LD 1671
pg. 2
An Act To Protect Maine Citizens from Identity Theft
LR 2362
Item 1

 
paragraph A indicates that the security breach has resulted in
fraud or unauthorized transactions, but do not necessarily
require notice in other circumstances; and

 
C. Are subject to examination for compliance with the
requirements of this chapter by one or more federal
functional regulators, as defined in the federal Gramm-
Leach-Bliley Act, 15 United States Code, Section 6809(2), or
by the Department of Professional and Financial Regulation,
Office of Consumer Credit Regulation with respect to the
operation of the security program and the notification
procedures.

 
5. Security breach. "Security breach" means the compromise
of the security, confidentiality or integrity of computerized
data that results in unauthorized acquisition of and access to
personal information maintained by a business or that creates a
reasonable basis for the conclusion that such acquisition has
occurred. "Security breach" does not include the good faith
acquisition of personal information by an employee or agent of a
business for the purposes of that business if the personal
information is not used or subject to further unauthorized
disclosure.

 
6. Subject person. "Subject person" means a resident of this
State whose personal information is stored by a business that has
suffered a security breach resulting in the disclosure or
possible disclosure of the resident's personal information.

 
7. Substitute notice. "Substitute notice" means:

 
A. An e-mail notice, if the business has the e-mail
addresses of its customers;

 
B. A conspicuous posting of the notice on a publicly
accessible website of the business; or

 
C. Publication in major media, including newspapers of
general circulation.

 
8. System. "System" means a computerized data storage system
containing personal information.

 
§1348. Database security

 
1. Disclosure of security breach to subject person. A
business that owns or licenses electronic data containing
personal information, following the discovery of a security
breach, shall notify the subject person whose unencrypted
personal information was, or is reasonably believed to have been,
acquired by an unauthorized person.

