Mississippi is the latest state to adopt a data breach notification statute under House Bill 583.  The new law, which goes into effective July 1, 2011, requires the following:

  1. A person who conducts business in Mississippi must disclose any breach of security, as defined below, to all affected individuals.
  2. Notice must be provided without unreasonable delay, subject to any criminal investigation and the completion of an investigation by the person to determine the nature and scope of the incident, to identify the affected individuals, or to restore the reasonably integrity of the data system.
  3. Notice is not required, if after reasonable investigation, the person reasonably determines that the breach will not likely result in harm to the affected individual.
  4. For the purpose of this statute, “breach of security” is defined to mean the “unauthorized acquisition of electronic files, media, databases or computerized data containing personal information of any resident of this state when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable.”
“Personal information” for this purpose means an individual’s first name or first initial and last name in combination with any one or more of the following data elements: 
  1. Social Security number;
  2. Driver’s license number or state identification card number; or
  3. An account number or credit or debit card number in combination with any required security code, access code or password that would permit access to an individual’s financial account.

Click here to view the full text of House Bill No. 583.

The District of Columbia, Guam, Puerto Rico and the Virgin Islands have also adopted data breach notification laws.  Only four states, Alabama, Kentucky, New Mexico, and South Dakota,  have not yet adopted data breach notification requirements.