Scope of this Summary
Form of Covered Info
Encryption Safe Harbor
Timing: Must be made in the most expeditious time possible and without unreasonable delay, but not later than 45 days following discovery or notification of breach. In providing notice, covered entity should undertake reasonable measures necessary to determine sufficient contact info, determine the scope of the breach, and restore the reasonable integrity, security and confidentiality of the data.
Content: Notice must include a description of the breach in general terms, approximate date of the breach, the type of covered info subject to the breach, contact info for the covered entity, contact info for the national CRAs, and advice to report suspected identity theft to law enforcement, including the Attorney General and the FTC. If credit monitoring/ID theft protection services offered to affected resident free of charge, enrollment may not require resident to provide credit or debit card number. If additional credit mornitoring/ID theft protection services offered for a fee, offer must separately, distinctly, clearly and conspicuously disclose existence of fee.
Method: By written notice, by telephone notice (if direct contact made with resident), or electronic notice (if it’s the customary method of communication with the resident or is consistent with E-SIGN). Substitute notice is available if certain criteria are satisfied.