Notify the supervisory authority.


CONTROL ID: 00472
CONTROL TYPE: Behavior
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Require data controllers to be accountable for their actions., CC ID: 00470

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain approval applications., CC ID: 16778
  • Provide the supervisory authority with any information requested by the supervisory authority., CC ID: 12606
  • Notify the supervisory authority of the safeguards employed to protect the data subject's rights., CC ID: 12605
  • Respond to questions about submissions in a timely manner., CC ID: 16930
  • Include any reasons for delay if notifying the supervisory authority after the time limit., CC ID: 12675


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • right of access to customers' data by overseas authorities such as the police and tax authorities - AIs should generally obtain a legal opinion from an international or other reputable legal firm in the relevant jurisdiction on this matter. This will enable them to be informed of the extent and the … (2.9.1 Bullet 2, Hong Kong Monetary Authority Supervisory Policy Manual SA-2 Outsourcing, V.1-28.12.01)
  • In addition, AIs should manage the risk associated with fraudulent websites, malicious mobile applications (Apps), fake Internet banking Apps, phishing emails or similar scams which are designed to trick their customers into revealing sensitive customer information such as account numbers, Internet … (§ 4.3.2, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • A provider of information and communications services shall, whenever it discovers a violation of paragraph (1), immediately report it to the Minister of Science, Information and Communications Technology (ICT) and Future Planning, the Korea Communications Commission, or the Korea Internet and Secur… (Article 49-2(2), Act On Promotion of Information and Communications Network Utilization and Information Protection, Amended by Act No. 14080, Mar. 22, 2016)
  • An institution should notify MAS if any overseas authority were to seek access to its customer information or if a situation were to arise where the rights of access of the institution and MAS set out in paragraph 5.9, have been restricted or denied. (5.10.2 (c), Guidelines on Outsourcing)
  • Every telecommunications service provider shall report to the Commission, in the form and manner prescribed, all terminated Singapore telephone numbers. (PART IX Division 2 Section 42 (1), Singapore Personal Data Protection Act 2012 (No. 26 of 2012))
  • Every telecommunications service provider shall report to the Commission, in the form and manner prescribed, all terminated Singapore telephone numbers. (§ 42.(1), Singapore Personal Data Protection Act 2012 (No. 26 of 2012), Revised Edition 2021)
  • it shall be the responsibility of the first provider to satisfy subsection (1). (§ 42.(4) ¶ 1, Singapore Personal Data Protection Act 2012 (No. 26 of 2012), Revised Edition 2021)
  • notify IRAP Administrator of all IRAP engagements (commencement, delays, and conclusion) via asd.irap@defence.gov.au. (IRAP Membership Maintaining IRAP assessor membership Personal qualities ¶ 1 Bullet 6, IRAP Policies and Procedures Australian Signals Directorate Information Security Registered Assessors Program, 11/2020)
  • notify the IRAP Administrator of any change of circumstances that may impact endorsement, including when unavailable to undertake assessments, and (IRAP Membership Maintaining IRAP assessor membership Personal qualities ¶ 1 Bullet 5, IRAP Policies and Procedures Australian Signals Directorate Information Security Registered Assessors Program, 11/2020)
  • notify the IRAP Administrator of any changes that may impact the IRAP assessor availability lists. (IRAP Membership Maintaining IRAP assessor membership IRAP community ¶ 1 Bullet 3, IRAP Policies and Procedures Australian Signals Directorate Information Security Registered Assessors Program, 11/2020)
  • ASD must be informed when certification is being sought. ASD recommends gateway providers allow at least three (3) months for IRAP Assessment and certification activities to occur before certification. (57., IRAP Policies and Procedures Australian Signals Directorate Information Security Registered Assessors Program, 11/2020)
  • Formal complaints and disputes concerning IRAP or arising from the operation of IRAP shall be managed by the IRAP Administrator. The complainant should notify the IRAP Administrator in writing, with supporting evidence, via asd.irap@defence.gov.au (72., IRAP Policies and Procedures Australian Signals Directorate Information Security Registered Assessors Program, 11/2020)
  • The system owner should notify the Certification and Accreditation authorities of the intention to certify and accredit the system, before the accreditation process begins. (Control: 0082, Australian Government Information Security Manual: Controls)
  • A data controller who intends to process personal data or alter registered processing, with the exception of the processing mentioned in Article 18, is required to notify the Office for Personal Data Protection in writing prior to starting any processing of personal data. If the notification to the … (Art 16(1), Art 18(1), Art 19, Czech Republic Personal Data Protection Act, April 4, 2000)
  • Institutions, without prejudice to Article 19(6) of Directive (EU) 2015/2366, and payment institutions should adequately inform competent authorities in a timely manner or engage in a supervisory dialogue with the competent authorities about the planned outsourcing of critical or important functions… (4.11 58, Final Report on EBA Guidelines on outsourcing arrangements)
  • Institutions and payment institutions should inform competent authorities in a timely manner of material changes and/or severe events regarding their outsourcing arrangements that could have a material impact on the continuing provision of the institutions' or payment institutions' business activiti… (4.11 59, Final Report on EBA Guidelines on outsourcing arrangements)
  • Where an importer considers or has reason to consider that a high-risk AI system is not in conformity with this Regulation, it shall not place that system on the market until that AI system has been brought into conformity. Where the high-risk AI system presents a risk within the meaning of Article … (Article 26 2., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • Where a distributor considers or has reason to consider that a high-risk AI system is not in conformity with the requirements set out in Chapter 2 of this Title, it shall not make the high-risk AI system available on the market until that system has been brought into conformity with those requiremen… (Article 27 2., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • any refusal, restriction, suspension or withdrawal of a Union technical documentation assessment certificate or a quality management system approval issued in accordance with the requirements of Annex VII; (Article 46 1(b), Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • Upon receipt of the notification referred to in paragraph 1, the competent authority of the home Member State shall, without undue delay, provide the relevant details of the incident to EBA and to the ECB. That competent authority shall, after assessing the relevance of the incident to relevant auth… (Art 96(2), DIRECTIVE (EU) 2015/2366 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC)
  • In the case of a major operational or security incident, payment service providers shall, without undue delay, notify the competent authority in the home Member State of the payment service provider. (Art 96(1), DIRECTIVE (EU) 2015/2366 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC)
  • Member States shall ensure that operators of essential services notify, without undue delay, the competent authority or the CSIRT of incidents having a significant impact on the continuity of the essential services they provide. Notifications shall include information enabling the competent authorit… (Art. 14.3, Directive (EU) 2016/1148 OF The European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union)
  • Member States shall ensure that digital service providers notify the competent authority or the CSIRT without undue delay of any incident having a substantial impact on the provision of a service as referred to in Annex III that they offer within the Union. Notifications shall include information to… (Art. 16.3, Directive (EU) 2016/1148 OF The European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union)
  • Each Member State shall notify the Commission without undue delay of the identity of the competent authority referred to in paragraph 1 and of the single point of contact referred to in paragraph 3, of the tasks of those authorities, and of any subsequent changes thereto. Each Member State shall mak… (Article 8 6., DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • Within three months of the designation or establishment of the cyber crisis management authority referred to in paragraph 1, each Member State shall notify the Commission of the identity of its authority and of any subsequent changes thereto. Member States shall submit to the Commission and to the E… (Article 9 5., DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • Each Member State shall notify the Commission without undue delay of the identity of the CSIRT referred to in paragraph 1 of this Article and the CSIRT designated as coordinator pursuant to Article 12(1), of their respective tasks in relation to essential and important entities, and of any subsequen… (Article 10 9., DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • The data controller or his/her representative must notify the supervisory authority before executing any wholly or partly automatic processing intended for a single purpose or sets of related purposes. Member States may exempt or simplify the notification requirements only in the following cases/und… (Art 18, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Unofficial Translation)
  • Where a transfer could not be based on a provision in Article 45 or 46, including the provisions on binding corporate rules, and none of the derogations for a specific situation referred to in the first subparagraph of this paragraph is applicable, a transfer to a third country or an international o… (Art. 49.1.(g) ¶ 1, Regulation (EU) 2016/679 of The European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation))
  • The controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority. (Art. 37.7., Regulation (EU) 2016/679 of The European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation))
  • In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlik… (Art. 33.1., Regulation (EU) 2016/679 of The European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation))
  • Authorities shall provide financial entities with an attestation confirming that the test was performed in accordance with the requirements as evidenced in the documentation in order to allow for mutual recognition of threat led penetration tests between competent authorities. The financial entity s… (Art. 26.7. ¶ 1, Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Financial entities shall inform the competent authority in a timely manner about any planned contractual arrangement on the use of ICT services supporting critical or important functions as well as when a function has become critical or important. (Art. 28.3. ¶ 5, Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • The Data Protection Officer must have the direct right of recitation at any time with the management and must be informed about the events in the government agency and/or company in a comprehensive and timely manner, insofar as these refer to his/her work. He/she must be involved in data protection-… (§ 4.9 Subsection 2 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Bodies that are subject to monitoring and persons responsible for managing it must provide the supervisory authority with the necessary information for performing its duties, on request and without delay. Persons who are obliged to provide information may refuse if it would expose himself/herself or on… (§ 38(3), German Federal Data Protection Act, September 14, 1994)
  • (Art 6.1, Greece Law Protection of personal data and privacy in electronic telecommunications sector (Law 3471))
  • The data controller must report annually to the Parliamentary Commissioner of Data Protection on the requests that have been refused. (Art 13(3), Hungary Protection of Personal Data and Disclosure of Data of Public Interest)
  • Data controllers who use electronic technology for processing personal data, with the exception of data that only has been and is publicly accessible, must notify the Data Protection Authority of the processing. The notification must be submitted on the appropriate form in a timely manner before the… (Art 31, Iceland Protection of Privacy as regards the Processing of Personal Data)
  • The Office of the Guarantee will communicate any complaints to the data controller within 3 days, unless the complaint has been declared inadmissible or manifestly groundless, and inform the data controller that he/she may notify the Office and the complainant within 10 days that he/she will volunta… (§ 149, Italy Personal Data Protection Code)
  • Before processing data on behalf of the public administration or a private controller, the data controller or his/her representative must notify the Data Protection Agency. Before processing data on behalf of the courts, the data controller or his/her representative must notify the Danish Court Admi… (§ 43, § 44(1), § 44(3), § 46, § 48, § 49, § 51 thru § 53, Denmark, The Act on Processing of Personal Data)
  • A written notification must be sent to the supervisory authority before personal data that is completely or partially automated can be processed. An appointment of or removal of a personal data representative by the personal data controller must be reported to the supervisory authority. The Governme… (§ 36, § 37, § 41, Sweden Personal Data Act (1998:204))
  • When a public sector data controller plans on using a processor, he/she must notify the Data Protection Commission, unless the use is based on an explicit legal authorization or the processor is an organizational unit that is either subordinate or superior to the processor. The data controller must … (§ 10(2), § 17, § 23(2), Austria Data Protection Act)
  • The data controller must notify the Data Protection Ombudsman of the following: automated data processing; transfer of personal data outside the European Union or European Economic Area, if transferred in accordance with section 22, 23(6), or 23(7) and there are no statutory provisions; launch of an… (§ 36, Finland Personal Data Protection Act (523/1999))
  • When an individual starts a legal challenge of a National Security vetting decision, the organization must notify the cabinet office government security secretariat. (Mandatory Requirement 29, HMG Security Policy Framework, Version 6.0 May 2011)
  • In case the processed data are collected by other parties through unlawful methods, the controller shall notify the data subject and the Board within the shortest time. Where necessary, the Board may announce such breach at its official website or through other methods it deems appropriate. (Art 12(5), Turkish Law on The Protection of Personal Data no. 6698)
  • shall, in writing and without delay, notify the institution or part concerned of the request made by the individual; and (Part 1 Division 1 Section 9 (2.2)(a) Notification and response, Canada Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, Last amended on June 23, 2015)
  • shall notify the Commissioner, in writing and without delay, of the refusal; and (Part 1 Division 1 Section 9 (2.4)(b) Prohibition, Canada Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, Last amended on June 23, 2015)
  • If an organization decides not to give access to personal information in the circumstances set out in paragraph (3)(c.1), the organization shall, in writing, so notify the Commissioner, and shall include in the notification any information that the Commissioner may specify. (Part 1 Division 1 Section 9 (5) Notice, Canada Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, Last amended on June 23, 2015)
  • To exercise the election of the controlling person to designate the audit committee for purposes of this regulation, the ultimate controlling person shall provide written notice to the commissioners of the affected insurers. Notification shall be made timely prior to the issuance of the statutory au… (Section 14.F., Annual Financial Reporting Model Regulation, NAIC MDL-205, 3rd Quarter 2015)
  • A Medicare Advantage (MA) organization operating a coordinated care plan or a network MSA plan that provides benefits through contracting providers must give written notice of suspensions or terminations of contracts with physicians resulting from deficiencies in quality of care to the licensing or … (§ 422.202(d)(3), 42 CFR Parts 412, 413, 422 et al., Medicare and Medicaid Programs; Electronic Health Record Incentive Program, Final Rule)
  • Organizations desiring to use the Internet for transmittal of HCFA Privacy Act-protected and/or other sensitive HCFA information must notify HCFA of this intent. (§ 9 ¶ 1, HIPAA HCFA Internet Security Policy, November 1998)
  • If an educational agency or institution determines that it cannot comply with the Act or this part due to a conflict with State or local law, it must notify the Office within 45 days, giving the text and citation of the conflicting law. If another recipient of Department funds under any program admi… (§ 99.61 ¶ 1, 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • § 13402(b): A business associate shall notify the covered entity when a breach of unsecured protected health information is discovered. § 13407(a)(2): A vendor of personal health records shall notify the Federal Trade Commission when unsecured PHR identifiable health information was disclosed thro… (§ 13402(b), § 13407(a)(2), § 13407(b), American Recovery and Reinvestment Act of 2009, Division A Title XIII Health Information Technology)
  • TIMING AND FORM OF REPORTING.—The information required to be reported under this subsection shall be reported regularly (but not less often than monthly) and in such form and manner as the Secretary prescribes. Such information shall first be required to be reported on a date specified by the Secr… (§ 1128E(b)(4), Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, 104th Congress)
  • Before an action is filed under Section 202(c) or Section 303(c), the State attorney general must provide a written notice of the action and a copy of the complaint for the action to the Federal Trade Commission (FTC). This notification does not apply if the State attorney general determines that it… (§ 202(c)(2), § 303(c)(2), § 311(b), Leahy Personal Data Privacy and Security Act of 2009, Senate Bill 1490, 111th Congress)
  • Persistent failure to comply arises where an organization that has self-certified to the Department refuses to comply with a final determination by any privacy self-regulatory, independent dispute resolution, or government body, or where such a body, including the Department, determines that an orga… (III.11.g.ii., EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Persistent failure to comply arises where an organization that has self-certified to the Department refuses to comply with a final determination by any privacy self-regulatory, independent dispute resolution, or government body, or where such a body, including the Department, determines that an orga… (iii.11.g.ii., SWISS-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Persistent failure to comply arises where an organization that has self-certified to the Department refuses to comply with a final determination by any privacy self-regulatory, independent dispute resolution, or government body, or where such a body, including the Department, determines that an orga… (III.11.g.ii., UK EXTENSION TO THE EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Organizations that persistently fail (a self-certified organization who refuses to comply with a self-regulatory or government body) to comply with these principles must promptly notify the Department of Commerce of this fact. (FAQ-Dispute Resolution and Enforcement "Persistent Failure to Comply" ¶ 1, US Department of Commerce EU Safe Harbor Privacy Principles, U.S. European Union Safe Harbor Framework)
  • Business associates shall notify the covered entities after the discovery of a breach of unsecured protected health information. (§ 164.410(a)(1), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • Standard. A covered entity shall, following the discovery of a breach of unsecured protected health information as provided in §164.404(a)(2), notify the Secretary. (§ 164.408(a), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Reported the problem to the Secretary. (§ 164.514(e)(4)(iii)(A)(2), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • If the data integrity board and the director of the Office of Management and Budget disapprove a matching program that the inspector general of an agency proposed, the inspector general may report the rejection to Congress and the head of the agency. (§ 552a(u)(5)(D), 5 USC § 552a, Records maintained on individuals (Privacy Act of 1974))
  • The appointing authority shall be notified in writing of the Denial of Access to criminal justice information. (§ 5.12.1.1(8), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • Report the contract violation to the Secretary of Health and Human Services if terminating the contract is not feasible. (§ 4.19.4 Bullet 4, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • If the personal information is maintained by an information recipient, the information recipient is not required to comply with this act. The information recipient must notify the information owner immediately upon the discovery of an information breach and cooperate with the information owner. (§ 45.48.070, Alaska Personal Information Protection Act, Chapter 48)
  • If the organization maintains residents' personal information, it must report any security breach to the information owner in a timely manner and must share necessary information about the breach with the owner. (§ 44-7501.B, Arizona Revised Statues, Section 44-7501, Notification of breach of security system)
  • If the organization maintains computerized data that contains personal information that it doesn't own, it must report any security breaches to the owner or licensee immediately after the security breach has been discovered, if personal information was or is believed to have been acquired via unauth… (§ 4-110-105(b), Arkansas Code, Title 4 Business and Commercial Law, Subtitle 7 Consumer Protection, Chapter 110 Personal Information, Sections 4-110-103 thru 4 -110-105, Personal Information Protection Act)
  • Organizations that maintain computerized data that contains personal information that they don't own must report any security breach to the owner or licensee immediately after the discovery of the security breach, if personal information was or is believed to have been acquired via unauthorized mean… (§ 1798.29(b), California Civil Code Title 1.8 Personal Data Chapter 1 Information Practices Act of 1977 Article 7. Accounting of Disclosures §§ 1798.25-1798.29)
  • If the organization resells or provides access to data banks that contain personal information, it must report any security breach to the custodian, proprietor, or holder of the information. (§ 4052, Puerto Rico Code, Title 10, Subtitle 3, Chapter Citizen Information on Data Banks Security Act, 10 L.P.R.A. Section 4051, 2005)
  • Upon request by the Insurance Commissioner or by the Attorney General, each company shall provide to the commissioner or the Attorney General a copy of its comprehensive information security program. If the commissioner or the Attorney General determines that such security program does not conform t… (§ 38a-999b(d), Connecticut General Statutes Title 38a, Chapter 705, Section 38a - 999b, Comprehensive information security program to safeguard personal information. Certification. Notice requirements for actual or suspected breach. Penalty.)
  • If the organization maintains computerized data that contains personal information that it doesn't own or license, it must report any security breach to the owner or licensee immediately after the security breach is discovered, if personal information has or is likely to be misused, and the organiza… (§ 12B-102(b), Delaware Code, Title 6, Commerce and Trade, Subtitle II, Other Laws Relating to Commerce and Trade, Chapter 12B, Computer Security Breaches, Sections 12B-101 thru 104)
  • If the organization maintains, possesses, or handles electronic or computerized data that contains personal information that it doesn't own, it must report any security breach to the owner or licensee in a timely manner after the security breach has been discovered. (§ 28-3852(b), District of Columbia Official Code, Division V Local Business Affairs, Title 28. Commercial Instruments and Transactions, Chapter 38. Consumer Protections, Subchapter II. Consumer Security Breach Notification)
  • If the organization maintains personal information, it must report any security breach to the owner of the information in a timely manner, and no longer than 10 days after the discovery. (§ 817.5681(2)(a), Florida Statutes, Section 817.5681, Breach of security concerning confidential personal information in third-party possession)
  • If the organization maintains computerized data that contains personal information that it doesn't own, it must report a security breach to the information broker immediately after a security breach has been discovered, if personal information was or is believed to have been acquired via unauthorize… (§ 10-1-912(b), Georgia Code, Title 10, Chapter 1, Article 34, Sections 10-1-911 thru 10-1-915, Notification required upon breach of security regarding personal information)
  • If the organization or government agency maintains or possesses information containing personal information, it must report any security breach to the information owner or licensee in a timely manner. (§ 487N-2(b), Hawaii Revised Statute, Section 487N, Security Breach of Personal Information)
  • If the organization maintains personal information, it must report any security breach to the owner or licensee immediately following its discovery, if misuse of the information is likely to occur, and the organization must cooperate with the owner or licensee, sharing information relevant to the br… (§ 28-51-105(2), Idaho Code, Title 28 Commercial Transactions, Chapter 51 Identity Theft)
  • If the organization maintains computerized data that contains personal information that it doesn't own, it must report any security breach to the owner or licensee immediately after the security breach is discovered, if personal information was or is believed to have been acquired via unauthorized m… (§ 530/10(b), Illinois Compiled Statutes, Chapter 815, ILCS 530/Personal Information Protection Act.)
  • Organizations that are using personal information must report any security breaches to the owner. (§ 24-4.9-3-2, Indiana Code 24, Article 4.9, Disclosure of Security Breach)
  • Organizations that are using the personal information must report any security breaches to the owner immediately. (§ 4-1-11-6, Indiana Code 24, Notice of Security Breach, Chapter 11)
  • Organizations that are using the personal information must report any security breaches to the owner in a timely manner and must share any information about the breach with the owner. (§ 715C.2.2, Iowa Code Annotated, Section 715C, Personal Information Security Breach Protection)
  • Organizations that are maintaining computerized data that contains personal information that they don't own or license must report any security breaches to the owner or licensee, if the personal information was or is believed to have been accessed and acquired via an unauthorized individual. (§ 50-7a02(b), Kansas Statutes, Chapter 50, Article 7a, Protection Of Consumer Information)
  • If the organization maintains computerized data that contains personal information that it doesn't own, it must report any security breach to the owner or licensee after discovery of the security breach when personal information was or is believed to have been acquired via unauthorized means. (§ 3074.B, Louisiana Revised Statutes, Title 51, Sections 3073-3074, Database Security Breach Notification Law)
  • If the organization maintains computerized data that contains personal information that it doesn't own, it must report any security breach to the organization maintaining the personal information immediately following discovery of the security breach, if personal information was or is believed to ha… (§ 1348.2, Maine Revised Statutes Title 10, Part 3, Chapter 210-B, Notice of Risk to Personal Data)
  • Organizations that are using the personal information must report any security breaches to the owner, if it is likely it has resulted in or will likely result in misuse of the information of an individual residing in Maryland, in a timely manner and must share any information about the breach with t… (§ 14-3504(c), Maryland Commercial Law, Subtitle 35, Maryland Personal Information Protection Act, Sections 14-3501 thru 14-3508)
  • If the organization stores or maintains, but doesn't license or own, data containing personal information about a Massachusetts resident, it must report any security breaches it knows of, and it must report if it knows or has reason to know that personal information was used or acquired for unauthor… (Ch 93H § 3(a), General Laws of Massachusetts, Part I, Title XV, Chapter 93H, Security Breaches)
  • Organizations that maintain data that contains personal information that they don't own must report any security breaches to the owner or licensee immediately after discovery, if the personal information was or is believed to have been acquired via unauthorized means. (§ 325E.61 Subd 1(b), Minnesota Statutes, Section 325E.61, Data Warehouses; Notice Required For Certain Disclosures)
  • If the organization maintains or possesses data or records that contain personal information on Missouri residents that it doesn't own or license, or an organization conducts business in Missouri and maintains or possesses personal information on Missouri residents that it doesn't own or license, th… (§ 407.1500.2(2), Missouri Revised Statutes, Chapter 407 Merchandising Practices. Section 407.1500)
  • If the organization maintains computerized data that contains personal information that it doesn't own, it must report any security breach to the owner or licensee immediately after the security breach has been discovered, if personal information was or is believed to have been acquired via unauthor… (§ 30-14-1704(2), Montana Code - Part 17: IMPEDIMENT OF IDENTITY THEFT)
  • If the organization maintains computerized data containing personal information it doesn't own, it must report any security breaches to the owner or licensee immediately after discovery, if personal information was or is believed to have been acquired via unauthorized means. (§ 603A.220(2), Nevada Revised Statutes, Chapter 603A, Security of Personal Information)
  • If the organization maintains computerized data with personal information, it must report any security breaches to the owner or licensee immediately, if personal information was acquired, and must share information about the breach with the owner, excluding confidential business information or trade… (§ 359-C:20.I(c), New Hampshire Statute, Title XXXI, Chapter 359-C, Right to Privacy, Notice of Security Breach)
  • If the organization compiles or maintains computerized data including personal information, it must report any security breaches to the owner immediately after a breach is discovered, if personal information was or is believed to have been accessed by unauthorized means. (§ 56:8-163.b, New Jersey Permanent Statutes, Title 56, Security of Personal Information)
  • If the organization maintains computerized data containing private information, it must report any security breaches to the owner or licensee immediately after discovering a security breach. (§ 899-aa.3, New York General Business Law Chapter 20, Article 39-F, Section 899-aa)
  • If the organization possesses or maintains data or records that contain personal information on North Carolina residents that the organization doesn't own or license, or the organization conducts business in the state and maintains or possesses records or data that include personal information on re… (§ 75-65(b), North Carolina Statutes, Chapter 75, Article 2A, Identity Theft Protection Act, Sections 75-60 thru 75-66)
  • If the organization maintains computerized data that contains personal information that it doesn't own, it must report any security breach to the owner or licensee immediately after the breach has been discovered, if personal information was or is believed to have been acquired via unauthorized mean… (§ 51-30-03, North Dakota Century Code, Chapter 51-30, Notice of Security Breach For Personal Information)
  • If the organization stores or is the custodian of computerized data that contains personal information that it doesn't own, it must report any security breach to the owner expeditiously, if personal information was or is believed to have been accessed and acquired via unauthorized means and causes o… (§ 1349.19(C), Ohio Revised Code, Title XIII, Chapter 1347, Section 1347.12, Agency disclosure of security breach of computerized personal information data)
  • If the state agency or agency of a political subdivision stores or is the custodian of computerized data that contains personal information on behalf of another state agency or agency of a political subdivision, it must report any security breach to the other state agency or agency of a political su… (§ 1347.12(C), Ohio Revised Code, Title XIII, Chapter 1349, Section 1349.19, Private disclosure of security breach of computerized personal information data, 2009)
  • State agencies, commissions, or state government subdivisions that maintain personal information that they do not own must report any security breaches to the owner or licensee immediately after the security breach is discovered, if personal information was or is believed to have been acquired via u… (§ 74-3113.1.B, Oklahoma Statutes, Section 74-3113.1, Disclosure of breach of security of computerized personal information)
  • If the organization must notify more than 1,000 affected individuals about a breach, the organization must also notify all national consumer reporting agencies, without unreasonable delay, of the distribution, timing, and number of the notices. (§ 2305, Pennsylvania Statutes, Title 73, Trade and Commerce, Chapter 43, Breach of Personal Information Notification Act, Sections 2301 thru 2329, 2009 Statutes)
  • If the organization or state agency maintains unencrypted computerized data that contains personal information that it doesn't own, it must report any security breach that presents a significant risk of identity theft to the owner or licensee immediately after discovering the breach, if personal in… (§ 11-49.2-3(b), Rhode Island General Law, Chapter 11-49.2, Identity Theft Protection, Sections 11-49.2-1 thru 11-49. 2-4, 2008 General Laws)
  • State agencies that are maintaining personal information that they do not own must report any security breach to the owner or licensee immediately after the breach has been discovered, if personal information was or is believed to have been acquired via unauthorized means. (§ 1-11-490(B), South Carolina Code of Laws, Section 1-11-490, Breach of security of state agency data notification, 2008 Session)
  • If the organization maintains personal information that it does not own and it conducts business in South Carolina, it must report any security breach to the owner or licensee immediately after the security breach is discovered, if personal information was or is believed to have been acquired via un… (§ 39-1-90(B), South Carolina Code of Laws, Sections 16-13-512, Credit Card, and 39-1-90, Breach of security of business data notification, 2008 Session)
  • If the organization maintains computerized data that contains sensitive personal information that it doesn't own, it must report any security breach to the owner or licensee immediately after a security breach is discovered, if sensitive personal information was or is believed to have been acquired … (§ 521.053(c), Texas Business and Commercial Code, Title 11, Subtitle B, Chapter 521, Subchapter A, Section 521)
  • If the agency maintains computerized data that contains personal information that it doesn't own, it must report any security breach to the owner or licensee immediately after the security breach has been discovered, if personal information was or is believed to have been acquired via unauthorized m… (§ 2208(b), § 2209(b), Virgin Islands Code Title 14 Chapter 110 The Identity Theft Prevention Act § 2201 thru § 2211)
  • If the organization maintains computerized data that contains personal information that it doesn't own or license, it must report any security breach to the owner or licensee immediately after the security breach is discovered, if misuse has or is likely to occur. (§ 13-44-202(3), Utah Code, Title 13-44, Protection of Personal Information Act)
  • If the organization possesses or maintains data that contains personal information that it doesn't own or license, it must report any security breaches to the owner or licensee immediately after the security breach is discovered. (§ 2435(b)(2), Vermont Statute, Title 9, Chapter 62, Protection of Personal Information, Sections 2430, 2435, 2440, 2445)
  • Organizations that maintain computerized data that contains personal information that they don't own or license must report any security breach to the owner or licensee in a timely manner after a security breach is discovered, if personal information was acquired and accessed via unauthorized means. (§ 18.2-186.6.D, Virginia Code, Title 18.2, Chapter 6, Breach of personal information notification, Section 18.2-186.6)
  • If the organization maintains computerized data that contains personal information that it doesn't own, it must report any security breach to the owner or licensee immediately, if personal information was or is believed to have been acquired via unauthorized means. (§ 19.255.010(2), Revised Code of Washington, Title 19, Chapter 19.255, Personal information - notice of security breaches, Section 19.255.010)
  • If a security breach of either of these types occurs, all licensees must notify the Insurance Commissioner. The notification must be made in writing and must include the number of consumers potentially affected and the actions being taken by the licensee. (¶ 3, Washington State Register, 17-23-188, Two Day Notification Requirement for Security Breaches)
  • If the organization maintains computerized data that contains personal information the organization doesn't own or license, it must report any security breach to the owner or licensee in a timely manner after the security breach is discovered, if personal information was or is believed to have been … (§ 46A-2A-102(c), West Virginia Code Chapter 46A Article 2A Breach of Security of Consumer Information § 46A-2A-101 thru § 46A-2A-105, 2009 Legislative Session)
  • If the organization stores personal information that it doesn't own or license, and has not contracted with the owner or licensee of the information, it must report any security breach to the owner or licensee in a timely manner. (§ 134.98(2)(bm), Wisconsin Statute, Chapter 134, Notice of unauthorized acquisition of personal information, Section 134.98, 2008 Session)
  • If the organization maintains computerized data that contains personal information that it doesn't own, it must report any security breach to the owner as soon as possible after determining personal information was or is believed to have been acquired via unauthorized means. The two organizations ma… (§ 40-12-502(g), Wyoming Statutes, Title 40, Article 5, Breach of the security of the data system, Sections 40-12-501 thru 40-12-509)
  • If an educational agency or institution determines that it cannot comply with the Act or this part due to a conflict with State or local law, it must notify the Office within 45 days, giving the text and citation of the conflicting law. If another recipient of Department funds under any program admi… (§ 99.61 ¶ 1, 34 CFR Part 99, Family Educational Rights and Privacy)