Cyber Attack: United Airlines, WSJ, NYSE … Oh My!!

Jul 9, 2015 Lazarus Alliance 0 Comment

Cyber Attack: United Airlines, WSJ, NYSE … Oh My!!

While United Airlines grounded their entire fleet and the Wall Street Journal was off-line and the New York Stock Exchange could not conduct trading yesterday for an extended period of time, they all have stated that they were not under a cyber attack.

We do not believe in coincidences!

Apparently we are not alone with this cyber attack sentiment. The Phoenix Business Journal conducted an engaging cyber attack conversation with us about it.

Computer network problems and outages brought the New York Stock Exchange to a halt, temporarily grounded United Airlines flights and took down The Wall Street Journal’s website Wednesday.

While none of the affected businesses blamed the problems on cyber attack by Russian, North Korean, Chinese or ISIS hackers, their troubles show the vulnerability and potential minefields for U.S. computer and communications networks.

Businesses, large and small, as well as consumers are dependent on communications systems and computer networks in their day-to-day lives.
If technical glitches can halt NYSE trading on Wall Street and force United to ground and delay flights, think of what they can do to Main Street businesses, startups and personal lives.

United Airlines’ troubles adversely impacted a couple dozen flights at Phoenix Sky Harbor International Airport today, according to FlightAware.com. Chicago, New York, Atlanta and Los Angeles had major delays.

A cybersecurity expert suspects today’s problems may stem from malware contracted from a third-party vendor rather than from nefarious hackers invading U.S. business systems from a dark room in Moscow, Pyongyang or Shanghai. “If you look at all the cyber attacks in the last 12 months, 100 percent of their breaches happened due to human interaction on third party networks,” said Michael Peters, CEO of Lazarus Alliance, a cybersecurity company:. “Employees of a third party company will download malware and forward it to a company, allowing cyber attacks.”

United officials blamed router problems on their network problems. “An attack can certainly happen through a router,” said Peters. “A router isn’t any different from network devices, they follow all the same rules. So a cyber attack can happen when a router is hacked and traffic is rerouted.”
Peters explained that routers are like highways, controlling network traffic. When cyber attacks happen, hackers can “reroute” traffic and effectively send data to other locations where it can be forwarded to another location.

Peters said most companies who are hacked, even large organizations, don’t have proactive measures in place, leaving them vulnerable.

Glowing Neon malware sign on a digital projection background.

What Is Autonomous Malware?

We’re reaching the end of 2025, and looking ahead to 2026, most experts are discussing the latest threats that will shape the year ahead. This year, we’re seeing a new, but not unexpected, shift to autonomous threats driven by state-sponsored actors and AI. With that in mind, a new generation of threats, broadly known as...Continue reading→

Stay ahead of federal and industry security alerts with Lazarus Alliance. Featured

What CISA’s Emergency Directive 26-01 Means for Everyone

In mid-October 2025, the CISA issued one of its most urgent orders yet: Emergency Directive 26-01. The directive calls on all Federal Civilian Executive Branch (FCEB) agencies to immediately mitigate vulnerabilities in devices from F5 Networks following a state-sponsored breach of F5’s systems and access to portions of BIG-IP source code and vulnerability data. The event...Continue reading→

Make sure that your software is secure with or without AI. Trust Lazarus Alliance. featured

Cybersecurity and Vetting AI-Powered Tools

A recent exploit involving a new AI-focused browser shone a light on a critical problem–namely, that browser security is a constant issue, and AI is just making that threat more pronounced. Attackers discovered a way to use that browser’s memory features to implant hidden instructions inside an AI assistant. Once stored, those instructions triggered unwanted...Continue reading→

Manage identity security and compliance with a trusted partner in Lazarus Alliance. featured

Identity and the Shift from Malware

The world of cyber threats is rapidly evolving, and while we can see these changes more generally, it’s always crucial to understand them concretely. As the 2025 CrowdStrike Global Threat Report shows us, the landscape of our industry is changing. We’re digging into this report to discuss a challenging trend: the move of hackers foregoing...Continue reading→

Harden security against new AI attack surfaces. Work with Lazarus Alliance. featured

Maintaining Compliance Against Prompt Injection Attacks

The increasing adoption of AI by businesses introduces security risks that current cybersecurity frameworks are not prepared to address. A particularly complex emerging threat is prompt injection attacks. These attacks manipulate the integrity of large language models and other AI systems, potentially compromising security protocols and legal compliance. Organizations adopting AI must have a plan...Continue reading→

Stay ahead of CMMC changes with Lazarus Alliance. Featured

Are We Already Talking About CMMC 3.0?

The ink has barely dried on the CMMC final rule, and already the defense contracting community is buzzing with speculation about what comes next. Just when contractors thought they had a moment to catch their breath after years of regulatory limbo, whispers of CMMC 3.0 have begun circulating through the industry. But is this just...Continue reading→

Lazarus Alliance helps enterprises manage identity security and data governance.

Centralizing Identity-Based Risk

As the traditional network boundary dissolves and remote work becomes standard practice, identities are the major frontier for security. Whether we’re talking about human users, service accounts, or machine identities, these have emerged as both the primary access mechanism and the most targeted attack vector. It has become imperative for providers to centralize identity management...Continue reading→

FedRAMP Authorization assessments from Lazarus Alliance. featured

Deviation and Significant Change Requests in FedRAMP: A Comprehensive Guide

FedRAMP provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services used by federal agencies. While the program’s rigorous baseline requirements ensure consistent security, the reality is that this consistency calls for a little flexibility. This is where deviation requests and significant change requests come into play. These two...Continue reading→

Get expert monitoring and security support with Lazarus Alliance featured

The Costs of Compliance and Data Breaches

Data is possibly one of the most valuable assets any organization holds. Customer information, employee records, and proprietary business intelligence present challenges because the data flowing through modern enterprises represents both significant opportunities and serious risks. Businesses face a challenging balance: investing in compliance measures to protect sensitive information while also preparing for the real...Continue reading→

The Proverbial Identity Theft Bus Will Run You Over!

Jun 25, 2015 Lazarus Alliance 0 Comment

The Proverbial Identity Theft Bus Will Run You Over!

Think about a time when you had a single credit card lost or stolen and how much of a pain that experience was. Now imagine if your entire wallet was lost or stolen and the exponential magnitude of pain in the patootie that would be for you.

If you are a subscriber to identity theft protection disservice providers, they are the custodians of a subscriber’s (this means you!) entire portfolio of financial account information, credit cards numbers, current and former address history, family names, social security number, power of attorney and everything else you care to chuck into their systems. To make matters worse, you can now add web site account user names and passwords.

What you now have is a cornucopia of identity theft and cyber criminal fun all in one place, neatly packaged up for hackers in one convenient location. Referring back to my wallet analogy, the database entrusted to these identity theft protection disservice providers is bigger than your wallet; it’s now your entire financial and personal history.

Not only are these providers reckless, they are incompetent from a cybersecurity and consumer protection perspective. Further proof that you are precariously about to be swinging in the wind is to only look as far as their advertisements and marketing campaigns. They seem to think that it makes great advertising to ridicule Russian hackers or other cyber criminals portrayed as troglodytes.

When you poke a stick into a hornets’ nest, eventually you are going to get stung. In doing so, these identity theft protection disservice providers risk the subscribers mother lode of personal identity data for the sake of theatrics. You may recall a rather stupid marketing stunt by a CEO with a bullhorn shouting his social security number out. He could not prevent his own identity from being stolen 12+ times and counting. How can they protect subscribers?

Now comes a bigger consumer problem that would add insult to injury. Have you ever looked at the policy acknowledgement for your financial institution? I’ll share some current language to Chase which states:

“We may at our option change the parameters for the password used to access the Online Service (“Password”) without prior notice to you, and if we do so, you will be required to change your password the next time you access the Online Service. To prevent unauthorized access to your accounts and to prevent unauthorized use of the Online Service, you agree to protect and keep confidential your Card number, account number, PIN, User ID, Password, or other means of accessing your accounts via the Online Service. The loss, theft, or unauthorized use of your Card numbers, account numbers, PINs, User IDs, and Passwords could cause you to lose some or all of the money in your accounts, plus any amount available under your overdraft protection credit line, or draws on your credit card account. It could also permit unauthorized persons to gain access to your sensitive personal and account information and to use that information for fraudulent purposes, including identity theft. If you disclose your Card numbers, account numbers, PINs, User IDs, and/or Passwords to any person(s) or entity, you assume all risks and losses associated with such disclosure. If you permit any other person(s) or entity, including any data aggregation service providers, to use the Online Service or to access or use your Card numbers, account numbers, PINs, User IDs, Passwords, or other means to access your accounts, you are responsible for any transactions and activities performed from your accounts and for any use of your personal and account information by such person(s) or entity. If you believe someone may attempt to use or has used the Online Service without your permission, or that any other unauthorized use or security breach has occurred, you agree to immediately notify us at 1-877-242-7372, (J.P. Morgan Online clients only, call 866-265-1727 or 302-634-5115 for international clients).”

Here is another from Wells Fargo which states the same:

“You are responsible for protecting your password and account information by not disclosing your personal account information to others (including your ATM PIN, online username, and password).”

I can’t help but see the proverbial bus that will run over consumers when an identity theft protection disservice provider is breached. Consumers will look to their banks for assistance and the banks will refuse to cover the damages. It’s not due to consumer negligence. It’s due to custodian negligence and deceptive business practices of these identity theft protection disservice providers.

Look before you leap!

Lazarus Alliance is Proactive Cybersecurity®

What Is Autonomous Malware?

We’re reaching the end of 2025, and looking ahead to 2026, most experts are discussing the latest threats that will shape the year ahead. This year, we’re seeing a new, but not unexpected, shift to autonomous threats driven by state-sponsored actors and AI. With that in mind, a new generation of threats, broadly known as...Continue reading→

What CISA’s Emergency Directive 26-01 Means for Everyone

In mid-October 2025, the CISA issued one of its most urgent orders yet: Emergency Directive 26-01. The directive calls on all Federal Civilian Executive Branch (FCEB) agencies to immediately mitigate vulnerabilities in devices from F5 Networks following a state-sponsored breach of F5’s systems and access to portions of BIG-IP source code and vulnerability data. The event...Continue reading→

Cybersecurity and Vetting AI-Powered Tools

A recent exploit involving a new AI-focused browser shone a light on a critical problem–namely, that browser security is a constant issue, and AI is just making that threat more pronounced. Attackers discovered a way to use that browser’s memory features to implant hidden instructions inside an AI assistant. Once stored, those instructions triggered unwanted...Continue reading→

Identity and the Shift from Malware

The world of cyber threats is rapidly evolving, and while we can see these changes more generally, it’s always crucial to understand them concretely. As the 2025 CrowdStrike Global Threat Report shows us, the landscape of our industry is changing. We’re digging into this report to discuss a challenging trend: the move of hackers foregoing...Continue reading→

Maintaining Compliance Against Prompt Injection Attacks

The increasing adoption of AI by businesses introduces security risks that current cybersecurity frameworks are not prepared to address. A particularly complex emerging threat is prompt injection attacks. These attacks manipulate the integrity of large language models and other AI systems, potentially compromising security protocols and legal compliance. Organizations adopting AI must have a plan...Continue reading→

Are We Already Talking About CMMC 3.0?

The ink has barely dried on the CMMC final rule, and already the defense contracting community is buzzing with speculation about what comes next. Just when contractors thought they had a moment to catch their breath after years of regulatory limbo, whispers of CMMC 3.0 have begun circulating through the industry. But is this just...Continue reading→

Centralizing Identity-Based Risk

As the traditional network boundary dissolves and remote work becomes standard practice, identities are the major frontier for security. Whether we’re talking about human users, service accounts, or machine identities, these have emerged as both the primary access mechanism and the most targeted attack vector. It has become imperative for providers to centralize identity management...Continue reading→

Deviation and Significant Change Requests in FedRAMP: A Comprehensive Guide

FedRAMP provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services used by federal agencies. While the program’s rigorous baseline requirements ensure consistent security, the reality is that this consistency calls for a little flexibility. This is where deviation requests and significant change requests come into play. These two...Continue reading→

The Costs of Compliance and Data Breaches

Data is possibly one of the most valuable assets any organization holds. Customer information, employee records, and proprietary business intelligence present challenges because the data flowing through modern enterprises represents both significant opportunities and serious risks. Businesses face a challenging balance: investing in compliance measures to protect sensitive information while also preparing for the real...Continue reading→

Clients Policies & Governance Services Your Personal CXO

2015 State-by-State Data Breach Charts

Jun 7, 2015 Lazarus Alliance 0 Comment

2015 State-by-State Data Breach Charts

The following standard definitions of Personal Information and Breach of Security (based on the definition commonly used by most states) are used for ease of reference, and any variations from the common definition are noted:

Personal Information: An individual’s first name or first initial and last name plus one or more of the following data elements: (i) Social Security number, (ii) driver’s license number or state- issued ID card number, (iii) account number, credit card number or debit card number combined with any security code, access code, PIN or password needed to access an account and generally applies to computerized data that includes personal information. Personal Information shall not include publicly available information that is lawfully made available to the general public from federal, state or local government records, or widely distributed media. In addition, Personal Information shall not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

Breach of Security: The unlawful and unauthorized acquisition of personal information that compromises the security, confidentiality, or integrity of personal information.

Please note that the following summary of state data breach statutes are not intended to be and should not be used as a substitute for reviewing the statutory language, nor do they constitute legal advice.

States In Which Definition for “Personal Information” is Broader Than the General Definition
States That Trigger Notification by Access
States That Require a Risk of Harm Analysis
States That Require Notice to Attorney General or State Agency
States That Require Notification Within a Specific Time Frame
States That Permit a Private Cause of Action
States With an Encryption Safe Harbor
States Where the Statute is Triggered By a Breach of Security in Electronic and/or Paper

States in Which Definition for “Personal Information” is Broader than the General Definition
Alaska	Personal Information of Alaska residents. In addition: passwords, personal identification numbers, or other access codes for financial accounts.
Arkansas	Personal Information of Arkansas residents. In addition: medical information.
California	General Breach Notification Statute: Personal Information of California residents. In addition: a username or email address, in combination with a password or security question and answer that would permit access to an online account; medical information and health insurance information.Medical Information Specific Breach Notification Statute: For clinics, health facilities, home health agencies, and hospices licensed pursuant to sections 1204, 1250, 1725, or 1745 of the California Health and Safety Code, the state’s Medical Information Breach Notification statute may apply. The statute applies to patients’ medical information. “Medical information” means any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient’s medical history, mental or physical condition, or treatment. “Individually identifiable” means that the medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the patient’s name, address, electronic mail address, telephone number, or Social Security number, or other information that, alone or in combination with other publicly available information, reveals the individual’s identity.
Florida	Personal Information means either of the following:a. An individual’s first name or first initial and last name in combination with any one or more of the following data elements for that individual: (i) a social security number; (ii) a driver license or identification card number, passport number, military identification number, or other similar number issued on a government document used to verify identity; (iii) a financial account number or credit or debit card number, in combination with any required security code, access code, or password that is necessary to permit access to an individual’s financial account; (iv) any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; or (v) an individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual. b. A user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account.
Georgia	Personal Information of Georgia residents. In addition: a password and any of the data elements not in connection with the name if any of the other data elements alone would be sufficient to perform or attempt to perform identity theft against the person whose information was compromised.
Iowa	Personal Information of Iowa residents. In addition: a unique electronic identifier or routing code, in combination with any required security code, access code, or password that would permit access to an individual’s financial account; unique biometric data, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data.

Kansas	Personal Information of Kansas residents. In addition: an account number or credit card/debit card number, alone or in combination with any required security code, access code or password that would permit access to a consumer’s financial account.
Maine	Personal Information of Maine residents. In addition: a password, if any of the other data elements alone would be sufficient to permit a person to fraudulently assume or attempt to assume the identity of the person whose information was compromised.
Maryland	Personal Information of Maryland residents. In addition: an individual Taxpayer Identification Number.
Massachusetts	Personal Information of Massachusetts residents. In addition: financial account information with or without password or security code information. This includes non-electronic personal information.
Missouri	Personal Information of Missouri residents. In addition: a unique electronic identifier or routing code in combination with required security code, access code, or password that would permit access to an individual’s financial account; medical and health insurance information, including an individual’s medical history, mental or physical condition, treatment or diagnosis, health insurance policy number and any other unique identifier used by a health insurer.
Nebraska	Personal Information of Nebraska residents. In addition: a unique electronic identification number or routing code, in combination with any required security code, access code, or password; or unique biometric data, such as finger print, voice print, or retina or iris image, or other unique physical representation.
New Hampshire	Medical Information Unauthorized Disclosure Notification Statute: For persons, corporations, facilities, or institutions either licensed in New Hampshire or otherwise lawfully providing health care services, the state’s Medical Information Unauthorized Disclosure Notification statute may apply. The statute applies to protected medical information from §§262 and 264 of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (codified at 42U.S.C. § 300gg and 29 U.S.C § 1181 et seq. and 42 USC 1320d et seq. (2010)).
New Jersey	Personal Information of New Jersey residents. In addition: dissociated data that, if linked, would constitute personal information is personal information if the means to link the dissociated data were accessed in connection with access to the dissociated data.
New York	The law applies to “private information,” which means personal information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person, in combination with any one or more of the following data elements:(1) Social Security number; (2) driver’s license number or non-driver identification card number; or (3) account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account. The law statute covers “private information,” which is personal information consisting of any information in combination with any one or more of the following data elements: (1) social security number; (2) driver’s license number or non-driver identification card number; or (3) account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

	“Personal information” means any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person.Private information does not include publicly available information which is lawfully made available to the general public from federal, state, or local government records.
North Carolina	A person’s first name or initial and last name, in combination with any one or more of the following:(1) Social Security number; (2) driver’s license or State ID number; (3) account number, credit or debit card number, in combination with security or access codes or passwords to an individual’s financial account; (4) biometric data; (5) finger prints; (6) other information that would permit access to a person’s financial account or resources. Personal Information does not include electronic identification numbers, electronic mail names or addresses, Internet account numbers, Internet identification names, parents’ legal surname prior to marriage, or a password unless this information would permit access to a person’s financial account or resources.
North Dakota	“Personal information” means an individual’s first name or first initial and last name in combination with any of the following data elements, when the name and the data elements are not encrypted:(1) the individual’s social security number; (2) the operator’s license number assigned to an individual by the department of transportation; (3) a nondriver color photo identification card number assigned to the individual by the department of transportation; (4) the individual’s financial institution account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial accounts; (5) the individual’s date of birth; (6) the maiden name of the individual’s mother; (7) medical information; (8) health insurance information; (9) an identification number assigned to the individual by the individual’s employer; or (10) e individual’s digitized or other electronic signature.
Ohio	Personal Information of Ohio residents, excluding publicly available information that is lawfully available to the general public from federal, state, or local government records or any of the following media that are widely distributed:1) any news or editorial advertising statement published in any bona fide newspaper, journal, or magazine, or broadcast over radio or television; 2) any gathering or furnishing of information or news by any bona fide reporter, correspondent, or news bureau to news media; 3) any publication designed for and distributed to members of any bona fide associations or charitable or fraternal nonprofit corporation;

	4) any type of media similar in nature to any item, entity, or activity identified above.
Oregon	A consumer’s first name or first initial and last name in combination with any one or more of the following data elements when the data elements are not rendered unusable through encryption, redaction or other methods, or when the data elements are encrypted and the encryption key has also been acquired:(1) Social Security number; driver license number or state identification card number issued by the Department of Transportation; (2) passport number or other United States issued identification number; or (3) financial account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to a consumer’s financial account. Personal information also includes any of the data elements or any combination of the data elements described above when not combined with the consumer’s first name or first initial and last name and when the data elements are not rendered unusable through encryption, redaction or other methods, if the information obtained would be sufficient to permit a person to commit identity theft against the consumer whose information was compromised. Personal information DOES NOT include information, other than a Social Security number, in a federal, state or local government record that is lawfully made available to the public.
South Carolina	Personal Information of South Carolina residents. ddition: other numbers or information which may be used to access a person’s financial accounts or numbers or information issued by a governmental or regulatory entity that uniquely will identify an individual.
Texas	The statute applies to “Sensitive personal information”, which includes Personal Information of Texas residents. In addition: information that identifies an individual and relates to:1) the physical or mental health or condition of the individual; 2) the provision of health care to the individual; or 3) payment for the provision of health care to the individual.
Vermont	“Personally identifiable information” of Vermont residents, which means an individual’s first name or first initial and last name in combination with any one or more of the following data elements when either the name or the data elements are not encrypted, redacted, or otherwise protected:(i) Social Security number; (ii) motor vehicle operator’s license number or non-driver identification card number; (iii) financial account number or credit or debit card number, if circumstances exist in which the number could be used without additional identifying information, access codes, or passwords; (iv) account passwords or personal identification numbers or other access codes for a financial account.
Virginia	Personal Information Breach Notification Statute: Personal Information of Virginia residents. In addition: medical information.Medical Information Breach Notification Statute: For an authority, board, bureau, commission, district or agency of the state or of any political subdivision of the state, or agencies in the state supported wholly or principally

	by public funds, the state’s Medical Information Breach Notification statute may apply. The statute applies to Medical information.“Medical information” means the first name or first initial and last name with any of the following elements: (1) any information regarding an individual’s medical or mental health history, mental or physical condition, or medical treatment or diagnosis by a health care professional; or (2) an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.
Wisconsin	An individual’s last name and the individual’s first name or first initial, in combination with and linked to any of the following elements, if the element is not publicly available information and is not encrypted, redacted, or altered in a manner that renders the element unreadable:(1) the individual’s Social Security number; (2) the individual’s driver’s license number or state identification number; (3) the number of the individual’s financial account number, including a credit or debit card account number, or any security code, access code, or password that would permit access to the individual’s financial account; (4) DNA profile; (5) the individual’s unique biometric data, including fingerprint, voice print, retina or iris image, or any other unique physical representation.
Wyoming	“Personal identifying information”, which includes the first name or first initial and last name of a person in combination with one or more of the following data elements when either the name or the data elements are not redacted:(A) Social Security number; (B) driver’s license number or Wyoming identification card number; (C) account number, credit card number or debit card number in combination with any security code, access code or password that would allow access to a financial account of the person; (D) tribal identification card; or (E) federal or state government issued identification card.
District of Columbia	A person’s first name or first initial and last name, or phone number, or address, in combination with one of the following:(1) Social Security number; (2) driver’s license number or District of Columbia Identification Card number (3) credit card number or debit card number; or any other number or code or combination of numbers or codes, such as account number, security code, access code, or password, that allows access to or use of an individual’s financial or credit account.
Puerto Rico	At least the name or first initial and the surname of a person, together with any of the following data so that an association may be established between certain information with another and in which the information is legible enough so that in order to access it there is no need to use a special cryptographic code:(1) Social Security number; (2) driver’s license number, voter’s identification or other official identification; (3) bank or financial account numbers of any type with or without passwords or access code that may have been assigned; (4) names of users and passwords or access codes to public or private information systems; medical information protected by the HIPAA; tax information; work-related evaluations.

States that Trigger Notification by Access
Connecticut	“Breach of security” means unauthorized access to or unauthorized acquisition of electronic files, media, databases, or computerized data containing personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable.
New Jersey	“Breach of security” means unauthorized access to electronic files, media or data containing personal information that compromises the security, confidentiality or integrity of personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable.
Puerto Rico	“Violation of the system’s security” means any situation in which it is detected that access has been permitted to unauthorized persons or entities to the data files so that the security, confidentiality or integrity of the information in the data bank has been compromised; or when normally authorized persons or entities have had access and it is known or there is reasonable suspicion that they have violated the professional confidentiality or obtained authorization under false representation with the intention of making illegal use of the information. This includes both access to the data banks through the system and physical access to the recording media that contain the same and any removal or undue retrieval of said recordings.

States That Require a Risk of Harm Analysis in Determining When Notification is Triggered
Alaska	Notice is not required if, after an investigation and written notice to the Attorney General, the entity determines that there is not a reasonable likelihood that harm to the consumers has or will result. The determination must be documented in writing and maintained for five years.
Arizona	Notice is not required if the breach does not materially compromise the security of the personal information maintained or if the entity or a law enforcement agency, after a reasonable investigation, determines that a breach of the security of the system has not occurred or is not reasonably likely to occur.
Arkansas	Notification under this section is not required if, after a reasonable investigation, the person or business determines that there is no reasonable likelihood of harm to customers.
Colorado	Notification is not required if after a good-faith, prompt and reasonable investigation, the entity determines that misuse of personal information about a Colorado resident has not occurred and is not likely to occur.
Connecticut	Notification is not required if, after a reasonable investigation and consultation with relevant law enforcement agencies, it is determined that there is no reasonable likelihood of harm to customers.

Delaware	Notification is only required if an investigation determines that the misuse of information about a Delaware resident has occurred or is reasonably likely to occur.
Florida	Notice to the affected individuals is not required if, after an appropriate investigation and consultation with relevant federal, state, or local law enforcement agencies, the covered entity reasonably determines that the breach has not and will not likely result in identity theft or any other financial harm to the individuals whose personal information has been accessed. Such a determination must be documented in writing and maintained for at least 5 years.
Hawaii	Notification is not required if the entity determines after a reasonable investigation that there is no reasonable likelihood of harm.
Idaho	Notification required if the security, confidentiality, or integrity of the personal information for one or more persons is materially compromised and an investigation determines that the misuse of information about an Idaho resident has occurred or is reasonably likely to occur.
Indiana	Notification required if the database owner knows, should know, or should have known that the unauthorized acquisition constituting the breach has resulted in or could result in identity deception, identity theft, or fraud affecting the Indiana resident.
Iowa	Notification is not required if, after an appropriate investigation or after consultation with the relevant federal, state, or local agencies responsible for law enforcement, the person determined that no reasonable likelihood of financial harm to the consumers whose personal information has been acquired has resulted or will result from the breach. Such a determination must be documented in writing and the documentation must be maintained for five years.
Kansas	Any entity to which the statute applies shall, when it becomes aware of any breach of the security of the system, conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused. If the investigation determines that the misuse of information has occurred or is reasonably likely to occur, the person or government, governmental subdivision or agency shall give notice as soon as possible to the affected Kansas resident.
Kentucky	Notification is required if the unauthorized acquisition of unencrypted and unredacted computerized data that compromises the security, confidentiality, or integrity of personally identifiable information maintained by the information holder as part of a database regarding multiple individuals actually causes or leads the information holder to reasonably believe has caused or will cause identity theft or fraud against any Kentucky resident.
Louisiana	Notification is not required if after reasonable investigation the person or business determines that there is no reasonable likelihood of harm to customers.
Maine	Notification is not required if after conducting a good-faith, reasonable and prompt investigation, the entity determines that there is not a reasonable likelihood that the personal information has been or will be misused.
Maryland	Notification is not required if after a good-faith, reasonable and prompt investigation the entity determines that the personal information of the individual was not and will not be misused as a result of the breach. If after the investigation is concluded, the entity determines that notification is not required, the entity shall maintain records that reflect its determination for three years after the determination is made.

Massachusetts	The breach must create a substantial risk of identity theft or fraud against a resident of the commonwealth or when the person or agency knows or has reason to know that the personal information of such resident was acquired or used by an unauthorized person or used for an unauthorized purpose.
Michigan	The person or agency does not have to provide notice if the person or agency determines that the security breach has not or is not likely to cause substantial loss or injury to, or result in identity theft with respect to, one or more residents of Michigan. In making this determination, a person or agency shall act with the care an ordinarily prudent person or agency in like position would exercise under similar circumstances.
Mississippi	Notification is not required if, after an appropriate investigation, the person reasonably determines that the breach will not likely result in harm to the affected individuals.
Missouri	Notification is not required if, after an appropriate investigation by the person or after consultation with the relevant federal, state, or local agencies responsible for law enforcement, the person determines that a risk of identity theft or other fraud to any consumer is not reasonably likely to occur as a result of the breach. Such a determination shall be documented in writing and the documentation shall be maintained for five years.
Montana	Notification required if the unauthorized acquisition of computerized data materially compromises the security, confidentiality, or integrity of personal information and causes or is reasonably believed to cause loss or injury to a Montana resident.
Nebraska	If the investigation determines that the use of information about a Nebraska resident for an unauthorized purpose has occurred or is reasonably likely to occur, the individual or commercial entity shall give notice to the affected Nebraska resident.
Nevada	Notification is required if the unauthorized acquisition of computerized data materially compromises the security, confidentiality, or integrity of personal information maintained by the data collector.
New Hampshire	For Personal Information Breach Notification Statute: Notification is not required if it is determined that misuse of the information has not occurred and is not reasonably likely to occur.
New Jersey	Notification is not required if the business or public entity establishes that misuse of the information is not reasonably possible (must retain a record of this decision for five years).
New York	In determining whether information has been acquired, or is reasonably believed to have been acquired, by an unauthorized person or a person without valid authorization, such business may consider the following factors, among others:(1) indications that the information is in the physical possession and control of an unauthorized person, such as a lost or stolen computer or other device containing information; or (2) indications that the information has been downloaded or copied; or (3) indications that the information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported.

North Carolina	Notification not required if a breach does not result in illegal use of personal information, is not reasonably likely to result in illegal use, or there is no material risk of harm to a consumer.
Ohio	Notification required only if the access and acquisition by the unauthorized person causes or reasonably is believed will cause a material risk of identity theft or other fraud to the resident.
Oklahoma	Notification required if the breach causes, or the individual or entity reasonably believes has caused or will cause, identity theft or other fraud to any resident of this state.
Oregon	For a person that owns the data, notification is not required if, after an appropriate investigation or after consultation with relevant federal, state or local agencies responsible for law enforcement, the person determines that no reasonable likelihood of harm to the consumers whose personal information has been acquired has resulted or will result from the breach. Such a determination must be documented in writing and the documentation must be maintained for five years.
Pennsylvania	Notification required only if the access and acquisition materially compromises the security or confidentiality of personal information.
Rhode Island	Notification of a breach is not required if, after an appropriate investigation or after consultation with relevant federal, state, or local law enforcement agencies, a determination is made that the breach has not and will not likely result in a significant risk of identity theft to the individuals whose personal information has been acquired.
South Carolina	Notification required when personal identifying information that was not rendered unusable through encryption, redaction, or other methods was, or is reasonably believed to have been, acquired by an unauthorized person, and the illegal use of the information has occurred or is reasonably likely to occur or use of the information creates a material risk of harm to the resident.
Tennessee	Notification required for unauthorized acquisition of unencrypted computerized data that materially compromises the security, confidentiality, or integrity of personal information maintained by the information holder.
Utah	Notification required if misuse of personal information for identity theft or fraud purposes has occurred, or is reasonably likely to occur
Vermont	Notice of a security breach is not required if the data collector establishes that misuse of personal information is not reasonably possible and the data collector provides notice of the determination and a detailed explanation for said determination to the Vermont attorney general or to the department of banking, insurance, securities, and health care administration. If the data collector later gathers facts to indicate that the misuse of personal information is reasonably possible, then notice is required.
Virginia	Notification required if the entity reasonably believes that such a breach has caused or will cause identity theft or other fraud to any resident of the Commonwealth.
Washington	A person, business, or agency shall not be required to disclose a technical breach of the security system that does not seem reasonably likely to subject customers to a risk of criminal activity.
West Virginia	Notification required only if the individual or entity reasonably believes the breach has caused or will cause identity theft or other fraud to any resident of this State.

Wisconsin

Notification is not required if the acquisition of personal information does not create a material risk of identity theft or fraud to the subject of the personal information.

Wyoming

Notification is required when unauthorized acquisition of computerized data materially compromises the security, confidentiality or integrity of personal identifying information maintained by a person or business and causes or is reasonably believed to cause loss or injury to a resident of this state.Residents must be notified of a breach of the security of the system when, after a good faith, reasonable, and prompt investigation, the individual or commercial entity determines that the misuse of personal identifying information about the residents has occurred or is reasonably likely to occur.

States that Require Notice to Attorney General or State Agency
Alaska	If an entity determines after an investigation that the breach does not create a reasonable likelihood that harm to the consumers has or will result, it must document this determination and provide notice of the determination to the Attorney General.
California	General Breach Notification Statute: Any person who notifies more than 500 California residents as a result of a single breach must electronically submit a single sample copy of the notification letter to the Attorney General.Medical Information Specific Breach Notification Statute: The California Department of Health Services must be notified no later than 5 business days (15 business days effective Jan. 1, 2015) after the unauthorized access, use, or disclosure has been detected by the licensee.
Connecticut	If notice of a breach of security is required to be provided to affected individuals, the person must also provide notice of the breach to the Attorney General not later than the time when notice is provided to residents.Pursuant to Bulletin IC-25 (Aug. 18, 2010), all licensees and registrants of the Connecticut Insurance Department are required to notify the Department of any information security incident which affects any Connecticut residents as soon as the incident is identified, but no later than five calendar days after the incident is identified.
Florida	A covered entity shall provide notice to the Florida Attorney General’s Office of any breach of security affecting 500 or more Florida residents. Such notice shall be provided as expeditiously as practicable, but no later than 30 days after determination of the breach or reason to believe a breach has occurred.
Hawaii	If the breach involves over 1000 persons, the Hawaii Office of Consumer Protection must be notified of the timing, content and distribution of the notice.
Idaho	If the entity is a public agency, it must notify the Attorney General within 24 hours of discovery.The agency must also report a security breach to the Office of the Chief Information Officer within the Department of Administration, pursuant to the Information Technology Resource Management Council policies.

Illinois	Any state agency that collects personal information and has had a breach of security of the system data or written material shall submit a report within five business days of the discovery or notification of the breach to the General Assembly listing the breaches and outlining any corrective measures that have been taken to prevent future breaches of the security of the system data or written material. Any agency that has submitted a report under the statute shall submit an annual report listing all breaches of security of the system data or written materials and the corrective measures that have been taken to prevent future breaches.
Indiana	The Attorney General must be notified regarding a breach.
Iowa	For a breach of security requiring notification of 500 or more Iowa residents pursuant to Iowa law, written notification must be provided to the director of the consumer protection division of the Iowa Attorney General within five business days of notifying any Iowa residents regarding the breach. (Effective July 1, 2014)
Louisiana	When notice must be given to Louisiana citizens, the entity must provide written notice detailing the breach of the security of the system to the Consumer Protection Section of the Attorney General’s office. Notice shall include names of all Louisiana citizens affected. Notice to the state Attorney General shall be timely if received within 10 days of the distribution of notice to LA citizens. Each day notice is not received by the state Attorney General shall be deemed a separate violation.
Maine	The Attorney General or Department of Professional and Financial Regulation if the entity is governed by that body must be notified regarding a breach.
Maryland	The Attorney General must be notified prior to notification of individuals.
Massachusetts	The Attorney General, Director of Consumer Affairs and Business Regulation, must be notified regarding a breach. Upon receipt of notice, the Director of Consumer Affairs and Business Regulation will identify any relevant Consumer Reporting Agency or state agency that needs to be notified to the notifying party.
Missouri	If 1,000 or more persons are affected, then the Attorney General must be notified regarding the timing, distribution and content of notice to individuals.
New Hampshire	A person engaged in trade or commerce shall notify the regulator which has primary regulatory authority over such trade or commerce. All other persons shall notify the Attorney General’s office. Notice to the Attorney General’s office must include the anticipated date of the notice to the individuals and the approximate number of individuals in the state who will be notified. The names of the individuals entitled to receive notice do not have to be disclosed.
New Jersey	The Division of State Police in the Law Department of Law and Public Safety must be notified regarding a breach prior to notifying customers.
New York	The Attorney General, Consumer Protection Board, and the state Office of Cybersecurity and Critical Infrastructure must be notified regarding a breach via form notice.
North Carolina	The Consumer Protection Division of the Attorney General’s Office must be notified of the nature of the breach, the number of consumers affected, steps taken to investigate the breach, steps taken to prevent a similar breach in the future, and information regarding the timing, distribution, and content of the notice via form notice.
Puerto Rico	The Department of Consumer Affairs must be notified regarding a breach as expeditiously as possible (within a non-extendable 10 days after the violation of the system is detected, parties shall inform the Department of Consumer Affairs, which shall make a public announcement of the fact within 24 hours of receiving information).

South Carolina

If 1,000 or more persons are affected, the Consumer Protection Division of the Department of Consumer Affairs must be notified regarding a breach.

Vermont

Once notice is made to consumers, the Attorney General must be notified of the number of Vermont consumers affected and provided a copy of the notice. A second copy of the consumer notification letter, with personally identifiable information that was subject to the breach redacted, can also be provided to the attorney general which will be used for any public disclosure of the breach.In the event a data collector provides notice to more than 1,000 consumers at one time pursuant to this section, the data collector shall notify, without unreasonable delay, all consumer reporting agencies. In notice to a consumer reporting agency, the data collector must include the timing, distribution, and content of the notices being sent to the affected consumers.

Virginia

Personal Information Breach Notification Statute: The Office of the Attorney General must be notified following discovery of a breach of personal information.In the event an individual or entity provides notice to more than 1,000 persons at one time, they must notify, without unreasonable delay, both the Office of the Attorney General and all consumer reporting agencies of the timing, distribution, and content of the notice sent to affected residents.

Medical Information Breach Notification Statute: The Office of the Attorney General and the Commissioner of Health must be notified following discovery of a breach of medical information. The entity must notify both the subject of the medical information and any affected resident of the Commonwealth, if those are not the same person.

In the event an entity provides notice to more than 1,000 persons at one time, they must notify, without unreasonable delay, the Office of the Attorney General and the Commissioner of Health of the timing, distribution, and content of the notice sent to affected individuals.

States that Require Notification within a Specific Time Frame (other than the general provision that notification must be given in the most expedient time and manner possible and without unreasonable delay, consistent with the legitimate needs of law enforcement).
California	Medical Information Specific Breach Notification Statute: For clinics, health facilities, home health agencies, and hospices licensed pursuant to sections 1204, 1250, 1725, or 1745 of the California Health and Safety Code, the state’s Medical Information Breach Notification statute may apply. The statute requires licensees to notify both affected patients and the California Department of Health Services no later than 5 business days (15 business days effective Jan. 1, 2015) after the unauthorized access, use, or disclosure has been detected by the licensee.
Connecticut	Pursuant to Bulletin IC-25 (Aug. 18, 2010), all licensees and registrants of the Connecticut Insurance Department are required to notify the Department of any information security incident which affects any Connecticut residents as soon as the incident is identified, but no later than five calendar days after the incident is identified.

Florida	Notice must be provided without unreasonable delay; no later than 30 days; law enforcement can delay notification.
Maine	If, after the completion of an investigation, notification is required under this section, the notification required by this section may be delayed for no longer than 7 business days after a law enforcement agency determines that the notification will not compromise a criminal investigation.
Ohio	Notice must be provided in the most expedient time possible but not later than 45 days following its discovery or notification of the breach in the security of the system, subject to the legitimate needs of law enforcement activities.
Vermont	Notice of the security breach to a consumer shall be made in the most expedient time possible and without unreasonable delay, but not later than 45 days after discovery.
Wisconsin	Notice shall be provided within a reasonable time, not to exceed 45 days after the entity learns of the acquisition of personal information. A determination as to reasonableness shall include consideration of the number of notices that an entity must provide and the methods of communication available to the entity.

States That Permit a Private Cause of Action
Alaska	A person injured by a breach may bring an action against a non-governmental agency under the Unfair or Deceptive Act or Practices, AS 45.50.471 – 45.50.561.
California	Any customer injured by a violation of the general breach notification statute may institute a civil action to recover damages. Any business that violates, proposes to violate, or has violated this title may be enjoined.
Louisiana	A civil action may be instituted to recover actual damages resulting from the failure to disclose in a timely manner to a person that there has been a breach of the security system resulting in the disclosure of a person’s personal information.
Maryland	Consumers may bring actions under Title 13 of the Maryland Code, the Unfair and Deceptive Trade Practices Act.
Massachusetts	Massachusetts consumers may seek damages under Chapter 93A, which allows for certain instances of treble damages.
Nevada	A private right of action exists for the data collector. A data collector that provides the requisite notice may commence an action for damages against a person that unlawfully obtained or benefited from personal information obtained from records maintained by the data collector.
New Hampshire	Persons injured as a result of a violation may bring an action for damages and for such equitable relief as the court deems necessary and proper. A prevailing plaintiff shall be awarded the costs of the suit and reasonable attorney’s fees.An aggrieved individual whose health records were wrongly disclosed may bring a civil action under RSA 332-I:4 or RSA 332-I:5 and, if successful, shall be awarded special or general damages of not less than $1,000 for each violation, and costs and reasonable legal fees.

North Carolina	Provides a private right of action only if individual is injured as a result of the violation. Damages set at a maximum of up to $5,000, per incident, and provides for treble damages within this range. Injunctive relief also available.
Oregon	Compensation can be ordered by the state upon a finding that enforcement of the rights of consumers by private civil action would be so burdensome or expensive as to be impractical.
South Carolina	A resident of SC who is injured by a violation of this section, in addition to and cumulative of all other rights and remedies available at law, may: institute a civil action to recover damages in case of a willful and knowing violation; institute a civil action to recover only actual damages resulting from a violation in case of a negligent violation; seek an injunction to enforce compliance; and recover attorney’s fees and court costs, if successful.
Tennessee	A violation under the data breach notification statute may also be a violation of the Tennessee Consumer Protection Act, which could give rise to a private cause of action.
Texas	A violation under the data breach notification statute may also be a violation of the Texas Deceptive Trade Practices Act, which could give rise to a private cause of action.
Virginia	Though generally enforced by the Attorney General, nothing in the data breach notification statute will preclude recovery of economic damages.
Washington	Any customer injured by a violation may institute a civil action to recover damages.
District of Columbia	Any District of Columbia resident injured by a violation may institute a civil action to recover actual damages, the costs of the action, and reasonable attorney’s fees. Actual damages shall not include dignitary damages, including pain and suffering.
Puerto Rico	Consumers may bring actions apart from the statute.
Virgin Islands	Any customer injured by a violation may commence a civil action to recover damages.

States With an Encryption Safe Harbor
Alaska	The statute only applies to unencrypted information or encrypted information when the encryption key has also been disclosed.
Arizona	Notification requirement only applies where personal information was unencrypted.
Arkansas	Statute only applies to unencrypted data elements.
California	Notification under the general breach notification statute only applies where unencrypted personal information was acquired, or is believed to acquired, by an unauthorized person.
Colorado	Statute applies only to the disclosure of unencrypted computerized data.
Connecticut	A breach of security only occurs when access to the personal information has not been secured by encryption or by any other method or technology that renders personal information unreadable or unusable.
Delaware	The statute applies to unencrypted computerized data.

States With an Encryption Safe Harbor
Alaska	The statute only applies to unencrypted information or encrypted information when the encryption key has also been disclosed.
Arizona	Notification requirement only applies where personal information was unencrypted.
Arkansas	Statute only applies to unencrypted data elements.
California	Notification under the general breach notification statute only applies where unencrypted personal information was acquired, or is believed to acquired, by an unauthorized person.
Colorado	Statute applies only to the disclosure of unencrypted computerized data.
Connecticut	A breach of security only occurs when access to the personal information has not been secured by encryption or by any other method or technology that renders personal information unreadable or unusable.
Delaware	The statute applies to unencrypted computerized data.

New York	When the private information is encrypted and the encryption key has not been acquired, there is no duty to notify.
North Carolina	Notification requirement only applies where the personal information acquired is unencrypted and unredacted.
North Dakota	Notification is not required when data has been secured by encryption or by any other method or technology that renders the electronic files, media, or data bases unreadable or unusable.
Ohio	If the data is encrypted, redacted, or altered by any method or technology in such a manner that the data elements are unreadable, notification is not required.
Oklahoma	Notification is not required for encrypted or redacted information unless the encrypted information is accessed and acquired in an unencrypted form or if the security breach involves a person with access to the encryption key and the individual or entity reasonably believes that such breach has caused or will cause identity theft or other fraud to any resident of this state.
Oregon	If data is encrypted or redacted, notice is not required.
Pennsylvania	Notification is not required when encrypted or redacted information is accessed and acquired. Notice is required, however, if encrypted information is accessed and acquired in an unencrypted form, if the security breach is linked to a breach of the security of the encryption or if the security breach involves a person with access to the encryption key.
Rhode Island	If the information is encrypted, notice is not required.
South Carolina	If data is rendered unusable through encryption, redaction, or other methods, notice to consumers is not required.
Tennessee	Notification requirement only applies where personal information was unencrypted.
Texas	“Sensitive personal information” only applies to data items that are not encrypted.
Utah	If the personal information is encrypted or protected by another method that renders the data unreadable or unusable, notice is not required.
Vermont	Data is not considered personal information if both the individual’s name and the combined data element (i.e. social security number) are encrypted, redacted, or protected by another method that renders them unreadable or unusable.
Virginia	The unauthorized acquisition of encrypted or redacted data, without access to the encryption key, does not trigger the notice requirement under this statute.
Washington	If both an individual’s first name or first initial and last name and accompanying data element (i.e. social security number) are encrypted, notice is not required.
West Virginia	If encrypted or redacted information is accessed and acquired and the person does not have access to the encryption key, notice is not required.
Wisconsin	If one of the data elements linked to an individual’s name is encrypted, redacted, or altered in a manner that renders the element unreadable, it is not considered personal information, meaning no notice is required.
Wyoming	If both an individual’s first name or first initial and last name and combined data element (i.e. social security number) are redacted, the data is not considered personal identifying information, and notice is not required.
District of Columbia	The acquisition of data that has been rendered secure, so as to be unusable by an unauthorized third party is not considered a breach of the security system.

Guam	Notification requirement does not apply to encrypted data unless the security breach involves a person with access to the encryption key and the individual or entity reasonably believes that such breach has caused or will cause identity theft or other fraud to any resident of Guam.
Puerto Rico	This statute is triggered only when unencrypted information is disclosed.
Virgin Islands	Statute applies only where personal information was unencrypted.

States Where the Statute is Triggered by a Breach of Security in Electronic and/or Paper Records
Alaska	“Breach of security” means unauthorized acquisition, or reasonable belief of unauthorized acquisition, or personal information that compromises the security, confidentiality, or integrity of the personal information maintained by the information collector. “Acquisition” includes: acquisition by photocopying, facsimile, or other paper-based method; a device including a computer, that can read, write or store information that is represented in numerical form; or a method not identified by this paragraph.
Hawaii	This statute applies to any business that owns or licenses personal information of residents of Hawaii, any business that conducts business in Hawaii that owns or licenses personal information in any form (whether computerized, paper, or otherwise), or any government agency that collects personal information for specific government purposes.
Indiana	Breach of the security of data means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a person. The term includes the unauthorized acquisition of computerized data that have been transferred to another medium, including paper, microfilm, or a similar medium, even if the transferred data are no longer in a computerized format.
Iowa	“Breach of security” means unauthorized acquisition of personal information maintained in computerized form by a person that compromises the security, confidentiality, or integrity of the personal information. “Breach of security” also means unauthorized acquisition of personal information maintained by a person in any medium, including on paper, that was transferred by the person to that medium from computerized form and that compromises the security, confidentiality, or integrity of the personal information. (Effective July 1, 2014)
Massachusetts	Breach of security is the unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information, maintained by a person or agency that creates a substantial risk of identity theft or fraud against a resident of the commonwealth.Data is any material upon which written, drawn, spoken, visual, or electromagnetic information or images are recorded or preserved, regardless of physical form or characteristics.
North Carolina	Statute applies to any business that owns or licenses personal information in any form (whether computerized, paper or otherwise) or any business that maintains or possesses records or data containing personal information that the business does not own or license.

Wisconsin

This statute does not define a “breach of security”, and its definition of “personal information” is not restricted to computerized information alone.

Lazarus Alliance, Inc. publications are intended to inform our clients and other friends of the Firm about current legal developments of general interest. They should not be construed as legal advice, and readers should not act upon the information contained in these publications without professional counsel.

The Costs of Compliance and Data Breaches

Data is possibly one of the most valuable assets any organization holds. Customer information, employee records, and proprietary business intelligence present challenges because the data flowing through modern enterprises represents both significant opportunities and serious risks. Businesses face a challenging balance: investing in compliance measures to protect sensitive information while also preparing for the real...Continue reading→

Trusted risk management program by Lazarus Alliance

Developing Key Risk Indicators in GRC

Organizations in regulated industries can’t just meet security standards; they need to predict them one, three, or five years down the road. The ability to predict, measure, and manage risks is becoming a core competency, and Key Risk Indicators are foundational to this effort. Key Risk Indicators, when properly developed, empower organizations to move from...Continue reading→

Holistic CMMC certification controls by Lazarus Alliance

Interpreting Requirements and Controls in CMMC

CMMC has fundamentally transformed the landscape for defense contractors operating within the DIB. With mandatory compliance deadlines looming and contract requirements becoming increasingly stringent, organizations can no longer afford to treat cybersecurity as an afterthought. Yet for many contractors, the path to CMMC Level 2 compliance remains fraught with challenges that extend far beyond simple...Continue reading→

Cutting-edge CMMC certification assessment by Lazarus Alliance

How CMMC Impacts Subcontractors and Supply Chain Risk

While most of the focus of CMMC is on primary contractors, subcontractors (especially small and mid-sized firms) play an equally critical role in ensuring information security across the supply chain. As such, they are increasingly in the spotlight, both in terms of compliance requirements and as focal points for supply chain risk. However, their smaller...Continue reading→

Expert open source compliance assessment services by Lazarus Alliance

Does Open Source Software Fit into Compliance Strategies?

Incorporating open-source software (OSS) into organizational systems offers numerous benefits, including flexibility, innovation, and cost savings. However, for entities operating under stringent regulatory frameworks such as CMMC, FedRAMP, and HIPAA, adopting OSS requires careful consideration to ensure compliance. This article explores the effectiveness of OSS within these regulations and outlines the essential measures organizations must...Continue reading→

Leading CMMC certification governance by Lazarus Alliance

Startups in CMMC: Scaling Compliance Without Enterprise Resources

For startups in the defense sector, CMMC is a double-edged sword. On the one hand, working in the DIB is a massive opportunity for most startups. Conversely, the costs and complexity of compliance can overwhelm lean teams with limited resources. This is why startups increasingly turn to CSPs and MSPs to achieve CMMC compliance without...Continue reading→

Secure BYOD policy implementation by Lazarus Alliance

Navigating BYOD Workplaces and Federal Security Requirements: Challenges and Solutions

We’re well into the era of “hybrid,” where many tech and office jobs are managed from the comfort of our employees’ homes alongside elective trips to the office. This approach to work is often much more convenient and flexible than on-site work (when possible), but it introduces its own set of challenges, specifically around security. Hybrid...Continue reading→

Proactive FedRAMP compliance experts by Lazarus Alliance

The Evolution of FedRAMP in 2024

2024 has been a watershed year for FedRAMP, ushering in significant structural, procedural, and technological advancements to the program meant to streamline authorization and make bringing cloud products to federal agencies easier. From new governance to new paths to authorization, we’re recapping FedRAMP’s changes in 2024.