Mississippi ratifies data protection law

What, you may ask, about damages? Only the Magnolia State’s attorney general can file an “unfair trade practice” complaint for non-compliance.

A data breach security and notification measure was signed into law by Mississippi Gov. Haley Barbour last week, which means just four US states – Alabama, Kentucky, New Mexico, and South Dakota – do not afford their citizens similar safeguards and notification procedures when personal data is compromised.

House Bill No. 583 was signed by Gov. Barbour in early April; the statute requires all persons or organizations conducting business in Mississippi to notify affected citizens if their personal or banking data is accessed by unauthorized individuals. Responsible parties that store this data will be required to conduct an investigation of the event and notify the people concerned only if the data “was, or is reasonably believed to [have] been, acquired by an unauthorized person for fraudulent purposes”, according to the law.

Infosecurity notes that, absent this perceived malicious intent, the bill does not require persons or organizations that sustain a data breach to notify if the compromised party “reasonably determines that the breach will not likely result in harm to the affected individuals”. The law also does not apply to personal data that is freely available to the public from government records.

The Mississippi data protection statute – which goes into effect on July 1, 2011 – contains provisions to delay the notification of data breach victims, apparently even if their personal information has the potential to be misused. Law enforcement reserves the right to delay notification for an unspecified “reasonable period” if authorities determine that disclosure of the data breach would impact a pending criminal investigation or national security.

The bill also contains a curious little caveat at its close, one that bars private citizens in Mississippi from judicial recourse – presumably via civil courts – if their data is compromised as the result of a breach, a fact that was confirmed for Infosecurity by a deputy spokesperson in Gov. Barbour’s office. The law specifies that only the state’s attorney general will be able to bring an “unfair trade practice” suit if organizations and individuals do not comply with the provisions of the data breach bill.
