Mississippi Data Breach Notification Laws: Reporting Rules & Timelines (2026)

Mississippi was the 46th state to enact a data breach notification law. Governor Haley Barbour signed House Bill 583 on April 7, 2010, and the law took effect on July 1, 2011. Codified at Miss. Code Ann. 75-24-29, the statute sits within the state's Regulation of Business for Consumer Protection chapter.
For a broader look at the state's privacy framework, see the parent guide to [Mississippi Data Privacy Laws](/us-laws/data-privacy-laws/mississippi-data-privacy-laws).
Compared to most states, Mississippi's breach notification law is minimal. It covers a narrow set of data elements, sets no fixed notification deadline, requires no government reporting, and carries no penalties specific to the breach statute itself. Enforcement runs through the state's general consumer protection framework.
Who Must Comply With Mississippi's Breach Notification Law
The law applies to any person who conducts business in Mississippi and who, in the ordinary course of business, owns, licenses, or maintains personal information of Mississippi residents in electronic form.
This covers corporations, partnerships, sole proprietors, nonprofits, and any other entity that handles covered data. It does not matter whether the business is headquartered in Mississippi. If the entity conducts business in the state and holds personal information of state residents, the law applies.
Third-party service providers that maintain, store, or process personal information on behalf of another entity have a separate obligation. They must notify the data owner "as soon as practicable" after discovering that personal information was or is reasonably believed to have been acquired by an unauthorized person for fraudulent purposes.
Government Entities
Mississippi's breach notification statute applies only to the private sector. State and local government agencies are not covered by Miss. Code Ann. 75-24-29. However, insurance licensees in Mississippi must comply with the separate Mississippi Insurance Data Security Law (codified at Miss. Code Ann. 83-5-801 through 83-5-825), which took effect July 1, 2019 and requires notification to the Insurance Commissioner within three business days of a qualifying cybersecurity event.
What Personal Information Is Protected
Mississippi defines "personal information" narrowly. The law only covers an individual's first name or first initial and last name combined with one or more of the following data elements:
- Social Security number
- Driver's license number or state-issued identification card number
- Financial account number, credit card number, or debit card number, combined with any required security code, access code, or password that would permit access to the account
That is the complete list. Unlike many other states, Mississippi does not include:
- Medical records or health information
- Health insurance policy numbers
- Biometric data (fingerprints, facial recognition, retina scans)
- Usernames and passwords for online accounts
- Passport numbers or military identification numbers
- Taxpayer identification numbers (unless also used as an SSN)
The data elements are only considered personal information when they are not secured by encryption or another method of technology that renders the data unreadable or unusable. Publicly available information lawfully obtained from federal, state, or local government records is also excluded.
How Mississippi Defines a Breach of Security
A "breach of security" under the statute means the unauthorized acquisition of electronic files, media, databases, or computerized data containing personal information of a Mississippi resident when access to that information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable.
Two important points emerge from this definition. First, it applies only to electronic data. Paper records are not covered. Second, the encryption safe harbor is built directly into the breach definition itself. If the compromised data was encrypted, no breach has occurred under the statute, and no notification is required.

The Harm-Based Exemption
Even when a breach of unencrypted personal information occurs, Mississippi does not automatically require notification. The statute provides that notification is not required if, after an appropriate investigation, the entity "reasonably determines that the breach will not likely result in harm to the affected individuals."
This harm-based exemption gives businesses significant discretion. The statute does not define "harm" or specify what factors must be considered in making this determination. It does not require the entity to document its reasoning in writing or retain that documentation for any period.
This makes Mississippi's exemption broader and less structured than the harm thresholds in states like Alabama, which requires written documentation of no-harm determinations and retention for five years.
Notification Timeline
Mississippi requires notification "without unreasonable delay," subject to the completion of an investigation to determine the nature and scope of the incident, identify affected individuals, or restore the reasonable integrity of the data system.
The statute sets no specific deadline in days. There is no 30-day, 45-day, or 60-day requirement. This is among the most flexible timing provisions in the country. For comparison:
- Alabama requires notification within 45 days
- Colorado requires notification within 30 days
- Most states that use "without unreasonable delay" also set a maximum number of days
Mississippi's open-ended timeline means the investigation period can extend as long as the entity deems necessary, provided the delay is not "unreasonable." There is no published guidance from the Mississippi Attorney General defining what constitutes an unreasonable delay.
Law Enforcement Delay
Notification may be delayed for a "reasonable period of time" if a law enforcement agency determines that notification would impede a criminal investigation or compromise national security. The law enforcement agency must request the delay. Once the agency determines that notification will no longer compromise the investigation, the entity must proceed with notification.
How Notification Must Be Provided
The statute allows four methods of notification:
- Written notice sent to the affected individual.
- Telephone notice to the affected individual.
- Electronic notice if the entity's primary means of communication with the individual is electronic, or if the notice complies with the federal Electronic Signatures in Global and National Commerce Act (E-SIGN Act, 15 U.S.C. 7001).
Substitute notice is available when any of these conditions exist:
- The cost of providing direct notice would exceed $5,000
- The affected class exceeds 5,000 residents
- The entity lacks sufficient contact information
Substitute notice requires all three of the following:
- Email notice to affected individuals for whom the entity has an email address
- Conspicuous posting on the entity's website (if one exists)
- Notification to major statewide media, including newspapers, radio, and television
The statute does not specify what information must be included in the notification itself. This is another area where Mississippi lags behind states like Alabama, California, and New York, which mandate specific content such as a description of the breach, the types of data involved, and steps individuals can take to protect themselves.

No Attorney General or Credit Reporting Agency Notification
Mississippi is one of the few remaining states that does not require entities to notify the Attorney General after a data breach, regardless of the number of affected individuals.
The law also does not require notification to consumer reporting agencies (Equifax, Experian, TransUnion) at any threshold.
This absence is notable. The vast majority of states require AG notification when breaches exceed a certain threshold (commonly 500 or 1,000 affected residents). A 2025 bill (SB 2046) introduced by Senator Bradford Blackmon would have added an AG notification requirement for breaches affecting more than 100 individuals, but it died in committee on February 4, 2025 without receiving a vote.
Encryption Safe Harbor
Mississippi's encryption safe harbor is built into the definition of "breach of security" itself. If the personal information involved was secured by encryption or by any other method or technology that renders it unreadable or unusable, no breach has occurred under the statute.
The law does not address the scenario where the encryption key is also compromised. In states like Alabama and California, the safe harbor does not apply if the encryption key or security credential was obtained alongside the encrypted data. Mississippi's statute contains no such qualification.
Existing Internal Notification Policies
The statute includes a safe harbor for entities that maintain their own notification procedures as part of an information security policy. If the entity's existing policy is consistent with the timing requirements of the statute (notification without unreasonable delay), compliance with that internal policy satisfies the state law.
Federal Compliance Exemption
Entities that comply with breach notification requirements established by their primary or functional federal regulator are deemed in compliance with Mississippi's law. This exemption covers:
- Financial institutions regulated under the Gramm-Leach-Bliley Act (GLBA)
- Healthcare entities regulated under HIPAA
- Other entities with federal breach notification obligations
This exemption is unconditional. Unlike states such as Alabama, Mississippi does not require federally regulated entities to also notify the state Attorney General.
Enforcement and Penalties

Mississippi's breach notification statute does not contain its own penalty provisions. Instead, the law states that failure to comply "shall constitute an unfair trade practice and shall be enforced by the Attorney General."
This routes enforcement through the Mississippi Consumer Protection Act (Miss. Code Ann. 75-24-1 et seq.). Under Miss. Code Ann. 75-24-19, the Attorney General can pursue the following remedies:
- Injunctive relief: Temporary or permanent injunctions to stop violations, plus voluntary compliance agreements
- Civil penalties: Up to $10,000 per violation for knowing and willful violations, based on clear and convincing evidence
- Investigative powers: Subpoena authority, compelled document production, and investigative hearings
The statute explicitly provides that "nothing in this section may be construed to create a private right of action." Mississippi residents cannot individually sue businesses for failing to provide breach notification.
There is no published record of the Mississippi Attorney General bringing a standalone enforcement action specifically under the data breach notification statute.
Comparison With Stronger State Laws
Mississippi's breach notification law is among the weakest in the country. Here is how it compares on key provisions:
| Provision | Mississippi | National Trend |
|---|---|---|
| Notification deadline | No specific deadline | Most states set 30-60 day limits |
| AG notification | Not required | Required in 40+ states |
| Credit agency notification | Not required | Required in 30+ states |
| Protected data categories | 3 categories | Most states cover 5-10+ categories |
| Harm exemption | Broad, unstructured | Many states require written documentation |
| Required notice content | Not specified | Most states mandate specific elements |
| Private right of action | None | Growing number of states allow it |
| Government entities covered | No | Many states include government |
Pending Legislative Changes
Multiple bills have attempted to strengthen Mississippi's breach notification requirements in recent years, but none have passed:
- SB 2046 (2025): Would have required AG notification for breaches affecting more than 100 individuals. Died in committee on February 4, 2025.
- SB 2528 (2022): Proposed expanding the law. Did not advance.
- HB 1380 (2025): Addressed cybersecurity standards for government entities and certain commercial entities, including liability protections for entities that adopt recognized cybersecurity frameworks. This bill focused on liability shields rather than strengthening notification requirements.
As of March 2026, Mississippi's data breach notification law remains unchanged since its original enactment in 2010.
Practical Compliance Steps
Despite the law's limited scope, businesses that handle personal information of Mississippi residents should take these steps:
- Inventory covered data: Identify where you store names combined with SSNs, driver's license numbers, or financial account credentials for Mississippi residents
- Encrypt at rest and in transit: Encryption eliminates the notification obligation entirely under Mississippi law
- Develop an incident response plan: Even though the law allows flexibility on timing, documenting a clear process reduces legal risk
- Monitor federal obligations: If you are regulated by a federal agency with its own breach notification rules (GLBA, HIPAA), compliance with those rules satisfies Mississippi's requirements
- Track legislative changes: Mississippi is under pressure to modernize its law, and future amendments may add AG notification requirements, broader data categories, or fixed deadlines
Sources and References
This article references the Mississippi data breach notification law codified at Miss. Code Ann. 75-24-29. For the original bill text, see HB 583 (2010) on the Mississippi Legislature website. For information about the Mississippi Consumer Protection Act enforcement framework, visit the Mississippi Attorney General Consumer Protection Division. For the NCSL's national overview of breach notification laws, see Security Breach Notification Laws.
This article provides general legal information about Mississippi's data breach notification requirements. It is not legal advice. Consult a qualified attorney for guidance on your specific situation. Laws and regulations change frequently. Verify current requirements through official Mississippi government sources.
Sources and References
- Miss. Code Ann. 75-24-29 Full Text (justia.com)
- HB 583 (2010) Original Bill History (billstatus.ls.state.ms.us)
- Mississippi AG Consumer Protection Division (ago.state.ms.us)
- NCSL Security Breach Notification Laws (ncsl.org)
- Miss. Code Ann. 75-24-19 Civil Penalties (justia.com)
- Mississippi Insurance Data Security Law (mid.ms.gov)
- SB 2046 (2025) Bill Tracker (billtrack50.com)
- E-SIGN Act (15 U.S.C. 7001) (law.cornell.edu)