(a) If a covered entity determines that a breach of security has or may have occurred in relation to sensitive personally identifying information that is accessed, acquired, maintained, stored, utilized, or communicated by, or on behalf of, the covered entity, the covered entity shall conduct a good faith and prompt investigation that includes all of the following:
(1) An assessment of the nature and scope of the breach.
(2) Identification of any sensitive personally identifying information that may have been involved in the breach and the identity of any individuals to whom that information relates.
(3) A determination of whether the sensitive personally identifying information has been acquired or is reasonably believed to have been acquired by an unauthorized person, and is reasonably likely to cause substantial harm to the individuals to whom the information relates.
(4) Identification and implementation of measures to restore the security and confidentiality of the systems compromised in the breach.
(b) In determining whether sensitive personally identifying information has been acquired or is reasonably believed to have been acquired by an unauthorized person without valid authorization, the following factors may be considered:
(1) Indications that the information is in the physical possession and control of a person without valid authorization, such as a lost or stolen computer or other device containing information.
(2) Indications that the information has been downloaded or copied.
(3) Indications that the information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported.
(4) Whether the information has been made public.