FINES & PENALTIES
Up to $5,000 per offense
Without unreasonable delay
Breach reporting to the Consumer Protection Division of the Attorney General’s Office must be completed without unreasonable delay when a breached Organization provides consumer notice to an affected state resident. In the event an Organization provides notice to more than 1,000 persons, breach reporting is required to all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.
If a breach affects residents of other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.
FINES & PENALTIES
For violations of the law pertaining to security breaches and destruction of personal information records, the court may impose a civil penalty against up to $5,000 for each offense. If a violation is continuous, each week of the continued violation may be considered a separate offense. Restitution of fees to the attorney general may be granted. Organizations may be fined or penalized for Vendor violations.
INDUSTRY SPECIFIC LAWS
Destruction Vendors must be certified and must provide independent audits to an Organization. In addition, they must have policies and procedures in place to protect against unauthorized access to personal information during and after disposal. There are separate laws for the protection of personal information relating to medical and insurance.
Organizations must have measures in place for the secure disposal of personal information. Disposal Vendors must be contracted. Vendors contracted for record destruction must be monitored by the Organization for compliance with manners of destruction allowed under the law.
Vendors must notify Organization immediately after discovery of a breach or suspected breach. The Organization will be responsible to complete any required regulatory reporting and consumer notifications.