Breach Based on Harm Threshold: Yes
Deadline for Consumer Notice: As soon as possible
Government Notification Required: Yes
Scope of this Summary:
Notification requirements applicable to persons who conduct businesses in the state or who own, license, or maintain covered info. Some types of businesses may be exempt from some or all of these requirements, and non-commercial entities may be subject to different requirements.
Risk of Harm Threshold
Notification not required if entity determines that misuse of the covered info has not occurred and is not reasonably likely to occur.
Unauthorized acquisition of computerized data that compromises the security or confidentiality of personal information maintained by a covered entity.
Encryption Safe Harbor
Statute does not apply to information that is encrypted or secured by a method that renders the covered info completely unreadable or unusable so long as encryption key was not also acquired.
Form of Covered Info
An individual's first name or initial and last name in combination with any one or more of the following data elements:
- Social Security number.
- Driver's license number or other government identification number.
- Account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
Consumer Notice Timing
Must be made as soon as possible following determination that covered information has been or is reasonably likely to be misused or following conclusion that such determination cannot be made.
Consumer Notice Method
By written notice, electronic notice (if the primary means of communication with affected individuals), or by telephone notice (if a log of the notification is kept). Substitute notice is available if certain criteria are satisfied.
Consumer Notice Content
The notification shall include at a minimum:
- A description of the incident in general terms.
- The approximate date of breach.
- The type of personal information obtained as a result of the security breach.
- The telephonic contact information of the person required to notify affected individuals
The covered entity may delay giving notice if a law enforcement or national security agency determines that the notice will impede a criminal investigation or jeopardize national security.
All entities that do not fall under the jurisdiction of a regulator specified below must notify the Attorney General's office of the breach. Such notice must include the anticipated date of the notice to individuals and the approximate number of individuals who will be notified. Different regulators may have different notification requirements and deadlines.
Entities subject to the jurisdiction of the bank commissioner, director of securities regulation, insurance commissioner, public utilities commission, the financial institutions and insurance regulators of other states, or federal banking or securities regulators must notify their primary regulator of the breach.
Consumer Reporting Agency Notice
If required to notify more than 1,000 persons, must notify, without unreasonable delay, all nationwide Consumer Reporting Agencies of the anticipated date of notification, approximate number of consumers to be notified, and the content of the notice.
Exceptions for Other Laws
Licensees will be exempt from the statute's notification provisions if they are subject to the Gramm-Leach-Bliley Act (GLBA) and provide notice to affected consumers for security breaches consistent with the GLBA's requirements.
If you maintain covered info on behalf of another entity, you must notify and cooperate with it immediately following discovery of a breach if the covered info was acquired by an unauthorized person. Cooperation includes sharing information relevant to the breach but not disclosure of confidential info or trade secrets.
Private Right of Action
Under New Hampshire's general data breach notification statute, affected persons injured as a result of a security breach may bring an action for damages.
Violations may result in civil penalties.