Missouri finally passed a data breach notification law this year as part of an omnibus crime bill, H.B. 62. That brings the number of states without data breach notification laws to five: Alabama, Kentucky, Mississippi, New Mexico, and South Dakota.
The law itself is pretty standard, at least as much as anything with fifty-five versions can be called “standard.” It requires anyone holding personal information about a Missouri resident to notify the resident of a breach of security, defines “personal information” as any of the usual suspects in combination with a name (although, as John Bambenek points out, a name isn’t actually needed to steal money from someone’s checking account with ACH), requires the notice to be made “without unreasonable delay,” and allows safe harbors for encrypted data and for cases where the data handler determines that identity theft is not likely. Notice can be written, by phone, or by certain electronic means. The law allows substitute notice if direct notice would cost over $100,000, if more than 50,000 people are affected, or if the data handler doesn’t have enough contact information to reach people directly. A data handler that has to notify more than one thousand people also has to alert the media, the attorney general’s office, and the consumer credit reporting agencies. Enforcement is by the attorney general, with a civil penalty of up to $50,000 per breach for willful violations.
Senator Feinstein’s national data breach notification bill hasn’t emerged from committee since she introduced it in January. It’s now a bit of a race to see which happens first: a nationwide breach notification bill, or the remaining states passing their own versions.