Global Data Privacy Guide

USA, Mississippi

(United States) Firm Butler Snow LLP Updated 01 Mar 2022
What is the key legislation?

The key legislation is Mississippi's Notice of Breach of Security statute, Miss. Code Ann. § 75-24-29.

Note: Mississippi's data breach notification statute, Miss. Code Ann. § 75-24-29, protects the personal information of any resident of Mississippi.

Mississippi also has an Insurance Data Security Law (Miss. Code Ann. §§ 83-5-801 to 83-5-825) which is modeled after the National Association of Insurance Commissioners Insurance Data Security Model Law. The statute generally requires insurance licensees to comply with the general data breach notification statute provisions (Miss. Code Ann. §§ 83-5-805(i) and 83-5-811(3)).

What data is protected?

Protected data includes unencrypted electronic files, media, databases or computerized data containing personal information of any resident of Mississippi.

Note:

“Personal information” means an individual's first name or first initial and last name in combination with any one or more of the following data elements:

  • social security number;
  • driver's license number, state identification card number, or tribal identification card number; or
  • an account number or credit or debit card number in combination with any required security code, access code or password that would permit access to an individual's financial account.

Personal information does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media.

Who is subject to privacy obligations?

Any person who conducts business in Mississippi and who, in the ordinary course of the person's business functions, owns, licenses or maintains personal information of any resident of this state.

Note:

Also applies to any person who conducts business in Mississippi that maintains computerized data which includes personal information that the person does not own or license.

What are the principles applicable to personal data processing?

Personal information (defined herein) shall be secured by encryption or by any other method or technology that renders the personal information unreadable or unusable.

How is the processing of personal data regulated?

The unauthorized acquisition of unencrypted personal information requires notice to the affected Mississippi residents.

Note: “Breach of security” means unauthorized acquisition of electronic files, media, databases or computerized data containing personal information of any resident of this state when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable.

Notice of a data breach of unencrypted personal information is not required if, after an appropriate investigation, the person reasonably determines that the breach is not likely to result in harm to the affected individuals.

How are storage, security and retention of personal data regulated?

Personal information (defined herein) shall be secured by encryption or by any other method or technology that renders the personal information unreadable or unusable.

What are the data subjects' rights?

N/A

Are there restrictions on cross-border data transfers?

N/A

Are there any notification requirements for data breaches?

Yes.

Note: Any person who conducts business in Mississippi shall disclose any data breach of personal information to all affected individuals without unreasonable delay subject to the covered entity's completion of an investigation to (i) determine the nature and scope of the incident; (ii) identify the affected individuals; and (iii) restore the reasonable integrity of the data system. The notification shall not be required if, after an appropriate investigation, the person reasonably determines that the breach will not likely result in harm to the affected individuals.

Notice may be provided by one of the following methods:

  • written notice;
  • telephone notice;
  • electronic notice, if the person's primary means of communication with the affected individuals is by electronic means or if the notice is consistent with the provisions regarding electronic records and signatures set forth in 15 USCS 7001; or
  • substitute notice, provided the person demonstrates that the cost of providing notice would exceed USD $5,000.00, that the affected class of subject persons to be notified exceeds 5,000 individuals, or that the person does not have sufficient contact information.

Any person who conducts business in this state that maintains its own security breach procedures as part of an information security policy for the treatment of personal information, and otherwise complies with the timing requirements of this section, shall be deemed to be in compliance with the security breach notification requirements of this section if the person notifies affected individuals in accordance with the person's policies in the event of a breach of security.

Any person that maintains such a security breach procedure pursuant to the rules, regulations, procedures or guidelines established by the primary or federal functional regulator, as defined in 15 U.S.C.S § 6809(2), shall be deemed to be in compliance with the security breach notification requirements, provided the person notifies affected individuals in accordance with the policies or the rules, regulations, procedures or guidelines established by the primary or federal functional regulator in the event of a breach of security of the system.

Any notification shall be delayed for a reasonable period of time if a law enforcement agency determines that the notification will impede a criminal investigation or national security and the law enforcement agency has made a request that the notification be delayed.

Who is the privacy regulator?

The Mississippi Attorney General.

What are the consequences of a privacy breach?

Failure of any person who conducts business in the state to provide notice of a data breach shall constitute an unfair trade practice, and shall be enforced by the Attorney General. Consequences of failing to provide notice of a data breach may include the imposition of civil penalties and criminal penalties.

Note: The Office of the Attorney General has authority to enforce the statute and may bring an action under the unfair trade practices act. If a court finds from clear and convincing evidence that a person knowingly and willfully committed any unfair or deceptive trade practice, the Attorney General, upon petition to the court, may recover a civil penalty in a sum not to exceed USD $10,000.00 per violation. The Attorney General may also recover investigative costs and a reasonable attorney's fee.

There is no private right of action for a data breach.

Additionally, any person who knowingly and willfully commits an unfair or deceptive trade practice shall be guilty of a misdemeanor, and upon the first conviction shall be fined up to USD $1,000.00. Subsequent convictions are subject, in addition to a fine, to imprisonment as a misdemeanor or a felony.

How is electronic marketing regulated?

N/A

Are there any recent developments or expected reforms?

The Mississippi Legislature introduced a broad, CCPA-like consumer data privacy bill in the 2022 legislative session, which would have provided a private cause of action for data breaches. The bill died in committee.