New Hampshire Data Breach Laws: Reporting Requirements and Fines

New Hampshire businesses that suffer a data breach must notify affected consumers as soon as possible. A breach that impacts 1,000 or more NH residents has to be reported to all consumer-reporting agencies. Additionally, appropriate regulators, such as the insurance commissioner, must be notified. If there is no primary regulator, the business must notify the New Hampshire attorney general. Consumers have the right to sue for actual damages when a business fails to comply. If the court determines the business willfully violated the law, the consumer may be rewarded as much as three times their damages (plus court costs and attorney fees).\

Name of Law / Statute


Definition of Protected Information

Combination of (1) name or other identifying info, PLUS (2) one or more of these "data" elements: SSN; driver's license number; or account number, credit card number, debit card number if accompanied by PIN, password, or access codes

Who Is Subject to Law?

Any person or business conducting business in the state who licenses or owns PI

Notification of Consumers?

Yes, unless determination of no harm by business

By what means?

Written, phone, or electronic; if >1,000 residents, must notify consumer reporting agencies; specific info must be included in notice

Substitute Notice Threshold?

If cost of notice >$5,000 or involves >100k residents

Notification of authorities / regulators required?


By what means?


Regulatory Fines

Up to $10,000/violation

Credit monitoring requirement?


Private lawsuits allowed?


Private damages cap?

Actual damages + costs, fees; double or treble if violation was willful

Regulatory actions allowed?


HIPAA Compliance exemption?


Other  (e.g., timeframe)

Law does not apply if PI was encrypted (unless encryption was compromised)

Link to complete law

Read the full text of New Hampshire’s data breach law.

70% of businesses raise prices or cut hiring when sued