Privacy, Security and Data Protection

LEADERSHIP: Sharon R. Klein

Breach Notification Statutes

Privacy, Security and Data Protection Data Breach Notification Timelines Map

 

Attorney General (AG) / State Agency Notice Requirements

| State | Statute | Who to Notify | When to Notify |
|---|---|---|---|
| Alaska | Alaska Stat. § 45.48.010(c) | Attorney General | At time of notice to residents |
| California | Cal. Civ. Code §§ 1798.29(e); 1798.82(f) | Attorney General | When 500 or more residents are involved |
| | California Health and Safety Code Section 1280.15 | California Dept. of Health and Human Services | When medical records are involved: 15 business days of unauthorized access to medical information |
| Connecticut | Conn. Gen. Stat. § 36a-701b(b)(2)(A) | Attorney General | Not later than the time when notice is provided to the resident |
| | Conn. Ins. Dept. Bulletin IC-25 (Aug. 18, 2010) | Insurance Commissioner | For insurance licensees and registrants: As soon as the incident is identified, but no later than 5 calendar days after incident is identified |
| Florida | Fla. Stat. § 501.171(3) | Dept. of Legal Affairs | As expeditiously as possible, but no later than 30 days after the determination of the breach or reason to believe a breach occurred involving 500 or more |
| Hawaii | Haw. Rev. Stat. § 487N-2(f) | Office of Consumer Protection | Without unreasonable delay when more than 1,000 persons are involved |
| | Haw. Rev. Stat. § 487N-4 | State Legislature | For government agency: Within 20 days after discovery of breach |
| Idaho | Idaho Code § 28-51-105(1) | Attorney General; may also have reporting requirements to Office of Chief Information Officer pursuant to state policies | For public agency: Within 24 hours of discovering breach |
| Illinois | 815 Ill. Comp. Stat. 530/12 | Attorney General | For state agency: Earlier of 45 days of discovering breach or when providing notice to consumers involving 250 residents |
| | 815 Ill. Comp. Stat. 530/25 | General Assembly, plus annual report | For state agency: Within 5 days of discovery or notification of breach of data or written material |
| Indiana | Ind. Code § 24-4.9-3-1(c) | Attorney General | When notice is provided to resident |
| Iowa | Iowa Code § 715C.2(8) | Director of the Consumer Protection Division of Attorney General’s Office | Within 5 business days after notifying any consumer when more than 500 residents are involved |
| Louisiana | La. Admin. Code tit. 16:III.701 | Consumer Protection Section of Attorney General’s Office | Within 10 days of notification to citizens |
| Maine | Me. Rev. Stat. tit. 10 § 1348(5) | Appropriate state regulators within the Department of Professional and Financial Regulation, or if not regulated by the Department, the Attorney General | When notice is provided to resident |
| Maryland | Md. Code, Com. Law § 14-3504(h) | Attorney General | Prior to notifying resident |
| Massachusetts | Mass. Gen. Laws ch. 93H, § 3(b) | Attorney General and Director of Consumer Affairs and Business Regulation | As soon as practicable and without unreasonable delay |
| Missouri | Mo. Rev. Stat. § 407.1500(8) | Attorney General | Without unreasonable delay when more than 1,000 consumers are involved |
| Montana | Mont. Code § 30-14-1704(8) | Attorney General’s Consumer Protection Office | Simultaneously with notice to residents |
| | Mont. Code § 33-19-321(5) | Commissioner of Insurance | For insurance licensees and support organizations: Simultaneously with notice to any individual |
| Nebraska | Neb. Rev. Stat. § 87-803(1) | Attorney General | Not later than when notice is provided to resident |
| New Hampshire | N.H. Rev. Stat. § 359-C:20(I)(b) | Attorney General, except to regulator with primary regulatory authority if engaged in trade or commerce subject to N.H. Rev. Stat. § 358-A:3(I) | As quickly as possible, after the determination that misuse of information has or is likely to occur, or if a determination cannot be made |
| New Jersey | N.J. Stat. § 56:8-163(c)(1) | Division of State Police in the Department of Law and Public Safety | In advance of disclosure to resident |
| New Mexico | 2017 H.B. 15, Chap. 36 (effective 6/16/2017) | New Mexico Attorney General | When 1,000 New Mexico residents are affected by a data breach |
| New York | N.Y. Gen. Bus. § 899-aa(8)(a) | Attorney General, Department of State and the Division of State Police | Without delaying notice to affected residents |
| | N.Y. State Tech. § 208(7)(a) | Attorney General, Department of State and the State Office of Information Technology Services | For state entity: Without delaying notice to affected residents |
| | 23 NYCRR § 500.17 (2017) | NY Dept. of Financial Services | For entities regulated by NYDFS: Notify the superintendent as promptly as possible but in no event later than 72 hours from a determination that a cybersecurity event has occurred |
| North Carolina | N.C. Gen. Stat. § 75-65(e1) | Consumer Protection Division of Attorney General’s Office | Without unreasonable delay |
| North Dakota | N.D. Cent. Code § 51-30-02 | Attorney General | In the most expedient time possible and without unreasonable delay when involvement exceeds 250 individuals |
| Oregon | Or. Rev. Stat. § 646A.604(1)(b) | Attorney General | In the most expeditious manner possible, without unreasonable delay when involvement exceeds 250 consumers |
| Puerto Rico | P.R. Laws tit. 10, § 4052 | Department of Consumer Affairs (which will make public announcement within 24 hours) | Within 10 days after violation detected |
| | P.R. Laws tit. 10, § 4054a | Government agency or public corporation shall notify the Citizen’s Advocate Office | |
| Rhode Island | R.I. Gen. Laws § 11-49.3-4(a)(2) | Attorney General | Without delaying notice to affected residents when more than 500 residents involved |
| South Carolina | S.C. Code Ann. § 39-1-90(K) | Consumer Protection Division of the Department of Consumer Affairs | Without unreasonable delay when more than 1,000 persons involved |
| Vermont | Vt. Stat. tit. 9, § 2435(b)(3) | Attorney General, except to the Department of Financial Regulation if regulated by the Department | Within 14 business days of discovering breach or when notice is provided to consumers, whichever is sooner |
| | | | Notice to Attorney General prior to notifying consumers, if data collector swore in writing to Attorney General, prior to breach, that it had policies and procedures re: PII |
| | | | If date of breach is not known at the time notice is sent to the Attorney General or to the Department, the Attorney General or Department must be notified as soon as known |
| Virginia | Va. Code § 18.2-186.6(B), (E) | Attorney General (add’l requirements for notice to more than 1,000 persons) | Without unreasonable delay |
| | Va. Code § 32.1-127.1:05(B), (E) | Attorney General and Commissioner of Health (add’l requirements for notice to more than 1,000 persons) | For medical information: Without unreasonable delay |
| Washington | Wash. Rev. Code §§ 19.255.010(10), (11), (15), (16); 42.56.590(10), (14), (15) | Attorney General (in addition to notifications required by medical and financial regulations) | In the most expedient time possible and without unreasonable delay, no more than 45 calendar days after the breach was discovered (unless HITECH applies) and by the time notice is provided to affected consumers when involving more than 500 residents |
| | Wash. Admin. Code § 284-04-625 | Insurance Commissioner | For insurance licensees: Within 2 business days after determining notification must be sent to consumers or customers in compliance with Wash. Rev. Code § 19.255.010 and 45 C.F.R. 164 |

Specific Timeframes for Notice - Residents

| State | Timeframe for Notice to Residents |
|---|---|
| California | 15 business days for medical records (California Health and Safety Code Section 1280.15) |
| Connecticut | 90 days after discovery of breach (Conn. Gen. Stat. § 36a-701b(b)(1)) |
| Florida | 30 days after the determination of a breach or reason to believe a breach occurred (Fla. Stat. § 501.171(4)) |
| Maine | After investigation and no more than 7 business days after law enforcement determines notification will not compromise investigation (Me. Rev. Stat. tit. 10 § 1348(3)) |
| New Mexico | In the most expedient time possible, but not later than 45 calendar days following discovery of the security breach (2017 H.B. 15, Chap. 36 (effective 6/16/2017)) |
| Ohio | 45 days after discovery or notification of breach (Ohio Rev. Code § 1349.19(B)(2)) |
| Rhode Island | 45 calendar days after confirmation of the breach and the ability to ascertain the information required to fulfill the notice requirements (R.I. Gen. Laws § 11-49.3-4(a)(2)) |
| Tennessee | Immediately, but no later than 45 days from the discovery or notification of the breach (Tenn. Code Ann. § 47-18-2107(b)) |
| Vermont | 45 days after the discovery or notification (Vt. Stat. tit. 9, § 2435(b)(1)) |
| Washington | 45 calendar days after the breach was discovered (Wash. Rev. Code §§ 19.255.010(16); 42.56.590(15)) |
| Wisconsin | 45 days after the entity learns of the acquisition of personal information (Wis. Stat. § 134.98(3)(a)) |