Missouri Data Breach Notification Statute Summary

Mo. Rev. Stat. § 407.1500


Type of Data Covered: Electronic.
Deadline for Notification: Without unreasonable delay.
Government Notice: Yes – The Attorney General.


Subject Entities

Applies to individuals, businesses, governmental entities, and other entities that own, license, or maintain personal information. Certain entities may be exempted from particular or all provisions of the law.

Definition of Personal Information

First name or first initial and last name, in combination with one or more of the following data elements, when unencrypted, unredacted, or otherwise unaltered:

  • Social Security number;
  • Driver’s license number or other unique identification number created or collected by a government body;
  • Financial account number, credit card number, debit card number, or unique electronic identifier or routing code, in combination with any required security code, access code, or password permitting access to a resident’s financial account;
  • Medical information; or
  • Health insurance information.

Definition of Breach

Unauthorized access to and unauthorized acquisition of personal information maintained in computerized form by a person that compromises the security, confidentiality, or integrity of the personal information, excluding certain good faith acquisitions.

Type of Data Covered

Electronic.

Encryption Safe Harbor

Statute does not apply to information that is encrypted, redacted, or otherwise altered to render information unreadable or unusable, so long as the encryption key was not accessed or acquired.

Risk of Harm Analysis

Notification is not required if, after an appropriate investigation or consulting with relevant law enforcement agencies, the entity determines the risk of identity theft or other fraud to residents is not reasonably likely to occur. Determination shall be documented in writing and maintained for five years.

Consumer Notice Requirements

Timing: Notification must be made without unreasonable delay, consistent with any measures necessary to determine sufficient contact information for residents, determine the scope of the breach, and restore the reasonable integrity, security, and confidentiality of the system.

Content: Must include, at a minimum, a description of the following:

  • The incident in general terms;
  • Type of personal information obtained as a result of the breach;
  • A telephone number, if one exists, that affected residents may call for further information and assistance;
  • Contact information for consumer reporting agencies; and
  • Advice to the affected residents to remain vigilant by reviewing account statements and monitoring free credit reports.

Method: Written notice; electronic notice, if the resident has provided a valid email address and agreed to receive communications electronically and the notice is consistent with E-SIGN; or telephonic notice, if such contact is made directly with the affected consumers. Substitute notice is also available under certain circumstances.

Substitute Notice Requirements

Substitute notice may be provided if the cost of providing notice would exceed $100,000, the number of affected consumers to be notified exceeds 150,000, the entity lacks sufficient contact information or consent, or the entity is unable to identify particular affected consumers (in which case substitute notice applies only to those unidentifiable consumers).

Substitute notice shall consist of all the following:

  • Email notice if email address is available;
  • Conspicuous posting of notice or a link to the notice on the entity’s website, if it maintains one; and
  • Notification to major statewide media.

Delayed Notice Requirements

Notification may be delayed if a law enforcement agency determines that the notice will impede a criminal investigation or jeopardize national security.

Government Notice Requirements

If required to notify more than 1,000 consumers, entity also must notify the Attorney General’s office without unreasonable delay of the timing, distribution, and content of the consumer notice.

Third Party Notice Requirements

Any person that maintains or possesses personal information of a Missouri resident which that person does not own or license must notify the owner or licensee of the personal information immediately following discovery of the breach.

Consumer Reporting Agency Obligations

If required to notify more than 1,000 consumers, then the entity must also notify all nationwide consumer reporting agencies without unreasonable delay of the timing, distribution, and content of the consumer notice.

Potential Penalties

Violations may result in civil penalties not to exceed $150,000 per breach, and other remedies.

Notification Requirements for Government Agencies

Please see the statute for specific requirements and/or penalties for applicable government agencies.


Last updated: July 1, 2021