISLAND IN GENERAL ASSEMBLY JANUARY SESSION, A.D.
00 -- H 11 SUBSTITUTE A AS AMENDED LC0/SUB A/ STATE OF RHODE ISLAND IN GENERAL ASSEMBLY JANUARY SESSION, A.D. 00 A N A C T RELATING TO IDENTITY THEFT PROTECTION Introduced By: Representatives Gemma, Sullivan,
More information2015 -- S 0134 SUBSTITUTE B ======== LC000486/SUB B/2 ======== S T A T E O F R H O D E I S L A N D
0 -- S 01 SUBSTITUTE B LC000/SUB B/ S T A T E O F R H O D E I S L A N D IN GENERAL ASSEMBLY JANUARY SESSION, A.D. 0 A N A C T RELATING TO CRIMINAL OFFENSES - IDENTITY THEFT PROTECTION Introduced By: Senators
More informationMichie's Legal Resources. This part shall be known and may be cited as the Tennessee Identity Theft Deterrence Act of 1999. [Acts 1999, ch. 201, 2.
http://www.michie.com/tennessee/lpext.dll/tncode/12ebe/13cdb/1402c/1402e?f=templates&... Page 1 of 1 47-18-2101. Short title. This part shall be known and may be cited as the Tennessee Identity Theft Deterrence
More informationCYBERSECURITY: THREATS, SOLUTIONS AND PROTECTION. Robert N. Young, Director Carruthers & Roth, P.A. Email: rny@crlaw.com Phone: (336) 478-1131
CYBERSECURITY: THREATS, SOLUTIONS AND PROTECTION Robert N. Young, Director Carruthers & Roth, P.A. Email: rny@crlaw.com Phone: (336) 478-1131 TOPICS 1. Threats to your business s data 2. Legal obligations
More informationLegal Education Conference 2015. Cyber/Data Breach Reference Guide: Best Practices, State Surveys, HIPAA Enforcement
Legal Education Conference 2015 Cyber/Data Breach Reference Guide: Best Practices, State Surveys, HIPAA Enforcement DATA BREACH: BEST PRACTICES ASSESS What type of sensitive data do you have? Financial?
More informationExhibit B. State-By-State Data Security Overview
Exhibit B State-By-State Data Security Overview Michele A. Whitham Partner, Founding Co-Chair Security & Privacy Practice Group Foley Hoag LLP 155 Seaport Boulevard Boston, MA 02210 State Statute Citation
More informationIDENTITY THEFT IN SOUTH CAROLINA: 2014 UPDATE. Marti Phillips, Esq. Director, Identity Theft Unit South Carolina Department of Consumer Affairs
IDENTITY THEFT IN SOUTH CAROLINA: 2014 UPDATE Marti Phillips, Esq. Director, Identity Theft Unit South Carolina Department of Consumer Affairs This presentation is not meant to serve as a substitute for
More information51ST LEGISLATURE - STATE OF NEW MEXICO - SECOND SESSION, 2014
HOUSE BILL 1ST LEGISLATURE - STATE OF NEW MEXICO - SECOND SESSION, INTRODUCED BY William "Bill" R. Rehm AN ACT RELATING TO CONSUMER PROTECTION; CREATING THE DATA BREACH NOTIFICATION ACT; REQUIRING NOTIFICATION
More informationSecurity Breach Notification Laws. Data Privacy Survey 2014
Security Breach Notification Laws Data Privacy Survey 2014 2014 Weil, Gotshal & Manges LLP. All rights reserved. Quotation with attribution is permitted. Security Breach Notification Laws Data Privacy
More informationData Breach Notification Burden Grows With First State Insurance Commissioner Mandate
Privacy, Data Security & Information Use September 16, 2010 Data Breach Notification Burden Grows With First State Insurance Commissioner Mandate by John L. Nicholson and Meighan E. O'Reardon Effective
More informationKRS Chapter 61. Personal Information Security and Breach Investigations
KRS Chapter 61 Personal Information Security and Breach Investigations.931 Definitions for KRS 61.931 to 61.934. (Effective January 1, 2015).932 Personal information security and breach investigation procedures
More informationCOLORADO IDENTITY THEFT RANKING BY STATE: Rank 8, 89.0 Complaints Per 100,000 Population, 4328 Complaints (2007) Updated November 28, 2008
COLORADO IDENTITY THEFT RANKING BY STATE: Rank 8, 89.0 Complaints Per 100,000 Population, 4328 Complaints (2007) Updated November 28, 2008 Current Laws: A person commits identity theft if he or she: Knowingly
More informationFEDERAL AND STATE BREACH NOTIFICATION LAWS FOR CALIFORNIA
APPENDIX PR 12-A FEDERAL AND STATE BREACH NOTIFICATION LAWS FOR CALIFORNIA LEGAL CITATION California Civil Code Section 1798.82 California Health and Safety (H&S) Code Section 1280.15 42 U.S.C. Section
More informationIdentity Theft Prevention and Security Breach Notification Policy. Purpose:
Identity Theft Prevention and Security Breach Notification Policy Purpose: Lahey Clinic is committed to protecting the privacy of the Personal Health Information ( PHI ) of our patients and the Personal
More informationCHAPTER 226. C.56:11-44 Short title. 1. This act shall be known and may be cited as the "Identity Theft Prevention Act."
CHAPTER 226 AN ACT concerning identity theft, amending P.L.1997, c.172 and supplementing various parts of the statutory law. BE IT ENACTED by the Senate and General Assembly of the State of New Jersey:
More informationNorth Carolina General Statutes Chapter 75 Monopolies, Trusts, and Consumer Protection Article 2A Identity Theft Protection Act
North Carolina General Statutes Chapter 75 Monopolies, Trusts, and Consumer Protection Article 2A Identity Theft Protection Act 75-60. Title. This Article shall be known and may be cited as the "Identity
More informationClient Advisory October 2009. Data Security Law MGL Chapter 93H and 201 CMR 17.00
Client Advisory October 2009 Data Security Law MGL Chapter 93H and 201 CMR 17.00 For a discussion of these and other issues, please visit the update on our website at /law. To receive mailings via email,
More informationCONNECTICUT IDENTITY THEFT RANKING BY STATE: Rank 19, 68.8 Complaints Per 100,000 Population, 2409 Complaints (2007) Updated November 28, 2008
CONNECTICUT IDENTITY THEFT RANKING BY STATE: Rank 19, 68.8 Complaints Per 100,000 Population, 2409 Complaints (2007) Updated November 28, 2008 Current Laws: A person commits identity theft when he intentionally
More informationSENATE FILE NO. SF0065. Sponsored by: Senator(s) Johnson and Case A BILL. for. AN ACT relating to consumer protection; providing for
00 STATE OF WYOMING 0LSO-00 SENATE FILE NO. SF00 Identity theft protection. Sponsored by: Senator(s) Johnson and Case A BILL for AN ACT relating to consumer protection; providing for notice to consumers
More informationData Breach Notification: State and Federal Law Requirements. Good News
Data Breach Notification: State and Federal Law Requirements Donna Maassen, CHC Director of Compliance Extendicare Health Services, Inc. & Andrew G. Conkovich, CHC Director of Regulatory Affairs & Compliance
More informationNC General Statutes - Chapter 75 Article 2A 1
Article 2A. Identity Theft Protection Act. 75-60. Title. This Article shall be known and may be cited as the "Identity Theft Protection Act". (2005-414, s. 1.) 75-61. Definitions. The following definitions
More informationPLEASE READ. The official text of New Jersey Statutes can be found through the home page of the New Jersey Legislature http://www.njleg.state.nj.
PLEASE READ The official text of New Jersey Statutes can be found through the home page of the New Jersey Legislature http://www.njleg.state.nj.us/ New Jersey Statutes Annotated (N.J.S.A.), published by
More informationPOLICY AND PROCEDURE MANUAL
Pennington Biomedical POLICY NO. 412.22 POLICY AND PROCEDURE MANUAL Origin Date: 02/04/2013 Impacts: ALL PERSONNEL Effective Date: 03/17/2014 Subject: HIPAA BREACH NOTIFICATION Last Revised: Source: LEGAL
More informationa. Credit to be used primarily for personal, family, or household purposes. c. Any other purpose authorized under 15 U.S.C. 168l(b).
North Carolina General Statutes Article 2A Identity Theft Protection Act 75-61. Definitions. The following definitions apply in this Article: (1) "Business". A sole proprietorship, partnership, corporation,
More informationBUSINESS AND COMMERCE CODE PERSONAL IDENTITY INFORMATION UNAUTHORIZED USE OF IDENTIFYING INFORMATION
BUSINESS AND COMMERCE CODE TITLE 11. PERSONAL IDENTITY INFORMATION SUBTITLE B. IDENTITY THEFT CHAPTER 521. UNAUTHORIZED USE OF IDENTIFYING INFORMATION SUBCHAPTER A. GENERAL PROVISIONS Sec. 521.001.AASHORT
More informationwhat your business needs to do about the new HIPAA rules
what your business needs to do about the new HIPAA rules Whether you are an employer that provides health insurance for your employees, a business in the growing health care industry, or a hospital or
More informationHIPAA BUSINESS ASSOCIATE AGREEMENT
HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ("BA AGREEMENT") supplements and is made a part of any and all agreements entered into by and between The Regents of the University
More informationRHODE ISLAND IDENTITY THEFT RANKING BY STATE: Rank 34, 56.0 Complaints Per 100,000 Population, 592 Complaints (2007) Updated January 5, 2009
RHODE ISLAND IDENTITY THEFT RANKING BY STATE: Rank 34, 56.0 Complaints Per 100,000 Population, 592 Complaints (2007) Updated January 5, 2009 Current Laws: A person commits the crime of identity fraud if
More informationUNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14
UNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14 RULES Issued August 19, 2009 Requires Covered Entities to notify individuals of a breach as well as HHS without reasonable delay or within
More informationMassachusetts Adopts Strict Security Regulations Governing Personal Information LISA M. ROPPLE, KEVIN V. JONES, AND CHRISTINE M.
Massachusetts Adopts Strict Security Regulations Governing Personal Information LISA M. ROPPLE, KEVIN V. JONES, AND CHRISTINE M. SANTARIGA Establishing itself as a leader in the data security area, Massachusetts
More informationGENERAL ASSEMBLY OF NORTH CAROLINA SESSION 2005 H 2 HOUSE BILL 629 Committee Substitute Favorable 5/18/05
GENERAL ASSEMBLY OF NORTH CAROLINA SESSION 0 H HOUSE BILL Committee Substitute Favorable //0 Short Title: Option to Freeze Credit Report. Sponsors: Referred to: March, 0 (Public) A BILL TO BE ENTITLED
More information(1) regulate the storage, retention, transmission, and security measures for credit card, debit card, and other payment-related data;
Legal Updates & News Legal Updates Pending Changes to California s Data Breach Law: New Burdens for Retailers? September 2007 by Christine E. Lyon, William L. Stern Related Practices: Privacy and Data
More informationOKLAHOMA LAWS RELATING TO IDENTITY THEFT
OKLAHOMA LAWS RELATING TO IDENTITY THEFT Prepared for VICARS by Legal Aid Services of Oklahoma Introduction: OKLAHOMA LAWS RELATING TO IDENTITY THEFT Identity theft takes place when someone uses your personal
More informationBUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (Hereinafter "Agreement") dated as of, 2013, is made by and between (Hereinafter Covered Entity ) and (Hereinafter Business Associate ). ARTICLE
More informationS. 1193 IN THE SENATE OF THE UNITED STATES
II TH CONGRESS ST SESSION S. To require certain entities that collect and maintain personal information of individuals to secure such information and to provide notice to such individuals in the case of
More informationBarnes & Thornburg LLP HIPAA Update: HITECH Act Breach Notification Rule
HEALTHCARE October 2009 Barnes & Thornburg LLP HIPAA Update: HITECH Act Breach Notification Rule This HIPAA Update provides a detailed description of the new breach notification requirements for HIPAA
More informationArticles. Three Large States Revise Their Security Breach Notification Laws and Texas Applies Its Law to Residents of Some Other States to Boot
Three Large States Revise Their Security Breach Notification Laws and Texas Applies Its Law to Residents of Some Other States to Boot Jeff Dodd IP and Technology Developments - October 2011 October 25,
More informationPENNSYLVANIA IDENTITY THEFT RANKING BY STATE: Rank 14, 72.5 Complaints Per 100,000 Population, 9016 Complaints (2007) Updated January 29, 2009
PENNSYLVANIA IDENTITY THEFT RANKING BY STATE: Rank 14, 72.5 Complaints Per 100,000 Population, 9016 Complaints (2007) Updated January 29, 2009 Current Laws: A person commits the offense of identity theft
More informationGENERAL ASSEMBLY OF NORTH CAROLINA SESSION 2005 SESSION LAW 2005-414 SENATE BILL 1048
GENERAL ASSEMBLY OF NORTH CAROLINA SESSION 2005 SESSION LAW 2005-414 SENATE BILL 1048 AN ACT ENACTING THE IDENTITY THEFT PROTECTION ACT OF 2005. The General Assembly of North Carolina enacts: SECTION 1.
More informationUpdates on HITECH and State Breach Notification and Security Requirements Robin Campbell
Who s Afraid Of A Big Bad Breach?: Updates on HITECH and State Breach Notification and Security Requirements Robin Campbell Overview Identifying the laws that protect personal information and protected
More informationAlabama: Examples of fraud include the following:
Alabama: Alabama law does not provide for civil false claim actions, as does the federal False Claims Act, but prosecutors may bring criminal actions against any person who knowingly makes or causes to
More informationUNITED STATES DISTRICT COURT DISTRICT OF CONNECTICUT
UNITED STATES DISTRICT COURT DISTRICT OF CONNECTICUT ATTORNEY GENERAL OF THE : STATE OF CONNECTICUT, and : STATE OF CONNECTICUT : Plaintiffs, : : v. : Civ. No. : HEALTH NET OF THE NORTHEAST, INC., : HEALTH
More informationEverett School Employee Benefit Trust. Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law
Everett School Employee Benefit Trust Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law Introduction The Everett School Employee Benefit Trust ( Trust ) adopts this policy
More informationLimited Data Set Data Use Agreement
Limited Data Set Data Use Agreement This Agreement is made and entered into by and between (hereinafter Applicant ) and the State of Florida Agency for Health Care Administration, Florida Center for Health
More informationIssue Brief. Arizona State Senate IDENTITY THEFT AND CONSUMER PROTECTION INTRODUCTION IDENTITY THEFT. September 17, 2015.
Arizona State Senate Issue Brief September 17, 2015 Note to Reader: The Senate Research Staff provides nonpartisan, objective legislative research, policy analysis and related assistance to the members
More informationSAMPLE BUSINESS ASSOCIATE AGREEMENT
SAMPLE BUSINESS ASSOCIATE AGREEMENT THIS AGREEMENT IS TO BE USED ONLY AS A SAMPLE IN DEVELOPING YOUR OWN BUSINESS ASSOCIATE AGREEMENT. ANYONE USING THIS DOCUMENT AS GUIDANCE SHOULD DO SO ONLY IN CONSULT
More informationHSHS BUSINESS ASSOCIATE AGREEMENT BACKGROUND AND RECITALS
HSHS BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement, ( Agreement ) is entered into on the date(s) set forth below by and between Hospital Sisters Health System on its own behalf and
More informationHealthcare Practice. Breach Notification Requirements Under HIPAA/HITECH Act and Oregon Consumer Identity Theft Protection Act. Oregon.
Healthcare Practice Breach Notification Requirements Under HIPAA/HITECH Act and Consumer Identity Theft Protection Act August 2013 Anchorage Beijing New York Portland Seattle Washington, D.C. www.gsblaw.com
More informationThe ReHabilitation Center. 1439 Buffalo Street. Olean. NY. 14760
Procedure Name: HITECH Breach Notification The ReHabilitation Center 1439 Buffalo Street. Olean. NY. 14760 Purpose To amend The ReHabilitation Center s HIPAA Policy and Procedure to include mandatory breach
More informationThe Matrix Reloaded: Cybersecurity and Data Protection for Employers. Jodi D. Taylor
The Matrix Reloaded: Cybersecurity and Data Protection for Employers Jodi D. Taylor Why Talk About This Now? Landscape is changing Enforcement by federal and state governments on the rise Legislation on
More informationDATA PRIVACY ENFORCEMENT EFFORTS BY STATE ATTORNEYS GENERAL
DATA PRIVACY ENFORCEMENT EFFORTS BY STATE ATTORNEYS GENERAL State AGs have been very active in the leadership of data privacy protection initiatives across the country, and have dedicated considerable
More informationTerms and Conditions Relating to Protected Health Information ( City PHI Terms ) Revised and Effective as of September 23, 2013
Terms and Conditions Relating to Protected Health Information ( City PHI Terms ) Revised and Effective as of September 23, 2013 The City of Philadelphia is a Covered Entity as defined in the regulations
More informationCSR Breach Reporting Service Frequently Asked Questions
CSR Breach Reporting Service Frequently Asked Questions Quick and Complete Reporting is Critical after Data Loss Why do businesses need this service? If organizations don t have this service, what could
More informationM E M O R A N D U M. Definitions
M E M O R A N D U M DATE: November 10, 2011 TO: FROM: RE: Krevolin & Horst, LLC HIPAA Obligations of Business Associates In connection with the launch of your hosted application service focused on practice
More informationCOMPLIANCE ALERT 10-12
HAWAII HEALTH SYSTEMS C O R P O R A T I O N "Touching Lives Every Day COMPLIANCE ALERT 10-12 HIPAA Expansion under the American Recovery and Reinvestment Act of 2009 The American Recovery and Reinvestment
More informationSECTION-BY-SECTION ANALYSIS
INTRODUCED BY CONGRESSMAN RANDY NEUGEBAUER (R-TX) AND CONGRESSMAN JOHN CARNEY (D-DE) SECTION-BY-SECTION ANALYSIS Section 1: Short Title The Data Security Act of 2015. Section 2: Purposes The purposes of
More informationDATA SECURITY: A CRUCIAL TOPIC FOR CORPORATE COUNSEL AND MANAGEMENT
Advisor Article DATA SECURITY: A CRUCIAL TOPIC FOR CORPORATE COUNSEL AND MANAGEMENT By James R. Carroll, David S. Clancy and Christopher G. Clark* Skadden, Arps, Slate, Meagher & Flom Customer data security
More informationData Security. Updated April, 2006. CCIM Institute 430 N. Michigan Avenue Chicago, IL 60611 (312) 321-4460
Data Security Updated April, 2006 CCIM Institute 430 N. Michigan Avenue Chicago, IL 60611 (312) 321-4460 Background As technology has evolved and become vital for businesses, a growing number of public
More informationProtecting Social Security Numbers
Protecting Social Security Numbers: Federal Legislation in Sight STEVEN C. BENNETT, MAURICIO F. PAEZ, and Gwendolynne Chen Due to an alarming increase in identity theft crimes, a bipartisan bill, Protecting
More informationDisclaimer: Template Business Associate Agreement (45 C.F.R. 164.308)
HIPAA Business Associate Agreement Sample Notice Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308) The information provided in this document does not constitute, and is no substitute
More informationBusiness Associate Agreement
This Business Associate Agreement Is Related To and a Part of the Following Underlying Agreement: Effective Date of Underlying Agreement: Vendor: Business Associate Agreement This Business Associate Agreement
More informationTape Vaulting Audit And Encryption Usage Analysis
Tape Vaulting Audit And Encryption Usage Analysis Prepared for Public Presentation (includes SB 1386, Gramm Leach Bliley, and Personal Data Protection and Security Act of 2005 Customer Information Protection
More informationOREGON IDENTITY THEFT RANKING BY STATE: Rank 20, 68.1 Complaints Per 100,000 Population, 2552 Complaints (2007) Updated January 10, 2009
OREGON IDENTITY THEFT RANKING BY STATE: Rank 20, 68.1 Complaints Per 100,000 Population, 2552 Complaints (2007) Updated January 10, 2009 Current Laws: A person commits the crime of identity theft if the
More informationCommunity First Health Plans Breach Notification for Unsecured PHI
Community First Health Plans Breach Notification for Unsecured PHI The presentation is for informational purposes only. It is the responsibility of the Business Associate to ensure awareness and compliance
More informationThe Rosenthal Fair Debt Collection Practices Act California Civil Code 1788 et seq.
The Rosenthal Fair Debt Collection Practices Act California Civil Code 1788 et seq. 1788. This title may be cited as the Rosenthal Fair Debt Collection Practices Act. 1788.1 (a) The Legislature makes the
More informationWISCONSIN IDENTITY THEFT RANKING BY STATE: Rank 15, 175.9 Complaints Per 100,000 Population, 9852 Complaints (2007) Updated January 16, 2009
WISCONSIN IDENTITY THEFT RANKING BY STATE: Rank 15, 175.9 Complaints Per 100,000 Population, 9852 Complaints (2007) Updated January 16, 2009 Current Laws: It is unlawful to intentionally use or attempt
More informationFalse Claims Act Regulations by State
False Claims Act Regulations by State Under the False Claims Act, 31 U.S.C. 3729-3733, those who knowingly submit, or cause another person or entity to submit, false claims for payment of The purpose of
More informationEvolution of HB 300. HIPAA passed in 1996 Originally, HIPAA only directly impacted certain covered entities :
Texas HB 300 HB 300: Background Texas House Research Organizational Bill Analysis for HB 300 shows state legislators believed HIPAA did not provide enough protection for private health information (PHI)
More informationData Security: Risks, Compliance and How to be Prepared for a Breach
Data Security: Risks, Compliance and How to be Prepared for a Breach Presented by: Sandy B. Garfinkel, Esq. The Data Breach Reality: 2015 AshleyMadison.com (July 2015) Member site facilitating personal
More informationHIPAA Privacy Breach Notification Regulations
Technical Bulletin Issue 8 2009 HIPAA Privacy Breach Notification Regulations On August 24, 2009 Health and Human Services (HHS) issued interim final regulations implementing the HIPAA Privacy Breach Notification
More informationHIPAA Privacy and Security Changes in the American Recovery and Reinvestment Act
International Life Sciences Arbitration Health Industry Alert If you have questions or would like additional information on the material covered in this Alert, please contact the author: Brad M. Rostolsky
More informationBreach Notification Policy
1. Breach Notification Team. Breach Notification Policy Ferris State University ( Ferris State ), a hybrid entity with health care components, has established a Breach Notification Team, which consists
More informationHealthcare Practice. HIPAA/HITECH Act vs. Oregon Consumer Identity Theft Protection Act. February 2010
Healthcare Practice HIPAA/HITECH Act vs. Oregon Consumer Identity Theft Protection Act February 2010 HIPAA/HITECH Background Healthcare Practice Stephen Rose srose@gsblaw.com 206.464.3939 Ext 1375 Larry
More informationSAMPLE TEMPLATE. Massachusetts Written Information Security Plan
SAMPLE TEMPLATE Massachusetts Written Information Security Plan Developed by: Jamy B. Madeja, Esq. Erik Rexford 617-227-8410 jmadeja@buchananassociates.com Each business is required by Massachusetts law
More informationBREACH NOTIFICATION FOR UNSECURED PROTECTED HEALTH INFORMATION
BREACH NOTIFICATION FOR UNSECURED PROTECTED HEALTH INFORMATION Summary November 2009 On August 24, 2009, the Department of Health and Human Services (HHS) published an interim final rule (the Rule ) that
More informationIDENTITY THEFT: DATA SECURITY FOR EMPLOYERS. Boston, MA 02110 Richmond, Virginia 23219 Tel. (617) 502.8238 Tel. (804) 783.7579
IDENTITY THEFT: DATA SECURITY FOR EMPLOYERS Daniel J. Blake, Esq. Vijay K. Mago, Esq. LeClairRyan, A Professional Corporation LeClairRyan, A Professional Corporation One International Place, Eleventh Floor
More informationCommercial Law - Consumer Credit Report Security Freezes
LAWS OF ALASKA 00 Source SCS CSHB (FIN) am S Chapter No. AN ACT Relating to breaches of security involving personal information, credit report and credit score security freezes, protection of social security
More informationBUSINESS ASSOCIATE AGREEMENT TERMS
BUSINESS ASSOCIATE AGREEMENT TERMS This Addendum ( Addendum ) is incorporated into and made part of the Agreement between SIGNATURE HEALTHCARE CORPORATION ("Covered Entity ) and ( Business Associate"),
More informationFORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT
FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) is made and entered into to be effective as of, 20 (the Effective Date ), by and between ( Covered Entity ) and
More informationSUBJECT: Identity Theft / Patient Misidentification POLICY NUMBER: Page 1 of 16 GENERATED BY: Integrity Compliance Office APPROVED BY:
SUBJECT: Identity Theft / Patient Misidentification POLICY NUMBER: ISSUED: 11/7/06 REVISED: 3/16/07; 5/6/08 (web reference updates only) Page 1 of 16 GENERATED BY: Integrity Compliance Office APPROVED
More informationInformation Privacy and Security Program. Title: EC.PS.01.02
Page: 1 of 9 I. PURPOSE: The purpose of this standard is to ensure that affected individuals, the media, and the Secretary of Health and Human Services (HHS) are appropriately notified of any Breach of
More informationScope All [Name of Facility] operations
Scope All [Name of Facility] operations Purpose To describe the measures to be followed when health care is obtained under a fictitious name or in another person s name. This includes situations when a
More informationFresenius Medical Care North America
Section 6032 of the Deficit Reduction Act of 2005 requires that any entities that receive or make annual Medicaid payments of at least $5,000,000 must establish for all employees and contractors or agents
More informationFirstCarolinaCare Insurance Company Business Associate Agreement
FirstCarolinaCare Insurance Company Business Associate Agreement THIS BUSINESS ASSOCIATE AGREEMENT ("Agreement"), is made and entered into as of, 20 (the "Effective Date") between FirstCarolinaCare Insurance
More informationADMINISTRATIVE REGULATION EFFECTIVE DATE: 1/1/2016
Page 1 of 9 CITY OF CHESAPEAKE, VIRGINIA NUMBER: 2.62 ADMINISTRATIVE REGULATION EFFECTIVE DATE: 1/1/2016 SUPERCEDES: N/A SUBJECT: HUMAN RESOURCES DEPARTMENT CITY OF CHESAPEAKE EMPLOYEE/RETIREE GROUP HEALTH
More informationILLINOIS IDENTITY THEFT RANKING BY STATE: Rank 11, 80.2 Complaints Per 100,000 Population, 10304 Complaints (2007) Updated November 30, 2008
ILLINOIS IDENTITY THEFT RANKING BY STATE: Rank 11, 80.2 Complaints Per 100,000 Population, 10304 Complaints (2007) Updated November 30, 2008 Current Laws: A person commits the offense of identity theft
More informationProtecting Personal Information in Third Party Hands An Overview of Legal Requirements
Protecting Personal Information in Third Party Hands An Overview of Legal Requirements Margaret P. Eisenhauer 1 6 January 2006 U.S. companies are increasingly subject to fiduciary-like duties with regard
More informationHIPAA AND MEDICAID COMPLIANCE POLICIES AND PROCEDURES
SALISH BHO HIPAA AND MEDICAID COMPLIANCE POLICIES AND PROCEDURES Policy Name: HIPAA BREACH NOTIFICATION REQUIREMENTS Policy Number: 5.16 Reference: 45 CFR Parts 164 Effective Date: 03/2016 Revision Date(s):
More informationIDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Data Breach Notification Policy 10240
IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Data Breach Notification Policy 10240 POLICY INFORMATION Major Functional Area (MFA): MFA X - Office of General Counsel & Compliance
More informationBUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT ( Agreement ) is entered into by and between (the Covered Entity ), and Iowa State Association of Counties (the Business Associate ). RECITALS
More informationHIPAA Business Associate Agreement
HIPAA Business Associate Agreement User of any Nemaris Inc. (Nemaris) products or services including but not limited to Surgimap Spine, Surgimap ISSG, Surgimap SRS, Surgimap Office, Surgimap Ortho, Surgimap
More informationFive Rivers Medical Center, Inc. 2801 Medical Center Drive Pocahontas, AR 72455. Notification of Security Breach Policy
Five Rivers Medical Center, Inc. 2801 Medical Center Drive Pocahontas, AR 72455 Notification of Security Breach Policy Purpose: This policy has been adopted for the purpose of complying with the Health
More informationH. R. 1 144. Subtitle D Privacy
H. R. 1 144 (1) an analysis of the effectiveness of the activities for which the entity receives such assistance, as compared to the goals for such activities; and (2) an analysis of the impact of the
More informationModel Business Associate Agreement
Model Business Associate Agreement Instructions: The Texas Health Services Authority (THSA) has developed a model BAA for use between providers (Covered Entities) and HIEs (Business Associates). The model
More informationBusiness Associate Agreement Involving the Access to Protected Health Information
School/Unit: Rowan University School of Osteopathic Medicine Vendor: Business Associate Agreement Involving the Access to Protected Health Information This Business Associate Agreement ( BAA ) is entered
More informationPersonal Information Protection Policy
I Personal Information Protection Policy Purpose: This policy outlines specific employee responsibilities in regards to safeguarding personal information. To this end, each employee has a responsibility
More information