Lawyer Publications

Miss. Code § 75-24-29

(Follow link to Lexis, scroll to Title 75, Chapter 24)

H.B. 582 (signed into law
April 7, 2010)

Effective July 1, 2011

Application. Any person who conducts business in MS and who, in the ordinary course of the person’s business functions, owns, licenses, or maintains the PI of any MS resident.

Security Breach Definition. An unauthorized acquisition of electronic files, media, databases, or computerized data containing PI of any MS resident when access to the PI has not been secured by encryption or by any other method of technology that renders the PI unreadable or unusable.

Notification Obligation. A person who conducts business in MS shall disclose any breach of security to all affected individuals. Notification is not required if, after an appropriate investigation, the person reasonably determines that the breach will not likely result in harm to the affected individuals.

Third-Party Data Notification. A person who maintains computerized data that includes PI that the person does not own or license shall notify the owner or licensee of the information of any breach of security as soon as practical following its discovery, if the PI was, or is reasonably believed to have been, acquired by an unauthorized person for fraudulent purposes.

Timing of Notification. Notice shall be provided without unreasonable delay subject to the completion of an investigation by the person to determine the nature and scope of the incident, to identify the affected individuals, or to restore the reasonable integrity of the system.

Personal Information Definition. An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the data element is not secured by encryption or another method of technology that makes electronic data unreadable or unusable:

  • Social Security number;
  • Driver’s license number or state identification card number; or
  • Account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

PI does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

Notice Required. Notice may be provided by one of the following methods:

  • Written notice,
  • Telephonic notice, or
  • Electronic notice, if the Entity’s primary method of communication with the individual is by electronic means, or if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001 (E-Sign Act).

Substitute Notice Available. If the Entity demonstrates that the cost of providing notice would exceed $5,000, that the Entity has to provide notice to more than 5,000 residents, or that the Entity does not have sufficient contact information. Substitute notice shall consist of all of the following:

  • Email notice, if the Entity has Email addresses for subject persons;
  • Conspicuous posting of the notice on the Entity’s website, if the Entity maintains one; and
  • Notification to major statewide media.

Exception: Own Notification Policy. An Entity that maintains its own notification procedures as part of an information security policy for the treatment of PI and whose procedures are otherwise consistent with the timing requirements of the statute, shall be deemed to be in compliance with the notification requirements of the statute, if the Entity notifies subject persons in accordance with its policies in the event of a breach of security of the system.

Exception: Compliance with Federal Regulations.

  • Any person that maintains a security breach procedure pursuant to the rules, regulations, or guidelines established by the primary federal functional regulator shall be deemed to be in compliance with this section, provided the person notifies affected individuals in accordance with the policies or the rules, regulations, procedures, or guidelines.

Other Key Provisions:

  • Delay for Law Enforcement. Any notification shall be delayed for a reasonable period of time if a law enforcement agency determines that the notification will impede a criminal investigation or national security and the law enforcement agency has made a request that the notification be delayed. Any such delayed notification shall be made after the law enforcement agency determines that notification will not compromise the criminal investigation or national security and so notifies the person of that determination.
  • Attorney General Enforcement. Failure to comply with the requirements of the act shall constitute an unfair trade practice and shall be enforced by the Attorney General.