What is meant by unsecured personal information in breach notification context?

Unsecured personal information means data that has not been encrypted or otherwise protected against unauthorized access. Protective measures like encryption, tokenization, or strong access controls render data secured, so even if a breach occurs, the information may not be readable or usable by an attacker. When data is not encrypted or protected, a breach can expose readable information, which commonly triggers the notification requirements to affected individuals. In practice, unencrypted personal data such as Social Security numbers or account numbers would be considered unsecured, while data that is properly encrypted with keys kept secure is regarded as secured. If the encryption is broken and the decryption key is compromised, the data could become unsecured and require notification. Publicly available information is generally not treated as unsecured for breach notification purposes since it is already accessible.