HB1404 (2006) Detail

Relative to breach of security of computerized personal information.


HB 1404 – AS INTRODUCED

2006 SESSION

06-2647

06/04

HOUSE BILL 1404

AN ACT relative to breach of security of computerized personal information.

SPONSORS: Rep. Stepanek, Hills 6; Rep. Lasky, Hills 26; Rep. Mooney, Hills 19

COMMITTEE: Commerce

ANALYSIS

This bill requires an individual, agency, or commercial entity to notify a resident when there is a breach of computer security regarding the resident’s personal information.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Explanation: Matter added to current law appears in bold italics.

Matter removed from current law appears [in brackets and struckthrough.]

Matter which is either (a) all new or (b) repealed and reenacted appears in regular type.

STATE OF NEW HAMPSHIRE

In the Year of Our Lord Two Thousand Six

AN ACT relative to breach of security of computerized personal information.

Be it Enacted by the Senate and House of Representatives in General Court convened:

1 New Chapter; Computer Security Breaches. Amend RSA by inserting after chapter 359-H the following new chapter:

CHAPTER 359-I

COMPUTER SECURITY BREACHES

359-I:1 Definitions.

I. “Agency” means any agency, authority, board, court, department, division, commission, institution, bureau, or other governmental entity of the state or a political subdivision of the state.

II. “Breach of the security of the system” means the unauthorized acquisition of unencrypted computerized data that materially compromises the security, confidentiality, or integrity of personal information maintained by an individual, agency, or a commercial entity. Good faith acquisition of personal information by an employee or agent of an individual or a commercial entity for the purposes of the individual or the commercial entity is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.

III. “Commercial entity” includes corporations, sole proprietorships, business trusts, estates, trusts, partnerships, limited partnerships, limited liability partnerships, limited liability companies, associations, organizations, or joint ventures.

IV. “New Hampshire resident” means a person whose principal mailing address, as reflected in the records of an individual, agency, or a commercial entity, is in New Hampshire.

V. “Notice” means:

(a) Written notice;

(b) Telephonic notice;

(c) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. section 7001; or

(d) Substitute notice, which consists of the following:

(1) E-mail notice if the individual, agency, or the commercial entity has e-mail addresses for the members of the affected class of New Hampshire residents.

(2) Conspicuous posting of the notice on the website page of the individual, agency, or the commercial entity if the individual, agency, or the commercial entity maintains one; and

(3) Notice to major statewide media.

VI. “Personal information” means a New Hampshire resident’s first name or first initial and last name in combination with any one or more of the following data elements that relate to the resident, when either the name or the data elements are not encrypted:

(a) Social Security number.

(b) Driver’s license number or New Hampshire identification card number.

(c) Account, credit, or debit card number, in combination with any required security code, access code, or password that would permit access to a resident’s financial account.

Personal information shall not include publicly available information from federal, state, or local government records or widely available media.

359-I:2 Notice of Computer Security Breach Required.

I.(a) An individual, agency, or a commercial entity that conducts business in New Hampshire and that owns or licenses computerized data that includes personal information about a resident of New Hampshire shall, when it becomes aware of a breach of the security of the system, conduct a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused. If the investigation determines that the misuse of information about a New Hampshire resident has occurred or is reasonably likely to occur, the individual, agency, or the commercial entity shall give notice as soon as possible to the affected New Hampshire resident, consistent with the needs of law enforcement and with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system.

(b) An individual, agency, or a commercial entity required to provide notice may use substitute notice if it demonstrates that the cost of providing notice will exceed $75,000, or that the affected class of New Hampshire residents to be notified exceeds 100,000 residents, or that the individual or the commercial entity does not have sufficient contact information to provide notice.

II. An individual, agency, or a commercial entity that maintains computerized data that includes personal information that it does not own or license shall give notice to the owner or licensee of the information of any breach of the security of the system immediately following discovery of a breach, if misuse of personal information about a New Hampshire resident occurred or is reasonably likely to occur. The individual, agency, or commercial entity shall cooperate with the owner or licensee of the information.

III. An individual, agency, or a commercial entity that maintains notice procedures as part of an information security policy for personal information, and whose procedures are consistent with this chapter shall be deemed to be in compliance if the individual, agency, or the commercial entity notifies affected New Hampshire residents in accordance with its policies in the event of a breach of security of the system.

IV. An individual, agency, or a commercial entity that is regulated by state or federal law and that maintains procedures for a breach of the security of the system pursuant to the laws, rules, regulations, guidances, or guidelines established by its primary or functional state or federal regulator shall be deemed to be in compliance with this chapter.

V. Notice required by this chapter may be delayed if a law enforcement agency determines that the notice will impede a criminal investigation. Notice required by this chapter must be made in good faith, without unreasonable delay, and as soon as possible after the law enforcement agency determines that notification will no longer impede the investigation.

2 Effective Date. This act shall take effect January 1, 2007.