DATA BREACH CHARTS (Current as of December 31, 2015)

Transcription

1 DATA BREACH CHARTS (Current as of December 31, 2015) The charts below provide summary information about data breach notification statutes across the country. California adopted the first data breach notification statute in 2003, and, as of the writing of this introduction, 46 states have followed with similar statutes. Currently, the only states without data breach notification statutes are Alabama, New Mexico and South Dakota. There are many common features in the majority of statutes. These include provisions addressing a definition of personal information, a definition of covered entities that must provide a notification, a definition of security breach, the persons to whom notification must be provided, the timing for the notification, and a prescribed method for notification. There are, however, significant differences between several of the statutes. Some states require providing notice to a state attorney general or a state agency. Other states require providing notice to credit reporting agencies. Some states specify the contents of the notice that must be provided to affected individuals, such as a general description of the nature of the breach. Other states expressly prohibit revealing the nature of the breach. The bottom line is that one size does not fit all. Unless or until the federal government adopts a uniform scheme, entities that experience a data breach must carefully evaluate the requirements for every state in which any affected person resides. The following summary was last updated in December 2015 and is for informational purposes only. It does not constitute legal advice. As data breach notification laws change rapidly, no reference summary should be consulted as a substitute for reviewing statutory language and consulting with an attorney. It is also important to recognize that the charts below summarize only data breach notification statutes: many states have enacted additional statutes and provisions related to information security. Alabama Alaska Arizona Arkansas California Colorado Connecticut Delaware Florida Georgia Hawaii Idaho Illinois Indiana Iowa Kansas Kentucky Louisiana Maine Maryland Massachusetts Michigan Minnesota Mississippi Missouri Montana Nebraska Nevada New Hampshire New Jersey New Mexico New York North Carolina North Dakota Ohio Oklahoma Oregon Pennsylvania Rhode Island South Carolina South Dakota Tennessee Texas Utah Vermont Virginia Washington West Virginia Wisconsin Wyoming

2 State Encryption Safe Harbor Risk Of Harm Analysis DATA BREACH SUMMARY CHART Specific Content Requirements for Notices to Consumers Specific Timing Requirements for Notices to Consumers Notice to State Regulator Required Notice to Consumer Reporting Agencies Required Specific Provisions for Monetary Penalties Alabama Alaska Arizona Arkansas California Colorado Connecticut Delaware Florida Georgia Hawaii Idaho Illinois Indiana Iowa Kansas Kentucky Louisiana Maine Maryland Massachusetts Michigan Minnesota Mississippi Missouri Montana Nebraska Nevada New Hampshire Private Cause Of Action Data Breach Charts current as of December 31, 2015 Page 2

3 State Encryption Safe Harbor Risk Of Harm Analysis Specific Content Requirements for Notices to Consumers Specific Timing Requirements for Notices to Consumers Notice to State Regulator Required Notice to Consumer Reporting Agencies Required Specific Provisions for Monetary Penalties New Jersey New Mexico New York North Carolina North Dakota Ohio Oklahoma Oregon Pennsylvania Rhode Island South Carolina South Dakota Tennessee Texas Utah Vermont Virginia Washington West Virginia Wisconsin Wyoming Private Cause Of Action Data Breach Charts current as of December 31, 2015 Page 3

4 ALABAMA No legislation. Back to top Data Breach Charts current as of December 31, 2015 Page 4

5 ALASKA: Alaska Stat et seq. Persons Covered Definition of Security Breach Definition of Personal Information Encryption Safe Harbor Notice Procedures/Timing Risk of Harm Analysis Allowable Delay in Notification Methods of Notice Any person doing business, governmental agency, or person with more than 10 employees that owns or licenses personal information, in any form, which includes personal information of an Alaskan resident. Judicial branch agencies are not covered. Means unauthorized acquisition, or reasonable belief of unauthorized acquisition, of personal information that compromises the security, confidentiality, or integrity of the personal information maintained by the information collector; "acquisition" includes acquisition by photocopying, facsimile, or other paper-based method; a device, including a computer, that can read, write, or store information that is represented in numerical form; or a method not identified above. Means information in any form on an individual that is not encrypted or redacted, or is encrypted and the encryption key has been accessed or acquired, and that consists of a combination of an individual s name; in this subparagraph, "individual s name" means a combination of an individual s o first name or first initial; and o last name; and one or more of the following information elements: o the individual s social security number; o the individual s driver s license number or state identification card number; o the individual s account number, credit card number, or debit card number; o passwords, personal identification numbers, or other access codes for financial accounts. The statute only applies to personal information that is not encrypted or redacted, or is encrypted and the encryption key has been accessed or acquired. If a covered person owns or licenses personal information in any form that includes personal information on an Alaska resident, and a breach of the security of the information system that contains personal information occurs, the covered person shall, after discovering or being notified of the breach, disclose the breach to each Alaska resident whose personal information was subject to the breach. The disclosure shall be made in the most expeditious time possible and without unreasonable delay. Disclosure is not required if, after an appropriate investigation and after written notification to the attorney general, the covered person determines that there is not a reasonable likelihood that harm to the consumers has resulted or will result from the breach. The determination shall be documented in writing and maintained for five years. Notification may be delayed if an appropriate law enforcement agency determines that disclosing the breach will interfere with a criminal investigation or as necessary to determine the scope of the breach and restore the reasonable integrity of the information system. Notification must be made after the law enforcement agency determines that disclosure of the breach will no longer interfere with the investigation. Notice may be provided by any of the following methods: Written notice Electronic notice if the information collector s primary method of communication with the resident is by electronic means or if making the disclosure by the electronic means is consistent with the provisions regarding electronic records and signatures required for notices legally required to be in writing under 15 U.S.C et seq. Data Breach Charts current as of December 31, 2015 Page 5

6 Substitute Notice Compliance with Notification Requirements Notice to Consumer Reporting Agencies Notice to Attorney General Violations Waiver If the cost of providing notice would exceed $150,000, or the affected class of residents to be notified exceeds 300,000, or the information collector does not have sufficient contact information to provide notice, substitute notice shall consistent of: electronic mail if the information collector has an electronic mail address for the state resident; conspicuously posting the disclosure on the Internet website of the information collector if the information collector maintains an Internet website; and Notification to major statewide media. If more 1,000 state residents are affected, consumer credit reporting agencies shall also be notified of the security breach. Governmental agencies are liable to the state for a civil penalty up to $500 for each state resident who was not notified, not to exceed $50,000. The Department of Administration may enforce this section against a governmental agency. For Non-governmental information collectors who violate AS , the violation is an unfair or deceptive act or practice under AS However, the information collector is not subject to the civil penalties imposed under AS but is liable to the state for a civil penalty of up to $500 for each state resident who was not notified under AS , except that the total civil penalty may not exceed $50,000; and damages that may be awarded against the information collector under AS are limited to actual economic damages that do not exceed $500. A waiver of the notification requirement is void and unenforceable. Back to top Data Breach Charts current as of December 31, 2015 Page 6

7 ARIZONA: Ariz. Rev. Stat Persons Covered Definition of Security Breach Definition of Personal Information Encryption Safe Harbor Notice Procedures/Timing Risk of Harm Analysis Allowable Delay in Notification Methods of Notice A person that conducts business in Arizona and that owns or licenses or unencrypted computerized data or that includes personal information of Arizona residents; a person that maintains computerized data that includes personal information about Arizona residents that the individual or the commercial entity does not own or license. Means an unauthorized acquisition of and access to unencrypted or unredacted computerized data that materially compromises the security or confidentiality of personal information maintained by a person as part of a database of personal information regarding multiple individuals and that causes or is reasonably likely to cause substantial economic loss to an individual. Means an individual s first name or first initial and last name in combination with any one or more of the following data elements, when the data element is not encrypted, redacted or secured by any other method rendering the element unreadable or unusable: The individual s social security number. The individual s number on a driver license or identification license. The individual s financial account number or credit or debit card number in combination with any required security code, access code or password that would permit access to the individual s financial account. The statute only applies to computerized data containing personal information that is not encrypted or redacted. When a person becomes aware of an incident of unauthorized acquisition and access to unencrypted or unredacted computerized data that includes an individual s personal information, the person shall conduct a reasonable investigation to promptly determine if there has been a breach of the security system. If the investigation results in a determination that there has been a breach in the security system, the person shall notify the individuals affected. The notice shall be made in the most expedient manner possible and without unreasonable delay subject to the needs of law enforcement and any measures necessary to determine the nature and scope of the breach, to identify the individuals affected or to restore the reasonable integrity of the data system. A person that maintains unencrypted computerized data that includes personal information that the person does not own shall notify and cooperate with the owner or the licensee of the information of any breach of the security of the system following discovery of the breach without unreasonable delay. Cooperation shall include sharing information relevant to the breach of the security of the system with the owner or licensee. The person that owns or licenses the computerized data shall provide notice to the individual. The person that maintained the data under an agreement with the owner or licensee is not required to provide notice to the individual unless the agreement stipulates otherwise. Notification is not required if, after a reasonable investigation, the person or business determines that there is no reasonable likelihood of harm to customers. The notification may be delayed if a law enforcement agency advises the person that the notification will impede a criminal investigation. The person shall make the notification after the law enforcement agency determines that it will not compromise the investigation. The disclosure shall be provided by one of the following methods: Written notice Electronic notice if the person s primary method of communication with the individual is by electronic means or is consistent with the provisions regarding electronic records and signatures set forth in P.L ; 114 Stat. 464; 15 United States Code Section 7001 Telephonic notice Data Breach Charts current as of December 31, 2015 Page 7

8 Substitute Notice Compliance with Notification Requirements Notice to Consumer Reporting Agencies Notice to Attorney General Violations Waiver If the person can demonstrate that the cost of providing notice would exceed $50,000 or that the affected class of subject individuals to be notified exceeds 100,000 persons, or the person does not have sufficient contact information. Substitute notice shall consist of all of the following: Electronic mail notice if the person has electronic mail addresses for the individuals subject to the notice; Conspicuous posting of the notice on the web site of the person if the person maintains one; and Notification to major statewide media. A person who maintains the person s own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the requirements of this section shall be deemed to be in compliance with the notification requirements of this section if the person notifies subject individuals in accordance with the person s policies if a breach of the security system occurs. A person that complies with the notification requirements or security breach procedures pursuant to the rules, regulations, procedures, guidance or guidelines established by the person s primary or functional federal regulator is deemed to be in compliance. Only the attorney general may bring an action to obtain actual damages for a wilful and knowing violation of this section and a civil penalty not to exceed $10,000 per breach of the security of the system or series of breaches of a similar nature that are discovered in a single investigation. Back to top Data Breach Charts current as of December 31, 2015 Page 8

9 ARKANSAS: Ark. Code et seq. Persons Covered Definition of Security Breach Definition of Personal Information Encryption Safe Harbor Notice Procedures/Timing Risk of Harm Analysis Allowable Delay in Notification Methods of Notice Substitute Notice Any person or business that acquires, owns, or licenses computerized data containing personal information about an Arkansas resident. Means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a person or business. Means an individual s first name or first initial and his or her last name in combination with any one or more of the following data elements when either the name or the data element is not encrypted or redacted: Social security number; Driver s license number or Arkansas identification card number; Account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual s financial account; and Medical information. The statute only applies to computerized data containing personal information that is not encrypted. Any person or business shall disclose any breach of the security of the system following discovery or notification of the breach to any resident of Arkansas whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Any person or business that maintains computerized data that includes personal information that the person or business does not own shall notify the owner or licensee of the information of any breach of the security of the system immediately following discovery if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time and manner possible and without unreasonable delay. Notification is not required if, after a reasonable investigation, the person or business determines that there is no reasonable likelihood of harm to customers. Notification may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notification required by this section shall be made after the law enforcement agency determines that it will not compromise the investigation. Notice may be provided by one of the following methods: Written notice Electronic mail notice if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. 7001, as it existed on January 1, 2005 Substitute notice may be given if the person or business can demonstrate that: The cost of providing notice would exceed $250,000; The affected class of persons to be notified exceeds 500,000; or The person or business does not have sufficient contact information. Substitute notice shall consist of all of the following: Electronic mail notice when the person or business has an electronic mail address for the subject persons; Conspicuous posting of the notice on the website of the person or business if the person or business maintains a website; and Notification by statewide media. Data Breach Charts current as of December 31, 2015 Page 9

10 Compliance with Notification Requirements Notice to Consumer Reporting Agencies Notice to Attorney General Violations Waiver A person or business that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section shall be deemed to be in compliance with the notification requirements of this section if the person or business notifies affected persons in accordance with its policies in the event of a breach of the security of the system. The provisions of this chapter do not apply to a person or business that is regulated by a state or federal law that provides greater protection to personal information and at least as thorough disclosure requirements for breaches of the security of personal information than that provided by this chapter. Compliance with the state or federal law shall be deemed compliance with this chapter with regard to the subjects covered by this chapter. Any violation of this chapter is punishable by action of the Attorney General under the provisions of et seq. Any waiver of a provision of the statute is contrary to public policy, void, and unenforceable. Back to top Data Breach Charts current as of December 31, 2015 Page 10

11 CALIFORNIA: Cal. Civ. Code , et seq. Persons Covered Definition of Security Breach Definition of Personal Information Encryption Safe Harbor Notice Procedures/Timing Content Requirements Any person or business that conducts business in California or any state agency and owns, licenses or maintains computerized data that includes personal information about a California resident. A business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. Means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business. Means either of the following: An individual s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: o Social security number. o o Driver s license number or California identification card number. Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual s financial account. o Medical information. o Health insurance information. o Information or data collected through the use or operation of an automated license plate recognition system. A user name or address, in combination with a password or security question and answer that would permit access to an online account. The statute only applies to computerized data containing personal information that is not encrypted. Encrypted means rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security. A person or business shall disclose a breach of the security of the system following discovery or notification of the breach in the security of the data to a resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. A person or business that maintains computerized data that includes personal information that the person or business does not own shall notify the owner or licensee of the information of the breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person. General: The security breach notification shall be written in plain language, shall be titled Notice of Data Breach, and shall present the following information: The name and contact information of the reporting person or business. A list of the types of personal information that were or are reasonably believed to have been the subject of a breach. If the information is possible to determine at the time the notice is provided, then any of the following: (i) the date of the breach, (ii) the estimated date of the breach, or (iii) the date range within which the breach occurred. The notification shall also include the date of the notice. Whether notification was delayed as a result of a law enforcement investigation, if Data Breach Charts current as of December 31, 2015 Page 11

12 that information is possible to determine at the time the notice is provided. A general description of the breach incident, if that information is possible to determine at the time the notice is provided. The toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed a social security number or a driver s license or California identification card number. Risk of Harm Analysis Allowable Delay in Notification Methods of Notice Substitute Notice If the person or business providing the notification was the source of the breach, an offer to provide appropriate identity theft prevention and mitigation services, if any, shall be provided at no cost to the affected person for not less than 12 months along with all information necessary to take advantage of the offer to any person whose information was or may have been breached if the breach exposed or may have exposed personal information, specifically an individual s social security number, driver s license number or California identification card number. The information described above must be presented under the following headings: What Happened, What Information Was Involved, What We Are Doing, What You Can Do, and For More Information. The format of the notice shall be designed to call attention to the nature and significance of the information it contains. The title and headings in the notice shall be clearly and conspicuously displayed. And the text of the notice and any other notice provided pursuant to this section shall be no smaller than 10-point type. Use of a model security breach notification form set forth in the statute or use of the headings and information described above, written in plain language, will be deemed to be in compliance. Notification may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notification shall be made after the law enforcement agency determines that it will not compromise the investigation. Notice" may be provided by one of the following methods: 1. Written notice 2. Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code 3. Breach involving personal information for online account and no other personal information: The person or business may provide the security breach notification in electronic or other form that directs the person whose personal information has been breached promptly to change his or her password and security question or answer, as applicable, or to take other steps appropriate to protect the online account with the person or business and all other online accounts for which the person whose personal information has been breached uses the same user name or address and password or security question or answer. 4. Breach involving login credentials of an account: The person or business shall not provide the security breach notification to that address, but may, instead, comply with this section by providing notice by another method described by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an Internet Protocol address or online location from which the person or business knows the resident customarily accesses the account. Substitute notice is permissible if the Entity demonstrates that the cost of providing notice would exceed $250,000, or that the affected class of subject persons to be notified exceeds 500,000, or the person or business does not have sufficient contact information. Substitute notice shall consist of all of the following: notice when the Entity has an address for the subject persons. Conspicuous posting, for a minimum of 30 days, of the notice on the Internet Web Data Breach Charts current as of December 31, 2015 Page 12

13 Compliance with Notification Requirements site page of the person or business, if the person or business maintains one. Conspicuous posting on the person s or business s Internet Web site means providing a link to the notice on the home page or first significant page after entering the Internet Web site that is in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the link. Notification to major statewide media. An Entity that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements shall be deemed to be in compliance with the notification requirements if it notifies subject persons in accordance with its policies in the event of a breach of security of the system. A covered entity under the federal Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Sec. 1320d et seq.) will be deemed to have complied with the notice requirements if it has complied completely with Section 13402(f) of the federal Health Information Technology for Economic and Clinical Health Act (Public Law 111-5). Notice to Consumer Reporting Agencies Notice to Attorney General Any agency that is required to issue a security breach notification to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. Violations Any customer injured by a violation may institute a civil action to recover damages. Also, any business that violates or proposes to violate may be enjoined. Waiver Back to top Any waiver of a provision of the statute is contrary to public policy and is void and unenforceable. Data Breach Charts current as of December 31, 2015 Page 13

14 COLORADO: Colo. Rev. Stat Persons Covered Definition of Security Breach Definition of Personal Information Encryption Safe Harbor Notice Procedures/Timing Risk of Harm Analysis Allowable Delay in Notification Methods of Notice An individual or a commercial entity that conducts business in Colorado and that owns or licenses computerized data that includes personal information about a resident of Colorado; an individual or a commercial entity that maintains computerized data that includes personal information about a resident of Colorado that the individual or the commercial entity does not own or license. Means the unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information maintained by an individual or commercial entity. Means a Colorado resident s first name or first initial and last name in combination with any one or more of the following data elements that relate to the resident, when the data elements are not encrypted, redacted, or secured by any other method rendering the name or the element unreadable or unusable: Social security number; Driver s license number or identification card number; Account number or credit card or debit card number, in combination with any required security code, access code, or password that would permit access to a resident s financial account. The statute only applies to computerized data containing personal information that is not encrypted. An individual or a commercial entity shall, when it becomes aware of a breach of the security of the system, conduct in good faith a prompt investigation to determine the likelihood that personal information has been or will be misused. The individual or the commercial entity shall give notice as soon as possible to the affected Colorado residents. Notice shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system. An individual or a commercial entity that maintains computerized data that includes personal information that the individual or the commercial entity does not own or license shall give notice to and cooperate with the owner or licensee of the information of any breach of the security of the system immediately following discovery of a breach, if misuse of personal information about a Colorado resident occurred or is likely to occur. Cooperation includes sharing with the owner or licensee information relevant to the breach; except that such cooperation shall not be deemed to require the disclosure of confidential business information or trade secrets. Notification is not required if the investigation determines that the misuse of information about a Colorado resident has not occurred and is not reasonably likely to occur. Notice may be delayed if a law enforcement agency determines that the notice will impede a criminal investigation and the law enforcement agency has notified the individual or commercial entity that conducts business in Colorado not to send notice. Notice shall be made in good faith, without unreasonable delay, and as soon as possible after the law enforcement agency determines that notification will no longer impede the investigation and has notified the individual or commercial entity that conducts business in Colorado that it is appropriate to send the notice. Notice may be made by: Written notice Telephonic notice Electronic notice, if a primary means of communication by the individual or commercial entity with a Colorado resident is by electronic means or the notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. sec et seq. Data Breach Charts current as of December 31, 2015 Page 14

15 Substitute Notice Compliance with Notification Requirements Notice to Consumer Reporting Agencies Notice to Attorney General Violations Waiver If the entity can demonstrate that the cost of providing notice will exceed $250,000, the affected class of persons to be notified exceeds 250,000 Colorado residents, or the individual or the commercial entity does not have sufficient contact information to provide notice. Substitute notice consists of all of the following: notice if the individual or the commercial entity has addresses for the members of the affected class of Colorado residents; Conspicuous posting of the notice on the web site page of the individual or the commercial entity if the individual or the commercial entity maintains one; and Notification to major statewide media. An individual or commercial entity that maintains its own notification procedures as part of an information security policy for the treatment of personal information and whose procedures are otherwise consistent with the timing requirements shall be deemed to be in compliance with the notice requirements if the individual or commercial entity notifies affected Colorado customers in accordance with its policies in the event of a breach of security of the system. An individual or a commercial entity that is regulated by state or federal law and that maintains procedures for a breach of the security of the system pursuant to the laws, rules, regulations, guidances, or guidelines established by its primary or functional state or federal regulator is deemed to be in compliance. If an individual or commercial entity is required to notify more than one thousand Colorado residents of a breach of the security of the system, the individual or commercial entity shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined by 15 U.S.C. sec. 1681a (p), of the anticipated date of the notification to the residents and the approximate number of residents who are to be notified. The attorney general may bring an action in law or equity to address violations and for other relief that may be appropriate to ensure compliance or to recover direct economic damages resulting from a violation, or both. The provisions are not exclusive and do not relieve an individual or a commercial entity subject to this section from compliance with all other applicable provisions of law. Back to top Data Breach Charts current as of December 31, 2015 Page 15

16 CONNECTICUT: Conn. Gen Stat. 36a-701b Persons Covered Definition of Security Breach Definition of Personal Information Encryption Safe Harbor Notice Procedures/Timing Content Requirements Risk of Harm Analysis Allowable Delay in Notification Methods of Notice Substitute Notice Any person who conducts business in Connecticut, and who, in the ordinary course of such person s business, owns, licenses or maintains computerized data that includes personal information. Means unauthorized access to or unauthorized acquisition of electronic files, media, databases or computerized data containing personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable. Means an individual s first name or first initial and last name in combination with any one, or more, of the following data: Social Security number; driver s license number or state identification card number; or account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual s financial account. The statute only applies to electronic files, media, databases or computerized data containing personal information that has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable. Notification of any breach of security is required following the discovery of the breach to any resident of the state whose personal information was breached or is reasonably believed to have been breached. Such notice shall be made without unreasonable delay but not later than ninety days after the discovery of such breach, unless a shorter time is required under federal law. Each resident whose personal information was breached or is reasonably believed to have been breached, appropriate identity theft prevention services and, if applicable, identity theft mitigation services. Such service or services shall be provided at no cost to such resident for a period of not less than twelve months. Such person shall provide all information necessary for such resident to enroll in such service or services and shall include information on how such resident can place a credit freeze on such resident's credit file. Such notification shall not be required if, after an appropriate investigation and consultation with relevant federal, state and local agencies responsible for law enforcement, the person reasonably determines that the breach will not likely result in harm to the individuals whose personal information has been acquired and accessed. Any notification shall be delayed for a reasonable period of time if a law enforcement agency determines that the notification will impede a criminal investigation and such law enforcement agency has made a request that the notification be delayed. Any such delayed notification shall be made after such law enforcement agency determines that notification will not compromise the criminal investigation and so notifies the person of such determination. Notice of the breach of security may be provided by one of the following methods: Written notice; Telephone notice; or Electronic notice, provided such notice is consistent with the provisions regarding electronic records and signatures set forth in 15 USC Substitute notice may be provided if a person demonstrates that the cost of providing notice would $250,000, that the affected class of subject persons to be notified exceeds 500,000 persons or that the person does not have sufficient contact information. Substitute notice shall consist of the following: Electronic mail notice when the person has an electronic mail address for the affected persons; conspicuous posting of the notice on the web site of the person if the person maintains one; and Data Breach Charts current as of December 31, 2015 Page 16

17 Compliance with Notification Requirements Notice to Consumer Reporting Agencies Notice to Attorney General Violations Waiver notification to major state-wide media, including newspapers, radio and television. Any person that maintains such person s own security breach procedures as part of an information security policy for the treatment of personal information and otherwise complies with the timing requirements, shall be deemed to be in compliance with the security breach notification requirements, provided such person notifies, as applicable, residents of this state, owners and licensees in accordance with such person s policies in the event of a breach of security and in the case of notice to a resident, such person also notifies the Attorney General not later than the time when notice is provided to the resident. Any person that maintains such a security breach procedure pursuant to the rules, regulations, procedures or guidelines established by the primary or functional regulator, as defined in 15 USC 6809(2), shall be deemed to be in compliance with the security breach notification requirements, provided (1) such person notifies, as applicable, such residents of CT, owners, and licensees required to be notified under and in accordance with the policies or the rules, regulations, procedures or guidelines established by the primary or functional regulator in the event of a breach of security, and (2) if notice is given to a resident of CT and also notifies the Attorney General not later than the time when notice is provided to the resident. Notice of the breach of security shall be provided to the Attorney General not later than the time when notice is provided to the resident. Failure to comply with the requirements of the statute shall constitute an unfair trade practice for purposes of Section b and shall be enforced by the Attorney General. Back to top Data Breach Charts current as of December 31, 2015 Page 17

18 DELAWARE: Del. Code tit. 6, 12B-101 et seq. Persons Covered Definition of Security Breach Definition of Personal Information Encryption Safe Harbor Notice Procedures/Timing Risk of Harm Analysis Allowable Delay in Notification Methods of Notice Substitute Notice An individual or a commercial entity that conducts business in Delaware and that owns or licenses computerized data that includes personal information about a resident of Delaware; an individual or a commercial entity that maintains computerized data that includes personal information that the individual or the commercial entity does not own or license. Means the unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information maintained by an individual or a commercial entity. Means a Delaware resident s first name or first initial and last name in combination with any 1 or more of the following data elements that relate to the resident, when either the name or the data elements are not encrypted: Social Security number; Driver s license number or Delaware Identification Card number; or Account number, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a resident s financial account. The statute only applies to computerized data containing personal information that is not encrypted. When an individual or commercial entity becomes aware of a breach of the security of the system, it shall give notice as soon as possible to the affected Delaware resident. Notice must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system. An individual or a commercial entity that maintains computerized data that includes personal information that the individual or the commercial entity does not own or license shall give notice to and cooperate with the owner or licensee of the information of any breach of the security of the system immediately following discovery of a breach, if misuse of personal information about a Delaware resident occurred or is reasonably likely to occur. Cooperation includes sharing with the owner or licensee information relevant to the breach Notification is not required if a good faith, reasonable and prompt investigation determines that there no reasonable likelihood that personal information has been or will be misused. Notice required may be delayed if a law-enforcement agency determines that the notice will impede a criminal investigation. Notice must be made in good faith, without unreasonable delay and as soon as possible after the law-enforcement agency determines that notification will no longer impede the investigation. Notice may be made by the following methods: Written notice; Telephonic notice; or Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in 7001 of Title 15 of the United States Code. Substitute notice may be given if the individual or the commercial entity demonstrates that the cost of providing notice will exceed $75,000, or that the affected class of Delaware residents to be notified exceeds 100,000 residents, or that the individual or the commercial entity does not have sufficient contact information to provide notice. Substitute notice consists of all of the following: notice if the individual or the commercial entity has addresses for the members of the affected class of Delaware residents; and Conspicuous posting of the notice on the web site page of the individual or the commercial entity if the individual or the commercial entity maintains one; and Data Breach Charts current as of December 31, 2015 Page 18

19 Compliance with Notification Requirements Notice to Consumer Reporting Agencies Notice to Attorney General Violations Waiver Notice to major statewide media. An individual or a commercial entity that maintains its own notice procedures as part of an information security policy for the treatment of personal information, and whose procedures are otherwise consistent with the timing requirements is deemed to be in compliance with the notice requirements if the individual or the commercial entity notifies affected Delaware residents in accordance with its policies in the event of a breach of security of the system. An individual or a commercial entity that is regulated by state or federal law and that maintains procedures for a breach of the security of the system pursuant to the laws, rules, regulations, guidances, or guidelines established by its primary or functional state or federal regulator is deemed to be in compliance if the individual or the commercial entity notifies affected Delaware residents in accordance with the maintained procedures when a breach occurs. The Attorney General may bring an action in law or equity to address violations and for other relief that may be appropriate to ensure proper compliance or to recover direct economic damages resulting from a violation, or both. The provisions are not exclusive and do not relieve an individual or a commercial entity from compliance with all other applicable provisions of law. Back to top Data Breach Charts current as of December 31, 2015 Page 19

20 FLORIDA: Florida Information Protection Act of 2014 (FIPA), Fla. Stat Persons Covered Definition of Security Breach Definition of Customer Records Definition of Personal Information Encryption Safe Harbor Notice Procedures/Timing Covered entity means a sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity that acquires, maintains, stores, or uses personal information. For purposes of the notice requirements, the term includes a governmental entity. Means unauthorized access of data in electronic form containing personal information. Data in electronic form means any data stored electronically or digitally on any computer system or other database and includes recordable tapes and other mass storage devices. Means any material, regardless of the physical form, on which personal information is recorded or preserved by any means, including, but not limited to, written or spoken words, graphically depicted, printed, or electromagnetically transmitted that are provided by an individual in this state to a covered entity for the purpose of purchasing or leasing a product or obtaining a service. Means either of the following: An individual s first name or first initial and last name in combination with any one or more of the following data elements for that individual: o o o o o social security number; driver license or identification card number, passport number, military identification number, or other similar number issued on a government document used to verify identity; financial account number or credit or debit card number, in combination with any required security code, access code, or password that is necessary to permit access to an individual s financial account; any information regarding an individual s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; or an individual s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual. A user name or address, in combination with a password or security question and answer that would permit access to an online account. A covered entity shall give notice to each individual in Florida whose personal information was, or the covered entity reasonably believes to have been, accessed as a result of the breach. Notice to individuals shall be made as expeditiously as practicable and without unreasonable delay, taking into account the time necessary to allow the covered entity to determine the scope of the breach of security, to identify individuals affected by the breach, and to restore the reasonable integrity of the data system that was breached, but no later than 30 days after the determination of a breach or reason to believe a breach occurred unless. In the event of a breach of security of a system maintained by a third-party agent, such third-party agent shall notify the covered entity of the breach of security as expeditiously as practicable, but no later than 10 days following the determination of the breach of security or reason to believe the breach occurred. Upon receiving notice from a third-party agent, a covered entity shall provide required notice. A third-party agent shall provide a covered entity with all information that the covered entity needs to comply with its notice requirements. An agent may provide the required notice on behalf of the covered entity; however, an agent s failure to provide proper notice shall be deemed a violation of this section against the covered entity. Data Breach Charts current as of December 31, 2015 Page 20