
Privacy, Security and Data Protection

LEADERSHIP: Sharon R. Klein

Breach Notification Statutes

Privacy, Security and Data Protection Group State Breach Notification Map

 

Attorney General (AG) / State Agency Notice Requirements

State

Statute

Who to Notify

When to Notify

Alabama
Statute: S.B. 318 (Effective May 1, 2018)
Who to Notify: Attorney General
When to Notify: As expeditiously as possible and without unreasonable delay, within 45 days after discovery of the breach when more than 1,000 residents involved (as of May 1, 2018)

Alaska
Statute: Alaska Stat. § 45.48.010(c)
Who to Notify: Attorney General
When to Notify: At time of notice to residents

Arizona
Statute: Arizona Rev. Stat. Section 18-551
Who to Notify: Attorney General
When to Notify: If the breach requires notification to more than 1,000 individuals, notification must also be made to the Attorney General within 45 days of determining that a breach has occurred

California
Statute: Cal. Civ. Code §§ 1798.29(e); 1798.82(f)
Statute: California Health and Safety Code Section 1280.15
Who to Notify: Attorney General
Who to Notify: California Dept. of Health and Human Services
When to Notify: When 500 or more residents are involved
When to Notify: When medical records are involved: 15 business days of unauthorized access to medical information

Colorado
Statute: C.R.S.A. § 6-1-713
Who to Notify: Attorney General
When to Notify: Not later than 30 days after determination of the breach when 500 or more Colorado residents are affected (as of Sept. 1, 2018)

Connecticut
Statute: Conn. Gen. Stat. § 36a-701b(b)(2)(A)
Statute: Conn. Ins. Dept. Bulletin IC-25 (Aug. 18, 2010)
Who to Notify: Attorney General
Who to Notify: Insurance Commissioner
When to Notify: Not later than the time when notice is provided to the resident
When to Notify: For insurance licensees and registrants: As soon as the incident is identified, but no later than 5 calendar days after incident is identified

Delaware
Statute: Del. Code Ann. tit. 6 § 12B-102(d)
Who to Notify: Attorney General
When to Notify: Not later than the time notice is provided to resident when more than 500 persons are to be notified

Florida
Statute: Fla. Stat. § 501.171(3)
Who to Notify: Dept. of Legal Affairs
When to Notify: As expeditiously as possible, but no later than 30 days after the determination of the breach or reason to believe a breach occurred involving 500 or more

Hawaii
Statute: Haw. Rev. Stat. § 487N-2(f)
Statute: Haw. Rev. Stat. § 487N-4
Who to Notify: Office of Consumer Protection
Who to Notify: State Legislature
When to Notify: Without unreasonable delay when more than 1,000 persons are involved
When to Notify: For government agency: Within 20 days after discovery of breach

Idaho
Statute: Idaho Code § 28-51-105(1)
Who to Notify: Attorney General; may also have reporting requirements to Office of Chief Information Officer pursuant to state policies
When to Notify: For public agency: Within 24 hours of discovering breach

Illinois
Statute: 815 Ill. Comp. Stat. 530/12
Statute: 815 Ill. Comp. Stat. 530/25
Who to Notify: Attorney General
Who to Notify: General Assembly, plus annual report
When to Notify: For state agency: Earlier of 45 days of discovering breach or when providing notice to consumers involving 250 residents
When to Notify: For state agency: Within 5 days of discovery or notification of breach of data or written material

Indiana
Statute: Ind. Code § 24-4.9-3-1(c)
Who to Notify: Attorney General
When to Notify: When notice is provided to resident

Iowa
Statute: Iowa Code § 715C.2(8)
Who to Notify: Director of the Consumer Protection Division of Attorney General’s Office
When to Notify: Within 5 business days after notifying any consumer when more than 500 residents are involved

Louisiana
Statute: La. Admin. Code tit. 16:III.701
Who to Notify: Consumer Protection Section of Attorney General’s Office
Who to Notify: Attorney General, if (i) law enforcement determines that notification would impede a criminal investigation, or (ii) entity determines that “measures are necessary to determine the scope of the breach, prevent further disclosures and restore the reasonable integrity of the system.”
When to Notify: Within 10 days of notification to citizens
When to Notify: Within 60 days after discovery of breach

Maine
Statute: Me. Rev. Stat. tit. 10 § 1348(5)
Who to Notify: Appropriate state regulators within the Department of Professional and Financial Regulation, or if not regulated by the Department, the Attorney General
When to Notify: When notice is provided to resident

Maryland
Statute: Md. Code, Com. Law § 14-3504(h)
Who to Notify: Attorney General
When to Notify: Prior to notifying resident

Massachusetts
Statute: Mass. Gen. Laws ch. 93H, § 3(b)
Who to Notify: Attorney General and Director of Consumer Affairs and Business Regulation
When to Notify: As soon as practicable and without unreasonable delay

Missouri
Statute: Mo. Rev. Stat. § 407.1500(8)
Who to Notify: Attorney General
When to Notify: Without unreasonable delay when more than 1,000 consumers are involved

Montana
Statute: Mont. Code § 30-14-1704(8)
Statute: Mont. Code § 33-19-321(5)
Who to Notify: Attorney General’s Consumer Protection Office
Who to Notify: Commissioner of Insurance
When to Notify: Simultaneously with notice to residents
When to Notify: For insurance licensees and support organizations: Simultaneously with notice to any individual

Nebraska
Statute: Neb. Rev. Stat. § 87-803(1)
Who to Notify: Attorney General
When to Notify: Not later than when notice is provided to resident

New Hampshire
Statute: N.H. Rev. Stat. § 359-C:20(I)(b)
Who to Notify: Attorney General, except to regulator with primary regulatory authority if engaged in trade or commerce subject to N.H. Rev. Stat. § 358-A:3(I)
When to Notify: As quickly as possible, after the determination that misuse of information has or is likely to occur, or if a determination cannot be made

New Jersey
Statute: N.J. Stat. § 56:8-163(c)(1)
Who to Notify: Division of State Police in the Department of Law and Public Safety
When to Notify: In advance of disclosure to resident

New Mexico
Statute: 2017 H.B. 15, Chap. 36 (effective 6/16/2017)
Who to Notify: New Mexico Attorney General
When to Notify: Within 45 days after discovery when 1,000 New Mexico residents are affected by a data breach

New York
Statute: N.Y. Gen. Bus. § 899-aa(8)(a)
Statute: N.Y. State Tech. § 208(7)(a)
Statute: 23 NYCRR § 500.17 (2017)
Who to Notify: Attorney General, Department of State and the Division of State Police
Who to Notify: Attorney General, Department of State and the State Office of Information Technology Services
Who to Notify: NY Dept. of Financial Services
When to Notify: Without delaying notice to affected residents
When to Notify: For state entity: Without delaying notice to affected residents
When to Notify: For entities regulated by NYDFS: Notify the superintendent as promptly as possible but in no event later than 72 hours from a determination that a cybersecurity event has occurred

North Carolina
Statute: N.C. Gen. Stat. § 75-65(e1)
Who to Notify: Consumer Protection Division of Attorney General’s Office
When to Notify: Without unreasonable delay

North Dakota
Statute: N.D. Cent. Code § 51-30-02
Who to Notify: Attorney General
When to Notify: In the most expedient time possible and without unreasonable delay when involvement exceeds 250 individuals

Oregon
Statute: Or. Rev. Stat. § 646A.604(1)(b)
Who to Notify: Attorney General
When to Notify: In the most expeditious manner possible but not later than 45 days after discovery of the breach

Puerto Rico
Statute: P.R. Laws tit. 10, § 4052
Statute: P.R. Laws tit. 10, § 4054a
Who to Notify: Department of Consumer Affairs (which will make public announcement within 24 hours)
Who to Notify: Government agency or public corporation shall notify the Citizen’s Advocate Office
When to Notify: Within 10 days after violation detected

Rhode Island
Statute: R.I. Gen. Laws § 11-49.3-4(a)(2)
Who to Notify: Attorney General
When to Notify: Without delaying notice to affected residents when more than 500 residents involved

South Carolina
Statute: S.C. Code Ann. § 39-1-90(K)
Who to Notify: Consumer Protection Division of the Department of Consumer Affairs
When to Notify: Without unreasonable delay when more than 1,000 persons involved

South Dakota
Statute: S.B. 62 (Effective July 1, 2018)
Who to Notify: Attorney General
When to Notify: Not later than 60 days after discovery of the breach when more than 250 residents involved (as of July 1, 2018)

Vermont
Statute: Vt. Stat. tit. 9, § 2435(b)(3)
Who to Notify: Attorney General, except to the Department of Financial Regulation if regulated by the Department
When to Notify: Within 14 business days of discovering breach or when notice is provided to consumers, whichever is sooner
When to Notify: Notice to Attorney General prior to notifying consumers, if data collector swore in writing to Attorney General, prior to breach, that it had policies and procedures re: PII
When to Notify: If date of breach is not known at the time notice is sent to the Attorney General or to the Department, the Attorney General or Department must be notified as soon as known

Virginia
Statute: Va. Code § 18.2-186.6(B), (E)
Statute: Va. Code § 32.1-127.1:05(B), (E)
Who to Notify: Attorney General (add’l requirements for notice to more than 1,000 persons)
Who to Notify: Attorney General and Commissioner of Health (add’l requirements for notice to more than 1,000 persons)
When to Notify: Without unreasonable delay
When to Notify: For medical information: Without unreasonable delay

Washington
Statute: Wash. Rev. Code §§ 19.255.010(10), (11), (15), (16); 42.56.590(10), (14), (15)
Statute: Wash. Admin. Code § 284-04-625
Who to Notify: Attorney General (in addition to notifications required by medical and financial regulations)
Who to Notify: Insurance Commissioner
When to Notify: In the most expedient time possible and without unreasonable delay, no more than 45 calendar days after the breach was discovered (unless HITECH applies) and by the time notice is provided to affected consumers when involving more than 500 residents
When to Notify: For insurance licensees: Within 2 business days after determining notification must be sent to consumers or customers in compliance with Wash. Rev. Code § 19.255.010 and 45 C.F.R. 164

 

Specific Timeframes for Notice - Residents

Alabama

Within 45 days after determination that the breach has occurred. (S.B. 318 (Effective May 1, 2018))

California

15 business days for medical records (California Health and Safety Code Section 1280.15)

Colorado

30 days after discovery of breach (C.R.S.A. § 6-1-713) (as of Sept. 1, 2018)

Connecticut

90 days after discovery of breach (Conn. Gen. Stat. § 36a-701b(b)(1))

Delaware

60 days after determination of the breach (Del. Code Ann. tit. 6 § 12B-102(c))

Florida

30 days after the determination of a breach or reason to believe a breach occurred (Fla. Stat. § 501.171(4))

Louisiana

60 days after discovery of breach (La. Rev. Stat. Ann. § 3074(E)) (as of August 1, 2018)

Maine

After investigation and no more than 7 business days after law enforcement determines notification will not compromise investigation (Me. Rev. Stat. tit. 10 § 1348(3))

Maryland

45 days after conclusion of the investigation (Md. Code Ann. Com. Law § 14-3504(b)(3))

New Mexico

In the most expedient time possible, but not later than 45 calendar days following discovery of the security breach (2017 H.B. 15, Chap. 36 (effective 6/16/2017))

Ohio

45 days after discovery or notification of breach (Ohio Rev. Code § 1349.19(B)(2))

Oregon

45 days after discovery of the breach (Or. Rev. Stat. § 646A.604(1)(b))

Rhode Island

45 calendar days after confirmation of the breach and the ability to ascertain the information required to fulfill the notice requirements (R.I. Gen. Laws § 11-49.3-4(a)(2))

South Dakota

60 days after discovery of the breach (S.B. 62 (as of July 1, 2018))

Tennessee

Immediately, but no later than 45 days from the discovery or notification of the breach (Tenn. Code Ann. § 47-18-2107(b))

Vermont

45 days after the discovery or notification (Vt. Stat. tit. 9, § 2435(b)(1))

Washington

45 calendar days after the breach was discovered (Wash. Rev. Code §§ 19.255.010(16); 42.56.590(15))

Wisconsin

45 days after the entity learns of the acquisition of personal information (Wis. Stat. § 134.98(3)(a))

 
