States with Notice of Security Breach Laws

Notice of Security Breach State Laws
Last updated July 11, 2011

Alaska A.S. 45.48.010, effective July 1, 2009. Requires customer notification in breach of unencrypted, unredacted personal information in any form. An information collector shall make the disclosure required by (a) of this section in the most expeditious time possible and without unreasonable delay, except as provided in AS 45.48.020 and as necessary to determine the scope of the breach and restore the reasonable integrity of the information system. No notice required if, after a reasonable investigation and notification to the state attorney general, it is determined that no reasonable likelihood of harm to consumers. Notification may be delayed if law enforcement determines that the notification will impede a criminal investigation. Written documentation of the investigation must be kept for 5 years. Entities subject to compliance with the Gramm-Leach-Bliley Act are exempt.

Arizona – A.R.S. 44-7501, effective December 31, 2006. Requires notice to consumers of breach in the security of unencrypted, unredacted computerized personal information. No notice if a reasonable investigation determines there is no reasonable likelihood of harm to consumers. If entity complies with federal rules, then it is deemed to be in compliance with Arizona law.

Arkansas – Ark. Code Ann. 4-110-101 to 108, effective March 31, 2005. Requires notice to consumers of breach in the security of unencrypted, computerized personal information and medical information in electronic or physical form. Notice is not required if no reasonable likelihood of harm to consumers. If entity complies with state or federal law that provides greater protection, and at least as thorough disclosure and in compliance with the state or federal law, then it is deemed in compliance. 

California - Civil Code Sec. 1798.80-1798.82, effective July 1, 2003. Requires notice to consumers of breach in the security, confidentiality, or integrity of unencrypted, computerized personal information held by a business or a government agency. Disclosure shall be made if the information was, or is reasonably believed to have been accessed by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. If the person or business has its own notification procedures consistent with timing requirements and provides notice in accordance with its policies or if the person or business abides by state or federal law, or provides greater protection and disclosure, then it is deemed in compliance.

Colorado – Co. Rev. Stat. 6-1-716(1)(a), effective September 1, 2006. Requires notice to consumers of breach in the security of unencrypted, unredacted computerized personal information. Immediate notification required if the individual or entity does not own or license the personal information. Notice given unless investigation determines misuse of information has not occurred or is not reasonably likely to occur. If entity is regulated by state or federal law and maintains procedures pursuant to laws, rules, regulations or guidelines, it is deemed in compliance.

Connecticut - 699 Gen. Stat. Conn. 36a-701, effective January 1, 2006. Requires notice of security breach by persons who conduct business in the state and have a breach in the security of unencrypted computerized data, electronic media or electronic files, containing personal information. Notice is not required if the breached entity determines in consultation with federal, state, and local law enforcement agencies that the breach will not likely result in harm to the individuals. Governmental entities not required to provide notice under this section. Entities are also deemed compliant if notification is in compliance with rules or guidelines established by the primary function of the regulator under the Gramm-Leach Bliley Act.

Delaware – Del. Code Ann. Title 6 Section 12B-101 to 12-B-106, effective June 28, 2005. Requires notice to consumers by individuals and entities operating within the state of breach in the security of unencrypted computerized personal information if the investigation determines that misuse of information about a Delaware resident has occurred or is reasonably likely to occur. If the entity is regulated by state or federal law and maintains procedures for a breach pursuant to the laws, rules, regulations, guidance or guidelines established by its primary or functional state or federal regulator, then it is deemed in compliance with this chapter provided it notifies affected residents in accordance with the maintained procedures when a breach occurs.

District of Columbia - DC Code Sec 28-3851 et seq., effective January 1, 2007. Requires notice to consumers of breach in the security, confidentiality, or integrity of unencrypted computerized or other electronic personal information held by a business or a government agency. The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation but shall be made as soon as possible after the law enforcement agency determines that the notification will not compromise the investigation. This section does not pertain to person or entity subject to the Gramm-Leach Bliley Act. This section also does not apply to a person or business with its own notification procedures with consistent timing requirements in compliance with notification requirements of this section and the person or business provides notice in accordance with its policies and which is reasonably calculated to give actual notice.

Florida - Fla. Stat. Ann. 817.5681 et seq., effective July 1, 2005. Requires notice to consumers of breach in the security, confidentiality or integrity of computerized, unencrypted personal information held by a person who conducts business in the state. Notice not required if, after appropriate investigation or consultation with law enforcement, person reasonably determines breach has not and will not likely result in harm to individuals. Determination must be documented in writing and maintained for five years. Deemed in compliance if person’s own notification procedure is otherwise consistent with the timing requirements of this section, or maintaining notification procedures established by person’s primary or functional federal regulator.

Georgia – Ga. Code Ann. 10-1-912. Effective May 24, 2007. Covers “information brokers and data collectors.” If circumstances require notifying more than 10,000 persons, the data collector or information broker must also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nation-wide basis. Requires expedient notice of breach that compromises the security, confidentiality, or integrity of computerized personal information held by an info broker or data collector. 

Hawaii Haw. Rev. Stat. § 487N-2, effective January 1, 2009. Requires notice to consumers of breach in the security of personal information in any form (computerized, paper, or otherwise) by any business or government agency operating within the state. The disclosure notification shall be made without unreasonable delay, consistent with the legitimate needs of law enforcement, and consistent with any measures necessary to determine sufficient contact information, determine the scope of the breach, and restore the reasonable integrity, security, and confidentiality of the data system.  Notice under this section not required by a financial institution subject to Federal Interagency Guidance on Response Programs for Unauthorized Access to Consumer Information and Consumer Notice or by any health plan or healthcare provider under HIPAA.

Idaho - Id. Code Ann. 28-51-105, effective July 1, 2006. Requires notice to consumers of breach in the security of unencrypted, computerized personal information if after a reasonable investigation, the agency, individual or entity determines that misuse of information of Idaho resident has occurred or is reasonably likely to occur. Requires governmental agencies to notify the Idaho Attorney General within 24 hours. Notice under this section not required by a person regulated by state or federal law and who complies with procedures under that law.

Illinois – 815 ILCS § 530/1 et seq., effective June 26, 2006. Requires entities to expediently notify consumers of breach in the security, confidentiality, or integrity of personal information of the system data held by a person or a government agency. Notice under this section not required if entity maintains own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this Act. 

Indiana - Ind. Code Sec. 4-1-11 et seq., effective June 30, 2006. Requires expedient notice to consumers of breach in the security, confidentiality, or integrity of computerized personal information held by a government agency. 
(private entities) Ind. Code Sec. 24-2-9 et seq. Requires expedient notice when a data collector knows, should know, or should have known that the unauthorized acquisition of computerized data, including computerized data that has been transferred to another medium, constituting the breach has resulted in or could result in identity deception, ID theft or fraud. If any person or entity is required to notify more than 1,000 persons of a breach of security, the person shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis. Notice not required under this section if entity maintains own disclosure procedures, is under federal USA Patriot Act, Exec. Order 13224, FCRA, Financial Modernization Act, HIPAA or financial institutions that comply with the Federal Interagency Guidance on Response Programs for Unauthorized Access to Member Info and Member Notice.

Iowa – Iowa Code § 715C.2, effective July 1, 2008. Any person who owns or licenses computerized data that includes a consumer's personal information that is used in the course of the person's business, vocation, occupation, or volunteer activities and that was subject to a breach of security shall give notice of the breach of security following discovery of such breach of security, or receipt of notification, to any consumer whose personal information was included in the information that was breached. Written documentation of the investigation must be kept for 5 years. The consumer notification shall be made in the most expeditious manner possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, and consistent with any measures necessary to sufficiently determine contact information for the affected consumers, determine the scope of the breach, and restore the reasonable integrity, security, and confidentiality of the data. This section does not pertain to person or entity subject to the Gramm-Leach Bliley Act or to entities with their own notification policies that comply with this Code section.

Kansas - Kansas Stat. 50-7a01, 50-7a02, effective January 1, 2007. Requires governmental agencies and private individuals and entities conducting business in Indiana to give expedient notice to Indiana consumers about a breach in the security of unencrypted, unredacted computerized personal information if investigation determines misuse has occurred or is reasonably likely occur.

Louisiana - La. Rev. State. Ann. Sec. 51 3071-3077, effective January 1, 2006. Requires notice of a breach of the security, confidentiality, or integrity of unencrypted, computerized, personal information by persons doing business in the state. No notice if, after a reasonable investigation, the data holder determines that there is no reasonable likelihood of harm to customers. Notice not required by financial institutions in compliance with federal guidance.

Maine - Me. Rev. Stat. Ann. 10-21-B-1346 to 1349, effective January 31, 2006. Covers only information brokers. Requires notice of a breach of the security, confidentiality, or integrity of unencrypted, computerized, personal information if the personal information has been or is reasonably believed to have been acquired by an unauthorized person. Notice under this section is not required by persons regulated by state or federal law and which complies with procedures under that law.

Maryland - Md. Code, Com. Law § 14-3501 et seq., effective January 1, 2009. Requires notice to consumers of any unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of the personal information. No notice if, after a reasonable investigation, the data holder determines that there is no reasonable likelihood of harm to customers. Notice must be expeditious, but may be delayed to accommodate law enforcement needs.

Massachusetts Title 15, Ch. 93H-§ 3, effective February 3, 2008. Requires notice to consumers of breach of personal data in an encrypted or unencrypted form when the business or government agency knew or should have known that a breach occurred. Data is defined as personal information in any format (electronic or physical). Notification must be given as soon as practicable and without unreasonable delay.  A person who maintains procedures for responding to a breach of security pursuant to federal laws, rules, regulations, guidance, or guidelines, is deemed to be in compliance with this chapter if the person notifies affected Massachusetts residents in accordance with the maintained or required procedures when a breach occurs; provided further that the person also notifies the attorney general and the director of the office of consumer affairs and business regulation of the breach as soon as practicable and without unreasonable delay.

MichiganMich. Comp. Law § 445.72, effective April 1, 2011. Requires a person or agency that owns or licenses personal data to notify Michigan residents if unencrypted and unredacted personal information in computerized form was accessed and acquired by an unauthorized person, or that person’s personal information was accessed and acquired in encrypted form by a person with unauthorized access to the encryption key. Notice not required if the person or agency determines that the security breach has not or is not likely to cause substantial loss or injury to 1 or more residents of this state.  Notification must be given without unreasonable delay, unless a delay is necessary in order for the person or agency to take any measures necessary to determine the scope of the security breach and restore the reasonable integrity of the database, or is necessary for law enforcement purposes.  Does not apply to financial institutions or HIPAA entities.

Minnesota - Minn. Stat. 324E.61 et seq., effective January 1, 2006. Requires notice of breach of the security, confidentiality, or integrity of unencrypted, computerized, personal information by persons doing business in the state. Does not apply to financial institutions or HIPAA entities.

Mississippi2010 H.B. 583, effective July 1, 2011. Requires notification for a breach of the security of unencrypted, computerized, personal information by persons doing business in the state. Disclosure shall be made without unreasonable delay, unless, after appropriate investigation, the person determines that the breach will not likely result in harm to the affected individuals. Notification may also be delayed depending upon the needs of law enforcement.  This section does not pertain to person or entity subject to the Gramm-Leach Bliley Act or to entities with their own notification policies with timing requirements that are consistent with this section.

Missouri - Mo. Rev. Stat. § 407.1500, effective August 28, 2010. Requires notification to customers in the event of unauthorized access to and unauthorized acquisition of personal information maintained in computerized form by a person that compromises the security, confidentiality, or integrity of the personal information. Written documentation of the investigation must be kept for 5 years. Notification must be made without unreasonable delay, unless law enforcement determines that it would disrupt a criminal investigation. Notification is not required if the person, after investigation or consultation with law enforcement, determines that identity theft or fraud is not reasonably likely to occur.  Entities subject to and in compliance with the Gramm-Leach-Bliley Act and or the Federal Interagency Guidance on Response Programs for Unauthorized Access to Member Info and Member Notice are exempt.

Montana - Mont. Code Ann. 30-14-1704, effective October 1, 2007. Requires notice to consumers of breach in security, confidentiality, or integrity of computerized personal information held by a person or business if the breach causes or is reasonably believed to have caused loss or injury to a Montana resident. Notice under this section is not required if the entity maintains own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section. 

Nebraska - Neb. Rev. Stat. 87-801 et seq., effective July 16, 2006. Requires notice to consumers of a breach in the security of unencrypted, computerized personal information if an investigation determines use of information has occurred or is reasonably likely to occur. Deemed in compliance if person’s own notification procedure is otherwise consistent with the timing requirements of this section, or if notification procedures established by person’s primary or functional federal regulator.

Nevada - Nev. Rev. Stat. 603A.010 et seq., effective January 1, 2006. Requires notice of breach of the security, confidentiality, or integrity of unencrypted computerized personal information by data collectors, which are defined to include government, business entities and associations who handle, collect, disseminate or otherwise deal with nonpublic personal information. Notification must be made without unreasonable delay, unless law enforcement determines that it would disrupt a criminal investigation. Notice under this section is not required if the entity maintains own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section, or is subject to compliance with the Gramm-Leach-Bliley Act.

New Hampshire - N.H. Rev. Stat. §§ 359-C:19 et seq., effective January 1, 2007. Requires notice of unauthorized acquisition of unencrypted, computerized data if the determination is that information has been or will likely be misused. Notice must be given if there is a determination that misuse of information has occurred or is reasonably likely to occur or if a determination cannot be made. If any person or entity is required to notify more than 1,000 persons of a breach of security, the person shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis. Notice under this section not required if the entity maintains own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section or if the entity is a person engaged in trade or commerce under RSA 358-A:3 and maintains notification procedures established by its primary or functional regulator.  Entities subject to the Gramm-Leach-Bliley Act are exempt.

New Jersey - NJ Stat 56:8-163, effective July 2, 2006. Requires notice of breach of security of unencrypted computerized personal information held by a business or public entity. No notice if a thorough investigation finds misuse of the information is not reasonably possible. Written documentation of the investigation must be kept for 5 years. Notice under this section not required if entity maintains own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section.

New York – NY Bus. Law Sec. 899-aa., effective December 8, 2005. Requires notice to consumers of breach of security of computerized unencrypted, or encrypted with acquired encryption key, personal information held by both public and private entities if the private information was, or reasonably believed to have been, acquired by a person without authorization. If any person or entity is required to notify more than 5,000 New York residents of a breach of security, the person shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis. Notice must be expeditious, but may be delayed to accommodate law enforcement needs.

North Carolina - N.C. Gen. Stat. 75-65, effective December 1, 2005. Requires notice of breach of security of personalized information in any form if the breach causes, is reasonably likely to cause, or creates a material risk of harm to residents of North Carolina. The disclosure notification shall be made without unreasonable delay, consistent with the legitimate needs of law enforcement, and consistent with any measures necessary to determine sufficient contact information, determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.  Financial institutions subject to compliance with Federal Interagency Guidance on Response Programs for Unauthorized Access to Member Info and Member Notice are exempt.

North Dakota - N.D. Cent. Code 51-30, effective June 1, 2005. Requires notice of a breach of the security of unencrypted, computerized, personal information by persons doing business in the state. Includes an expanded list of sensitive personal information, including date of birth, mother’s maiden name, employee ID number, and electronic signature. Exception for those financial institutions which are in compliance with federal guidance.

Ohio - O.R.C. Ann. 1349.19 et seq., effective February 17, 2006. Requires notice of breach of the security or confidentiality of computerized personal information, held by a state agency, political subdivision or business where reasonably believed it will cause a material risk of identity theft or fraud to a person or property of a resident of Ohio. Notice under this section is not required by financial institutions, trust companies or credit unions or any affiliate required by federal law to notify customers of information security breach and who is in compliance with federal law.

Oklahoma – Okla. Stat. § 24-163, effective Nov. 1, 2008. Requires government agencies and private companies to notify consumers of any breach of computerized personal data in unredacted and unencrypted form, or encrypted form, if the security key is accessed without authorization. Notification is required if the information has caused, or is reasonably believed to cause, identity theft. Notification must be made as soon as practicable after discovering the breach. Notice under this section is not required if the entity maintains own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section.

Oregon - O.R.S. 646A.604, effective October 1, 2007. Requires notice when unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information maintained by the person. Notice not required if after an appropriate investigation or after consultation with federal, state or local agencies responsible for law enforcement, the person determines no reasonable likelihood of harm to consumers whose personal info has been acquired has resulted or will result from the breach. Determination must be in writing and kept for 5 years. Exempted are those with own notification procedures under state or federal law providing at least greater protection to personal information and at least as thorough disclosure requirements pursuant to the rules, regulations, procedures, guidance or guidelines established by primary regulator, or state or federal laws, and financial institutions which are in compliance with federal guidance.

Pennsylvania -  73 Pa. Cons. Stat. 2303, effective June 20, 2006. Requires notice of breach of the security or confidentiality of computerized personal information, held by a state agency, political subdivision or business and is reasonably believed to have been accessed or acquired by an unauthorized person. Notification may be delayed if law enforcement determines it would impede a criminal investigation. Notice under this section not required if entity maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section. Financial institutions subject to compliance with Federal Interagency Guidance on Response Programs for Unauthorized Access to Member Info and Member Notice are exempt.

Puerto Rico - 10 L.P.R.A. 4051 et seq., effective January 5, 2006. Requires notice of breach of the security, confidentiality and integrity of unencrypted personal information, where access has been permitted to unauthorized persons or it is known or reasonably suspected that authorized persons have accessed the information with intent to use it for illegal purposes.

Rhode Island - RI Gen. Law 11-49.2-1 to 11.49.2-7, effective March 1, 2006. Requires notice of a breach of the security, confidentiality or integrity of unencrypted, computerized, personal information by persons and by state agencies if breach poses significant risk of identity theft when unencrypted personal information was, or is reasonably believed to have been acquired by an unauthorized person. No notice is required if after an appropriate investigation or after consultation with relevant federal, state, and local law enforcement agencies, determine the breach has not and will not likely result in harm to individuals. Does not apply to HIPAA entities or financial institutions in compliance with Federal Interagency Guidelines. Entities covered by another state or federal law are exempt only if that other law provides greater protection to consumers.

South Carolina - SC Code §39-1-90, effective January 1, 2009. Requires notice of the security of computerized, unencrypted and unredacted personal information, or encrypted information with a key that has also been compromised, when illegal use of the information has occurred or is reasonably likely to occur or use of the information creates a "material risk of harm" to the consumer. Notice under this section is not required if entity maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section.

Tennessee – Tenn. Code Ann. 47-18-2107, effective July 1, 2005. Any information holder shall disclose any breach of the security of the system, following discovery or notification of the breach in the security of computerized data, to any resident of Tennessee whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made without unreasonable delay, consistent with the legitimate needs of law enforcement, or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. An information holder that maintains its own notification procedures as part of an information security policy for the treatment of personal information, and is otherwise consistent with the timing requirements of this section, shall be deemed to be in compliance with the notification requirements of this section.  Entities subject to the Gramm-Leach-Bliley Act are exempt.

Texas - Tex. Bus. & Com. Code § 521.053, effective Sept. 1, 2009. Requires notice of a breach of the security, confidentiality, or integrity of unencrypted, computerized, personal information by persons who conduct businesses in the state. A person may delay providing notice as required at the request of a law enforcement agency that determines that the notification will impede a criminal investigation. Notice under this section not required if the entity maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section.

Utah - Utah Code 13-44-101 et seq., effective January 1, 2007. Requires notice of a breach of the security of computerized personal information that is not protected by a method that makes the information unusable and there is a reasonable likelihood of identity theft or fraud. The disclosure shall be made without unreasonable delay, consistent with the legitimate needs of law enforcement, or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. Entities covered by another state or federal law are exempt if the person notifies each affected Utah resident in accordance with law.

Vermont - Vt. Stat. Tit 9 Sec. 2435, effective January 1, 2007. Requires notice if investigation reveals misuse of personal information for identity theft or fraud has occurred, or is reasonably likely to occur. Notice is not required if the data collector establishes that misuse of personal information is not reasonably possible. Must provide notice and explanation to the Attorney General or department of banking, insurance, securities and health care administration in the event data collector is a person/entity licensed with that department. Financial institutions subject to compliance with Federal Interagency Guidance on Response Programs for Unauthorized Access to Member Info and Member Notice are exempt. 

Virgin Islands - 14 V.I.C. 2208 et seq., effective October 17, 2005. Requires notice of a breach of the security, confidentiality, or integrity of unencrypted, computerized, personal information reasonably believed to have been acquired by unauthorized persons. Notice under this section not required if entity maintains own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section.

Virginia - VA Code § 18.2-186.6, effective July 1, 2008; Virginia Code § 32.1-127.1:05 (breach of medical information), effective January 1, 2011. Requires notice of any breach of the security of computerized, unencrypted and unredacted personal or medical information, or encrypted information with a key that has also been compromised, if an individual or entity reasonably believes such information has been accessed and acquired by an unauthorized person and has caused or will cause identity theft or other fraud. Notice under this section is not required if an entity maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section, or if the entity has notification procedures established by a federal regulator. Does not apply to any entity that is subject to compliance with HIPAA the Gramm-Leach-Bliley Act.

Washington – RCW § 42.56.590 (government agencies), effective 2007; RCW § 19.255.010 (private entities and individuals), effective 2005. Requires notification of breach of unencrypted, computerized personal data if the information was, or is reasonably believed to have been acquired by an unauthorized person. Notification must be made expeditiously. A person may delay providing notice as required at the request of a law enforcement agency that determines that the notification will impede a criminal investigation. Notice under this section not required if the entity maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section.

West Virginia - WV Code 46A-2A-101 et seq., effective June 26, 2008. Requires notice of any breach of the security of computerized, unencrypted and unredacted personal information, or encrypted information with a key that has also been compromised, reasonably believed to have been accessed and acquired by an unauthorized person and has caused, or will cause, identity theft or other fraud. A person may delay providing notice as required at the request of a law enforcement agency that determines that the notification will impede a criminal investigation. Notice under this section not required if the entity maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section. Financial institutions subject to compliance with Federal Interagency Guidance on Response Programs for Unauthorized Access to Member Info and Member Notice are exempt.

Wisconsin - Wis. Stat. § 134.98 et seq., effective March 16, 2006. Requires persons or entities operating within the state to provide notice to the consumer when personal information is taken in a security breach that is not encrypted, redacted or altered in any manner rendering the information unreadable. This includes DNA and biometric data. Notice must be provided in a reasonable time, not to exceed 45 days of the breach. Notice not required if the acquisition of personal information does not create a material risk of ID theft or fraud. A person may delay providing notice as required at the request of a law enforcement agency that determines that the notification will impede a criminal investigation. Notice under this section not required if the entity maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section.

Wyoming - W.S. 40-12-501 to 509, effective July 1, 2007. Requires notice of the unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal identifying information of an investigation determines misuse of the personal identifying information has occurred or is reasonably likely to occur. Notice shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system. Financial institutions subject to the Gramm-Leach-Bliley Act or credit unions under 12 USC §1752 are exempt from providing notice under this section. 

States with no security breach law: Alabama, Kentucky, New Mexico, and South Dakota.

Updated 7/11/2011