Breaches must be reported to the Office of the Attorney General prior to consumer notification.
There is specific information that must be included in consumer notifications.
Breach reporting to each consumer reporting agency that compiles and maintains files on consumers on a nationwide basis is required for breaches involving 1,000 or more individuals.
Failure to comply with breach notification requirements constitutes an unfair trade practice. Violations can incur cease and desist orders, arbitration, fines and penalties, injunctions or other relief.
A data owner’s written contract with a vendor must guarantee the vendor’s implementation of security practices.
There are specific security requirements for handling social security numbers.
If a vendor is breached, it must report the breach to the data owner. The data owner is responsible for completing the reporting and consumer notification.
Vendors are prohibited from charging a fee to provide any necessary information to a data owner regarding a breach.
If your breach affects residents of other states, you will need to notify those residents under the rules of their state.