New Hampshire has imposed new obligations on anyone doing business in the state who maintains personal information about others in electronic form. Although the new statutory provisions called "Notice of Security Breach" [1], which are effective January 1, 2007, sit within the "New Hampshire Right to Privacy Act" in NH RSA 359-C, they are more expansive than the other provisions of that Act, which apply primarily to financial institutions, their creditors and customers.
WHO HAS TO FOLLOW THIS NEW LAW? WHAT DOES IT COVER?
The Notice of Security Breach obligations apply to any individual, corporation, trust, partnership, limited liability company, or other type of entity, as well as any agency, authority, board, court, department, division, commission, institution, bureau or other state governmental entity, and any political subdivision of the state. If you are one of these, do business in New Hampshire, and own or license "personal information" stored in an electronic format, this law applies to you. For those entities already subject to the Health Insurance Portability and Accountability Act ("HIPAA"), this law is more stringent than HIPAA and, therefore, imposes additional requirements.
Personal information means an individual's first name or initial and last name plus any of the following, when either the name or the following data is not encrypted:
- Social security number;
- Driver's license number or other government identification number (such as Medicare, Medicaid, professional license numbers); or
- Account number, credit card number or debit card number, in combination with any security code, access code or password required to permit access to a person's financial account.
For purposes of this law, personal information does not mean information that is lawfully made available to the general public from federal, state or local government records, nor does it include personal information when both the name and the data elements are encrypted. However, simply requiring a key, security code, access code or password in order to access the data does not mean the data is encrypted under this statute.
WHAT IS THIS NEW LAW ABOUT?
The Notice of Security Breach law does what its name suggests - it imposes new notification requirements upon all of the entities listed above if there is a security breach. A "security breach" means any unauthorized acquisition of personal information (maintained by you in an electronic format) that compromises the security or confidentiality of that information. When an employee or agent accesses others' personal information in good faith for the legitimate purposes of your business, it is not a security breach. However, misuse of the personal information or unauthorized disclosure by the employee or agent, even if originally obtained for legitimate purposes, does constitute a security breach under this law.
Anyone that maintains computerized data including personal information that it does not own - that is, data maintained for some other person or business - must notify the owner or licensee of any security breach immediately after its discovery, if personal information was acquired by an unauthorized person, and must cooperate with the owner or licensee. Information relevant to the breach must be shared.
NOTICE TO AFFECTED INDIVIDUALS
If you are one of the entities listed above and you become aware that there has been unauthorized acquisition of personal information maintained by you that compromises the security or confidentiality of that information, you must promptly determine whether it is likely that personal information has been or will be misused. If a misuse has occurred or is reasonably likely to occur, or if you cannot make the determination about whether it has occurred or is likely to occur, you must notify all affected individuals as soon as possible.
NOTICE TO REGULATORS OR ATTORNEY GENERAL'S OFFICE AND CONSUMER REPORTING AGENCIES
If you are engaged in trade or commerce subject to the jurisdiction of the bank commissioner, director of securities regulation, insurance commissioner, public utilities commission, financial institutions and insurance regulators of other states, or federal banking or securities regulators, you must also notify the appropriate regulator who has primary regulatory authority over your business, in addition to all affected individuals. If you are not regulated by any of the foregoing, you must give notice to the New Hampshire Attorney General's Office, in addition to affected individuals. Notice to the applicable regulator or Attorney General's Office must include the anticipated date of the notice that you will give to affected individuals and the approximate number of individuals in New Hampshire who will be notified. Further, if there are more than 1,000 affected persons you must notify under this new law, you must also notify all consumer reporting agencies that maintain files on consumers on a nationwide basis, giving them the anticipated date of the notification to consumers, the approximate number of persons and the content of the notice.
Delay in notification is permitted if a law enforcement agency or national or homeland security agency determines that giving the notification will impede a criminal investigation or jeopardize national or homeland security.
HOW DO I HAVE TO GIVE NOTICE?
The new law permits you to give notice in several ways - in writing, via electronic notice if this is your usual primary means of communication with the affected persons, telephonically if you keep a log of each notification, or by what is called "substitute notice." If you can show that the cost of giving notice would exceed $5,000, that the number of affected persons to be notified is more than 1,000, or that you do not have sufficient contact information or consent to provide notice in writing, electronically or by telephone, you may do the following:
- E-mail notice when you have an email address for the affected persons;
- Post the notice on your website if you maintain one; and
- Give notice via a major statewide media.
Another alternative is that, if you have internal notification procedures as part of your information security policy for the treatment of personal information, you may give notice in accordance with those procedures.
The notice itself must include a description of the security breach incident in general terms, the approximate date of the breach, the type of personal information which was obtained as a result of the security breach and your telephone contact information.
WHAT HAPPENS IF I DO NOT COMPLY?
Anyone who is injured by lack of compliance under the new law has the right to bring an action against a violator of this law for damages and equitable relief, including an injunction. If the court finds the violation was willful or knowing, the violator is subject to double or even treble damages. Prevailing plaintiffs may recover attorneys' fees and costs.
The New Hampshire attorney general's office is responsible for enforcement of the new law and the burden of demonstrating compliance is on the person responsible for making the initial determination about whether the security breach resulted in misuse or is likely to do so.
CONCLUSION
It is time to update your policies and procedures regarding security breaches and unauthorized acquisition of personal information to assure that you are in compliance with the new New Hampshire Notice of Security Breach requirements.
This article is intended to serve as a summary of the issues outlined herein. While it may include some general guidance, it is not intended as, nor is it a substitute for, legal advice. Your receipt of Good Company or any of its individual articles does not create an attorney-client relationship between you and Sheehan Phinney Bass + Green or the Sheehan Phinney Capitol Group. The opinions expressed in Good Company are those of the authors of the specific articles.
[1] NH RSA 359-C:19-21