There are specific considerations when determining if a breach is reportable. Notifications may only be given by specific methods. If notification is required to more than 1,000 persons, all consumer reporting agencies must be notified with specific information without unreasonable delay.

If your breach affects residents in other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.

The Attorney General may bring actions for civil relief for security breach violations. Organizations may be fined or penalized for Vendor violations. Violations of protection and disposal requirements are considered an unconscionable act or practice. Organizations may be fined or penalized for Vendor violations.

For violations of the security breach statute by an insurance company licensed to do business in this state, the Insurance Commissioner shall have the sole enforcement authority. A covered entity must provide an individual or such individual’s personal representative with access to the individual’s protected health information. They must also implement and maintain appropriate administrative, technical and physical safeguards to protect the privacy of protected health information.

Organizations and Vendors who maintain or possess records containing personal information must have procedures and practices in place for the protection of personal information. Organizations and Vendors who maintain or possess records containing personal information must have measures in place for the destruction of any records containing personal information.

If a Vendor is breached, they must notify the Organization. The Organization will be responsible to complete any required regulatory and consumer breach notifications.