New Hampshire Bar Association

Bar News - November 3, 2006


Information & Technology Law: New Hampshire Mandates Data Breach Notification

By: Susan Hollinger

An employee downloads office files containing names of customers and their Social Security numbers onto his laptop to do some work at home after hours. He stashes the computer in the trunk of his car, but first stops at the gym to work out. His car is broken into and the computer is stolen, along with the disk of information.

           

Whether it is this low-tech method of stealing data, or a higher-tech method—like hackers gaining access to computer network records—businesses need to understand the requirements of a new state law passed to help stem the tide of identity theft.

           

House Bill 1660 adds sections to the right-to-privacy statute, RSA 359-C, that require any person doing business in New Hampshire to notify (or cooperate in notifying) those individuals who are affected by any security breach of unencrypted computerized data that contains personal information.

           

The new law takes effect Jan. 1, 2007. Failure to understand the requirements of the law could subject the business to harsh penalties, including private rights of action for money damages, treble damages, costs and attorneys’ fees.

 

Notification timetable

           

Although the new law has no hard and fast timetable for providing the required notice, once a determination has been made that there has been a security breach, the business must promptly determine whether personal information has been misused or is reasonably likely to be misused, and if so, notify either the persons affected or the person that owns the information, as soon as possible.

           

If the business is unable to tell whether the information has been misused, the new law requires that notice be provided, also as soon as possible. Delay is permitted only if a law enforcement agency or a national or homeland security agency determines notice would impede a criminal investigation or jeopardize national security.

Notice must be in writing, by telephone or in electronic form, such as e-mail, and must include a general description of the incident, date of the breach, type of personal information accessed, and a telephone contact.

           

If the total cost of providing notice is more than $5,000 or there are more than 1,000 people affected, a substitute notice in the form of publication in statewide media, posting on the business Web site or e-mail is permitted. If the number to be notified exceeds 1,000, and the business is not already subject to the federal Gramm-Leach-Bliley Act, which regulates privacy, all consumer reporting agencies must also be notified of the number of persons affected.

 

Higher standards

           

Those businesses that are regulated must notify their primary regulator. All other businesses must notify the New Hampshire attorney general’s office.

           

Notice to the appropriate regulator must include the number and the anticipated date of notice. If the business is already subject to state or federal regulations or guidance setting out procedures for handling breaches, and if the business acts in accordance with such regulations or guidance, it will be in compliance with the requirements of this law.

           

Businesses that handle personal information are held to increasingly higher standards of care. Because the new law puts the burden of demonstrating compliance with its provisions on the person responsible for the determination of a security breach, businesses should start now to develop a program that sets out procedures for compliance in the unfortunate event of a data breach.

           

Any such program should provide for prompt internal reporting of possible security breaches, draft customer disclosures that comply with the law’s requirements, a recommended disclosure method (mail, Web site, etc.), and careful record-keeping that documents compliance.

           

Finally, familiarize all employees with the importance of protecting the confidentiality of personal information, examine your procedures to make certain that physical and electronic information is secure and train your employees to respond appropriately to a possible breach. If employees are not informed about security procedures or are not diligent in complying with their terms, they are putting your business at risk.

 

Susan Hollinger, a shareholder-director at the Concord-based law firm of Gallagher, Callahan & Gartrell, practices banking and business law, with an emphasis on regulatory matters and transactional work. She is admitted in New Hampshire, Vermont and Massachusetts.

 

This article was reprinted with permission and was previously published in The New Hampshire Business Review in August 2006.

 

 
