407.1500. Definitions--notice to consumer for breach of security, procedure--attorney general may bring action for damages.
407.1500. 1. As used in this section, the following terms mean:
(1) "Breach of security" or "breach", unauthorized access to and unauthorized acquisition of personal information maintained in computerized form by a person that compromises the security, confidentiality, or integrity of the personal information. Good faith acquisition of personal information by a person or that person's employee or agent for a legitimate purpose of that person is not a breach of security, provided that the personal information is not used in violation of applicable law or in a manner that harms or poses an actual threat to the security, confidentiality, or integrity of the personal information;
(2) "Consumer", an individual who is a resident of this state;
(3) "Consumer reporting agency", the same as defined by the federal Fair Credit Reporting Act, 15 U.S.C. Section 1681a;
(4) "Encryption", the use of an algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without the use of a confidential process or key;
(5) "Health insurance information", an individual's health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual;
(6) "Medical information", any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional;
(7) "Owns or licenses" includes, but is not limited to, personal information that a business retains as part of the internal customer account of the business or for the purpose of using the information in transactions with the person to whom the information relates;
(8) "Person", any individual, corporation, business trust, estate, trust, partnership, limited liability company, association, joint venture, government, governmental subdivision, governmental agency, governmental instrumentality, public corporation, or any other legal or commercial entity;
(9) "Personal information", an individual's first name or first initial and last name in combination with any one or more of the following data elements that relate to the individual if any of the data elements are not encrypted, redacted, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable or unusable:
(a) Social Security number;
(b) Driver's license number or other unique identification number created or collected by a government body;
(c) Financial account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account;
(d) Unique electronic identifier or routing code, in combination with any required security code, access code, or password that would permit access to an individual's financial account;
(e) Medical information; or
(f) Health insurance information.
"Personal information" does not include information that is lawfully obtained from publicly available sources, or from federal, state, or local government records lawfully made available to the general public;
(10) "Redacted", altered or truncated such that no more than five digits of a social security number or the last four digits of a driver's license number, state identification card number, or account number is accessible as part of the personal information.
2. (1) Any person that owns or licenses personal information of residents of Missouri or any person that conducts business in Missouri that owns or licenses personal information in any form of a resident of Missouri shall provide notice to the affected consumer that there has been a breach of security following discovery or notification of the breach. The disclosure notification shall be:
(a) Made without unreasonable delay;
(b) Consistent with the legitimate needs of law enforcement, as provided in this section; and
(c) Consistent with any measures necessary to determine sufficient contact information and to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.
(2) Any person that maintains or possesses records or data containing personal information of residents of Missouri that the person does not own or license, or any person that conducts business in Missouri that maintains or possesses records or data containing personal information of a resident of Missouri that the person does not own or license, shall notify the owner or licensee of the information of any breach of security immediately following discovery of the breach, consistent with the legitimate needs of law enforcement as provided in this section.
(3) The notice required by this section may be delayed if a law enforcement agency informs the person that notification may impede a criminal investigation or jeopardize national or homeland security, provided that such request by law enforcement is made in writing or the person documents such request contemporaneously in writing, including the name of the law enforcement officer making the request and the officer's law enforcement agency engaged in the investigation. The notice required by this section shall be provided without unreasonable delay after the law enforcement agency communicates to the person its determination that notice will no longer impede the investigation or jeopardize national or homeland security.
(4) The notice shall at minimum include a description of the following:
(a) The incident in general terms;
(b) The type of personal information that was obtained as a result of the breach of security;
(c) A telephone number that the affected consumer may call for further information and assistance, if one exists;
(d) Contact information for consumer reporting agencies;
(e) Advice that directs the affected consumer to remain vigilant by reviewing account statements and monitoring free credit reports.
(5) Notwithstanding subdivisions (1) and (2) of this subsection, notification is not required if, after an appropriate investigation by the person or after consultation with the relevant federal, state, or local agencies responsible for law enforcement, the person determines that a risk of identity theft or other fraud to any consumer is not reasonably likely to occur as a result of the breach. Such a determination shall be documented in writing and the documentation shall be maintained for five years.
(6) For purposes of this section, notice to affected consumers shall be provided by one of the following methods:
(a) Written notice;
(b) Electronic notice for those consumers for whom the person has a valid e-mail address and who have agreed to receive communications electronically, if the notice provided is consistent with the provisions of 15 U.S.C. Section 7001 regarding electronic records and signatures for notices legally required to be in writing;
(c) Telephonic notice, if such contact is made directly with theaffected consumers; or
(d) Substitute notice, if:
a. The person demonstrates that the cost of providing notice would exceed one hundred thousand dollars; or
b. The class of affected consumers to be notified exceeds one hundred fifty thousand; or
c. The person does not have sufficient contact information or consent to satisfy paragraphs (a), (b), or (c) of this subdivision, for only those affected consumers without sufficient contact information or consent; or
d. The person is unable to identify particular affected consumers, for only those unidentifiable consumers.
(7) Substitute notice under paragraph (d) of subdivision (6) of this subsection shall consist of all the following:
(a) E-mail notice when the person has an electronic mail address for the affected consumer;
(b) Conspicuous posting of the notice or a link to the notice on the Internet web site of the person if the person maintains an Internet web site; and
(c) Notification to major statewide media.
(8) In the event a person provides notice to more than one thousand consumers at one time pursuant to this section, the person shall notify, without unreasonable delay, the attorney general's office and all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 U.S.C. Section 1681a(p), of the timing, distribution, and content of the notice.
3. (1) A person that maintains its own notice procedures as part of an information security policy for the treatment of personal information, and whose procedures are otherwise consistent with the timing requirements of this section, is deemed to be in compliance with the notice requirements of this section if the person notifies affected consumers in accordance with its policies in the event of a breach of security of the system.
(2) A person that is regulated by state or federal law and that maintains procedures for a breach of the security of the system pursuant to the laws, rules, regulations, guidances, or guidelines established by its primary or functional state or federal regulator is deemed to be in compliance with this section if the person notifies affected consumers in accordance with the maintained procedures when a breach occurs.
(3) A financial institution that is:
(a) Subject to and in compliance with the Federal Interagency Guidance Response Programs for Unauthorized Access to Customer Information and Customer Notice, issued on March 29, 2005, by the board of governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision, and any revisions, additions, or substitutions relating to said interagency guidance; or
(b) Subject to and in compliance with the National Credit Union Administration regulations in 12 CFR Part 748; or
(c) Subject to and in compliance with the provisions of Title V of the Gramm-Leach-Bliley Financial Modernization Act of 1999, 15 U.S.C. Sections 6801 to 6809;
shall be deemed to be in compliance with this section.
4. The attorney general shall have exclusive authority to bring an action to obtain actual damages for a willful and knowing violation of this section and may seek a civil penalty not to exceed one hundred fifty thousand dollars per breach of the security of the system or series of breaches of a similar nature that are discovered in a single investigation.
(L. 2009 H.B. 62)