Section 675.NEW - [Newly enacted section not yet numbered] Notification of breach of security]1. If a licensee that owns or licenses computerized data that includes personal information discovers or is notified of a breach of the security of the computerized data system of the licensee, the licensee shall notify any resident of this State whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person if:(a) The breach is reasonably likely to subject the resident to a risk of harm; and(b) Either: (1) The personal information acquired or believed to have been acquired was not encrypted; or(2) The breach resulted in, or is reasonably believed to have resulted in, an unauthorized person acquiring an encryption key or other means of converting encrypted personal information acquired by the person into an unencrypted or otherwise intelligible form.2. Except as otherwise provided in this subsection and subsection 4, the notification required by subsection 1 must be made in the most expedient time possible and not more than 30 days after the date on which the licensee discovered or was notified of the breach. A licensee may delay providing the notification beyond the period required by this subsection, as authorized by subsection 4 or if the delay is caused by any measures necessary to determine the scope of the breach and restore the reasonable integrity of the computerized data system of the licensee.3. Except as otherwise provided in subsection 4, a licensee that maintains data which includes personal information that the licensee does not own shall notify the owner of the information of any breach of the security of the computerized data system of the licensee immediately following discovery if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.4. A notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notification must be made after the law enforcement agency determines that the notification will not impede a criminal investigation.5. Except as otherwise provided in subsections 6 and 8, a notification required by this section may be provided by any of the following methods:(a) Written notification.(b) Electronic notification, if the notification provided is consistent with the provisions of the Electronic Signatures in Global and National Commerce Act, 15 U.S.C. §§ 7001 et seq.(c) Substitute notification, if the licensee demonstrates that the cost of providing notification would exceed $250,000, the affected class of subject persons to be notified exceeds 500,000 or the licensee does not have sufficient contact information. Substitute notification must consist of all the following:(1) Notification by electronic mail when the licensee has electronic mail addresses for the subject persons.(2) Conspicuous posting of the notification on the Internet website of the licensee, if the licensee maintains an Internet website.(3) Notification to major statewide media.6. If a breach involves a username, password or other login credentials to an electronic mail account furnished by the licensee, the licensee shall not provide the notification required pursuant to this section to that electronic mail account.7. A notification provided by a licensee pursuant to this section must be written in plain language and contain, at a minimum, the following information:(a) The name and contact information of the licensee;(b) A list of the types of personal information that were or are reasonably believed to have been subject to the breach;(c) The period of time, if known, in which personal information was potentially subject to acquisition by unauthorized persons as a result of the breach, including, without limitation, the date of the breach and the date upon which the licensee discovered or was notified of the breach;(d) The toll-free telephone numbers and addresses of the major credit reporting agencies; and(e) If the breach involved personal information that includes a username, password or other login credentials to an online account, an advisement to the person whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person to promptly change any relevant passwords or security questions or answers associated with the online account and to take any other appropriate steps to protect the online account and any other online account for which the person uses any of the same information to access.8. A licensee who maintains his or her own notification procedures as part of a data security policy for the treatment of personal information that are otherwise consistent with the timing requirements of this section shall be deemed to be in compliance with the notification requirements of this section if the licensee notifies subject persons in accordance with its policies and procedures in the event of a breach of the security of the computerized data system of the licensee.Added by 2023, Ch. 527,§9, eff. 10/1/2023.