Data Privacy Regulations

Terms of Use

This summary of regulations is provided for information purposes only.
No action based on this summary alone should be undertaken.
Each individual or entity must obtain appropriate guidance for its specific circumstances.


Did You Know?

  • Vendors must report breaches to Data Owners and cooperate with them
  • Data owners are responsible for reporting and notifications
  • Notifications must contain specified information
  • Possible notification to applicable agencies or to the state attorney general’s office
  • Possible notification to the consumer reporting agencies
  • Other state laws, federal laws, industry regulations, and/or out-of-country laws may apply 

Who Me?


New Hampshire breach and notification laws may apply if you are a person or business that: 

  • Conducts business in NH and owns or licenses computerized data that includes PII;
  • Is engaged in trade or commerce that is subject to RSA §358-A:3;
  • Maintains computerized data that includes PII that you do not own.

There are usually exemptions.

What is PII?


PII relevant to a breach in New Hampshire includes an individual’s name with one or more of the following:

  • Social security number;
  • Driver license or state identification card number;
  • Financial account or credit/debit card number, together with any required security code, etc. that permits access to the individual's financial account.



A few applicable statutes include, but are not limited to:

Title XXXI - Trade And Commerce

Chapter 359-C - Right To Privacy

  Notice of Security Breach:  § 359-C:19 to 359-C:21


A few applicable statutes include, but are not limited to:

Multiple state agencies have specific instructions regarding the destruction of records, including:

  • Administration of Motor Vehicles: Chapter 260, § 260:19
  • Unemployment Compensation: Chapter 282-A, § 282-A:120
  • Secured Transactions: Chapter 382-A, Article 9, Part 5, Subpart 2, § 382-A:9-522



New Hampshire allows an injured person to bring an action for damages and equitable relief, including an injunction, as the court deems proper. Recovery must be in the amount of actual damages. If the act was a willful or knowing violation of the statute, the court may award either 2 or 3 times that amount, no less and no more. The state attorney general enforces the statute.



Considerations for reporting requirements include, but are not limited to:

  • The combination of personal information breached
  • If the data was computerized
  • If the data was encrypted or redacted
  • If it was acquired by an unauthorized person
  • Whether misuse of the information may occur


Depending on the impact and type of breach, there may be specific entities to report to and specific time limits for reporting a breach. Notifications must be made in the most expedient time and manner possible and without unreasonable delay, unless law enforcement advises the person that notification will interfere with an investigation for a specified period; otherwise, they must be made in the most expedient manner possible and without unreasonable delay, but within 45 days. Notification to the consumer reporting agencies may be required.


The notification requires detailed information and potential provision of services.

Disclosure may be made by written notice, telephone or electronically (with stipulations).

A substitute notice, with specific requirements, may be sent if the person demonstrates that the cost of providing the notice would exceed $5,000, or the number of persons to be notified exceeds 1,000, or the person does not have sufficient contact information or consent.
