SB 207
Creates consumer notification requirements for data security breaches
LR Number:
Last Action:
4/30/2009 - Referred H Special Standing Committee on Health Insurance Committee
Journal Page:
SCS SBs 207 & 245
Calendar Position:
Effective Date:
August 28, 2009

Current Bill Summary

SCS/SBs 207 & 245 - This act requires companies that own or license personal information about Missouri residents to notify the affected individuals if the company discovers that security of the personal information has been breached. The notification must be made without unreasonable delay, but may be delayed by a law enforcement agency if the notification would compromise an investigation or homeland security.

Certain pieces of information must be included in the notification, such as the type of personal information compromised, the steps being taken to protect further breaches, and certain advice and contact information.

The act provides an exception to the notification requirements if it is determined that no risk of identity theft or other fraud to a consumer is reasonably likely to result from the breach.

Notification to affected consumers of a breach may be made in writing, via e-mail, or by telephone. In cases when the cost of notifying would exceed $250,000, when there are over 500,000 affected people to notify, when the company does not have sufficient contact information, or if the company cannot determine which consumers are affected by a breach, the company may use alternate notification procedures as described.

Companies shall notify the Attorney General in cases where the personal information of over 1,000 Missourians has been breached.

Companies that maintain their own notification procedures for security breaches that are consistent with this act shall be deemed in compliance with this act if they follow their procedures. Similarly, if a company maintains procedures for security breaches under another state's laws or federal law, and it follows those procedures, the company shall be deemed in compliance with this act.

The Attorney General has exclusive authority to bring action for actual damages for willful and knowing violations of this act as well as may seek a civil penalty of up to $150,000 per security breach.