Mandated Timeframe for Breach Reporting and/or Consumer Notification

As soon as possible
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection/Security
  • Vendor Specific Obligations
  • Vendor Mandated Contracts
  • Employee Training
  • Data Disposal/Destruction
  • Risk Assessment
  • Requests for Information
Fines & Penalties

Violations of breach notification laws:
- Up to triple damages

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Vendor Management
  • Data Protection
Level Description
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • Breach notifications to the Attorney General and affected NH residents must include specific information and may only be delivered by specific means.
  • If an entity is required to notify more than 1,000 consumers of a breach of security, the entity must notify all consumer reporting agencies without unreasonable delay.
  • If a vendor is breached, they must report it to the data owner. The data owner will be responsible to complete any required regulatory and consumer breach notifications.
  • If a breach affects residents of other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.
  • Sector-specific laws (health, education) provide for an individual’s right to access their personal information.
  • Entities handling personal health information and student data must comply with additional protection and disclosure requirements.
  • New Hampshire’s Insurance Data Security Law includes requirements for insurance licensees to protect personal information and investigate and respond to breaches of security. Licensees must comply with the breach notification requirements effective January 1, 2020, and have until January 1, 2021 to comply with the information security requirements, and until January 1, 2022 to comply with the vendor management requirements.
  • Insurance licensees who experience a breach of security must notify the Insurance Commissioner within 3 business days of determining that a breach could materially harm a residential consumer or any material part of licensee’s business operations.
Statutes and Laws
  • NH Rev Stat §§ 359-C:19 – 359-C:21 Right to Privacy

    NH Rev Stat § 282-A:120 Destruction of Records

    NH Rev Stat § 189:66-189:68a Student Privacy

    NH Rev Stat §§ 126:25 & 126:27 Health Data Collection and Availability of Data

    NH Rev Stat, Ch. 332-I Medical Records, Patient Information

    NH Rev Stat, Ch. 420-P Insurance Data Security Law

BAck to map