Skip to main content

New Hampshire

Click here to review text of state statute (see N.H. Rev. Stat. §359-C:19, et seq.)

For specific rules applicable to the insurance industry click here.   

Return to Index of States

Click here to download a print-version of the Mintz Matrix

Information Covered / Important Definitions

Information covered:

Personal information of New Hampshire.

New Hampshire has specific statutes which could apply if an individual’s medical information is compromised.

Important definitions:

“Security Breach” means unauthorized acquisition of computerized data that compromises the security or confidentiality of personal information.

“Encrypted” means the transformation of data through the use of an algorithmic process into a form for which there is a low probability of assigning meaning without use of a confidential process or key, or securing the information by another method that renders the data elements completely unreadable or unusable. 

Covered Entities* / Third Party Recipients

Subject to statute:

Any person, business, legal entity or governmental entity that conducts business in New Hampshire and owns, maintains or licenses computerized data that includes personal information.

Third party recipients:

Any covered entity that maintains computerized data containing personal information that the covered entity does not own must notify the owner or licensee of the information of any security breach immediately following discovery of the breach and provide cooperation as needed and required by statute.

Notice Procedures & Timing / Other Obligations

Written, electronic or telephonic notice must be provided to victims of a security breach as soon as possible. 

  • Notice to affected residents is required to contain specific content described in statute.
  • Substitute notice is available by means prescribed in the statute if costs to exceed $5,000, affected class exceeds 1,000 persons, or covered entity has insufficient contact information.
  • Notification is not required if it is determined that misuse of the information has not occurred and is not reasonably likely to occur.

Other Obligations:

Any covered entity that must  notify more than 1,000 consumers at one time of a security breach is also required to notify consumer reporting agencies of the security breach without unreasonable delay.

Encryption Safe Harbor / Other Exemptions

Encryption Safe Harbor:

Statute not applicable if the personal data that was lost, stolen or accessed by an unauthorized individual is encrypted.

Data acquired in combination with the required key, security code, access code or password is not considered encrypted.

Other exemptions:

Exemption for good faith acquisition of personal information by an employee or agent of a person for the purposes of the person’s business so long as personal information is not used or subject to further unauthorized disclosure.

Any person engaged in trade or commerce subject to RSA 358-A:3, I which maintains procedures for security breach notification pursuant to a state or federal regulator will be deemed in compliance with the New Hampshire statute.

A covered entity is deemed in compliance with the New Hampshire statute if it is subject to the GLBA.

Notification to Regulator / Waiver

Attorney general or the primary regulator applicable to covered entity must be notified of a security breach.

Any person engaged in trade or commerce subject to RSA 358-A:3, I must notify the regulator which has primary regulatory over such trade or commerce. All others notify must notify the Attorney General.

Notice must include anticipated date of notice to individuals affected and the approximate number of individuals in the state who will be notified.

A determination of no likelihood of harm: Does not require notification to attorney general.

waiver of the statute is void and unenforceable.


Civil penalties up to $10,000 per violation when actions brought by the Attorney General (injunctive and restitution relief also available).

Private citizens injured as a result of violation may bring an action for damages and for equitable relief, including an injunction.  Recovery will be actual damages (or up to two to three times actual damages if violation was knowing and willful). 

A prevailing plaintiff may also be awarded costs and reasonable attorney’s fees.

Private Cause of Action / Enforcement

Private Cause of Action: Yes.

Attorney general and affected residents can enforce.


Note: Please refer to individual state statutes for a complete list of covered entities as the list of legal and commercial entities described in this chart as “subject to statute” in most cases is not exhaustive.  Please also note that rules applicable to state agencies, government bodies and other public institutions are not discussed in this chart.

Click here to review text of state statute (see N.H. Rev. Stat. §359-C:19, et seq.)

Return to Index of States

Click here to download a print-version of the Mintz Matrix

Subscribe To Viewpoints