Missouri became the 45th state to enact a breach notification law. Mo. Rev. Stat. §§ 407.1500.1-407.1500.4. Missouri’s governor signed the enabling legislation, H.B. 62, into law last July. It went into effect last August 28.
H.B. 62 covers “personal information” consisting of a name in combination with a driver’s license number, Social Security number, or account number together with an access code. Id. § 407.1500.1(9). These are the usual elements of “personal information” seen in California’s SB 1386. In addition, however, the Missouri law also covers personal information in the form of medical information, health insurance information, and identifier and access codes permitting a person to access a financial account. Id.
Businesses must notify Missouri residents if there is unauthorized access to residents’ personal information that the businesses are maintaining. Id. § 407.1500.2(1). No notification is necessary if, following an investigation and consultation with law enforcement, the business “determines that a risk of identity theft or other fraud to any consumer is not reasonably likely to occur as a result of the breach.” Id. § 407.1500.2(5). A business making such a determination must record it in writing and preserve the writing for five years. Id. In addition, a business may delay notification if law enforcement informs the person that notification may impede a criminal investigation. Id. § 407.1500.2(3).
The Missouri law states that the Attorney General has the “exclusive authority” to bring an action for damages or a civil money penalty. The “exclusive authority” phrase implies that there is no private right of action. The maximum penalty the A.G. may seek is $150,000 for one breach or a “series of breaches of a similar nature that are discovered in a single investigation.” Id. § 407.1500.4.
Stephen S. Wu
Partner, Cooke Kobrick & Wu LLP