The Constangy Cyber Team understands the paramount importance of staying informed about the intricacies of data breach notification regulations. With our Cybersecurity & Data Privacy Desktop Reference and these interactive maps, we provide guidance to navigate these complexities. Our interactive maps offer you online access to our succinct summaries of the essential aspects of various consumer and regulatory notification obligations. Please contact us should you have any questions. We look forward to working with you should you have to navigate the consumer notification and/or regulatory reporting process.
The information provided in the map is meant to serve as a helpful guide and is not intended to be legal advice.
Mississippi
Data Breach Notification Statute
Highlights
Covered Entities: Applies to any person who conducts business in Mississippi and who, in the ordinary course of the covered entity's business functions, owns, licenses or maintains personal information of any resident of Mississippi.
Consumer Notification: Covered entities who conduct business in Mississippi shall disclose any breach of security to all affected individuals. The disclosure shall be made without unreasonable delay, subject to the provisions of subsections (4) and (5) of this section and the completion of an investigation by the covered entity to determine the nature and scope of the incident, to identify the affected individuals, or to restore the reasonable integrity of the data system.
Regulatory Notification: N/A
Notification Timeline: Without unreasonable delay.
Data Format: Electronic.
Citations: Miss. Code. Ann. § 75-24-29
More Details
Definitions:
- Breach: The unauthorized acquisition of electronic files, media, databases or computerized data containing personal information of any resident of Mississippi when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable.
- Personal Information (PI):
  - An individual's first name or first initial and last name in combination with any one or more of the following data elements:
    - Social security number;
    - Driver's license number, state identification card number or tribal identification card number; or
    - An account number or credit or debit card number in combination with any required security code, access code or password that would permit access to an individual's financial account.
  - "Personal information" does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media.
- Affected Individual: Any individual who is a resident of Mississippi whose personal information was, or is reasonably believed to have been, intentionally acquired by an unauthorized person through a breach of security.
- Medical Information: N/A
- Health Insurance Information: N/A
Safe Harbors:
- Encryption: Does not apply to personal information that has been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable.
- Good Faith: N/A
- Risk of Harm: Notification shall not be required if, after an appropriate investigation, the covered entity reasonably determines that the breach will not likely result in harm to the affected individuals.
- Law Enforcement Delay: Any notification required by this section shall be delayed for a reasonable period of time if a law enforcement agency determines that the notification will impede a criminal investigation or national security and the law enforcement agency has made a request that the notification be delayed. Any such delayed notification shall be made after the law enforcement agency determines that notification will not compromise the criminal investigation or national security and so notifies the covered entity of that determination.
Direct Notice:
- Timing: A covered entity shall disclose any breach of security to all affected individuals. The disclosure shall be made without unreasonable delay, subject to the provisions of subsections (4) and (5) of this section and the completion of an investigation by the covered entity to determine the nature and scope of the incident, to identify the affected individuals, or to restore the reasonable integrity of the data system. Notification shall not be required if, after an appropriate investigation, the covered entity reasonably determines that the breach will not likely result in harm to the affected individuals.
- Format: N/A
- Content: N/A
- Method: Any notice required by the provisions of this section may be provided by one (1) of the following methods: (a) written notice; (b) telephone notice; (c) electronic notice, if the covered entity's primary means of communication with the affected individuals is by electronic means or if the notice is consistent with the provisions regarding electronic records and signatures set forth in 15 USCS 7001; or (d) substitute notice, provided the covered entity demonstrates that the cost of providing notice in accordance with paragraph (a), (b) or (c) of this subsection would exceed Five Thousand Dollars ($5,000.00), that the affected class of subject persons to be notified exceeds five thousand (5,000) individuals or the covered entity does not have sufficient contact information.
Substitute Notice:
Substitute notice shall consist of the following: electronic mail notice when the covered entity has an electronic mail address for the affected individuals; conspicuous posting of the notice on the website of the covered entity if the covered entity maintains one; and notification to major statewide media, including newspapers, radio and television.
Remediation Services:
N/A
Regulatory Notice:
N/A
Credit Reporting Agencies Notice:
N/A
Third-Party Notice:
Any entity who conducts business in Mississippi that maintains computerized data which includes personal information that the entity does not own or license shall notify the owner or licensee of the information of any breach of the security of the data as soon as practicable following its discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person for fraudulent purposes.
HIPAA:
N/A
Private Action:
N/A
Associated Regulations:
Mississippi Insurance Data Security Law Miss. Code. Ann. § 83-5-803 et seq.
Insurance Data Security Statute
Highlights
Covered Entities: Any entity licensed, authorized to operate, or registered (or required to be licensed, authorized or registered) pursuant to the insurance laws of this state, not including a purchasing group or a risk-retention group chartered and licensed in a state other than this state or an entity who is acting as an assuming insurer that is domiciled in another state or jurisdiction.
Security Standard: A licensee must develop, implement, and maintain a comprehensive written information security program based on the licensee's risk assessment. The program must contain administrative, technical and physical safeguards for the protection of nonpublic information and the licensee's information system.
Consumer Notification: A licensee shall comply with Miss. Code. Ann. § 75-24-29, as applicable. Notification to all affected individuals shall be made without unreasonable delay.
Regulatory Notification: A licensee shall notify the Mississippi Insurance Department as promptly as possible but in no event later than 3 business days from a determination that a cybersecurity event involving nonpublic information has occurred, when either of the criteria referenced below has been met.
Notification Timeline: A licensee must notify the Mississippi Insurance Department as promptly as possible but in no event later than 3 business days from a determination that a cybersecurity event involving nonpublic information that is in the possession of a licensee has occurred. Notice to the consumer must comply with Miss. Code. Ann. § 75-24-29, which requires notice to be sent without unreasonable delay after the determination that a cybersecurity event has occurred.
Citations: Miss. Code Ann. § 83-5-801 et seq.
More Details
Definitions:
- Consumer: An individual, including, but not limited to, applicants, policyholders, insureds, beneficiaries, claimants and certificate holders, who is a resident of this state and whose nonpublic information is in a licensee's possession, custody or control.
- Cybersecurity Event: An event resulting in unauthorized access to, disruption or misuse of, an information system or nonpublic information stored on such information system unless the licensee has determined that: (i) the unauthorized acquisition involved encrypted nonpublic information and the key was not acquired, released or used without authorization or (ii) the nonpublic information accessed by an unauthorized person has not been used or released and has been returned or destroyed.
- Licensee: Any entity licensed, authorized to operate, or registered, or required to be licensed, authorized or registered pursuant to the insurance laws of this state, not including a purchasing group or a risk-retention group chartered and licensed in a state other than this state or an entity who is acting as an assuming insurer that is domiciled in another state or jurisdiction.
- Nonpublic Information: Electronic information that is not publicly available information and is any of the following:
  - Any information concerning a consumer which because of name, number, personal mark or other identifier can be used to identify such consumer, in combination with any one (1) or more of the following data elements:
    - Social Security number;
    - Driver's license number or nondriver identification card number;
    - Financial account number or credit or debit card number;
    - Any security code, access code or password that would permit access to a consumer's financial account; or
    - Biometric records.
  - Any information or data, except age or gender, in any form or medium created by or derived from a health care provider or a consumer, that can be used to identify a particular consumer, and that relates to:
    - The past, present or future physical, mental or behavioral health or condition of any consumer or a member of the consumer's family;
    - The provision of health care to any consumer; or
    - Payment for the provision of health care to any consumer.
Regulatory Notice:
A licensee shall notify the Mississippi Insurance Department as promptly as possible but in no event later than 3 business days from a determination that a cybersecurity event involving nonpublic information has occurred, when either of the following criteria has been met:
- Mississippi is the licensee's state of domicile, in the case of an insurer, or Mississippi is the licensee's home state, in the case of a producer, as those terms are defined in Section 83-17-53, and the cybersecurity event has a reasonable likelihood of materially harming a consumer residing in Mississippi or a material part of the licensee's operations.
- The licensee reasonably believes that the nonpublic information involved is of two hundred fifty (250) or more consumers residing in Mississippi and that is either of the following:
- A cybersecurity event impacting the licensee of which notice is required to be provided to any government body, self-regulatory agency or any other supervisory body pursuant to any state or federal law; or
- A cybersecurity event that has a reasonable likelihood of materially harming either a consumer residing in Mississippi or a material part of the licensee’s operations.
Content Requirements:
When notifying the Mississippi Insurance Department of a cybersecurity event, a licensee shall provide as much of the following information as possible:
- The date of the cybersecurity event.
- A description of how the information was exposed, lost, stolen or breached, including the specific roles and responsibilities of third-party service providers, if any.
- How the cybersecurity event was discovered.
- Whether any lost, stolen, or breached information has been recovered and if so, how this was done.
- The identity of the source of the cybersecurity event.
- Whether the licensee has filed a police report or has notified any regulatory, government or law enforcement agencies and, if so, when such notification was provided.
- A description of the specific types of information acquired without authorization. Specific types of information means particular data elements including, for example, types of medical information, types of financial information or types of information allowing identification of the consumer.
- The period during which the information system was compromised by the cybersecurity event.
- The number of total consumers in this state affected by the cybersecurity event. The licensee shall provide the best estimate in the initial report to the commissioner and update this estimate with each subsequent report to the commissioner pursuant to this section.
- The results of any internal review identifying a lapse in either automated controls or internal procedures, or confirming that all automated controls or internal procedures were followed.
- A description of efforts being undertaken to remediate the situation which permitted the cybersecurity event to occur.
- A copy of the licensee's privacy policy and a statement outlining the steps the licensee will take to investigate and notify consumers affected by the cybersecurity event.
- The name of a contact person who is both familiar with the cybersecurity event and authorized to act for the licensee.
Third-Party Notice Requirements:
If a licensee discovers that a cybersecurity incident occurred in a system maintained by a third-party service provider, the licensee shall treat the event in the same manner for purposes of notification to the Mississippi Insurance Department unless the third-party service provider provides the notice.
Penalties:
In the case of a violation of this article, a licensee may be penalized in accordance with Miss. Code. Ann. § 83-5-85. Under this statute, for violation of any provisions of the insurance laws of Mississippi, the penalty whereof is not specially provided, the offender shall be guilty of a misdemeanor and, on conviction, shall be punished by a fine of not more than $5,000.00. For expenses in seeking out, detecting, and punishing violations of such laws, the commissioner may assess an additional penalty to be paid by the offender as restitution in an amount to cover such expenses as may be approved by the court.
Associated Regulations:
- Miss. Code. Ann. § 75-24-29