Data Breach Map
The above map is provided for informational purposes only and is not intended to constitute, and should not be construed as, legal advice. You should consult with an attorney when considering, and before taking, any action.
Data Breach by Jurisdiction
Alaska
Breach Definition
Unauthorized acquisition or reasonable belief of unauthorized acquisition of personal identification (“PI”) that compromises security, confidentiality, or integrity of PI maintained.
PII Definition
Information on individual, that is not encrypted, that consists of individual’s name and one or more of these: social security number, driver’s license number, account number, password, or other access codes.
Third Party Notice
If data collector maintains covered information for someone else, it must notify them following discovery of breach.
How to Notify
No specific content requirement.
Substitute Notice
Either: email (if available) or conspicuously posting the disclosure on the website of information collector if collector maintains one; plus providing notice to major statewide media.
Credit Monitoring
Not required.
When to Notify Credit Agencies
If required to notify more than 1,000 state residents of breach.
This State’s Law
None.
State Government Agency Notification Required
None.
Alabama
Breach Definition
Unauthorized acquisition of data in electronic form containing sensitive personally identifying information.
PII Definition
The Alabama law defines sensitive personal information as individual’s first name or first initial, plus last name in combination with any of these:
- Non-truncated Social Security number or tax identification number;
- Non-truncated driver’s license, passport or government-issued identification number;
- Financial account number combined with security/access code, password, PIN, or expiration date;
- Individual’s medical history, mental/physical condition, medical treatment/diagnosis by health care professional, health insurance policy/subscriber number, or other insurance identifier; or
- User name or email address combined with password or security question/answer permitting access to online account affiliated with covered entity that is reasonably likely to contain or is used to obtain sensitive personally identifying information.
Third Party Notice
If data maintainer maintains covered data for someone else, it must notify data owner if it becomes aware of breach of security that has or may have occurred in relation to sensitive personal identifying information.
How to Notify
Must include, at a minimum:
- Estimated date of breach;
- Description of sensitive personal identifying information acquired;
- Remedial measures taken;
- General description of protective measures individual may take; and
- Contact information for notifying person or entity.
Substitute Notice
Both: (a) conspicuous posting of notice on covered entity’s website; and (b) notice in print and in broadcast media, including major media in urban and rural areas where affected individuals reside.
Credit Monitoring
Not required.
When to Notify Credit Agencies
If more than 1,000 Alabama residents must be notified.
This State’s Law
Data owners and their service providers must implement and maintain reasonable cybersecurity measures. Consideration is given to covered entity’s size, amount of sensitive personally identifying information it has, and cost of such measures.
State Government Agency Notification Required
If more than 1,000 Alabama residents must be notified, must notify Alabama Attorney General.
Arkansas
Breach Definition
Unauthorized acquisition of computerized data that compromises security, confidentiality, or integrity of personal information maintained by a person or business.
PII Definition
Individual’s first name or first initial and last name in combination with any of these if not encrypted or redacted:
- Social Security number;
- Driver’s license number or Arkansas identification card number;
- Account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account; and
- Medical information.
Third Party Notice
If data owner maintains covered information for someone else, it must notify them immediately following discovery of breach.
How to Notify
No specific content requirement.
Substitute Notice
All: 1. Email when person or business has an email address for the subject persons; 2. Conspicuous posting of notice on website of person or business if person or business maintains website; and 3. Notification by statewide media.
Credit Monitoring
Not required.
When to Notify Credit Agencies
Not required.
This State’s Law
None.
State Government Agency Notification Required
Not required.
Arizona
Breach Definition
Unauthorized acquisition of and access that materially compromises security or confidentiality of unencrypted and unredacted computerized personal information as part of database and that causes or is reasonably likely to cause substantial economic loss to individual.
PII Definition
Individual’s first name or first initial and last name in combination with any of these:
- Social security number;
- Driver’s license number or nonoperating identification number;
- Private key unique to an individual and used to authenticate or sign an electronic record;
- Financial account number or credit or debit card number in combination with any required security code, access code or password that would permit access to account;
- Health insurance identification number;
- Information about individual’s medical or mental health treatment or diagnosis by health care professional;
- Passport number;
- Taxpayer identification number or ID number issued by the IRS;
- Biometric data; or
- User name or email, in combination with password or security question and answer that allows access to online account.
Third Party Notice
If data collector maintains covered information for someone else, it must notify them following discovery of breach without unreasonable delay.
How to Notify
Notice shall include:
- Approximate date of the breach;
- Description of personal information involved;
- Toll-free number and address for major credit reporting agencies;
- Toll-free number, address, and website address for FTC or any federal agency that assists consumers with identity theft matters.
Substitute Notice
Both: (a) written letter to the Arizona Attorney General that demonstrates facts for substitute notice; and (b) conspicuous posting of notice for at least 45 days on website of person if person maintains one.
Credit Monitoring
Not required.
When to Notify Credit Agencies
If more than 1,000 persons involved.
This State’s Law
None.
State Government Agency Notification Required
Yes, to Arizona Attorney General if more than 1,000 persons involved.
California
Breach Definition
Unauthorized acquisition of unencrypted computerized data that compromises security, confidentiality or integrity of personal information; or of encrypted personal information, if encryption key or security credential was acquired by unauthorized person.
PII Definition
A. Individual’s first name or first initial and last name in combination with any of these if unencrypted:
- Social security number; or
- Driver’s license number or California identification card number; or
- Account number, credit or debit card number, in combination with security code, access code or password that would permit access to financial account; or
- Medical information; or
- Health insurance information;
- Information or data collected through use or operation of automated license plate recognition system; OR
B. User name or email address, in combination with password or security question and answer that would permit access to online account.
Third Party Notice
If you maintain covered information for someone else, you must notify them immediately after discovery of breach.
How to Notify
All of the following must be included:
- Use plain language, in at least 10 point type;
- Must title as “Notice of Data Breach,” and have headings: “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information”;
- Must include:
  - Name and contact information of reporting person or business;
  - Types of personal information that were subject of breach;
  - If possible to determine, date or estimated date of breach or its time range;
  - Whether notification delayed as result of law enforcement investigation;
  - Description of breach incident;
  - Toll-free phone numbers and addresses of major credit reporting agencies, if breach exposed social security numbers, driver’s license or California identification card numbers;
  - If person or business making notification was source of breach, it must offer to provide free identity theft prevention services for at least 12 months.
Substitute Notice
All: (a) email; (b) conspicuous posting of notice on company’s website for at least 30 days; and (c) notification of major statewide media.
Credit Monitoring
If you were source of breach, you must offer free identity theft prevention services for at least 12 months.
When to Notify Credit Agencies
No requirement.
This State’s Law
If you are required to notify California Attorney General, must do so electronically through its website.
State Government Agency Notification Required
If more than 500 California residents must be notified.
Colorado
Breach Definition
Unauthorized acquisition of unencrypted computerized data that compromises security, confidentiality, or integrity of personal information maintained by individual or commercial entity.
PII Definition
Colorado resident’s first name or first initial and last name in combination with any of these, when not encrypted, redacted, or secured by any other method:
- Social Security number;
- Driver’s license number or identification card number;
- Student, military or passport identification number;
- Medical information;
- Health insurance identification number; or
- Biometric data.
Also includes Colorado resident’s username or email address in combination with a password or security questions and answers that would enable access to an online account and account number or credit or debit card number in combination with any required security code, access code or password that would enable access to that account.
Third Party Notice
If data collector maintains covered information for someone else, it must notify them following discovery of breach.
How to Notify
Notice must contain (1) date, estimated date, or estimated date range of breach; (2) description of personal information breached or reasonably believed to have been breached; (3) entity’s contact information; (4) toll-free numbers, addresses and websites for consumer reporting agencies and FTC; and (5) statement that Colorado resident can obtain information from FTC and credit reporting agencies regarding fraud alerts and security freezes. If breach involves Colorado resident’s username or email address in combination with password or security questions and answers that would enable access, must also include appropriate steps to protect online accounts.
Substitute Notice
All: (a) email if individual or commercial entity has email addresses for members of affected class of Colorado residents; (b) conspicuous posting of notice on website page of individual or commercial entity if it maintains one; and (c) notification to major statewide media.
Credit Monitoring
Not required.
When to Notify Credit Agencies
If more than 1,000 Colorado residents must be notified.
This State’s Law
None.
State Government Agency Notification Required
Colorado Attorney General, if more than 500 Colorado residents are affected or believed to be affected.
Connecticut
Breach Definition
Unauthorized access to or acquisition of electronic files, media, databases, or computerized data containing PII when access to PII has not been secured by encryption or by any other method or technology that renders PII unreadable or unusable.
PII Definition
Individual’s first name or first initial and last name in combination with any one or more of these:
- Social Security Number;
- Driver license number or state identification card number; or
- Account number or credit card number or debit card number in combination with any required security code, access code, or password that would permit access to individual’s financial account; or
- Financial account number in combination with any required security code, access code or password that would permit access to an individual’s financial account.
Third Party Notice
If entity maintains computerized data for someone else, entity must notify owner or licensee of information of any breach immediately following its discovery.
How to Notify
No specific content requirement.
Substitute Notice
All: (a) email notice when entity has email address for affected persons; (b) conspicuous posting of notice on web site of entity if it maintains one; and (c) notification to major statewide media, including newspapers, radio and television.
Credit Monitoring
Entity must offer to each resident whose PII was breached or is reasonably believed to have been breached, appropriate identity theft prevention services and, if applicable, identity theft mitigation services free for at least 24 months.
When to Notify Credit Agencies
No notification required.
This State’s Law
None.
State Government Agency Notification Required
Yes, Attorney General, not later than when the affected residents are notified.
District of Columbia
Breach Definition
Unauthorized acquisition of data, or any equipment or device storing such data, that compromises security, confidentiality, or integrity of personal information maintained by person or business.
PII Definition
Individual’s first name or first initial and last name, or phone number, or address, and any of these:
- Social Security number;
- Driver’s license number or District of Columbia Identification Card number;
- Credit card number or debit card number; or
- Any other number or code or combination of numbers or codes, such as account number, security code, access code, or password, that allows access to or use of an individual’s financial or credit account.
Third Party Notice
If data collector maintains covered information for someone else, it must notify them following discovery of breach in most expedient time possible.
How to Notify
No specific content requirement.
Substitute Notice
All: (a) email when person or business has email address for subject persons; (b) conspicuous posting of notice on website page of person or business if it maintains one; and (c) notice to major local and, if applicable, national media.
Credit Monitoring
Not required.
When to Notify Credit Agencies
If more than 1,000 D.C. residents must be notified.
This State’s Law
None.
State Government Agency Notification Required
Not required.
Delaware
Breach Definition
Unauthorized acquisition of unencrypted computerized data that compromises security, confidentiality, or integrity of personal information.
PII Definition
Delaware resident’s first name or first initial and last name in combination with any of these:
- Social Security number;
- Driver’s license number or state or federal identification card;
- Account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to resident’s financial account;
- Passport number;
- A username or email address, in combination with password or security question and answer that would permit access to online account;
- Medical history, medical treatment by healthcare professional, diagnosis of mental or physical condition by health care professional, or DNA profile;
- Health insurance policy number, subscriber identification number, or any other unique identifier used by health insurer to identify the person;
- Unique biometric data generated from measurements or analysis of human body characteristics for authentication purposes; or
- Individual taxpayer identification number.
Third Party Notice
If you maintain covered info on behalf of another entity, must notify them immediately following determination of breach.
How to Notify
No specific content requirement.
Substitute Notice
All: (a) email if person has email addresses for members of affected class of Delaware residents; (b) conspicuous posting of notice on website of person if it maintains one; and (c) notice to major statewide media, including newspapers, radio, and television and publication on major social media platforms of person providing notice.
Credit Monitoring
If breach includes a Social Security number, credit monitoring services shall be offered to resident whose personal information was breached or is reasonably believed to have been breached, at no cost for 1 year. Not required if appropriate investigation determines that breach of security is unlikely to result in harm to individuals whose personal information has been breached.
When to Notify Credit Agencies
Not required.
This State’s Law
If relying on substitute notice, must post notice on your major social media accounts.
State Government Agency Notification Required
Notice must be provided to Delaware Attorney General’s Office of any breach of security requiring notice to more than 500 Delaware residents.
Florida
Breach Definition
Unauthorized access of data in electronic form containing personal information.
PII Definition
Individual’s first name or first initial and last name in combination with any of these:
- Social Security number;
- Driver’s license or identification card number, passport number, military identification number, or other similar number issued on government ID;
- Financial account number or credit or debit card number, in combination with any required security code, access code, or password necessary to permit access to financial account;
- Information regarding individual’s medical history, mental or physical condition, or medical treatment or diagnosis by health care professional; or
- Individual’s health insurance policy number or subscriber identification number and any unique identifier used by health insurer.
OR
- User name or e-mail address, in combination with password or security question and answer that would permit access to online account.
Third Party Notice
If data collector maintains covered information for someone else, it must notify them following discovery of breach as expeditiously as practicable, but no later than 10 days following determination of breach.
How to Notify
Notice must include date of breach, description of covered info that was, or is reasonably believed to have been, accessed, and covered entity’s contact info.
Substitute Notice
maintains one; and (b) notice in print and to broadcast media, including major media in urban and rural areas where affected individuals reside.
Credit Monitoring
Not required.
When to Notify Credit Agencies
If more than 1,000 Florida residents notified.
This State’s Law
Upon request of Florida Attorney General, covered entity may be required to provide police report, incident report, or computer forensics report, and entity’s policies in place regarding breaches.
State Government Agency Notification Required
Yes, Florida Department of Legal Affairs, if 500 or more Florida residents affected. Must be made no later than 30 days after determination of breach.
Georgia
Breach Definition
Unauthorized acquisition of individual’s electronic data that compromises security, confidentiality, or integrity of personal information of such individual maintained by information broker or data collector.
PII Definition
Individual’s first name or first initial and last name in combination with any of these when not encrypted or redacted:
- Social Security number;
- Driver’s license number or state identification card number;
- Account number, credit card number, or debit card number, if such number could be used without additional identifying information, access codes, or passwords;
- Account passwords or personal identification numbers or other access codes; or
- Any of above when not in connection with first name or first initial and last name, if information compromised would be sufficient to perform or attempt to perform identity theft against person whose information was compromised.
Third Party Notice
If entity maintains covered information for someone else, it must notify them within 24 hours after discovery of breach.
How to Notify
No specific content requirement.
Substitute Notice
All: (a) email, if the Entity has email address for individuals to be notified; (b) conspicuous posting of notice on Entity’s Website, if it maintains one; and (c) notification to major statewide media.
Credit Monitoring
Not required.
When to Notify Credit Agencies
If more than 10,000 Georgia residents must be notified.
This State’s Law
None.
State Government Agency Notification Required
Not required.
Guam
Breach Definition
Unauthorized access and acquisition of unencrypted and unredacted data that compromises security or confidentiality of personal information of resident of Guam if it causes or entity reasonably believes it will cause identity theft or fraud to resident of Guam.
PII Definition
First name or initial and last name of an individual in combination with one or more of these if not encrypted or redacted:
- Social Security number;
- Driver’s license number or Guam identification card number;
- Financial account number, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to financial account.
Third Party Notice
If information is maintained on behalf of third party, third party must be notified.
How to Notify
No specific content requirement.
Substitute Notice
At least two of these: (a) email if entity has email addresses for individuals; (b) conspicuous posting on website if it maintains one; and/or (c) notice to major Guam media.
Credit Monitoring
Not required.
When to Notify Credit Agencies
Not required.
This State’s Law
None.
State Government Agency Notification Required
Not required.
Hawaii
Breach Definition
Unauthorized access to and acquisition of unencrypted or unredacted records or data containing PII where illegal use of PII has occurred, or is reasonably likely to occur, where such unauthorized access and acquisition creates risk of harm to a person. Breach also includes unauthorized access to and acquisition of encrypted records or data containing PII along with key.
PII Definition
Individual’s first name or first initial and last name in combination with any one or more of these, when either name or data elements are not encrypted:
- Social Security Number;
- Driver’s license number or Hawaii identification card number; or
- Account number, credit card number, debit card number, access code, or password that would permit access to individual’s financial account.
Third Party Notice
If data collector maintains covered information for someone else, it must notify them immediately following discovery of breach.
How to Notify
Notice must include:
- Incident in general terms;
- Type of PII subject to unauthorized access and acquisition;
- General acts of Entity to protect PII from further unauthorized access;
- Telephone number that the person may call for further information and assistance; and
- Advice that directs person to remain vigilant by reviewing account statements and monitoring free credit reports.
Substitute Notice
All: (a) email notice when entity has email address for subject persons; (b) conspicuous posting of the notice on entity’s website, if it maintains one; and (c) notification to major statewide media.
Credit Monitoring
Not required.
When to Notify Credit Agencies
If more than 1,000 Hawaii residents are notified.
This State’s Law
None.
State Government Agency Notification Required
If more than 1,000 Hawaii residents are notified; Hawaii Office of Consumer Protection.
Iowa
Breach Definition
Unauthorized acquisition of computerized personal information that compromises security, confidentiality, or integrity of personal information.
PII Definition
First name or first initial and last name in combination with any of these if not encrypted, redacted, or otherwise made unreadable:
- Social Security number;
- Driver’s license number;
- Financial account, debit or credit card number with required security code, access code, or password that would permit access to individual’s financial account;
- Unique electronic identifier or routing code with required code or password that would allow access to person’s financial account;
- Unique biometric data, including fingerprints, retina or iris prints.
Third Party Notice
If data collector maintains or possesses covered information for someone else, it must notify them immediately following discovery of breach.
How to Notify
Notice shall include:
- Description of breach of security;
- Approximate date of breach of security;
- Type of personal information obtained as a result of breach;
- Contact information for consumer reporting agencies;
- Advice to consumer to report suspected incidents of identity theft to local law enforcement or attorney general.
Substitute Notice
(a) Email if entity has email addresses for affected consumers; (b) conspicuous posting of notice or link to notice on website of entity if it maintains one; and (c) notification to major statewide media.
Credit Monitoring
Not required.
When to Notify Credit Agencies
Not required.
This State’s Law
None.
State Government Agency Notification Required
Yes, Iowa Attorney General, if more than 500 Iowa consumers are affected.
Idaho
Breach Definition
Illegal acquisition of unencrypted computerized data that materially compromises security, confidentiality, or integrity of personal information for one or more persons maintained by agency, individual or a commercial entity.
PII Definition
Idaho resident’s first name or first initial and last name in combination with any of these, when either name or data elements are not encrypted:
- Social Security Number;
- Driver’s license number or Idaho identification card number; or
- Account number, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to resident’s financial account.
Third Party Notice
If data owner maintains covered information for someone else, it must notify them immediately following discovery of breach.
How to Notify
No specific content requirement.
Substitute Notice
All: (a) email if agency, individual or the commercial entity has email addresses for affected Idaho residents; (b) conspicuous posting of notice on website of agency, individual or the commercial entity if it maintains one; and (c) notification to major statewide media.
Credit Monitoring
Not required.
When to Notify Credit Agencies
Not required.
This State’s Law
None.
State Government Agency Notification Required
Not required.
Illinois
Breach Definition
Unauthorized acquisition of computerized data that compromises security, confidentiality, or integrity of personal information.
PII Definition
First name or initial and last name in combination with any of these if not encrypted, redacted, or otherwise made unreadable:
- Social Security number;
- Driver’s license or state identification card number;
- Account, debit card or credit card number in combination with any code or password that would allow access to account;
- Medical information;
- Health insurance information; or
- Unique biometric data including a fingerprint or retina or iris image.
OR
Username or email address in combination with password or security question that would permit access to online account.
Third Party Notice
If data collector maintains covered information for someone else, it must notify them following discovery of breach including the approximate date and nature of breach, related steps that have been taken, or plans that have been made in relation to breach.
How to Notify
Notify consumers of definition of personal information; toll free numbers and addresses for consumer reporting agencies; toll-free number, address, and website address for FTC; and statement that individual can obtain information about fraud alerts and security freezes from these entities.
Substitute Notice
All: (a) email, if entity has residents’ email addresses; (b) conspicuous posting on entity’s website if it maintains one; and (c) notification to major statewide media of breach. Media notification may be more localized if affected residents only reside in small geographic area.
Credit Monitoring
Not required.
When to Notify Credit Agencies
Not required.
This State’s Law
Illinois was first state to include biometrics in its definition of personally identifiable information.
State Government Agency Notification Required
Not required.
Indiana
Breach Definition
Unauthorized access to information that compromises security, confidentiality, or integrity of personal information.
PII Definition
Social Security number; or
First name or initial and last name, and any one of these:
- Driver’s license number;
- State identification card number;
- Credit card number;
- Financial account number or debit card number in combination with security code, password, or access code that would permit access to person’s account.
Third Party Notice
If data collector maintains covered information for someone else, it must notify them following discovery of breach.
How to Notify
No specific content requirement.
Substitute Notice
Conspicuous posting on database owner’s website; and notice to major news media in geographic area where Indiana residents affected by breach reside.
Credit Monitoring
Not required.
When to Notify Credit Agencies
If more than 1,000 Indiana residents must be notified.
This State’s Law
None.
State Government Agency Notification Required
Yes, Indiana Attorney General.
Kansas
Breach Definition
Unauthorized access and acquisition of unencrypted or unredacted data that compromises security, confidentiality or integrity of personal information maintained by individual or commercial entity and that causes, or such individual or entity reasonably believes has caused or will cause, identity theft to any consumer.
PII Definition
Consumer’s first name or first initial and last name in combination with any of these, when not encrypted or redacted:
- Social Security number;
- Driver’s license number or state identification card number; or
- Financial account number, or credit or debit card number, alone or in combination with required security code, access code or password that would permit access to consumer’s financial account.
Third Party Notice
If individual or entity maintains computerized data that includes personally identifiable information that individual or entity does not own, must notify owner or licensee of breach following discovery.
How to Notify
No specific content requirement.
Substitute Notice
(a) email if individual or commercial entity has email addresses for affected class of consumers; (b) conspicuous posting of notice on website of individual or commercial entity if it maintains one; and (c) notification to major statewide media.
Credit Monitoring
Not required.
When to Notify Credit Agencies
If more than 1,000 Kansas consumers must be notified.
This State’s Law
Person or business shall take reasonable steps to destroy or arrange for destruction of customer’s records within its custody or control containing personal information that is no longer to be retained, by shredding, erasing or otherwise modifying to make unreadable or undecipherable.
State Government Agency Notification Required
Not required.
Kentucky
Breach Definition
Unauthorized acquisition of unencrypted and unredacted computerized data that compromises security, confidentiality, or integrity of personally identifiable information maintained by information holder as part of database that actually causes, or leads information holder to reasonably believe has caused or will cause, identity theft or fraud against any resident of Kentucky.
PII Definition
Individual’s first name or first initial and last name; personal mark; or unique biometric or genetic print or image, in combination with one of these:
- Account number, credit card number, or debit card number, that in combination with required security code, access code, or password, would permit access to account;
- Social Security number;
- Taxpayer identification number that incorporates Social Security number;
- Driver’s license number, state identification card number, or other individual identification number;
- Passport number or other identification number issued by United States government; or
- Individually identifiable health information.
Third Party Notice
Entity that maintains computerized data that includes PI shall notify owner or licensee of information of any breach as soon as reasonably practicable following discovery.
How to Notify
No content requirement.
Substitute Notice
All: (a) email if Entity has e-mail addresses for affected individuals; (b) conspicuous posting regarding incident on Entity’s website, if it maintains one; and (c) notification to major statewide media.
Credit Monitoring
Not required.
When to Notify Credit Agencies
If more than 1,000 Kentucky residents must be notified.
This State’s Law
None.
State Government Agency Notification Required
No
Louisiana
Breach Definition
Unauthorized acquisition of and access to personal information maintained by agency or person.
PII Definition
Individual’s first name or first initial and last name in combination with any of these, when not encrypted or redacted:
- Social Security number;
- Driver’s license number;
- Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to individual’s financial account;
- Passport number; or
- Biometric data, such as fingerprints, voice prints, eye retina or iris, or other unique biological characteristic.
Third Party Notice
If data collector maintains covered information for someone else, it must notify them following discovery of breach.
How to Notify
No specific content requirement.
Substitute Notice
All: (a) email when agency or person has email address for subject persons; (b) conspicuous posting of notification on Internet site of agency or person, if it maintains one; and (c) notification to major statewide media.
Credit Monitoring
Not required.
When to Notify Credit Agencies
Not required.
This State’s Law
If notice is required to Louisiana Attorney General, must include names of all Louisiana citizens affected.
State Government Agency Notification Required
Yes, Consumer Protection Section of Louisiana Attorney General’s office. Must include names of all Louisiana citizens affected.
Massachusetts
Breach Definition
Unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and confidential process or key that is capable of compromising security, confidentiality, or integrity of personal information, maintained by person or agency that creates substantial risk of identity theft or fraud against Massachusetts resident.
PII Definition
Resident’s first name and last name or first initial and last name in combination with any of these that relate to such resident:
- Social security number;
- Driver’s license number or state-issued identification number; or
- Financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account.
Third Party Notice
If data collector maintains covered information for someone else, it must notify them following discovery of breach as soon as practicable and without unreasonable delay.
How to Notify
Notice shall include:
- Consumer’s right to obtain police report;
- How consumer requests security freeze and necessary information to be provided when requesting it, and fees required;
- Name of parent or affiliated corporation if the organization that experienced breach is owned by another person or corporation.
Substitute Notice
All: (a) email, if person or agency has email addresses for affected class of Massachusetts residents; (b) clear and conspicuous posting of notice on home page of person or agency if it maintains website; and (c) publication in or broadcast through media that provides notice throughout Massachusetts.
Credit Monitoring
Required to be offered for “not less than 18 months” when the incident involves a Social Security number. Must certify this offer to the agencies below.
When to Notify Credit Agencies
If directed by Massachusetts Attorney General or Director of Consumer Affairs and Business Regulation.
This State’s Law
Notice to consumers shall not include nature of breach or number of residents affected.
State Government Agency Notification Required
Yes, to Massachusetts Attorney General and Director of Consumer Affairs and Business Regulation; and to CRAs or other state agencies if they direct. Specific information to be provided includes types of PI compromised, steps taken relating to incident, and whether breached organization maintains written information security program.
Maryland
Breach Definition
Unauthorized acquisition of computerized data that compromises security, confidentiality, or integrity of personal information maintained by a business.
PII Definition
Individual’s first name or first initial and last name in combination with any of these when not encrypted, redacted, or otherwise protected by another method that renders the information unreadable or unusable:
- Social Security number, an Individual Taxpayer Identification Number, a passport number, or other identification number issued by federal government;
- Driver’s license number or State identification card number;
- Account number, credit card number, or debit card number, in combination with any required security code, access code, or password, that permits access to individual’s financial account;
- Health information, including information about individual’s mental health;
- Health insurance policy or certificate number or health insurance subscriber identification number, in combination with unique identifier used by insurer or employer that is self-insured, that permits access to individual’s health information; or
- Biometric data of individual generated by automatic measurements of individual’s biological characteristics such as fingerprint, voice print, genetic print, retina or iris image, or other unique biological characteristic, that can be used to uniquely authenticate individual’s identity when individual accesses system or account; OR
User name or e-mail address in combination with password or security question and answer that permits access to individual’s email account.
Third Party Notice
If data collector maintains covered information for someone else, it must notify them following discovery of breach.
How to Notify
Notification shall include:
- Description of categories of information that were, or are reasonably believed to have been, acquired by unauthorized person, including which elements of personal information were, or are reasonably believed to have been, acquired;
- Contact information for business making notification, including business’ address, telephone number, and toll-free telephone number if one is maintained;
- Toll-free telephone numbers and addresses for major consumer reporting agencies;
- Toll-free telephone numbers, addresses, and website addresses for FTC and Maryland Attorney General; and
- Statement that individual can obtain information from these sources about steps individual can take to avoid identity theft.
Substitute Notice
All: (a) emailing notice to individual entitled to notification, if business has email address for individual to be notified; (b) conspicuous posting of notice on website of business, if it maintains one; and (c) notification to statewide media.
Credit Monitoring
Not required.
When to Notify Credit Agencies
If notice must be given to 1,000 or more Maryland residents.
This State’s Law
If breach affects only email account, entity may provide notification in electronic or other form that directs individual whose personal information has been breached promptly to:
1. Change password and security question or answer; or
2. Take other steps appropriate to protect email account and all other online accounts for which individual uses same user name or email and password or security question or answer.
Notification cannot be sent to affected email account.
State Government Agency Notification Required
Yes, to Maryland Attorney General, before giving consumer notice.
Maine
Breach Definition
Unauthorized access, acquisition, release or use of individual’s data that includes personal information that compromises security, confidentiality or integrity of personal information of individual.
PII Definition
Individual’s first name, or first initial, and last name in combination with any of these, when not encrypted or redacted:
- Social Security number;
- Driver license number or state identification card number;
- Account number or credit card number or debit card number if such number could be used without additional identifying information, access codes or passwords;
- Account passwords or personal identification numbers or other access codes; or
- Any of above when not in connection with individual’s first name, or first initial, and last name, if information compromised would be sufficient to permit a person to fraudulently assume or attempt to assume identity of person whose information was compromised.
Third Party Notice
If data collector maintains covered information for someone else, it must notify them immediately following discovery of breach.
How to Notify
No specific content requirement.
Substitute Notice
All: (a) email, if entity has email addresses for individuals to be notified; (b) conspicuous posting of notice on entity’s website if it maintains one; and (c) notification to major statewide media.
Credit Monitoring
No requirement noted.
When to Notify Credit Agencies
If more than 1,000 Maine residents must be notified.
This State’s Law
None.
State Government Agency Notification Required
Yes, Maine Attorney General.
Michigan
Breach Definition
Unauthorized access and acquisition of data that compromises security or confidentiality of personal information maintained by person or agency as part of database of personal information regarding multiple individuals.
PII Definition
First name or initial and last name, in combination with one of these:
- Social Security number;
- Driver’s license or personal identification number; or
- Financial account number, or credit or debit card number, in combination with any required security code or password that would permit access to account.
Third Party Notice
If entity maintains information for third party, it must be notified of breach.
How to Notify
If notice is written, it must be written in clear and conspicuous manner. If telephonic, information must be clearly conveyed. In either case communication must contain the following content:
- Describe breach in general terms;
- Describe type of personal information that is the subject of unauthorized access or use;
- Describe what entity has done to protect data from further breaches;
- Include telephone number where notice recipient may obtain assistance or additional information; and
- Remind notice recipients of need to remain vigilant for incidents of fraud and identity theft.
Substitute Notice
All: (a) email, if entity has consumer’s email address; (b) conspicuous posting on entity’s website, if it maintains one; and (c) notifying major statewide media, including telephone number or website address consumers can use to obtain more information.
Credit Monitoring
Not required.
When to Notify Credit Agencies
If more than 1,000 Michigan residents are affected.
This State’s Law
Criminal penalties for not complying with notice statute.
State Government Agency Notification Required
Not required.
Minnesota
Breach Definition
Unauthorized acquisition of computerized data that compromises security, confidentiality, or integrity of personal information maintained by person or business, not including good faith access by entity’s employees.
PII Definition
First name or first initial and last name along with one or more of these if not encrypted, or otherwise protected or made unreadable:
- Social Security number;
- Driver’s license or state identification card number; or
- Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to individual’s financial account.
Third Party Notice
If entity maintains data for third party, third party must immediately be notified of breach.
How to Notify
No specific content requirement.
Substitute Notice
All: (a) email when person or business has email address for subject persons; (b) conspicuous posting of notice on website page of person or business, if it maintains one; and (c) notification to major statewide media.
Credit Monitoring
Not required.
When to Notify Credit Agencies
If more than 500 Minnesota consumers are notified.
This State’s Law
None.
State Government Agency Notification Required
Not required.
Missouri
Breach Definition
Unauthorized access or acquisition of computerized personal information that compromises security, confidentiality, or integrity of personal information.
PII Definition
First name or initial and last name in combination with any of these if not encrypted, redacted or otherwise altered:
- Social Security number;
- Driver’s license number;
- Financial account, credit card, or debit card number in combination with code or password that would permit access;
- Unique electronic identifier or routing number with required code or password that would permit access to person’s financial account;
- Medical information; or
- Health insurance information.
Third Party Notice
If data collector maintains covered information for someone else, it must notify them immediately following discovery of breach.
How to Notify
Notice shall include:
- Incident in general terms;
- Type of personal information that was obtained as result of breach;
- Telephone number that affected consumer may call for further information and assistance;
- Contact information for consumer reporting agencies;
- Advice that directs affected consumer to remain vigilant by reviewing account statements and monitoring free credit reports.
Substitute Notice
(a) Email if entity has email addresses for consumers subject to notice; (b) conspicuous posting of notice on website of entity if it maintains one; and (c) notification to major statewide media.
Credit Monitoring
Not required.
When to Notify Credit Agencies
If more than 1,000 Missouri residents must be notified.
This State’s Law
None.
State Government Agency Notification Required
Yes, Missouri Attorney General; without unreasonable delay if more than 1,000 Missouri residents must be notified.
Mississippi
Breach Definition
Unauthorized acquisition of data containing personal information of any Mississippi resident when access to personal information has not been secured by encryption or by any other method or technology that renders personal information unreadable or unusable.
PII Definition
Individual’s first name or first initial and last name in combination with any of these:
- Social Security number;
- Driver’s license number or state identification card number; or
- Account number or credit or debit card number in combination with any required security code, access code or password that would permit access to individual’s financial account.
Third Party Notice
If data collector maintains covered information for someone else, it must notify them as soon as practicable following discovery of breach.
How to Notify
No specific content requirement.
Substitute Notice
All: (a) email if entity has email addresses for subject persons; (b) conspicuous posting of notice on entity’s website if it maintains one; and (c) notification to major statewide media.
Credit Monitoring
Not required.
When to Notify Credit Agencies
Not required.
This State’s Law
None.
State Government Agency Notification Required
Not required.
Montana
Breach Definition
Unauthorized acquisition of computerized data that materially compromises security, confidentiality, or integrity of personal information maintained by person or business and causes or is reasonably believed to cause loss or injury to Montana resident.
PII Definition
Individual’s first name or first initial and last name in combination with any of these if not encrypted:
- Social Security number;
- Driver’s license number, state identification card number, or tribal identification card number;
- Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account;
- Medical record information;
- Taxpayer identification number; or
- Identity protection personal identification number issued by U.S. IRS.
Third Party Notice
If person or business maintains covered information for someone else, it must notify them immediately following discovery of breach.
How to Notify
Include dates of breach and elements of personal information that were likely acquired.
Substitute Notice
All: (a) email when person or business has email addresses for subject persons; (b) conspicuous posting of notice on website of person or business if they maintain one; and (c) notification to applicable local or statewide media.
Credit Monitoring
Not required.
When to Notify Credit Agencies
If consumer notice “suggests, indicates, or implies to the individual that the individual may obtain a copy of the file on the individual from a consumer credit reporting agency, the business shall coordinate with the consumer reporting agency as to the timing, content, and distribution of the notice to the individual.”
This State’s Law
None.
State Government Agency Notification Required
Yes, attorney general; same time as consumers. Submit electronic copy of notice and statement of date and method of distribution.
North Carolina
Breach Definition
Unauthorized access and acquisition of unencrypted and unredacted records or data containing personal information where illegal use of personal information has occurred or is reasonably likely to occur or that creates material risk of harm to consumer. Also includes unauthorized access to and acquisition of encrypted records or data containing personal information along with confidential process or key.
PII Definition
Resident’s first name or first initial and last name in combination with any of these that relate to such resident:
- Social Security number or employer taxpayer identification number;
- Driver’s license number, state identification card, or passport numbers;
- Checking account, savings account, credit card or debit card numbers;
- Personal identification (PIN) code;
- Electronic identification numbers, email names or addresses, Internet account numbers, or Internet identification names, parent’s legal surname prior to marriage, or passwords if such information would permit access to person’s financial account or resources;
- Digital signatures; any other numbers or information that can be used to access person’s financial resources;
- Biometric data; or
- Fingerprints.
Third Party Notice
If data collector maintains or possesses covered information for someone else, it must notify them immediately following discovery of breach.
How to Notify
Notice must be clear and conspicuous and shall include:
- Description of incident in general terms;
- Description of type of personal information involved;
- Description of acts of covered entity to protect information from further unauthorized access;
- Telephone number of covered entity for further information and assistance;
- Advice that directs consumer to remain vigilant by reviewing account statements and monitoring free credit reports;
- Toll-free number and address for major credit reporting agencies;
- Toll-free number, address, and website address for FTC and North Carolina Attorney General’s office, along with a statement that person can obtain information from these sources about preventing identity theft.
Substitute Notice
All: (a) email, when business has email addresses for subject persons; (b) conspicuous posting of notice on web site of business if it maintains one; and (c) notification to major statewide media.
Credit Monitoring
Not required.
When to Notify Credit Agencies
If more than 1,000 North Carolina residents are notified.
This State’s Law
None.
State Government Agency Notification Required
Yes, to North Carolina Attorney General.
North Dakota
Breach Definition
Unauthorized acquisition of computerized data, if not made unreadable or unusable.
PII Definition
Individual’s first name or first initial and last name in combination with any of the following if not encrypted:
- Social Security number;
- Operator’s license number;
- Non-driver color photo identification card;
- Individual’s financial institution account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to individual’s financial accounts;
- Individual’s date of birth;
- Maiden name of individual’s mother;
- Medical information;
- Health insurance information;
- Identification number assigned to individual by individual’s employer in combination with any required security code, access code, or password; or
- Individual’s digitized or other electronic signature.
Third Party Notice
If data collector maintains covered information for someone else, it must notify them immediately following discovery of breach.
How to Notify
No specific content requirement.
Substitute Notice
(a) Email notice when the entity has email address for subject persons; (b) conspicuous posting on person’s website, if it maintains one, and (c) notification to major statewide media.
Credit Monitoring
Not stated.
When to Notify Credit Agencies
Not stated.
This State’s Law
None.
State Government Agency Notification Required
Yes, North Dakota Attorney General must be notified if more than 250 ND residents must be notified. North Dakota Health Information Technology Office must be notified within 5 days if the data breach involves personal health information.
Nebraska
Breach Definition
Unauthorized acquisition of unencrypted computerized data that compromises security, confidentiality, or integrity of personal information maintained by individual or commercial entity.
PII Definition
Individual’s first name or first initial and last name, and any of these if not encrypted, redacted, or otherwise made unreadable:
- Social Security number;
- Motor vehicle operator’s license or state identity card;
- Account number or credit or debit card number, in combination with required security code, access code, or password that would permit access to individual’s financial account;
- Electronic identification number or routing code, in combination with required security code, access code, or password; or
- Unique biometric data, including fingerprints, voice print, or retina or iris image; OR
User name or email address, in combination with password or security question and answer that would permit access to online account.
Third Party Notice
If data collector maintains data for a third party, it must notify them after becoming aware of breach.
How to Notify
No specific content requirement.
Substitute Notice
All: (a) email if entity has email addresses of affected people; (b) conspicuous posting on entity’s website, if it maintains one, and (c) notice to major statewide media outlets.
Credit Monitoring
Not required.
When to Notify Credit Agencies
Not required.
This State’s Law
For substitute notice, slightly different procedures if entity has fewer than 10 employees and notification will cost more than $10,000.
State Government Agency Notification Required
Yes, Nebraska Attorney General before or at the same time as notice to consumer.
New Hampshire
Breach Definition
Unauthorized acquisition of computerized data that compromises security or confidentiality of personally identifiable information maintained by entity doing business in New Hampshire.
PII Definition
Individual’s first name or first initial and last name in combination with any of these, when not encrypted:
- Social Security number;
- Driver’s license number or other government identification number; or
- Account number or credit card number or debit card number in combination with any required security code, access code, or password that would permit access to individual’s financial account.
Data is not considered encrypted if acquired in combination with any required key, security code, access code, or password that would permit access.
Third Party Notice
If entity maintains computerized data that includes personally identifiable information that entity does not own, entity shall notify and cooperate with owner or licensee of breach immediately following discovery.
How to Notify
Notice must include description of incident, approximate date of breach, type of personally identifiable information obtained as a result of breach, and phone contact of entity.
Substitute Notice
All: (a) email when entity has email address for affected individuals; (b) conspicuous posting of notice on entity’s website if it maintains one; and (c) notification to major statewide media.
Credit Monitoring
Not required.
When to Notify Credit Agencies
If entity required to notify more than 1,000 New Hampshire consumers.
This State’s Law
None.
State Government Agency Notification Required
Yes, New Hampshire Attorney General.
New Jersey
Breach Definition
Unauthorized access to electronic files, media or data containing PII that compromises security, confidentiality or integrity of PII when access to PII has not been secured by encryption or any other method that renders PII unreadable or unusable.
PII Definition
Individual’s first name or first initial and last name in combination with any of these:
- Social Security number;
- Driver license number or state identification card number; or
- Account number or credit card or debit card number in combination with any required security code, access code or password that would permit access to financial account.
Third Party Notice
If entity maintains covered information for someone else, it must notify them immediately following discovery of breach.
How to Notify
No specific content requirement.
Substitute Notice
All: (a) email notice when entity has email address; (b) conspicuous posting of notice on website of entity if entity maintains one; and (c) notification to major statewide media.
Credit Monitoring
Not required.
When to Notify Credit Agencies
If more than 1,000 New Jersey residents must be notified.
This State’s Law
None.
State Government Agency Notification Required
Yes, must report to New Jersey Division of State Police in the Department of Law and Public Safety before disclosure to consumers.
New Mexico
Breach Definition
Unauthorized acquisition of unencrypted data, or of encrypted data and confidential process or key used to decrypt encrypted computerized data, that compromises security, confidentiality or integrity of personal identifying information.
PII Definition
Individual’s first name or first initial and last name in combination with any of these, when not protected through encryption or redaction or otherwise rendered unreadable or unusable:
- Social Security number;
- Driver’s license number;
- Government-issued identification number;
- Account number, credit card number or debit card number in combination with required security code, access code or password that would permit access to person’s financial account; or
- Biometric data.
Third Party Notice
If data collector maintains covered information for someone else, it must notify them following discovery of breach, not later than 45 calendar days following discovery of breach.
How to Notify
Notice must include:
- Name and contact information of notifying person;
- List of types of personal identifying information that are reasonably believed to have been subject of breach;
- Date of breach, estimated date of breach or range of dates within which breach occurred;
- Description of breach incident;
- Toll-free telephone numbers and addresses of major consumer reporting agencies;
- Advice that directs recipient to review personal account statements and credit reports to detect errors resulting from breach; and
- Advice that informs recipient of notification of recipient’s rights pursuant to federal Fair Credit Reporting Act.
Substitute Notice
All: (a) email to email address of residents for whom person has valid email address; (b) notification in conspicuous location on website of person required to provide notification if person maintains one; and (c) written notification to New Mexico Attorney General and major media outlets in New Mexico.
Credit Monitoring
Not required.
When to Notify Credit Agencies
If more than 1,000 New Mexico residents are affected as result of single security breach.
This State’s Law
New Mexico requires reference to FCRA in consumer notice.
State Government Agency Notification Required
Yes, if more than 1,000 New Mexico residents are affected as result of single breach, notify New Mexico Attorney General no later than 45 calendar days.
Nevada
Breach Definition
Unauthorized acquisition of computerized data that materially compromises security, confidentiality or integrity of personal information maintained by data collector.
PII Definition
Natural person’s first name or first initial and last name in combination with any of these if not encrypted:
- Social Security number;
- Driver’s license number, driver authorization card number or identification card number;
- Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to person’s financial account;
- Medical identification number or health insurance identification number;
- User name, unique identifier or electronic mail address in combination with password, access code or security question and answer that would permit access to online account.
Third Party Notice
If data collector maintains covered information for someone else, it must notify them immediately following discovery of breach.
How to Notify
No specific content requirement.
Substitute Notice
All: (a) email if data collector has email addresses for subject persons; (b) conspicuous posting of notice on website of data collector if it maintains one; and (c) notification to major statewide media.
Credit Monitoring
Not required.
When to Notify Credit Agencies
If more than 1,000 Nevada residents must be notified.
This State’s Law
Business shall take reasonable measures to ensure the destruction of customer’s records that contain personal information when business decides that it will no longer maintain records. Data collector that provides required notification may file civil action for damages against person who unlawfully obtained or benefited from information obtained and may recover restitution including notification costs.
State Government Agency Notification Required
Not required.
New York
Breach Definition
Unauthorized acquisition or acquisition without valid authorization of computerized data that compromises security, confidentiality, or integrity of personal information maintained by a business.
PII Definition
Any information concerning natural person which can be used to identify such natural person, in combination with any of these, when not encrypted, or encrypted with an encryption key that has also been acquired:
- Social Security number;
- Driver’s license number or non-driver identification card number; or
- Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to individual’s financial account.
Third Party Notice
If data collector maintains covered information for someone else, it must notify them following discovery of breach.
How to Notify
No specific content requirement.
Substitute Notice
All: (a) email when business has email address for subject persons; (b) conspicuous posting of notice on business’s website page, if it maintains one; and (c) notification to major statewide media.
Credit Monitoring
Not required.
When to Notify Credit Agencies
If more than 5,000 New York residents are to be notified at one time.
This State’s Law
None.
State Government Agency Notification Required
Yes, New York Attorney General, Department of State and Division of State Police.
Ohio
Breach Definition
Unauthorized acquisition of computerized data that compromises security or confidentiality of personal information owned or licensed by person and that causes, reasonably is believed to have caused, or reasonably is believed will cause material risk of identity theft or other fraud to person or property of Ohio resident.
PII Definition
Individual’s first name or first initial and last name in combination with any of these if unencrypted, redacted, or altered by any other method rendering the data element unreadable:
- Social Security number;
- Driver’s license or state identification card number; or
- Financial account number or credit or debit card number in combination with any required security code, access code or password that would permit access to account.
Third Party Notice
If person or business maintains covered information for someone else, it must notify them in expeditious manner following determination of breach.
How to Notify
No specific content requirement.
Substitute Notice
If no sufficient contact information or cost of providing notice would exceed $250,000 or affected class of residents exceeds 500,000, all: (a) email if person has email address for resident to whom disclosure must be made; (b) conspicuous posting of notice on website of person if person maintains one; and (c) notification to major statewide media so that audience exceeds 75% of state population.
If person required to provide notice is business with 10 or fewer employees and cost to provide notice would exceed $10,000, all: (a) advertisement in local newspaper covering at least 1/4 of page at least once a week for 3 consecutive weeks; (b) conspicuous posting of notice on website of person if person maintains one; and (c) notification to major statewide media.
Credit Monitoring
Not required.
When to Notify Credit Agencies
If more than 1,000 Ohio residents must be notified.
This State’s Law
Businesses that create, maintain and comply with specific cybersecurity standards may qualify for safe harbor from breach litigation. If data security policies conform to one of several industry-recognized cybersecurity frameworks, business entity can invoke safe harbor as affirmative defense. Safe harbor only applies to tort claims that are based on Ohio law or brought in Ohio courts.
State Government Agency Notification Required
None.
Oklahoma
Breach Definition
Unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises security or confidentiality of personal information that causes, or will cause, identity theft or other fraud to any Oklahoma resident.
PII Definition
Individual’s first name or first initial and last name in combination with any of these if not encrypted or redacted:
- Social Security number;
- Driver’s license number or state identification card number; or
- Financial account number or credit card or debit card number in combination with any required security code, access code or password that would permit access to financial account.
Third Party Notice
If individual or entity maintains covered information for someone else, individual or entity must notify them as soon as practicable following discovery of breach.
How to Notify
No specific content requirement.
Substitute Notice
Any two of: (a) email notice; (b) conspicuous posting of notice on website of individual or entity if individual or entity maintains one; or (c) notice to major statewide media.
Credit Monitoring
Not required.
When to Notify Credit Agencies
Not required.
This State’s Law
None.
State Government Agency Notification Required
Not required.
Oregon
Breach Definition
Unauthorized acquisition of computerized data that materially compromises security, confidentiality or integrity of personal information that a person maintains.
PII Definition
Consumer’s first name or first initial and last name in combination with any of these, if encryption, redaction or other methods have not rendered them unusable or if data elements are encrypted and encryption key has been acquired:
- Social Security number;
- Driver’s license number or state identification card number issued by Department of Transportation;
- Passport number or other U.S. identification number;
- Financial account number, credit card number or debit card number, in combination with required security code, access code or password that would permit access to financial account;
- Data from automatic measurements of consumer’s physical characteristics, such as image of fingerprint, retina or iris, that are used to authenticate identity in financial or other transaction;
- Health insurance policy number or health insurance subscriber identification number in combination with any other unique identifier that insurer uses to identify consumer; or
- Information about consumer’s medical history or mental or physical condition, or about a health care professional’s medical diagnosis or treatment of consumer; or
- Any other information or combination of information that a person reasonably knows or should know would permit access to consumer’s financial account; or
- Any of above without consumer’s first name or first initial and last name if encryption, redaction or other methods have not rendered data element unusable; and data element or combination of data elements would enable person to commit identity theft.
Third Party Notice
If person maintains covered information for someone else, it must notify them following discovery of breach.
How to Notify
Notice must include description of breach of security in general terms, approximate date of breach, type of personal information subject to breach, contact information for person that was subject to breach, contact information for consumer reporting agencies, and advice to consumer to report suspected identity theft to law enforcement, including Oregon Attorney General and FTC.
Substitute Notice
(a) Posting of notice or link to notice conspicuously on website of person if person maintains one; and (b) notification to major statewide television and newspaper media.
Credit Monitoring
Not required.
When to Notify Credit Agencies
If more than 1000 Oregon residents must be notified.
This State’s Law
Consumer reporting agencies are prohibited from charging consumer a fee for credit freeze. Law also sets out specifics on administrative, technical, and physical safeguards for an information security program.
State Government Agency Notification Required
Yes, Oregon Attorney General, if more than 250 Oregon residents affected.
Pennsylvania
Breach Definition
Unauthorized access and acquisition of data that materially compromises security or confidentiality of personally identifiable information that causes or will cause loss or injury to any Pennsylvania resident.
PII Definition
Individual’s first name or first initial and last name in combination with any of these if not encrypted or redacted:
- Social Security number;
- Driver’s license number or state identification card number; and
- Financial account number or credit or debit card number in combination with any required security code, access code or password that would permit access to financial account.
Third Party Notice
If vendor maintains covered information on behalf of another entity, it must provide notice of breach to entity, but entity is responsible for making determinations and discharging duties under statute.
How to Notify
No specific content requirement.
Substitute Notice
All: (a) email notice when entity has email address; (b) conspicuous posting of notice on website of entity if it maintains one; and (c) notice to major statewide media.
Credit Monitoring
Not required.
When to Notify Credit Agencies
If more than 1,000 persons must be notified at one time.
This State’s Law
None.
State Government Agency Notification Required
None.
Puerto Rico
Breach Definition
Unauthorized access to data files so that security, confidentiality or integrity of information has been compromised; or when authorized persons or entities access data and it is known or there is reasonable suspicion they have violated professional confidentiality or obtained authorization under false representation with intent to make illegal use of information.
PII Definition
Individual’s first name or first initial and last name in combination with any of these if the information can be accessed without special cryptographic code:
- Social Security Number;
- Driver’s license number, voter’s identification or other official identification;
- Bank or financial account number of any type, with or without password or access code;
- Names of users and passwords or access codes to public or private information systems;
- Medical information protected by HIPAA;
- Tax information;
- Work-related evaluations.
Third Party Notice
If any entity maintains covered information for someone else, it must notify them if access to data by unauthorized persons occurs.
How to Notify
Notice must describe breach in general terms and type of sensitive information compromised. Notice must include toll-free number and Internet site for residents to obtain information or assistance.
Substitute Notice
All: (a) prominent display on webpage and in any informative flier published and sent through mail and email mailing lists; and (b) notification to major media including entity contact information.
Credit Monitoring
Not required.
When to Notify Credit Agencies
Not required.
This State’s Law
None.
State Government Agency Notification Required
Yes, Department of Consumer Affairs within 10 days of breach.
Rhode Island
Breach Definition
Unauthorized access or acquisition of unencrypted computerized data that compromises security, confidentiality, or integrity of PII.
PII Definition
Individual’s first name or first initial and last name in combination with any of these if unencrypted or in hard copy format:
- Social Security number;
- Driver license number, identification card number or tribal identification number;
- Account number or credit card number or debit card number in combination with any required security code, access code, password, or personal identification number that would permit access to financial account;
- Medical or health insurance information;
- Email address in combination with any required security code, access code, or password that would permit access to personal, medical, insurance, or financial account.
Third Party Notice
Not required.
How to Notify
Notice must include all: (a) general and brief description of incident, including how breach occurred and number affected; (b) type of information subject to breach; (c) date of breach, estimated date of breach, or date range within which breach occurred; (d) date breach discovered; (e) clear and concise description of remediation services offered to affected individuals including toll-free numbers and websites to contact credit reporting agencies, remediation service providers, and attorney general; and (f) clear and concise description of consumer’s ability to file or obtain police report; how consumer requests security freeze and necessary information to provide when requesting and that fees may have to be paid to consumer reporting agencies.
Substitute Notice
All: (a) email if entity has email address for subject persons; (b) conspicuous posting of notice on entity’s website if it maintains one; and (c) notification to major statewide media.
Credit Monitoring
Not required.
When to Notify Credit Agencies
If more than 500 Rhode Island residents must be notified.
This State’s Law
Entities that maintain PII must implement and maintain risk-based information security program that contains reasonable security procedures and practices appropriate to size and scope of organization; nature of information; and purpose for which information collected.
State Government Agency Notification Required
Yes, Rhode Island Attorney General if more than 500 Rhode Island residents must be notified.
South Carolina
Breach Definition
Unauthorized access to and acquisition of unencrypted or unredacted computerized data that compromises security, confidentiality or integrity of personal information maintained by person, when illegal use of information has occurred or is reasonably likely to occur or use of information creates material risk of harm to resident.
PII Definition
Individual’s first name or first initial and last name in combination with any of these, when not encrypted nor redacted:
- Social Security number;
- Driver’s license number or state identification card number;
- Financial account number, or credit card or debit card number in combination with any required security code, access code or password that would permit access to financial account; or
- Other numbers or information which may be used to access person’s financial accounts or numbers or information issued by governmental or regulatory entity that uniquely identify individual.
Third Party Notice
If person or business maintains covered information for someone else, it must notify them immediately following discovery of breach.
How to Notify
No specific content requirement.
Substitute Notice
(a) Email notice when person has email address for subject person; (b) conspicuous posting of notice on web site page of person, if person maintains one; or (c) notification to major statewide media.
Credit Monitoring
Not required.
When to Notify Credit Agencies
If business provides notice to more than 1,000 South Carolina residents at one time.
This State’s Law
None.
State Government Agency Notification Required
Yes, if business provides notice to more than 1,000 South Carolina residents at one time, must notify the South Carolina Consumer Protection Division of the Department of Consumer Affairs.
South Dakota
Breach Definition
Unauthorized acquisition of unencrypted computerized data, or encrypted computerized data and encryption key, that materially compromises security, confidentiality, or integrity of personal or protected information.
PII Definition
Individual’s first name or first initial and last name, in combination with any one or more of the following:
- Social Security number;
- Driver’s license number or other unique identification number created or collected by government body;
- Account, credit card, or debit card number, in combination with any required security code, access code, password, routing number, PIN, or any additional information that would permit access to account;
- Health information as defined in 45 CFR 160.103; or
- Identification number assigned by employer in combination with any required security code, access code, password, or biometric data generated from measurements or analysis of human body characteristics for authentication purposes.
“Protected information” does not require the below to be used in combination with person’s name. Includes:
- User name or email address, in combination with password, security question answer, or other information that permits access to online account; and
- Account number or credit or debit card number, in combination with any required security code, access code, or password that permits access to person’s financial account.
Third Party Notice
None.
How to Notify
No specific content requirement.
Substitute Notice
(a) Email notice, if entity has email address for affected individuals; (b) conspicuous posting on entity’s website, if it maintains one; and (c) notification to statewide media.
Credit Monitoring
Not required.
When to Notify Credit Agencies
Must be notified, without unreasonable delay, of timing, distribution, and content of notice to affected individuals.
This State’s Law
Includes notification requirements for defined “protected information” (see above) as well as defined “personal information” (see above).
State Government Agency Notification Required
Yes, South Dakota Attorney General must be notified if more than 250 SD residents must be notified.
Tennessee
Breach Definition
Unauthorized acquisition of unencrypted computerized data that materially compromises security, confidentiality or integrity of personal information maintained by information holder.
PII Definition
Individual’s first name or first initial and last name in combination with any of these when unencrypted:
- Social Security number;
- Driver’s license number; or
- Account, credit card, or debit card number, in combination with any required security code, access code, or password that would permit access to financial account.
Third Party Notice
If entity maintains covered information for someone else, it must notify them no later than 45 days from discovery or notification of breach.
How to Notify
No specific content requirement.
Substitute Notice
All: (a) email notice when entity has email address; (b) conspicuous posting of notice on website of entity if entity maintains one; or (c) notice to major statewide media.
Credit Monitoring
Not required.
When to Notify Credit Agencies
If more than 1,000 persons must be notified at one time.
This State’s Law
None.
State Government Agency Notification Required
Not required.
Texas
Breach Definition
Unauthorized acquisition of computerized data that compromises security, confidentiality, or integrity of sensitive personal information maintained by person, including data that is encrypted if person accessing data has key to decrypt.
PII Definition
Individual’s first name or first initial and last name in combination with any of these if not encrypted:
- Social Security number;
- Driver’s license number or government-issued identification number; or
- Account number or credit or debit card number in combination with required security code, access code, or password that would permit access to individual’s financial account; or
- Information that identifies individual and relates to:
  - Physical or mental health or condition of individual;
  - Provision of health care to individual; or
  - Payment for provision of health care to individual.
Third Party Notice
If data collector maintains covered information for someone else, it must notify them following discovery of breach.
How to Notify
No content requirement.
Substitute Notice
Any of these: (a) email, if person has email addresses for affected persons; (b) conspicuous posting of notice on person’s website; or (c) notice published in or broadcast on major statewide media.
Credit Monitoring
Not required.
When to Notify Credit Agencies
If more than 10,000 Texas residents must be notified.
This State’s Law
None.
State Government Agency Notification Required
No.
Utah
Breach Definition
Unauthorized acquisition of computerized data that compromises security, confidentiality, or integrity of personal information.
PII Definition
Individual’s first name or first initial and last name in combination with any of these if unencrypted or protected by another method that renders data unreadable or unusable:
- Social Security number;
- Financial account number, or credit or debit card number in combination with any required security code, access code or password that would permit access to account; or
- Driver’s license number or state identification card number.
Third Party Notice
If person maintains covered data for someone else, it must notify them immediately following discovery of breach if misuse of personal information occurs or is reasonably likely to occur.
How to Notify
No specific content requirement.
Substitute Notice
None.
Credit Monitoring
Not required.
When to Notify Credit Agencies
Not required.
This State’s Law
None.
State Government Agency Notification Required
Not required.
Virginia
Breach Definition
Unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises security or confidentiality of personal information maintained by an individual or entity as part of a database of personal information regarding multiple individuals and that causes, or the individual or entity reasonably believes has caused or will cause, identity theft or other fraud.
PII Definition
Individual’s first name or first initial and last name in combination with any of these, when the data elements are neither encrypted nor redacted:
- Social security number;
- Driver’s license number or state identification card number issued in lieu of a driver’s license number; or
- Financial account number, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to financial accounts.
The health information breach law applies to the first name or first initial and last name with any of the following:
- Any information regarding an individual’s medical or mental health history, mental or physical condition, or medical treatment or diagnosis by a health care professional; or
- Individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.
Third Party Notice
If data collector maintains covered information on behalf of another entity, it must notify them without unreasonable delay.
How to Notify
Notice must include: (a) description of incident in general terms; (b) description of type of personal information subject to unauthorized access and acquisition; (c) general acts of individual or entity to protect personal information from further unauthorized access; (d) telephone number to call for further information and assistance if one exists; and (e) advice directing person to remain vigilant by reviewing account statements and monitoring credit reports.
For health information, the entity must notify both the subject of the medical information and any affected resident of Virginia, if not same person.
Substitute Notice
If no contact information or cost of providing notice will exceed $50,000 or the affected class of residents exceeds 100,000, all: (a) email notice if entity has email addresses for affected class of residents; (b) conspicuous posting of notice on website of entity if entity maintains one; and (c) notice to major statewide media.
Credit Monitoring
Not required.
When to Notify Credit Agencies
If more than 1000 Virginia residents must be notified.
This State’s Law
Income tax return preparers who have primary responsibility for accuracy of the preparation of a return or refund claim must notify Virginia’s Department of Taxation, without unreasonable delay, if they discover or are notified of a breach of return information on a Virginia individual income tax return. Va. Code Ann. § 58.1-341.2.
The separate provision covering health information applies only to government entities, defined as any authority, board, bureau, commission, district or agency of the Commonwealth or of any political subdivision of the Commonwealth, including cities, towns and counties, municipal councils, governing bodies of counties, school boards and planning commissions; boards of visitors of public institutions of higher education; and other organizations, corporations, or agencies in Virginia supported wholly or principally by public funds.
Additionally, there are specific requirements for notifying Attorney General of breach of computerized data relating to income tax information for employers or payroll service providers.
State Government Agency Notification Required
If more than 1000 Virginia residents must be notified. As part of the notification, the Virginia Attorney General’s Office requests:
1. Cover letter on official letterhead to the Virginia Attorney General’s Office as notification of breach;
2. Approximate date of incident to include how breach was discovered;
3. Cause of breach;
4. Number of Virginia residents affected by breach;
5. Steps taken to remedy breach; and
6. A sample of notification made to the affected parties, to include any possible offers of free credit monitoring.
For health information, entity must also notify Commissioner of Health.
Any employer or payroll service provider that owns or licenses computerized data relating to income tax withheld pursuant to Article 16 (§ 58.1-460 et seq.) of Chapter 3 of Title 58.1 must notify the Attorney General without unreasonable delay after discovery or notification of unauthorized access and acquisition of unencrypted and unredacted computerized data containing taxpayer identification number in combination with income tax withheld for that taxpayer that compromises confidentiality of such data and creates a reasonable belief that an unencrypted and unredacted version of such information was accessed and acquired by an unauthorized person, and causes, or employer or payroll provider reasonably believes has caused or will cause, identity theft or other fraud. With respect to employers, this requirement applies only to information regarding employer’s employees and does not apply to information regarding employer’s customers or non-employees. Notification to the Attorney General must include name and federal employer identification number of the employer as defined in § 58.1-460 that may be affected by the compromise in confidentiality. Upon receipt of such notice, the Attorney General shall notify the Department of Taxation of the compromise in confidentiality. The notification required under this subsection that does not otherwise require notification under this section shall not be subject to any other notification, requirement, exemption, or penalty contained in this section.
Virgin Islands
Breach Definition
Unauthorized acquisition of data that compromises security, confidentiality, or integrity of personal information maintained by agency.
PII Definition
Individual’s first name or first initial and last name in combination with any one or more of these, when either name or data elements are not encrypted:
- Social Security number;
- Driver’s license number; or
- Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to individual’s financial account.
Third Party Notice
If data collector maintains covered information for someone else, it must notify them immediately following discovery of breach.
How to Notify
No specific content requirement.
Substitute Notice
All: (a) email when agency has email address for subject persons; (b) conspicuous posting of notice on agency’s website page, if it maintains one; and (c) notification to major territory-wide media.
Credit Monitoring
Not required.
When to Notify Credit Agencies
Not required.
This State’s Law
None.
State Government Agency Notification Required
Not required.
Vermont
Breach Definition
Unauthorized acquisition of electronic data or reasonable belief of such unauthorized acquisition that compromises security, confidentiality, or integrity of personally identifiable information.
PII Definition
Individual’s first name or first initial and last name in combination with any of these if not encrypted, redacted, or protected by another method rendering them unreadable or unusable:
- Social Security number;
- Motor vehicle operator’s license number or non-driver identification card number;
- Account number or credit or debit card number if number could be used without additional identifying information, access codes, or passwords; or
- Account passwords or personal identification numbers or other access codes for financial account.
Third Party Notice
If data collector maintains covered information for someone else, it must notify them immediately following discovery of breach.
How to Notify
Notice must include description of these: (a) incident in general terms; (b) type of personally identifiable information subject to breach; (c) acts of data collector to protect personally identifiable information from further breach; (d) telephone number (toll-free, if available) that consumer may call for further information and assistance; (e) advice that directs consumer to remain vigilant by reviewing account statements and monitoring free credit reports; and (f) approximate date of breach.
Substitute Notice
All: (a) conspicuous posting of notice on data collector’s website if it maintains one; and (b) notification to major statewide and regional media.
Credit Monitoring
Not required.
When to Notify Credit Agencies
If more than 1,000 Vermont residents must be notified. Does not apply to data collector licensed or registered with Vermont Department of Banking, Insurance, Securities, and Health Care Administration.
This State’s Law
Data brokers that regularly sell or license brokered personal information must register annually with the state of Vermont. The data broker must provide certain information on its business practices, including the number of security breaches it has experienced in the previous year. Vt. HB 764.
State Government Agency Notification Required
Yes, must notify Vermont Attorney General or Department of Financial Regulation within 14 business days of discovery of breach or date of notice to consumers, whichever is sooner. Data collector must send copy of consumer notice and number of Vermont residents affected.
Washington
Breach Definition
Wash. Rev. Code § 19.255.010(4): For purposes of this section, “breach of the security of the system” means unauthorized acquisition of data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business. Good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business is not a breach of the security of the system when the personal information is not used or subject to further unauthorized disclosure.
PII Definition
Wash. Rev. Code § 19.255.010(5): For purposes of this section, “personal information” means an individual’s first name or first initial and last name in combination with any one or more of the following data elements:
- Social security number;
- Driver’s license number or Washington identification card number; or
- Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
Wash. Rev. Code § 19.255.010(6): For purposes of this section, “personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
Third Party Notice
Wash. Rev. Code § 19.255.010(2): Any person or business that maintains data that includes personal information that the person or business does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
How to Notify
Wash. Rev. Code § 19.255.010(14): Any person or business that is required to issue notification pursuant to this section shall meet all of the following requirements:
- The notification must be written in plain language; and
- The notification must include, at a minimum, the following information:
  - The name and contact information of the reporting person or business subject to this section;
  - A list of the types of personal information that were or are reasonably believed to have been the subject of a breach; and
  - The toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed personal information.
Substitute Notice
Wash. Rev. Code § 19.255.010(8)(c): […] [s]ubstitute notice, if the person or business demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars, or that the affected class of subject persons to be notified exceeds five hundred thousand, or the person or business does not have sufficient contact information. Substitute notice shall consist of all of the following:
- Email notice when the person or business has an email address for the subject persons;
- Conspicuous posting of the notice on the web site page of the person or business, if the person or business maintains one; and
- Notification to major statewide media.
[1] “A person or business that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section is in compliance with the notification requirements of this section if the person or business notifies subject persons in accordance with its policies in the event of a breach of security of the system.” See Wash. Rev. Code § 19.255.010(9).
[2] “A covered entity under the federal health insurance portability and accountability act of 1996 […] is deemed to have complied with the requirements of this section with respect to protected health information if it has complied with section 13402 of the federal health information technology for economic and clinical health act […] Covered entities shall notify the attorney general pursuant to subsection (15) of this section in compliance with the timeliness of notification requirements of section 13402 of the federal health information technology for economic and clinical health act.” See Wash. Rev. Code § 19.255.010(10).
Credit Monitoring
Not required.
When to Notify Credit Agencies
Not required to report, but must provide the toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed personal information. See Wash. Rev. Code § 19.255.010(14)(b)(iii).
This State’s Law
The Attorney General’s office put together a 2017 Data Breach Report: http://agportal-s3bucket.s3.amazonaws.com/uploadedfiles/Home/Safeguarding_Consumers/Data_Breach/2017%20Data%20Breach%20Report%20Final.pdf
State Government Agency Notification Required
Wash. Rev. Code § 19.255.010(15): Any person or business that is required to issue a notification pursuant to this section to more than five hundred Washington residents as a result of a single breach shall, by the time notice is provided to affected consumers, electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the attorney general. The person or business shall also provide to the attorney general the number of Washington consumers affected by the breach, or an estimate if the exact number is not known.
**If a single breach affects more than five hundred Washington residents, the person or business shall electronically submit a single sample copy of the security breach notification to the AG.**
Wisconsin
Breach Definition
Unauthorized acquisition of personally identifiable information, whether electronic or hard copy.
PII Definition
Individual’s last name and the individual’s first name or first initial and one or more of the following if not encrypted, redacted, or otherwise made unreadable:
- Social Security number;
- Driver’s license number or state ID number;
- Financial account number, credit or debit card account number, or any security code, access code, or password that would permit access to individual’s financial account;
- DNA profile;
- Unique biometric data (fingerprint, voice print, or retina or iris image).
Third Party Notice
If data is maintained for third party, data owner must notify third party in event of breach.
How to Notify
No specific content requirement.
Substitute Notice
Method reasonably calculated to provide actual notice to subject of personal information.
Credit Monitoring
Not required.
When to Notify Credit Agencies
If 1,000 or more individuals must be notified.
This State’s Law
Some entities are exempt, such as health plans, health care clearinghouses, and some health care providers, as well as certain government actors.
State Government Agency Notification Required
None.
West Virginia
Breach Definition
Unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information.
PII Definition
Individual’s first name or first initial and last name in combination with any of these if not encrypted or redacted:
- Social Security number;
- Driver’s license number or state identification card number; or
- Financial account number or credit or debit card number in combination with any required security code, access code or password that would permit access to financial accounts.
Third Party Notice
If data collector maintains covered information on behalf of another entity, it must notify them as soon as practicable following discovery of a breach.
How to Notify
Notice must include: (a) to extent possible, description of categories of information reasonably believed to have been accessed or acquired by an unauthorized person; (b) telephone number or website address individual may use to contact entity to learn what types of information entity maintained about that individual or individuals in general and whether entity maintained information about that individual; and (c) toll-free telephone numbers and addresses for major credit reporting agencies and information on how to place fraud alert or security freeze.
Substitute Notice
Two of these: (a) email if entity has email address for affected residents; (b) conspicuous posting of notice on entity’s website if it maintains one; and (c) notice to major statewide media.
Credit Monitoring
Not required.
When to Notify Credit Agencies
If more than 1,000 West Virginia residents must be notified.
This State’s Law
None.
State Government Agency Notification Required
Not required.
Wyoming
Breach Definition
Unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal identifying information and causes or is reasonably believed to cause loss or injury to a resident of this state.
PII Definition
Individual’s first name or first initial and last name in combination with one or more of these:
- Social security number or individual taxpayer identification number;
- Driver’s license number, tribal identification card, or federal or state government issued identification card;
- Account number, credit card or debit card number in combination with any security code, access code or password that would allow access to a financial account;
- Shared secrets or security tokens known to be used for data based authentication;
- Username or email address, in combination with password or security question and answer that would permit access to online account;
- Birth or marriage certificate;
- Medical information, meaning a person’s medical history, mental or physical condition, or medical treatment or diagnosis by health care professional;
- Health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the person, or information related to a person’s application and claims history; or
- Unique biometric data, meaning data generated from measurements or analysis of human body characteristics for authentication purposes.
Third Party Notice
If person maintains covered information on behalf of another entity, it must notify them as soon as practicable following determination that the information was or is reasonably believed to have been acquired.
How to Notify
Notice must include: (a) toll-free number to contact data collector or its agent from which individual may learn contact numbers and addresses for the major credit reporting agencies; (b) types of personal identifying information that were or are reasonably believed to have been subject of breach; (c) general description of breach incident; (d) approximate date of breach if determinable at time of notice; (e) actions taken by entity to protect system containing information from further breach; (f) advice directing person to remain vigilant by reviewing account statements and monitoring credit reports; and (g) whether notice was delayed as result of a law enforcement investigation if determinable at time of notice.
Substitute Notice
If no sufficient contact information, cost of providing notice would exceed $10,000 for Wyoming-based persons or businesses and $250,000 for businesses operating but not based in Wyoming, or affected class of residents exceeds 10,000 for Wyoming-based persons or businesses and 500,000 for businesses operating but not based in Wyoming, all of the following: (a) conspicuous posting on the entity’s website if it maintains one; and (b) notification to major statewide media, including toll-free telephone number where residents can learn whether information is included in breach.
Credit Monitoring
Not required.
When to Notify Credit Agencies
Not required.
This State’s Law
Broad definition of PII.
State Government Agency Notification Required
Not required.