Missouri’s new Data Protection Disclosure Law.
Although it may have gone unnoticed, a month ago Missouri finally joined that heady club called “States which have Data Privacy Laws”.
On 28th August, the “Missouri Data Breach Notification Law”, or House Bill 62, took effect. It does not protect residents' personal information as such, but it at least enforces care and attention in handling it (Social Security Numbers, Driver’s Licence Numbers, and information which could be used to access a resident's financial accounts). Note I use the word “resident”, because, as with the other 47 or so State laws, this one applies to the residents of Missouri, not to the businesses. If you have Missouri resident information in your datacenter in Timbuktu, you are still required to comply (on pain of civil and actual damages).
The full text of the law can be found on the excellent HuschBlackwell site, but the interesting points are:
- This law applies to Personal Health Information (PHI) as well as Personally Identifiable Information (PII)
- The law applies to both “customer” data, as well as “employee” data – it basically applies to every resident of Missouri.
- If you lose more than 1000 individual records, you need to tell the Attorney General. Non-compliance means civil damages.
- If you determine that the exposure of data is “unlikely” due to protective measures (or you believe the device was destroyed etc), you can elect not to disclose, but you MUST fully document the investigation and keep records for 5 years.
As with all these laws, if you hold Missouri resident data, you should approach your legal team and assess any additional risk (and mitigating measures) that you might now be subject to.
To keep you in the loop, the list of States without, or with very weak, data disclosure laws is now Alabama, Kentucky, Mississippi, New Mexico, and South Dakota.