Breach reporting to all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis is required when consumer notification was made to more than 10,000 residents of this state at one time, without unreasonable delay. If a breach affects residents of other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.

Individuals must be notified based on the breach notification laws of the jurisdiction where they reside.

Organizations may be fined or penalized for Vendor violations. Businesses in violation of data protection laws may incur fines up to $250 for the first violation and up to $1,000 for a second or subsequent violation. Businesses in violation of data disposal law may incur fines up to $500 for each customer’s record that contains personal information that is wrongfully disposed of or discarded; with a total fine up to $10,000.

There are separate laws covering data for education and health.

Vendors must notify Organizations within 24 hours after the discovery of a breach or suspected breach. The Organization will be responsible to complete any required regulatory reporting and consumer notification. Organizations and Vendors in the business of destroying records must have measures in place for the secure destruction of records containing personal information so the records are unreadable or undecipherable.