(a) A covered entity that is not a third-party agent that determines under Section 8-38-4 that, as a result of a breach of security, sensitive personally identifying information has been acquired or is reasonably believed to have been acquired by an unauthorized person, and is reasonably likely to cause substantial harm to the individuals to whom the information relates, shall give notice of the breach to each individual.
(b) Notice to individuals under subsection (a) shall be made as expeditiously as possible and without unreasonable delay, taking into account the time necessary to allow the covered entity to conduct an investigation in accordance with Section 8-38-4. Except as provided in subsection (c), the covered entity shall provide notice within 45 days of the covered entity's receipt of notice from a third-party agent that a breach has occurred or upon the covered entity's determination that a breach has occurred and is reasonably likely to cause substantial harm to the individuals to whom the information relates.
(c) If a federal or state law enforcement agency determines that notice to individuals required under this section would interfere with a criminal investigation or national security, the notice shall be delayed upon the receipt of written request of the law enforcement agency for a period that the law enforcement agency determines is necessary. A law enforcement agency, by a subsequent written request, may revoke the delay as of a specified date or extend the period set forth in the original request made under this section if further delay is necessary.
(d) Except as provided by subsection (e), notice to an affected individual under this section shall be given in writing, sent to the mailing address of the individual in the records of the covered entity, or by email notice sent to the email address of the individual in the records of the covered entity. The notice shall include, at a minimum, all of the following:
(1) The date, estimated date, or estimated date range of the breach.
(2) A description of the sensitive personally identifying information that was acquired by an unauthorized person as part of the breach.
(3) A general description of the actions taken by a covered entity to restore the security and confidentiality of the personal information involved in the breach.
(4) A general description of steps an affected individual can take to protect himself or herself from identity theft.
(5) Information that the individual can use to contact the covered entity to inquire about the breach.
(e)(1) A covered entity required to provide notice to any individual under this section may provide substitute notice in lieu of direct notice, if direct notice is not feasible due to any of the following:
a. Excessive cost. The term includes either of the following:
1. Excessive cost to the covered entity relative to the resources of the covered entity.
2. The cost to the covered entity exceeds five hundred thousand dollars ($500,000).
b. Lack of sufficient contact information for the individual required to be notified.
c. The affected individuals exceed 100,000 persons.
(2) a. Substitute notice shall include both of the following:
1. A conspicuous notice on the Internet website of the covered entity, if the covered entity maintains a website, for a period of 30 days.
2. Notice in print and in broadcast media, including major media in urban and rural areas where the affected individuals reside.
b. An alternative form of substitute notice may be used with the approval of the Attorney General.
(f) If a covered entity determines that notice is not required under this section, the entity shall document the determination in writing and maintain records concerning the determination for no less than five years.