New Hampshire Statutes § 359-C:19 et seq.
Type of Data Covered: Computerized or electronic data.
Is Breach Defined?
"“Security breach” means unauthorized acquisition of computerized data that compromises the security or confidentiality of personal information maintained by a person doing business in this state. Good faith acquisition of personal information by an employee or agent of a person for the purposes of the person’s business shall not be considered a security breach, provided that the personal information is not used or subject to further unauthorized disclosure."
When is notice required?
Notice is required for all affected residents after notice has been given to the appropriate regulatory agency or, if none exists, the Attorney General. Once said disclosure is made, the notice to residents should be made "as quickly as possible..." There are exemptions for any legitimate law enforcement need. If notice is required for more than 1,000 residents, then consumer credit agencies must receive notice as well. Notice to residents may be written, electronic, telephonic, or via "substitute notice" procedures, depending on circumstances. The notice must include a description of the incident, approximate date of the breach, the type of information affected, and a telephone number to contact for more information.
What are the penalties for non-compliance?
Violations have their own section of the law, § 359-C:21(I)-(III), which reads as follows:
"I. Any person injured by any violation under this subdivision may bring an action for damages and for such equitable relief, including an injunction, as the court deems necessary and proper. If the court finds for the plaintiff, recovery shall be in the amount of actual damages. If the court finds that the act or practice was a willful or knowing violation of this chapter, it shall award as much as 3 times, but not less than 2 times, such amount. In addition, a prevailing plaintiff shall be awarded the costs of the suit and reasonable attorney’s fees, as determined by the court. Any attempted waiver of the right to the damages set forth in this paragraph shall be void and unenforceable. Injunctive relief shall be available to private individuals under this chapter without bond, subject to the discretion of the court.
II. The New Hampshire attorney general’s office shall enforce the provisions of this subdivision pursuant to RSA 358-A:4.
III. The burden shall be on the person responsible for the determination under RSA 359-C:20, I to demonstrate compliance with this subdivision."