Mandated Timeframe for Breach Reporting and/or Consumer Notification

Without unreasonable delay
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection/Security
  • Third Party: Specific Obligations
  • Third Party: Mandated Contracts
  • Employee Training
  • Data Disposal/Destruction
  • Risk Assessment
  • Requests for Information
Fines & Penalties

Violations of breach and notification laws can bring an award of actual damages, up to triple.

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Third Party Management
  • Data Protection
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • Notifications (to Attorney General and Consumers) must include specific information and may only be delivered by specific means.
  • If an entity is required to notify more than 1,000 consumers of a breach of security, the entity must notify all consumer reporting agencies without unreasonable delay.
  • If a vendor is breached, it must report the breach to the data owner. The data owner is responsible for completing the reporting and consumer notification requirements.
  • Entities handling personal health information may have to comply with additional protection and handling requirements.
  • There are comprehensive student online data handling and protection requirements for “operators” as stated under Title XV CH 189 Section 189:68-a.
  • If your breach affects residents in other states, you will need to notify those residents using that state’s rules.
Statutes and Laws
  • NH Rev Stat §§ 359-C:19 – § 359-C:21 Right to Privacy (2007)
  • NH Rev Stat § 189:66 Data Inventory and Policies Publication
  • NH Rev Stat § 282-A:120 Destruction of Records
