
Missouri State Security Breach Laws

On July 9, 2009, Missouri became the 45th state to enact a data breach notification law.  This leaves Alabama, Kentucky, Mississippi, New Mexico, and South Dakota as the only remaining states without a breach notification requirement. The Missouri law went into effect Aug. 28, 2009.

 

The law contains a broad definition of personal information. It defines personal information as an individual’s first name or first initial and last name in combination with any one or more of the following data elements that relate to the individual if any of the data elements are not encrypted, redacted, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable or unusable:

(a)  Social Security number;

(b)  Driver’s license number or other unique identification number;

(c)  Financial account number, credit card number, or debit card number in combination with any required security code, access code or password that would permit access to an individual’s financial account;

(d)  Unique electronic identifier or routing code, in combination with any required security code, access code, or password that would permit access to an individual’s financial account;

(e)  Medical information; or

(f)  Health insurance information.

 

The law applies to any person that owns or licenses personal information of residents of Missouri, or any person that conducts business in Missouri and owns or licenses personal information in any form of a resident of Missouri. Such a person shall provide notice to the affected consumer that there has been a breach of security following discovery or notification of the breach.

 

The notice shall at a minimum include a description of the following:

(a)  The incident in general terms;

(b)  The type of personal information that was obtained as a result of the breach of security;

(c)  A telephone number that the affected consumer may call for further information and assistance, if one exists;

(d)  Contact information for consumer reporting agencies;

(e)  Advice that directs the affected consumer to remain vigilant by reviewing account statements and monitoring free credit reports.

 

In the event a person provides notice to more than 1,000 consumers at one time, the person shall notify, without reasonable delay, the attorney general’s office and all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.

 

The attorney general shall have exclusive authority to bring an action to obtain actual damages for a willful and knowing violation of this section and may seek a civil penalty not to exceed $150,000 per breach of the security system or series of breaches of a similar nature that are discovered in a single investigation.

 

House Bill 62

 

Visit the state Web site

 

Copyright © 2009 by the American Institute of Certified Public Accountants, Inc., New York, New York.