2-6-504. Notification of breach of security of data system. (1) (a) Upon discovery or notification of a breach of the security of a data system, a state agency that maintains computerized data containing personal information in the data system shall make reasonable efforts to notify any person whose unencrypted personal information was or is reasonably believed to have been acquired by an unauthorized person.
(b) The notification must be made without unreasonable delay, consistent with the legitimate needs of law enforcement as provided in subsection (3) or with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system.
(2) (a) A third party that receives personal information from a state agency and maintains that information in a computerized data system in order to perform a state agency function shall:
(i) notify the state agency immediately following discovery of the breach of the security of a data system if the personal information is reasonably believed to have been acquired by an unauthorized person; and
(ii) make reasonable efforts upon discovery or notification of a breach of the security of a data system to notify any person whose unencrypted personal information is reasonably believed to have been acquired by an unauthorized person as part of the breach of the security of a data system. This notification must be provided in the same manner as the notification required in subsection (1).
(b) A state agency notified of a breach by a third party has no independent duty to provide notification of the breach if the third party has provided notification of the breach in the manner required by subsection (2)(a) but shall provide notification if the third party fails to do so in a reasonable time and may recover from the third party its reasonable costs for providing the notice.
(3) The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation and requests a delay of notification. The notification required by this section must be made after the law enforcement agency determines that the notification will not compromise the investigation.
(4) All state agencies and third parties to whom personal information is disclosed by a state agency shall develop and maintain:
(a) an information security policy designed to safeguard personal information; and
(b) breach notification procedures that provide reasonable notice to individuals as provided in subsections (1) and (2).
History: En. Sec. 4, Ch. 163, L. 2009.