This post was written by Alysa Zeltzer Hutnik.
On April 7, 2010, Mississippi enacted a data breach notification law that requires any person who conducts business in the State of Mississippi, and who, in the ordinary course of the person’s business functions, owns, licenses, or maintains personal information of any resident of Mississippi, provide notice in the event of a data security breach. This law tracks the general language of data breach notification laws already enacted in 45 other states and the District of Columbia. The law will become effective on July 1, 2011.
Failure to comply with the law is considered an unfair trade practice and may be enforced by the Mississippi Attorney General. Notably, there is no private right of action. Under the state statutes prohibiting unfair or deceptive acts or practices, the Attorney General may seek injunctive relief, and for knowing or willful violations, a civil penalty up to $10,000 per violation. The Attorney General may also seek criminal penalties including fines and imprisonment for knowing or willful violations.
This law continues the trend of data security legislation at the state level. See previous posts here and here. It is a good reminder for businesses that their information security practices are subject to a patchwork of state and federal regulations, and they should examine not only what they are doing to ensure compliance with data breach notification laws, but also what their safeguarding and data handling practices are as well.