Mo. Rev. Stat. § 407.1500 |
---|
Type of Data Covered | Deadline for Notification | Government Notice |
---|---|---|
Electronic. | Without unreasonable delay. | Yes – The Attorney General. |
Subject Entities |
Applies to individuals, businesses, governmental entities, and other entities that own, license, or maintain personal information. Certain entities may be exempted from particular or all provisions of the law. |
Definition of Personal Information |
First name or first initial and last name, in combination with one or more of the following unencrypted, unredacted, or otherwise unaltered data elements:
|
Definition of Breach |
Unauthorized access to and unauthorized acquisition of personal information maintained in computerized form by a person that compromises the security, confidentiality, or integrity of the personal information, excluding certain good faith acquisitions. |
Type of Data Covered |
Electronic. |
Encryption Safe Harbor |
Statute does not apply to information that is encrypted, redacted, or otherwise altered to render information unreadable or unusable, so long as the encryption key was not accessed or acquired. |
Risk of Harm Analysis |
Notification is not required if, after an appropriate investigation or consulting with relevant law enforcement agencies, the entity determines the risk of identity theft or other fraud to residents is not reasonably likely to occur. Determination shall be documented in writing and maintained for five years. |
Consumer Notice Requirements |
Timing: Notification must be made without unreasonable delay, consistent with any measures necessary to determine sufficient contact information for residents, determine the scope of the breach, and restore the reasonable integrity, security, and confidentiality of the system.
Content: Must include, at a minimum, a description of the following:
Method: Written notice; electronic notice if the resident has provided a valid email address and agreed to receive communications electronically, and if the notice provided is consistent with E-SIGN; or telephonic notice if such contact is made directly with the affected consumers. Substitute notice is also available under certain circumstances. |
Substitute Notice Requirements |
Substitute notice may be provided if the cost of providing notice exceeds $100,000, the number of affected consumers to be notified exceeds 150,000, the entity lacks sufficient contact information or consent, or the entity is unable to identify particular affected consumers (for only those unidentifiable consumers). Substitute notice shall consist of all the following:
|
Delayed Notice Requirements |
Notification may be delayed if a law enforcement agency determines that the notice will impede a criminal investigation or jeopardize national security. |
Government Notice Requirements |
If required to notify more than 1,000 consumers, the entity must also notify the Attorney General’s office without unreasonable delay of the timing, distribution, and content of the consumer notice. |
Third Party Notice Requirements |
Any person that maintains or possesses personal information of a Missouri resident that that person does not own or license must notify the owner or licensee of the personal information immediately following discovery of the breach. |
Consumer Reporting Agency Obligations |
If required to notify more than 1,000 consumers, then the entity must also notify all nationwide consumer reporting agencies without unreasonable delay of the timing, distribution, and content of the consumer notice. |
Potential Penalties |
Violations may result in civil penalties not to exceed $150,000 per breach, and other remedies. |
Notification Requirements for Government Agencies |
Please see the statute for specific requirements and/or penalties for applicable government agencies. |
Last updated: January 1, 2022