New Hampshire Notice of Security Breach
N.H. Rev. Stat. § 359-C:19 - § 359-C:21
SUMMARY:
EFFECTIVE. January 1, 2007
WHO DOES THIS LAW APPLY TO. (1) Any person or entity that conducts business in New Hampshire and owns or licenses computerized data that includes Personal Information; and (2) any person or entity maintaining Personal Information on State residents.
WHAT IS A BREACH. Unauthorized acquisition of computerized data that compromises the security or confidentiality of Personal Information maintained by a person or business. A good faith acquisition of Personal Information by an employee or agent of the person or business for internal purposes only is not a breach, if it is not used or subject to further unauthorized disclosure.
WHAT IS PERSONAL INFORMATION. An individual’s first name or first initial and last name in combination with any one or more of the following data elements, whether or not the data element is encrypted:
- Social Security Number.
- Driver’s license number or government identification card number.
- Account number, credit card or debit card number in combination with any required security code, access code, or password that would permit access to the individual’s financial account.
Personal Information does not include information that is lawfully available from Federal, State, or local government records.
WHO TO NOTIFY OF THE BREACH. Notification of the breach must be sent to the individuals affected. Such notice shall include at a minimum:
- A general description of the breach.
- The approximate date the breach occurred.
- The type of Personal Information obtained from the breach.
- Telephone contact information of the person or business providing notice.
Any person or business subject to RSA 358-A:3 shall also notify the regulator which has primary authority. All others shall notify the State Attorney General’s office. Such notice will include:
- Anticipated date of notice to the affected individuals.
- Approximate number of State residents to be notified.
If more than 1,000 New Hampshire residents are involved in a breach, the person or business shall also notify all consumer reporting agencies that maintain files on consumers nationwide (as defined by 15 U.S.C. § 1618a(p)), of the anticipated date of the notice, the approximate number of individuals involved, and the content of the notice. Notice to the consumer reporting agencies does “not apply to a person who is subject to Title V of the Federal Gramm-Leach Bliley Act, 15 U.S.C. § 6801 et seq.”
EXCEPTION. This Section does not apply to the following:
- No notification is required if the person or business, after a reasonable investigation, determines that the information has not been or is not likely to be misused as a result of a breach.
- A person or business which maintains its own notice procedures as part of a Personal Information security policy and is otherwise consistent with the timing requirements of this Section, is considered in compliance with this Section if the affected New Hampshire individuals are notified by the person or business in accordance with its policies.
- A person or business that is regulated by State or Federal law and maintains procedures for a security breach pursuant to the State or Federal laws or rules, is considered in compliance with this Section, if the affected New Hampshire residents are notified in accordance with such policies.
WHEN TO NOTIFY OF THE BREACH. Notification must be sent as soon as possible when the person or business first becomes aware of an incident of unauthorized acquisition. Notification may be delayed if a law enforcement or homeland security agency determines it will impede a criminal investigation or jeopardize national security.
HOW TO NOTIFY OF THE BREACH. Notice may be provided by one of the following methods:
- Written.
- Telephonic (if a log is kept of each notification).
- Electronic (if it is the primary means of communication).
- Substitute notice as provided below.
SUBSTITUTE NOTICE AVAILABLE. If the person or business can demonstrate that the cost of providing notice will exceed $5,000, the affected class of persons to be notified exceeds 1,000, or the person or business has insufficient contact information, substitute notice may be used. Substitute notice shall consist of all of the following:
- Email notice if the person or business has an Email address for the individual(s) subject to notice.
- Conspicuous posting of the notice on the website of the person or business if one is maintained.
- Notification to major statewide media.
NOTICE TO THIRD-PARTIES. If a person or business maintains computerized data that includes Personal Information that it does not own, then the person or business shall notify and cooperate with the owner or licensee immediately following discovery of the breach. Cooperation includes sharing information relevant to the breach but does not include disclosure of confidential business or trade secret information. The person or business that owns or licenses the computerized data shall provide notice to the affected individual(s).
CONSEQUENCES FOR FAILING TO NOTIFY. The State Attorney General will enforce the provisions of this Section.
PRIVATE RIGHT OF ACTION. Yes. Any person injured by any violation of this Section may bring a lawsuit for damages and equitable relief including a court injunction. If the injured person wins the lawsuit, the court will award actual damages. If the court finds that the violation was willful, it will award two to three times actual damages to the injured person. In addition, the injured person may be awarded attorneys’ fees and the costs of the lawsuit.
REQUIREMENTS OF REASONABLE SECURITY MEASURES.
DATA DISPOSAL PROVISIONS. None.
LEGISLATIVE UPDATES.
H.B. 1660 – Signed into law on 6/2/2006, Effective 1/1/2007.
For more information, see here: http://www.gencourt.state.nh.us/rsa/html/NHTOC/NHTOC-XXXI-359-C.htm
These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.