TITLE XXXI
TRADE AND COMMERCE

Chapter 359-C
RIGHT TO PRIVACY

Section 359-C:1

    359-C:1 Short Title. – This chapter may be cited as the New Hampshire right to privacy act.

Source. 1977, 594:1, eff. Sept. 17, 1977.

Section 359-C:2

    359-C:2 Purpose. –
The general court finds and declares as follows:
I. The confidential relationships between financial institutions and creditors and their respective customers are built on trust and must be preserved and protected.
II. The purpose of this chapter is to protect the confidential relationship between financial institutions and creditors and their respective customers.

Source. 1977, 594:1. 1983, 174:1. 1992, 268:1, eff. July 17, 1992.

Section 359-C:3

    359-C:3 Definitions. –
In this chapter:
I. "Credit" means any permission granted to any person to defer payment of any debt, or to incur any debt and defer payment of such debt.
II. "Creditor" means any person who regularly extends, or arranges for the extension of, credit for which the payment of a finance charge is required, whether such credit is extended by means of any card, coupon book, or other device which may be used for the purpose of obtaining any money, property, labor, service, or other thing of value on credit, or by any other means.
III. "Credit record" means any information held by any creditor concerning:
(a) Any person to whom such creditor extends any credit; or
(b) Any person seeking to obtain any credit from such creditor.
IV. "Customer" means any person who has transacted business with or has used the services of a financial institution or a creditor, or for whom a financial institution has acted as a fiduciary, in relation to an account maintained in the person's name.
V. "Financial institution" means:
(a) Any bank, trust company, savings and loan association, building and loan association, homestead association, or credit union which is organized under the laws of any state or of the United States; and
(b) Any other person organized under the banking laws of any state.
VI. "Financial record" means any information held by any financial institution concerning:
(a) Any debit or credit to any deposit or share account with such financial institution; or
(b) Any person who maintains, or has maintained, any such account or who transacts, or has transacted, any other business with such financial institution.
VII. "Investigation" includes, but is not limited to, any inquiry by a peace officer, sheriff, or county attorney or any inquiry made for the purpose of determining whether there has been a violation of any law enforceable by imprisonment, fine, or monetary liability.
VIII. "Local agency" includes a county; city; town; school district; municipal corporation; district; political subdivision or any board, commission or agency thereof; or other local public agency.
IX. (a) "Person" means an individual, partnership, corporation, association, trust or other legal entity organized under the laws of this state.
(b) In the case of a partnership, corporation, association, trust or other legal entity, the term "person" shall also mean:
(1) Any partner in a partnership, any director or officer of a corporation, any trustee of a trust, or any member of an association; or
(2) Any agent who is authorized to maintain an account or transact business with a financial institution on behalf of a partnership, corporation, association, trust or other legal entity organized under the laws of this state.
X. "State agency" means every state office, officer, department, division, bureau, board, and commission or other state agency.
XI. "Supervisory agency" means:
(a) Any authority of any state or of any political subdivision of any state which is required by law to examine or audit any financial record of any financial institution; and
(b) Any authority of any state or of any political subdivision of any state which the United States Secretary of the Treasury by regulation determines to be exercising supervisory functions over any financial institution which are substantially similar to those supervisory functions exercised by the Federal Deposit Insurance Corporation, the Federal Savings and Loan Insurance Corporation, the Office of Thrift Supervision, the National Credit Union Administration, the Federal Reserve Board, the Comptroller of the Currency or the Federal Communications Commission.

Source. 1977, 594:1. 1983, 174:2. 1991, 107:1. 1992, 268:2, eff. July 17, 1992.

Section 359-C:4

    359-C:4 Access to Records. –
I. Except as provided in RSA 359-C:11, no officer, employee, or agent of a state or local agency or department thereof, in connection with a civil or criminal investigation of a customer, whether or not such investigation is being conducted pursuant to formal judicial or administrative proceedings, may request or receive copies of, or the information contained in, the financial or credit records of any customer from a financial institution or creditor unless the financial or credit records are described with particularity and are consistent with the scope and requirements of the investigation giving rise to such request and:
(a) Such customer has authorized such disclosure under RSA 359-C:7;
(b) Such financial records are disclosed in response to an administrative subpoena meeting the requirements set forth in RSA 359-C:8;
(c) Such financial records are disclosed in response to a search warrant meeting the requirements set forth in RSA 359-C:9; or
(d) Such financial records are disclosed in response to a judicial subpoena or subpoena duces tecum pursuant to RSA 359-C:10.
II. [Repealed.]
III. Nothing in this section or in RSA 359-C:7, 359-C:8, 359-C:9 or 359-C:10 shall require a financial institution or creditor to inquire or determine that those seeking disclosure have duly complied with the requirements set forth therein; provided only that the customer authorization, administrative subpoena or summons, search warrant or judicial subpoena or order served on or delivered to a financial institution or creditor pursuant to such sections shows compliance on its face. The burden of proof to show compliance with this chapter shall be on the agency or body issuing such order.
IV. The financial institution or creditor shall maintain for a period of 5 years a record of all examinations or disclosures of the financial or credit records of a customer including the identity and purpose of the person examining the financial or credit records, the state or local agency or department thereof which he represents and, where applicable, a copy of the customer authorization, subpoena, summons or search warrant providing for such examination or disclosure or a copy of the certified crime report received pursuant to RSA 359-C:11, II. Any record maintained pursuant to this paragraph shall be available at the office or branch where the customer's account is located during normal business hours for review by the customer upon request. A copy of such record shall be furnished to the customer upon request and payment of the reasonable cost thereof.

Source. 1977, 594:1. 1983, 174:3. 1992, 268:3, 4, eff. July 17, 1992.

Section 359-C:5

    359-C:5 Disclosure of Records. –
I. Except in accordance with requirements of RSA 359-C:7, 359-C:8, 359-C:9 or 359-C:10, no financial institution or creditor, nor any director, officer, employee, or agent thereof may provide or authorize another to provide to an officer, employee or agent of a state or local agency or department thereof any financial, or credit records, copies thereof, or the information contained therein if the director, officer, employee or agent of the financial institution or creditor knows or has reasonable cause to believe that such financial or credit records or information are being requested in connection with a civil or criminal investigation of the customer, whether or not such investigation is being conducted pursuant to formal judicial or administrative proceedings.
II. This section is not intended to prohibit disclosure of the financial or credit records of a customer or the information contained therein incidental to a transaction in the normal course of business of such financial institution or creditor if the director, officer, employee or agent thereof making or authorizing the disclosure has no reasonable cause to believe that the financial or credit records or the information contained in such records so disclosed will be used by a state or local agency or department thereof in connection with an investigation of the customer, whether or not such investigation is being conducted pursuant to formal judicial or administrative proceedings.
II-a. This section is not intended to prevent a financial institution from disclosing to the county attorney or the attorney general, or either of their authorized designees, the financial or credit records of a customer or any other person, or the information contained therein when the director, officer, employee or agent of the financial institution has reasonable cause to believe the customer, or other person, is utilizing the services of the institution to defraud the institution or any other person.
III. A financial institution or creditor which refuses to disclose the financial or credit records of a customer, copies thereof or the information contained therein in reliance in good faith upon the prohibitions of RSA 359-C:5, I, shall not be liable to its customer, to a state or local agency or to any other person for any loss or damage caused in whole or in part by such refusal.

Source. 1977, 594:1. 1983, 174:4. 1992, 268:5. 2005, 233:1, eff. Jan. 1, 2006.

Section 359-C:6

    359-C:6 Use Restricted. –
Copies of financial or credit records or the information contained therein, including information supplied pursuant to RSA 359-C:11, II, which are obtained by any state agency, local agency or supervisory agency may not be:
I. Used or retained in any form for any purpose other than the specific statutory purposes for which the information was originally obtained; or
II. Provided to any other governmental department or agency or other person except where authorized by state law. If in the course of an investigation conducted pursuant to the provisions of this chapter, an officer, employee or agent of a state or local agency or department thereof discovers financial or credit records indicating a possible violation of law which such agency is without statutory authority to investigate or prosecute, the information in such financial or credit records shall be provided to the county attorney of the county in which such financial or credit records were examined or to the attorney general.

Source. 1977, 594:1. 1983, 174:5, eff. Aug. 9, 1983.

Section 359-C:7

    359-C:7 Customer Authorized Disclosure. –
I. A customer may authorize disclosure under RSA 359-C:4, I(a), if those seeking disclosure furnish to the financial institution or creditor a signed and dated statement by which the customer:
(a) Authorizes such disclosure for a period to be set forth in the authorization statement;
(b) Specifies the name of the agency or department to which disclosure is authorized and, if applicable, the statutory purpose for which the information is to be obtained; and
(c) Identifies the financial or credit records which are authorized to be disclosed.
II. No such authorization shall be required as a condition of doing business with such financial institution or creditor.
III. Any officer, employee or agent of a state or local agency seeking customer authorization for disclosure of customer financial or credit records shall notify the customer that the customer has the right at any time to revoke such authorization, except where such authorization is required by statute.
IV. An agency or department examining the financial or credit records of a customer pursuant to this section shall notify the customer in writing within 30 days of such examination. Such notice shall specify the financial or credit records which were examined and the reason for such examination.

Source. 1977, 594:1. 1992, 268:6, eff. July 17, 1992.

Section 359-C:8

    359-C:8 Administrative Subpoena; Summons. –
I. An officer, employee or agent of a state or local agency or department thereof may obtain financial or credit records under RSA 359-C:4, I(b), pursuant to an administrative subpoena or summons otherwise authorized by law and served upon the financial institution or creditor only if:
(a) The person issuing such administrative summons or subpoena has served a copy of the subpoena or summons on the customer; and
(b) The subpoena or summons includes the name of the agency or department on whose name the subpoena or summons is issued and the statutory purpose for which the information is to be obtained; and
(c) The customer has not moved to quash such subpoena or summons within 10 days of service.
II. Nothing in this chapter shall preclude a financial institution or creditor from notifying a customer of the receipt of an administrative summons or subpoena.

Source. 1977, 594:1. 1992, 268:7, 8, eff. July 17, 1992.

Section 359-C:9

    359-C:9 Obtaining Records by Search Warrant. – An officer, employee or agent of a state or local agency or department thereof may obtain financial or credit records under RSA 359-C:4, I(c), only if he obtains a search warrant pursuant to RSA 595-A. Examination of financial or credit records may occur as soon as the warrant is served on the financial institution or creditor.

Source. 1977, 594:1. 1992, 268:9, eff. July 17, 1992.

Section 359-C:10

    359-C:10 Obtaining Records by Subpoena. –
I. An officer, employee or agent of a state or local agency or department thereof may obtain financial or credit records under RSA 359-C:4, I(d), pursuant to a judicial subpoena or subpoena duces tecum only if:
(a) The subpoena or subpoena duces tecum is issued and served upon the financial institution or creditor and served upon or mailed to the customer; and
(b) Ten days after the service date passes, or 14 days after the mailing date passes without notice to the financial institution or creditor that the customer has moved to quash the subpoena. If testimony is to be taken, or financial or credit records produced, before a court, the notice periods provided for in this paragraph may be shortened by the court issuing the subpoena or subpoena duces tecum upon a showing of reasonable cause. The court shall direct that all reasonable measures be taken to notify the customer within the time so shortened.
II. Without limiting in any way the authority of the grand jury, a grand jury is authorized to and may, upon a resolution adopted by a majority of its members, obtain financial or credit records pursuant to a subpoena duces tecum bearing the authenticating signature of the clerk of court. The grand jury may appoint, by resolution, any person as its agent for purposes of receiving the information set forth in the subpoena. Notwithstanding RSA 359-C:4, IV, the grand jury may further adopt a resolution prohibiting any owner, officer, director, partner, employee, agent or attorney from a financial institution from notifying any person named in a subpoena about the existence or contents of such subpoena or that information has been furnished to a grand jury in response to such subpoena. Such resolution shall continue until such time as the customer has been notified pursuant to RSA 359-C:10, III, at which time the grand jury shall so notify the financial institution.
III. Upon issuing such subpoena or subpoena duces tecum, the judge shall order the grand jury to notify the customer in writing within 180 days of such issuance; provided, however, that the judge may shorten the 180 day period or, upon a showing of good cause, may extend such period beyond 180 days, but in no event beyond 360 days. The notice shall specify the financial or credit records which were examined and the reason for such examination.

Source. 1977, 594:1. 1983, 174:6. 1992, 268:10, eff. July 17, 1992.

Section 359-C:11

    359-C:11 Exceptions. –
Nothing in this chapter prohibits any of the following:
I. The dissemination of any financial or credit information which is not identified with, or identifiable as being derived from, the financial or credit records of a particular customer.
II. When any police or sheriff's department or county attorney in this state certifies to a financial institution in writing that a crime report has been filed which involves the alleged fraudulent use of drafts, checks or other orders drawn upon any financial institution in this state, such police or sheriff's department or county attorney may request a financial institution to furnish, and a financial institution shall supply, a statement setting forth the following information with respect to a customer account specified by the police or sheriff's department or county attorney for a period of 30 days prior to and up to 30 days following the date of occurrence of the alleged illegal act involving the account:
(a) The number of items dishonored;
(b) The number of items paid which created overdrafts;
(c) The dollar volume of such dishonored items and items paid which created overdrafts and a statement explaining any credit arrangement between the financial institution and customer to pay overdrafts;
(d) The dates and amounts of deposits and debits and the account balance on such dates;
(e) A copy of the signature appearing on a customer's signature card;
(f) Date account opened and, if applicable, date account closed.
III. Subject to the limitations in RSA 359-C:6, the examination by, or disclosure to, any supervisory agency of financial or credit records which relate solely to the exercise of its supervisory function. The scope of an agency's supervisory function shall be determined by reference to statutes which grant authority to examine, audit or require reports of financial or credit records of financial institutions or creditors.
IV. Subject to the limitations of RSA 359-C:6, the examination by or disclosure to the commissioner of the department of health and human services of the financial records of a person upon a request by the commissioner pursuant to RSA 126-A:38, I(b) for the purpose of reviewing a person's ability to pay for care, treatment, maintenance, and services provided by institutions; pursuant to RSA 161-C:3-a, I for the purpose of establishing, modifying, or enforcing an obligation to pay child support against such person; or pursuant to RSA 167:4-a for purposes directly connected with the determination and verification of eligibility for medical assistance for applicants and recipients whose eligibility for medical assistance is based upon the applicant's or recipient's age, blindness, or disability.
V. Subject to the limitations of RSA 359-C:6, the examination by or disclosure to the department of health and human services of financial records requested by the commissioner or his or her authorized representative, pursuant to RSA 161-F:56, for the purpose of investigating a report of alleged abuse, neglect, or exploitation.

Source. 1977, 594:1. 1992, 268:11. 1995, 310:24. 2002, 36:8, eff. July 1, 2002. 2010, 308:3, eff. Sept. 11, 2010. 2013, 144:41, eff. July 1, 2013.

Section 359-C:12

    359-C:12 Criminal Penalties. –
I. Any person who wilfully or knowingly participates in a violation of this chapter is guilty of a misdemeanor.
II. Any person who induces or attempts to induce a violation of this chapter is guilty of a misdemeanor.

Source. 1977, 594:1, eff. Sept. 17, 1977.

Section 359-C:13

    359-C:13 Costs. – In any successful action to enforce liability for a violation of the provisions of this chapter, the customer may recover the cost of the action together with reasonable attorney's fees as determined by the court.

Source. 1977, 594:1, eff. Sept. 17, 1977.

Section 359-C:14

    359-C:14 Injunction. – In addition to any other remedy contained in this chapter, injunctive relief shall be available to any customer aggrieved by a violation, or threatened violation, of this chapter in the same manner as such injunctive relief would be available if the financial or credit records concerning the customer accounts were in his possession. In any successful action by the customer, costs together with reasonable attorney's fees as determined by the court may be recovered.

Source. 1977, 594:1. 1983, 174:7, eff. Aug. 9, 1983.

Section 359-C:14-a

    359-C:14-a Remedies Exclusive. – The remedies provided under the provisions of this chapter shall be the exclusive remedies available to a customer aggrieved by a violation of the provisions of this chapter.

Source. 1983, 174:8, eff. Aug. 9, 1983.

Section 359-C:15

    359-C:15 Statute of Limitations. – An action to enforce any provision of this chapter must be commenced within 3 years after the date on which the violation occurred.

Source. 1977, 594:1, eff. Sept. 17, 1977.

Section 359-C:16

    359-C:16 Effect of Customer Waiver. – Except as provided in RSA 359-C:7, no waiver by a customer of any right hereunder shall be valid, whether oral or written, and whether with or without consideration.

Source. 1977, 594:1, eff. Sept. 17, 1977.

Section 359-C:17

    359-C:17 Priority of This Chapter. – Should any other law grant or appear to grant power or authority to any person to violate the provisions of this chapter, the provisions of this chapter shall supersede and pro tanto override and annul such law, except those statutes enacted after September 17, 1977, which specifically refer to this chapter.

Source. 1977, 594:1, eff. Sept. 17, 1977.

Section 359-C:18

    359-C:18 Provisions Severable. – If any provision of this chapter or the application thereof to any person or circumstance is held invalid for any reason, such invalidity shall not affect any other provisions or applications of this chapter which can be effected, without the invalid provision or application, and to this end the provisions of this chapter are severable.

Source. 1977, 594:1, eff. Sept. 17, 1977.

Notice of Security Breach

Section 359-C:19

    359-C:19 Definitions. –
In this subdivision:
I. " Computerized data " means personal information stored in an electronic format.
II. " Encrypted " means the transformation of data through the use of an algorithmic process into a form for which there is a low probability of assigning meaning without use of a confidential process or key, or securing the information by another method that renders the data elements completely unreadable or unusable. Data shall not be considered to be encrypted for purposes of this subdivision if it is acquired in combination with any required key, security code, access code, or password that would permit access to the encrypted data.
III. " Person " means an individual, corporation, trust, partnership, incorporated or unincorporated association, limited liability company, or other form of entity, or any agency, authority, board, court, department, division, commission, institution, bureau, or other state governmental entity, or any political subdivision of the state.
IV. (a) " Personal information " means an individual's first name or initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
(1) Social security number.
(2) Driver's license number or other government identification number.
(3) Account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
(b) " Personal information " shall not include information that is lawfully made available to the general public from federal, state, or local government records.
V. " Security breach " means unauthorized acquisition of computerized data that compromises the security or confidentiality of personal information maintained by a person doing business in this state. Good faith acquisition of personal information by an employee or agent of a person for the purposes of the person's business shall not be considered a security breach, provided that the personal information is not used or subject to further unauthorized disclosure.

Source. 2006, 242:1, eff. Jan. 1, 2007.

Section 359-C:20

    359-C:20 Notification of Security Breach Required. –
I. (a) Any person doing business in this state who owns or licenses computerized data that includes personal information shall, when it becomes aware of a security breach, promptly determine the likelihood that the information has been or will be misused. If the determination is that misuse of the information has occurred or is reasonably likely to occur, or if a determination cannot be made, the person shall notify the affected individuals as soon as possible as required under this subdivision.
(b) Any person engaged in trade or commerce that is subject to RSA 358-A:3, I shall also notify the regulator which has primary regulatory authority over such trade or commerce. All other persons shall notify the New Hampshire attorney general's office. The notice shall include the anticipated date of the notice to the individuals and the approximate number of individuals in this state who will be notified. Nothing in this section shall be construed to require the person to provide to any regulator or the New Hampshire attorney general's office the names of the individuals entitled to receive the notice or any personal information relating to them. The disclosure shall be made to affected individuals as quickly as possible, after the determination required under this section.
(c) Any person or business that maintains computerized data that includes personal information that the person or business does not own shall notify and cooperate with the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was acquired by an unauthorized person. Cooperation includes sharing with the owner or licensee information relevant to the breach; except that such cooperation shall not be deemed to require the disclosure of confidential or business information or trade secrets.
II. Notification pursuant to paragraph I may be delayed if a law enforcement agency, or national or homeland security agency determines that the notification will impede a criminal investigation or jeopardize national or homeland security.
III. The notice required under this section shall be provided by one of the following methods:
(a) Written notice.
(b) Electronic notice, if the agency or business' primary means of communication with affected individuals is by electronic means.
(c) Telephonic notice, provided that a log of each such notification is kept by the person or business who notifies affected persons.
(d) Substitute notice, if the person demonstrates that the cost of providing notice would exceed $5,000, that the affected class of subject individuals to be notified exceeds 1,000, or the person does not have sufficient contact information or consent to provide notice pursuant to subparagraphs I(a)-I(c). Substitute notice shall consist of all of the following:
(1) E-mail notice when the person has an e-mail address for the affected individuals.
(2) Conspicuous posting of the notice on the person's business website, if the person maintains one.
(3) Notification to major statewide media.
(e) Notice pursuant to the person's internal notification procedures maintained as part of an information security policy for the treatment of personal information.
IV. Notice under this section shall include at a minimum:
(a) A description of the incident in general terms.
(b) The approximate date of breach.
(c) The type of personal information obtained as a result of the security breach.
(d) The telephonic contact information of the person subject to this section.
V. Any person engaged in trade or commerce that is subject to RSA 358-A:3, I which maintains procedures for security breach notification pursuant to the laws, rules, regulations, guidances, or guidelines issued by a state or federal regulator shall be deemed to be in compliance with this subdivision if it acts in accordance with such laws, rules, regulations, guidances, or guidelines.
VI. (a) If a person is required to notify more than 1,000 consumers of a breach of security pursuant to this section, the person shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined by 15 U.S.C. section 1681a(p), of the anticipated date of the notification to the consumers, the approximate number of consumers who will be notified, and the content of the notice. Nothing in this paragraph shall be construed to require the person to provide to any consumer reporting agency the names of the consumers entitled to receive the notice or any personal information relating to them.
(b) Subparagraph (a) shall not apply to a person who is subject to Title V of the Gramm, Leach-Bliley Act, 15 U.S.C. section 6801 et seq.

Source. 2006, 242:1, eff. Jan. 1, 2007.

Section 359-C:21

    359-C:21 Violation. –
I. Any person injured by any violation under this subdivision may bring an action for damages and for such equitable relief, including an injunction, as the court deems necessary and proper. If the court finds for the plaintiff, recovery shall be in the amount of actual damages. If the court finds that the act or practice was a willful or knowing violation of this chapter, it shall award as much as 3 times, but not less than 2 times, such amount. In addition, a prevailing plaintiff shall be awarded the costs of the suit and reasonable attorney's fees, as determined by the court. Any attempted waiver of the right to the damages set forth in this paragraph shall be void and unenforceable. Injunctive relief shall be available to private individuals under this chapter without bond, subject to the discretion of the court.
II. The New Hampshire attorney general's office shall enforce the provisions of this subdivision pursuant to RSA 358-A:4.
III. The burden shall be on the person responsible for the determination under RSA 359-C:20, I to demonstrate compliance with this subdivision.

Source. 2006, 242:1, eff. Jan. 1, 2007.