HB 1660-FN – FINAL VERSION
HOUSE BILL 1660-FN
SPONSORS: Rep. Hogancamp, Ches 4; Rep. Kurk, Hills 7; Rep. Maxfield, Merr 6; Rep. Ulery, Hills 27; Rep. Ryan, Merr 2; Sen. Roberge, Dist 9; Sen. Letourneau, Dist 19; Sen. Fuller Clark, Dist 24; Sen. D'Allesandro, Dist 20; Sen. Gottesman, Dist 12
This bill requires a person engaged in business in this state to notify consumers of any security breach that compromises the confidentiality of their personal information.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Explanation: Matter added to current law appears in bold italics.
Matter removed from current law appears [in brackets and struckthrough.]
Matter which is either (a) all new or (b) repealed and reenacted appears in regular type.
STATE OF NEW HAMPSHIRE
In the Year of Our Lord Two Thousand Six
AN ACT regulating identity theft.
Be it Enacted by the Senate and House of Representatives in General Court convened:
242:1 New Subdivision; Right to Privacy; Notice of Security Breach. Amend RSA 359-C by inserting after section 18 the following new subdivision:
Notice of Security Breach
359-C:19 Definitions. In this subdivision:
I. “Computerized data” means personal information stored in an electronic format.
II. “Encrypted” means the transformation of data through the use of an algorithmic process into a form for which there is a low probability of assigning meaning without use of a confidential process or key, or securing the information by another method that renders the data elements completely unreadable or unusable. Data shall not be considered to be encrypted for purposes of this subdivision if it is acquired in combination with any required key, security code, access code, or password that would permit access to the encrypted data.
III. “Person” means an individual, corporation, trust, partnership, incorporated or unincorporated association, limited liability company, or other form of entity, or any agency, authority, board, court, department, division, commission, institution, bureau, or other state governmental entity, or any political subdivision of the state.
IV.(a) “Personal information” means an individual’s first name or initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
(1) Social security number.
(2) Driver’s license number or other government identification number.
(3) Account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
(b) “Personal information” shall not include information that is lawfully made available to the general public from federal, state, or local government records.
V. “Security breach” means unauthorized acquisition of computerized data that compromises the security or confidentiality of personal information maintained by a person doing business in this state. Good faith acquisition of personal information by an employee or agent of a person for the purposes of the person’s business shall not be considered a security breach, provided that the personal information is not used or subject to further unauthorized disclosure.
359-C:20 Notification of Security Breach Required.
I.(a) Any person doing business in this state who owns or licenses computerized data that includes personal information shall, when it becomes aware of a security breach, promptly determine the likelihood that the information has been or will be misused. If the determination is that misuse of the information has occurred or is reasonably likely to occur, or if a determination cannot be made, the person shall notify the affected individuals as soon as possible as required under this subdivision.
(b) Any person engaged in trade or commerce that is subject to RSA 358-A:3, I shall also notify the regulator which has primary regulatory authority over such trade or commerce. All other persons shall notify the New Hampshire attorney general’s office. The notice shall include the anticipated date of the notice to the individuals and the approximate number of individuals in this state who will be notified. Nothing in this section shall be construed to require the person to provide to any regulator or the New Hampshire attorney general’s office the names of the individuals entitled to receive the notice or any personal information relating to them. The disclosure shall be made to affected individuals as quickly as possible, after the determination required under this section.
(c) Any person or business that maintains computerized data that includes personal information that the person or business does not own shall notify and cooperate with the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was acquired by an unauthorized person. Cooperation includes sharing with the owner or licensee information relevant to the breach; except that such cooperation shall not be deemed to require the disclosure of confidential or business information or trade secrets.
II. Notification pursuant to paragraph I may be delayed if a law enforcement agency, or national or homeland security agency determines that the notification will impede a criminal investigation or jeopardize national or homeland security.
III. The notice required under this section shall be provided by one of the following methods:
(a) Written notice.
(b) Electronic notice, if the agency or business’ primary means of communication with affected individuals is by electronic means.
(c) Telephonic notice, provided that a log of each such notification is kept by the person or business who notifies affected persons.
(d) Substitute notice, if the person demonstrates that the cost of providing notice would exceed $5,000, that the affected class of subject individuals to be notified exceeds 1,000, or the person does not have sufficient contact information or consent to provide notice pursuant to subparagraphs I(a)-I(c). Substitute notice shall consist of all of the following:
(1) E-mail notice when the person has an e-mail address for the affected individuals.
(2) Conspicuous posting of the notice on the person’s business website, if the person maintains one.
(3) Notification to major statewide media.
(e) Notice pursuant to the person’s internal notification procedures maintained as part of an information security policy for the treatment of personal information.
IV. Notice under this section shall include at a minimum:
(a) A description of the incident in general terms.
(b) The approximate date of breach.
(c) The type of personal information obtained as a result of the security breach.
(d) The telephonic contact information of the person subject to this section.
V. Any person engaged in trade or commerce that is subject to RSA 358-A:3, I which maintains procedures for security breach notification pursuant to the laws, rules, regulations, guidances, or guidelines issued by a state or federal regulator shall be deemed to be in compliance with this subdivision if it acts in accordance with such laws, rules, regulations, guidances, or guidelines.
VI.(a) If a person is required to notify more than 1,000 consumers of a breach of security pursuant to this section, the person shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined by 15 U.S.C. section 1681a(p), of the anticipated date of the notification to the consumers, the approximate number of consumers who will be notified, and the content of the notice. Nothing in this paragraph shall be construed to require the person to provide to any consumer reporting agency the names of the consumers entitled to receive the notice or any personal information relating to them.
(b) Subparagraph (a) shall not apply to a person who is subject to Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. section 6801 et seq.
I. Any person injured by any violation under this subdivision may bring an action for damages and for such equitable relief, including an injunction, as the court deems necessary and proper. If the court finds for the plaintiff, recovery shall be in the amount of actual damages. If the court finds that the act or practice was a willful or knowing violation of this chapter, it shall award as much as 3 times, but not less than 2 times, such amount. In addition, a prevailing plaintiff shall be awarded the costs of the suit and reasonable attorney’s fees, as determined by the court. Any attempted waiver of the right to the damages set forth in this paragraph shall be void and unenforceable. Injunctive relief shall be available to private individuals under this chapter without bond, subject to the discretion of the court.
II. The New Hampshire attorney general’s office shall enforce the provisions of this subdivision pursuant to RSA 358-A:4.
III. The burden shall be on the person responsible for the determination under RSA 359-C:20, I to demonstrate compliance with this subdivision.
242:2 Effective Date. This act shall take effect January 1, 2007.
Approved: June 1, 2006
Effective: January 1, 2007