Mandated Timeframe for Breach Reporting and/or Consumer Notification

As soon as possible
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection/Security
  • Vendor Specific Obligations
  • Vendor Mandated Contracts
  • Employee Training
  • Required Disposal of Retained Personal Information
  • Require Vendors to Protect Personal Information
  • Verification of Vendor Protection/Security Program
  • Vendor Notification to Organization of Breach/Suspected Breach
Fines & Penalties

Violations of breach notification laws:

- Up to triple damages

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Vendor Management
  • Vendor Contract Required
Level Description
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • If any New Hampshire residents are affected by a breach, the breached Organization must give notice to each affected individual and the Attorney General as soon as possible.
  • Breach notifications to the Attorney General and affected NH residents must include specific information and may only be delivered by specific means.
  • If an Organization is required to notify more than 1,000 consumers of a breach of security, the Organization must notify all consumer reporting agencies without unreasonable delay.
  • Vendors must notify Organizations immediately after discovery of a breach or suspected breach.
  • Vendors must cooperate with the Organizations to provide all necessary information regarding a breach incident and any remediation taken relating to an incident.
  • The Organization will be responsible to complete any required regulatory reporting and consumer notifications.
  • If a breach affects residents of other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.
  • Sector-specific laws (health, education) provide for an individual’s right to access their personal information.
  • Entities handling personal health information and student data must comply with additional protection and disclosure requirements.
  • New Hampshire’s Insurance Data Security Law includes requirements for insurance licensees to protect personal information and investigate and respond to breaches of security. Licensees have until January 1, 2021 to comply with the information security requirements, and until January 1, 2022 to comply with the vendor management requirements.
  • Insurance licensees who experience a breach of security must notify the Insurance Commissioner within 3 business days of determining that a breach could materially harm a residential consumer or any material part of the licensee’s business operations.
Statutes and Laws
  • NH Rev Stat §§ 359-C:19 – 359-C:21 Right to Privacy
  • NH Rev Stat § 282-A:120 Destruction of Records
  • NH Rev Stat § 189:66-189:68a Student Privacy
  • NH Rev Stat §§ 126:25 & 126:27 Health Data Collection and Availability of Data
  • NH Rev Stat, Ch. 332-I Medical Records, Patient Information
  • NH Rev Stat, Ch. 420-P Insurance Data Security Law
