Breach Based on Harm Threshold: Yes
Deadline for Consumer Notice: Without unreasonable delay
Government Notification Required: Yes, if >1,000 residents notified
Scope of this Summary:
Notification requirements applicable to individuals or entities that own, license, or maintain covered info. Some types of businesses may be exempt from some or all of these requirements, and non-commercial entities may be subject to different requirements.
Risk of Harm Threshold
Notification is not required if, after an appropriate investigation or after consultation with the relevant federal, state, or local law enforcement agencies, the covered entity determines that a risk of identity theft or other fraud to any consumer is not reasonably likely to occur as a result of the breach. The covered entity must document its determination in writing and maintain it for five years.
Unauthorized access and acquisition that compromises the security, confidentiality, or integrity of the covered info, excluding certain good-faith acquisitions by employees or agents.
Encryption Safe Harbor
Statute does not apply to information that is encrypted, redacted, or otherwise altered in such a manner to make it unreadable or unusable.
Form of Covered Info
An individual's first name or first initial and last name in combination with any one or more of the following data elements:
- Social Security number.
- Driver's license number or other unique identification number created or collected by a government body.
- Financial account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account.
- Unique electronic identifier or routing code, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
- Medical information.
- Health insurance information.
Consumer Notice Timing
Must be made without unreasonable delay, consistent with any measures necessary to determine scope of the breach and sufficient contact information for affected residents and to restore the reasonable integrity, security, and confidentiality of the system.
Consumer Notice Method
In writing, by telephone (if contact made directly with affected resident), or electronic notice (if entity has valid email address, resident agreed to receive communications electronically, and notice is consistent with E-SIGN). Substitute notice available if certain criteria are satisfied.
Consumer Notice Contents
The notification shall at minimum include a description of the following:
- The incident in general terms.
- The type of personal information that was obtained as a result of the breach of security.
- A telephone number that the affected consumer may call for further information and assistance, if one exists.
- Contact information for Consumer Reporting Agencies.
- Advice that directs the affected consumer to remain vigilant by reviewing account statements and monitoring free credit reports.
Notification may be delayed if law enforcement determines that notification will impede a criminal investigation or jeopardize national or homeland security. The request must be in writing or documented by the covered entity contemporaneously and include the officer name and agency.
If more than 1,000 residents are notified, must, without unreasonable delay, notify Attorney General's office of timing, distribution, and content of the consumer notice.
Consumer Reporting Agency Notice
If more than 1,000 residents are notified, must, without unreasonable delay, notify all Consumer Reporting Agencies of timing, distribution, and content of the consumer notice.
Exceptions for Other Laws
A covered entity is deemed in compliance if it is: a financial institution subject to the Federal Interagency Guidance Response Programs for Unauthorized Access to Customer Information and Customer Notice (70 Fed. Reg. 15,736 (March 29, 2005)); the National Credit Union Administration security program regulations (12 CFR §§ 748.0 to 748.2); or the Gramm-Leach-Bliley Act (GLBA).
If you maintain covered info on behalf of another entity, you must notify it immediately following discovery of a breach.
Private Right of Action
The Missouri statute does not provide for a private right of action.
Violations may result in civil penalties.