HB1414 (2006) Detail

Relative to the protection of personal information by mandatory notice of security breach.


HB 1414-FN – AS INTRODUCED

2006 SESSION

06-2251

05/04

HOUSE BILL 1414-FN

AN ACT relative to the protection of personal information by mandatory notice of security breach.

SPONSORS: Rep. Maxfield, Merr 6; Rep. Cataldo, Straf 3

COMMITTEE: Commerce

ANALYSIS

This bill requires a person engaged in business in this state to notify consumers of any security breach that compromises the confidentiality of their personal information.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Explanation: Matter added to current law appears in bold italics.

Matter removed from current law appears [in brackets and struckthrough.]

Matter which is either (a) all new or (b) repealed and reenacted appears in regular type.

STATE OF NEW HAMPSHIRE

In the Year of Our Lord Two Thousand Six

AN ACT relative to the protection of personal information by mandatory notice of security breach.

Be it Enacted by the Senate and House of Representatives in General Court convened:

1 New Subdivision; Right to Privacy; Notice of Security Breach. Amend RSA 359-C by inserting after section 18 the following new subdivision:

Notice of Security Breach

359-C:19 Definitions. In this subdivision:

I. “Person” means an individual, corporation, trust, partnership, incorporated or unincorporated association, or any other legal entity.

II.(a) “Personal information” means an individual’s first name or initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

(1) Social security number.

(2) Driver’s license number.

(3) Account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

(b) Personal information shall not include information that is lawfully made available to the general public from federal, state, or local government records.

III. “Security breach” means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a person doing business in this state. Good faith acquisition of personal information by an employee or agent of a person for the purposes of the person’s business shall not be considered a security breach, provided that the personal information is not used or subject to further unauthorized disclosure.

359-C:20 Notification of Security Breach Required.

I. Any person doing business in this state who owns or licenses computerized data that includes personal information shall disclose a security breach following discovery or notification of the breach. Notification shall be made to any resident of the state whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made as expediently as possible, but no more than 30 days after such breach has been discovered.

II. Notification pursuant to paragraph I may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation.

III. The notice required under this section shall be provided by one of the following methods:

(a) Written notice.

(b) Electronic notice, if such notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. section 7001.

(c) Substitute notice, if the person demonstrates that the cost of providing notice would exceed $250,000, that the affected class of subject individuals to be notified exceeds 500,000, or the person does not have sufficient contact information. Substitute notice shall consist of all of the following:

(1) E-mail notice when the person has an e-mail address for the affected individuals.

(2) Conspicuous posting of the notice on the person’s business website, if the person maintains one.

(3) Notification to major statewide media.

(d) Notice pursuant to the person’s internal notification procedures maintained as part of an information security policy for the treatment of personal information.

359-C:21 Violation; Criminal Penalty.

I. Any person who violates this subdivision shall be guilty of a class A misdemeanor.

II. An individual aggrieved by a violation of this subdivision may bring a private action for damages and injunctive relief. In any successful action under this paragraph, the court may award reasonable attorneys fees and costs.

III. Notwithstanding RSA 359-C:14-a, the rights and remedies available under this subdivision are cumulative and do not affect other rights or remedies available under state or federal law.

2 Effective Date. This act shall take effect January 1, 2007.

LBAO

06-2251

11/15/05

HB 1414-FN - FISCAL NOTE

AN ACT relative to the protection of personal information by mandatory notice of security breach.

FISCAL IMPACT:

The Judicial Branch and Judicial Council state this bill may increase state expenditures by an indeterminable amount in FY 2007 and each year thereafter. There will be no fiscal impact on state, county, and local revenue or county and local expenditures.

METHODOLOGY:

The Judicial Branch states this bill would require persons doing business in New Hampshire to notify consumers of any security breach that compromises the confidentiality of the consumers’ personal information. Violations would be class A misdemeanors which carry the potential of incarceration, and therefore, the potential for de novo appeals to the Superior Court for a jury trial. Class A misdemeanors can also involve appeals to the Supreme Court. The recently completed New Hampshire Judicial Needs Assessment, prepared by the National Center for State Courts, estimates a class A misdemeanor has a judicial case weight of 15.3 minutes in the District Court, and 65 minutes for Superior Court appeals. As a result, the Branch states it would take several cases under this bill to result in a fiscal impact over $10,000. However, one situation of failure of notice could give rise to many civil cases and has the potential to result in an indeterminable fiscal impact over $10,000.

The Judicial Council assumes that any cases arising from the enactment of this bill for which the Indigent Defense Fund may be liable will, in the first instance, be handled by the public defender or a contract attorney who accepts these cases on a fixed fee basis of $275 per misdemeanor charged. If an assigned counsel attorney must be used, the hourly rate of $60 with a fee cap of $1,000 will apply. If a motion to exceed the fee cap is approved and/or “services other than counsel” are approved, these will also be chargeable to the Indigent Defense Fund. Any charge within the criminal justice system, committed by a juvenile, will be compensated within the flat fee contract system of $275 per case through disposition, plus $206.25 for each and every review hearing following disposition. Assigned counsel will be at the $60 per hour rate with a fee cap of $1,200. The fee cap may be waived upon motion filed with the court and approved in advance. Any case where a defendant has been found guilty may also result in appeals to either the Superior Court or the Supreme Court which would have a cost implication for Indigent Defense expenditures made by the State. The Council is unable to predict the number of cases which may result from the passage of this bill, and is unable to determine the exact fiscal impact at this time.

The Association of Counties states this bill exempts county governments from its provisions; therefore, there will be no county fiscal impact.

The Departments of State and Justice state this bill will have no fiscal impact on their departments.