In light of the recent CDK security incident, the NHADA has received a number of questions from New Hampshire dealers about whether New Hampshire has a security breach notification law. At this time, the NHADA is working closely with Bernstein, Shur, Sawyer & Nelson, P.A., an NHADA Silver Partner, to develop guidance for New Hampshire dealers who were impacted by the CDK security incident. The NHADA will provide more guidance soon.
In the meantime, this update written by Hilary Holmes Rheaume, Bernstein, Shur, Sawyer & Nelson, P.A.,will provide a brief overview of New Hampshire’s security breach notification law:
Does New Hampshire have a security breach notification law?
Yes. New Hampshire’s security breach notification law is codified at R.S.A. 359-C:20.
When does R.S.A. 359-C:20 apply?
R.S.A. 359-C:20 provides that “[a]ny person doing business in this state who owns or licenses computerized data that includes personal information shall, when it becomes aware of a security breach, promptly determine the likelihood that the information has been or will be misused.” (emphasis added.)
The statute defines “personal information” as an individual’s first and last name in combination with any one or more of the following: social security number, driver’s license number or other government identification number, or “[a]ccount number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.”
The statute defines a “security breach” as the “unauthorized acquisition of computerized data that compromises the security or confidentiality of personal information maintained by a person doing business in this state.”
Based on the information obtained to date, it is the NHADA’s understanding that CDK considers all consumer data to be owned by the dealership—not CDK. As a result, a dealership that uses CDK will likely be considered to be the owner of “computerized data” for purposes of R.S.A. 359-C:20. At this time, CDK is still investigating the security incident and has not provided sufficient information for dealerships to determine “the likelihood that the information has been or will be misused.” However, dealerships should remain diligent in communicating with CDK about whether any personal information in their respective CDK program likely has been or will be misused.
Are there any notification obligations under R.S.A. 359-C:20 and when are these triggered?
Yes. The statute imposes two notification obligations on businesses, which are triggered when a business determines “that misuse of the information has occurred or is reasonably likely to occur, or if a determination cannot be made...”
First, a business must notify affected individuals in accordance with the statute. In the event CDK notifies your dealership that personal information has been misused, is reasonably likely to be misused, or a determination cannot be made, we recommend contacting legal counsel as soon as possible.
Second, the business must report the breach to the primary regulatory authority or, if none, the New Hampshire Attorney General. The notice shall include the anticipated date of the notice to affected individuals and the approximate number of individuals in the state who will be notified.
A third notification obligation is triggered when the business is required to notify more than 1,000 customers of a security breach. Under such circumstances, the business must also notify all nationwide consumer reporting agencies.
Hilary Holmes Rheaume, Bernstein, Shur, Sawyer & Nelson, P.A.
hrheaume@bernsteinshur.com
603-665-8839
At this time, it is NHADA’s understanding that CDK is still investigating the security incident, so no determination concerning the misuse of personal information has been made. The NHADA recommends that dealerships remain diligent in communicating with CDK about whether any personal information in their respective CDK program has been misused, will likely be misused, or whether no determination can be made.
The NHADA will provide an additional update as more information becomes available.
