Missouri Data Breach Notification Laws: Reporting Rules & Timelines (2026)

If your business collects personal data from Missouri residents, state law requires you to notify those individuals promptly when a security breach compromises their information. Missouri's data breach notification statute, codified at Mo. Rev. Stat. 407.1500, has been in effect since August 28, 2009, and falls under the broader Missouri Merchandising Practices Act (Chapter 407).
Unlike states that impose hard notification deadlines, Missouri uses a "without unreasonable delay" standard. Enforcement rests entirely with the Attorney General, and penalties can reach $150,000 per breach.
This guide covers every provision of the statute, from what triggers a notification obligation to who enforces it and what penalties apply. For the broader privacy landscape in the state, see the parent guide to [Missouri Data Privacy Laws](/us-laws/data-privacy-laws/missouri-data-privacy-laws).
What Qualifies as a Breach Under Missouri Law
Missouri defines a "breach of security" as the unauthorized access to and unauthorized acquisition of personal information maintained in computerized form by a person that compromises the security, confidentiality, or integrity of that information.
Two conditions must both exist for a breach to be reportable:
- The access must be unauthorized
- The acquisition must compromise the security, confidentiality, or integrity of the data
A good faith acquisition of personal information by an employee or agent of a business does not count as a breach, as long as the information is acquired for a legitimate purpose and is not used in violation of applicable law.
The statute also requires that the personal information be maintained in computerized form. Paper records are not covered by this law.
What Counts as Protected Personal Information
Missouri law protects a resident's first name or first initial and last name when combined with one or more of these unencrypted data elements:
- Social Security number
- Driver's license number or other government-issued identification number
- Financial account number, credit card number, or debit card number combined with any required security code, access code, or password that would permit access to the account
- Unique electronic identifier or routing code combined with any required security code, access code, or password
- Medical information (any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional)
- Health insurance information (an individual's health insurance policy number, subscriber identification number, or any unique identifier used by a health insurer to identify the individual)
If the data elements are encrypted, redacted, or otherwise rendered unreadable or unusable, they fall outside the definition of personal information and do not trigger notification requirements.

The Encryption Safe Harbor
Missouri provides a clear safe harbor for organizations that encrypt their data. The statute excludes from its definition of "personal information" any data that has been "encrypted, redacted, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable or unusable."
This means that if a breach exposes only encrypted data that cannot be read without a decryption key, and the key itself was not also compromised, the organization has no obligation to notify affected consumers. The encryption must render the data genuinely unreadable, not merely obfuscated; by the statute's own definition, data that can be recovered without a confidential process or key is not "encrypted."
The term "encrypted" is defined in the statute as "the use of an algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without the use of a confidential process or key."
Organizations that implement strong encryption across their data systems can significantly reduce their notification obligations under Missouri law.
Notification Timeline and Requirements
When to Notify

Missouri requires notification "without unreasonable delay" following the discovery or notification of a breach. The statute does not impose a fixed day count like many other states.
However, the law acknowledges that some delay is acceptable when a business needs to:
- Determine sufficient contact information for affected consumers
- Assess the scope of the breach
- Restore the reasonable integrity, security, and confidentiality of the data system
When Notification Is Not Required
A business may skip notification entirely if, after conducting an appropriate investigation or consulting with relevant law enforcement agencies, it determines that a risk of identity theft or other fraud to any consumer is "not reasonably likely to occur" as a result of the breach.
This determination must be documented in writing, and the documentation must be retained for five years.
Law Enforcement Delay
Notification may be delayed if a law enforcement agency determines that the notice would impede a criminal investigation. The agency must provide written notice to the business identifying the law enforcement officer making the determination and the officer's agency. Notification must resume promptly after law enforcement advises that it will no longer impede the investigation.
How to Provide Notification
Missouri allows four methods for notifying affected consumers:
Written notice. Sent to the consumer's mailing address on file.
Electronic notice. Permitted if the consumer has consented to receive electronic communications and the notice is consistent with the provisions of the federal E-SIGN Act (15 U.S.C. Section 7001).
Telephone notice. Direct contact by phone with each affected consumer.
Substitute notice. Available when specific conditions are met (see below).
What the Notice Must Include
Every notification must contain:
- A description of the incident in general terms
- A description of the type of personal information that was subject to the breach
- Contact information for the person or business providing the notice
- Contact information for the major consumer reporting agencies
- Advice to the consumer to report suspected identity theft to law enforcement and consumer reporting agencies
Substitute Notice Rules
Organizations may use substitute notice instead of direct notification when any of these conditions apply:
- The cost of direct notification would exceed $100,000
- The affected class of consumers exceeds 150,000 persons
- The business does not have sufficient contact information for the affected consumers
Substitute notice requires all three of the following:
- Email notice to all affected consumers for whom the business has an email address
- Conspicuous posting of the notice on the business's website
- Notification to major statewide media
Attorney General and Consumer Reporting Agency Notification
When a business notifies more than 1,000 Missouri consumers at one time, it must also notify:
- The Missouri Attorney General's office
- All consumer reporting agencies that compile and maintain files on consumers on a nationwide basis (as defined in 15 U.S.C. Section 1681a(p))
This notification must be made "without unreasonable delay" and must include the timing, distribution, and content of the consumer notice.
For breaches affecting 1,000 or fewer Missouri consumers, the statute does not require notification to the AG or consumer reporting agencies.
Enforcement: AG Exclusive Authority

The Missouri Attorney General holds exclusive authority to bring enforcement actions for violations of the breach notification law. This is one of the most significant features of the statute.
What this means in practice:
- No private right of action. Individual consumers cannot sue a business under Mo. Rev. Stat. 407.1500 for failing to provide breach notification.
- No class action lawsuits. Private plaintiffs cannot bring class actions under this specific statute.
- AG-only enforcement. Only the Missouri Attorney General can pursue legal action for violations.
The AG can seek:
- Actual damages suffered by consumers as a result of a willful and knowing violation
- Civil penalties up to $150,000 per breach of the security of the system, or per series of breaches of a similar nature discovered in a single investigation
The "willful and knowing" standard means that accidental failures or good-faith compliance efforts that fall short are unlikely to trigger penalties. The AG must demonstrate that the violation was intentional.
The Merchandising Practices Act Connection
Missouri's breach notification law is codified within Chapter 407 of the Missouri Revised Statutes, which is the Merchandising Practices Act (MMPA). This placement is significant.
The MMPA, particularly Mo. Rev. Stat. 407.020, broadly prohibits deception, fraud, unfair practices, and the concealment of material facts in connection with trade or commerce. While Section 407.1500 provides the specific breach notification framework, the broader MMPA could apply where a company's handling of a data breach involves deceptive practices.
For example, if a business publicly claims it has notified all affected consumers but has not, or if it misrepresents the scope of a breach, the MMPA's general consumer protection provisions could provide an additional basis for AG enforcement.
The MMPA also allows the AG to pursue injunctive relief and other remedies beyond those specifically listed in Section 407.1500.
Exemptions and Compliance Safe Harbors
Missouri's statute provides several exemptions:
Existing security procedures. Organizations that maintain their own notification procedures as part of an information security policy are deemed in compliance if those procedures are consistent with the timing requirements of the statute.
Financial institution compliance. Financial institutions that comply with federal interagency guidance on response programs for unauthorized access to customer information (issued under the Gramm-Leach-Bliley Act) are exempt from the state notification requirements.
HIPAA-covered entities. Organizations subject to the federal Health Insurance Portability and Accountability Act (HIPAA) that comply with HIPAA breach notification requirements satisfy the state law.
Missouri's Insurance Data Security Act (Effective 2026)
Missouri enacted the Insurance Data Security Act as part of HB 974 during the 2025 legislative session. Codified at Mo. Rev. Stat. 375.1400 to 375.1427, this law took effect on January 1, 2026, and creates additional obligations specifically for insurance companies and licensed entities.
The Insurance Data Security Act requires insurers to:
- Develop and maintain a written information security program
- Conduct risk assessments of their data systems
- Designate personnel responsible for information security
- Implement access controls and encryption measures
- Develop incident response plans
- Investigate cybersecurity events and notify the Department of Commerce and Insurance
- Provide annual compliance certification to state regulators
This law operates alongside the general breach notification statute. Insurance companies must comply with both Mo. Rev. Stat. 407.1500 for consumer notification and the Insurance Data Security Act for regulatory reporting.
Practical Steps for Compliance
Organizations that handle personal information of Missouri residents should take these steps:
Develop an incident response plan. Document your procedures for detecting, investigating, and responding to data breaches. Missouri law recognizes organizations with their own notification procedures as compliant if those procedures meet the statutory timing requirements.
Encrypt sensitive data. The encryption safe harbor provides a strong incentive to encrypt personal information at rest and in transit. Encrypted data that is breached does not trigger notification obligations.
Maintain investigation records. If you determine that a breach does not require notification, document that determination in writing and retain the documentation for five years.
Know your thresholds. If a breach affects more than 1,000 Missouri consumers, you must notify the AG and consumer reporting agencies in addition to the affected individuals.
Monitor for legislative changes. Missouri's data privacy landscape is evolving. The Insurance Data Security Act took effect in 2026, and legislators have introduced multiple bills addressing biometric data and broader consumer privacy rights.
How Missouri Compares to Other States
Missouri's breach notification law is less prescriptive than the laws of many other states:
- No fixed notification deadline. States like Florida (30 days), Colorado (30 days), and Ohio (45 days) set specific timelines. Missouri uses "without unreasonable delay."
- AG-exclusive enforcement. Most states allow at least some private enforcement. Missouri does not.
- Moderate penalties. The $150,000 cap per breach is lower than the caps in many other states. California, for example, allows penalties of $7,500 per intentional violation per affected consumer.
- No biometric data coverage. Missouri does not include biometric identifiers in its definition of protected personal information. For more on this gap, see Missouri Biometric Privacy Laws.
- Strong encryption safe harbor. Missouri's safe harbor is clear and well-defined, providing genuine protection for organizations that encrypt their data.
This article provides general legal information about Missouri data breach notification requirements under Mo. Rev. Stat. 407.1500. It is not legal advice. Laws and regulations change frequently, and this content may not reflect the most recent developments. Consult a qualified attorney licensed in Missouri for advice about your specific situation.
Sources and References
- Mo. Rev. Stat. 407.1500 - Breach notification statute (revisor.mo.gov)
- Missouri Attorney General - Data Breaches (ago.mo.gov)
- Mo. Rev. Stat. 407.020 - Merchandising Practices Act (revisor.mo.gov)
- 15 U.S.C. Section 1681a - Fair Credit Reporting Act definitions (law.cornell.edu)
- Missouri Chapter 407 - Merchandising Practices (revisor.mo.gov)
- Missouri HB 974 - Insurance Data Security Act (house.mo.gov)
- Missouri Attorney General - Data Breach Checklist (ago.mo.gov)