(a) If the number of individuals a covered entity is required to notify under Section 8-38-5 exceeds 1,000, the entity shall provide written notice of the breach to the Attorney General as expeditiously as possible and without unreasonable delay. Except as provided in subsection (c) of Section 8-38-5, the covered entity shall provide the notice within 45 days of the covered entity's receipt of notice from a third-party agent that a breach has occurred or upon the entity's determination that a breach has occurred and is reasonably likely to cause substantial harm to the individuals to whom the information relates.
(b) Written notice to the Attorney General shall include all of the following:
(1) A synopsis of the events surrounding the breach at the time that notice is provided.
(2) The approximate number of individuals in the state who were affected by the breach.
(3) Any services related to the breach being offered or scheduled to be offered, without charge, by the covered entity to individuals and instructions on how to use the services.
(4) The name, address, telephone number, and email address of the employee or agent of the covered entity from whom additional information may be obtained about the breach.
(c) A covered entity may provide the Attorney General with supplemental or updated information regarding a breach at any time.
(d) Information marked as confidential that is obtained by the Attorney General under this section is not subject to any open records, freedom of information, or other public record disclosure law.