Organizations must have measures in place for the secure disposal of personal information. Disposal Vendors must be contracted. Vendors contracted for record destruction must be monitored by the Organization for compliance with manners of destruction allowed under the law.

Breach reporting to the Consumer Protection Division of the Attorney General’s Office must be completed without unreasonable delay when a breached Organization provides consumer notice to an affected state resident. In the event an Organization provides notice to more than 1,000 persons, breach reporting is required to all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.

Vendors must notify Organization immediately after discovery of a breach or suspected breach. The Organization will be responsible to complete any required regulatory reporting and consumer notifications.

Destruction Vendors must be certified and must provide independent audits to an Organization. In addition, they must have policies and procedures in place to protect against unauthorized access to personal information during and after disposal. There are separate laws for the protection of personal information relating to medical and insurance.

For violations of the law pertaining to security breaches and destruction of personal information records, the court may impose a civil penalty against up to $5,000 for each offense. If a violation is continuous, each week of the continued violation may be considered a separate offense. Restitution of fees to the attorney general may be granted. Organizations may be fined or penalized for Vendor violations.