Missouri
• Essentially any Missouri business shall provide notice to the affected consumer that there has been a breach of security following discovery or notification of the breach.
o Notification is not required if, after an appropriate investigation by the Entity or after consultation with the relevant federal, state, or local agencies responsible for law enforcement, the Entity determines that a risk of identity theft or other fraud to any consumer is not reasonably likely to occur as a result of the breach. Such a determination shall be documented in writing and the documentation shall be maintained for 5 years. Notification may be delayed if a law enforcement investigation requires such.
• In the event an Entity notifies more than 1,000 consumers at one time pursuant to this section, the Entity shall notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the timing, distribution, and content of the notice.
• In the event an Entity provides notice to more than 1,000 consumers at one time pursuant to this section, the Entity shall notify, without unreasonable delay, the state Attorney General’s office of the timing, distribution, and content of the notice.
• Any Entity that maintains or possesses records or data containing PI of residents of MO that the Entity does not own or license, or any Entity that conducts business in MO that maintains or possesses records or data containing PI of a resident of MO that the person does not own or license, shall notify the owner or licensee of the information of any breach of security immediately following discovery of the breach, consistent with the legitimate needs of law enforcement as provided in this section.
• The disclosure notification shall be made without unreasonable delay and consistent with any measures necessary to determine sufficient contact information and to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.
• Definition of Personal Information: An individual’s first name or first initial and last name in combination with any one or more of the following data elements that relate to the individual if any of the data elements are not encrypted, redacted, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable or unusable:
o Social Security number;
o Driver’s license number or other unique identification number created or collected by a government body;
o Account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account;
o Unique electronic identifier or routing code, in combination with any required security code, access code, or password that would permit access to an individual’s financial account;
o Medical information (information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional); or
o Health insurance information (an individual’s health insurance policy number, subscriber identification number, or any unique identifier used by a health insurer to identify the individual).
PI does not include information that is lawfully obtained from publicly available sources, or from federal, state, or local government records lawfully made available to the general public.
• Notice may be provided by one of the following methods:
o Written notice;
o Telephonic notice, if such contact is made directly with the affected consumers; or
o Electronic notice for those consumers for whom the person has a valid email address and who have agreed to receive communications electronically, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001 (E-Sign Act).
The notice shall at minimum include a description of the following:
o The incident in general terms;
o The type of PI that was obtained as a result of the breach of security;
o A telephone number that the affected consumer may call for further information and assistance, if one exists;
o Contact information for consumer reporting agencies; and
o Advice that directs the affected consumer to remain vigilant by reviewing account statements and monitoring free credit reports.
Mo. Rev. Stat. § 407.1500