If notification is required to more than 250 persons, reporting to the state attorney general must be done either by mail or email. Reporting must also be completed without unreasonable delay to all consumer reporting agencies and any other credit bureau or agency that compiles and maintains files on consumers on a nationwide basis. If the notification is delayed by a law enforcement investigation, notification must be made within 30 days after determination that it will not compromise an investigation. If an organization is not required to report a breach, they must keep documentation of incident for 3 years.

If your breach affects residents in other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.

Vendors should notify Organizations upon discovery of a breach or suspected breach. The Organization is responsible for submitting any required regulatory reporting and consumer notifications.

Failure to provide notification of breach incident(s) is considered a deceptive act or practice. The attorney general may bring a civil action to recover monetary damages up to $10,000 per day, per violation. Organizations may be fined or penalized for Vendor violations.