Definitions
If a company or person holds private information about Missouri residents on a computer, and that information gets accessed without permission, they have to tell the affected people about it. The notice has to happen without unreasonable delay, describe what happened, and tell people how to protect themselves. If more than 1,000 people are affected, the company also has to notify the attorney general and major credit reporting agencies. The attorney general can sue a company that knowingly breaks this law and ask for up to $150,000 in fines per breach.
407.1500. Definitions — notice to for , procedure — may bring for . — 1. As used in this section, the following terms mean:
(1) "Breach of security" or "", unauthorized access to and unauthorized acquisition of maintained in computerized form by a person that compromises the , , or of the personal information. acquisition of personal information by a person or that person's employee or for a purpose of that person is not a breach of security, provided that the personal information is not used in violation of applicable law or in a manner that harms or poses an actual threat to the security, confidentiality, or integrity of the personal information;
(2) "Consumer", an individual who is a resident of this state;
(3) "", the same as defined by the , 15 U.S.C. Section 1681a;
(4) "", the use of an algorithmic to transform data into a form in which the data is rendered unreadable or unusable without the use of a confidential process or key;
(5) "Health insurance ", an individual's health insurance policy number or identification number, any unique identifier used by a health to identify the individual;
(6) "Medical information", any information regarding an individual's medical history, mental or physical condition, or medical treatment or by a ;
(7) "Owns or s" includes, but is not limited to, personal information that a business retains as part of the internal customer account of the business or for the purpose of using the information in transactions with the person to whom the information relates;
(8) "Person", any individual, , business trust, , trust, , , association, , government, governmental , governmental agency, governmental , public corporation, or any other legal or commercial ;
(9) "Personal information", an individual's first name or first initial and last name in combination with any one or more of the following data elements that relate to the individual if any of the data elements are not , , or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable or unusable:
(a) Social Security number;
(b) Driver's license number or other unique identification number created or collected by a government body;
(c) Financial account number, card number, or debit card number in combination with any required security code, access code, or password that would access to an individual's financial account;
(d) Unique electronic identifier or routing code, in combination with any required security code, access code, or password that would permit access to an individual's financial account;
(e) Medical information; or
(f) Health insurance information.
(10) "Redacted", altered or truncated such that no more than five digits of a Social Security number or the last four digits of a driver's license number, state number, or account number is accessible as part of the personal information.
2. (1) Any person that owns or licenses personal information of residents of Missouri or any person that conducts business in Missouri that owns or licenses personal information in any form of a resident of Missouri shall provide notice to the affected consumer that there has been a breach of security following or notification of the breach. The disclosure notification shall be:
(a) Made without unreasonable delay;
(b) Consistent with the legitimate needs of law , as provided in this section; and
(c) Consistent with any measures necessary to determine sufficient contact information and to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.
(2) Any person that maintains or possesses records or data containing personal information of residents of Missouri that the person does not own or license, or any person that conducts business in Missouri that maintains or possesses records or data containing personal information of a resident of Missouri that the person does not own or license, shall notify the owner or of the information of any breach of security immediately following discovery of the breach, consistent with the legitimate needs of law enforcement as provided in this section.
(3) The notice required by this section may be delayed if a informs the person that notification may impede a criminal investigation or jeopardize or homeland security, provided that such request by law enforcement is made in writing or the person documents such request contemporaneously in writing, including the name of the making the request and the officer's law enforcement agency engaged in the investigation. The notice required by this section shall be provided without unreasonable delay after the law enforcement agency communicates to the person its that notice will no longer impede the investigation or jeopardize national or homeland security.
(4) The notice shall at minimum include a description of the following:
(a) The incident in general terms;
(b) The type of personal information that was obtained as a result of the breach of security;
(c) A telephone number that the affected consumer may call for further information and assistance, if one exists;
(d) Contact information for consumer reporting agencies;
(e) Advice that directs the affected consumer to remain vigilant by reviewing account statements and monitoring free credit reports.
(5) (1) and (2) of this , notification is not required if, after an investigation by the person or after consultation with the relevant federal, state, or local agencies responsible for law enforcement, the person that a risk of or other to any consumer is not reasonably likely to occur as a result of the breach. Such a determination shall be documented in writing and the documentation shall be maintained for five years.
(6) For purposes of this section, notice to affected consumers shall be provided by one of the following methods:
(a) Written notice;
(b) Electronic notice for those consumers for whom the person has a valid email address and who have agreed to receive communications electronically, if the notice provided is consistent with the of 15 U.S.C. Section 7001 regarding electronic records and signatures for notices legally required to be in writing;
(c) Telephonic notice, if such contact is made directly with the affected consumers; or
(d) , if:
a. The person demonstrates that the cost of providing notice would exceed one hundred thousand dollars; or
b. The class of affected consumers to be notified exceeds one hundred fifty thousand; or
c. The person does not have sufficient contact information or to satisfy paragraphs (a), (b), or (c) of this subdivision, for only those affected consumers without sufficient contact information or consent; or
d. The person is unable to identify particular affected consumers, for only those unidentifiable consumers.
(7) Substitute notice under paragraph (d) of subdivision (6) of this subsection shall consist of all the following:
(a) Email notice when the person has an for the affected consumer;
(b) of the notice or a link to the notice on the internet website of the person if the person maintains an internet website; and
(c) Notification to major statewide media.
(8) In the event a person provides notice to more than one thousand consumers at one time this section, the person shall notify, without unreasonable delay, the attorney general's office and all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 U.S.C. Section 1681a(p), of the timing, distribution, and content of the notice.
3. (1) A person that maintains its own notice procedures as part of an information security policy for the treatment of personal information, and whose procedures are otherwise consistent with the timing requirements of this section, is to be in with the notice requirements of this section if the person notifies affected consumers in accordance with its policies in the event of a breach of security of the system.
(2) A person that is regulated by state or federal law and that maintains procedures for a breach of the security of the system pursuant to the laws, rules, regulations, guidances, or established by its primary or is deemed to be in compliance with this section if the person notifies affected consumers in accordance with the maintained procedures when a breach occurs.
(3) A that is:
(a) Subject to and in compliance with the Federal Interagency Guidance Response Programs for Unauthorized Access to Customer Information and Customer Notice, issued on March 29, 2005, by the of governors of the Federal System, the , the Office of the Comptroller of the Currency, and the Office of Thrift Supervision, and any revisions, additions, or substitutions relating to said interagency guidance; or
(b) Subject to and in compliance with the National regulations in 12 Part 748; or
(c) Subject to and in compliance with the provisions of V of the Gramm-Leach-Bliley Financial Modernization Act of 1999, 15 U.S.C. Sections 6801 to 6809;
4. The attorney general shall have to bring an action to obtain for a of this section and may seek a not to exceed one hundred fifty thousand dollars per breach of the security of the system or series of breaches of a similar nature that are discovered in a single investigation.
Tap any gold-underlined word to see what it means.
Source & history notes
(L. 2009 H.B. 62)
Legal information, not legal advice. Always confirm with the official source at revisor.mo.gov.