When a data breach occurs, it鈥檚 an intense, frightening moment. Who you 鈥榞onna call? Ghostbusters aren鈥檛 the ones for this job, so the best way to make the specter of a breach less scary is to have an incident response plan in place; to know what your legal and regulatory requirements are; and to have the contact information that you need close at hand.
While this new series of blogs is not intended to provide legal advice, it is intended to provide you with recommendations for resources that may be useful; to increase awareness regarding notification and reporting requirements; and to provide helpful notification contact information, unique to each state. In each issue, we will present you with contact information regarding a different state in which 海角吃瓜黑料 is licensed, and in which you may be its appointed agent. It is up to you to make sure that you know when to use these contacts 鈥 either because you are legally required to do so, or because you have optionally decided to provide notification. Lastly, for our legal disclaimers, we鈥檝e made our best efforts to acquire the correct and current contact information, but we can make no guarantees as to its accuracy or that the information will not change over time.
Understanding State Reporting Responsibilities
There are two kinds of laws that impact your reporting responsibilities: (1) state data breach notification laws that generally apply to all entities who 鈥渙wn鈥 data, and (2) insurance data security laws that apply to those who are regulated for doing the business of insurance. A great summary of the state data breach notification laws is published quarterly by the law firm of . Another useful resource for tracking both the state data breach notification laws and the insurance data security laws is a tool published by the law firm of .
Now that we鈥檝e discussed both the general and insurance data breach notification laws, please be aware that sometimes notification requirements derive from other sources, including statutes which are not labeled as Insurance Data Security Laws (or which don鈥檛 even fall under the category of such laws), and bulletins issued by insurance regulators.
State data breach notification laws vary from state to state and may have some exemptions which apply to you, but often include the following common components:
Notification to affected state residents without unreasonable delay.
Notification to certain agencies, including state attorneys general and/or consumer reporting agencies under certain circumstances.
The variances are quite considerable and include (but are not limited to) how (e.g. by what method) to give notice, permitted delays when a law enforcement agency investigation is pending, timing of the notice, what particular information is required to be provided, and record retention.
Consumer Reporting Agency Notification
For your convenience, when these laws do require notification to Consumer Reporting Agencies, the following information may be helpful to you:
Insurance Data Security Laws also vary from state to state and may have some exemptions that apply to you (typically based upon the size of the licensee, its year-end total assets, and its gross annual revenue), so, again, be sure to check your state鈥檚 specific requirements. However, these laws generally include the following common notification components:
Notification to the insurance commissioner of the cybersecurity event (usually within three days in most states).
Notification to affected state residents without unreasonable delay.
But if you鈥檝e had a breach and determined that notice is not required (according to the state law or other authority), then typically that determination is required to be documented in writing and retained for at least five (5) years.
Notification (usually within 10 days) to a covered third-party (such as your *title insurance underwriter) when you have determined or believe that a breach occurred. *(for 海角吃瓜黑料 Title, you can contact Elyce Schweitzer, Regulatory Compliance Officer, at听eschweitzer@alliantnational.com)
MARYLAND NOTIFICATION REQUIREMENTS AND CONTACT INFORMATION 听
Contact Information Pursuant to State Data Breach Notification Laws
Md. Code Com. Law 搂 14-3501 et seq., Maryland Personal Information Protection Act. *(Md. Code Com. Law 搂 14-3504 and 搂 14-3506 are the notification/reporting sections).
Prior to giving the individual notification required under the law, provide notice of a breach to the attorney general:
*Attorney General notification requirements are disclosed on website at https://www.marylandattorneygeneral.gov/Pages/IdentityTheft/businessGL.aspx; send notice to the OAG by one of the following methods: (1) By Mail: Office of Attorney General, Attn: Security Breach Notification, 200 St. Paul Place, Baltimore, MD听 2101; (2) By Fax: Attn: Security Breach Notification, (410) 576-6566; (3) By Email: Idtheft@oag.stat.md.us.
When breach affects > 1,000 residents, notify:
*Consumer Reporting Agencies
Contact Information Pursuant to Insurance Data Security Laws (or Pursuant to Other Authority Requiring Notice to Regulator):
Md. Ins. Code 搂 33-101, et. seq., Insurance Data Security Law, with MIA Bulletin 22-13.听 *(Md. Ins. Code 搂 33-105 is the notification/reporting section).
Notify: * Access Maryland Cybersecurity Event Initial Notification Form at https://marylandinsurance.jotform.com/222405158165048
When a data breach occurs, it鈥檚 an intense, frightening moment. Who you 鈥榞onna call? Ghostbusters aren鈥檛 the ones for this job, so the best way to make the specter of a breach less scary is to have an incident response plan in place; to know what your legal and regulatory requirements are; and to have the contact information that you need close at hand.
While this new series of blogs is not intended to provide legal advice, it is intended to provide you with recommendations for resources that may be useful; to increase awareness regarding notification and reporting requirements; and to provide helpful notification contact information, unique to each state. In each issue, we will present you with contact information regarding a different state in which 海角吃瓜黑料 is licensed, and in which you may be its appointed agent. It is up to you to make sure that you know when to use these contacts 鈥 either because you are legally required to do so, or because you have optionally decided to provide notification. Lastly, for our legal disclaimers, we鈥檝e made our best efforts to acquire the correct and current contact information, but we can make no guarantees as to its accuracy or that the information will not change over time.
Understanding State Reporting Responsibilities
There are two kinds of laws that impact your reporting responsibilities: (1) state data breach notification laws that generally apply to all entities who 鈥渙wn鈥 data, and (2) insurance data security laws that apply to those who are regulated for doing the business of insurance. A great summary of the state data breach notification laws is published quarterly by the law firm of . Another useful resource for tracking both the state data breach notification laws and the insurance data security laws is a tool published by the law firm of .
Now that we鈥檝e discussed both the general and insurance data breach notification laws, please be aware that sometimes notification requirements derive from other sources, including statutes which are not labeled as Insurance Data Security Laws (or which don鈥檛 even fall under the category of such laws), and bulletins issued by insurance regulators.
State data breach notification laws vary from state to state and may have some exemptions which apply to you, but often include the following common components:
Notification to affected state residents without unreasonable delay.
Notification to certain agencies, including state attorneys general and/or consumer reporting agencies under certain circumstances.
The variances are quite considerable and include (but are not limited to) how (e.g. by what method) to give notice, permitted delays when a law enforcement agency investigation is pending, timing of the notice, what particular information is required to be provided, and record retention.
Consumer Reporting Agency Notification
For your convenience, when these laws do require notification to Consumer Reporting Agencies, the following information may be helpful to you:
Insurance Data Security Laws also vary from state to state and may have some exemptions that apply to you (typically based upon the size of the licensee, its year-end total assets, and its gross annual revenue), so, again, be sure to check your state鈥檚 specific requirements. However, these laws generally include the following common notification components:
Notification to the insurance commissioner of the cybersecurity event (usually within three days in most states).
Notification to affected state residents without unreasonable delay.
But if you鈥檝e had a breach and determined that notice is not required (according to the state law or other authority), then typically that determination is required to be documented in writing and retained for at least five (5) years.
Notification (usually within 10 days) to a covered third-party (such as your *title insurance underwriter) when you have determined or believe that a breach occurred. *(for 海角吃瓜黑料 Title, you can contact Elyce Schweitzer, Regulatory Compliance Officer, at听eschweitzer@alliantnational.com)
WASHINGTON D.C. NOTIFICATION REQUIREMENTS AND CONTACT INFORMATION 听
Contact Information Pursuant to State Data Breach Notification Laws
D.C. Code 搂 28-3851 et seq. *(D.C. Code 搂 28-3852is the notification/reporting section). 听 When breach affects 鈮 50 residents, notify: *Office of the Attorney General for the District of Columbia Ph: (202) 727-3400 Fax: (202) 347-8922 Email: oag@dc.gov 400 6th Street NW Washington, D.C. 20001 听 When breach affects > 1,000 residents, notify: *Consumer Reporting Agencies
Contact Information Pursuant to Insurance Data Security Laws (or Pursuant to Other Authority Requiring Notice to Regulator):
No Insurance Data Security Law 听 Courtesy/Optional contact information: *Philip Barlow, Associate Commissioner of Insurance, philip.barlow@dc.gov *Jocelyn Bramble, General Counsel, Jocelyn.Bramble@dc.gov 1050 First Street, NE, 801, Washington, DC 20002 Ph: (202) 727-8000 Fax: (202) 671-0650
When a data breach occurs, it鈥檚 an intense, frightening moment. Who you 鈥榞onna call? Ghostbusters aren鈥檛 the ones for this job, so the best way to make the specter of a breach less scary is to have an incident response plan in place; to know what your legal and regulatory requirements are; and to have the contact information that you need close at hand.
While this new series of blogs is not intended to provide legal advice, it is intended to provide you with recommendations for resources that may be useful; to increase awareness regarding notification and reporting requirements; and to provide helpful notification contact information, unique to each state. In each issue, we will present you with contact information regarding a different state in which 海角吃瓜黑料 is licensed, and in which you may be its appointed agent. It is up to you to make sure that you know when to use these contacts 鈥 either because you are legally required to do so, or because you have optionally decided to provide notification. Lastly, for our legal disclaimers, we鈥檝e made our best efforts to acquire the correct and current contact information, but we can make no guarantees as to its accuracy or that the information will not change over time.
Understanding State Reporting Responsibilities
There are two kinds of laws that impact your reporting responsibilities: (1) state data breach notification laws that generally apply to all entities who 鈥渙wn鈥 data, and (2) insurance data security laws that apply to those who are regulated for doing the business of insurance. A great summary of the state data breach notification laws is published quarterly by the law firm of . Another useful resource for tracking both the state data breach notification laws and the insurance data security laws is a tool published by the law firm of .
Now that we鈥檝e discussed both the general and insurance data breach notification laws, please be aware that sometimes notification requirements derive from other sources, including statutes which are not labeled as Insurance Data Security Laws (or which don鈥檛 even fall under the category of such laws), and bulletins issued by insurance regulators.
State data breach notification laws vary from state to state and may have some exemptions which apply to you, but often include the following common components:
Notification to affected state residents without unreasonable delay.
Notification to certain agencies, including state attorneys general and/or consumer reporting agencies under certain circumstances.
The variances are quite considerable and include (but are not limited to) how (e.g. by what method) to give notice, permitted delays when a law enforcement agency investigation is pending, timing of the notice, what particular information is required to be provided, and record retention.
Consumer Reporting Agency Notification
For your convenience, when these laws do require notification to Consumer Reporting Agencies, the following information may be helpful to you:
Insurance Data Security Laws also vary from state to state and may have some exemptions that apply to you (typically based upon the size of the licensee, its year-end total assets, and its gross annual revenue), so, again, be sure to check your state鈥檚 specific requirements. However, these laws generally include the following common notification components:
Notification to the insurance commissioner of the cybersecurity event (usually within three days in most states).
Notification to affected state residents without unreasonable delay.
But if you鈥檝e had a breach and determined that notice is not required (according to the state law or other authority), then typically that determination is required to be documented in writing and retained for at least five (5) years.
Notification (usually within 10 days) to a covered third-party (such as your *title insurance underwriter) when you have determined or believe that a breach occurred. *(for 海角吃瓜黑料 Title, you can contact Elyce Schweitzer, Regulatory Compliance Officer, at听eschweitzer@alliantnational.com)
ARKANSAS NOTIFICATION REQUIREMENTS AND CONTACT INFORMATION 听
Contact Information Pursuant to State Data Breach Notification Laws
Ark. Code 搂 4-110-101 et seq. *(Ark. Code 搂 4-110-105is the notification/reporting section). 听 When breach affects > 1,000 residents, notify: *Attorney General data breach form: Ph. (501) 682-2007 or (800) 482-8982 oag@ArkansasAG.gov 323 Center Street, Suite 200 Little Rock, AR 72201 Fax: (501) 683-2520
Contact Information Pursuant to Insurance Data Security Laws (or Pursuant to Other Authority Requiring Notice to Regulator):
No Insurance Data Security Law, but *A.C.A. 23-61-113,听Disclosure of nonpublic personal information (Effective August 1, 2017), requires notice to be given to the Insurance Commissioner. 听 Notify: *insurance.legal@arkansas.gov 听听听听 *Attorney Amanda Rose, amanda.rose@arkansas.gov; ph. (501)371-2838
When a data breach occurs, it鈥檚 an intense, frightening moment. Who you 鈥榞onna call? Ghostbusters aren鈥檛 the ones for this job, so the best way to make the specter of a breach less scary is to have an incident response plan in place; to know what your legal and regulatory requirements are; and to have the contact information that you need close at hand.
While this new series of blogs is not intended to provide legal advice, it is intended to provide you with recommendations for resources that may be useful; to increase awareness regarding notification and reporting requirements; and to provide helpful notification contact information, unique to each state. In each issue, we will present you with contact information regarding a different state in which 海角吃瓜黑料 is licensed, and in which you may be its appointed agent. It is up to you to make sure that you know when to use these contacts 鈥 either because you are legally required to do so, or because you have optionally decided to provide notification. Lastly, for our legal disclaimers, we鈥檝e made our best efforts to acquire the correct and current contact information, but we can make no guarantees as to its accuracy or that the information will not change over time.
Understanding State Reporting Responsibilities
There are two kinds of laws that impact your reporting responsibilities: (1) state data breach notification laws that generally apply to all entities who 鈥渙wn鈥 data, and (2) insurance data security laws that apply to those who are regulated for doing the business of insurance. A great summary of the state data breach notification laws is published quarterly by the law firm of . Another useful resource for tracking both the state data breach notification laws and the insurance data security laws is a tool published by the law firm of .
Now that we鈥檝e discussed both the general and insurance data breach notification laws, please be aware that sometimes notification requirements derive from other sources, including statutes which are not labeled as Insurance Data Security Laws (or which don鈥檛 even fall under the category of such laws), and bulletins issued by insurance regulators.
State data breach notification laws vary from state to state and may have some exemptions which apply to you, but often include the following common components:
Notification to affected state residents without unreasonable delay.
Notification to certain agencies, including state attorneys general and/or consumer reporting agencies under certain circumstances.
The variances are quite considerable and include (but are not limited to) how (e.g. by what method) to give notice, permitted delays when a law enforcement agency investigation is pending, timing of the notice, what particular information is required to be provided, and record retention.
Consumer Reporting Agency Notification
For your convenience, when these laws do require notification to Consumer Reporting Agencies, the following information may be helpful to you:
Insurance Data Security Laws also vary from state to state and may have some exemptions that apply to you (typically based upon the size of the licensee, its year-end total assets, and its gross annual revenue), so, again, be sure to check your state鈥檚 specific requirements. However, these laws generally include the following common notification components:
Notification to the insurance commissioner of the cybersecurity event (usually within three days in most states).
Notification to affected state residents without unreasonable delay.
But if you鈥檝e had a breach and determined that notice is not required (according to the state law or other authority), then typically that determination is required to be documented in writing and retained for at least five (5) years.
Notification (usually within 10 days) to a covered third-party (such as your *title insurance underwriter) when you have determined or believe that a breach occurred. *(for 海角吃瓜黑料 Title, you can contact Elyce Schweitzer, Regulatory Compliance Officer, at听eschweitzer@alliantnational.com)
WISCONSIN NOTIFICATION REQUIREMENTS AND CONTACT INFORMATION 听
Contact Information Pursuant to State Data Breach Notification Laws
Wis. Stat. 搂 134.98. Notice of unauthorized acquisition of personal information. *(Wis. Stat. 搂 134.98 is the notification/reporting section).听 听 When breach affects > 1,000 residents, notify: *Consumer Reporting Agencies
Contact Information Pursuant to Insurance Data Security Laws (or Pursuant to Other Authority Requiring Notice to Regulator):
Wis. Stat. 搂 601.95, et seq., Insurance Data Security Act.听 *(Wis. Stat. 搂 601.954 is the notification/reporting section).听 听 Notify: Regulator鈥檚听 (whose informational website for Insurance Cybersecurity is ) online form to Report a Cybersecurity Event is accessible at ; and use online form for Update to a Cybersecurity Event Report, accessible at ; Email: OCICyberReport@wisconsin.gov
When a data breach occurs, it鈥檚 an intense, frightening moment. Who you 鈥榞onna call? Ghostbusters aren鈥檛 the ones for this job, so the best way to make the specter of a breach less scary is to have an incident response plan in place; to know what your legal and regulatory requirements are; and to have the contact information that you need close at hand.
While this new series of blogs is not intended to provide legal advice, it is intended to provide you with recommendations for resources that may be useful; to increase awareness regarding notification and reporting requirements; and to provide helpful notification contact information, unique to each state. In each issue, we will present you with contact information regarding a different state in which 海角吃瓜黑料 is licensed, and in which you may be its appointed agent. It is up to you to make sure that you know when to use these contacts 鈥 either because you are legally required to do so, or because you have optionally decided to provide notification. Lastly, for our legal disclaimers, we鈥檝e made our best efforts to acquire the correct and current contact information, but we can make no guarantees as to its accuracy or that the information will not change over time.
Understanding State Reporting Responsibilities
There are two kinds of laws that impact your reporting responsibilities: (1) state data breach notification laws that generally apply to all entities who 鈥渙wn鈥 data, and (2) insurance data security laws that apply to those who are regulated for doing the business of insurance. A great summary of the state data breach notification laws is published quarterly by the law firm of . Another useful resource for tracking both the state data breach notification laws and the insurance data security laws is a tool published by the law firm of .
Now that we鈥檝e discussed both the general and insurance data breach notification laws, please be aware that sometimes notification requirements derive from other sources, including statutes which are not labeled as Insurance Data Security Laws (or which don鈥檛 even fall under the category of such laws), and bulletins issued by insurance regulators.
State data breach notification laws vary from state to state and may have some exemptions which apply to you, but often include the following common components:
Notification to affected state residents without unreasonable delay.
Notification to certain agencies, including state attorneys general and/or consumer reporting agencies under certain circumstances.
The variances are quite considerable and include (but are not limited to) how (e.g. by what method) to give notice, permitted delays when a law enforcement agency investigation is pending, timing of the notice, what particular information is required to be provided, and record retention.
Consumer Reporting Agency Notification
For your convenience, when these laws do require notification to Consumer Reporting Agencies, the following information may be helpful to you:
Insurance Data Security Laws also vary from state to state and may have some exemptions that apply to you (typically based upon the size of the licensee, its year-end total assets, and its gross annual revenue), so, again, be sure to check your state鈥檚 specific requirements. However, these laws generally include the following common notification components:
Notification to the insurance commissioner of the cybersecurity event (usually within three days in most states).
Notification to affected state residents without unreasonable delay.
But if you鈥檝e had a breach and determined that notice is not required (according to the state law or other authority), then typically that determination is required to be documented in writing and retained for at least five (5) years.
Notification (usually within 10 days) to a covered third-party (such as your *title insurance underwriter) when you have determined or believe that a breach occurred. *(for 海角吃瓜黑料 Title, you can contact Elyce Schweitzer, Regulatory Compliance Officer, at eschweitzer@alliantnational.com)
WEST VIRGINIA NOTIFICATION REQUIREMENTS AND CONTACT INFORMATION
Contact Information Pursuant to State Data Breach Notification Laws
W.V. Code 搂 46A-2A-101, et seq., Breach of Security of Consumer Information. *(W.V. Code 搂 46A-2A-102is the notification/reporting section).听 (Limited exemption 鈥 no reporting to Consumer Reporting Agencies is required – for those subject to GLBA, such as 海角吃瓜黑料 Title; see W.V. Code 搂 46A-2A-102(f)) 听 When breach affects > 1,000 residents, notify: *Consumer Reporting Agencies
Contact Information Pursuant to Insurance Data Security Laws (or Pursuant to Other Authority Requiring Notice to Regulator):
No Insurance Data Security Law 听 Courtesy Insurance Regulator Contact Information: Homepage for WV Office of Insurance Commissioner is Correspondence should be sent to WV Offices of the Insurance Commissioner, Attention: Market Conduct, P.O. Box 50540, Charleston, West Virginia 25305-0540 Ph: (304) 558-2100; (304) 558-6279; Fax: (304) 558-4965
