Click here to review text of state statute
Information Covered / Important Definitions
Personal information of Missouri residents.
Definition includes (i) unique electronic identifier or routing code in combination with required security code, access code, or password; (ii) medical information; or (iii) health insurance information.
“Security Breach” means unauthorized access to and unauthorized acquisition of personal information maintained in computerized form that compromises the security, confidentiality, or integrity of the personal information.
“Health Insurance Information” means an individual’s health insurance policy number or subscriber number or any unique identifier used by a health insurer to identify the individual.
“Medical Information” means any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.
“Encryption” means the use of an algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without the use of a confidential process or key.
“Redacted” means altered or truncated such that no more than five digits of a social security number or the last four digits of a driver’s license number, state ID, or account number is accessible.
Covered Entities* / Third Party Recipients
Subject to statute:
Any person or legal or commercial entity that conducts business in Missouri and that owns or licenses personal information of Missouri residents in any form.
Third party recipients:
Any person that maintains or possesses records or data containing personal information of Missouri residents that the person does not own must notify the owner or licensee of the information of any security breach immediately following discovery of the breach consistent with the legitimate needs of law enforcement.
Notice Procedures & Timing / Other Obligations
Written, electronic, or telephonic notice must be provided to victims of a security breach without unreasonable delay, unless a law enforcement agency determines that notice will impede a criminal investigation (in which case notification is delayed until authorized by law enforcement).
- Notice to affected residents is required to contain specific content described in the statute.
- Substitute notice is available by means prescribed in the statute if costs to exceed $100,000, affected class exceeds 150,000 persons, or covered entity has insufficient contact information. Substitute notice may also be used for consumers who the covered entity knows to be affected but is not able to identify.
- Notice not required if, after an appropriate investigation by the covered entity or after consultation with the relevant federal, state, or local agencies responsible for law enforcement, the covered entity determines that a risk of identity theft or other fraud to any consumer is not reasonably likely to occur as a result of the breach. Such a determination must be documented in writing and retained for five years.
Any business that must notify more than 1,000 persons at one time of a security breach is also required to notify consumer reporting agencies.
Encryption Safe Harbor / Other Exemptions
Encryption Safe Harbor:
Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted, redacted, or otherwise rendered unreadable or unusable.
Exemption for good faith acquisition of personal information by an employee or agent of a covered entity for a legitimate purpose so long as personal information is not used in violation of applicable law or in a manner that harms or poses an actual threat to the security, confidentiality, or integrity of the personal information.
Covered entity deemed in compliance with the Missouri statute if it maintains and complies with its own notification procedures as part of an information security policy and whose procedures are consistent with Missouri’s timing requirements.
Any business that complies with the notification procedures imposed by its primary or functional federal or state regulator is deemed in compliance with the Missouri statute.
Financial institutions are exempt if they are subject to and comply with federal interagency guidelines.
Notification to Regulator / Waiver
Attorney general must be notified if a single breach results in notification to more than 1,000 Missouri residents.
The notice must describe timing, distribution and content of notice to residents.
A determination of no likelihood of harm:
Does not require notification to attorney \gGeneral.
For willful and knowing violations, actual damages, and/or civil penalties not to exceed $150,000 for each security breach.
Private Cause of Action / Enforcement
Private Cause of Action: No.
Enforcement by attorney general only.
* Note: Please refer to individual state statutes for a complete list of covered entities as the list of legal and commercial entities described in this chart as “subject to statute” in most cases is not exhaustive. Please also note that rules applicable to state agencies, government bodies and other public institutions are not discussed in this chart.
Click here to review text of state statute