The Maryland Personal Information Protection Act (PIPA, Md. Code Ann., Com. Law § 14-3501 et seq.) requires strict procedures after a data breach.

If You Own or License the Data (Information Collector):

1. Investigate Promptly: Conduct a good faith, reasonable, and prompt investigation to determine if misuse of personal information has occurred or is reasonably likely to occur. Notification is not required if, after this investigation, it’s determined that misuse has not and is not likely to occur. This determination must be documented in writing and maintained for three years.
2. Notify Affected Individuals: If misuse is likely, notice must be provided as soon as reasonably practicable, but no later than 45 days after the conclusion of the investigation.
   • Notice can be delayed if law enforcement determines it will impede a criminal investigation or jeopardize homeland/national security. If delayed for law enforcement, notice must be given within 7 days after law enforcement determines it will not impede the investigation, or by the end of the original 45-day period, whichever is earlier.
   • The notice must include specific details, such as a description of the breach, types of information compromised, contact information for the business, and contact information for major consumer reporting agencies and the FTC/AG for identity theft information.
3. Notify the Maryland Attorney General: If notification to any Maryland resident is required, the Attorney General must also be notified prior to or at the same time the consumer notice is provided. The AG notification must include the number of affected Maryland individuals, when and how the breach occurred, and remediation steps.
4. Notify Consumer Reporting Agencies: If a breach requires notification of 1,000 or more residents, the entity must also notify, without unreasonable delay, all nationwide consumer reporting agencies of the timing, distribution, and content of the notices.

If You Maintain Data for Another Business (Third-Party Agent):

• You must notify the data owner or licensee of the breach as soon as reasonably practicable, but no later than 10 days after discovering or being notified of the breach. You must also share information related to the breach.

Businesses that fail to comply with PIPA may face enforcement action from the Attorney General, including civil penalties of up to $5,000 per day for failure to take reasonable action to comply with notice provisions (after a 30-day cure period from a prior violation).

If your business suffers a breach, you must act quickly. Maine data breach law (10 M.R.S. § 1348) requires prompt notification to affected parties and, in some cases, regulators.

Required actions:

1. Conduct a reasonable and prompt investigation: Determine if misuse of personal information has occurred or is reasonably likely to occur. Notification is not required if, after this good-faith investigation, it’s determined there is no reasonable likelihood that the personal information has been or will be misused.
2. Notify affected individuals: Notice must be provided to a resident of Maine whose personal information has been, or is reasonably believed to have been, acquired by an unauthorized person. This notice must be made as expediently as possible and without unreasonable delay. Delays are allowed for legitimate law enforcement needs, or for measures necessary to determine the scope of the breach and restore data integrity. If notice is delayed due to law enforcement, it must be made no more than 7 business days after law enforcement determines notification will not compromise an investigation. Your written (or electronic/substitute) notice must include:
   • Nature of the breach
   • Types of personal data exposed
   • Contact person for more information
   • Remedial steps your business has taken
3. Notify the Maine Attorney General (or appropriate state regulator): When notice of a breach is required to consumers, the business must also notify the appropriate state regulators within the Department of Professional and Financial Regulation, or if the entity is not regulated by that Department, the Attorney General. This notification should be made without unreasonable delay.
4. Notify Credit Reporting Agencies: If a security breach requires notification to more than 1,000 persons at a single time, the business shall also notify, without unreasonable delay, all nationwide consumer reporting agencies (as defined in 15 U.S.C. Section 1681a). This notification must include the date of the breach, an estimate of the number of persons affected, if known, and the actual or anticipated date that persons were or will be notified of the breach.

Also, most policies require that you notify your cyber insurance carrier within 24 to 72 hours to avoid coverage issues.

Penalties: A person who violates this chapter commits a civil violation and is subject to a fine of not more than $500 per violation, up to a maximum of $2,500 for each day the person is in violation (10 M.R.S. § 1349).

Louisiana law requires companies to notify individuals “in the most expedient time possible and without unreasonable delay, but not later than sixty days” from the discovery of the breach. This notification is not required if, after a reasonable investigation, the entity determines that there is no reasonable likelihood of harm to the residents of this state.

Required Notifications

1. To Affected Individuals: Notice must be provided for unencrypted or unredacted personal information that was, or is reasonably believed to have been, acquired by an unauthorized person. It may be delayed consistent with legitimate law enforcement needs or measures necessary to determine the scope of the breach and restore data integrity.
   • Must include the breach type, approximate date, exposed data categories, and business contact info.
   • Written or electronic notice (consistent with E-SIGN) is permitted. Substitute notice is allowed under specific conditions (e.g., cost exceeds $100,000 or over 100,000 persons affected).
2. To the Louisiana Attorney General: If notice to residents is required, the entity must also provide written notice to the Consumer Protection Section of the Attorney General’s Office. This notice must include the names of all Louisiana citizens affected by the breach and be received by the Attorney General’s office within 10 days of distribution of notice to Louisiana citizens.
3. To Owners/Licensors (if you maintain data for others): If you maintain computerized data that includes personal information you do not own, you must notify the owner or licensee of the information if it was, or is reasonably believed to have been, acquired by an unauthorized person through a breach.
4. Credit Reporting Agencies: Louisiana law does not explicitly require notification to credit reporting agencies, unless required under federal law (e.g., for breaches affecting certain numbers of individuals involving the Federal Trade Commission’s Red Flags Rule or other specific federal regulations).

Failure to comply with Louisiana breach law can result in state investigations, civil penalties (as noted above), lawsuits for actual damages, and even criminal penalties for willful concealment or certain computer crimes.

Kentucky law outlines clear expectations after a cyber incident.

Key requirements:

1. KRS §365.732 (General Data Breach Notification): Any information holder who discovers a breach of the security of the system that actually causes, or leads the information holder to reasonably believe has caused or will cause, identity theft or fraud against any resident of Kentucky, must disclose the breach to affected residents “in the most expedient time possible and without unreasonable delay,” consistent with legitimate law enforcement needs or measures necessary to determine the scope of the breach and restore data integrity.
   • Encrypted Data: Notification is generally not required if the acquired data was encrypted and the encryption key was not also acquired or reasonably believed to have been acquired.
   • Large Breaches: If notification is required for more than 1,000 persons at one time, the information holder must also notify, without unreasonable delay, all nationwide consumer reporting agencies and credit bureaus.
2. HB 474 (Kentucky Insurance Data Security Law): Insurers must report a cybersecurity event involving nonpublic information to the Kentucky Department of Insurance (DOI) as promptly as possible, but no later than three business days from a determination that a cybersecurity event occurred, if it meets certain criteria (e.g., affecting 250+ Kentucky consumers and requiring notice to another government body, or reasonably likely to materially harm a consumer or the insurer’s operations).
3. KCDPA (Kentucky Consumer Data Protection Act – effective Jan. 2026):
   • Consumers can request to confirm, access, correct, delete, or obtain a copy of their personal data, and opt out of the processing of data for targeted advertising, sale, or profiling.
   • Businesses must respond to consumer requests without undue delay, but within 45 days, with a possible 45-day extension for complex requests.
   • The Attorney General has exclusive enforcement authority. Businesses are provided a 30-day “right to cure” period for violations before an enforcement action is initiated.
   • Civil penalties of up to $7,500 per violation may apply—with no stated monetary cap on total penalties.

These rules apply to any business meeting the KCDPA thresholds for data processing.

Under Kansas data breach law (K.S.A. §§ 50-7a01 to 50-7a04), any individual or commercial entity that owns or licenses computerized data that includes personal information about a Kansas resident must:

1. Investigate Immediately: Conduct a good faith, reasonable, and prompt investigation to determine if misuse of personal information has occurred or is reasonably likely to occur.
2. Notify Affected Individuals: If misuse has occurred or is reasonably likely to occur, notice must be given to the affected Kansas resident as soon as possible, in the most expedient time and manner possible and without unreasonable delay. Notice can be written or electronic (consistent with E-SIGN). Delays are allowed only if a law enforcement agency determines that notification will impede a criminal investigation. Your notice must include:
   • Contact details for the business.
   • Which personal information was impacted.
   • Contact information for nationwide consumer reporting agencies (e.g., Equifax, TransUnion) and the Federal Trade Commission (FTC).
   • Recommended steps to protect against misuse (e.g., changing passwords for online accounts).
3. Notify Consumer Reporting Agencies: If a security breach requires notification of more than 1,000 consumers at one time, the business must also notify, without unreasonable delay, all nationwide consumer reporting agencies (as defined in 15 U.S.C. Section 1681a) of the timing, distribution, and content of the consumer notices.
4. No Mandatory Attorney General Notification (for private entities): Kansas law does not explicitly require private businesses to notify the Attorney General for data breaches, unlike many other states, unless other federal rules (e.g., HIPAA for breaches of Protected Health Information) apply.
5. Encrypted/Redacted Data Exception: Notification is not required if the unauthorized access and acquisition was of encrypted or redacted personal information, and the encryption key or means to render the data readable or usable was not also acquired.

Most cyber policies require you to alert your insurer within 24–72 hours after a breach. Documentation may include forensics reports and copies of notification letters.

Violations of the Kansas data breach law can result in civil penalties of not more than $25,000 per breach of the security of the system if the failure to give notice is intentional (K.S.A. § 50-7a07).

If your business suffers a breach, Iowa Code §715C.2 outlines specific steps you must take. This applies to any person who owns or licenses computerized data containing a consumer’s personal information that was subject to a breach of security.

Required Actions:

1. Conduct a Prompt Investigation: Immediately following discovery of a breach, conduct a good faith, reasonable, and prompt investigation to determine if misuse of personal information has occurred or is reasonably likely to occur. Notification is not required if, after this investigation, it’s determined there’s no reasonable likelihood of financial harm. This determination must be documented and retained for five years.
2. Notify Affected Individuals: Give notice to affected consumers as soon as possible, in the most expeditious manner possible and without unreasonable delay. This may be delayed if a law enforcement agency determines notification will impede a criminal investigation. Your notice must include:
   • A description and approximate date of the breach.
   • The type of personal information obtained.
   • Recommended steps to protect against misuse.
3. Notify the Iowa Attorney General’s Office: If a breach requires notification to more than 500 residents of Iowa, the business must provide written notice to the Director of the Consumer Protection Division of the Office of the Attorney General. This report must be submitted within five business days after consumer notifications begin.
4. Comply with federal laws if applicable:
   • HIPAA applies to healthcare data.
   • GLBA covers financial information.
5. Report the breach to your cyber insurance provider promptly. Most policies require notice within 5–10 business days and request:
   • Forensic findings
   • Copies of consumer notices
   • A detailed breach timeline

Insurers typically assist with breach response, legal counsel, customer outreach, and reimbursement for damages. Violations of Iowa Code §715C are considered an unlawful practice under Iowa Code §714.16, allowing the Attorney General to seek remedies.

Indiana has strict breach notification rules under Indiana Code §24-4.9-3.

Required Steps:

1. Investigate Immediately: After discovering or being notified of a breach, conduct a good faith, reasonable, and prompt investigation to determine if misuse of personal information has occurred or is reasonably likely to occur.
2. Notify Affected Individuals: Disclose the breach to an Indiana resident whose unencrypted personal information was or may have been acquired by an unauthorized person, or whose encrypted personal information was acquired by an unauthorized person with access to the encryption key, if the data base owner knows, should know, or should have known that the unauthorized acquisition has resulted in or could result in identity deception, identity theft, or fraud affecting the Indiana resident. Disclosure must be made as soon as possible, without unreasonable delay, but no later than 45 days after discovery of the breach. Delays are reasonable if necessary to restore system integrity, discover the scope of the breach, or in response to a law enforcement request
3. Report to the Attorney General: If a database owner makes a disclosure to affected residents, they shall also disclose the breach to the Attorney General.
4. Notify Consumer Reporting Agencies: If a database owner is required to make a disclosure to more than 1,000 consumers, they shall also disclose to each consumer reporting agency information necessary to assist in preventing fraud.
5. Insurers must also report to the Indiana Department of Insurance (IDOI) within 3 business days of confirming certain reportable cybersecurity events, as required by Indiana Code §27-2-27.

Failing to meet these deadlines can result in fines, lawsuits, or even denial of insurance coverage. That’s why it’s critical to have a breach response plan—and an insurance policy that helps manage it.

If you suffer a cyberattack, Illinois law requires you to act quickly and maintain proper documentation.

Under the Personal Information Protection Act (PIPA, 815 ILCS 530):

1. Notify Your Insurer Most cyber policies require that you report any incident within 24-72 hours of discovery.
2. Notify Affected Individuals You must inform any Illinois resident whose unencrypted personal information was compromised “in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.” Notification may be delayed if a law enforcement agency determines it will interfere with a criminal investigation.
3. Notify the Attorney General This is required for all data breaches affecting Illinois residents. Notification must be made no later than when consumers are notified. Notification to the AG must be made in the most expedient time possible and without unreasonable delay, but in no event later than when the data collector provides notice to consumers.
4. Document the Incident Save all forensic reports, breach notices, system logs, and related communications.
5. Prepare for Dispute Resolution Many cyber insurance policies include arbitration clauses or mediation procedures for handling coverage disputes.

Violations of PIPA are considered unlawful practices under the Illinois Consumer Fraud and Deceptive Business Practices Act, which can lead to civil penalties enforced by the Attorney General (e.g., up to $50,000 per violation) and private rights of action for individuals.

Cyber insurance costs change by industry and coverage level. But Hawaii cyber insurance stays affordable compared to breach costs.

Monthly Premiums:

• Small Offices: $100–$150
• Healthcare or Education: $250–$700
• Hotels and Resorts: $200–$600

What Affects Your Premium:

• Business location (Honolulu vs. rural islands)
• Industry risk level (healthcare costs more than retail)
• Security tools you use (MFA, endpoint protection, backups)
• Employee training and past breaches
• Policy limit you want (starts at $1M per event)

Small or seasonal Hawaii businesses often get flexible terms that match revenue cycles.

Under Idaho Code § 28-51-105, companies that experience a data breach must:

1. Investigate Immediately: Conduct a good faith, reasonable, and prompt investigation to determine if misuse of personal information has occurred or is reasonably likely to occur.
2. Notify Affected Individuals: Give notice as soon as possible to the affected Idaho resident if misuse has occurred or is reasonably likely to occur. Notice must be made in the most expedient time possible and without unreasonable delay, consistent with legitimate law enforcement needs and measures necessary to determine the scope of the breach and restore the system’s integrity. Notices can be written, telephonic, or electronic (if consistent with E-SIGN).
3. Report to the Idaho Attorney General (If a State Agency): A state agency that becomes aware of a breach must notify the Idaho Attorney General’s Office within 24 hours. Commercial entities may notify the Attorney General’s Office but are not required to do so.
4. Penalties: Any agency, individual, or commercial entity that intentionally fails to give notice in accordance with section 28-51-105, Idaho Code, shall be subject to a fine of not more than twenty-five thousand dollars ($25,000) per breach of the security of the system (Idaho Code § 28-51-107).

Idaho’s data breach notification law does not provide a private right of action for individuals to sue directly for notice violations, but plaintiffs may still sue under contract or negligence law if damages are proven.