Security Breach Notification Laws: 50-State Survey
Doing business in the age of technology often involves collecting personal information from consumers. When a security breach of a system containing this information occurs, consumers may be exposed to identity theft or other damaging forms of fraud. Thus, each state has enacted laws requiring businesses to notify consumers of a security breach in certain circumstances. (These requirements usually apply to government agencies as well.)
This survey summarizes the main security breach notification laws in each state, describing features such as covered entities, the definition of a breach, and notification to consumers once a covered entity finds out that a breach has happened. However, these laws contain many nuances that are not addressed here. Consumers and business owners who want to comprehensively understand the rights and obligations created by these laws should consult a lawyer in their state who can advise them based on their specific situation.
- Alabama
- Alaska
- Arizona
- Arkansas
- California
- Colorado
- Connecticut
- Delaware
- Florida
- Georgia
- Hawaii
- Idaho
- Illinois
- Indiana
- Iowa
- Kansas
- Kentucky
- Louisiana
- Maine
- Maryland
- Massachusetts
- Michigan
- Minnesota
- Mississippi
- Missouri
- Montana
- Nebraska
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- North Carolina
- North Dakota
- Ohio
- Oklahoma
- Oregon
- Pennsylvania
- Rhode Island
- South Carolina
- South Dakota
- Tennessee
- Texas
- Utah
- Vermont
- Virginia
- Washington
- Washington, D.C.
- West Virginia
- Wisconsin
- Wyoming
Alabama Security Breach Notification Laws
- Key law: Code of Alabama Section 8-38-5
- Covered entity: Person, sole proprietorship, partnership, government entity, corporation, non-profit, trust, estate, cooperative, association, or other business entity that acquires or uses sensitive personally identifying information
- Breach defined: Unauthorized acquisition of data in electronic form containing sensitive personally identifying information
A covered entity that determines that sensitive personally identifying information has been acquired or is reasonably believed to have been acquired by an unauthorized person, and that the breach is reasonably likely to cause substantial harm to the people to whom the information relates, must give notice of the breach to each affected person. This notice must be made as expeditiously as possible and without unreasonable delay, taking into account the time necessary to allow the covered entity to conduct an investigation. A covered entity generally must provide notice within 45 days of receiving notice from a third-party agent that a breach has occurred, or of determining that a breach has occurred and is reasonably likely to cause substantial harm.
Alaska Security Breach Notification Laws
- Key law: Alaska Statutes Section 45.48.010
- Covered entity: Covered person (person doing business, governmental agency, or person with more than 10 employees) that owns or licenses personal information in any form that includes personal information on an Alaska resident
- Breach defined: Unauthorized acquisition, or reasonable belief of unauthorized acquisition, of personal information that compromises the security, confidentiality, or integrity of the personal information maintained by the covered entity
A covered entity must disclose a breach to each Alaska resident whose personal information was subject to the breach after discovering it or being notified. The disclosure must be made in the most expeditious time possible and without unreasonable delay, except as necessary to determine the scope of the breach and restore the reasonable integrity of the information system. However, disclosure is not required if the covered entity decides after an appropriate investigation and written notification to the attorney general that there is not a reasonable likelihood that harm to the consumers whose personal information has been acquired has resulted or will result from the breach.
Arizona Security Breach Notification Laws
- Key law: Arizona Revised Statutes Section 18-552
- Covered entity: Person (individual, corporation, business trust, estate, trust, partnership, association, joint venture, government or governmental subdivision or agency, or any other legal or commercial entity) that conducts business in the state and that owns, maintains, or licenses unencrypted and unredacted computerized personal information
- Breach defined: An unauthorized acquisition of and unauthorized access that materially compromises the security or confidentiality of unencrypted and unredacted computerized personal information maintained as part of a database of personal information regarding multiple individuals
A covered entity must conduct an investigation to promptly determine whether there has been a breach if it becomes aware of a security incident. If the investigation results in a determination that there has been a breach, the entity that owns or licenses the computerized data generally must notify the affected individuals within 45 days after the determination. However, notification is not required if the entity, an independent third-party forensic auditor, or a law enforcement agency determines after a reasonable investigation that a breach has not resulted in substantial economic loss to affected individuals, or is not reasonably likely to result in such loss.
Arkansas Security Breach Notification Laws
- Key law: Arkansas Code Section 4-110-105
- Covered entity: Person or business (including a sole proprietorship, partnership, corporation, association, or other group, as well as a state agency and an entity that destroys records) that acquires, owns, or licenses computerized data that includes personal information
- Breach defined: Unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a person or business
A covered entity must disclose a breach after discovery or notification of the breach to any resident of Arkansas whose unencrypted personal information was acquired by an unauthorized person, or reasonably believed to have been acquired. The disclosure must be made in the most expedient time and manner possible and without unreasonable delay, consistent with any measures needed to determine the scope of the breach and restore the reasonable integrity of the data system. However, notification is not required if a covered entity determines after a reasonable investigation that there is no reasonable likelihood of harm to customers.
California Security Breach Notification Laws
- Key law: California Civil Code Section 1798.82; Section 1798.29 (state agencies)
- Covered entity: Person or business (including a sole proprietorship, partnership, corporation, association, or other group, as well as an entity that disposes of records) that conducts business in California and that owns or licenses computerized data that includes personal information; for Section 1798.29, an agency (including most state agencies) that owns or licenses computerized data that includes personal information
- Breach defined: Unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the covered entity
A covered entity must disclose a breach after discovery or notification to a resident of California whose unencrypted personal information was acquired by an unauthorized person, or is reasonably believed to have been acquired. Disclosure is also required to a California resident whose encrypted personal information was acquired by an unauthorized person (or is reasonably believed to have been acquired) when the encryption key or security credential was acquired by an unauthorized person (or is reasonably believed to have been acquired), and the entity that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could make the personal information readable or usable.
The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with any measures needed to determine the scope of the breach and restore the reasonable integrity of the data system.
Colorado Security Breach Notification Laws
- Key law: Colorado Code Section 6-1-716
- Covered entity: Person (including an individual, corporation, business trust, estate, trust, partnership, unincorporated association, or any other legal or commercial entity) that maintains, owns, or licenses personal information in the course of their business, vocation, or occupation
- Breach defined: Unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a covered entity
A covered entity that maintains, owns, or licenses computerized data that includes personal information about a resident of Colorado must conduct a prompt investigation in good faith to determine the likelihood that personal information has been or will be misused when the entity becomes aware that a security breach may have occurred. The entity must give notice to the affected Colorado residents unless the investigation determines that the misuse of information about a Colorado resident has not occurred and is not reasonably likely to occur.
Notice must be made in the most expedient time possible and without unreasonable delay, but no later than 30 days after the determination that a breach occurred, consistent with any measures needed to determine the scope of the breach and restore the reasonable integrity of the computerized data system.
Connecticut Security Breach Notification Laws
- Key law: Connecticut General Statutes Section 36a-701b
- Covered entity: Person who owns, licenses, or maintains computerized data that includes personal information
- Breach defined: Unauthorized access to or unauthorized acquisition of electronic files, media, databases, or computerized data containing personal information when access to the personal information has not been secured by encryption or by any other method or technology that makes the personal information unreadable or unusable
A covered entity must provide notice of a breach after its discovery to any resident of Connecticut whose personal information was breached or is reasonably believed to have been breached. This notice must be made without unreasonable delay but no later than 60 days after the discovery of the breach. If the covered entity identifies additional residents of Connecticut whose personal information was breached or reasonably believed to have been breached more than 60 days after the discovery of the breach, the entity must proceed in good faith to notify these additional residents as expediently as possible.
Notification is not required if a covered entity reasonably determines after an appropriate investigation that the breach will not likely result in harm to the people whose personal information has been acquired or accessed.
Delaware Security Breach Notification Laws
- Key law: 6 Delaware Code Section 12B-102
- Covered entity: Person (including an individual, corporation, business trust, estate trust, partnership, LLC, association, joint venture, government, governmental subdivision or agency, public corporation, or any other legal or commercial entity) that conducts business in Delaware and owns or licenses computerized data that includes personal information
- Breach defined: Unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information
A covered entity must provide notice of a breach after determination of the breach to any resident of Delaware whose personal information was breached or is reasonably believed to have been breached. However, notice is not required if the covered entity reasonably determines after an appropriate investigation that the breach is unlikely to result in harm to the people whose personal information has been breached. Notice must be made without unreasonable delay but no later than 60 days after the determination of the breach, with a few exceptions.
The statute also notes that a breach does not occur if the personal information is encrypted, unless the unauthorized acquisition includes (or is reasonably believed to include) the encryption key, and the person that owns or licenses the encrypted information has a reasonable belief that the encryption key could make the personal information readable or usable.
Florida Security Breach Notification Laws
- Key law: Florida Statutes Section 501.171
- Covered entity: Sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity, or a governmental entity, that acquires, maintains, stores, or uses personal information
- Breach defined: Unauthorized access of data in electronic form containing personal information
A covered entity must give notice to each individual in Florida whose personal information was (or is reasonably believed to have been) accessed as a result of the breach. Notice to individuals must be made as expeditiously as practicable and without unreasonable delay, taking into account the time needed to allow the covered entity to determine the scope of the breach, identify individuals affected by the breach, and restore the reasonable integrity of the data system that was breached. However, it generally must not be made more than 30 days after the determination of a breach or reason to believe that a breach occurred.
Notice is not required if the covered entity reasonably determines after an appropriate investigation and consultation with relevant law enforcement agencies that the breach has not resulted and will not likely result in identity theft or any other financial harm to the individuals whose personal information has been accessed.
Georgia Security Breach Notification Laws
- Key law: Georgia Code Section 10-1-912
- Covered entity: Information broker or data collector (as defined in Section 10-1-911) that maintains computerized data that includes personal information of individuals
- Breach defined: Unauthorized acquisition of an individual’s electronic data that compromises the security, confidentiality, or integrity of personal information of the individual maintained by an information broker or data collector
A covered entity must give notice of a breach after discovery or notification to any resident of Georgia whose unencrypted personal information was (or is reasonably believed to have been) acquired by an unauthorized person. The notice must be made in the most expedient time possible and without unreasonable delay, consistent with any measures needed to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.
Hawaii Security Breach Notification Laws
- Key law: Hawaii Revised Statutes Section 487N-2
- Covered entity: Any business (including a sole proprietorship, partnership, corporation, association, or other group, as well as an entity whose business is records destruction) that owns or licenses personal information of residents of Hawaii, any business (defined as above) that conducts business in Hawaii that owns or licenses personal information in any form, and any government agency (state or county) that collects personal information for specific government purposes
- Breach defined: Any incident of unauthorized access to and acquisition of unencrypted or unredacted records or data containing personal information when illegal use of the personal information has occurred, or is reasonably likely to occur, and creates a risk of harm to a person, as well as any incident of unauthorized access to and acquisition of encrypted records or data containing personal information along with the confidential process or key
A covered entity must provide notice to an affected person that there has been a security breach following discovery or notification. The disclosure notification must be made without unreasonable delay, consistent with any measures necessary to determine sufficient contact information, determine the scope of the breach, and restore the reasonable integrity, security, and confidentiality of the data system.
Idaho Security Breach Notification Laws
- Key law: Idaho Code Section 28-51-105
- Covered entity: A city, county, or state agency, an individual, or a commercial entity (including a corporation, business trust, estate, trust, partnership, limited partnership, LLP, LLC, association, organization, joint venture, and any other legal entity) that conducts business in Idaho and that owns or licenses computerized data that includes personal information about a resident of Idaho
- Breach defined: Illegal acquisition of unencrypted computerized data that materially compromises the security, confidentiality, or integrity of personal information for one or more people maintained by an agency, an individual, or a commercial entity
When a covered entity becomes aware of a breach, it must conduct a reasonable and prompt investigation in good faith to determine the likelihood that personal information has been or will be misused. If the investigation determines that the misuse of information about an Idaho resident has occurred or is reasonably likely to occur, the agency, individual, or commercial entity must give notice as soon as possible to the affected Idaho resident. Notice must be made in the most expedient time possible and without unreasonable delay, consistent with any measures needed to determine the scope of the breach, identify the people affected, and restore the reasonable integrity of the computerized data system.
Illinois Security Breach Notification Laws
- Key law: 815 Illinois Compiled Statutes Section 530/10
- Covered entity: Any data collector (including a government agency, university, corporation, financial institution, retail operator, and any other entity that handles, collects, disseminates, or otherwise deals with non-public personal information) that owns or licenses personal information concerning an Illinois resident
- Breach defined: Unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the data collector
A covered entity must notify an Illinois resident at no charge that there has been a breach after discovery or notification. The disclosure notification must be made in the most expedient time possible and without unreasonable delay, consistent with any measures needed to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.
Indiana Security Breach Notification Laws
- Key law: Indiana Code Section 24-4.9-3-1; Section 4-1-11-5 (for government agencies)
- Covered entity: A person (including an individual, corporation, business trust, estate, trust, partnership, association, non-profit corporation or organization, cooperative, or any other legal entity) that owns or licenses computerized data that includes personal information; any state agency that owns or licenses computerized data that includes personal information
- Breach defined: Unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a person (as defined above), even if the data have been transferred to another medium and are no longer in a computerized format; unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a state or local agency
A private covered entity generally must disclose a breach after discovery or notification to an Indiana resident whose unencrypted personal information was or may have been acquired by an unauthorized person. Disclosure is also required if encrypted personal information was or may have been acquired by an unauthorized person with access to the encryption key. However, disclosure is only required if the private covered entity knows, should know, or should have known that the breach has resulted or could result in identity deception, identity theft, or fraud affecting the Indiana resident. A private covered entity must make the disclosure or notification without unreasonable delay, but no more than 45 days after discovery of the breach.
A covered state agency must disclose a breach after discovery or notification to any Indiana resident whose unencrypted personal information was (or is reasonably believed to have been) acquired by an unauthorized person. The disclosure must be made without unreasonable delay and consistent with any measures needed to determine the scope of the breach and restore the reasonable integrity of the data system.
Iowa Security Breach Notification Laws
- Key law: Iowa Code Section 715C.2
- Covered entity: Any person (including an individual, corporation, business trust, estate, trust, partnership, LLC, association, joint venture, government, public corporation, or other legal or commercial entity) that owns or licenses computerized data that includes a consumer’s personal information that is used in the course of the person’s business, vocation, occupation, or volunteer activities and that was subject to a breach of security
- Breach defined: Unauthorized acquisition of personal information maintained in computerized form by a person that compromises the security, confidentiality, or integrity of the personal information; also unauthorized acquisition of personal information maintained by a person in any medium, including on paper, that was transferred by the person to that medium from computerized form and that compromises the security, confidentiality, or integrity of the personal information
A covered entity must give notice of a breach following discovery or notification to any consumer whose personal information was included in the information that was breached. The consumer notification must be made in the most expeditious manner possible and without unreasonable delay, consistent with any measures necessary to sufficiently determine contact information for the affected consumers, determine the scope of the breach, and restore the reasonable integrity, security, and confidentiality of the data. However, notification is not required if a covered entity determines after an appropriate investigation or consultation with law enforcement agencies that no reasonable likelihood of financial harm to the consumers whose personal information has been acquired has resulted or will result from the breach.
Kansas Security Breach Notification Laws
- Key law: Kansas Statutes Section 50-7a02
- Covered entity: A person (including an individual, partnership, corporation, trust, estate, cooperative, association, or government) that conducts business in the state, or a government, governmental subdivision, or agency that owns or licenses computerized data that includes personal information
- Breach defined: Unauthorized access and acquisition of unencrypted or unredacted computerized data that compromises the security, confidentiality, or integrity of personal information maintained by an individual or a commercial entity, and that causes (or the individual or entity reasonably believes that it has caused or will cause) identity theft to any consumer
A covered entity must conduct a reasonable and prompt investigation in good faith when it becomes aware of a breach, seeking to determine the likelihood that personal information has been or will be misused. If the investigation determines that the misuse of information has occurred or is reasonably likely to occur, the covered entity must give notice as soon as possible to the affected Kansas resident. Notice must be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the computerized data system.
Kentucky Security Breach Notification Laws
- Key law: Kentucky Revised Statutes Section 365.732
- Covered entity: Any person or business entity that conducts business in the state
- Breach defined: Unauthorized acquisition of unencrypted and unredacted computerized data that compromises the security, confidentiality, or integrity of personally identifiable information maintained by the covered entity as part of a database regarding multiple individuals that actually causes, or leads the covered entity to reasonably believe that it has caused or will cause, identity theft or fraud against any Kentucky resident
A covered entity must disclose a breach after discovery or notification to any Kentucky resident whose unencrypted personal information was (or is reasonably believed to have been) acquired by an unauthorized person. The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
Louisiana Security Breach Notification Laws
- Key law: Louisiana Revised Statutes Section 51:3074
- Covered entity: Any person (including an individual, corporation, partnership, sole proprietorship, joint stock company, joint venture, or any other legal entity) that owns or licenses computerized data that includes personal information, or any agency that owns or licenses computerized data that includes personal information
- Breach defined: The compromise of the security, confidentiality, or integrity of computerized data that results in (or has a reasonable likelihood of resulting in) the unauthorized acquisition of and access to personal information maintained by an agency or person
After discovering a breach, a covered entity must notify any resident of Louisiana whose personal information was (or is reasonably believed to have been) acquired by an unauthorized person. The notification must be made in the most expedient time possible and without unreasonable delay, but no later than 60 days after the discovery of the breach, consistent with any measures needed to determine the scope of the breach, prevent further disclosures, and restore the reasonable integrity of the data system. If notification is delayed, the covered entity must provide the attorney general with the reasons for the delay in writing within the 60-day notification period, and the attorney general will allow a reasonable extension of time.
However, notification is not required if a covered entity determines after a reasonable investigation that there is no reasonable likelihood of harm to the residents of Louisiana.
Maine Security Breach Notification Laws
- Key law: 10 Maine Revised Statutes Section 1348
- Covered entity: An information broker (as defined in Section 1347) that maintains computerized data that includes personal information, as well as any other person (including an individual, partnership, corporation, LLC, trust, estate, cooperative, association, or other entity, including government agencies) that maintains computerized data that includes personal information
- Breach defined: Unauthorized acquisition, release, or use of an individual’s computerized data that includes personal information that compromises the security, confidentiality, or integrity of personal information of the individual maintained by a person
The statute contains slightly different provisions for “information brokers” and for other covered entities. If an information broker becomes aware of a breach, it must conduct a reasonable and prompt investigation in good faith to determine the likelihood that personal information has been or will be misused. It must give notice of a breach following discovery or notification to a resident of Maine whose personal information has been (or is reasonably believed to have been) acquired by an unauthorized person. If any other covered entity becomes aware of a breach, it must likewise conduct a reasonable and prompt investigation in good faith to determine the likelihood that personal information has been or will be misused. It must give notice of a breach after discovery or notification to a resident of Maine if misuse of the personal information has occurred, or if it is reasonably possible that misuse will occur.
Notification must be made as expediently as possible and without unreasonable delay, consistent with measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data in the system. Notification generally must be made no later than 30 days after the covered entity becomes aware of a breach and identifies its scope.
Maryland Security Breach Notification Laws
- Key law: Maryland Commercial Law Section 14-3504
- Covered entity: A business (including a sole proprietorship, partnership, corporation, association, or any other business entity) that owns, licenses, or maintains computerized data that includes personal information of an individual residing in Maryland
- Breach defined: Unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of the personal information maintained by a business
When a covered entity discovers or is notified that it incurred a breach, it must conduct a reasonable and prompt investigation in good faith to determine the likelihood that personal information of the individual has been or will be misused as a result of the breach. If the covered entity determines after the investigation that the breach creates a likelihood that personal information has been or will be misused, the owner or licensee of the computerized data must notify the individual of the breach.
The notification generally must be given as soon as reasonably practicable, but no later than 45 days after the business completes the investigation. However, the notification may be delayed to determine the scope of the breach, identify the individuals affected, or restore the integrity of the system.
Massachusetts Security Breach Notification Laws
- Key law: Massachusetts General Laws Chapter 93H Section 3
- Covered entity: A person (including an individual, corporation, association, partnership, or other legal entity) or agency that owns or licenses data that includes personal information about a resident of Massachusetts
- Breach defined: Unauthorized acquisition or unauthorized use of unencrypted data, or encrypted electronic data together with the confidential process or key, maintained by a person or agency that creates a substantial risk of identity theft or fraud against a Massachusetts resident
A covered entity must provide notice as soon as practicable and without unreasonable delay when the covered entity knows or has reason to know of a breach, or when the covered entity knows or has reason to know that the personal information of a Massachusetts resident was acquired or used by an unauthorized person or used for an unauthorized purpose. Notice must not be delayed on the ground that the total number of residents affected is not yet known. In that case, the covered entity must provide additional notice as soon as practicable and without unreasonable delay upon learning the additional information.
Michigan Security Breach Notification Laws
- Key law: Michigan Compiled Laws Section 445.72
- Covered entity: A person (including an individual, partnership, corporation, LLC, association, or other legal entity) or agency that owns or licenses data that are included in a database
- Breach defined: Unauthorized access and acquisition of data that compromises the security or confidentiality of personal information maintained by a person or agency as part of a database of personal information regarding multiple individuals
Unless it determines that a breach has not caused or is not likely to cause substantial loss or injury to one or more Michigan residents, or to result in identity theft against them, a covered entity that discovers or receives notice of a breach must provide notice of the breach to each Michigan resident who fits into one of two categories. Either the resident's unencrypted and unredacted personal information must have been accessed and acquired by an unauthorized person, or the resident's personal information must have been accessed and acquired in encrypted form by a person with unauthorized access to the encryption key.
A covered entity must provide notice without unreasonable delay. However, it may delay providing notice if this is necessary for the covered entity to take any measures necessary to determine the scope of the breach and restore the reasonable integrity of the database. A covered entity still must provide notice without unreasonable delay after it completes the measures necessary to determine the scope of the breach and restore the reasonable integrity of the database.
Minnesota Security Breach Notification Laws
- Key law: Minnesota Statutes Section 325E.61
- Covered entity: Any person or business that conducts business in Minnesota, and that owns or licenses data that includes personal information
- Breach defined: Unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the covered entity
A covered entity must disclose a breach following discovery or notification to any Minnesota resident whose unencrypted personal information was (or is reasonably believed to have been) acquired by an unauthorized person. The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with any measures needed to determine the scope of the breach, identify the individuals affected, and restore the reasonable integrity of the data system.
Mississippi Security Breach Notification Laws
- Key law: Mississippi Code Section 75-24-29
- Covered entity: Any person (including individuals, corporations, trusts, partnerships, associations, and any other legal entity) who conducts business in Mississippi and who, in the ordinary course of their business functions, owns, licenses, or maintains personal information of any Mississippi resident
- Breach defined: Unauthorized acquisition of electronic files, media, databases, or computerized data containing personal information of any Mississippi resident when access to the personal information has not been secured by encryption or by any other method or technology that makes the personal information unreadable or unusable
A covered entity must disclose a breach to all affected individuals. The disclosure must be made without unreasonable delay, subject to the completion of an investigation by the covered entity to determine the nature and scope of the incident, identify the affected individuals, or restore the reasonable integrity of the data system. Notification is not required if the covered entity reasonably determines after an appropriate investigation that the breach will not likely result in harm to the affected individuals.
Missouri Security Breach Notification Laws
- Key law: Missouri Revised Statutes Section 407.1500
- Covered entity: Any person (including an individual, corporation, business trust, estate, trust, partnership, LLC, association, joint venture, government, public corporation, or any other legal or commercial entity) that owns or licenses personal information of residents of Missouri, or any person that conducts business in Missouri that owns or licenses personal information in any form of a resident of Missouri
- Breach defined: Unauthorized access to and unauthorized acquisition of personal information maintained in computerized form by a person that compromises the security, confidentiality, or integrity of the personal information
A covered entity must provide notice to an affected Missouri consumer that there has been a breach following discovery or notification of the breach. The disclosure notification must be made without unreasonable delay and consistent with any measures necessary to determine sufficient contact information and to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system. However, notification is not required if the covered entity determines after an appropriate investigation or consultation with law enforcement agencies that a risk of identity theft or other fraud to any Missouri consumer is not reasonably likely to occur as a result of the breach.
Montana Security Breach Notification Laws
- Key law: Montana Code Section 30-14-1704; Section 2-6-1503 (state agencies); Section 33-19-321 (insurance companies)
- Covered entity: Any person or business (including a sole proprietorship, partnership, corporation, association, or other group, as well as an entity that destroys records and certain regulated industries) that conducts business in Montana and that owns or licenses computerized data that includes personal information; a state agency that maintains computerized data containing personal information in its data system; any licensee (as defined in Section 33-19-104) or insurance-support organization that conducts business in Montana and that owns or licenses computerized data that includes personal information
- Breach defined: Unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information maintained by the covered entity (or by a third party on behalf of a state agency) and that causes or is reasonably believed to cause loss or injury to a Montana resident (or to any person under the state agency statute); under the insurance statute, unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a covered entity or a person to whom information is disclosed under related statutes
A covered entity under the main statute must disclose a breach following discovery or notification to any resident of Montana whose unencrypted personal information was (or is reasonably believed to have been) acquired by an unauthorized person. The disclosure must be made without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
When a covered state agency discovers or receives notification of a breach, it must make reasonable efforts to notify any person whose unencrypted personal information was (or is reasonably believed to have been) acquired by an unauthorized person. The same timing rules about notification apply as above. In addition, a third party that receives personal information from a state agency and maintains that information in a computerized data system to perform a state agency function must make reasonable efforts upon discovery or notification of a breach to notify any person whose unencrypted personal information is reasonably believed to have been acquired by an unauthorized person as part of the breach. (In this case, the state agency does not have a duty to provide notification of the breach, unless the third party fails to do so in a reasonable time.)
A covered insurance entity must provide notice of a breach after discovery or notice of the breach to any individual whose unencrypted personal information was (or is reasonably believed to have been) acquired by an unauthorized person. The same timing rules about notification apply as for private covered entities above.
Nebraska Security Breach Notification Laws
- Key law: Nebraska Revised Statutes Section 87-803
- Covered entity: An individual or a commercial entity (including a corporation, business trust, estate, trust, partnership, limited partnership, LLP, LLC, association, organization, joint venture, government, or any other legal entity) that conducts business in Nebraska and that owns or licenses computerized data that includes personal information about a Nebraska resident
- Breach defined: Unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information maintained by an individual or a commercial entity
A covered entity must conduct a reasonable and prompt investigation in good faith when it becomes aware of a breach to determine the likelihood that personal information has been or will be used for an unauthorized purpose. If the investigation determines that the use of information about a Nebraska resident for an unauthorized purpose has occurred or is reasonably likely to occur, the covered entity must give notice to the affected Nebraska resident. Notice must be provided as soon as possible and without unreasonable delay, consistent with any measures needed to determine the scope of the breach and restore the reasonable integrity of the computerized data system.
Nevada Security Breach Notification Laws
- Key law: Nevada Revised Statutes Section 603A.220
- Covered entity: A data collector (as defined by Section 603A.030) that owns or licenses computerized data that includes personal information
- Breach defined: Unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information maintained by the data collector
A covered entity must disclose a breach following discovery or notification of the breach to any Nevada resident whose unencrypted personal information was (or is reasonably believed to have been) acquired by an unauthorized person. The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with any measures needed to determine the scope of the breach and restore the reasonable integrity of the system data.
New Hampshire Security Breach Notification Laws
- Key law: New Hampshire Revised Statutes Section 359-C:20
- Covered entity: Any person (including an individual, corporation, trust, partnership, association, LLC, or other entity, or a government entity) doing business in New Hampshire that owns or licenses computerized data that includes personal information
- Breach defined: Unauthorized acquisition of computerized data that compromises the security or confidentiality of personal information maintained by a person doing business in New Hampshire
When a covered entity becomes aware of a breach, it must promptly determine the likelihood that the information has been or will be misused. If it determines that misuse of the information has occurred or is reasonably likely to occur, or if it cannot make a determination, the covered entity must notify the affected individuals as soon as possible.
New Jersey Security Breach Notification Laws
- Key law: New Jersey Revised Statutes Section 56:8-163
- Covered entity: Any business (including a sole proprietorship, partnership, corporation, association, or other entity) that conducts business in New Jersey, or any public entity (including state and local governments) that compiles or maintains computerized records that include personal information
- Breach defined: Unauthorized access to electronic files, media, or data containing personal information that compromises the security, confidentiality, or integrity of personal information when access to the personal information has not been secured by encryption or by any other method or technology that makes the personal information unreadable or unusable
A covered entity must disclose a breach after discovery or notification of the breach to any customer who is a resident of New Jersey whose personal information was (or is reasonably believed to have been) accessed by an unauthorized person. The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. However, disclosure of a breach is not required if the business or public entity establishes that misuse of the information is not reasonably possible.
New Mexico Security Breach Notification Laws
- Key law: New Mexico Statutes Section 57-12C-6
- Covered entity: A person that owns or licenses elements that include personal identifying information of a New Mexico resident
- Breach defined: Unauthorized acquisition of unencrypted computerized data, or of encrypted computerized data together with the confidential process or key used to decrypt the encrypted computerized data, that compromises the security, confidentiality, or integrity of personal identifying information maintained by a person
A covered entity must provide notification to each New Mexico resident whose personal identifying information is reasonably believed to have been subject to a breach. Notification must be made in the most expedient time possible, but generally no later than 45 days after discovery of the breach. (Notification may be delayed as necessary to determine the scope of the breach and restore the integrity, security, and confidentiality of the data system.) However, notification is not required if a covered entity determines after an appropriate investigation that the breach does not give rise to a significant risk of identity theft or fraud.
New York Security Breach Notification Laws
- Key law: New York General Business Law Section 899-aa
- Covered entity: Any person or business that owns or licenses computerized data that includes private information
- Breach defined: Unauthorized access to or acquisition of computerized data, or access to or acquisition of computerized data without valid authorization, that compromises the security, confidentiality, or integrity of private information maintained by a business
A covered entity must disclose a breach following discovery or notification of the breach to any resident of New York State whose private information was (or is reasonably believed to have been) accessed or acquired by a person without valid authorization. The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the integrity of the system.
However, notice is not required if the exposure of private information was an inadvertent disclosure by people authorized to access the information, and the covered entity reasonably determines that the exposure will not likely result in misuse of the information or financial harm to the affected people (or emotional harm in certain circumstances).
North Carolina Security Breach Notification Laws
- Key law: North Carolina General Statutes Section 75-65
- Covered entity: Any business (including a sole proprietorship, partnership, corporation, association, or other group, but not any government) that owns or licenses personal information of North Carolina residents, or any business that conducts business in the state that owns or licenses personal information in any form (including computerized or paper)
- Breach defined: An incident of unauthorized access to and acquisition of unencrypted and unredacted records or data containing personal information when illegal use of the personal information has occurred or is reasonably likely to occur, or that creates a material risk of harm to a consumer; also, an incident of unauthorized access to and acquisition of encrypted records or data containing personal information together with the confidential process or key
A covered entity must provide notice to an affected person that there has been a breach following discovery or notification of the breach. The disclosure notification must be made without unreasonable delay, consistent with any measures necessary to determine sufficient contact information, determine the scope of the breach, and restore the reasonable integrity, security, and confidentiality of the data system.
North Dakota Security Breach Notification Laws
- Key law: North Dakota Century Code Chapter 51-30
- Covered entity: Any person that owns or licenses computerized data that includes personal information
- Breach defined: Unauthorized acquisition of computerized data when access to personal information has not been secured by encryption or by any other method or technology that makes the electronic files, media, or databases unreadable or unusable
A covered entity must disclose a breach following discovery or notification of the breach to any North Dakota resident whose unencrypted personal information was (or is reasonably believed to have been) acquired by an unauthorized person. The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the integrity of the data system.
Ohio Security Breach Notification Laws
- Key law: Ohio Revised Code Section 1349.19; Section 1347.12 (government agencies)
- Covered entity: Any person (including an individual, corporation, business trust, estate, trust, partnership, and association, but only including a business entity if it conducts business in Ohio) that owns or licenses computerized data that includes personal information, as well as a state or local government agency that owns or licenses computerized data that includes personal information
- Breach defined: Unauthorized access to and acquisition of computerized data that compromises the security or confidentiality of personal information owned or licensed by a person (or a state or local government agency) and that causes, reasonably is believed to have caused, or reasonably is believed will cause a material risk of identity theft or other fraud to the person or property of an Ohio resident
A covered entity must disclose a breach following its discovery or notification of the breach to any Ohio resident whose personal information was (or reasonably is believed to have been) accessed and acquired by an unauthorized person if the access and acquisition causes (or if it is reasonably believed that it will cause) a material risk of identity theft or other fraud to the resident. The covered entity must make the disclosure in the most expedient time possible, but no later than 45 days after its discovery or notification of the breach, consistent with any measures necessary to determine the scope of the breach, including which residents’ personal information was accessed and acquired, and to restore the reasonable integrity of the data system.
Oklahoma Security Breach Notification Laws
- Key law: 24 Oklahoma Statutes Section 163
- Covered entity: An individual or entity (including corporations, business trusts, estates, partnerships, limited partnerships, LLPs, LLCs, associations, organizations, joint ventures, governments, or any other legal entity) that owns or licenses computerized data that includes personal information
- Breach defined: Unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information maintained by an individual or entity as part of a database of personal information regarding multiple individuals and that causes (or the individual or entity reasonably believes that it has caused or will cause) identity theft or other fraud to any Oklahoma resident
A covered entity must disclose a breach following discovery or notification of the breach to any Oklahoma resident whose unencrypted and unredacted personal information was (or is reasonably believed to have been) accessed and acquired by an unauthorized person and that causes, or the covered entity reasonably believes has caused or will cause, identity theft or other fraud to any Oklahoma resident. The disclosure generally must be made without unreasonable delay, except to take any measures necessary to determine the scope of the breach and restore the reasonable integrity of the system.
A covered entity also must disclose the breach if encrypted information is accessed and acquired in an unencrypted form, or if the breach involves a person with access to the encryption key, and the covered entity reasonably believes that this breach has caused or will cause identity theft or other fraud to any Oklahoma resident.
74 Oklahoma Statutes Section 3113.1 provides an additional requirement for certain government entities. This law covers any state agency, board, commission, or other unit or subdivision of state government that owns or licenses computerized data that includes personal information. A breach is defined as an unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the covered entity.
A covered entity under this law must disclose a breach following discovery or notification of the breach to any Oklahoma resident whose unencrypted personal information was (or is reasonably believed to have been) acquired by an unauthorized person. The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
Oregon Security Breach Notification Laws
- Key law: Oregon Revised Statutes Section 646A.604
- Covered entity: A person (including an individual, private or public corporation, partnership, cooperative, association, estate, LLC, organization, or other entity, as well as a public body) that owns, licenses, maintains, stores, manages, collects, processes, acquires, or otherwise possesses personal information in the course of their business, vocation, occupation, or volunteer activities
- Breach defined: An unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information that a person maintains or possesses
If a covered entity is subject to a breach or receives notice of a breach from a vendor, the covered entity must give notice of the breach to the consumer to whom the personal information pertains. A covered entity must give notice of a breach in the most expeditious manner possible, without unreasonable delay, but generally no later than 45 days after discovering or receiving notification of the breach. However, before providing notice, a covered entity must undertake reasonable measures that are necessary to determine sufficient contact information for the intended recipient of the notice, determine the scope of the breach, and restore the reasonable integrity, security, and confidentiality of the personal information.
A covered entity does not need to notify consumers of a breach if it reasonably determines after an appropriate investigation or after consulting with law enforcement agencies that the consumers whose personal information was subject to the breach are unlikely to suffer harm.
Pennsylvania Security Breach Notification Laws
- Key law: 73 Pennsylvania Statutes Section 2303
- Covered entity: An entity (a state agency or local government, or an individual or a business doing business in Pennsylvania) that maintains, stores, or manages computerized data that includes personal information
- Breach defined: Unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of personal information maintained by the entity as part of a database of personal information regarding multiple individuals and that causes (or the entity reasonably believes that it has caused or will cause) loss or injury to any Pennsylvania resident
A covered entity must provide notice of a breach following determination of the breach to any Pennsylvania resident whose unencrypted and unredacted personal information was (or is reasonably believed to have been) accessed and acquired by an unauthorized person. A covered entity also must provide notice of the breach if encrypted information is accessed and acquired in an unencrypted form, if the breach is linked to a breach of the security of the encryption, or if the breach involves a person with access to the encryption key.
The notice generally must be made without unreasonable delay, except to take any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. If a state agency determines that it is the subject of a breach of the security of the system affecting personal information maintained by the state agency or state agency contractor, the state agency must provide notice of the breach within seven business days following determination of the breach. If a county, public school, or municipality is the subject of a breach, the county, public school, or municipality must provide notice of the breach within seven business days following determination of the breach.
Rhode Island Security Breach Notification Laws
- Key law: Rhode Island General Laws Section 11-49.3-4
- Covered entity: Any municipal agency, state agency, or person (including an individual, sole proprietorship, partnership, association, corporation, joint venture, business, legal entity, trust, estate, cooperative, or other commercial entity) that stores, owns, collects, processes, maintains, acquires, uses, or licenses data that includes personal information
- Breach defined: Unauthorized access to or acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the municipal agency, state agency, or person
A covered entity must provide notification of any disclosure of personal information, or any breach, that poses a significant risk of identity theft to any Rhode Island resident whose personal information was (or is reasonably believed to have been) acquired by an unauthorized person or entity. The notification must be made in the most expedient time possible, but generally no later than 45 days after confirmation of the breach and the ability to ascertain the information required to fulfill the notice requirements. (The deadline is 30 days for state and municipal agencies.)
South Carolina Security Breach Notification Laws
- Key law: South Carolina Code of Laws Section 39-1-90
- Covered entity: A person (including individuals, corporations, governments, trusts, estates, partnerships, cooperatives, and associations) conducting business in South Carolina, and owning or licensing computerized data or other data that includes personal identifying information
- Breach defined: Unauthorized access to and acquisition of computerized data that was not rendered unusable through encryption, redaction, or other methods, and that compromises the security, confidentiality, or integrity of personal identifying information maintained by the person, when illegal use of the information has occurred or is reasonably likely to occur, or use of the information creates a material risk of harm to a South Carolina resident
A covered entity must disclose a breach following discovery or notification of the breach to a South Carolina resident whose personal identifying information (not having been rendered unusable through encryption, redaction, or other methods) was, or is reasonably believed to have been, acquired by an unauthorized person, when illegal use of the information has occurred or is reasonably likely to occur, or use of the information creates a material risk of harm to the resident. The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
South Dakota Security Breach Notification Laws
- Key law: South Dakota Codified Laws Section 22-40-20
- Covered entity: Any person or business that conducts business in South Dakota, and that owns or licenses computerized personal or protected information of South Dakota residents
- Breach defined: Unauthorized acquisition of unencrypted computerized data (or encrypted computerized data and the encryption key) by any person that materially compromises the security, confidentiality, or integrity of personal or protected information maintained by the covered entity
After discovery or notification of a breach, a covered entity must disclose the breach to any South Dakota resident whose personal or protected information was (or is reasonably believed to have been) acquired by an unauthorized person. A disclosure generally must be made no later than 60 days after the discovery or notification of the breach. However, a covered entity is not required to make a disclosure if it reasonably determines after an appropriate investigation and notice to the attorney general that the breach will not likely result in harm to the affected person.
Tennessee Security Breach Notification Laws
- Key law: Tennessee Code Section 47-18-2107
- Covered entity: Any person or business that conducts business in Tennessee, or any state or local government agency, that owns or licenses computerized personal information of Tennessee residents
- Breach defined: Acquisition of unencrypted computerized data, or encrypted computerized data and the encryption key, by an unauthorized person that materially compromises the security, confidentiality, or integrity of personal information maintained by the covered entity
After discovery or notification of a breach, a covered entity must disclose the breach to any Tennessee resident whose personal information was (or is reasonably believed to have been) acquired by an unauthorized person. The disclosure generally must be made no later than 45 days after the discovery or notification of the breach.
Texas Security Breach Notification Laws
- Key law: Texas Business and Commerce Code Section 521.053
- Covered entity: A person who conducts business in Texas and owns or licenses computerized data that includes sensitive personal information
- Breach defined: Unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information maintained by a person, including data that is encrypted if the person accessing the data has the key required to decrypt the data
A covered entity must disclose a breach after discovering or receiving notification of the breach to any individual whose sensitive personal information was (or is reasonably believed to have been) acquired by an unauthorized person. The disclosure must be made without unreasonable delay and generally no later than the 60th day after the date on which the covered entity determines that the breach occurred, except as necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
Utah Security Breach Notification Laws
- Key law: Utah Code Section 13-44-202
- Covered entity: A person that owns or licenses computerized data that includes personal information concerning a Utah resident
- Breach defined: Unauthorized acquisition of computerized data maintained by a person that compromises the security, confidentiality, or integrity of personal information
When a covered entity becomes aware of a breach, it must conduct a reasonable and prompt investigation in good faith to determine the likelihood that personal information has been or will be misused for identity theft or fraud purposes. If the investigation reveals that the misuse of personal information for identity theft or fraud purposes has occurred or is reasonably likely to occur, the covered entity must provide notification to each affected Utah resident. A covered entity must provide the notification in the most expedient time possible without unreasonable delay after determining the scope of the breach and after restoring the reasonable integrity of the system.
Vermont Security Breach Notification Laws
- Key law: 9 Vermont Statutes Section 2435
- Covered entity: A data collector (as defined in Section 2430) that owns or licenses computerized personally identifiable information or login credentials
- Breach defined: An unauthorized acquisition or a reasonable belief of an unauthorized acquisition of more than one element of brokered personal information maintained by a data broker when the brokered personal information is not encrypted, redacted, or protected by another method that makes the information unreadable or unusable by an unauthorized person
A covered entity must notify a consumer that there has been a breach following discovery or notification to the covered entity. Notice must be made in the most expedient time possible and without unreasonable delay, but generally no later than 45 days after the discovery or notification, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.
However, notice is not required if the covered entity establishes that misuse of personally identifiable information or login credentials is not reasonably possible, and the covered entity provides notice of this determination as the statute requires. (This generally involves notifying the Vermont Attorney General or the Department of Financial Regulation and providing a detailed explanation of the determination.)
Virginia Security Breach Notification Laws
- Key law: Code of Virginia Section 18.2-186.6
- Covered entity: An individual or entity (including corporations, business trusts, estates, partnerships, limited partnerships, LLPs, LLCs, associations, organizations, joint ventures, governments, and any other legal entity) that owns or licenses computerized data that includes personal information
- Breach defined: Unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information maintained by an individual or entity as part of a database of personal information regarding multiple individuals, and that causes (or the individual or entity reasonably believes that it has caused or will cause) identity theft or other fraud to any Virginia resident
If unencrypted or unredacted personal information was (or is reasonably believed to have been) accessed and acquired by an unauthorized person, and this causes (or the covered entity reasonably believes that it has caused or will cause) identity theft or other fraud to any Virginia resident, the covered entity must disclose the breach, following discovery or notification, to any affected Virginia resident without unreasonable delay. (A covered entity also must disclose a breach if encrypted information is accessed and acquired in an unencrypted form, or if the breach involves a person with access to the encryption key, and the covered entity reasonably believes that the breach has caused or will cause identity theft or other fraud to any Virginia resident.) Notice may be reasonably delayed to allow the covered entity to determine the scope of the breach and restore the reasonable integrity of the system.
Washington Security Breach Notification Laws
- Key law: Revised Code of Washington Section 19.255.010; Section 42.56.590 (government agencies)
- Covered entity: A person or business that conducts business in Washington and that owns or licenses data that includes personal information, as well as a government agency that owns or licenses data that includes personal information
- Breach defined: Unauthorized acquisition of data that compromises the security, confidentiality, or integrity of personal information maintained by the person, business, or agency
A covered entity must disclose a breach to any Washington resident whose personal information was (or is reasonably believed to have been) acquired by an unauthorized person, and the personal information was not secured. However, notice is not required if the breach is not reasonably likely to subject consumers to a risk of harm. A breach of secured personal information must be disclosed if the information acquired and accessed is not secured during a breach, or if the confidential process, encryption key, or other means to decipher the secured information was acquired by an unauthorized person.
Notification to affected consumers must be made in the most expedient time possible, without unreasonable delay, and generally no more than 30 days after the breach was discovered unless the delay is due to any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. (A government agency may delay notification for up to an additional 14 days to allow for notification to be translated into the primary language of the affected consumers.)
Washington, D.C. Security Breach Notification Laws
- Key law: District of Columbia Code Section 28-3852
- Covered entity: A person or entity (including a firm, corporation, partnership, company, cooperative, association, trust, or any other organization or legal entity, but not the District government) that conducts business in the District of Columbia and, in the course of its business, owns or licenses computerized or other electronic data that includes personal information
- Breach defined: Unauthorized acquisition of computerized or other electronic data or any equipment or device storing this data that compromises the security, confidentiality, or integrity of personal information maintained by the covered entity
A covered entity that discovers a breach must promptly notify any District of Columbia resident whose personal information was included in the breach. The notification must be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
A breach does not include the acquisition of personal information of an individual that a covered entity reasonably determines will likely not result in harm to the individual after a reasonable investigation and consultation with the District of Columbia Attorney General and federal law enforcement agencies.
West Virginia Security Breach Notification Laws
- Key law: West Virginia Code Section 46A-2A-102
- Covered entity: An individual or entity (including corporations, business trusts, estates, partnerships, limited partnerships, LLPs, LLCs, associations, organizations, joint ventures, governments, or any other legal entity) that owns or licenses computerized data that includes personal information
- Breach defined: Unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information maintained by an individual or entity as part of a database of personal information regarding multiple individuals and that causes the individual or entity to reasonably believe that the breach has caused or will cause identity theft or other fraud to any West Virginia resident
A covered entity must give notice of a breach, following discovery or notification of the breach, to any West Virginia resident whose unencrypted and unredacted personal information was (or is reasonably believed to have been) accessed and acquired by an unauthorized person, when this causes (or the covered entity reasonably believes that it has caused or will cause) identity theft or other fraud to any West Virginia resident. (A covered entity also must give notice of a breach if encrypted information is accessed and acquired in an unencrypted form, or if the breach involves a person with access to the encryption key, and the covered entity reasonably believes that the breach has caused or will cause identity theft or other fraud to any West Virginia resident.)
The notice generally must be made without unreasonable delay, except to take measures necessary to determine the scope of the breach and restore the reasonable integrity of the system.
Wisconsin Security Breach Notification Laws
- Key law: Wisconsin Statutes Section 134.98
- Covered entity: An entity (as defined in Section 134.98) whose principal place of business is located in Wisconsin, or an entity that maintains or licenses personal information in Wisconsin; also, an entity whose principal place of business is not located in Wisconsin but knows that personal information pertaining to a Wisconsin resident has been acquired by a person whom the entity has not authorized to acquire the personal information
- Breach defined: Not explicitly defined, but essentially when personal information is acquired by a person whom the entity has not authorized to acquire it
The statute provides two separate notification requirements for two different sets of entities. When an entity whose principal place of business is located in Wisconsin or an entity that maintains or licenses personal information in Wisconsin knows that personal information in its possession has been acquired by a person whom the entity has not authorized to acquire the personal information, the entity must make reasonable efforts to notify each subject of the personal information. Meanwhile, if an entity whose principal place of business is not located in Wisconsin knows that personal information pertaining to a Wisconsin resident has been acquired by a person whom the entity has not authorized to acquire the personal information, the entity must make reasonable efforts to notify each Wisconsin resident who is the subject of the personal information.
An entity generally must provide notice within a reasonable time, and no more than 45 days after the entity learns of the acquisition of personal information. However, an entity is not required to provide notice of the acquisition of personal information if this does not create a material risk of identity theft or fraud to the subject of the personal information.
Wyoming Security Breach Notification Laws
- Key law: Wyoming Statutes Section 40-12-502
- Covered entity: An individual or commercial entity that conducts business in Wyoming and that owns or licenses computerized data that includes personal identifying information about a Wyoming resident
- Breach defined: Unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal identifying information maintained by a person or business and causes (or is reasonably believed to cause) loss or injury to a Wyoming resident
When a covered entity becomes aware of a breach, it must conduct a reasonable and prompt investigation in good faith to determine the likelihood that personal identifying information has been or will be misused. If the investigation determines that the misuse of personal identifying information about a Wyoming resident has occurred or is reasonably likely to occur, the covered entity must give notice as soon as possible to the affected Wyoming resident. Notice must be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the computerized data system.