N.H. Rev. Stat. §§ 359-C:19, C:20, C:21 |
---|
Type of Data Covered | Deadline for Notification | Government Notice |
---|---|---|
Electronic. | As quickly as possible. | Yes – notify the Attorney General or specific regulatory agency if any resident is notified. |
Subject Entities |
Applies to individuals, businesses, governmental entities, and other entities that own, license, or maintain personal information. Certain entities may be exempted from particular or all provisions of the law. |
Definition of Personal Information |
First name or first initial and last name, in combination with one or more of the following data elements, when not encrypted:
|
Definition of Breach |
Unauthorized acquisition of computerized data that compromises the security or confidentiality of personal information, excluding certain good faith acquisitions. |
Type of Data Covered |
Electronic. |
Encryption Safe Harbor |
Statute does not apply to information that is encrypted, so long as the encryption key was not accessed or acquired. |
Risk of Harm Analysis |
Notification is not required if the entity determines that misuse of the personal information has not occurred and is not reasonably likely to occur. |
Consumer Notice Requirements |
Timing: Notify affected individuals as soon as possible.
Content: Notice must include at a minimum:
Method: Notification must be made by written notice, or electronic notice if it is the primary means of communication with those affected, or by telephone if the entity keeps a log of the notification. |
Substitute Notice Requirements |
Substitute notice may be provided if the cost of providing notice exceeds $5,000, the affected class of subject individuals to be notified exceeds 1,000, or the entity lacks sufficient contact information or consent. Substitute notice must consist of all the following:
|
Delayed Notice Requirements |
Notification may be delayed if a law enforcement agency or national security agency determines that the notice will impede a criminal investigation or jeopardize national security. |
Government Notice Requirements |
Entities engaged in trade or commerce subject to the jurisdiction of the bank commissioner, securities regulation director, insurance commissioner, public utilities commission, financial institutions and insurance regulators of other states, or federal banking or securities regulators must notify the regulator that has primary regulatory authority. All other entities, or persons, must notify the Attorney General’s Office of the anticipated date of notice and approximate number of residents to be notified. Entities are not required to provide names or any personal information relating to the affected individuals. State insurance licensees must notify the Insurance Department as soon as possible and affected customers within 30 days, in accordance with N.H. Code Admin. R. Ins. § 3702, and must comply with other notification obligations under N.H. Rev. Stat. §§ 420-P:1–P:14. |
Third Party Notice Requirements |
An entity that maintains personal information that it does not own must notify and cooperate with the owner or licensee of the information immediately following discovery of the breach. |
Consumer Reporting Agency Obligations |
If more than 1,000 persons are notified, the entity must notify all nationwide consumer reporting agencies without unreasonable delay of the time of distribution, the approximate number of consumers who will be notified, and the content of the notice. |
Potential Penalties |
Violations may result in civil penalties or other remedies. |
Notification Requirements for Government Agencies |
Please see the statute for specific requirements and/or penalties for applicable government agencies. |
Related Statutes |
Please see N.H. Rev. Stat. §§ 332-I:1-6 for specific requirements concerning uses or disclosures of PHI that are allowed under federal law but are not permitted under New Hampshire law. |
Last updated: January 2024