New Hampshire mandates data breach notification
An employee downloads office files containing names of customers and their Social Security numbers onto his laptop to do some work at home after hours. He stashes the computer in the trunk of his car, but first stops at the gym to work out. His car is broken into and the computer is stolen, along with the disk of information. Whether it is this low-tech method of stealing data, or a higher-tech method — like hackers gaining access to computer network records — businesses need to understand the requirements of a new state law passed to help stem the tide of identity theft. House Bill 1660 adds sections to the right-to-privacy statute, RSA 359-C, that require any person doing business in New Hampshire to notify (or cooperate in notifying) those individuals who are affected by any security breach of unencrypted computerized data that contains personal information. The new law takes effect Jan. 1, 2007. Failure to understand the requirements of the law could subject the business to harsh penalties, including private rights of action for money damages, treble damages, costs and attorneys’ fees. Notification timetable Although the new law has no hard and fast timetable for providing the required notice, once a determination has been made that there has been a security breach, the business must promptly determine whether personal information has been misused or is reasonably likely to be misused, and if so, notify either the persons affected or the person that owns the information, as soon as possible. If the business is unable to tell whether the information has been misused, the new law requires that notice must be provided, also as soon as possible. Delay is permitted only if a law enforcement or a national security agency determines notice would impede a criminal investigation or jeopardize national security. Notice must either be in writing, by telephone or electronic form, such as e-mail, as well as include a general description of the incident, date of the breach, type of personal information accessed, and a telephone contact. If the total cost of providing notice is more than $5,000 or there are more than 1,000 people affected, substitute notice in the form of publication in statewide media, posting on the business Web site or e-mail is permitted. If the number to be notified exceeds 1,000, and the business is not already subject to the federal Gramm-Leach-Bliley Act, all consumer reporting agencies must also be notified of the number of persons affected. Higher standards Those businesses that are regulated must notify their primary regulator. All other businesses must notify the New Hampshire attorney general’s office. Because the new law puts the burden of demonstrating compliance with its provisions on the person responsible for the determination of a security breach, businesses should start now to develop a program that sets out procedures for compliance. Any such program should include creating prompt internal reporting of possible breaches, preparing draft customer disclosures that comply with the law, the recommended disclosure method and careful record-keeping that documents compliance. Finally, familiarize all employees with the importance of protecting the confidentiality of personal information, examine your procedures to make certain that physical and electronic information is secure and train your employees to respond appropriately to a possible breach. If employees are not informed about security procedures or are not diligent in complying with their terms, they are putting your business at risk. Susan Hollinger, a shareholder-director at the Concord-based law firm of Gallagher, Callahan & Gartrell, practices banking and business law, with an emphasis on regulatory matters and transactional work.