New Hampshire Data Breach Notification Laws: Reporting Rules & Timelines (2026)

If your business handles personal information belonging to New Hampshire residents, a data breach triggers specific legal obligations under New Hampshire's Notice of Security Breach law. N.H. Rev. Stat. 359-C:19 through 359-C:21 sets out who must notify, what triggers the duty, and how quickly you need to act. New Hampshire enacted its breach notification law in 2007 as part of the state's Right to Privacy chapter, reflecting the legislature's view that breach notification is fundamentally a privacy protection.
This guide covers the full scope of New Hampshire's breach notification requirements, including what personal information triggers the law, who must be notified, the timeline, penalties, exemptions, and how the state's broader data privacy framework interacts with breach obligations.
Who Must Comply With New Hampshire's Breach Notification Law
New Hampshire's law applies to any person doing business in the state, any person that owns or licenses computerized data that includes personal information, or any person that maintains computerized data containing personal information on behalf of another. This broad scope captures businesses, government entities, and third-party service providers.
When a third party that maintains data on behalf of a data owner discovers a breach, it must notify the data owner immediately. The data owner then carries the primary responsibility to notify affected individuals and the Attorney General.
The statute applies regardless of where the business is physically located. Any business that holds personal information about New Hampshire residents must comply if it does business in the state.
What Qualifies as a Breach
Under N.H. Rev. Stat. 359-C:19, a "security breach" means the unauthorized acquisition of computerized data that compromises the security or confidentiality of personal information maintained by a person doing business in New Hampshire.
Good Faith Exception
A good faith acquisition of personal information by an employee or agent of a person doing business in the state does not constitute a security breach, provided the personal information is not used for an unauthorized purpose or subject to further unauthorized disclosure.
Encryption Safe Harbor
New Hampshire provides a safe harbor for encrypted data. The notification requirements do not apply to the unauthorized acquisition of personal information that has been encrypted, as long as the encryption key was not also compromised. If both the encrypted data and the key were acquired by the unauthorized person, notification is required.
Personal Information That Triggers Notification
Under N.H. Rev. Stat. 359-C:19, personal information means an individual's first name or first initial and last name combined with any one or more of the following data elements:
- Social Security number
- Driver's license number or other government identification number
- Account number, credit card number, or debit card number combined with any required security code, access code, or password that would permit access to an individual's financial account
What New Hampshire's Law Does Not Cover
Compared to states that have recently updated their breach notification statutes, New Hampshire's definition of personal information is relatively narrow. The law does not include:
- Biometric data (fingerprints, retina scans, voiceprints)
- Medical or health information
- Health insurance identification numbers
- Passport numbers
- Username or email address combined with passwords
- Taxpayer identification numbers (other than SSNs)
Personal information does not include information that is lawfully obtained from publicly available sources or from federal, state, or local government records lawfully made available to the public.
Notification Timeline
New Hampshire requires notification "as quickly as possible" under N.H. Rev. Stat. 359-C:20. This language is more urgent than the "without unreasonable delay" standard used by many states, suggesting the legislature intended a particularly prompt response.
The statute does not set a specific day count, but the "as quickly as possible" standard places the burden on the notifying entity to demonstrate that any delay was justified.

When Delay Is Permitted
Notification may be delayed if:
- A law enforcement agency determines that notification will impede a criminal investigation. Notification must be made after law enforcement determines it no longer compromises the investigation.
- The entity needs time to determine the nature and scope of the incident, identify the affected individuals, and restore the reasonable integrity of the data system.
Even when delay is permitted, the entity must still act "as quickly as possible" once the reason for the delay no longer applies.
Who Must Be Notified
New Hampshire Attorney General
The New Hampshire Attorney General must be notified of any security breach before individual notifications are sent. This is a notable requirement: New Hampshire mandates that the AG receive notice first, giving the office an opportunity to coordinate with the entity before affected individuals learn of the breach.
The AG notification should include:
- The nature of the security breach
- The number of New Hampshire residents affected
- Steps taken in response to the breach
- Any services being offered to affected individuals
Affected Individuals
Every New Hampshire resident whose unencrypted personal information was or is reasonably believed to have been acquired by an unauthorized person must be notified. The notification must include:
- A description of the incident in general terms
- The approximate date of the breach
- The type of personal information involved
- Contact information for the entity providing notice
- Contact information for the Federal Trade Commission and the New Hampshire Attorney General
- Steps the individual can take to protect against identity theft
Consumer Reporting Agencies
When a breach affects 1,000 or more New Hampshire residents at a single time, the entity must also notify the nationwide consumer reporting agencies without unreasonable delay. The notification must include the timing, distribution, and content of the notification to individuals.
How to Provide Notification
New Hampshire permits the following notification methods:
- Written notice sent by mail to the last known address of the individual
- Electronic notice if the entity's primary means of communication with the individual is by electronic means, or if the notice is consistent with the E-SIGN Act (15 U.S.C. 7001)
- Telephone notice if the entity can directly reach the affected individual
Substitute Notice
New Hampshire has one of the lowest substitute notice thresholds in the nation. Substitute notice is available when:
- The cost of providing notification would exceed $5,000
- The affected class exceeds 1,000 New Hampshire residents
- The entity does not have sufficient contact information
Compare this to most states where the cost threshold is $250,000 and the affected class threshold is 500,000. New Hampshire's low thresholds make substitute notice available to smaller businesses and smaller breaches.
Substitute notice must include all of the following:
- Email notification to individuals for whom the entity has an email address
- Conspicuous posting of the notice on the entity's website
- Notification to major statewide media outlets

Enforcement and Penalties
New Hampshire's breach notification law is enforced by the Attorney General under the Consumer Protection Act (N.H. Rev. Stat. 358-A). A violation of the breach notification requirements constitutes an unfair or deceptive act or practice.
The Attorney General may seek:
- Injunctive relief to stop ongoing violations
- Civil penalties as provided under the Consumer Protection Act
- Restitution for affected consumers
- Attorney's fees and costs of investigation
There is no private right of action for breach notification violations. Only the Attorney General can bring enforcement actions under the breach notification statute. Individuals may pursue common law claims such as negligence, but not under the notification statute itself.
Exemptions
Certain entities are exempt from New Hampshire's breach notification requirements if they comply with equivalent federal notification frameworks:
- Financial institutions subject to and in compliance with the Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice
- HIPAA-covered entities that comply with HIPAA breach notification requirements
These entities must follow their respective federal notification frameworks, which may impose stricter or different requirements.
How New Hampshire's Privacy Laws Interact With Breach Notification

The New Hampshire Privacy Act, effective January 1, 2025, created a comprehensive consumer privacy framework. However, the Privacy Act does not contain its own breach notification requirements. Businesses subject to the Privacy Act must still follow N.H. Rev. Stat. 359-C:19-21 for breach notification.
The Privacy Act adds relevant data protection obligations:
- Data security requirement: Controllers must implement reasonable administrative, technical, and physical data security practices.
- Data minimization: Controllers must limit data collection to what is adequate, relevant, and reasonably necessary.
- Sensitive data consent: Biometric data, precise geolocation, and other sensitive categories require explicit consumer consent before processing.
Both the Privacy Act and the breach notification statute are enforced by the Attorney General under the Consumer Protection Act.
Sources and References
This article draws from the following official New Hampshire government sources:
- N.H. Rev. Stat. 359-C:19 (Definitions) - Definitions of personal information and security breach
- N.H. Rev. Stat. 359-C:20 (Notification Requirements) - Notification timeline, methods, and AG reporting
- N.H. Rev. Stat. 359-C:21 (Violations) - Enforcement and penalties
- New Hampshire Attorney General: Security Breaches - AG breach reporting portal and guidance
- N.H. Rev. Stat. 358-A (Consumer Protection Act) - Enforcement framework
This article provides general legal information about [New Hampshire data privacy laws](/us-laws/data-privacy-laws/new-hampshire-data-privacy-laws) and breach notification requirements. It is not legal advice, and it does not create an attorney-client relationship. Data breach response involves time-sensitive obligations. Consult a qualified attorney licensed in New Hampshire for guidance specific to your situation.