Cyber Risk – Security Breach Notification Statutes
Security breaches are making headlines the world over, with high-profile companies, including Target, Home Depot, LinkedIn, and Sony Pictures Entertainment, suffering crippling attacks over the past few years. Such breaches may be devastating to a business’ reputation. A breach may also trigger important legal obligations under state and federal statutes. Nearly every state has enacted legislation governing a business’ obligation to notify an individual that his or her personal information may have been subject to a security breach. These laws are commonly referred to as “security breach” or “data breach” notification statutes. Fortunately, the expanding cyber liability insurance market offers insurance policies to cover the first-party and third-party expenses arising out of a security breach, including notification expenses. This survey examines several key, common issues with respect to state security breach notification laws. Below is an explanation of each column in the survey:
Who Must Comply
This column identifies who must comply with the statute. A majority of states provide that a “maintainer” of personal information is not required to provide notice to an impacted individual. Rather, a maintainer is charged with notifying the “owner” or “licensor,” and the “owner” or “licensor” must notify the impacted individual. Please consult the specific statute for the definition and responsibilities of a “maintainer.”
What is Personal Information
This column uses icons to define the phrase “personal information.” Please consult our key on the next page for the meaning of each icon.
Notification Required Beyond Affected Individual
Every state with a notification statute requires that an individual impacted by the breach be notified. This column identifies whether there are any additional notice obligations.
When Must Notification Be Given
This column identifies when the notice obligation is triggered: when the security breach is discovered, or when there is a reasonable belief that “personal information” was acquired by an unauthorized person. This column also identifies the timeframe in which the impacted individual must be notified. A majority of states provide that notice may be delayed if a law enforcement agency determines that notification will impede a criminal investigation; notification shall typically be made after the law enforcement agency determines that notice will not compromise an investigation. A significant minority of states provide that if an entity conducts a good-faith investigation and determines there is not a reasonable likelihood of harm to the consumer, then notification is not required. Typically, the determination must be: (1) in writing, (2) maintained for a statutorily prescribed period of time, and (3) made in conjunction with local, state, and federal law enforcement agencies. Please consult the specific state statute for detailed requirements.
Private Cause of Action
This column identifies whether a law expressly provides an impacted individual with a private cause of action for an entity’s failure to comply with the notification requirements.
Fines and Penalties
This column identifies whether the statute allows for fines and/or penalties to be assessed for failure to comply with the statute’s notification requirements.
KEY TO PERSONAL INFORMATION
- General Professional Information: Individual’s name + one of the following: Social Security number, driver’s license number, state issued identification number, and information sufficient to access financial accounts (i.e., personal identification number “PIN,” debit or credit card number, bank account number, account password, etc.)
- Abbreviated Terms:
- AG = State Attorney General
- PI = Personal Information
State | Authority | Who Must Comply | What is Personal Information? | Notification Required Beyond Affected Individual | When Must Notification Be Given: | Private Cause of Action | Fines & Penalties | |
Following: | Within: | |||||||
Alabama |
No Statute | |||||||
Alaska |
Alaska Stat. § 45.48.010, et seq. |
Persons doing business, person with more
than 10 employees, and
gov’t agencies who:
|
|
Yes: if over 1,000 residents, notify national consumer reporting agencies | Discovery of a breach | Most expeditious time possible and without unreasonable delay | Yes |
|
Arizona |
Ariz. Rev. Stat. § 44-7501 |
Individuals, businesses,
and gov’t entities who:
|
|
No | Investigation and reasonable likelihood of breach | Most expedient manner and without unreasonable delay | Statute silent |
|
Arkansas |
Ark. Code § 4-110-101, et seq. |
Individuals, businesses,
and gov’t agencies who:
|
|
No | Reasonable belief that PI was acquired by unauthorized person | Most expedient manner and without unreasonable delay | Statute silent | AG may bring suit under Deceptive Trade Practices Act (Ark. Code § 4-88-101 et seq.) |
California |
Cal. Civ. Code § 1798.29; § 1798.80, et seq. |
Persons and businesses who:
|
|
Yes: if over 500 residents, provide copy of sample notification to AG | Reasonable belief that PI was acquired by unauthorized person | Most expedient manner and without unreasonable delay | Yes |
|
Colorado |
Colo. Rev. Stat. § 6-1-716 |
Individuals and businesses who:
|
|
Yes: if over 1,000 residents, notify national consumer reporting agencies | Investigation and reasonable likelihood of misuse of PI | Most expedient time possible and without unreasonable delay | Statute silent | AG may bring action in law or equity to address violations of statute |
Connecticut |
Conn. Gen. Stat. § 36a-701b |
Individuals, businesses,
and gov’t agencies who:
|
|
Yes: simultaneously give notice to AG | Reasonable belief that PI was acquired by unauthorized person |
Without unreasonable delay. Note: See Bulletin IC-25 for provisions that apply to registrants and licensees of the CT Insurance Dept. |
Statute silent | Failure to comply with statute constitutes an unfair trade practice under Conn. Gen. Stat. § 42-110b and is enforceable by AG |
Delaware |
Del. Code tit. 6 § 12B-101, et seq. |
Individuals, businesses,
and gov’t agencies who:
|
|
No | Investigation to determine likelihood that PI was or will be misused | Most expedient time possible and without unreasonable delay | Statute silent | AG may bring an action in law or equity for violations of statute and may recover direct economic damages or “other relief that may be appropriate to ensure proper compliance,” or both |
District of Columbia |
D.C. Code § 28-3851, et seq |
Persons and entities
who:
|
|
Yes: if over 1,000 residents, notify national consumer reporting agencies | Discovery of a breach | Most expedient manner and without unreasonable delay | Yes |
|
Florida |
Fla. Stat. § 501.171 |
Businesses and gov’t
entities who:
|
|
Yes: if over 500 residents, notify FL Dept. of Legal Affairs (within 30 days) and if over 1,000 residents, notify national consumer reporting agencies | Reasonable belief that PI was accessed as a result of a breach | 30 days of determination of breach (may be given additional 15 days if good cause is shown) | No |
|
Georgia |
Ga. Code § 10-1-910, et seq |
Persons, entities, and
certain gov’t agencies
who: • Maintain PI. Note: for regulations specifically concerned with requirements of telephone records and a telecommunication company's obligations, see Ga. Code § 46-5-214 |
|
Yes: if over 10,000 residents, notify national consumer reporting agencies | A breach where residents’ unencrypted PI was, or is reasonably believed to have been, acquired by an unauthorized person | Most expedient time possible and without unreasonable delay | Statute silent | Statute silent |
Hawaii |
Haw. Rev.
Stat. § 487N-1, et seq |
Businesses and gov’t
agencies who:
|
|
Yes: if over 1,000 residents, notify Hawai‘i Office of Consumer Protection and national consumer reporting agencies (Gov’t agency does not have to notify consumer reporting agencies) | After breach where illegal use of PI has occurred, or is reasonably like | Without unreasonable delay | No |
|
Idaho |
Idaho Code
Ann. § 28-51-104, et seq |
Individuals, commercial
entities, and gov’t agencies who:
|
|
Yes: when agency becomes aware of a breach notify AG within 24 hours | Investigation to determine the likelihood that PI has been or will be misused | Most expedient time possible and without unreasonable delay | Statute silent |
|
Illinois |
815 Ill. Comp. Stat. § 530/5, et seq |
Businesses and gov’t
agencies who:
|
|
Yes: if over 1,000 residents, notify national consumer reporting agencies | Discovery of breach where PI was or is reasonably believed to be acquired by unauthorized person | Without unreasonable delay | Statute silent | Statute silent |
Indiana |
Individuals: Ind. Code § 24-4.9-1-1, et seq |
Individuals and businesses who:
|
|
Yes: notify AG and if over 1,000 residents, notify national consumer reporting agencies | Breach where unencrypted PI was or may have been acquired by unauthorized person or encrypted PI was or may have been acquired by an unauthorized person with access to the encryption key | Without unreasonable delay | No |
|
Gov’t Agencies: Ind. Code § 4-1-11-1, et seq |
Gov’t agencies who:
|
|
Yes: if over 1,000 residents, notify national consumer reporting agencies | Discovery of breach where PI was or is reasonably believed to be acquired by unauthorized person | Without unreasonable delay | Statute silent | Statute silent | |
Iowa |
Iowa Code § 715C.1, et seq |
Individuals, businesses,
and gov’t agencies who:
|
|
Yes: if over 500 residents, notify the Director of Consumer Protection Division of the Office of AG within 5 business days of giving notice to resident | Discovery of a breach | Most expeditious manner possible and without unreasonable delay | Statute silent | Any violation of the statute is an unlawful practice (Iowa Code § 714.16) and AG may seek damages and equitable relief pursuant to Iowa Code § 714.16(7), including a civil penalty not to exceed $40,000 |
Kansas |
Kan. Stat.
Ann. § 50-7a01, et seq |
Individuals, businesses,
and gov’t agencies who:
|
|
Yes: if over 1,000 residents, notify national consumer reporting agencies | An investigation to determine likelihood that PI has been or will be misused | Most expedient time possible and without unreasonable delay | Statute silent |
|
Kentucky |
Individuals: Ky. Rev. Stat. Ann. § 365.732 |
Persons and businesses who:
|
|
Yes: if over 1,000 residents, notify national consumer reporting agencies | Breach where PI was, or is reasonably believed to have been, acquired by an unauthorized person | Most expedient time possible and without unreasonable delay | Statute Silent | Statute silent |
Gov’t Agencies: Ky. Rev. Stat. Ann. § 61.933 |
Gov’t agencies who:
|
|
Yes: within 72 hours notify: Commissioner of the KY State Police, Auditor of Public Accounts, and AG. If over 1,000 residents notify national consumer reporting agencies. See statute for additional requirements for individual agencies |
Investigation to determine reasonable likelihood of misuse of PI |
|
No | AG’s office may bring an action in the Franklin Circuit Court against an agency or a nonaffiliated third party that is not an agency, or both, for injunctive relief, and for other legal remedies to enforce the statute | |
Louisiana |
La. Stat.
Ann. § 51:3071, et seq.; La. Admin. Code tit. 16, pt. III, § 701 |
Individuals, businesses,
and gov’t agencies who:
|
|
Yes: notify the Consumer Protection Section of AG’s Office within 10 days of notifying residents | Discovery of a breach that has reasonably resulted in unauthorized acquisition of and access to PI | Most expedient time possible and without unreasonable delay | Yes |
|
Maine |
Me. Stat. tit. 10 § 1346, et seq. |
Individuals, businesses,
gov’t agencies, and information brokers who:
|
|
Yes: notify appropriate state regulator within Dept. of Professional and Financial Regulation (if not regulated by the Dept. then give notice to AG). If over 1,000 persons, notify national consumer reporting agencies | Investigation to determine the likelihood that PI has been or will be misused | As expediently as possible and without unreasonable delay | Statute silent |
|
Maryland |
Individuals: Md. Code, Com. Law § 14-3501, et seq. |
Businesses who:
|
|
Yes: notify AG (before notifying residents and even if investigation deems notification unnecessary) and if over 1,000 residents, notify national consumer reporting agencies | Investigation to determine the likelihood that PI has been or will be misused | Without unreasonable delay | Yes | A violation of the statute is an unfair or deceptive trade practice and is subject to enforcement and penalties provided in Md. Code Commercial Law § 13-301 et seq |
Gov't Agencies: Md. Code, State Gov't. § 10-1305, et seq |
Gov’t agency, department, board, commission, authority, public
institution of higher education, public corporation unit or instrumentality of the State, or any political subdivision of
the State who:
|
|
Yes: notify Office of the AG and the Dept. of Information Technology; if 1,000 or more individuals, also notify national consumer reporting agencies | An investigation to determine whether the unauthorized acquisition of PI has resulted or is likely to result in the misuse of the information | As soon as reasonably practicable after investigation | Statute Silent | Statute silent |
Massachusetts |
Mass. Gen. Laws ch. 93H, § 1 et seq.; 201 Mass. Code Regs. 17.01, et seq |
Individuals, businesses,
and gov’t agencies who:
|
|
Yes: notify AG and Director of Consumer Affairs & Business Reg. If executive dep’t breach, notify Information Technology Division of Public Records | When a person or agency (1) knows or has reason to know of a breach of security or (2) knows or has reason to know that PI was acquired or used by an unauthorized person or used for an unauthorized purpose | As soon as practicable and without unreasonable delay | Statute silent |
|
Michigan |
Mich. Comp.
Laws § 445.63; § 445.72 |
Individuals, businesses,
and gov’t agencies who:
|
|
Yes: if over 1,000 residents, notify national consumer reporting agencies | Discovery of a breach | Without unreasonable delay | Statute silent |
|
Minnesota |
Individuals: Minn. Stat. § 325E.61 |
Persons and businesses:
|
|
Yes: if over 500 residents, notify national consumer reporting agencies | Discovery of a breach | Most expedient time possible and without unreasonable delay | Statute silent | AG has enforcement powers |
Gov’t Agencies: Minn. Stat. § 13.01; § 13.05, et seq |
Gov’t agencies who:
|
See statute for
definitions of:
|
Yes: if over 1,000 residents, notify national consumer reporting agencies. Note: Eventually affected individual must be given a copy of the report detailing the breach |
Discovery of the breach where private confidential data was, or is reasonably believed to have been, acquired by an unauthorized person | Most expedient time possible and without unreasonable delay | Yes |
|
|
Mississippi |
Miss. Code
Ann. § 75-24-29 |
Individuals and businesses who:
|
|
No | Breach of security, where there is an unauthorized acquisition of PI that has not been rendered unreadable or unusable | Without unreasonable delay | No | Failure to comply with the statute constitutes an unfair practice and shall be enforced by AG |
Missouri |
Mo. Rev.
Stat.
§ 407.1500 |
Individuals, businesses,
and gov’t agencies who:
|
|
Yes: if over 1,000 residents, notify AG and national consumer reporting agencies | Unauthorized access to and unauthorized acquisition of PI that compromises the security, confidentiality, or integrity of the PI | Without unreasonable delay | No | AG has exclusive authority to bring an action for actual damages for a willful and knowing violation and may seek a civil penalty not to exceed $150,000 per security breach or series of breaches of a similar nature (discovered in a single investigation) |
Montana |
Individuals: Mont. Code Ann. § 30-14-1701, et seq. |
Individuals and businesses who:
|
|
No | Discovery of a breach, where unencrypted PI was or is reasonably believed to have been acquired by an unauthorized person | Without unreasonable delay | Statute silent | Statute silent |
Gov't Agencies: Mont. Code Ann. § 2-6-501 |
State agencies or third
parties on behalf of
state agencies who:
|
|
Yes: simultaneously when issuing notification to affected individuals, send notification to AG’s consumer protection office | Discovery or notification of a breach, where PI was or was reasonably believed to have been acquired by an unauthorized person | Without unreasonable delay | Statute silent | Statute silent |
Nebraska |
Neb. Rev. Stat. § 87-801, et seq. |
Individuals, businesses,
and gov’t agencies who:
|
|
No | An investigation and determination that PI was used, or is reasonably likely to be used, for an unauthorized purpose | As soon as possible and without unreasonable delay | Statute silent | AG may issue subpoenas and seek and recover direct economic damages for each affected resident injured by a violation of the statute |
Nevada |
Neb. Rev. Stat. § 87-801, et seq |
Individuals, businesses,
and gov’t agencies who:
|
|
Yes: if over 1,000 residents, notify national consumer reporting agencies | Breach of security where unencrypted PI was, or is reasonably believed to have been, acquired by an unauthorized person | Most expedient time possible and without unreasonable delay | Statute silent | AG or a district attorney may bring an action to obtain a temporary or permanent injunction against a person who violates, proposes to violate, or has violated the statute |
New Hampshire |
N.H. Rev.
Stat. § 359-C:19, et seq |
Individuals, businesses,
and gov’t agencies who:
|
|
Yes: notify the regulator who has primary authority over the specific trade/commerce (all others notify AG’s office) and if over 1,000 residents, notify national consumer reporting agencies | A determination of the likelihood that PI has been or will be misused | As soon as possible | Yes |
|
New Jersey |
N.J. Rev.
Stat. § 56:8-161; § 56:8-163 |
Businesses and gov’t
agencies who:
|
|
Yes: notify Division of State Police in the Dept. of Law and Public Safety and if over 1,000 residents, notify national consumer reporting agencies | Discovery of a breach, where a resident’s PI was, or is reasonably believed to have been, accessed by an unauthorized person | Most expedient time possible and without unreasonable delay | Statute silent but see Holmes v. Countrywide Fin. Corp., 5:08-CV00205-R, 2012 WL 2873892 (W.D. Ky. July 12, 2012). |
|
New Mexico |
No statute | |||||||
New York |
N.Y. Gen. Bus. Law § 899-aa; N.Y. State Tech. Law § 208 |
|
|
Yes: notify AG, Dept. of State, and Division of State Police. If over 5,000 residents, notify national consumer reporting agencies | Any breach of a security system where PI was, or is reasonably believed to have been, acquired by a person without valid authorization | Most expedient time possible and without unreasonable delay | Statute silent |
|
North Carolina |
N.C. Gen.
Stat. § 75-61; § 75-65 |
Businesses who:
|
|
Yes: notify Consumer Protection Division of AG’s Office and if over 1,000 persons, notify national consumer reporting agencies | Discovery of a breach | Without unreasonable delay | Yes |
|
North Dakota |
N.D. Cent.
Code § 51-30-01, et seq. |
Persons who:
|
|
No | Discovery of a breach where PI was, or is reasonably believed to have been, acquired by an unauthorized person | Most expedient time possible and without unreasonable delay | Statute silent |
|
Ohio |
Individuals:
Ohio Rev.
Code
§ 1349.19 |
Individuals and businesses who:
|
|
No | Discovery of a breach where PI was, or is reasonably believed to have been, accessed and acquired by an unauthorized person, where there is a reasonable belief of a material risk of identity theft or other fraud | Most expedient time possible but not later than 45 days following discovery of the breach | Statute silent | AG has investigative powers and right to bring a civil action against any person who fails to comply with the statute |
Gov't Agencies: Ohio
Rev. Code § 1347.12 |
Any state agency or
agency of a political
subdivision who:
|
|
No | Discovery of any breach where PI was, or is reasonably believed to have been accessed and acquired by an unauthorized person if the access and acquisition by the unauthorized person causes or reasonably is believed to cause a material risk of identity theft or other fraud to a resident of this state | Most expedient time possible but not later than 45 days following discovery of the breach | Statute silent | AG, pursuant to Ohio Rev. Code §§ 1349.191 and 1349.192, may conduct an investigation and bring a civil action upon an alleged failure by a state agency or agency of a political subdivision to comply with the requirements of this section | |
Oklahoma |
Individuals: Okla. Stat. tit. 24, § 161, et seq. |
Individuals, businesses,
and gov’t agencies who:
|
|
No | Discovery of a breach where unencrypted and unredacted PI was or is reasonably believed to have been accessed and acquired by an unauthorized person and there is a reasonable belief identity theft or fraud has occurred or will occur | Without unreasonable delay | Statute silent |
|
Gov't Agencies: Okla. Stat. § 74-3113.1 |
Any state agency or
agency of a political
subdivision.
|
|
No | Discovery or notification of the breach or is reasonably believed to have been acquired by an unauthorized person. | In the most expedient time possible without unreasonable delay, consistent with the legitimate needs of law enforcement. | Statute silent | Statute Silent | |
Oregon |
Rev.
Stat. § 46A.600; § 46A.602; § 46A.604; § 46A.624; § 46A.626 |
Individuals, businesses,
and gov’t agencies who:
|
|
Yes: if over 1,000 residents, notify national consumer reporting agencies | Discovery of a breach, i.e., an unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of PI | Most expeditious time possible and without unreasonable delay |
Possibly, see Or. Rev. Stat. § 646A.624(4) |
|
Pennsylvania |
73 Pa. Stat. § 2301, et seq |
Individuals, businesses,
and gov’t agencies who:
|
|
Yes: if over 1,000 persons, notify national consumer reporting agencies | Discovery of a security breach, where unencrypted and unredacted PI was or is reasonably believed to have been accessed and acquired by an unauthorized person | Without unreasonable delay | Statute silent | A violation of the statute is an unfair or deceptive act or practice and AG has exclusive authority to bring an action |
Rhode Island |
11 R.I. Gen.
Laws
§ 11-49.2-1, et seq |
Individuals, businesses,
and gov’t agencies who:
|
|
No | Discovery of a breach where PI is reasonably believed to have been acquired by an unauthorized person | Most expedient time possible but no later than 45 days after the confirmation of the breach | Statute silent |
|
South Carolina |
S.C. Code
Ann. § 39-1-90 |
Persons who:
|
|
Yes: if over 1,000 residents, notify Consumer Protection Division of the Dept. of Consumer Affairs and national consumer reporting agencies | Discovery of a breach where PI was, or is reasonably believed to have been, acquired by an unauthorized person and there is a material risk of harm to the resident | Most expedient time possible and without unreasonable delay | Yes | A person who knowingly and willfully violates the statute is subject to a $1,000 administrative fine for each resident whose information was accessible by reason of the breach, with the total amount decided by the Dept. of Consumer Affairs |
South Dakota |
No statute | |||||||
Tennessee |
Tenn. Code
Ann. § 47-18-2107 |
Individuals, businesses,
and gov’t agencies who:
|
|
Yes: if over 1,000 persons, notify national consumer reporting agencies | Discovery of a breach where PI is reasonably believed to have been acquired by an unauthorized person | Immediately but no later than 45 days following the discovery or notification to covered entity of a security breach | Yes | Violations fall under the Tennessee Consumer Protection Act and are an unfair or deceptive act |
Texas |
Tex. Bus. &
Com. Code § 521.002; § 521.053; § 521.151 |
Persons who:
|
|
Yes: if over 10,000 persons, notify national consumer reporting agencies | Discovery of a breach, where PI was, or is reasonably believed to have been, acquired by an unauthorized person | As quickly as possible | Statute silent |
|
Utah |
Utah Code § 13-44-101; § 13-44-202; § 13-44-301 |
Persons who:
|
|
Yes: if over 1,000 residents, notify national consumer reporting agencies | A prompt investigation | With the most expedient time possible and without unreasonable delay, but not later than 45 days after discovery of the breach or notification from a third party | Statute silent | Dept. of Financial Regulation, AG, and the state's attorney have sole and full authority to investigate potential violations and to enforce, prosecute, obtain, and impose remedies |
Vermont |
Vt. Stat. Ann. tit. 9 § 2430; § 2435 |
Businesses and gov’t
agencies who:
|
|
Yes: if over 1,000 residents, notify national consumer reporting agencies | A prompt investigation | With the most expedient time possible and without unreasonable delay, but not later than 45 days after discovery of the breach or notification from a third party | Statute silent | Dept. of Financial Regulation, AG, and the state's attorney have sole and full authority to investigate potential violations and to enforce, prosecute, obtain, and impose remedies |
Virginia |
Va. Code
Ann. § 18.2-186.6 |
Individuals, businesses,
and gov’t agencies who:
|
|
Yes: if over 1,000 persons, notify AG and national consumer reporting agencies | A reasonable belief that unencrypted or unredacted PI was accessed and acquired by an unauthorized person which causes, or the individual or entity reasonably believes will cause, identity theft or fraud | Without unreasonable delay | Yes | AG may impose a civil penalty not to exceed $150,000 per breach of the security of the system or a series of breaches of a similar nature that are discovered in a single investigation |
Va. Code
Ann. § 32.1-127.1:05 |
Gov’t agencies who:
|
See Va. Code § 32.1-127.1:05 |
Yes: notify AG and Commissioner of Health. | If unencrypted or unredacted medical information was or is reasonably believed to have been accessed and acquired by an unauthorized person | Without unreasonable delay | Statute silent | Statute silent | |
Washington |
Individuals: Wash. Rev. Code § 19.255.010, et seq |
Persons and businesses who:
|
|
No | Discovery of a breach | Most expedient time possible and without unreasonable delay | Yes | Any business that violates, proposes to violate, or has violated the statute may be enjoined |
Gov't agencies: Wash. Rev. Code § 42.56.590, et seq |
Gov’t agencies who:
|
|
Yes: if more than 500 persons, must notify the AG | Following discovery or notification of a breach | Most expedient time possible and without unreasonable delay, no more than 45 days after the breach was discovered | Yes | Any agency that violates or proposes to violate this section may be enjoined | |
West Virginia |
W. Va. Code § 46A-2A101, et seq |
Individuals, businesses,
and gov’t agencies who:
|
|
Yes: if over 1,000 persons, notify national consumer reporting agencies | Discovery of a breach, where unencrypted and unredacted PI was or is reasonably believed to have been accessed and acquired by an unauthorized person and is reasonably likely to lead to identity theft or fraud | Without unreasonable delay | Statute silent |
|
Wisconsin |
Wis. Stat. § 134.98 |
Businesses who:
|
|
Yes: if over 1,000 persons, notify national consumer reporting agencies | Business’ knowledge that PI, in its possession, has been acquired by an unauthorized person | A reasonable time not to exceed 45 days | Statute silent | Statute silent |
Wyoming |
Wyo. Stat.
Ann. § 40-12-501, et seq. |
Individuals and commercial entities who:
|
|
No | An investigation to determine the likelihood that PI has been or will be misused | As soon as possible, in the most expedient time possible and without unreasonable delay | Statute silent | AG may bring an action in law or equity to address any violation and for other relief that may be appropriate to ensure proper compliance, to recover damages, or both |
Disclaimer: This survey is current as of 5/2018. This material is made available for general informational purposes only. The field of insurance law is ever-evolving, and courts may change their views at any time. Readers are advised to independently verify the information contained herein. This material is not intended to, and does not constitute, legal advice, nor is it intended to constitute a solicitation for the formation of an attorney-client relationship.
For more information or questions on cyber risk strategies, please contact us at coverage@sdvlaw.com.