Security Breach Notifications

Notification of Security Breaches of Personal Information

NH RSA 359-C:20

Any business which maintains computerized information that includes Personal Information has an obligation under New Hampshire law to notify consumers if there is security breach that compromises the security or confidentiality of that data.   Under the statute, Personal Information is defined as the individual’s first and last name in combination with any one or more of the following: social security number, driver’s license number or other government identification number, or identifying account number.   

As soon as a business becomes aware that the security or confidentiality of Personal Information has been compromised, it must promptly determine the likelihood that the compromised information has or will be misused.  If it determines the information has been misused, is likely to be misused or if a determination cannot be made, the business must:

(a) notify the affected individuals either in writing, by e-mail or by telephone of the approximate date of the breach, the circumstances of the breach and the information compromised; and 

(b) report the breach to its primary regulatory authority, if applicable or to the New Hampshire Attorney General; and

(c) if over 1,000 people are affected, report the breach to all national consumer reporting agencies of the date of notification to the consumers and the approximate number of consumers affected.  

The New Hampshire Attorney General posts all security breach notifications on this website.  

The Attorney General Consumer Protection and Antitrust Bureau has administrative enforcement authority and private individuals have a private right of action for violations of the statute.