Mississippi An Act to Require Notice of a Breach of Security
Miss. Code Ann. § 75-24-29
SUMMARY:
EFFECTIVE. July 1, 2011
WHO DOES THIS LAW APPLY TO. Any person or entity that conducts business in Mississippi and owns, licenses or maintains Personal Information on any resident.
WHAT IS A BREACH. An unauthorized acquisition of unencrypted electronic files, media, databases, or computerized data containing Personal Information of a Mississippi resident.
WHAT IS PERSONAL INFORMATION. An individual’s first name or first initial and last name in combination with any one or more of the following data elements:
-
Social Security Number.
-
Driver’s license number, State identification card number or Tribal identification card number.
-
Account number, credit card or debit card number in combination with any required security code, access code, or password that would permit access to the individual’s financial account.
Personal Information does not include publicly available information, information that is lawfully available from Federal, State, or local government records, or widely distributed media.
WHO TO NOTIFY OF THE BREACH. Notification of the breach must be sent to the individual(s) affected. No notification is required if the person or business, after a reasonable investigation, determines that a breach of the security of the system will not likely result in harm to the affected individual(s).
EXCEPTION. This Section does not apply to the following:
-
A person or business which maintains its own notice procedures as part of a Personal Information security policy and is otherwise consistent with the timing requirements of this Section, is considered in compliance with this Section if the affected Mississippi individuals are notified by the person or business in accordance with its policies.
-
A person or business that is regulated by State or Federal law and maintains procedures for a security breach pursuant to the State or Federal laws or rules, is considered in compliance with this Section, if the affected Mississippi individuals are notified in accordance with such policies.
WHEN TO NOTIFY OF THE BREACH. Disclosure shall be made to the affected individual(s) in the most expedient manner possible and without unreasonable delay consistent with measures necessary to determine the nature and scope of the breach, to identify the individual(s) affected or to restore the reasonable integrity of the data system. Notification may be delayed if it will impede a criminal investigation or national security and is requested by law enforcement. In that instance, notification will be made as soon as possible following clearance by law enforcement.
HOW TO NOTIFY OF THE BREACH. Notice may be provided by one of the following methods:
-
Written.
-
Telephonic.
-
Electronic (if it is the primary means of communication, or notice is consistent with the provisions regarding electronic records and signatures in 15 U.S.C. § 7001).
-
Substitute notice as provided below.
SUBSTITUTE NOTICE AVAILABLE. If the person or business can demonstrate that the cost of providing notice will exceed $5,000, the affected class of persons to be notified exceeds 5,000, or the person or business has insufficient contact information, substitute notice may be used. Substitute notice shall consist of all of the following:
-
Email notice if the person or business has an Email address for the individual(s) subject to notice.
-
Conspicuous posting of the notice on the website of the person or business if one is maintained.
-
Notification to major statewide media.
NOTICE TO THIRD-PARTIES. If a person or business maintains computerized data that includes Personal Information that it does not own, then the person or business shall notify the owner or licensee as soon as possible following discovery of the breach. The person or entity that conducts business in Mississippi shall provide notice to the affected individual(s).
CONSEQUENCES FOR FAILING TO NOTIFY. Any violation of this Section will constitute an unfair trade practice and will be enforced by the state Attorney General.
PRIVATE RIGHT OF ACTION. None provided in the statute.
REQUIREMENTS OF REASONABLE SECURITY MEASURES.
DATA DISPOSAL PROVISIONS. None.
LEGISLATIVE UPDATES.
H.B. 582 – Signed into law on 4/7/2010, Effective 7/1/2011.
H.B. 277 – Signed into law on 3/18/2021, Effective 7/1/2021.
For more information, see here: https://advance.lexis.com/documentpage/?pdmfid=1000516&crid=b973dda5-6245-4584-9f5b-35649c111375&nodeid=ABNAAWAABAAQ&nodepath=%2FROOT%2FABN%2FABNAAW%2FABNAAWAAB%2FABNAAWAABAAQ&level=4&haschildren=&populated=false&title=%C2%A7+75-24-29.+Persons+conducting+business+in+Mississippi+required+to+provide+notice+of+a+breach+of+security+involving+personal+information+to+all+affected+individuals%3B+enforcement.&config=00JABhZDIzMTViZS04NjcxLTQ1MDItOTllOS03MDg0ZTQxYzU4ZTQKAFBvZENhdGFsb2f8inKxYiqNVSihJeNKRlUp&pddocfullpath=%2Fshared%2Fdocument%2Fstatutes-legislation%2Furn%3AcontentItem%3A627R-MSW3-GXJ9-31CB-00008-00&ecomp=vg1_kkk&prid=0f77a537-652a-4c84-afd4-d4714b5d3f1a
These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.