Security Breach Regulations in the State of New Hampshire
N.H. Rev. Stat. §§ 359-C:19 is a data breach notification and privacy law that was passed in the U.S. state of New Hampshire in 2007. N.H. Rev. Stat. §§ 359-C:19 sets forth the regulations that business entities within New Hampshire must follow when a security breach occurs, including providing notification of the said breach to all affected parties, as well as the New Hampshire attorney general and the three major credit reporting agencies within the U.S., under certain circumstances. What’s more, the law also empowers the aforementioned New Hampshire attorney general to impose penalties against business entities within the state that fail to adhere to the provisions established in the law.
What is the scope and application of N.H. Rev. Stat. §§ 359-C:19?
In terms of the scope and application of N.H. Rev. Stat. §§ 359-C:19, the provisions of the law are applicable to any “individual, corporation, trust, partnership, incorporated or unincorporated association, limited liability company, or other form of entity, or any agency, authority, board, court, department, division, commission, institution, bureau, or other state governmental entity, or any political subdivision of the state (collectively, Entity) doing business in NH that owns or licenses computerized data that includes PI. Conversely, the “good-faith acquisition of PI by an employee or agent of an Entity for the purposes of the Entity’s business shall not be considered a security breach, provided that the PI is not used or subject to further unauthorized disclosure.”
What are the data breach requirements under N.H. Rev. Stat. §§ 359-C:19?
As is the case with many other security breach notification laws at the U.S. state level, business entities that experience such an event are required to provide notification to all affected parties. With this being said, data breach notifications under N.H. Rev. Stat. §§ 359-C:19 must provide residents of the state with the following information:
- The approximate date of the security breach.
- A description of the security breach, in general terms.
- The types of personal information that were compromised as a result of the breach.
- The telephone number of the entity that is reporting the breach.
What personal information is protected under N.H. Rev. Stat. §§ 359-C:19?
Under the provisions of N.H. Rev. Stat. §§ 359-C:19, the following forms of personal information are legally protected in the event that a security breach occurs, in combination with a New Hampshire resident’s first name or initial and last name, in instances where the data elements in question have not been encrypted:
- Social security numbers.
- Drivers license numbers, as well as other forms of government identification.
- Account numbers, debit and credit card numbers, as well as any associated passwords, security codes, keys, or access codes that could be used to permit access to an individual’s financial account.
- Financial account numbers.
What are the penalties for violating N.H. Rev. Stat. §§ 359-C:19?
In terms of the enforcement of N.H. Rev. Stat. §§ 359-C:19, the provisions laid out in the law are enforced by the New Hampshire attorney general, who has the authority to impose numerous penalties against businesses that fail to comply with the law. Furthermore, in contrast to many other security breach notification laws around the country, N.H. Rev. Stat. §§ 359-C:19 provides residents of the state of New Hampshire with the private right of action to bring forth civil charges against businesses that violate their rights under the law. As such, business entities that lose such cases are subject to the following legal actions:
- An injunction.
- Equitable relief.
- Actual damages.
- Attorney fees.
In addition to N.H. Rev. Stat. §§ 359-C:19, the state of New Hampshire also enacted two more data security laws 2019, HB 1700 (LSR 2410) and SB 303 (LSR 2766), which pertain to the placement of a security freeze on an individual’s credit report. As talks of a comprehensive data privacy law at the federal level continue to stall, the approach that states such as New Hampshire have taken will surely become more prevalent. Consequently, residents within the state effectively have three state laws governing security breaches, as well as the right to bring charges against business entities within the state that fail to comply with all relevant legislation and regulations.