N.H. Rev. Stat. § 359-C:19 et seq.

H.B. 1660 (signed into law June 2, 2006)

Effective January 1, 2007


Application. Any individual, corporation, trust, partnership, incorporated or unincorporated association, limited liability company, or other form of entity, or any agency, authority, board, court, department, division, commission, institution, bureau, or other state governmental entity, or any political subdivision of the state (collectively, Entity) doing business in NH that owns or licenses computerized data that includes PI.

  • The provisions governing maintenance of PI that the Entity does not own appear applicable to any Entity maintaining PI, whether or not the Entity does business in NH.

Security Breach Definition. An unauthorized acquisition of computerized data that compromises the security or confidentiality of PI maintained by an Entity doing business in NH.

  • Good-faith acquisition of PI by an employee or agent of an Entity for the purposes of the Entity’s business shall not be considered a security breach, provided that the PI is not used or subject to further unauthorized disclosure.

Notification Obligation. Any Entity to which the statute applies, when it becomes aware of a security breach and determines that misuse of the information has occurred or is reasonably likely to occur, or if a determination cannot be made, shall notify the affected individuals.

  • Notification is not required if it is determined that misuse of the information has not occurred and is not reasonably likely to occur.

Notification to Consumer Reporting Agencies. If an Entity is required to notify more than 1,000 consumers, the Entity shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the anticipated date of the notification, the approximate number of consumers who will be notified, and the content of the notice. This obligation does not apply to entities subject to Title V of the Gramm-Leach-Bliley Act.

Attorney General/Regulator Notification. An Entity engaged in trade or commerce that is subject to N.H. Rev. Stat. § 358-A:3(I) (trade or commerce that is subject to the jurisdiction of the bank commissioner, the director of securities regulation, the insurance commissioner, the public utilities commission, the financial institutions and insurance regulators of other states, or federal banking or securities regulators who possess the authority to regulate unfair or deceptive trade practices) shall also notify the regulator which has primary regulatory authority over such trade or commerce. All other Entities shall notify the state AG. The notice shall include the anticipated date of the notice to the individuals and the approximate number of individuals in NH who will be notified.

Third-Party Data Notification. If an Entity maintains computerized data that includes PI that the Entity does not own, the Entity shall notify and cooperate with the owner or licensee of the information of any breach of the security of the data immediately following discovery if the PI was acquired by an unauthorized person. Cooperation includes sharing with the owner or licensee information relevant to the breach, except that such cooperation shall not be deemed to require the disclosure of confidential or business information or trade secrets.

Timing of Notification. The Entity shall notify the affected individuals as soon as possible.

Personal Information Definition. An individual’s first name or initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

  • Social Security Number;
  • Driver license number or other government identification number; or
  • Account number or credit card number or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

Data shall not be considered to be encrypted if it is acquired in combination with any required key, security code, access code, or password that would permit access to the encrypted data.

PI shall not include information that is lawfully made available to the general public from federal, state, or local government records.

Notice Required. Notice shall include at a minimum:

  • A description of the incident in general terms;
  • The approximate date of the breach;
  • The type of PI obtained as a result of the security breach; and
  • The telephonic contact information of the Entity.

Notice shall be provided by one of the following methods:

  • Written notice;
  • Telephonic notice, provided that a log of each such notification is kept by the person or business who notifies affected persons;
  • Electronic notice, if the Entity’s primary means of communication with affected individuals is by electronic means; or
  • Notice pursuant to the Entity’s internal notification procedures maintained as part of an information security policy for the treatment of PI.

Substitute Notice Available. Substitute notice is available if the Entity demonstrates that the cost of providing notice would exceed $5,000, the affected class of subject individuals to be notified exceeds 1,000, or the Entity does not have sufficient contact information or consent to provide written, electronic or telephonic notice. Substitute notice shall consist of all of the following:

  • Email notice when the Entity has an email address for the affected individuals;
  • Conspicuous posting of the notice on the Entity’s Web site if the Entity maintains one; and
  • Notification to major statewide media.

Exception: Compliance with Other Laws

  • Primary Regulator. An Entity engaged in trade or commerce that maintains procedures for security breach notification pursuant to laws, rules, regulations, guidance, or guidelines issued by a state or federal regulator shall be deemed to be in compliance with this subdivision if it acts in accordance with such laws, rules, regulations, guidance or guidelines.

Other Key Provisions:

  • Delay for Law Enforcement. The notification may be delayed if a law enforcement agency or national or homeland security agency determines that the notification will impede a criminal investigation or jeopardize national or homeland security.
  • AG Enforcement.
  • Private Right of Action. Any person injured by any violation may bring a civil action. If the court finds for the plaintiff, recovery shall be in the amount of actual damages. If the court finds that the act or practice was willful or knowing, it shall award as much as three times, but not less than two times, such amount. In addition, a prevailing plaintiff shall be awarded the costs of the suit and attorney’s fees, as determined by the court. Injunctive relief shall be available to private individuals under this chapter without bond, subject to the discretion of the court.
  • Waiver Not Permitted.