On April 7, 2010, Mississippi Governor Haley Barbour signed H.B. 583, making his state the forty-sixth state with a security breach notification law on the books.
Effective July 1, 2011, H.B. 583 will require any person who conducts business in Mississippi and who, in the ordinary course of the person’s business, functions, owns, licenses or maintains personal information of any Mississippi resident to notify certain individuals when the security of their unencrypted personal information may be at risk.
Mississippi’s new law is consistent with other states’ security breach notification laws in many respects, but deviates in at least one potentially significant way. Specifically, the law only requires notice to “affected individuals,” which are defined to mean residents of Mississippi whose personal information was, or is reasonably believed to have been, intentionally acquired by an unauthorized person through a breach of security. Like it or not (and the business community ought to like it), this qualification may allow a covered entity to avoid providing notice when electronic media containing personal information is simply lost, or when such information is inadvertently sent to the wrong person. (However, when the compromised information belongs to another business, there is still a requirement to notify that business.)
H.B. 583 also does not require notification if a covered entity determines, after an appropriate investigation, that the security breach “will not likely result in harm to the affected individuals.” This latter provision, however, is not unlike provisions in other states’ laws that require a so-called “material risk of harm” to trigger a notification obligation.
The enactment of H.B. 583 in Mississippi means only Alabama, Kentucky, New Mexico, and South Dakota have yet to adopt such a law. But as the saying goes, better late than never!