(A) An agency of this State owning or licensing computerized data or other data that includes personal identifying information shall disclose a breach of the security of the system following discovery or notification of the breach in the security of the data to a resident of this State whose unencrypted and unredacted personal identifying information was, or is reasonably believed to have been, acquired by an unauthorized person when the illegal use of the information has occurred or is reasonably likely to occur or use of the information creates a material risk of harm to the resident. The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection (C), or with measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
(B) An agency maintaining computerized data or other data that includes personal identifying information that the agency does not own shall notify the owner or licensee of the information of a breach of the security of the data immediately following discovery, if the personal identifying information was, or is reasonably believed to have been, acquired by an unauthorized person.
(C) The notification required by this section may be delayed if a law enforcement agency determines that the notification impedes a criminal investigation. The notification required by this section must be made after the law enforcement agency determines that it no longer compromises the investigation.
(D) For purposes of this section:
(1) "Agency" means any agency, department, board, commission, committee, or institution of higher learning of the State or a political subdivision of it.
(2) "Breach of the security of the system" means unauthorized access to and acquisition of computerized data that was not rendered unusable through encryption, redaction, or other methods that compromise the security, confidentiality, or integrity of personal identifying information maintained by the agency, when illegal use of the information has occurred or is reasonably likely to occur or use of the information creates a material risk of harm to the consumer. Good faith acquisition of personal identifying information by an employee or agent of the agency for the purposes of the agency is not a breach of the security of the system if the personal identifying information is not used or subject to further unauthorized disclosure.
(3) "Personal identifying information" has the same meaning as "personal identifying information" in Section 16-13-510(D).
(E) The notice required by this section may be provided by:
(1) written notice;
(2) electronic notice, if the person's primary method of communication with the individual is by electronic means or is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 USC and Chapter 6, Title 26 of the 1976 Code;
(3) telephonic notice; or
(4) substitute notice, if the agency demonstrates that the cost of providing notice exceeds two hundred fifty thousand dollars or that the affected class of subject persons to be notified exceeds five hundred thousand or the agency has insufficient contact information. Substitute notice consists of:
(a) e-mail notice when the agency has an e-mail address for the subject persons;
(b) conspicuous posting of the notice on the agency's web site page, if the agency maintains one; or
(c) notification to major statewide media.
(F) Notwithstanding subsection (E), an agency that maintains its own notification procedures as part of an information security policy for the treatment of personal identifying information and is otherwise consistent with the timing requirements of this section is considered to be in compliance with the notification requirements of this section if it notifies subject persons in accordance with its policies in the event of a breach of security of the system.
(G) A resident of this State who is injured by a violation of this section, in addition to and cumulative of all other rights and remedies available at law, may:
(1) institute a civil action to recover damages;
(2) seek an injunction to enforce compliance; and
(3) recover attorney's fees and court costs, if successful.
(H) An agency that knowingly and wilfully violates this section is subject to an administrative fine up to one thousand dollars for each resident whose information was accessible by reason of the breach, the amount to be decided by the Department of Consumer Affairs.
(I) If the agency provides notice to more than one thousand persons at one time pursuant to this section, the business shall notify, without unreasonable delay, the Consumer Protection Division of the Department of Consumer Affairs and all consumer reporting agencies that compile and maintain files on a nationwide basis, as defined in 15 USC Section 1681a(p), of the timing, distribution, and content of the notice.
HISTORY: 2008 Act No. 190, Section 4.A, eff July 1, 2009.