Data Privacy Map - New Hampshire

Highlights

Consumer Notification: When a covered entity becomes aware of a breach and they “promptly determine the likelihood the information has been or will be misused.” If PI has been, is reasonably likely to be misused, or it cannot be determined, the entity “shall notify the affected individuals as soon as possible….”

Regulatory Notification: Must notify New Hampshire Attorney General if one person in New Hampshire is notified.

Notification Timeline: “As soon as possible…”

Data Format: Electronic

Citations: N.H. Rev. Stat. §§ 359-C:19-21

More Details

Definitions:

• Breach: “unauthorized acquisition of computerized data from compromises the security or confidentiality of personal information” except for a good faith acquisition of that data.
• Personal Information (PI):
  • First name or initial and last name in combination with any one or more of the following data elements when either the name or data elements are unencrypted:
    • Social Security number
    • Driver’s License number or other government identification number
    • Account number, credit card number, or debit card number in combination with a code or password allowing access to an individual’s financial account.
    • Personal information does not include public data gathered from federal, state, or local government records.

Safe Harbors:

• Encryption: Personal information that is encrypted is not subject to notification, so long as the encryption keys were not also acquired and “would permit access to the encrypted data.”
• Good Faith: When PI is acquired by an employee or agent of a person for “the purposes of the person’s business” so long as that PI is “not used or subject to further unauthorized disclosure.”
• Risk of Harm: There is no notification required if the entity can promptly determine it is reasonably unlikely that personal “information has been or will be misused”
• Law Enforcement Delay: May delay reporting if “a law enforcement agency, or national or homeland security agency determines that the notification will impede a criminal investigation or jeopardize national or homeland security.”

Direct Notice:

• Timing: “As soon as possible”
• Format: Written, Electronic
• Content:
  • General description of the incident
  • “[A]pproximate date of the breach”
  • “[P]ersonal information obtained” from the breach
  • “Telephonic contact information” of the covered entity reporting the breach
• Method:
  • Written
  • Electronic, if the affected entity’s “primary means of communication” with impacted individuals is electronic.
  • Telephonic, provided a log is kept of the notification
  • Substitute notice

Substitute Notice:

If the cost of noticing affected individuals exceeds $5,000 or it is more than 1,000 people, or there is not “sufficient contact information or consent to provide” written, electronic, or telephonic notice then may provide substitute notice by the doing all the below:

• Email notice when an email address is known
• Conspicuous website posting
• “Notification to major statewide media”
• "Notification pursuant to international procedures set up in “an information security policy for the treatment of personal information”

Remediation Services:

N/A

Regulatory Notice:

Notification to include “anticipated date of the notice to the individuals and the approximate number of individuals” in New Hampshire who will be notified.

Credit Reporting Agencies Notice:

If more than 1,000 consumers are notified, the entity “shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis” of the anticipated date consumer will be notified, approximately how many will be notified, and the content of the notification. This does not apply if the entity is subject to GLBA.

Third-Party Notice:

If a person or business maintains PI that it does not own, the person or business “shall notify and cooperate with the owner or licensee of the information” regarding any breach immediately after learning an unauthorized person acquired PI.

HIPAA:

N/A

Private Action:

Yes, any person injured by a violation may bring an action for damages and equitable relief. If successful, plaintiffs may recover actual damages. If the violation was willful or knowing, a court may award no less than 2 and no more than 3 times the amount of actual damages. A successful plaintiff may also be awarded attorney’s fees and costs.

Associated Regulations:

N/A

Highlights

Covered Entities (Licensee): Any entity licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of this state but shall not include a purchasing group or a risk retention group chartered and licensed in a state other than this state or a person that is acting as an assuming insurer that is domiciled in another state or jurisdiction.

Security Standard: Each licensee shall develop, implement, and maintain a comprehensive written information security program based on the licensee's risk assessment; the program must contain administrative, technical, and physical safeguards for the protection of nonpublic information and the licensee's information system. The information security program shall be commensurate with the size and complexity of the licensee, the nature and scope of the licensee's activities, including its use of third-party service providers, and the sensitivity of the nonpublic information used by the licensee or in the licensee's possession, custody, or control. The insurer will annually submit to the insurance commissioner a written statement certifying compliance.

Consumer Notification: A licensee shall notify consumers by complying with RSA 359-C:20V, and VI, I(a) and (c), II-I, which requires notification “as soon as possible”, and providing a copy of the notice sent to consumers under that statute to the commissioner, when a licensee is required to notify the commissioner

Regulatory Notification: A licensee shall notify the commissioner within 3 business days that a cybersecurity event has occurred if the licensee is domiciled in NH and the incident has a reasonable likelihood of materially harming a consumer or reasonably believes more than 250 residents are affected and the incident impacts the licensee or is reasonably likely of materially harming state residents or material parts of the licensee’s normal operations.

Notification Timeline: The licensee must notify the Commissioner within three business days of a cybersecurity event, and must notify consumers “as soon as possible” per N.H. Rev. Stat. §§ 359-C:20(I)(a)

Citations: N.H. RSA §§ 420-P:1 to 420-P:14

More Details

Definitions:

• Consumer: An individual, including, but not limited to, an applicant, policyholder, insured, beneficiary, claimant, and certificate holder, who is a resident of this state and whose nonpublic information is in a licensee's possession, custody, or control.
• Cybersecurity Event: An event resulting in unauthorized access to, disruption or misuse of, an information system or nonpublic information stored on such information system. The term shall not include: (i) the unauthorized acquisition of encrypted nonpublic information if the encryption, process, or key is not also acquired, released, or used without authorization; and/or (ii) the nonpublic information accessed by an unauthorized person has not been used or released and has been returned or destroyed.
• Third-party service provider: An entity, not otherwise defined as a licensee, that contracts with a licensee to maintain, process, store or otherwise is permitted access to nonpublic information through its provision of services to the licensee.
• Nonpublic Information: Information that is not publicly available information and is:
  
  • Any information concerning a consumer which because of name, number, personal mark, or other identifier can be used to identify such consumer, in combination with any one or more of the following data elements:
    
    • Social Security number;
    • Driver’s license number or non-driver identification card number;
    • Financial account number, credit or debit card number;
    • Any security code, access code, or password that would permit access to a consumer’s financial account; or
    • Biometric records.
  • Any information or data, except age or gender, in any form created by or derived from a health care provider or a consumer, that can be used to identify a particular consumer, and that relates to:
    
    • The past, present, or future physical, mental or behavioral health or condition of any consumer or a member of the consumer’s family;
    • The provision of health care to any consumer; or
    • Payment for the provision of health care to any consumer.
• Publicly available information: any information that a licensee has a reasonable basis to believe is lawfully made available to the general public from: federal, state, or local government records; widely distributed media; or disclosures to the general public that are required to be made by federal, state, or local law. For the purposes of this paragraph, a licensee has a reasonable basis to believe that information is lawfully made available to the general public if the licensee has taken steps to determine:
  
  • That the information is of the type that is available to the general public; and
  • Whether a consumer can direct that the information not be made available to the general public and, if so, that such consumer has not done so.

Regulatory Notice:

A licensee shall notify the commissioner within 3 business days of a determination that a cybersecurity event has occurred, when either of the following criteria has been met:

• New Hampshire is the licensee's state of domicile, in the case of an insurer, or this state is the licensee's home state, in the case of a producer, as those terms are defined in RSA 402-J, and the cybersecurity event has a reasonable likelihood of materially harming a consumer residing in this state or reasonable likelihood of materially harming any material part of the normal operations of the licensee; or
• The licensee reasonably believes that the nonpublic information involves 250 or more consumers residing in New Hampshire and that the cybersecurity event:
  
  • Impacts the licensee, in which case notice shall be provided to any government body, self-regulatory agency, or any other supervisory body pursuant to any state or federal law; or
  • Has a reasonable likelihood of materially harming any consumer residing in this state or any material part of the normal operations of the licensee.

Content Requirements:

The licensee shall provide as much of the following information as possible. The licensee shall provide the information in electronic form as directed by the commissioner. The licensee shall have a continuing obligation to update and supplement initial and subsequent notifications to the commissioner regarding material changes to previously provided information relating to the cybersecurity event.

• Date of the cybersecurity event.
• Description of how the information was exposed, lost, stolen, or breached, including the specific roles and responsibilities of third-party service providers, if any.
• How the cybersecurity event was discovered.
• Whether any lost, stolen, or breached information has been recovered and, if so, how this was done.
• The identity of the source of the cybersecurity event.
• Whether the licensee has filed a police report or has notified any regulatory, government, or law enforcement agencies and, if so, when such notification was provided.
• Description of the specific types of information acquired without authorization. Specific types of information means particular data elements including, for example, types of medical information, types of financial information, or types of information allowing identification of the consumer.
• The period during which the information system was compromised by the cybersecurity event.
• The number of total consumers in this state affected by the cybersecurity event. The licensee shall provide the best estimate in the initial report to the commissioner and update this estimate with each subsequent report to the commissioner pursuant to this section.
• The results of any internal review identifying a lapse in either automated controls or internal procedures, or confirming that all automated controls or internal procedures were followed.
• Description of efforts being undertaken to remediate the situation which permitted the cybersecurity event to occur.
• A copy of the licensee's privacy policy and a statement outlining the steps the licensee will take to investigate and notify consumers affected by the cybersecurity event.
• Name of a contact person who is both familiar with the cybersecurity event and authorized to act for the licensee.

Third-Party Notice Requirements:

In the case of a cybersecurity event in a system maintained by a third-party service provider, of which the licensee has become aware, the licensee shall treat such event as though it experienced the cybersecurity event itself and must notify individuals and the insurance commissioner, unless the third-party service provider provides the notice required to the commissioner.

Penalties:

The commissioner shall have power to examine and investigate the affairs of any licensee to determine whether the licensee has been or is engaged in any conduct in violation of this chapter. This is in addition to the commissioner’s powers under RSA 400-A:16 and RSA 400-A:37. Additionally, whenever the commissioner has reason to believe that a licensee has been or is engaged in conduct in this state which violates this chapter, the commissioner may take action that is necessary or appropriate to enforce the provisions of this chapter.

Any other licensee may be subject to the suspension or revocation of the license or certificate of authority of the licensee or, in lieu thereof and at the discretion of the Commissioner, subject to a fine of up to $10,000 per violation.

Associated Regulations:

N/A