MCL - Section 445.72

IDENTITY THEFT PROTECTION ACT (EXCERPT)
Act 452 of 2004


445.72 Notice of security breach; requirements.

Sec. 12.

    (1) Unless the person or agency determines that the security breach has not or is not likely to cause substantial loss or injury to, or result in identity theft with respect to, 1 or more residents of this state, a person or agency that owns or licenses data that are contained in a database that discovers a security breach, or receives notice of a security breach under subsection (2), shall provide a notice of the security breach to each resident of this state who meets 1 or more of the following:
    (a) That resident's unencrypted and unredacted personal information was accessed and acquired by an unauthorized person.
    (b) That resident's personal information was accessed and acquired in encrypted form by a person with unauthorized access to the encryption key.
    (2) Unless the person or agency determines that the security breach has not or is not likely to cause substantial loss or injury to, or result in identity theft with respect to, 1 or more residents of this state, a person or agency that maintains a database that contains data that the person or agency does not own or license that discovers a breach of the security of the database shall provide a notice to the owner or licensor of the information of the security breach.
    (3) In determining whether a security breach is not likely to cause substantial loss or injury to, or result in identity theft with respect to, 1 or more residents of this state under subsection (1) or (2), a person or agency shall act with the care an ordinarily prudent person or agency in like position would exercise under similar circumstances.
    (4) A person or agency shall provide any notice required under this section without unreasonable delay. A person or agency may delay providing notice without violating this subsection if either of the following is met:
    (a) A delay is necessary in order for the person or agency to take any measures necessary to determine the scope of the security breach and restore the reasonable integrity of the database. However, the agency or person shall provide the notice required under this subsection without unreasonable delay after the person or agency completes the measures necessary to determine the scope of the security breach and restore the reasonable integrity of the database.
    (b) A law enforcement agency determines and advises the agency or person that providing a notice will impede a criminal or civil investigation or jeopardize homeland or national security. However, the agency or person shall provide the notice required under this section without unreasonable delay after the law enforcement agency determines that providing the notice will no longer impede the investigation or jeopardize homeland or national security.
    (5) Except as provided in subsection (11), an agency or person shall provide any notice required under this section by providing 1 or more of the following to the recipient:
    (a) Written notice sent to the recipient at the recipient's postal address in the records of the agency or person.
    (b) Written notice sent electronically to the recipient if any of the following are met:
    (i) The recipient has expressly consented to receive electronic notice.
    (ii) The person or agency has an existing business relationship with the recipient that includes regular electronic mail communications and based on those communications the person or agency reasonably believes that it has the recipient's current electronic mail address.
    (iii) The person or agency conducts its business primarily through internet account transactions or on the internet.
    (c) If not otherwise prohibited by state or federal law, notice given by telephone by an individual who represents the person or agency if all of the following are met:
    (i) The notice is not given in whole or in part by use of a recorded message.
    (ii) The recipient has expressly consented to receive notice by telephone, or if the recipient has not expressly consented to receive notice by telephone, the person or agency also provides notice under subdivision (a) or (b) if the notice by telephone does not result in a live conversation between the individual representing the person or agency and the recipient within 3 business days after the initial attempt to provide telephonic notice.
    (d) Substitute notice, if the person or agency demonstrates that the cost of providing notice under subdivision (a), (b), or (c) will exceed $250,000.00 or that the person or agency has to provide notice to more than 500,000 residents of this state. A person or agency provides substitute notice under this subdivision by doing all of the following:
    (i) If the person or agency has electronic mail addresses for any of the residents of this state who are entitled to receive the notice, providing electronic notice to those residents.
    (ii) If the person or agency maintains a website, conspicuously posting the notice on that website.
    (iii) Notifying major statewide media. A notification under this subparagraph shall include a telephone number or a website address that a person may use to obtain additional assistance and information.
    (6) A notice under this section shall do all of the following:
    (a) For a notice provided under subsection (5)(a) or (b), be written in a clear and conspicuous manner and contain the content required under subdivisions (c) to (g).
    (b) For a notice provided under subsection (5)(c), clearly communicate the content required under subdivisions (c) to (g) to the recipient of the telephone call.
    (c) Describe the security breach in general terms.
    (d) Describe the type of personal information that is the subject of the unauthorized access or use.
    (e) If applicable, generally describe what the agency or person providing the notice has done to protect data from further security breaches.
    (f) Include a telephone number where a notice recipient may obtain assistance or additional information.
    (g) Remind notice recipients of the need to remain vigilant for incidents of fraud and identity theft.
    (7) A person or agency may provide any notice required under this section pursuant to an agreement between that person or agency and another person or agency, if the notice provided pursuant to the agreement does not conflict with any provision of this section.
    (8) Except as provided in this subsection, after a person or agency provides a notice under this section, the person or agency shall notify each consumer reporting agency that compiles and maintains files on consumers on a nationwide basis, as defined in 15 USC 1681a(p), of the security breach without unreasonable delay. A notification under this subsection shall include the number of notices that the person or agency provided to residents of this state and the timing of those notices. This subsection does not apply if either of the following is met:
    (a) The person or agency is required under this section to provide notice of a security breach to 1,000 or fewer residents of this state.
    (b) The person or agency is subject to 15 USC 6801 to 6809.
    (9) A financial institution that is subject to, and has notification procedures in place that are subject to examination by the financial institution's appropriate regulator for compliance with, the interagency guidance on response programs for unauthorized access to customer information and customer notice prescribed by the board of governors of the federal reserve system and the other federal bank and thrift regulatory agencies, or similar guidance prescribed and adopted by the national credit union administration, and its affiliates, is considered to be in compliance with this section.
    (10) A person or agency that is subject to and complies with the health insurance portability and accountability act of 1996, Public Law 104-191, and with regulations promulgated under that act, 45 CFR parts 160 and 164, for the prevention of unauthorized access to customer information and customer notice is considered to be in compliance with this section.
    (11) A public utility that sends monthly billing or account statements to the postal address of its customers may provide notice of a security breach to its customers in the manner described in subsection (5), or alternatively by providing all of the following:
    (a) As applicable, notice as described in subsection (5)(b).
    (b) Notification to the media reasonably calculated to inform the customers of the public utility of the security breach.
    (c) Conspicuous posting of the notice of the security breach on the website of the public utility.
    (d) Written notice sent in conjunction with the monthly billing or account statement to the customer at the customer's postal address in the records of the public utility.
    (12) A person that provides notice of a security breach in the manner described in this section when a security breach has not occurred, with the intent to defraud, is guilty of a misdemeanor punishable as follows:
    (a) Except as otherwise provided under subdivisions (b) and (c), by imprisonment for not more than 93 days or a fine of not more than $250.00 for each violation, or both.
    (b) For a second violation, by imprisonment for not more than 93 days or a fine of not more than $500.00 for each violation, or both.
    (c) For a third or subsequent violation, by imprisonment for not more than 93 days or a fine of not more than $750.00 for each violation, or both.
    (13) Subject to subsection (14), a person that knowingly fails to provide any notice of a security breach required under this section may be ordered to pay a civil fine of not more than $250.00 for each failure to provide notice. The attorney general or a prosecuting attorney may bring an action to recover a civil fine under this section.
    (14) The aggregate liability of a person for civil fines under subsection (13) for multiple violations of subsection (13) that arise from the same security breach shall not exceed $750,000.00.
    (15) Subsections (12) and (13) do not affect the availability of any civil remedy for a violation of state or federal law.
    (16) This section applies to the discovery or notification of a breach of the security of a database that occurs on or after July 2, 2006.
    (17) This section does not apply to the access or acquisition by a person or agency of federal, state, or local government records or documents lawfully made available to the general public.
    (18) This section deals with subject matter that is of statewide concern, and any charter, ordinance, resolution, regulation, rule, or other action by a municipal corporation or other political subdivision of this state to regulate, directly or indirectly, any matter expressly set forth in this section is preempted.


History: Add. 2006, Act 566, Eff. July 2, 2007 ;-- Am. 2010, Act 315, Eff. Apr. 1, 2011