Missouri Notification of Breach of Security
MO Rev Stat § 407.1500
SUMMARY:
EFFECTIVE. August 28, 2009
WHO DOES THIS LAW APPLY TO. (1) Any person or entity that owns or licenses Personal Information on State residents, whether or not it conducts business in the State; and (2) any person or entity that maintains or possesses Personal Information on State residents that it does not own, whether or not it does business in the State.
WHAT IS A BREACH. Unauthorized acquisition of and access to Personal Information in computerized form that compromises the security, integrity, or confidentiality of the Personal Information. A good faith acquisition of Personal Information by an employee or agent of the person or business for internal purposes only is not a breach, if it is not used for unlawful purposes or in a manner that harms or threatens the security, confidentiality, or integrity of the Personal Information.
WHAT IS PERSONAL INFORMATION. An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the data element is not encrypted, redacted, or secured by any other method rendering the element unreadable or unusable:
- Social Security Number.
- Driver’s license number or government identification number.
- Account number, credit card or debit card number in combination with any required security code, access code, or password that would permit access to the individual’s financial account.
- Unique electronic identifier or routing code, in combination with any required security code, access code, or password that would permit access to the individual’s financial account.
- Medical information including history, condition, treatment, or diagnosis.
- Health insurance information.
Personal Information does not include publicly available information, or information that is lawfully available from Federal, State, or local government records.
WHO TO NOTIFY OF THE BREACH. Notification of the breach must be sent to the affected Missouri resident(s). The notice shall include at a minimum:
- A general description of the incident.
- The type of Personal Information acquired or accessed.
- A telephone number that the affected individuals may call for further information and assistance, if one exists.
- Contact information for consumer reporting agencies.
- Advice to remain vigilant by reviewing account statements and monitoring free credit reports.
If more than 1,000 Missouri residents are involved in a breach, the person or business shall also notify the Attorney General’s office and all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis (as defined by 15 U.S.C. § 1681a(p)) of the timing, distribution, and content of the notice.
EXCEPTIONS. Notification is not required, or is deemed satisfied, in the following cases:
- No notification is required if the person or business, after a reasonable investigation or after consultation with the relevant Federal, State, or local law enforcement agencies, determines that identity theft or other fraud to a Missouri resident is not reasonably likely to occur as a result of the breach. Such a determination must be documented in writing and the documentation maintained for five years.
- A person or business that maintains its own notice procedures as part of a Personal Information security policy, and whose procedures are otherwise consistent with the timing requirements of this Section, is considered in compliance with this Section if the affected Missouri residents are notified in accordance with those procedures.
- A person or business that is regulated by State or Federal law and maintains security breach procedures pursuant to those laws or rules is considered in compliance with this Section if the affected Missouri residents are notified in accordance with those procedures.
- A financial institution that is subject to and complies with any of the following is considered in compliance with this Section:
  - Federal Interagency Guidance Response Programs for Unauthorized Access to Consumer Information and Consumer Notice;
  - National Credit Union Administration regulations in 12 CFR Part 748; or
  - The provisions of Title V of the Gramm-Leach-Bliley Financial Modernization Act of 1999, 15 USC Sections 6801 – 6809.
WHEN TO NOTIFY OF THE BREACH. The duty to notify arises when the person or business discovers, or is notified of, a breach. Disclosure shall be made without unreasonable delay, consistent with the legitimate needs of law enforcement and with any measures necessary to determine the scope of the breach, to identify the individual(s) affected, and to restore the reasonable integrity of the data system. Notification may be delayed if a law enforcement agency informs the person or business that notification will impede a criminal investigation or jeopardize national security. The request must be made in writing, or documented contemporaneously in writing by the person or business, and must include the name of the law enforcement officer making the request and the agency conducting the investigation. In that case, notification is made as soon as possible after law enforcement determines that it will no longer impede the investigation.
HOW TO NOTIFY OF THE BREACH. Notice may be provided by one of the following methods:
- Written.
- Telephonic.
- Electronic (if the person or business has a valid Email address for the individual, the individual has agreed to receive communications electronically, and the notice is consistent with the provisions regarding electronic records and signatures in 15 U.S.C. § 7001).
- Substitute notice as provided below.
SUBSTITUTE NOTICE AVAILABLE. If the person or business can demonstrate that the cost of providing notice will exceed $100,000, the affected class of persons to be notified exceeds 150,000, or the person or business has insufficient contact information, substitute notice may be used. Substitute notice shall consist of all of the following:
- Email notice if the person or business has an Email address for the individual(s) subject to notice.
- Conspicuous posting of, or link to, the notice on the website of the person or business, if one is maintained.
- Notification to major statewide media.
NOTICE TO THIRD-PARTIES. If a person or business maintains data that includes Personal Information that it does not own or license, then the person or business shall notify the owner or licensee immediately upon discovery of a breach. The person or business that owns or licenses the Personal Information shall provide notice to the affected Missouri resident(s).
CONSEQUENCES FOR FAILING TO NOTIFY. The State Attorney General has exclusive authority to bring an action for a willful and knowing violation of this Section, including recovery of actual damages and a civil penalty of up to $150,000 per breach, or per series of breaches of a similar nature discovered in a single investigation.
PRIVATE RIGHT OF ACTION. None provided in the statute.
REQUIREMENTS OF REASONABLE SECURITY MEASURES. None provided in the statute.
DATA DISPOSAL PROVISIONS. None.
LEGISLATIVE UPDATES.
H.B. 62 – Signed into law on 7/9/2009, Effective 8/28/2009.
For more information, see here: https://www.revisor.mo.gov/main/OneSection.aspx?section=407.1500&bid=23329&hl=
These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.