
New Hampshire

See the Summary of U.S. State Data Breach Maps

Quick Facts

Breach Based on Harm Threshold: Yes
Deadline for Consumer Notice: As soon as possible
Government Notification Required: Yes

N.H. Rev. Stat. Ann. §§ 359-C:19 to C:21

Scope of this Summary:

Notification requirements applicable to persons who conduct businesses in the state or who own, license, or maintain covered info. Some types of businesses may be exempt from some or all of these requirements, and non-commercial entities may be subject to different requirements.

Risk of Harm Threshold

Notification not required if entity determines that misuse of the covered info has not occurred and is not reasonably likely to occur.

Breach Defined

Unauthorized acquisition of computerized data that compromises the security or confidentiality of personal information maintained by a covered entity.

Encryption Safe Harbor

Statute does not apply to information that is encrypted or secured by a method that renders the covered info completely unreadable or unusable, so long as the encryption key was not also acquired.

Form of Covered Info

Electronic Only

Covered Information

An individual's first name or initial and last name in combination with any one or more of the following data elements:

  • Social Security number.
  • Driver's license number or other government identification number.
  • Account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

Consumer Notice Timing

Must be made as soon as possible following determination that covered information has been or is reasonably likely to be misused or following conclusion that such determination cannot be made.

Consumer Notice Method

By written notice, electronic notice (if the primary means of communication with affected individuals), or by telephone notice (if a log of the notification is kept). Substitute notice is available if certain criteria are satisfied.

Consumer Notice Content

The notification shall include at a minimum:

  • A description of the incident in general terms.
  • The approximate date of breach.
  • The type of personal information obtained as a result of the security breach.
  • The telephonic contact information of the person required to notify affected individuals.

Delayed Notice

The covered entity may delay giving notice if a law enforcement or national security agency determines that the notice will impede a criminal investigation or jeopardize national security.

Government Notice

All entities that do not fall under the jurisdiction of a regulator specified below must notify the Attorney General's office of the breach. Such notice must include the anticipated date of the notice to individuals and the approximate number of individuals who will be notified. Different regulators may have different notification requirements and deadlines.

Entities subject to the jurisdiction of the bank commissioner, director of securities regulation, insurance commissioner, public utilities commission, the financial institutions and insurance regulators of other states, or federal banking or securities regulators must notify their primary regulator of the breach.

Consumer Reporting Agency Notice

If required to notify more than 1,000 persons, must notify, without unreasonable delay, all nationwide Consumer Reporting Agencies of the anticipated date of notification, approximate number of consumers to be notified, and the content of the notice.

Exceptions for Other Laws

Licensees will be exempt from the statute's notification provisions if they are subject to the Gramm-Leach-Bliley Act (GLBA) and provide notice to affected consumers for security breaches consistent with the GLBA's requirements.

Third-Party Notice

If you maintain covered info on behalf of another entity, you must notify and cooperate with it immediately following discovery of a breach if the covered info was acquired by an unauthorized person. Cooperation includes sharing information relevant to the breach but not disclosure of confidential info or trade secrets.

Private Right of Action

Under New Hampshire's general data breach notification statute, affected persons injured as a result of a security breach may bring an action for damages.

Potential Penalties

Violations may result in civil penalties.

This summary is for informational purposes only. It provides general information and not legal advice or opinions regarding specific facts. Additional requirements or conditions may apply to any or all provisions referenced herein. For more information about the state data breach notification laws or other data security matters, please seek the advice of counsel.

Last revised on June 15, 2023

©1996-2025 Davis Wright Tremaine LLP. ALL RIGHTS RESERVED. Attorney Advertising. Not intended as legal advice. Prior results do not guarantee a similar outcome.