6 — Notification of a Cybersecurity Event
35 requirements in the Notification of a Cybersecurity Event section
6Notification of a Cybersecurity Event
6.ACommissioner Notification (72 Hours)
6.A(1)State of Domicile
6.A(2)Consumer Threshold (250+)
6.A(2)(a)Government Notification Required
6.A(2)(b)Material Harm Likelihood
6.A(2)(b)(i)Consumer Harm
6.A(2)(b)(ii)Business Operations Harm
6.BNotification Information Requirements
6.B(1)Event Date
6.B(2)Exposure Description
6.B(3)Discovery Method
6.B(4)Information Recovery
6.B(5)Source Identity
6.B(6)Law Enforcement Notification
6.B(7)Information Types Acquired
6.B(8)Compromise Period
6.B(9)Affected Consumer Count
6.B(10)Internal Review Results
6.B(11)Remediation Efforts
6.B(12)Privacy Policy and Consumer Steps
6.B(13)Contact Person
6.CConsumer Notification
6.DThird-Party Service Provider Notification
6.D(1)Third-Party Event Treatment
6.D(2)Deadline Computation
6.D(3)Agreements for Investigation and Notice
6.EReinsurer Notification
6.E(1)Assuming Insurer Events
6.E(1)(a)Assuming Insurer Notification
6.E(1)(b)Ceding Insurer Consumer Notification
6.E(2)Third-Party Provider of Assuming Insurer
6.E(2)(a)Third-Party Event Notification
6.E(2)(b)Ceding Insurer Obligations
6.FProducer Notification