Lawyer Publications

N.H. Rev. Stat. § 359-C:19 et seq.

H.B. 1660 (signed into law June 2, 2006)

Effective January 1, 2007

Application. Any individual, or any form of entity or government agency (collectively, Entity) doing business in NH that owns or licenses computerized data that includes PI.

Security Breach Definition. An unauthorized acquisition of computerized data that compromises the security or confidentiality of PI maintained by an Entity doing business in NH.

  • Good-faith acquisition of PI by an employee or agent of an Entity for the purposes of the Entity’s business shall not be considered a security breach, provided that the PI is not used or subject to further unauthorized disclosure.

Notification Obligation. Any Entity to which the statute applies, when it determines that misuse of PI has occurred or is reasonably likely to occur, or if a determination cannot be made, shall notify the affected individuals.

  • Notification is not required if it is determined that misuse of the PI has not occurred and is not reasonably likely to occur.

Notification to Consumer Reporting Agencies. If an Entity is required to notify more than 1,000 consumers, the Entity shall also notify, without unreasonable delay, all nationwide consumer reporting agencies of the timing, distribution, and content of the notice. This obligation does not apply to entities subject to Title V of the Gramm-Leach-Bliley Act.

Attorney General/Regulator Notification. An Entity engaged in trade or commerce that is subject to N.H. Rev. Stat. § 358-A:3(I) (trade or commerce that is subject to the jurisdiction of the Bank Commissioner, the Director of Securities Regulation, the Insurance Commissioner, the Public Utilities Commission, the financial institutions and insurance regulators of other states, or federal banking or securities regulators who possess the authority to regulate unfair or deceptive trade practices) shall also notify the regulator that has primary regulatory authority over such trade or commerce. All other Entities shall notify the state Attorney General. The notice shall include the anticipated date of the notice to the individuals and the approximate number of individuals in NH who will be notified.

Third-Party Data Notification. If an Entity maintains computerized data that includes PI that the Entity does not own, the Entity shall notify and cooperate with the owner or licensee of the PI of any breach of the security of the data immediately following discovery if the PI was acquired by an unauthorized person. Cooperation includes sharing with the owner or licensee information relevant to the breach, except that such cooperation shall not be deemed to require the disclosure of confidential or business information or trade secrets.

Timing of Notification. The Entity shall notify the affected individuals as soon as possible.

Personal Information Definition. An individual’s first name or initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

  • Social Security number;
  • Driver’s license number or other government identification number; or
  • Account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

Data shall not be considered to be encrypted if it is acquired in combination with any required key, security code, access code, or password that would permit access to the encrypted data.

PI shall not include information that is lawfully made available to the general public from federal, state, or local government records.

Notice Required. Notice shall include at a minimum:

  • A description of the incident in general terms;
  • The approximate date of the breach;
  • The type of PI obtained as a result of the security breach; and
  • The telephonic contact information of the Entity.

Notice shall be provided by one of the following methods:

  • Written notice;
  • Telephonic notice, provided that a log of each such notification is kept by the person or business who notifies affected persons;
  • Electronic notice, if the Entity’s primary means of communication with affected individuals is by electronic means; or
  • Notice pursuant to the Entity’s internal notification procedures maintained as part of an information security policy for the treatment of PI.

Substitute Notice Available. If the Entity demonstrates that the cost of providing notice would exceed $5,000, the affected class of subject individuals to be notified exceeds 1,000, or the Entity does not have sufficient contact information or consent to provide written, electronic or telephonic notice. Substitute notice shall consist of all of the following:

  • Email notice when the Entity has email addresses for the affected individuals;
  • Conspicuous posting of the notice on the Entity’s website, if the Entity maintains one; and
  • Notification to major statewide media.

Exception: Compliance with Other Laws.

  • Primary Regulator. An Entity engaged in trade or commerce that maintains procedures for security breach notification pursuant to laws, rules, regulations, guidance, or guidelines issued by a state or federal regulator shall be deemed to be in compliance with this subdivision if it acts in accordance with such laws, rules, regulations, guidance or guidelines.

Other Key Provisions:

  • Delay for Law Enforcement. The notification may be delayed if a law enforcement agency or national or homeland security agency determines that the notification will impede a criminal investigation or jeopardize national or homeland security.
  • Attorney General Enforcement.
  • Private Right of Action. Any person injured by any violation may bring a civil action. If the court finds for the plaintiff, recovery shall be in the amount of actual damages. If the court finds that the act or practice was willful or knowing, it shall award as much as three times but not less than two times, such amount. In addition, a prevailing plaintiff shall be awarded the costs of the suit and attorney’s fees, as determined by the court. Injunctive relief shall be available to private individuals under this chapter without bond, subject to the discretion of the court.
  • Waiver Not Permitted.