Missouri recently enacted a law that made it the 45th state to adopt data breach notification regulations. The law goes into effect August 28, 2009. Like other states' laws, Missouri's law applies to any person or company that holds personal information of a Missouri resident, regardless of size, nature of business or other factors.

What Type of Information is Covered? Missouri’s law defines “personal information” expansively to include:

  • social security numbers;
  • driver’s license numbers or similar unique identification numbers created by a government body;
  • financial account numbers (with a required security code, access code or password which would permit access to the account);
  • credit card or debit card numbers (with a required security code, access code or password which would permit access to the account);
  • unique electronic identifiers or routing codes (with a required security code, access code or password which would permit access to the account);
  • medical information; and
  • health insurance information.

What You Must Do After a Breach. If a breach occurs, you must provide notice to the Missouri resident that a breach has occurred without any unreasonable delay. That notice must include, at minimum:

  1. a description of the incident in general terms;
  2. the type of information that was obtained in the breach;
  3. a contact number for the person or company for further assistance; and
  4. contact information for consumer reporting agencies.

The notice may be written, telephonic or electronic; the telephonic and electronic methods both assume that the company or business has correct contact information for the Missouri resident. Certain substitute methods are available where (i) the notification would involve an expense of greater than $100,000, (ii) the total number of affected residents is more than 150,000 or (iii) the class of affected residents is unidentifiable.

Preparing for These New Regulations.  Any company that is subject to data breach notification laws (not just Missouri's) can take several steps to have effective policies in place to address the risks of a data breach. First, review your data security programs, or establish such programs if your company does not have them. In reviewing your plan, also keep in mind your obligations under the new red flag rules, which go into effect in August. Many of the requirements for compliance with those rules can also help address the issues raised by breach notification laws.

To ensure an effective, comprehensive program, you should consider the following:

  • what state and federal laws may apply;
  • how your company uses the internet;
  • how data is stored and secured on your systems and how those systems are updated;
  • whether you have a central manager who serves as a plan coordinator;
  • what reasonably foreseeable internal and external risks to security exist, including electronic access points and physical (i.e. paper) access points;
  • whether your safeguards extend to your employees and contractors; and
  • what plans and policies you have in place to ensure there is an on-going review process for your programs.

Second, pay attention to any standards, tools or assistance your local or state agencies provide. Since the Missouri law contemplates cooperation with law enforcement in certain circumstances, consider whether any actions or opportunities the authorities provide would strengthen your data security measures.

Finally, if a breach occurs, one key to a successful recovery is prompt attention. Your company should therefore include data breach response protocols in its data security plans: having a plan in place before an incident occurs can save significant time and expense in the long run.