Data Breach Requirements in the State of Missouri

Mo. Rev. Stat. § 407.1500 is a data breach notification law that was passed in the U.S. state of Missouri in 2009. It establishes the legal requirements that business entities and organizations within the state of Missouri must adhere to when a data breach occurs, as well as the penalties and sanctions they stand to face should they fail to comply with its provisions. As such, Mo. Rev. Stat. § 407.1500 represents the primary means by which the personal information of Missouri residents is protected when that information is compromised as a result of a data breach.

How is a data breach defined under Mo. Rev. Stat. § 407.1500?

Under Mo. Rev. Stat. § 407.1500, a data breach is defined as the “unauthorized access to and unauthorized acquisition of PI maintained in computerized form by an Entity that compromises the security, confidentiality, or integrity of the PI.” By contrast, the “good-faith acquisition of PI by an Entity or that Entity’s employee or agent for a legitimate purpose of that Entity is not a breach of security, provided that the PI is not used in violation of applicable law or in a manner that harms or poses an actual threat to the security, confidentiality, or integrity of the PI.” In terms of scope and application, Mo. Rev. Stat. § 407.1500 applies to “any individual, corporation, business trust, estate, trust, etc” within the state of Missouri.

What are the requirements of Mo. Rev. Stat. § 407.1500?

Under Mo. Rev. Stat. § 407.1500, business entities and organizations within Missouri are responsible for providing residents of the state with data breach notifications when a breach occurs. Data breach notifications may be provided to residents in writing, via email, or electronically. These notifications must provide consumers with the following information:

What categories of personal information are protected under Mo. Rev. Stat. § 407.1500?

Under Mo. Rev. Stat. § 407.1500, the following categories of personal information are protected should a data breach occur, when combined with the first name or first initial and last name of a resident of the state of Missouri, provided the information has not been redacted, encrypted, or altered by any other method or technology:

What are the punishments for violating Mo. Rev. Stat. § 407.1500?

The provisions and requirements laid out in Mo. Rev. Stat. § 407.1500 are enforced by the Missouri Attorney General. Business entities and organizations within the state of Missouri that are found to be in violation of the law are subject to a number of sanctions and penalties. Such punishments include actual damages for purposeful violations of the law, as well as a monetary penalty of up to $150,000 in instances where the breach or a series of breaches of a security system is uncovered during the course of an investigation.

Mo. Rev. Stat. § 407.1500 stands as the primary legal means by which residents of the state of Missouri can seek both justice and compensation in the event that a data breach occurs and results in personal information being compromised. In comparison to many other state privacy laws concerning data breach incidents, the requirements that are placed upon business entities and organizations under Mo. Rev. Stat. § 407.1500 are quite stringent. As such, residents of the state of Missouri can have the peace of mind that certain categories of personal information pertaining to them will be protected in the event that a security breach takes place.
