Which of the following conditions would NOT be sufficient to excuse an entity from providing breach notification under state law?
Which of the following conditions would NOT be sufficient to excuse an entity from providing breach notification under state law?
Under many state laws, unauthorized access alone can trigger breach notification requirements. Therefore, if the data involved was accessed but not exported, this condition would not be sufficient to excuse an entity from providing breach notification. State laws often prioritize the protection and potential risk to individuals' personal information, making mere access a significant factor in necessitating a notification.
Note that C says "subject to GLBA" not in compliance.
The answer is B. Exceptions include (1) encryption, (2) being in compliance with other GLBA, and (3) internal breach notification procedures compatible with state laws. Many state laws define a breach as "unauthorized access to" files, media, databases, etc. So access alone is not a sufficient excuse to be exempted from data breach notification.
Agree with Ambulocetus C. If the entity was subject to the GLBA Safeguards Rule.
While compliance with the Safeguards Rule helps in preventing breaches and ensuring data security, it does not necessarily exempt an entity from having to provide breach notifications as required by state laws. State breach notification laws typically have their own criteria for when notification is required, which may include factors like the type of data compromised, the potential risk of harm to individuals, and other circumstances surrounding the breach. While following the GLBA Safeguards Rule may demonstrate a commitment to data security, it doesn't automatically override the notification obligations imposed by state laws when a data breach occurs.