Missouri Statutes § 407.1500
Type of Data Covered: Computerized or electronic data.
Is Breach Defined?
“Breach of security” or “breach”, unauthorized access to and unauthorized acquisition of personal information maintained in computerized form by a person that compromises the security, confidentiality, or integrity of the personal information. Good faith acquisition of personal information by a person or that person’s employee or agent for a legitimate purpose of that person is not a breach of security, provided that the personal information is not used in violation of applicable law or in a manner that harms or poses an actual threat to the security, confidentiality, or integrity of the personal information
When is notice required?
Notice is required for all affected residents without unreasonable delay, subject to law enforcement investigations and delays to restore integrity to the system. See § 407.1500-2. There are specific requirements for content found in §407.1500-2(4) and subsection 6 of the statute dictates that written, electronic, telephonic, and substitute notice are permissible, depending on circumstances. In the event that over 1,000 residents are notified, consumer reporting agencies and the Attorney General must receive a copy of the notice.
What are the penalties for non-compliance?
Violations have their own section of the law, § 407.1500-4, which reads as follows:
"The attorney general shall have exclusive authority to bring an action to obtain actual damages for a willful and knowing violation of this section and may seek a civil penalty not to exceed one hundred fifty thousand dollars per breach of the security of the system or series of breaches of a similar nature that are discovered in a single investigation."