3.__Timeliness of notification.__Except as provided in subsection 4, notification required pursuant to subsections 1 and 2 must be made as expediently as possible and without unreasonable delay following:

A.__The discovery by the business of a security breach; and

B.__Any measures necessary to determine the scope of the security breach, prevent further disclosures and restore the reasonable integrity of the system.

4.__Delay of notification for law enforcement purposes.__ Notwithstanding subsections 1 and 2, if a law enforcement agency determines that the notification required under this section would impede a criminal investigation, notification may be delayed until that law enforcement agency determines that the notification will no longer compromise the investigation.

5.__Methods of notice.__A business is considered to be in compliance with this section if the business provides the subject person with:

A.__Written notice by regular, first-class mail; or

B.__Substitute notice, if:

(1)__The business demonstrates to the Director of the Office of Consumer Credit Regulation within the Department of Professional and Financial Regulation that the cost of providing direct notice would exceed $250,000;

(2)__The number of subject persons to be notified exceeds 500,000; or

(3)__The business does not have sufficient contact information to notify the subject persons.

6.__Alternative notification procedures.__Notwithstanding the requirements of subsections 1 and 2, a business is in compliance with the requirements of this chapter if the business maintains its own reasonable notification procedures as part of a security policy for personal information and notifies subject