Last State Without a Breach Notice Law? Not Mississippi

Yesterday, Mississippi Governor Haley Barbour approved Mississippi's first breach notification law, House Bill 583, leaving only four states without a notification law (Alabama, Kentucky, New Mexico, and South Dakota).  Here are the most important basics:

  • Who must be notified?  Notification must be made to individuals only, no government regulators or credit reporting agencies;
  • What is notice-triggering PII?  Personal information has the classic definition based on the original California SB 1386 before California's addition of medical information and health insurance information.  Thus, notice is required by Mississippi if a breach involves a name with Social Security number, driver's license, or account number in combination with any required security code, access code or password that would permit access to an individual's financial account);
  • Is there a risk of harm threshold?  Yes.  Unlike California and many other states, there IS a risk of harm threshold for breach notification:  "Notification shall not be required if, after an appropriate investigation, the person reasonably determines that the breach will not likely result in harm to the affected individuals."

The law does not take effect until July 1, 2011.