Effective - 28 Aug 2009
407.1500. Definitions — notice to consumer for breach of security, procedure — attorney general may bring action for damages. — 1. As used in this section, the following terms mean:
(1) "Breach of security" or "breach", unauthorized access to and unauthorized acquisition of personal information maintained in computerized form by a person that compromises the security, confidentiality, or integrity of the personal information. Good faith acquisition of personal information by a person or that person's employee or agent for a legitimate purpose of that person is not a breach of security, provided that the personal information is not used in violation of applicable law or in a manner that harms or poses an actual threat to the security, confidentiality, or integrity of the personal information;
(2) "Consumer", an individual who is a resident of this state;
(3) "Consumer reporting agency", the same as defined by the federal Fair Credit Reporting Act, 15 U.S.C. Section 1681a;
(4) "Encryption", the use of an algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without the use of a confidential process or key;
(5) "Health insurance information", an individual's health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual;
(6) "Medical information", any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional;
(7) "Owns or licenses" includes, but is not limited to, personal information that a business retains as part of the internal customer account of the business or for the purpose of using the information in transactions with the person to whom the information relates;
(8) "Person", any individual, corporation, business trust, estate, trust, partnership, limited liability company, association, joint venture, government, governmental subdivision, governmental agency, governmental instrumentality, public corporation, or any other legal or commercial entity;
(9) "Personal information", an individual's first name or first initial and last name in combination with any one or more of the following data elements that relate to the individual if any of the data elements are not encrypted, redacted, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable or unusable:
(a) Social Security number;
(b) Driver's license number or other unique identification number created or collected by a government body;
(c) Financial account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account;
(d) Unique electronic identifier or routing code, in combination with any required security code, access code, or password that would permit access to an individual's financial account;
(e) Medical information; or
(f) Health insurance information.
"Personal information" does not include information that is lawfully obtained from publicly available sources, or from federal, state, or local government records lawfully made available to the general public;
(10) "Redacted", altered or truncated such that no more than five digits of a Social Security number or the last four digits of a driver's license number, state identification card number, or account number is accessible as part of the personal information.
2. (1) Any person that owns or licenses personal information of residents of Missouri or any person that conducts business in Missouri that owns or licenses personal information in any form of a resident of Missouri shall provide notice to the affected consumer that there has been a breach of security following discovery or notification of the breach. The disclosure notification shall be:
(a) Made without unreasonable delay;
(b) Consistent with the legitimate needs of law enforcement, as provided in this section; and
(c) Consistent with any measures necessary to determine sufficient contact information and to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.
(2) Any person that maintains or possesses records or data containing personal information of residents of Missouri that the person does not own or license, or any person that conducts business in Missouri that maintains or possesses records or data containing personal information of a resident of Missouri that the person does not own or license, shall notify the owner or licensee of the information of any breach of security immediately following discovery of the breach, consistent with the legitimate needs of law enforcement as provided in this section.
(3) The notice required by this section may be delayed if a law enforcement agency informs the person that notification may impede a criminal investigation or jeopardize national or homeland security, provided that such request by law enforcement is made in writing or the person documents such request contemporaneously in writing, including the name of the law enforcement officer making the request and the officer's law enforcement agency engaged in the investigation. The notice required by this section shall be provided without unreasonable delay after the law enforcement agency communicates to the person its determination that notice will no longer impede the investigation or jeopardize national or homeland security.
(4) The notice shall at minimum include a description of the following:
(a) The incident in general terms;
(b) The type of personal information that was obtained as a result of the breach of security;
(c) A telephone number that the affected consumer may call for further information and assistance, if one exists;
(d) Contact information for consumer reporting agencies;
(e) Advice that directs the affected consumer to remain vigilant by reviewing account statements and monitoring free credit reports.
(5) Notwithstanding subdivisions (1) and (2) of this subsection, notification is not required if, after an appropriate investigation by the person or after consultation with the relevant federal, state, or local agencies responsible for law enforcement, the person determines that a risk of identity theft or other fraud to any consumer is not reasonably likely to occur as a result of the breach. Such a determination shall be documented in writing and the documentation shall be maintained for five years.
(6) For purposes of this section, notice to affected consumers shall be provided by one of the following methods:
(a) Written notice;
(b) Electronic notice for those consumers for whom the person has a valid email address and who have agreed to receive communications electronically, if the notice provided is consistent with the provisions of 15 U.S.C. Section 7001 regarding electronic records and signatures for notices legally required to be in writing;
(c) Telephonic notice, if such contact is made directly with the affected consumers; or
(d) Substitute notice, if:
a. The person demonstrates that the cost of providing notice would exceed one hundred thousand dollars; or
b. The class of affected consumers to be notified exceeds one hundred fifty thousand; or
c. The person does not have sufficient contact information or consent to satisfy paragraphs (a), (b), or (c) of this subdivision, for only those affected consumers without sufficient contact information or consent; or
d. The person is unable to identify particular affected consumers, for only those unidentifiable consumers.
(7) Substitute notice under paragraph (d) of subdivision (6) of this subsection shall consist of all the following:
(a) Email notice when the person has an electronic mail address for the affected consumer;
(b) Conspicuous posting of the notice or a link to the notice on the internet website of the person if the person maintains an internet website; and
(c) Notification to major statewide media.
(8) In the event a person provides notice to more than one thousand consumers at one time pursuant to this section, the person shall notify, without unreasonable delay, the attorney general's office and all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 U.S.C. Section 1681a(p), of the timing, distribution, and content of the notice.
3. (1) A person that maintains its own notice procedures as part of an information security policy for the treatment of personal information, and whose procedures are otherwise consistent with the timing requirements of this section, is deemed to be in compliance with the notice requirements of this section if the person notifies affected consumers in accordance with its policies in the event of a breach of security of the system.
(2) A person that is regulated by state or federal law and that maintains procedures for a breach of the security of the system pursuant to the laws, rules, regulations, guidances, or guidelines established by its primary or functional state or federal regulator is deemed to be in compliance with this section if the person notifies affected consumers in accordance with the maintained procedures when a breach occurs.
(3) A financial institution that is:
(a) Subject to and in compliance with the Federal Interagency Guidance Response Programs for Unauthorized Access to Customer Information and Customer Notice, issued on March 29, 2005, by the board of governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision, and any revisions, additions, or substitutions relating to said interagency guidance; or
(b) Subject to and in compliance with the National Credit Union Administration regulations in 12 CFR Part 748; or
(c) Subject to and in compliance with the provisions of Title V of the Gramm-Leach-Bliley Financial Modernization Act of 1999, 15 U.S.C. Sections 6801 to 6809;
shall be deemed to be in compliance with this section.
4. The attorney general shall have exclusive authority to bring an action to obtain actual damages for a willful and knowing violation of this section and may seek a civil penalty not to exceed one hundred fifty thousand dollars per breach of the security of the system or series of breaches of a similar nature that are discovered in a single investigation.
--------
(L. 2009 H.B. 62)
Structure Missouri Revised Statutes
Title XXVI - Trade and Commerce
Chapter 407 - Merchandising Practices