HB 1187 – AS INTRODUCED
HOUSE BILL 1187
This bill requires businesses to take reasonable steps to destroy records that contain personal information when such records are no longer needed. The bill also requires businesses to notify customers of personal information that has been released to third parties for direct marketing purposes or to adopt a policy of not disclosing personal information for direct marketing purposes without the customer’s consent.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Explanation: Matter added to current law appears in bold italics.
Matter removed from current law appears [
in brackets and struckthrough.]
Matter which is either (a) all new or (b) repealed and reenacted appears in regular type.
STATE OF NEW HAMPSHIRE
In the Year of Our Lord Two Thousand Eight
AN ACT regulating disclosure of personal information obtained in the course of business.
Be it Enacted by the Senate and House of Representatives in General Court convened:
1 New Subdivision; Protection of Personal Information. Amend RSA 359-C by inserting after section 21 the following new subdivision:
Protection of Personal Information
359-C:22 Definitions. In this section:
I. “Business” means a sole proprietorship, partnership, corporation, association, or other group, however organized and whether or not organized to operate at a profit.
II. “Customer” means an individual who provides personal information to a business for the purpose of purchasing or leasing a product or obtaining a service from the business.
III. “Disclose” means to release, transfer, disseminate, or otherwise communicate orally, in writing, or by electronic or any other means to any third party.
IV. “Individual” means a natural person.
V. “Personal information” means personal information as defined in RSA 359-C:19, IV.
VI. “Record” means any material, regardless of the physical form, on which information is recorded or preserved.
359-C:23 Destruction of Records Containing Personal Information.
I. Any person doing business in this state shall take all reasonable steps to destroy, or arrange for the destruction of, customer records within its custody or control that contain personal information, as defined in RSA 359-C:19, IV, when such records are no longer to be retained by the business by shredding, erasing, or otherwise modifying the personal information in those records to make it unreadable or undecipherable through any means.
359-C:24 Disclosure of Personal Information Prohibited.
I. Except as otherwise provided in this section, any person engaged in business in this state shall not disclose personal information relating to a customer unless the customer has provided explicit written consent for such disclosure. The business shall adopt reasonable procedures to assure compliance with this section.
II. Nothing in this section shall prohibit:
(a) Disclosure of personal information to the customer after proper identification.
(b) Disclosure authorized by the customer, provided the disclosure is limited to the scope and purpose that the customer authorizes.
(c) Disclosures between a business and a third party pursuant to contracts or arrangements pertaining to any aspect of the business operation, provided that the third party also complies with the non-disclosure requirement.
(d) Disclosures to or from a consumer reporting agency of a customer’s payment history or other information pertaining to transactions or experiences between the business and a customer if that information is to be reported in, or used to generate, a consumer report.
(e) Disclosures otherwise required by state or federal law.
(f) Disclosures required by court order.
I. Any person injured by any violation under this subdivision may bring an action for damages and for such equitable relief, including an injunction, as the court deems necessary and proper. If the court finds for the plaintiff, recovery shall be in the amount of actual damages. If the court finds that the act or practice was a willful or knowing violation of this chapter, it shall award as much as 3 times, but not less than 2 times, such amount. In addition, a prevailing plaintiff shall be awarded the costs of the suit and reasonable attorney’s fees, as determined by the court. Any attempted waiver of the right to the damages set forth in this paragraph shall be void and unenforceable. Injunctive relief shall be available to private individuals under this chapter without bond, subject to the discretion of the court.
II. The New Hampshire attorney general’s office shall enforce the provisions of this subdivision according to the procedures required in RSA 358-A:4.
2 Effective Date. This act shall take effect January 1, 2009.