Earlier this year, Mississippi passed legislation requiring organizations to notify individuals whose personal information is compromised by a data breach. With only Alabama, Kentucky, New Mexico and South Dakota remaining as states without data breach notification laws, Mississippi joins the vast majority of states that have passed such legislation. House Bill 583 will not go into effect until July 1, 2011, but its form and structure track many other states’ notice requirements in the event of a data breach.

Based on California’s original definition of personally identifying information (PII), a breach triggers the Mississippi notification requirement only if the leaked PII includes a name together with a social security number, a driver’s license number, or an account number in combination with any required security or access code. In the event of a triggering breach, notification must be made to the affected individuals only, not to government regulators or to any credit reporting agencies. However, where the breached organization reasonably determines that the breach is not likely to result in harm to the affected individuals, the notification requirement is waived. The law also includes a safe harbor for organizations that secure PII by encryption or other technologies rendering the PII “unreadable or unusable.”

Although there are many similarities between Mississippi’s breach notification requirement and those of other states, significant differences exist with respect to the acceptable time to notify, criminal and civil penalties, safe harbors and exemptions. For the vast majority of businesses handling personal information, a careful review of PII handling policies and the implementation of a breach notification procedure are recommended. For an outline of the major requirements under each state’s breach notification law, please see our State Data Breach Notification Laws chart.