Notify interested personnel and affected parties that a security breach was detected.


CONTROL ID: 11788
CONTROL TYPE: Communicate
CLASSIFICATION: Corrective

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Include the incident response point of contact's roles and responsibilities in the Incident Response program., CC ID: 01877

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Once an AI becomes aware that a significant incident (including any suspected or confirmed fraud case relating to e-banking) has occurred, the AI concerned should notify the HKMA promptly in accordance with the relevant arrangements set out by the HKMA from time to time. (§ 8.2.5, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • Once an AI becomes aware that a significant incident (including any suspected or confirmed fraud case relating to e-banking) has occurred, the AI concerned should notify the HKMA promptly in accordance with the relevant arrangements set out by the HKMA from time to time. (§ 8.2.5, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • AIs should establish incident response and reporting procedures to handle information security-related incidents during or outside office hours. The incident response and reporting procedures should include timely reporting to the HKMA of any confirmed IT-related fraud cases or major security breach… (3.3.3, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • Regular reviews of the security parameter settings of network devices such as routers, firewalls and network servers are required to ensure that they remain current. Audit trails of daily activities in critical network devices should be maintained and reviewed regularly. Network operational personne… (6.2.3, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • Reporting any security incident or suspected incident to the Information Security function (User manager ¶ 1 Bullet 3, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Distributing and following up on security violation reports (Security Administrator ¶ 1 Bullet 6, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • All security incidents or violations of security policies should be brought to the notice of the CISO. (Critical components of information security 10) (v), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • A financial institution shall notify the Authority as soon as possible, but not later than 1 hour, upon the discovery of a relevant incident, other than a relevant incident arising from the circumstances set out in regulations 8(2)(a) and (b), and 21(d) of the Securities and Futures (Organised Marke… (Technology Risk Management ¶ 7, Monetary Authority of Singapore: Securities and Futures Act (CAP. 289) Notice on Technology Risk Management, Amendment 2018)
  • A financial institution shall notify the Authority as soon as possible, but not later than 1 hour, upon the discovery of a relevant incident, other than a relevant incident arising from the circumstances set out in regulations 9(1) and 23(1)(e) of the Securities and Futures (Markets) Regulations 200… (Technology Risk Management ¶ 7, Monetary Authority of Singapore: Securities and Futures Act (CAP. 289) Notice on Technology Risk Management, Notice No.: CMG-N02)
  • An APRA-regulated entity must notify APRA as soon as possible and, in any case, no later than 72 hours, after becoming aware of an information security incident that: (35., Australian Prudential Regulation Authority Prudential Standard CPS 234 Information Security, CPS 234 – 1)
  • if it is practicable for the entity to notify the contents of the statement to each of the individuals to whom the relevant information relates—take such steps as are reasonable in the circumstances to notify the contents of the statement to each of the individuals to whom the relevant information… (Part IIIC Division 3 Section 26WL (2)(a), Australian Privacy Act 1988, Compilation No. 77)
  • The organization should determine who internally and potentially externally needs to be made aware of the security incident. (Step 1 Bullet 4, Key Steps for Organizations in Responding to Privacy Breaches)
  • The organization should promptly notify the individuals whose information has been breached. (Step 3 ¶ 1, Key Steps for Organizations in Responding to Privacy Breaches)
  • The organization should notify the individuals as soon as possible after the breach has been assessed and evaluated. (Step 3(ii) ¶ "When to notify", Key Steps for Organizations in Responding to Privacy Breaches)
  • The processor shall notify the controller without undue delay after becoming aware of a personal data breach. (Art. 33.2., Regulation (EU) 2016/679 of The European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation))
  • In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlik… (Art. 33.1., Regulation (EU) 2016/679 of The European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation))
  • When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay. (Art. 34.1., Regulation (EU) 2016/679 of The European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation))
  • The organization's information security incident management process should comprise additional activities relating to customers, which include contacting the customer when a security incident occurs, via a pre-agreed mechanism (e.g., individually by telephone or in writing). (CF.05.01.09d, The Standard of Good Practice for Information Security)
  • The organization's information security incident management process should comprise additional activities relating to customers, which include contacting the customer when a security incident occurs, via a pre-agreed mechanism (e.g., individually by telephone or in writing). (CF.05.01.09d, The Standard of Good Practice for Information Security, 2013)
  • In the event of a cybersecurity incident, the organization notifies appropriate stakeholders including, as required, government bodies, self-regulatory agencies or any other supervisory bodies. (RS.CO-2.2, CRI Profile, v1.2)
  • In the event of a cybersecurity incident, the organization notifies appropriate stakeholders including, as required, government bodies, self-regulatory agencies or any other supervisory bodies. (RS.CO-2.2, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Alerting [Assignment: organization-defined personnel or roles] of the information spill using a method of communication not associated with the spill; (IR-9b., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Alerting [Assignment: organization-defined personnel or roles] of the information spill using a method of communication not associated with the spill; (IR-9b., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Alerting [Assignment: organization-defined personnel or roles] of the information spill using a method of communication not associated with the spill; (IR-9b., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The organization should deliver breach notifications in a timely way. (Table Ref 1.2.7, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • Events that resulted in unauthorized use or disclosure of personal information are communicated to the data subjects, legal and regulatory authorities, and others as required. (CC7.4 Communicates Unauthorized Use and Disclosure, Trust Services Criteria)
  • Events that resulted in unauthorized use or disclosure of personal information are communicated to the data subjects, legal and regulatory authorities, and others as required. (CC7.4 ¶ 3 Bullet 1 Communicates Unauthorized Use and Disclosure, Trust Services Criteria, (includes March 2020 updates))
  • Does the incident response plan include a reporting procedure for an information security event? (§ J.1.2.1, Shared Assessments Standardized Information Gathering Questionnaire - J. Incident Event and Communications Management, 7.0)
  • Where an incident of unauthorized access to customer information involves customer information systems maintained by an institution's service providers, it is the responsibility of the financial institution to notify the institution's customers and regulator. However, an institution may authorize or… (Supplement A § II.A.2, 12 CFR Appendix F to Part 225 - Interagency Guidelines Establishing Information Security Standards)
  • Notifying its primary Federal regulator as soon as possible when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information, as defined below; (Supplement A § II.A.1(b), 12 CFR Appendix F to Part 225 - Interagency Guidelines Establishing Information Security Standards)
  • Upon any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred, notify the Commission of such SCI event immediately; (§242.1002(b)(1), 17 CFR PART 242, Regulations M, SHO, ATS, AC, NMS, and SBSR and Customer Margin Requirements for Security Futures)
  • A covered entity shall send notifications without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach, (§ 13402(d)(1), American Recovery and Reinvestment Act of 2009, Division A Title XIII Health Information Technology)
  • All required notifications under Section 311 must be made without unreasonable delay after the security breach is discovered by the business entity or agency. Reasonable delay is defined as time that is necessary to determine the scope of the breach, prevent further disclosures, restore the system's… (§ 311(c), § 316(c), Leahy Personal Data Privacy and Security Act of 2009, Senate Bill 1490, 111th Congress)
  • Provide privacy and security notices consistent with applicable CUI rules (AC.2.005, Cybersecurity Maturity Model Certification, Version 1.0, Level 2)
  • Provide privacy and security notices consistent with applicable CUI rules (AC.2.005, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Provide privacy and security notices consistent with applicable CUI rules (AC.2.005, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Provide privacy and security notices consistent with applicable CUI rules (AC.2.005, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • To whom within the Government, the incident will be reported IAW the incident reporting process defined in Section 6.5.3, Incident Reporting Mechanism (Section 6.5.1 ¶ 1 Bullet 1, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Covered entities shall notify all affected individuals without unreasonable delay and not later than 60 calendar days after the breach is discovered, except when delayed for law enforcement purposes. (§ 164.404(b), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • Covered entities shall notify the main media outlets serving the state or jurisdiction without unreasonable delay and not later than 60 calendar days after the breach is discovered, except when delayed for law enforcement purposes. (§ 164.406(b), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • Business associates shall notify the covered entities without unreasonable delay and not later than 60 calendar days after the breach is discovered, except when delayed for law enforcement purposes. (§ 164.410(b), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • Implementation specifications: Timeliness of notification. Except as provided in §164.412, a business associate shall provide the notification required by paragraph (a) of this section without unreasonable delay and in no case later than 60 calendar days after discovery of a breach. (§ 164.410(b), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Implementation specifications: Breaches involving 500 or more individuals. For breaches of unsecured protected health information involving 500 or more individuals, a covered entity shall, except as provided in §164.412, provide the notification required by paragraph (a) of this section contemporan… (§ 164.408(b), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • When it becomes aware of an incident of unauthorized access to sensitive customer information, a financial institution should conduct a reasonable investigation to promptly determine the likelihood that the information has been or will be misused. If misuse has occurred, or if it is reasonably possi… (Supplement A.III Standard for Providing Notice ¶ 1, Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice)
  • Alerting [Assignment: organization-defined personnel or roles] of the information spill using a method of communication not associated with the spill; (IR-9b. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Alerting [Assignment: organization-defined personnel or roles] of the information spill using a method of communication not associated with the spill; (IR-9b. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Filing procedures—(i) Timing. A credit union must file a SAR with FinCEN no later than 30 calendar days from the date the suspicious activity is initially detected, unless there is no identified suspect on the date of detection. If no suspect is identified on the date of detection, a credit union … (§ 748.1 (c)(2)(i), 12 CFR Part 748, NCUA Guidelines for Safeguarding Member Information, July 1, 2001)
  • Notification to board of directors—(i) Generally. The management of the credit union must promptly notify its board of directors, or a committee designated by the board of directors to receive such notice, of any SAR filed. (§ 748.1 (c)(4)(i), 12 CFR Part 748, NCUA Guidelines for Safeguarding Member Information, July 1, 2001)
  • Alerting [Assignment: organization-defined personnel or roles] of the information spill using a method of communication not associated with the spill; (IR-9c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Alerting [Assignment: organization-defined personnel or roles] of the information spill using a method of communication not associated with the spill; (IR-9c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Notify designated managers, cyber incident responders, and cybersecurity service provider team members of suspected cyber incidents and articulate the event's history, status, and potential impact for further action in accordance with the organization's cyber incident response plan. (T0332, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Provide privacy and security notices consistent with applicable CUI rules. (3.1.9, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171)
  • Provide privacy and security notices consistent with applicable CUI rules. (3.1.9, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 1)
  • Provide privacy and security notices consistent with applicable CUI rules. (3.1.9, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 2)
  • Notify designated managers, cyber incident responders, and cybersecurity service provider team members of suspected cyber incidents and articulate the event's history, status, and potential impact for further action in accordance with the organization's cyber incident response plan. (T0332, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Alerting [Assignment: organization-defined personnel or roles] of the information spill using a method of communication not associated with the spill; (IR-9b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Alerting [Assignment: organization-defined personnel or roles] of the information spill using a method of communication not associated with the spill; (IR-9c., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Alerting [Assignment: organization-defined personnel or roles] of the information spill using a method of communication not associated with the spill; (IR-9b., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Where an incident of unauthorized access to customer information involves customer information systems maintained by an institution's service providers, it is the responsibility of the financial institution to notify the institution's customers and regulator. However, an institution may authorize or… (Supp A § II. A. 2., Appendix B of OCC 12 CFR Part 30, Safety and Soundness Standards)
  • Notifying its primary Federal regulator as soon as possible when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information, as defined below; (Supp A § II. A. 1.(b), Appendix B of OCC 12 CFR Part 30, Safety and Soundness Standards)
  • Notify TSA of security incidents meeting the criteria provided in Appendix B by phone or email as soon as possible. (2 ¶ 1 Bullet 8, Pipeline Security Guidelines)
  • The organization must notify all affected individuals without unreasonable delay and in the fastest means available with time allowing for determining the scope of the breach and restoring the system's integrity, or subject to the legitimate needs of law enforcement. (§ 45.48.010(b), Alaska Personal Information Protection Act, Chapter 48)
  • The organization must notify all affected individuals without unreasonable delay and in the fastest means available with time allowing for determining the scope of the breach, identifying the affected individuals, and restoring the system's integrity, or subject to the legitimate needs of law enforc… (§ 44-7501.A, Arizona Revised Statutes, Section 44-7501, Notification of breach of security system)
  • A person that maintains unencrypted computerized data that includes personal information that the person does not own shall notify and cooperate with the owner or the licensee of the information of any breach of the security of the system following discovery of the breach without unreasonable delay.… (¶ 18-545.B, Arizona Revised Statutes Title 18, Chapter 5, Article 3, Section 18-545, Notification of breach of security system; enforcement; civil penalty; preemption; exceptions; definitions)
  • The organization must notify all affected individuals without unreasonable delay and in the fastest means available with time allowing for determining the scope of the breach and restoring the system's integrity, or subject to the legitimate needs of law enforcement. (§ 4-110-105(a)(2), Arkansas Code, Title 4 Business and Commercial Law, Subtitle 7 Consumer Protection, Chapter 110 Personal Information, Sections 4-110-103 thru 4 -110-105, Personal Information Protection Act)
  • Any agency that maintains computerized data that includes personal information that the agency does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was or is reasonably believed to ha… (§ 1798.29(b), California Civil Code Section 1798.29)
  • The organization must notify all affected individuals without unreasonable delay and in the fastest means available with time allowing for determining the scope of the breach and restoring the system's integrity, or subject to the legitimate needs of law enforcement. (§ 1798.29(a), California Civil Code Title 1.8 Personal Data Chapter 1 Information Practices Act of 1977 Article 7. Accounting of Disclosures §§ 1798.25-1798.29)
  • You must notify affected individuals within 10 business days. (Part III Timing of Notification ¶ 2, California OPP Recommended Practices on Notification of Security Breach, May 2008)
  • If a covered entity is required to notify more than one thousand Colorado residents of a security breach pursuant to this section, the covered entity shall also notify, in the most expedient time possible and without unreasonable delay, all consumer reporting agencies that compile and maintain files… (§ 6-1-716(2)(d), Colorado Revised Statutes, Section 6-1-716, Notice of Security Breach)
  • If a covered entity is required to notify more than one thousand Colorado residents of a security breach pursuant to this section, the covered entity shall also notify, in the most expedient time possible and without unreasonable delay, all consumer reporting agencies that compile and maintain files… (6-1-716 (2)(d), Colorado Revised Statutes, Title 6, Consumer and Commercial Affairs, Fair Trade and Restraint of Trade, Article 1, Colorado Consumer Protection Act)
  • The organization must notify all affected individuals in the fastest means available with time allowing for restoring the system's integrity or subject to the legitimate needs of law enforcement. The Department of Consumer Affairs must be notified within 10 days of the discovery of a security breach… (§ 4052, Puerto Rico Code, Title 10, Subtitle 3, Chapter Citizen Information on Data Banks Security Act, 10 L.P.R.A. Section 4051, 2005)
  • Notify the state contracting agency and the Attorney General as soon as practical after the contractor becomes aware of or has reason to believe that any confidential information that the contractor possesses or controls has been subject to a confidential information breach; (¶ 4e-70(b)(6), Connecticut General Statutes, Title 4e, Chapter 62a, Section 4e-70, Requirements for state contractors who receive confidential information)
  • (§ 3(b), Connecticut law Requiring Consumer Credit Bureaus to Offer Security Freezes, CT SB 650)
  • The organization must notify all affected individuals without unreasonable delay and in the fastest means available with time allowing for determining the scope of the breach and restoring the system's integrity, or subject to the legitimate needs of law enforcement. (§ 12B-102(a), Delaware Code, Title 6, Commerce and Trade, Subtitle II, Other Laws Relating to Commerce and Trade, Chapter 12B, Computer Security Breaches, Sections 12B-101 thru 104)
  • The organization must notify all affected individuals without unreasonable delay and in the fastest means available with time allowing for determining the scope of the breach and restoring the system's integrity, or subject to the legitimate needs of law enforcement. (§ 28-3852(a), District of Columbia Official Code, Division V Local Business Affairs, Title 28. Commercial Instruments and Transactions, Chapter 38. Consumer Protections, Subchapter II. Consumer Security Breach Notification)
  • The organization must notify all affected individuals without unreasonable delay (within 45 days of the determination that a breach has occurred) with time allowing for determining the presence, scope, and nature of the breach and restoring the system's integrity, or subject to the legitimate needs … (§ 817.5681(1), Florida Statutes, Section 817.5681, Breach of security concerning confidential personal information in third-party possession)
  • The organization must notify all affected individuals without unreasonable delay and in the fastest means available with time allowing for determining the scope of the breach and restoring the system's integrity, confidentiality, and security, or subject to the legitimate needs of law enforcement. (§ 10-1-912(a), Georgia Code, Title 10, Chapter 1, Article 34, Sections 10-1-911 thru 10-1-915, Notification required upon breach of security regarding personal information)
  • The organization must notify all affected individuals without unreasonable delay with time allowing for determining the scope of the breach, identifying the contact information, and restoring the system's integrity, confidentiality, and security, or subject to the legitimate needs of law enforcement… (§ 487N-2(a), Hawaii Revised Statute, Section 487N, Security Breach of Personal Information)
  • The organization must notify all affected individuals without unreasonable delay and as soon as possible with time allowing for determining the scope of the breach, identifying the affected individuals, and restoring the system's integrity, or subject to the legitimate needs of law enforcement. (§ 28-51-105(1), Idaho Code, Title 28 Commercial Transactions, Chapter 51 Identity Theft)
  • The organization or State agency must notify all affected individuals without unreasonable delay and in the fastest means available with time allowing for determining the scope of the breach and restoring the system's security, integrity, and confidentiality, or subject to the legitimate needs of la… (§ 530/10(a), § 530/12(a), Illinois Compiled Statutes, Chapter 815, ILCS 530/Personal Information Protection Act.)
  • The organization must notify all affected individuals without unreasonable delay with time allowing for determining the scope of the breach and restoring the system's integrity or law enforcement's approval if there is an investigation, or subject to the legitimate needs of law enforcement. (§ 24-4.9-3-3, Indiana Code 24, Article 4.9, Disclosure of Security Breach)
  • The organization must notify all affected individuals without unreasonable delay with time allowing for determining the scope of the breach and restoring the system's integrity, or subject to the legitimate needs of law enforcement. (§ 4-1-11-5(b), Indiana Code 24, Notice of Security Breach, Chapter 11)
  • The organization must notify all affected individuals without unreasonable delay and in the fastest means available with time allowing for determining the scope of the breach, determining contact information, and restoring the data's confidentiality, security, and integrity, or subject to the legiti… (§ 715C.2.1, Iowa Code Annotated, Section 715C, Personal Information Security Breach Protection)
  • The organization must notify all affected individuals without unreasonable delay and in the fastest means available with time allowing for any law enforcement investigation, determining the scope of the breach, and restoring the system's integrity, or subject to the legitimate needs of law enforceme… (§ 50-7a02(a), Kansas Statutes, Chapter 50, Article 7a, Protection Of Consumer Information)
  • Any information holder that maintains computerized data that includes personally identifiable information that the information holder does not own shall notify the owner or licensee of the information of any breach of the security of the data as soon as reasonably practicable following discovery, if… (¶ 365.732(3), Kentucky Revised Statutes, Title XXIX, Chapter 365, Section .732, Notification to affected persons of computer security breach involving their unencrypted personally identifiable information)
  • The organization must notify all affected individuals without unreasonable delay and in the fastest means available with time allowing for determining the scope of the breach, preventing further disclosure, and restoring the system's integrity, or subject to the legitimate needs of law enforcement. (§ 3074.C, Louisiana Revised Statutes, Title 51, Sections 3073-3074, Database Security Breach Notification Law)
  • The organization must notify all affected individuals without unreasonable delay and in the fastest means available with time allowing for determining the scope of the breach and restoring the system's security, integrity, and confidentiality, or subject to the legitimate needs of law enforcement. (§ 1348.1.A, Maine Revised Statutes Title 10, Part 3, Chapter 210-B, Notice of Risk to Personal Data)
  • Before giving the notification required under subsection (b) of this section, a unit shall provide notice of a breach of the security of a system to the Office of the Attorney General. (¶ 10-1305(h)(1), Code of Maryland State Government, Title 10, Subtitle 13, Sections 10-1301 to 10-1308)
  • In addition to the notice required under paragraph (1) of this subsection, a unit, as defined in § 10-1301(f)(1) of this subtitle, shall provide notice of a breach of security to the Department of Information Technology. (¶ 10-1305(h)(2), Code of Maryland State Government, Title 10, Subtitle 13, Sections 10-1301 to 10-1308)
  • The organization must notify all affected individuals as soon as possible after the breach investigation has been completed. (§ 14-3504(b)(3), Maryland Commercial Law, Subtitle 35, Maryland Personal Information Protection Act, Sections 14-3501 thru 14-3508)
  • The organization must notify all individuals without unreasonable delay and as soon as possible. (Ch 93H § 3(b), General Laws of Massachusetts, Part I, Title XV, Chapter 93H, Security Breaches)
  • The organization must notify all affected individuals without unreasonable delay and in the fastest means available with time allowing for determining the scope of the breach and restoring reasonable security to the data, or subject to the legitimate needs of law enforcement. (§ 13.055 Subd 2, Minnesota Statutes, Section 13.055, State Agencies; Disclosure of Breach in Security)
  • The organization must notify all affected Minnesota residents without unreasonable delay and in the fastest means available with time allowing for determining the scope of the breach, identifying the affected individuals, and restoring the system's integrity, or subject to the legitimate needs of la… (§ 325E.61 Subd 1(a), Minnesota Statutes, Section 325E.61, Data Warehouses; Notice Required For Certain Disclosures)
  • Any person who conducts business in this state that maintains computerized data which includes personal information that the person does not own or license shall notify the owner or licensee of the information of any breach of the security of the data as soon as practicable following its discovery, … (§ 75-24-29(4), Mississippi Code Ann Title 75, Chapter 24, Section 75-24-29, Persons conducting business in Mississippi required to provide notice of a breach of security involving personal information to all affected individuals; enforcement)
  • The organization must notify all affected consumers without unreasonable delay, subject to the legitimate needs of law enforcement, and with time allowing for determining contact information and the scope of the breach and restoring the system's security, confidentiality, and integrity. (§ 407.15.2(1), Missouri Revised Statutes, Chapter 407 Merchandising Practices. Section 407.1500)
  • The organization must notify all affected individuals without unreasonable delay with time allowing for determining the scope of the breach and restoring the system's integrity, or subject to the legitimate needs of law enforcement. (§ 30-14-1704(1), Montana Code - Part 17: IMPEDIMENT OF IDENTITY THEFT)
  • notify the state agency immediately following discovery of the breach if the personal information is reasonably believed to have been acquired by an unauthorized person; and (¶ 2-6-1503(2)(a)(i), Montana Code Annotated Title 2., Chapter 6., Part 15., Sections 2-6-1501 to 1503)
  • Any person to whom personal information is disclosed in order for the person to perform an insurance function pursuant to this part that maintains computerized data that includes personal information shall notify the licensee or insurance-support organization of any breach of the security of the sys… (¶ 33-19-321(2), Montana Code Annotated Title 33, Chapter 19, Part 3, Section 33-19-321)
  • An individual or a commercial entity that maintains computerized data that includes personal information that the individual or commercial entity does not own or license shall give notice to and cooperate with the owner or licensee of the information of any breach of the security of the system when … (§ 87-803(3), Nebraska Revised Statutes, Sections 87-801 thru 87-807, Data Protection and Consumer Notification of Data Security Breach Act of 2006)
  • The organization must notify all affected individuals without unreasonable delay and in the fastest means available with time allowing for determining the scope of the breach and restoring the system's integrity, or subject to the legitimate needs of law enforcement. (§ 603A.220(1), Nevada Revised Statutes, Chapter 603A, Security of Personal Information)
  • The organization must notify all affected individuals as soon as possible after it becomes aware of the security breach. (§ 359-C:20.I(a), New Hampshire Statute, Title XXXI, Chapter 359-C, Right to Privacy, Notice of Security Breach)
  • The organization must notify all affected individuals without unreasonable delay and in the fastest means available with time allowing for determining the scope of the breach and restoring the system's integrity, or subject to the legitimate needs of law enforcement. (§ 56:8-163.a, New Jersey Permanent Statutes, Title 56, Security of Personal Information)
  • Except as provided in Subsection C of this section, a person that owns or licenses elements that include personal identifying information of a New Mexico resident shall provide notification to each New Mexico resident whose personal identifying information is reasonably believed to have been subject… (57-12C-6 (A), 2017 New Mexico Statutes Chapter 57 - Trade Practices and Regulations Article 12C - Data Breach Notification Section 57-12C-1)
  • A person that is required to issue notification of a security breach pursuant to the Data Breach Notification Act to more than one thousand New Mexico residents as a result of a single security breach shall notify the office of the attorney general and major consumer reporting agencies that compile … (57-12C-10 ¶ 1, 2017 New Mexico Statutes Chapter 57 - Trade Practices and Regulations Article 12C - Data Breach Notification Section 57-12C-1)
  • Any person that is licensed to maintain or possess computerized data containing personal identifying information of a New Mexico resident that the person does not own or license shall notify the owner or licensee of the information of any security breach in the most expedient time possible, but not … (¶ 6.C, New Mexico House Bill 15, Data Breach Notification Act)
  • The organization must notify all affected individuals without unreasonable delay and in the fastest means available with time allowing for determining the scope of the breach and restoring the system's integrity, or subject to the legitimate needs of law enforcement. (§ 899-aa.2, New York General Business Law Chapter 20, Article 39-F, Section 899-aa)
  • Any state entity that maintains computerized data that includes private information which such agency does not own shall notify the owner or licensee of the information of any breach of the security of the system immediately following discovery, if the private information was, or is reasonably belie… (§ 208.3, New York State Technology Law, Article 2 Internet Security and Privacy Act)
  • The organization must notify all affected individuals without unreasonable delay with time allowing for determining the scope of the breach, determining contact information, and restoring the system's integrity, confidentiality, and security, or subject to the legitimate needs of law enforcement. (§ 75-65(a), North Carolina Statutes, Chapter 75, Article 2A, Identity Theft Protection Act, Sections 75-60 thru 75-66)
  • The organization must notify all affected individuals without unreasonable delay and as soon as possible with time allowing for determining the scope of the breach and restoring the system's integrity, or subject to the legitimate needs of law enforcement. (§ 51-30-02, North Dakota Century Code, Chapter 51-30, Notice of Security Breach For Personal Information)
  • The organization must notify all affected individuals in the fastest means available (but no more than 45 days after discovery or being notified of the breach) with time allowing for determining the scope of the breach, which individuals' personal information was accessed and acquired, and restoring… (§ 1349.19(B)(2), Ohio Revised Code, Title XIII, Chapter 1347, Section 1347.12, Agency disclosure of security breach of computerized personal information data)
  • The state agency or agency of a political subdivision must notify all affected individuals in the fastest means available (but no more than 45 days after discovery or being notified of the breach) with time allowing for determining the scope of the breach, which individuals' personal information was… (§ 1347.12(B)(2), Ohio Revised Code, Title XIII, Chapter 1349, Section 1349.19, Private disclosure of security breach of computerized personal information data, 2009)
  • State agencies, commissions, or state government subdivisions must notify all affected individuals without unreasonable delay and in the fastest means available with time allowing for determining the scope of the breach and restoring the system's integrity, or subject to the legitimate needs of law … (§ 74-3113.1.A, Oklahoma Statutes, Section 74-3113.1, Disclosure of breach of security of computerized personal information)
  • The Attorney General, either in writing or electronically, if the number of consumers to whom the person must send the notice described in paragraph (a) of this subsection exceeds 250. The person shall disclose the breach of security to the Attorney General in the manner described in paragraph (a) o… (§ 646A.604(1)(b), Oregon Revised Statutes, Chapter 646a, Sections 646A.600 thru 646A.624, Identity Theft Protection Act, 2007 Statutes)
  • The consumer to whom the personal information pertains after the person discovers the breach of security or after the person receives notice of a breach of security under subsection (2) of this section. The person shall notify the consumer in the most expeditious manner possible, without unreasonabl… (§ 646A.604(1)(a), Oregon Revised Statutes, Chapter 646a, Sections 646A.600 thru 646A.624, Identity Theft Protection Act, 2007 Statutes)
  • If a person discovers a breach of security that affects more than 1,000 consumers, the person shall notify, without unreasonable delay, all consumer reporting agencies that compile and maintain reports on consumers on a nationwide basis of the timing, distribution and content of the notice the perso… (§ 646A.604(6), Oregon Revised Statutes, Chapter 646a, Sections 646A.600 thru 646A.624, Identity Theft Protection Act, 2007 Statutes)
  • The organization must notify all affected individuals without unreasonable delay with time allowing for determining the scope of the breach and restoring the system's integrity, or subject to the legitimate needs of law enforcement. (§ 2303(a), Pennsylvania Statutes, Title 73, Trade and Commerce, Chapter 43, Breach of Personal Information Notification Act, Sections 2301 thru 2329, 2009 Statutes)
  • The organization or state agency must notify all affected individuals without unreasonable delay and promptly with time allowing for determining the scope of the breach and restoring the system's integrity, or subject to the legitimate needs of law enforcement. (§ 11-49.2-3(a), § 11-49.2-3(d), Rhode Island General Law, Chapter 11-49.2, Identity Theft Protection, Sections 11-49.2-1 thru 11-49.2-4, 2008 General Laws)
  • State agencies must notify all affected individuals without unreasonable delay and in the fastest means available with time allowing for determining the scope of the breach and restoring the system's integrity, or subject to the legitimate needs of law enforcement. (§ 1-11-490(A), South Carolina Code of Laws, Section 1-11-490, Breach of security of state agency data notification, 2008 Session)
  • The organization must notify all affected individuals without unreasonable delay and in the fastest means available with time allowing for determining the scope of the breach and restoring the system's integrity, or subject to the legitimate needs of law enforcement. (§ 39-1-90(A), South Carolina Code of Laws, Sections 16-13-512, Credit Card, and 39-1-90, Breach of security of business data notification, 2008 Session)
  • Any information holder that experiences a breach of system security under this section shall disclose to the attorney general by mail or electronic mail any breach of system security that exceeds two hundred fifty residents of this state. (§ 22-40-20 ¶ 2, South Dakota Codified Laws, Title 22 Crimes, Chapter 40 Identity Crimes, Sections §§ 22-40-19 to 22-40-26, Data Breach Notification Law)
  • Any state agency shall, within a reasonable amount of time, notify the comptroller of the treasury of any confirmed or suspected unauthorized acquisition of computerized data and any confirmed or suspected breach of a computer information system or related security system established to safeguard th… (§ 8-4-119(c)(1), Tennessee Code Annotated Title 8, Chapter 4, Part 1, Section 8-4-119 Report to comptroller of treasury of government fraud.)
  • Any information holder that maintains computerized data that includes personal information that the information holder does not own shall notify the owner or licensee of the information of any breach of system security if the personal information was, or is reasonably believed to have been, acquired… (§ 47-18-2107(c), Tennessee Code, Title 47, Chapter 18, Part 21, Identity Theft Deterrence, Sections 47-18-2101 thru 47-18-2110)
  • An individual or entity that maintains computerized data that includes personal information that the individual or entity does not own or license shall notify the owner or licensee of the information of any breach of the security of the system as soon as practicable following discovery, if the perso… (§ 48.30(c), Guam 9 GCA, Chapter 48, Notification of Breaches of Personal Information)
  • Alerting [Assignment: organization-defined personnel or roles] of the information spill using a method of communication not associated with the spill; (IR-9b., TX-RAMP Security Controls Baseline Level 1)
  • Alerting [Assignment: organization-defined personnel or roles] of the information spill using a method of communication not associated with the spill; (IR-9b., TX-RAMP Security Controls Baseline Level 2)
  • The organization must notify all affected individuals as soon as possible with time allowing for determining the scope of the breach and restoring the system's integrity, or subject to the legitimate needs of law enforcement. (§ 521.053(b), Texas Business and Commercial Code, Title 11, Subtitle B, Chapter 521, Subchapter A, Section 521)
  • The organization or agency must notify all affected individuals without unreasonable delay and in the fastest means available with time allowing for determining the scope of the breach and restoring the system's integrity, or subject to the legitimate needs of law enforcement. (§ 2208(a), § 2209(a), Virgin Islands Code Title 14 Chapter 110 The Identity Theft Prevention Act § 2201 thru § 2211)
  • The organization must notify all affected individuals without unreasonable delay and in the fastest means available with time allowing for determining the scope of the breach and restoring the system's integrity, or subject to the legitimate needs of law enforcement. (§ 13-44-202(2), Utah Code, Title 13-44, Protection of Personal Information Act)
  • taking into account the nature of the processing and information available to the processor, by appropriate technical and organizational measures, insofar as reasonably practicable, assist the controller in meeting the controller's obligations, including obligations related to the security of proces… (13-61-301 (1)(b), Utah Code, Title 13, Chapter 61, Utah Consumer Privacy Act)
  • The organization must notify all affected individuals without unreasonable delay and in the fastest means available, with time allowing for determining the scope of the breach and restoring the system's integrity, confidentiality, and security, or subject to the legitimate needs of law enforcement. … (§ 2435(b)(1), § 2435(d)(2), Vermont Statute, Title 9, Chapter 62, Protection of Personal Information, Sections 2430, 2435, 2440, 2445)
  • An entity that maintains computerized data that includes medical information that the entity does not own or license shall notify the owner or licensee of the information of any breach of the security of the system without unreasonable delay following discovery of the breach of the security of the s… (§ 32.1-127.1:05.D, Code of Virginia Title 32.1, Chapter 5., Section 32.1-127.1:05 Breach of medical information notification.)
  • Taking into account the nature of processing and the information available to the processor, by assisting the controller in meeting the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of security of the system of th… (§ 59.1-579.A.2., Code of Virginia Title 59.1, Chapter 53, Consumer Data Protection Act)
  • The organization must notify all affected individuals and the Office of the Attorney General without unreasonable delay with time allowing for determining the scope of the breach and restoring the system's integrity, or subject to the legitimate needs of law enforcement. (§ 18.2-186.6.B, Virginia Code, Title 18.2, Chapter 6, Breach of personal information notification, Section 18.2-186.6)
  • Any agency that maintains data that includes personal information that the agency does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acq… (§ 42.56.590(2), Revised Code of Washington Title 42, Chapter 42.56, Section 42.56.590 Personal information—Notice of security breaches.)
  • The organization must notify all affected individuals without unreasonable delay and in the fastest means available, with time allowing for determining the scope of the breach and restoring the system's integrity, or subject to the legitimate needs of law enforcement. (§ 19.255.010(1), Revised Code of Washington, Title 19, Chapter 19.255, Personal information - notice of security breaches, Section 19.255.010)
  • The organization must notify all affected individuals without unreasonable delay with time allowing for determining the scope of the breach and restoring the system's integrity, or subject to the legitimate needs of law enforcement. (§ 46A-2A-102(a), West Virginia Code Chapter 46A Article 2A Breach of Security of Consumer Information § 46A-2A-101 thru § 46A-2A-105, 2009 Legislative Session)
  • The organization must notify all affected individuals without unreasonable delay, and no longer than 45 days after the discovery of the unauthorized acquisition of personal information. (§ 134.98(3)(a), Wisconsin Statute, Chapter 134, Notice of unauthorized acquisition of personal information, Section 134.98, 2008 Session)
  • The organization must notify all affected individuals without unreasonable delay and in the fastest time possible with time allowing for determining the scope of the breach and restoring the system's integrity, or subject to the legitimate needs of law enforcement. (§ 40-12-502(a), Wyoming Statutes, Title 40, Article 5, Breach of the security of the data system, Sections 40-12-501 thru 40-12-509)