
Reporting requirements for security breaches – USA.

1. Alabama

Requirements

Notice is required to affected Alabama residents if the Entity determines that, because of a breach of security, personal information has been acquired by an unauthorized person and is reasonably likely to cause substantial harm. Notably, however, “biometric information” is not included in Alabama’s definition of personal information, as it typically is in other states.

If an Entity is required to notify more than 1,000 Alabama residents of a breach, the Entity shall also notify without unreasonable delay all nationwide consumer credit reporting agencies of the timing, distribution, and content of the notices to Alabama residents.

If the number of individuals requiring notice exceeds 1,000, the Entity must notify the Attorney General as expeditiously as possible and without unreasonable delay, and within 45 days once it is determined that a breach has occurred and is reasonably likely to cause substantial harm to affected individuals.

Exceptions

An Entity is exempt from this chapter if it:

  • Is subject to or regulated by federal laws, rules, regulations, procedures, or guidance or state laws, rules, regulations, procedures, or guidance that are at least as thorough as the notice requirements in this law; and
  • Maintains procedures pursuant to those requirements; and
  • Provides notice to consumers pursuant to those requirements, and
  • Timely provides notice to the Attorney General when the number of affected individuals exceeds 1,000.

2. Alaska

Requirements

An Entity to which the statute applies shall disclose the breach to each Alaska resident whose PI was subject to the breach. If an Entity is required to notify more than 1,000 Alaska residents of a breach, the Entity shall also notify without unreasonable delay all nationwide consumer credit reporting agencies of the timing, distribution, and content of the notices to Alaska residents.

Exceptions

Entities subject to the Gramm-Leach-Bliley Act are exempt from this requirement and are not required to notify consumer reporting agencies.

3. Arizona

Requirements

Any Entity that owns or licenses the PI shall notify the individuals affected within 45 days after its determination that there has been a security breach. If an Entity is required to notify more than 1,000 Arizona residents, the Entity shall notify the Attorney General and the Director of the Arizona Department of Homeland Security, in writing. If an Entity is required to notify more than 1,000 Arizona residents, the Entity shall also notify the three largest nationwide consumer reporting agencies.

Exceptions

  • Notification pursuant to laws, rules, regulations, guidance, or guidelines established by an Entity’s primary or functional state regulator is sufficient for compliance.
  • The provisions of this statute shall not apply to any Entity who is subject to the provisions of Title V of the Gramm-Leach-Bliley Act.
  • The provisions of the statute do not apply to a covered entity or business associate as defined under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), or a charitable fund-raising foundation or nonprofit corporation whose primary purpose is to support a specified covered entity, if they comply with applicable provisions of HIPAA.
  • Any Entity that maintains its own notification procedures as part of an information security policy for the treatment of PI and is otherwise consistent with the timing requirements of the statute shall be deemed to be in compliance with the notification requirements of the statute if the Entity notifies affected persons in accordance with its policies.

4. Arkansas

Requirements

An Entity to which the statute applies shall disclose any breach of the security of the system to any resident of Arkansas whose unencrypted PI was, or is reasonably believed to have been, acquired by an unauthorized person.

If the affected class of persons to be notified exceeds 1,000, the Entity must disclose the breach to the Attorney General. Notice must be provided at the same time the Entity notifies the affected class, or 45 days after it determines there is a reasonable likelihood of harm to individuals, whichever is first.

Exceptions

Any Entity that maintains its own notification procedures as part of an information security policy for the treatment of PI and is otherwise consistent with the timing requirements of the statute shall be deemed to be in compliance with the notification requirements of the statute if the Entity notifies affected persons in accordance with its policies in the event of a security breach.

5. California

Requirements

An Entity to which the statute applies shall disclose any breach of the security of the system following discovery or notification to any California resident whose unencrypted PI was, or is reasonably believed to have been, acquired by an unauthorized person.  

If an Entity is required to notify more than 500 CA residents, the Entity shall electronically submit a single sample copy of the notification, excluding any personally identifiable information, to the Attorney General.

Exceptions

A covered entity under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) will be deemed to have complied with the individual notice content requirements in this state law if it has complied with the individual notice content requirements in Section 13402(f) of the Health Information Technology for Economic and Clinical Health Act (HITECH).

6. Colorado

Requirements

An Entity that owns or licenses the affected PI shall, when it becomes aware of a breach of the security of the system, give notice as soon as possible to the affected Colorado resident.

If notice is provided to more than 500 Colorado residents, the Entity must provide notice to the Attorney General not later than 30 days after the date of determination that the breach occurred.

If an Entity is required to notify more than 1,000 Colorado residents, the Entity shall also notify, without unreasonable delay, all nationwide consumer reporting agencies of the anticipated date of the notification and the approximate number who are to be notified.

Exceptions

Any Entity that maintains its own notification procedures as part of an information security policy for the treatment of PI and whose procedures are otherwise consistent with the timing requirements of the statute shall be deemed to be in compliance with the notice requirements of the statute if the Entity notifies affected CO customers in accordance with its policies in the event of a breach of the security of the system.

Notification pursuant to laws, rules, regulations, guidance, or guidelines established by an Entity’s primary or functional state regulator is sufficient for compliance.

The provisions of this statute shall not apply to any Entity who is subject to Title V of the Gramm-Leach-Bliley Act.

7. Connecticut

Requirements

An Entity to which the statute applies shall disclose any breach of security following the discovery of the breach to any Connecticut resident whose PI was breached or is reasonably believed to have been breached.

Any Entity that is required under the statute to notify Connecticut residents of any breach of security shall provide notice of the breach of security to the Attorney General not later than the time notice is provided to the residents.

Exceptions

Notification pursuant to laws, rules, regulations, guidance, or guidelines established by an Entity’s primary or functional state regulator is sufficient for compliance.

Compliance with HIPAA and HITECH is deemed compliance with the statute, provided that the Entity provides notice to the state Attorney General no later than when notice is provided to residents.

8. Delaware

Requirements

An Entity to which the statute applies shall provide notice of any breach of security following determination of the breach of security to any resident of Delaware whose PI was breached or is reasonably believed to have been breached.

If the number of Delaware residents to be notified exceeds 500 residents, the Entity shall, not later than the time when notice is provided to the resident, also provide notice of the breach of security to the Attorney General.

Exceptions

An Entity is deemed in compliance with this chapter if it is regulated by state or federal law, including HIPAA or GLBA, and it maintains procedures for a breach of security pursuant to requirements established by its primary or functional state or federal regulator; and it notifies affected Delaware residents in accordance with the maintained procedures.

9. Florida

Requirements

An Entity must give notice to everyone in Florida whose PI was, or the Entity reasonably believes to have been, accessed because of the breach. The Entity must provide notice to the Department of Legal Affairs (Department) of any breach of security affecting 500 or more individuals in Florida. If notice is required to more than 1,000 Florida residents, the Entity shall also notify, without unreasonable delay, all nationwide consumer reporting agencies of the timing, distribution, and content of the notices.

Any third-party agent shall disclose to the Entity for which the information is maintained any breach of the security of the system as soon as practicable, but no later than 10 days following the determination of the breach or reason to believe the breach occurred.

Exceptions

Notification pursuant to laws, rules, regulations, guidance, or guidelines established by an Entity’s primary or functional state regulator is sufficient for compliance.

10. Georgia

Requirements

Any Entity that maintains computerized data that includes PI of individuals shall give notice of any breach of the security of the system following discovery or notification of the breach to any resident of Georgia whose unencrypted PI was, or is reasonably believed to have been, acquired by an unauthorized person.

In the event an Entity discovers circumstances requiring notification of more than 10,000 residents of Georgia at one time, the Entity shall also notify, without unreasonable delay, all nationwide consumer reporting agencies of the timing, distribution, and content of the notices.

Exceptions

Any Entity that maintains its own notification procedures as part of an information security policy for the treatment of PI and whose procedures are otherwise consistent with the timing requirements of the statute shall be deemed to be in compliance with the notification requirements of the statute if it notifies the individuals who are the subjects of the notice in accordance with its policies in the event of a breach of the security of the system.

11. Hawaii

Requirements

An Entity shall provide notice to the affected person of a security breach following discovery or notification of the breach. If more than 1,000 persons are notified at one time under this section, the business shall notify the State of Hawaii’s Office of Consumer Protection of the timing, content, and distribution of the notice.

A government agency shall submit a written report to the legislature within 20 days after discovery of a security breach at the government agency that details information relating to the nature of the breach, the number of individuals affected by the breach, a copy of the notice of security breach that was issued, the number of individuals to whom the notice was sent, whether the notice was delayed due to law enforcement considerations, and any procedures that have been implemented to prevent the breach from reoccurring.

Exceptions

A financial institution that is subject to and in compliance with the Federal Interagency Guidance Response Programs for Unauthorized Access to Customer Information and Customer Notice, issued on March 7, 2005, and any revisions, additions, or substitutions relating to said interagency guidance, shall be deemed to be in compliance.

A provider of health care, health care service plan, health insurer, or a covered entity governed by the medical privacy and security rules issued by the federal Department of Health and Human Services pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) shall be deemed in compliance with this chapter.

12. Idaho

Requirements

An Entity to which the statute applies shall give notice as soon as possible to the affected Idaho resident.

Exceptions

Any Entity that maintains its own notice procedures as part of an information security policy for the treatment of PI, and whose procedures are otherwise consistent with the timing requirements of the statute is deemed to be in compliance with the notice requirements if the Entity notifies affected Idaho residents in accordance with its policies in the event of a breach of the security of the system.

Notification pursuant to laws, rules, regulations, guidance, or guidelines established by an Entity’s primary or functional state regulator is sufficient for compliance.

13. Illinois

Requirements

Any Entity to which the statute applies shall notify the resident at no charge that there has been a breach following discovery or notification of the breach.

Any Entity required to notify more than 500 Illinois residents must provide notice to the Attorney General of the breach.

Exceptions

An Entity that maintains its own notification procedures as part of an information security policy for the treatment of PI and is otherwise consistent with the timing requirements of the statute, shall be deemed in compliance with the notification requirements of the statute if the Entity notifies subject persons in accordance with its policies in the event of a breach of the security of the system data.

Any Entity that is subject to and in compliance with the privacy and security standards under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) shall be deemed to be in compliance, provided that any Entity required to provide notification of a breach to the Secretary of Health and Human Services pursuant to HITECH also provides such notification to the Attorney General within 5 business days of notifying the Secretary.

14. Indiana

Requirements

An Entity shall disclose the breach to affected Indiana residents if the Entity knows, should know, or should have known that the unauthorized acquisition constituting the breach has resulted in or could result in identity deception (as defined in Ind. Code § 35-43-5-3.5), identity theft, or fraud affecting the Indiana resident.

If the Entity makes such a disclosure, the database owner shall also disclose the breach to the Attorney General.

An Entity required to make a disclosure to more than 1,000 consumers shall also disclose to all nationwide consumer reporting agencies that compile and maintain files on consumers on a nationwide basis information necessary to assist the consumer reporting agency in preventing fraud, including PI of an Indiana resident affected by the breach of the security of a system.

Exceptions

Any Entity that maintains its own disclosure procedures as part of an information privacy policy or a security policy is not required to make a separate disclosure under the statute if the Entity’s information privacy policy or security policy is at least as stringent as the disclosure requirements under the statute.

This section does not apply to an Entity that maintains its own data security procedures as part of an information privacy, security policy, or compliance plan under The Gramm-Leach-Bliley Act; The Health Insurance Portability and Accountability Act of 1996 (HIPAA); The USA Patriot Act (P.L. 107-56); Executive Order 13224; The Driver Privacy Protection Act (18 U.S.C. § 2781 et seq.); or The Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.).

15. Iowa

Requirements

An Entity to which the statute applies shall give notice of the breach of security following discovery, or receipt of notification of such breach, to any Iowa resident whose PI was included in the information that was breached.

An Entity required to notify more than 500 Iowa residents must give written notice, within 5 business days of giving notice to any consumer, to the director of the consumer protection division of the Attorney General’s office.

Exceptions

This statute does not apply to an Entity that complies with notification requirements or breach of security procedures that provide greater protection to PI and at least as thorough disclosure requirements than that provided by this section pursuant to the rules, regulations, procedures, guidance, or guidelines established by the Entity’s primary or functional federal regulator.

This statute does not apply to an Entity that complies with a state or federal law that provides greater protection to PI and at least as thorough disclosure requirements for a breach of security or PI than that provided by the statute.

This statute does not apply to an Entity that is subject to and complies with regulations promulgated pursuant to Title V of the Gramm-Leach-Bliley Act.

This statute does not apply to an Entity that is subject to and complies with the regulations promulgated pursuant to the Title II, subtitle F of the Health Insurance Portability and Accountability Act (HIPAA) and Title XIII, subtitle D of the Health Information Technology for Economic and Clinical Health Act (HITECH).

16. Kansas

Requirements

An Entity to which the statute applies shall, when it becomes aware of any breach of the security of the system, give notice as soon as possible to the affected Kansas resident.

In the event that an Entity must notify more than 1,000 consumers at one time, the Entity shall also notify, without unreasonable delay, all nationwide consumer reporting agencies of the timing, distribution, and content of the notices.

Exceptions

Notification pursuant to laws, rules, regulations, guidance, or guidelines established by an Entity’s primary or functional state or federal regulator is sufficient. An Entity that maintains its own notification procedures as part of an information security policy for the treatment of PI, and whose procedures are otherwise consistent with the timing requirements of the statute, is deemed to be in compliance with the notice requirements of the statute if the Entity notifies affected consumers in accordance with its policies.

17. Kentucky

Requirements

An Entity to which the statute applies must, upon discovery or notification of breach in the security system, notify any Kentucky resident whose unencrypted information was or is reasonably believed to have been acquired by an unauthorized person.

If an Entity is required by this section to notify more than 1,000 persons, the Entity shall also notify, without unreasonable delay, all nationwide consumer reporting agencies of the timing, distribution, and content of the notices.

Exceptions

An Entity that maintains its own notification procedures as part of an information security policy for the treatment of PI and is otherwise consistent with the timing requirements of this section, shall be deemed to be in compliance with the notification requirements of this section, if it notifies subject persons in accordance with its policies in the event of a breach of security of the system.

The provisions of this statute do not apply to any Entity subject to the provisions of Title V of the Gramm-Leach-Bliley Act or the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA).

This statute does not apply to any Kentucky agency, or any Kentucky local governments or political subdivisions. (But see KY Rev. Stat. §61.931 et seq.)

18. Louisiana

Requirements

An Entity shall notify any resident of the state whose PI was, or is reasonably believed to have been, acquired by an unauthorized person.

When notice to Louisiana citizens is required by the statute, the Entity shall provide written notice detailing the breach of the security of the system to the Consumer Protection Section of the Attorney General’s Office. Notice to the state Attorney General shall be timely if received within 10 days of distribution of notice to Louisiana citizens.

Exceptions

Any Entity that maintains notification procedures as part of its information security policy for the treatment of PI that are otherwise consistent with the timing requirements of the statute shall be deemed to be in compliance with the notification requirements of the statute if the Entity notifies the subject persons in accordance with the policy and procedures in the event of a breach of a security of the system.

A financial institution that is subject to and in compliance with the Federal Interagency Guidance Response Programs for Unauthorized Access to Consumer Information and Customer Notice, issued on March 7, 2005, and any revisions, additions, or substitutions relating to said interagency guidance, shall be deemed to be in compliance.

19. Maine

Requirements

An Entity shall give notice of the breach to a resident of Maine whose PI has been, or is reasonably believed to have been, acquired by an unauthorized person.

When notice of a breach of the security of the system is required, the Entity shall notify the appropriate state regulators within the Department of Professional and Financial Regulation, or if the Entity is not regulated by the Department, the state Attorney General.

If an Entity must notify more than 1,000 persons at a single time, the Entity shall also notify, without unreasonable delay, the nationwide consumer reporting agencies of the date of the breach, an estimate of the number of persons affected by the breach, if known, and the actual or anticipated date that persons were or will be notified of the breach.

Exceptions

An entity that complies with the security breach notification requirements of rules, regulations, procedures, or guidelines established pursuant to Maine or federal law is deemed to be in compliance with the requirements as long as the law, rules, regulations or guidelines provide for notification procedures at least as protective as the notification requirements outlined above.

20. Maryland

Requirements

An Entity that discovers or is notified of a breach of the security of the system, shall notify the individual of the breach.

Prior to giving the notification required under the statute, an Entity shall provide notice of a breach of the security of a system to the state Office of the Attorney General.

If an Entity must notify 1,000 or more individuals, the Entity also shall notify, without unreasonable delay, each consumer reporting agency that compiles and maintains files on consumers on a nationwide basis of the timing, distribution, and content of the notices.

Exceptions

An Entity that complies with the requirements for notification procedures under the rules, regulations, procedures, or guidelines established by the primary or functional federal or state regulator of the Entity shall be deemed to be in compliance with the statute.

An Entity or the affiliate of an Entity that is subject to and in compliance with the Gramm-Leach-Bliley Act, the federal Interagency Guidelines Establishing Information Security Standards, and the federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, and any revisions, additions, or substitutions, shall be deemed to be in compliance with this subtitle.

An Entity or affiliate of the Entity that is in compliance with the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) shall be deemed to be in compliance.

21. Massachusetts

Requirements

An Entity that owns or licenses the data shall provide notice to the affected residents, when the Entity knows or has reason to know of a breach of security, OR that the PI of such resident was acquired or used by an unauthorized person or used for an unauthorized purpose. When notice is provided to a Massachusetts resident, notice must be provided to both the state Attorney General and the director of Consumer Affairs and Business Regulation.

An Entity that maintains or stores, but does not own or license data that includes PI about a resident of Massachusetts, shall provide notice, as soon as practicable and without unreasonable delay, when such Entity knows or has reason to know of a breach of security or when the Entity knows or has reason to know that the PI of such resident was acquired or used by an unauthorized person or used for an unauthorized purpose, to the owner or licensor.

Exceptions

Notification pursuant to laws, rules, regulations, guidance, or guidelines established by an Entity’s primary or functional state or federal regulator is sufficient for compliance.

22. Michigan

Requirements

An Entity that owns or licenses data including Michigan residents shall provide notice of the breach to each resident of Michigan if the resident’s unencrypted and unredacted PI was accessed and acquired by an unauthorized person or the resident’s PI was accessed and acquired in encrypted form by a person with unauthorized access to the encryption key.

If an Entity notifies 1,000 or more Michigan residents, the Entity shall, after notifying those residents, notify each nationwide consumer reporting agency without unreasonable delay of the number and timing of notices that the person or agency provided to residents of this state.

Exceptions

This does not apply if the person or agency is subject to Title V of the Gramm-Leach-Bliley Act.

A financial institution that is subject to and in compliance with the Federal Interagency Guidance Response Programs for Unauthorized Access to Consumer Information and Customer Notice, issued on March 7, 2005, and any revisions, additions, or substitutions relating to said interagency guidance, shall be deemed to be in compliance.

A provider of health care, health care service plan, health insurer, or a covered entity governed by the medical privacy and security rules issued by the federal Department of Health and Human Services pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) shall be deemed in compliance with this chapter.

Entities subject to, or regulated under, Michigan’s insurance code are exempt from the state’s data breach notification statute and instead are governed by HB 6491/Public Act 690 of 2018, which went into effect January 20, 2021.

23. Minnesota

Requirements

An Entity to which the statute applies shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of Minnesota whose unencrypted PI was, or is reasonably believed to have been, acquired by an unauthorized person.

If an Entity notifies more than 500 persons at one time, the Entity shall also notify, within 48 hours, all nationwide consumer reporting agencies of the timing, distribution, and content of the notices.

Exceptions

An Entity that maintains its own notification procedures as part of an information security policy for the treatment of PI and whose procedures are otherwise consistent with the timing requirements of the statute, shall be deemed to be in compliance with the notification requirements of the statute, if the Entity notifies subject persons in accordance with its policies in the event of a breach of security of the system.

A provider of health care, health care service plan, health insurer, or a covered entity governed by the medical privacy and security rules issued by the federal Department of Health and Human Services pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) shall be deemed in compliance with this chapter.

24. Mississippi

Requirements

A person who conducts business in Mississippi shall disclose any breach of security to all affected individuals.

Exceptions

An Entity that maintains its own notification procedures as part of an information security policy for the treatment of PI and whose procedures are otherwise consistent with the timing requirements of the statute, shall be deemed to be in compliance with the notification requirements of the statute, if the Entity notifies subject persons in accordance with its policies in the event of a breach of security of the system.

Any person that maintains a security breach procedure pursuant to the rules, regulations, or guidelines established by the primary federal functional regulator shall be deemed to be in compliance with this section, provided the person notifies affected individuals in accordance with the policies or the rules, regulations, procedures, or guidelines.

25. Missouri

Requirements

Any Entity to which the statute applies shall provide notice to the affected consumer that there has been a breach of security. In the event an Entity notifies more than 1,000 consumers at one time pursuant to this section, the Entity shall notify, without unreasonable delay, all nationwide consumer reporting agencies of the timing, distribution, and content of the notice.

In the event an Entity provides notice to more than 1,000 consumers at one time pursuant to this section, the Entity shall notify, without unreasonable delay, the state Attorney General’s office of the timing, distribution, and content of the notice.

Exceptions

An Entity that maintains its own notice procedures as part of an information security policy for the treatment of PI, and whose procedures are otherwise consistent with the timing requirements of this section, is deemed to be in compliance with the notice requirements of this section if the Entity notifies affected consumers in accordance with its policies in the event of a breach of security of the system.

An Entity that is regulated by state or federal law and that maintains procedures for a breach of the security of the system pursuant to the laws, rules, regulations, guidance, or guidelines established by its primary or functional state or federal regulator is deemed to be in compliance with this section if the Entity notifies affected consumers in accordance with the maintained procedures when a breach occurs.

A financial institution that is subject to and in compliance with the Federal Interagency Guidance Response Programs for Unauthorized Access to Customer Information and Customer Notice, issued on March 29, 2005, and any revisions, additions, or substitutions relating to said interagency guidance shall be deemed in compliance.

A financial institution that is subject to and in compliance with National Credit Union Administration regulations in 12 C.F.R. Part 748, or subject to and in compliance with the provisions of Title V of the Gramm-Leach-Bliley Act, shall be deemed to be in compliance with this section.

26. Montana

Requirements

An Entity to which the statute applies shall disclose any breach of the security of the data system following discovery or notification of the breach to any resident of Montana whose unencrypted PI was or is reasonably believed to have been acquired by an unauthorized person.

Any Entity that is required to issue a notification shall simultaneously submit an electronic copy of the notification and a statement providing the date and method of distribution of the notification to the Attorney General’s Consumer Protection office. Insurance entities and support organizations must submit the above information to the Montana Insurance Commissioner.

Exceptions

An Entity that maintains its own notification procedures as part of an information security policy for the treatment of PI and that does not unreasonably delay notice is considered to be in compliance with the notification requirements of the statute if the Entity notifies subject persons in accordance with its policies in the event of a breach of security of the data system.

27. Nebraska

Requirements

Any Entity to which the statute applies shall, when it determines that the use of information about a Nebraska resident for an unauthorized purpose has occurred or is reasonably likely to occur, give notice to the affected Nebraska resident. If notice of a security breach to Nebraska residents is required, the Entity shall also, not later than the time when notice is provided to the Nebraska resident, provide notice of the breach of security of the system to the Attorney General.

Exceptions

An Entity that maintains its own notice procedures which are part of an information security policy for the treatment of PI and which are otherwise consistent with the timing requirements of the statute is deemed to be in compliance with the notice requirements of the statute if the Entity notifies affected Nebraska residents and the Attorney General in accordance with its notice procedures in the event of a breach of the security of the system.

An Entity that is regulated by state or federal law and that maintains procedures for a breach of the security of the system pursuant to the laws, rules, regulations, guidance, or guidelines established by its primary or functional state or federal regulator is deemed to be in compliance with the notice requirements of the statute if the Entity notifies affected Nebraska residents and the Attorney General in accordance with the maintained procedures in the event of a breach of the security of the system.

28. Nevada

Requirements

An Entity to which the statute applies shall disclose any breach of the security of the system data to any resident of Nevada whose unencrypted PI was, or is reasonably believed to have been, acquired by an unauthorized person.

If an Entity determines that notification is required to be given to more than 1,000 persons at any one time, the Entity shall also notify, without unreasonable delay, all nationwide consumer reporting agencies of the timing and content of the notice.

Exceptions

An Entity that maintains its own notification policies and procedures as part of an information security policy for the treatment of PI that is otherwise consistent with the timing requirements of the statute shall be deemed in compliance with the notification requirements of the statute if it notifies subject persons in accordance with its policies and procedures in the event of a security breach.

An Entity that is subject to and complies with the privacy and security provisions of the Gramm-Leach-Bliley Act shall be deemed to be in compliance with the notification requirements.

29. New Hampshire

Requirements

Any Entity to which the statute applies, when it determines that misuse of PI has occurred or is reasonably likely to occur, or if a determination cannot be made, shall notify the affected individuals.

If an Entity is required to notify more than 1,000 consumers, the Entity shall also notify, without unreasonable delay, all nationwide consumer reporting agencies of the timing, distribution, and content of the notice.

An Entity engaged in trade or commerce that is subject to New Hampshire Rev. Stat. § 358-A:3(I) shall also notify the regulator that has primary regulatory authority over such trade or commerce. All other Entities shall notify the state Attorney General. The notice shall include the anticipated date of the notice to the individuals and the approximate number of individuals in NH who will be notified.

Exceptions

This obligation does not apply to entities subject to Title V of the Gramm-Leach-Bliley Act.

An Entity engaged in trade or commerce that maintains procedures for security breach notification pursuant to laws, rules, regulations, guidance, or guidelines issued by a state or federal regulator shall be deemed to be in compliance with this subdivision if it acts in accordance with such laws, rules, regulations, guidance, or guidelines.

30. New Jersey

Requirements

An Entity to which the statute applies shall disclose any breach of security of computerized records following discovery or notification of the breach to any customer who is a resident of New Jersey whose PI was, or is reasonably believed to have been, accessed by an unauthorized person.

If an Entity discovers circumstances requiring notification pursuant to this section of more than 1,000 persons at one time, the Entity shall also notify, without unreasonable delay, all nationwide consumer reporting agencies of the timing, distribution, and content of the notices.

Any Entity required under this section to disclose a breach of security of a customer’s PI shall, prior to disclosure to the customer, report the breach of security and any information pertaining to the breach to the Division of State Police in the Department of Law and Public Safety for investigation or handling, which may include dissemination or referral to other appropriate law enforcement entities.

Exceptions

An Entity that maintains its own notification procedures as part of an information security policy for the treatment of PI and is otherwise consistent with the requirements of the statute, shall be deemed in compliance with the notification requirements of the statute if it notifies subject customers in accordance with its policies in the event of a breach of security of the system.

31. New Mexico

Requirements

An Entity to which the statute applies shall notify each New Mexico resident whose PI is reasonably believed to have been subject to a security breach. If more than 1,000 New Mexico residents are to be notified as a result of a single security breach, the Entity shall also notify major consumer reporting agencies in the most expedient time possible, and no later than 45 calendar days, except if delayed notification is permitted to determine the scope of the breach or for law enforcement investigation purposes.

If more than 1,000 New Mexico residents are to be notified as a result of a single security breach, the Entity shall also notify the Office of the Attorney General of the number of New Mexico residents that received notification, and shall provide a copy of the notification that was sent to affected residents, within 45 calendar days following discovery of the security breach, except if delayed notification is permitted to determine the scope of the breach or for law enforcement investigation purposes.

Exceptions

An Entity that maintains its own notice procedures as part of an information security policy for the treatment of PI, and whose procedures are otherwise consistent with the timing requirements of the statute is deemed to be in compliance if the Entity notifies affected consumers in accordance with its policies in the event of a security breach.

The statute does not apply to an Entity subject to the federal Gramm-Leach-Bliley Act or the federal Health Insurance Portability and Accountability Act of 1996.

32. New York

Requirements

Any Entity to which the statute applies shall disclose any breach of the security of the system, following discovery or notification of the breach, to any resident of New York whose private information was, or is reasonably believed to have been, accessed or acquired by a person without valid authorization. If more than 500 New York residents are affected, the Entity shall provide the written determination to the state Attorney General within ten days after the determination.

If more than 5,000 New York residents are to be notified at one time, the Entity shall also notify consumer reporting agencies as to the timing, content, and distribution of the notices and the approximate number of affected persons.

If any New York residents are to be notified, the Entity shall notify the state Attorney General, the department of state consumer protection board, and the division of state police as to the timing, content and distribution of the notices and approximate number of affected persons and shall provide a copy of the template notice sent to affected persons.

Exceptions

If notice of the breach of the security of the system is made pursuant to any of the following laws, nothing in this statute shall require separate notice to affected individuals, but notice must still be provided to the regulators noted above and the consumer reporting agencies.

  • Regulations promulgated pursuant to Title V of the federal Gramm-Leach-Bliley Act (GLBA)
  • Regulations implementing the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH)
  • Part 500 of Title 23 of the Code of the State of New York (NY DFS Cybersecurity Regulation)
  • Any other data security rules and regulations of, and the statutes administered by, any official department, division, commission, or agency of the federal or New York state government.

33. North Carolina

Requirements

Any Entity to which the statute applies shall provide notice to the affected person that there has been a security breach following discovery or notification of the breach. If an Entity provides notice to more than 1,000 persons at one time pursuant to this section, the Entity shall notify, without unreasonable delay, all nationwide consumer reporting agencies of the timing, distribution, and content of the notice. In the event a business provides notice to an affected person pursuant to this section, the business shall notify without unreasonable delay the Consumer Protection Division of the state Attorney General’s office.

Exceptions

A financial institution that is subject to and in compliance with the Federal Interagency Guidance Response Programs for Unauthorized Access to Consumer Information and Customer Notice shall be deemed to be in compliance.

34. North Dakota

Requirements

Any Entity to which the statute applies shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of North Dakota whose unencrypted PI was, or is reasonably believed to have been, acquired by an unauthorized person.

Any Entity that experiences a breach of the security system affecting more than 250 individuals shall disclose the breach to the Attorney General by mail or email.

Exceptions

An Entity that maintains its own notification procedures as part of an information security policy for the treatment of PI and is otherwise consistent with the timing requirements of this chapter is deemed to be in compliance with the notification requirements of this chapter if the Entity notifies subject individuals in accordance with its policies in the event of a breach of security of the system.

A financial institution, trust company, or credit union that is subject to, examined for, and in compliance with the Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice is deemed to be in compliance with this chapter.

A covered entity, business associate, or subcontractor that is subject to the breach notification requirements of HIPAA title 45 of the Code of Federal Regulations, part 164, subpart D, is considered to be in compliance with this chapter.

35. Ohio

Requirements

Any Entity to which the statute applies shall disclose any breach of the security of the system to any individual whose principal mailing address as reflected in the records of the Entity is in Ohio and whose PI was, or reasonably is believed to have been, accessed and acquired by an unauthorized person if the access and acquisition by the unauthorized person causes or reasonably is believed will cause a material risk of identity theft or other fraud to the resident.

If an Entity notifies more than 1,000 residents of Ohio, the Entity shall notify, without unreasonable delay, all nationwide consumer reporting agencies of the timing, distribution, and content of the notice. This requirement does not apply to HIPAA covered entities.

Exceptions

A financial institution, trust company, or credit union or any affiliate thereof that is required by federal law, including, but not limited to, any federal statute, regulation, regulatory guidance, or other regulatory action, to notify its customers of an information security breach with respect to information about those customers and that is subject to examination by its functional government regulatory agency for compliance with the applicable federal law, is exempt from the requirements of the statute.

36. Oklahoma

Requirements

Any Entity to which the statute applies shall disclose any breach of the security of the system to any resident of Oklahoma whose unencrypted and unredacted PI was or is reasonably believed to have been accessed and acquired by an unauthorized person and that causes, or the individual or entity reasonably believes has caused or will cause, identity theft or other fraud to any resident of Oklahoma.

Exceptions

An Entity that maintains its own notification procedures, as part of an information privacy or security policy for the treatment of PI, that are consistent with the timing requirements of the statute shall be deemed to be in compliance with the notification requirements of the statute if it notifies residents of Oklahoma in accordance with its procedures in the event of a breach of security of the system.

A financial institution that complies with the notification requirements prescribed by the Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice is deemed to be in compliance with the provisions of the statute.

An Entity that complies with the notification requirements or procedures pursuant to the rules, regulations, procedures, or guidelines established by the primary or functional federal regulator of the Entity shall be deemed to be in compliance with the provisions of the statute.

37. Oregon

Requirements

An Entity to which the statute applies shall give notice of the breach of security to any consumer to whom the PI pertains.

If an Entity notifies more than 1,000 individuals under this section, the Entity shall notify, without unreasonable delay, all nationwide consumer reporting agencies of the timing, distribution, and content of the notification. The Entity shall include the police report number, if available, in its notification to the consumer reporting agencies.

The Entity must provide notice to the Attorney General, either in writing or electronically, if the number of Oregon residents affected exceeds 250. The Entity shall disclose the breach of security to the Attorney General in the same manner as to consumers.

Exceptions

In each of the following cases, Oregon’s notification requirements do not apply, except that any person claiming one of these exemptions and notifying more than 250 Oregon residents must provide a copy of the individual notice and any notice to any primary or functional regulator, to the Oregon Attorney General:

  • Primary Regulator. PI that is subject to, and an Entity that complies with, the notification requirements or breach of security procedures that the Entity’s primary or functional federal regulator adopts, promulgates, or issues in rules, regulations, procedures, guidelines, or guidance.
  • Gramm-Leach-Bliley Act. An Entity that complies with regulations regarding notification requirements or breach of security procedures that provide greater protection to PI and at least as thorough disclosure requirements promulgated pursuant to Title V of the Gramm-Leach-Bliley Act.
  • HIPAA/HITECH. An Entity that complies with regulations promulgated under HIPAA or the HITECH Act.
  • More Restrictive State or Federal Law. An Entity that complies with a state or federal law that provides greater protection to PI and at least as thorough disclosure requirements for a breach of security of PI than that provided by this section.

38. Pennsylvania

Requirements

Any Entity to which the statute applies shall provide notice of any breach of the security of the system to any individual whose principal mailing address, as reflected in the computerized data that is maintained, stored, or managed by the Entity, is in Pennsylvania and whose unencrypted and unredacted PI was or is reasonably believed to have been accessed and acquired by an unauthorized person.

There is no generally applicable attorney general notification requirement, but multiple, different, very short deadlines apply to state agencies, their contractors, counties, municipalities, and schools. When an Entity provides notification under this act to more than 1,000 persons at one time, the Entity shall also notify, without unreasonable delay, all nationwide consumer reporting agencies of the timing, distribution, and number of notices.

Exceptions

An Entity that maintains its own notification procedures as part of an information privacy or security policy for the treatment of PI and is consistent with the notice requirements of this act shall be deemed to be in compliance with the notification requirements of this act if it notifies subject persons in accordance with its policies in the event of a breach of security.

An Entity that complies with the notification requirements or procedures pursuant to the rules, regulations, procedures, or guidelines established by the Entity’s primary or functional federal regulator shall be in compliance with this act.

A financial institution that complies with the notification requirements prescribed by the Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice is deemed to be in compliance with this act.

39. Rhode Island

Requirements

Any Entity to which the statute applies shall provide notification of any disclosure of PI, or any breach of the security of the system, that poses a significant risk of identity theft to any resident of Rhode Island whose unencrypted PI was, or is reasonably believed to have been, acquired by an unauthorized person or entity.

If more than 500 Rhode Island residents are to be notified, the Entity shall notify the Attorney General as to the timing, content, and distribution of the notices and the approximate number of affected individuals. State and municipal agencies must also report cybersecurity incidents to the Rhode Island state police within 24 hours.

In the event that more than 500 Rhode Island residents are to be notified, the Entity shall notify the major credit reporting agencies as to the timing, content, and distribution of the notices and the approximate number of affected individuals.

Exceptions

Any Entity that maintains its own security breach procedures as part of an information security policy for the treatment of PI and otherwise complies with the timing requirements of the statute shall be deemed to be in compliance with the security breach notification requirements, provided such Entity notifies subject persons in accordance with such Entity’s policies in the event of a breach of security.

Any Entity that maintains a security breach procedure pursuant to the rules, regulations, procedures, or guidelines established by the primary or functional regulator shall be deemed to be in compliance with the security breach notification requirements of this section, provided such Entity notifies subject persons in accordance with the policies or the rules, regulations, procedures, or guidelines established by the primary or functional regulator in the event of a breach of security of the system.

A financial institution, trust company, credit union, or its affiliates that is subject to and examined for and found in compliance with the Federal Interagency Guidelines on Response Programs for Unauthorized Access to Customer Information and Customer Notice shall be deemed in compliance with this chapter.

A provider of health care, health care service plan, health insurer, or a covered entity governed by the medical privacy and security rules issued by the federal Department of Health and Human Services pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) shall be deemed in compliance with this chapter.

40. South Carolina

Requirements

Any Entity to which the statute applies shall disclose a breach of the security of the system to a resident of South Carolina whose unencrypted and unredacted PI was, or is reasonably believed to have been, acquired by an unauthorized person when the illegal use of the information has occurred or is reasonably likely to occur, or use of the information creates a material risk of harm to the resident.

If an Entity provides notice to more than 1,000 persons at one time pursuant to the statute, the Entity shall notify, without unreasonable delay, all nationwide consumer reporting agencies of the timing, distribution, and content of the notice.

If an Entity provides notice to more than 1,000 South Carolina residents, the Entity shall notify, without unreasonable delay, the Consumer Protection Division of the Department of Consumer Affairs of the timing, distribution, and content of the notice.

Exceptions

An Entity that maintains its own notification procedures as part of an information security policy for the treatment of PI and is otherwise consistent with the timing requirements of the statute shall be deemed to be in compliance with the notification requirements of the statute if it notifies subject persons in accordance with its policies in the event of a breach of security of the system.

This section does not apply to a bank or financial institution that is subject to and in compliance with the privacy and security provisions of the Gramm-Leach-Bliley Act.

A financial institution that is subject to and in compliance with the federal Interagency Guidance Response Programs for Unauthorized Access to Consumer Information and Customer Notice, issued March 7, 2005, by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision, as amended, is considered to be in compliance with this section.

41. South Dakota

Requirements

Any Entity that discovers or is notified of a breach of system security must notify affected individuals. Notice is not required if, following appropriate investigation and notification to the Attorney General, the Entity reasonably believes the incident will not result in harm to affected individuals.

If the number of affected individuals exceeds 250 residents, the Entity must notify the Attorney General. The Entity must notify, without unreasonable delay, all nationwide consumer reporting agencies.

Exceptions

An Entity that maintains its own notification procedure as part of its information security policy, and the policy is consistent with the timing requirements of the Act, is considered in compliance with the notification requirements of this Act if it notifies affected persons in accordance with its internal policy.

An Entity subject to or regulated by federal laws, rules, regulations, procedures, or guidance (including the Gramm-Leach-Bliley Act and HIPAA) is considered in compliance with the Act as long as the Entity maintains procedures pursuant to the federal law requirements and provides notice to consumers pursuant to those requirements.

42. Tennessee

Requirements

Any Entity to which the statute applies shall disclose any breach of the security of the system to any resident of Tennessee whose PI was, or is reasonably believed to have been, acquired by an unauthorized person. “Unauthorized person” includes an employee of the Entity who is discovered by the Entity to have obtained personal information and intentionally used it for an unlawful purpose.

If an Entity is required to notify more than 1,000 persons at one time, the Entity shall also notify, without unreasonable delay, all consumer reporting agencies and credit bureaus that compile and maintain files on consumers on a nationwide basis of the timing, distribution, and content of the notices.

Exceptions

An Entity that maintains its own notification procedures as part of an information security policy for the treatment of PI and is otherwise consistent with the timing requirements of the statute shall be deemed to be in compliance with the notification requirements of the statute if it notifies subject persons in accordance with its policies in the event of a breach of security of the system.

The provisions of this statute shall not apply to any Entity that is subject to:

  • The provisions of Title V of the Gramm-Leach-Bliley Act; and/or
  • The Health Insurance Portability and Accountability Act of 1996 (HIPAA) (42 U.S.C. § 1320d), as expanded by the Health Information Technology for Clinical and Economic Health Act.

43. Texas

Requirements

An Entity to which the statute applies shall disclose any breach of system security to any person, including nonresidents, whose sensitive PI was, or is reasonably believed to have been, acquired by an unauthorized person.

Any Entity that is required to provide notification of a security breach to at least 250 Texas residents, shall notify the attorney general of that breach as soon as practicable and not later than 30 days after the Entity determines that a breach has occurred. If an Entity is required by this section to notify at one time more than 10,000 persons of a breach of system security, the Entity shall also notify, without unreasonable delay, all nationwide consumer reporting agencies of the timing, distribution, and content of the notices.

Exceptions

An Entity that maintains its own notification procedures as part of an information security policy for the treatment of sensitive PI that complies with the timing requirements for notice under this section complies with this section if the Entity notifies affected persons in accordance with that policy.

44. Utah

Requirements

If investigation reveals that the misuse of PI for identity theft or fraud has occurred, or is reasonably likely to occur, the Entity shall provide notification to each affected Utah resident.

If an Entity must notify 500 or more Utah residents, it must also notify the Office of the Attorney General, and the Utah Cyber Center. If an Entity must notify 1,000 or more UT residents, the Entity must also notify each nationwide consumer reporting agency.

Exceptions

If an Entity maintains its own notification procedures as part of an information security policy for the treatment of PI, the Entity is considered to be in compliance with this chapter’s notification requirements if the procedures are otherwise consistent with this chapter’s timing requirements and the Entity notifies each affected Utah resident in accordance with the Entity’s information security policy in the event of a breach.

An Entity that is regulated by state or federal law and maintains procedures for a breach of system security under applicable law established by the primary state or federal regulator is considered to be in compliance with this part if the Entity notifies each affected Utah resident in accordance with the other applicable law in the event of a breach. This chapter does not apply to a financial institution or affiliate of a financial institution, as defined in 15 U.S.C. § 6809.

45. Vermont

Requirements

An Entity shall notify affected individuals residing in Vermont that there has been a security breach following discovery or notification to the Entity of the breach. In the event an Entity is required to provide notice to more than 1,000 residents of Vermont at one time, the Entity shall notify, without unreasonable delay, all nationwide consumer reporting agencies of the timing, distribution, and content of the notice.

An Entity shall notify the Attorney General or Department of Financial Regulation of any breach within 14 business days of the date the Entity discovers the breach or the date the Entity provides notice to consumers, whichever is sooner.

Exceptions

This shall not apply to a person who is licensed or registered under Title 8 by the Department of Banking, Insurance, Securities, and Health Care Administration.

A financial institution that is subject to the following guidance, and any revisions, additions, or substitutions relating to said interagency guidance shall be exempt from this section: The Federal Interagency Guidance Response Programs for Unauthorized Access to Consumer Information and Customer Notice, issued on March 7, 2005, or Final Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice, issued on April 14, 2005.

A data collector that is subject to the privacy, security, and breach notification rules adopted pursuant to the federal Health Insurance Portability and Accountability Act (HIPAA) is deemed to be in compliance with this subchapter if the data collector experiences a security breach that is limited to health records or records of a wellness program or similar program of health promotion or disease prevention, a health care professional’s medical diagnosis or treatment of the consumer, or a health insurance policy number; and the data collector provides notice to affected consumers pursuant to the requirements of the HIPAA breach notification rule.

46. Virginia

Requirements

An Entity to which the statute applies shall disclose any breach of the security of the system to any affected resident of Virginia.

In the event an Entity provides notice to more than 1,000 persons at one time pursuant to the general security breach section, the Entity shall notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 U.S.C. Section 1682(a)(p), of the timing, distribution, and content of the notice.

The state AG must be notified whenever any Virginia residents are notified under the criteria above. In the event an Entity provides notice to more than 1,000 persons at one time pursuant to this section, the individual or entity shall notify, without unreasonable delay, the state Attorney General of the timing, distribution, and content of the notice.

For health information, the Entity must also notify the Commissioner of Health.

Employers or payroll service providers that own or license computerized data relating to state income tax withheld must notify the Attorney General of unauthorized access and acquisition of unencrypted and unredacted computerized data containing a taxpayer identification number in combination with the income tax withheld for that taxpayer that compromises the confidentiality of such data and that creates a reasonable belief that an unencrypted and unredacted version of such information was accessed and acquired by an unauthorized person, and causes, or the employer or payroll provider reasonably believes has caused or will cause, identity theft or other fraud. For employers, the notification obligation applies only to information regarding its employees (not customers or other non-employees).

Exceptions

An Entity that maintains its own notification procedures as part of an information privacy or security policy for the treatment of PI that are consistent with the timing requirements of this section shall be deemed to be in compliance with the notification requirements of this section if it notifies residents of VA in accordance with its procedures in the event of a breach of the security of the system.

An entity that is subject to Title V of the Gramm-Leach-Bliley Act and maintains procedures for notification of a breach of the security of the system in accordance with the provision of that Act and any rules, regulations, or guidelines promulgated thereto shall be deemed to be in compliance with this section.

An entity that complies with the notification requirements or procedures pursuant to the rules, regulations, procedures, or guidelines established by the entity’s primary or functional state or federal regulator shall be in compliance with this section.

The notification requirements for incidents involving medical information do not apply to (i) a “covered entity” or “business associate” subject to requirements for notification in the case of a breach of protected health information or (ii) a person or entity who is a non–HIPAA-covered entity subject to the Health Breach Notification Rule promulgated by the Federal Trade Commission pursuant to 42 U.S.C. § 17937 et seq.

47. Washington

Requirements

Any Entity to which the statute applies shall disclose any breach of the security of the system to any resident of Washington whose PI was, or is reasonably believed to have been, acquired by an unauthorized person and the PI was not “secured” (i.e., encrypted in a manner that meets or exceeds the National Institute of Standards and Technology (NIST) standard or is otherwise modified so that the PI is rendered unreadable, unusable, or undecipherable by an unauthorized person).

Any Entity that is required to issue a notification to more than 500 Washington residents as a result of a single breach shall, by the time notice is provided to affected consumers, electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General.

Exceptions

A financial institution under the authority of the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, the National Credit Union Administration, or the Federal Reserve system is deemed to have complied with respect to “sensitive customer information” as defined in the interagency guidelines establishing information security standards, 12 C.F.R. Part 30, Appendix B, 12 C.F.R. Part 208, Appendix D-2, 12 C.F.R. Part 225, Appendix F, and 12 C.F.R. Part 364, Appendix B, and 12 C.F.R. Part 748, Appendices A and B, if the financial institution provides notice to affected consumers pursuant to the interagency guidelines and the notice complies with the customer notice provisions of the interagency guidelines establishing information security standards and the interagency guidance on response programs for unauthorized access to customer information and customer notice under 12 C.F.R. Part 364 as it existed on the effective date of this section. The entity shall comply with the Attorney General notification requirements here in addition to providing notice to its primary federal regulator.

A covered entity under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is deemed to have complied with respect to protected health information if it has complied with section 13402 of the federal Health Information Technology for Economic and Clinical Health Act, Public Law 111-5. Covered entities must notify the Attorney General in compliance with the timeliness of notification requirements of the aforementioned section 13402, notwithstanding the timing of notification requirements here.

An Entity that maintains its own notification procedures as part of an information security policy for the treatment of PI and is otherwise consistent with the timing requirements of this section is in compliance with the notification requirements of this section if the Entity notifies subject persons in accordance with its policies in the event of a breach of security.

48. West Virginia

Requirements

Any Entity to which the statute applies shall give notice of any breach of the security of the system to any resident of West Virginia whose unencrypted and unredacted PI was or is reasonably believed to have been accessed and acquired by an unauthorized person and that causes, or the individual or entity reasonably believes has caused or will cause, identity theft or other fraud to any resident of West Virginia.

If an Entity is required to notify more than 1,000 persons of a breach of security pursuant to this article, the Entity shall also notify, without unreasonable delay, all nationwide consumer reporting agencies of the timing, distribution, and content of the notices. Nothing in this subsection shall be construed to require the entity to provide to the consumer reporting agency the names or other PI of breach notice recipients.

Exceptions

An Entity that maintains its own notification procedures as part of an information privacy or security policy for the treatment of PI that are consistent with the timing requirements of this article shall be deemed to be in compliance with the notification requirements of this article if the Entity notifies residents of West Virginia in accordance with its procedures in the event of a breach of security of the system.

A financial institution that responds in accordance with the notification guidelines prescribed by the Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice is deemed to be in compliance with this article.

An Entity that complies with the notification requirements or procedures pursuant to the rules, regulation, procedures, or guidelines established by the Entity’s primary or functional regulator shall be in compliance with this article.

49. Wisconsin

Requirements

Any Entity to which the statute applies shall make reasonable efforts to notify each subject of the PI. If, as the result of a single incident, an Entity is required to notify 1,000 or more individuals that PI pertaining to the individuals has been acquired, the Entity shall without unreasonable delay notify all nationwide consumer reporting agencies of the timing, distribution, and content of the notices sent to the individuals.

Exceptions

An Entity that is subject to, and in compliance with, the privacy and security requirements of Title V of the Gramm-Leach-Bliley Act, or a person that has a contractual obligation to such an Entity, if the Entity or person has in effect a policy concerning breaches of information security.

A health plan, health care clearinghouse, or health care provider who transmits any health information in electronic form, if the Entity complies with the requirements of 45 C.F.R. pt. 164.

50. Wyoming

Requirements

Any Entity to which the statute applies shall, when it becomes aware of a breach of the security of the system, conduct in good faith a reasonable and prompt investigation to determine the likelihood that PI has been or will be misused.

If the investigation determines that the misuse of PI about a Wyoming resident has occurred or is reasonably likely to occur, the Entity shall give notice as soon as possible to the affected Wyoming resident.

Exceptions

Any financial institution as defined in 15 U.S.C. § 6809 or federal credit union as defined by 12 U.S.C. § 1752 that maintains notification procedures subject to the requirements of 15 U.S.C. § 6801(b)(3) and 12 C.F.R. pt. 364 App. B or pt. 748 App. B, is deemed to be in compliance with the statute if the financial institution notifies affected Wyoming customers in compliance with the requirements of 15 U.S.C. § 6801 through 6809 and 12 C.F.R. pt. 364 App. B or pt. 748 App. B.

A covered entity or business associate that is subject to and complies with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the regulations promulgated under that Act, 45 C.F.R. Parts 160 and 164, is deemed to be in compliance if the covered entity or business associate notifies affected Wyoming customers or entities in compliance with the requirements of HIPAA and 45 C.F.R. Parts 160 and 164.

For in-depth information regarding reporting requirements, and to read the whole article, please see the following link.
