Missouri

See the Summary of U.S. State Data Breach Maps

Quick Facts

Breach Based on Harm Threshold: Yes
Deadline for Consumer Notice: Without unreasonable delay
Government Notification Required: Yes, if >1,000 residents notified

Mo. Rev. Stat. § 407.1500

Scope of this Summary:

Notification requirements applicable tindividuals or entities that own, license, or maintain covered info. Some types of businesses may be exempt from some or all of these requirements, and non-commercial entities may be subject tdifferent requirements.

Risk of Harm Threshold

Notification is not required if, after an appropriate investigation or after consultation with the relevant federal, state, or local law enforcement agencies, the covered entity determines that a risk of identity theft or other fraud tany consumer is not reasonably likely toccur as a result of the breach. The covered entity must document its determination in writing and maintain it for five years.

Breach Defined

Unauthorized access and acquisition that compromises the security, confidentiality, or integrity of the covered info, excluding certain good-faith acquisitions by employees or agents.

Encryption Safe Harbor

Statute does not apply tinformation that is encrypted, redacted, or otherwise altered in such a manner tmake it unreadable or unusable.

Form of Covered Info

Electronic Only

Covered Info

An individual's first name or first initial and last name in combination with any one or more of the following data elements:

  • Social Security number.
  • Driver's license number or other unique identification number created or collected by a government body.
  • Financial account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access tan individual's financial account.
  • Unique electronic identifier or routing code, in combination with any required security code, access code, or password that would permit access tan individual's financial account.
  • Medical information.
  • Health insurance information.

Consumer Notice Timing

Must be made without unreasonable delay, consistent with any measures necessary tdetermine scope of the breach and sufficient contact information for affected residents and trestore the reasonable integrity, security, and confidentiality of the system.

Consumer Notice Method

In writing, by telephone (if contact made directly with affected resident), or electronic notice (if entity has valid email address, resident agreed treceive communications electronically, and notice is consistent with E­-SIGN). Substitute notice available if certain criteria are satisfied.

Consumer Notice Contents

The notification shall at minimum include a description of the following:

  • The incident in general terms.
  • The type of personal information that was obtained as a result of the breach of security.
  • A telephone number that the affected consumer may call for further information and assistance, if one exists.
  • Contact information for Consumer Reporting Agencies.
  • Advice that directs the affected consumer tremain vigilant by reviewing account statements and monitoring free credit reports.

Delayed Notice

Notification may be delayed if law enforcement determines that notification will impede a criminal investigation or jeopardize national or homeland security. The request must be in writing or documented by the covered entity contemporaneously and include the officer name and agency.

Government Notice

If more than 1,000 residents are notified, must, without unreasonable delay, notify Attorney General's office of timing, distribution, and content of the consumer notice.

Consumer Reporting Agency Notice

If more than 1,000 residents are notified, must, without unreasonable delay, notify all Consumer Reporting Agencies of timing, distribution, and content of the consumer notice.

Exceptions for Other Laws

A covered entity is deemed in compliance if it is: a financial institution subject tthe Federal Interagency Guidance Response Programs for Unauthorized Access tCustomer Information and Customer Notice (70 Fed. Reg. 15,736 (March 29, 2005)); the National Credit Union Administration security program regulations (12 CFR §§ 748.0 t748.2); or the Gramm-Leach-Bliley Act (GLBA).

Third-Party Notice

If you maintain covered infon behalf of another entity, you must notify it immediately following discovery of a breach.

Private Right of Action

The Missouri statute does not provide for a private right of action.

Potential Penalties

Violations may result in civil penalties.

This summary is for informational purposes only. It provides general information and not legal advice or opinions regarding specific facts. Additional requirements or conditions may apply to any or all provisions referenced herein. For more information about the state data breach notification laws or other data security matters, please seek the advice of counsel.

Last revised on June 15, 2023