Bar News - November 3, 2006
Information & Technology Law New Hampshire Mandates Data Breach Notification
By: Susan B. Hollinger
An employee downloads office files containing names of customers and their Social Security numbers onto his laptop to do some work at home after hours. He stashes the computer in the trunk of his car, but first stops at the gym to work out. His car is broken into and the computer is stolen, along with the disk of information.
Whether it is this low-tech method of stealing data, or a higher-tech method—like hackers gaining access to computer network records—businesses need to understand the requirements of a new state law passed to help stem the tide of identity theft.
House Bill 1660 adds sections to the right-to-privacy statute, RSA 359-C, that require any person doing business in New Hampshire to notify (or cooperate in notifying) those individuals who are affected by any security breach of unencrypted computerized data that contains personal information.
The new law takes effect Jan. 1, 2007. Failure to understand the requirements of the law could subject the business to harsh penalties, including private rights of action for money damages, treble damages, costs and attorneys’ fees.
Although the new law has no hard and fast timetable for providing the required notice, once a determination has been made that there has been a security breach, the business must promptly determine whether personal information has been misused or is reasonably likely to be misused, and if so, notify either the persons affected or the person that owns the information, as soon as possible.
If the business is unable to tell whether the information has been misused, the new law requires that notice must be provided, also as soon as possible. Delay is permitted only if a law enforcement agency or a national or homeland security agency determines notice would impede a criminal investigation or jeopardize national security.
Notice must either be in writing, by telephone or in electronic form, such as e-mail, and must include a general description of the incident, date of the breach, type of personal information accessed, and a telephone contact.
If the total cost of providing notice is more than $5,000 or there are more than 1,000 people affected, a substitute notice in the form of publication in statewide media, posting on the business Web site or e-mail is permitted. If the number to be notified exceeds 1,000, and the business is not already subject to the federal Gramm-Leach-Bliley Act, which regulates privacy, all consumer reporting agencies must also be notified of the number of persons affected.
Those businesses that are regulated must notify their primary regulator. All other businesses must notify the New Hampshire attorney general’s office.
Notice to the appropriate regulator must include the number and the anticipated date of notice. If the business is already subject to state or federal regulations or guidance setting out procedures for handling breaches, and if the business acts in accordance with such regulations or guidance, it will be in compliance with the requirements of this law.
Businesses that handle personal information are held to increasingly higher standards of care. Because the new law puts the burden of demonstrating compliance with its provisions on the person responsible for the determination of a security breach, businesses should start now to develop a program that sets out procedures for compliance in the unfortunate event of a data breach.
Any such program should include creating prompt internal reporting of possible security breaches, preparing draft customer disclosures that comply with the law’s requirements, the recommended disclosure method (mail, Web site, etc.), and careful record-keeping that documents compliance.
Finally, familiarize all employees with the importance of protecting the confidentiality of personal information, examine your procedures to make certain that physical and electronic information is secure and train your employees to respond appropriately to a possible breach. If employees are not informed about security procedures or are not diligent in complying with their terms, they are putting your business at risk.
Susan Hollinger, a shareholder-director at the Concord-based law firm of Gallagher, Callahan & Gartrell, practices banking and business law, with an emphasis on regulatory matters and transactional work. She is admitted in New Hampshire, Vermont and Massachusetts.
This article was reprinted with permission and was previously published in The New Hampshire Business Review in August 2006.