§ 38-15. Data breaches.

If a provider determines that a breach of its data system has occurred and that the breach has placed user personal information at risk, the provider must, within 48 hours of that determination, notify the Department and all current and prior users of the breach and the likely consequences of the breach.