| Type of Data Covered | Deadline for Notification | Government Notice |
|---|---|---|
| Electronic. | As quickly as possible, but no later than 60 days after breach is determined. | Yes, if 250 or more residents are notified. |

| Provision | Details |
|---|---|
| Subject Entities | Applies to individuals, businesses, and other entities that own, license, or maintain personal information. Certain entities may be exempted from particular or all provisions of the law. |
| Definition of Personal Information | An individual’s first name or first initial and last name, in combination with the following data elements if not encrypted: Information that identifies an individual and relates to: |
| Definition of Breach | Unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information, excluding certain good faith acquisitions. |
| Type of Data Covered | Electronic. |
| Encryption Safe Harbor | Statute does not apply to encrypted information if the encryption key was not accessed or acquired. |
| Risk of Harm Analysis | Notification is not dependent on risk of harm to the consumer. |
| Consumer Notice Requirements | Timing: Must be made without unreasonable delay, but no later than sixty (60) days after discovery of the breach, consistent with measures necessary to determine the scope of the breach and restore the reasonable integrity of the system. Method: By written notice, or electronic notice, if consistent with the provisions regarding electronic records and signatures set forth in E-SIGN. Substitute notice is also available under certain circumstances. |
| Government Notice Requirements | If 250 or more residents are notified, must also notify the Attorney General no later than sixty days after discovery of the breach. Notification must include: |
| Substitute Notice Requirements | Substitute notice may be provided if the cost of providing notice would exceed $250,000, the affected class to be notified exceeds 500,000, or the entity does not have sufficient contact information. Substitute notice may be given by the following: |
| Delayed Notice Requirements | Notification may be delayed if law enforcement determines that notice will impede a criminal investigation. |
| Third Party Notice Requirements | If personal information is maintained on behalf of another entity, must notify the owner or licensee immediately following discovery of a breach. |
| Consumer Reporting Agency Obligations | If more than 10,000 persons are notified, the entity must notify the nationwide consumer reporting agencies without unreasonable delay of the timing, distribution, and content of the notices. |
| Potential Penalties | Violations may result in civil penalties, including penalties to the state of between $2,000 and $50,000 per violation. In addition, failure to comply with the notification provisions may result in civil penalties of up to $100 for each individual for whom notification is due for each day that the affected entity fails to take reasonable action to comply with such notification provisions. The Attorney General can bring enforcement actions under the statute to recover civil penalties, obtain injunctive relief, and recover attorneys’ fees and costs. Violations are also considered deceptive trade practices. |

Last updated: January 2024