New Hampshire: Cybersecurity
1. GOVERNING TEXTS
New Hampshire does not currently have a comprehensive cybersecurity law but has passed significant sector-specific laws on data security, with particular focus on the education and insurance sectors. In particular, between 2014 and 2018, New Hampshire passed 10 student data privacy laws covering a number of topics, including the creation of data security and breach notification policies, and establishing that students and parents have the right to data deletion after graduation. For the most part, the legislation establishes obligations for the public education sector in New Hampshire. Furthermore, the Insurance Data Security Law under Chapter 420-P of Title XXXVII of the New Hampshire State Statutes ('N.H. Rev. Stat. Ann.') ('the Data Security Law'), which took effect on 1 January 2020, affects insurance carriers, producers, and other businesses licensed by the New Hampshire Insurance Department ('NHID'). The Data Security Law takes significant cues from the Insurance Data Security Model Law published by the National Association of Insurance Commissioners ('NAIC').
For a more detailed outline of the NAIC Model Law, please refer to the OneTrust DataGuidance Guidance Note USA – NAIC.
The Data Security Law establishes the Insurance Commissioner as the regulatory authority overseeing compliance with its provisions. The Insurance Commissioner has the power to examine and investigate the affairs of any licensee to determine whether its conduct is in violation of the Data Security Law. Where the Insurance Commissioner has reason to believe that a licensee has been or is engaged in conduct in New Hampshire that violates the Data Security Law, the Insurance Commissioner may take any action that is necessary or appropriate to enforce the provisions of the Data Security Law (N.H. Rev. Stat. Ann. §420-P:7).
For the student and education sector-specific data security laws, enforcement and supervision are undertaken by the Office of the Commissioner ('the Education Commissioner') of the New Hampshire Department of Education ('NH DoE').
General data security laws are enforced by the New Hampshire Attorney General ('AG').
The NHID has not issued any guidance. However, the NHID has issued the following forms:
- the Cybersecurity Incident Reporting Form;
- the Information Security Program Exception Form; and
- the Information Security Program Certification Form.
Please note that this Guidance Note refers to state-wide legislation for New Hampshire. In addition to state requirements outlined here, please note that federal cybersecurity requirements may be applicable under federal laws such as the Gramm-Leach-Bliley Act of 1999 ('GLBA') and the Health Insurance Portability and Accountability Act of 1996 ('HIPAA'). For more information, please refer to the following OneTrust DataGuidance Guidance Notes:
- USA Federal - Cybersecurity;
- USA - GLBA Safeguards Rule – Cybersecurity;
- USA - NIST – Cybersecurity; and
- USA - HIPAA - Cybersecurity.
2. SCOPE OF APPLICATION
Not applicable.
3. GENERAL REQUIREMENTS
3.1. Implementation of a cybersecurity framework
Not applicable.
3.2. Notification of cybersecurity incidents
Not applicable.
3.2.1. In case of a cybersecurity incident, is there an obligation to notify the regulatory authority?
Not applicable.
3.2.2. If yes, please describe the process, timeline, and any other formality that needs to be adhered to.
Not applicable.
3.2.3. In case of a cybersecurity incident, are there other subjects that need to be notified?
Not applicable.
3.2.4. Please outline any other bodies that might be notified.
Not applicable.
For a more detailed outline of the requirements please refer to OneTrust DataGuidance Guidance Note New Hampshire – Data Breach.
3.3. Appointment of a security officer
Not applicable.
3.4. Other requirements
Not applicable.
4. REQUIREMENTS IN THE INSURANCE SECTOR
4.1. Definitions
Consumer: means an individual, including, but not limited to, an applicant, policyholder, insured, beneficiary, claimant, and certificate holder, who is a resident of this state and whose non-public information is in a licensee's possession, custody, or control (N.H. Rev. Stat. Ann. §420-P:3(III)).
Cybersecurity event: means an event resulting in unauthorised access to, or disruption or misuse of, an information system or non-public information stored on such information system. The term shall not include the unauthorised acquisition of encrypted non-public information if the encryption process or key is not also acquired, released, or used without authorisation. A cybersecurity event shall not include an event with regard to which the licensee has determined that the non-public information accessed by an unauthorised person has not been used or released and has been returned or destroyed (N.H. Rev. Stat. Ann. §420-P:3(IV)).
Information Security Program: there is no definition for Information Security Program, however, the Data Security Law defines 'program' as information security program (N.H. Rev. Stat. Ann. §420-P:3(XIII)).
Information System: means a discrete set of electronic information resources organised for the collection, processing, maintenance, use, sharing, dissemination, or disposition of electronic non-public information, as well as any specialised system such as industrial/process controls systems, telephone switching and private branch exchange systems, and environmental control systems (N.H. Rev. Stat. Ann. §420-P:3(VIII)).
Non-public Information: means information that is not publicly available information and is (N.H. Rev. Stat. Ann. §420-P:3(XI)):
- any information concerning a consumer which, because of name, number, personal mark, or other identifier, can be used to identify such consumer, in combination with any one or more of the following data elements:
  - Social Security number;
  - driver's license number or non-driver identification card number;
  - financial account number, credit or debit card number;
  - any security code, access code, or password that would permit access to a consumer's financial account; and
  - biometric records.
Licensee: means any person licensed, authorised to operate, registered, or required to be licensed, authorised, or registered pursuant to the insurance laws of New Hampshire, but does not include a purchasing group or a risk retention group chartered and licensed in a state other than New Hampshire, or a person that is acting as an assuming insurer that is domiciled in another state or jurisdiction (N.H. Rev. Stat. Ann. §420-P:3(IX)).
All licensees are subject to the provisions of the Data Security Law with the following exceptions (N.H. Rev. Stat. Ann. §420-P:9):
- a licensee with fewer than 20 employees, including any independent contractors, shall be exempt from N.H. Rev. Stat. Ann. §420-P:4;
- an employee, agent, representative, or designee of a licensee, who is also a licensee, shall be exempt from N.H. Rev. Stat. Ann. §420-P:4 and need not develop its own program to the extent that the employee, agent, representative, or designee is covered by the information security program of the other licensee;
- a continuing care retirement community, as defined by §420-D1 of Chapter 402 of Title XXXVII of the N.H. Rev. Stat. Ann., shall be exempt from N.H. Rev. Stat. Ann. §420-P:4;
- a life settlement provider, as defined by Chapter 408-D of Title XXXVII of the N.H. Rev. Stat. Ann., shall be exempt from N.H. Rev. Stat. Ann. §420-P:4;
- a licensee that is a bank or a credit union, as defined in Article 2-201 of Chapter 383 of Title XXXV of the N.H. Rev. Stat. Ann., that has established and maintains programs and procedures regarding administrative, technical, and physical safeguards for customer information that are prescribed by §501(b) of the GLBA and by §216 of the Fair and Accurate Credit Transaction Act of 2003, and that is subject to examination by its federal regulatory authorities, shall be exempt from N.H. Rev. Stat. Ann. §420-P:4, and those provisions of the Data Security Law that apply to a bank or credit union apply only to the extent that it involves insurance. Notification to affected consumers for security breaches relating to insurance business shall be made consistent with the requirements of the GLBA. Notification to the Insurance Commissioner shall be made consistent with that received by federal regulatory authorities;
- a motor vehicle retail seller or a motor vehicle sales finance company, as defined in Chapter 361-A of Title XXXIII of the N.H. Rev. Stat. Ann., shall be exempt from N.H. Rev. Stat. Ann. §420-P:4, and those provisions of the Data Security Law that apply to a motor vehicle retail seller or a motor vehicle sales finance company apply only to the extent that it involves insurance. Notification to affected consumers for security breaches relating to the insurance business shall be made consistent with the requirements of the GLBA. Notification to the Insurance Commissioner shall be made consistent with that received by federal regulatory authorities; and
- a vendor, as defined under Chapter 402-K:1 of Title XXXVII of the N.H. Rev. Stat. Ann., shall be exempt from the requirements under the Data Security Law.
A licensee that ceases to qualify for an exception under this section shall have 180 days to comply with N.H. Rev. Stat. Ann. §420-P:4.
Third-party service providers: mean entities that contract with a licensee to maintain, process, store, or otherwise are permitted access to non-public information through their provision of services to the licensee (N.H. Rev. Stat. Ann. §420-P:3(XVII)).
4.2. Information security program implementation
Information security program
Licensees are responsible for implementing an information security program, and the implementation of the program should correspond to the size and complexity of the licensee, the nature and scope of its activities, including its use of third-party service providers, and the sensitivity of the non-public information used by the licensee or in the licensee's possession, custody, or control. In addition, the licensee is responsible for developing and maintaining a comprehensive written information security program that contains administrative, technical, and physical safeguards for the protection of non-public information and the licensee's information system (N.H. Rev. Stat. Ann. §420-P:4(I)). Furthermore, the objectives of the information security program must include the following (N.H. Rev. Stat. Ann. §420-P:4(II)):
- protect the security and confidentiality of non-public information and the security of the information system;
- protect against any threats or hazards to the security or integrity of non-public information and the information system;
- protect against unauthorised access to, or use of, non-public information, and minimise the likelihood of harm to any consumer; and
- define and periodically re-evaluate a schedule for retention of non-public information and a mechanism for its destruction when no longer needed.
Risk assessments
Licensees are responsible for performing risk assessments that include the following steps:
- identify reasonably foreseeable internal or external threats that could result in unauthorised access, transmission, disclosure, misuse, alteration, or destruction of non-public information, including the security of information systems and non-public information that are accessible to, or held by, third-party service providers;
- assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of the non-public information;
- assess the sufficiency of policies, procedures, information systems, and other safeguards in place to manage these threats, including consideration of threats in each relevant area of the licensee's operations, including:
  - employee training and management;
  - information systems, including network and software design, as well as information classification, governance, processing, storage, transmission, and disposal; and
  - detecting, preventing, and responding to attacks, intrusions, or other systems failures; and
- implement information safeguards to manage the threats identified in its ongoing assessment and, no less than annually, assess the effectiveness of the safeguards' key controls, systems, and procedures.
The licensee is responsible for determining which of the following security measures are appropriate and for implementing them (N.H. Rev. Stat. Ann. §420-P:4(IV)(b)):
- place access controls on information systems, including controls to authenticate and permit access only to authorised individuals to protect against the unauthorised acquisition of non-public information;
- identify and manage the data, personnel, devices, systems, and facilities that enable the organisation to achieve business purposes in accordance with their relative importance to business objectives and the organisation's risk strategy;
- restrict physical access to non-public information to authorised individuals only;
- protect by encryption or other appropriate means, all non-public information while being transmitted over an external network and all non-public information stored on a laptop computer or other portable computing or storage device or media;
- adopt secure development practices for in-house developed applications utilised by the licensee;
- modify the information system in accordance with the licensee's information security program;
- utilise effective controls, which may include multi-factor authentication procedures for any individual accessing non-public information;
- regularly test and monitor systems and procedures to detect actual and attempted attacks on, or intrusions into, information systems;
- include audit trails within the information security program designed to detect and respond to cybersecurity events and designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the licensee;
- implement measures to protect against destruction, loss, or damage of non-public information due to environmental hazards, such as fire and water damage or other catastrophes or technological failures;
- develop, implement, and maintain procedures for the secure disposal of non-public information in any format;
- include cybersecurity risks in the licensee's enterprise risk management process;
- stay informed regarding emerging threats or vulnerabilities and utilise reasonable security measures when sharing information relative to the character of the sharing and the type of information shared; and
- provide its personnel with cybersecurity awareness training that is updated as necessary to reflect risks identified by the licensee in the risk assessment.
The licensee is obliged to monitor, evaluate, and adjust, as appropriate, the information security program according to changes in technology, the sensitivity of its non-public information, internal, or external threats to information, and any other business or outsourcing arrangements (N.H. Rev. Stat. Ann. §420-P:4(VII)).
In addition, if the licensee has a board of directors, the board or an appropriate committee of the board must, at a minimum (N.H. Rev. Stat. Ann. §420-P:4(VI)):
- require the licensee's executive management or its delegates to develop, implement, and maintain the licensee's information security program; and
- require the licensee's executive management or its delegates to report in writing, at least annually, the following information:
  - the overall status of the information security program and the licensee's compliance with the Data Security Law; and
  - material matters related to the information security program, addressing issues such as risk assessment, risk management and control decisions, third-party service provider arrangements, results of testing, cybersecurity events or violations and management's responses thereto, and recommendations for changes in the program.
If executive management delegates any of its responsibilities under N.H. Rev. Stat. Ann. §420-P:4, it shall oversee the development, implementation, and maintenance of the licensee's program prepared by the delegates and shall receive a report from the delegates complying with the requirements of the report to the board of directors.
4.3. Cybersecurity incidents
Notification to the Insurance Commissioner
Each licensee must notify the Insurance Commissioner within three business days following the determination that a cybersecurity event has occurred, when either of the following criteria has been met (N.H. Rev. Stat. Ann. §420-P:6(I)):
- New Hampshire is the licensee's state of domicile, in the case of an insurer, or this state is the licensee's home state, in the case of a producer, as those terms are defined in Chapter 402-J of Title XXXVII of the N.H. Rev. Stat. Ann., and the cybersecurity event has a reasonable likelihood of materially harming a consumer residing in this state, or a reasonable likelihood of materially harming any material part of the normal operations of the licensee; or
- the licensee reasonably believes that the non-public information involves 250 or more consumers residing in New Hampshire and that the cybersecurity event:
  - impacts the licensee, in which case notice shall be provided to any government body, self-regulatory agency, or any other supervisory body pursuant to any state or federal law; or
  - has a reasonable likelihood of materially harming:
    - any consumer residing in this state; or
    - any material part of the normal operations of the licensee.
The notification to the Insurance Commissioner must be provided in electronic form. In addition, the licensee has a continuing obligation to update and supplement initial and subsequent notifications to the Insurance Commissioner regarding material changes to previously provided information relating to the cybersecurity event. The notification to the Insurance Commissioner must include as much of the following information as possible (N.H. Rev. Stat. Ann. §420-P:6(II)):
- date of the cybersecurity event;
- description of how the information was exposed, lost, stolen, or breached, including the specific roles and responsibilities of third-party service providers, if any;
- how the cybersecurity event was discovered;
- whether any lost, stolen, or breached information has been recovered and, if so, how this was done;
- the identity of the source of the cybersecurity event;
- whether the licensee has filed a police report or has notified any regulatory, government, or law enforcement agencies and, if so, when such notification was provided;
- description of the specific types of information acquired without authorisation. Specific types of information mean particular data elements including, for example, types of medical information, types of financial information, or types of information allowing identification of the consumer;
- the period during which the information system was compromised by the cybersecurity event;
- the number of total consumers in this state affected by the cybersecurity event. The licensee shall provide the best estimate in the initial report to the Insurance Commissioner and update this estimate with each subsequent report to the Insurance Commissioner pursuant to the Data Security Law;
- the results of any internal review identifying a lapse in either automated controls or internal procedures or confirming that all automated controls or internal procedures were followed;
- description of efforts being undertaken to remediate the situation which permitted the cybersecurity event to occur;
- a copy of the licensee's privacy policy and a statement outlining the steps the licensee will take to investigate and notify consumers affected by the cybersecurity event; and
- name of a contact person who is both familiar with the cybersecurity event and authorised to act for the licensee.
In the case of a cybersecurity event in a system maintained by a third-party service provider of which the licensee has become aware, the licensee should treat the event as it would under N.H. Rev. Stat. Ann. §420-P:6(I) and provide notice to the Insurance Commissioner subject to the same requirements. The deadline for notification begins on the day after the third-party service provider notifies the licensee of the cybersecurity event or the licensee otherwise has actual knowledge of the cybersecurity event, whichever is sooner (N.H. Rev. Stat. Ann. §420-P:6(IV)(a) and (b)).
Licensees must, as part of their information security program, establish a written incident response plan designed to promptly respond to, and recover from, any cybersecurity event that compromises the confidentiality, integrity, or availability of non-public information in their possession, the licensee's information systems, or the continuing functionality of any aspect of the licensee's business or operations (N.H. Rev. Stat. Ann. §420-P:5(VIII)(a)). The incident response plan should address the following areas (N.H. Rev. Stat. Ann. §420-P:5(VIII)(b)):
- the internal process for responding to a cybersecurity event;
- the goals of the incident response plan;
- the definition of clear roles, responsibilities, and levels of decision-making authority;
- external and internal communications and information sharing;
- identification of requirements for the remediation of any identified weaknesses in information systems and associated controls;
- documentation and reporting regarding cybersecurity events and related incident response activities; and
- the evaluation and revision as necessary of the incident response plan following a cybersecurity event.
Investigation of a cybersecurity event
When a licensee learns that a cybersecurity event has or may have occurred, the licensee, or an outside vendor and/or service provider designated to act on behalf of the licensee, must conduct a prompt investigation that determines as much of the following as possible (N.H. Rev. Stat. Ann. §420-P:5(II)):
- whether a cybersecurity event has occurred;
- the nature and scope of the cybersecurity event;
- any non-public information that may have been involved in the cybersecurity event; and
- reasonable measures, which the licensee must perform or oversee, to restore the security of the information systems compromised in the cybersecurity event in order to prevent further unauthorised acquisition, release, or use of non-public information in the licensee's possession, custody, or control.
The licensee must also complete the aforementioned steps where a licensee learns that a cybersecurity event has or may have occurred in a system maintained by a third-party service provider (N.H. Rev. Stat. Ann. §420-P:5(III)).
The licensee must maintain records concerning all cybersecurity events for at least five years from the date of the cybersecurity event and must produce these records upon demand from the Insurance Commissioner (N.H. Rev. Stat. Ann. §420-P:5(IV)).
Notification to consumers
Licensees must notify affected consumers and provide the Insurance Commissioner with a copy of the notice sent to consumers whenever the licensee is required to notify the Insurance Commissioner as stated above.
Notification to insurers
Where a cybersecurity event involves non-public information that is used by a licensee acting as an insurer, or that is in the possession, custody, or control of a licensee acting as an agent of an insurer, the insurer must notify the affected ceding insurers and the Insurance Commissioner of its state of domicile within three business days of determining that a cybersecurity event has occurred. A ceding insurer that has a direct contractual relationship with the affected consumers must also notify those consumers as described in the section above. Any licensee acting as an agent of the insurer in this case has no other notice obligations relating to a cybersecurity event or other data breach notification requirement under the Data Security Law or any other law of New Hampshire (N.H. Rev. Stat. Ann. §420-P:6(V)).
Notification to producer of record
In the case of a cybersecurity event involving non-public information that is in the possession, custody, or control of a licensee that is an insurer or its third-party service provider, and for which a consumer accessed the insurer's services through an independent insurance producer, the licensee is responsible for notifying the producers of record of all affected consumers as soon as practicable, as directed by the Insurance Commissioner. The insurer is excused from this obligation where it does not have current producer of record information for any individual consumer (N.H. Rev. Stat. Ann. §420-P:6(VI)).
Additionally, there is a requirement to give notice of data breaches pursuant to the New Hampshire right to privacy act under §359-C:1 et seq. of Chapter 359-C of Title XXXI of the N.H. Rev. Stat. Ann. In particular, a business that suffers a breach is required to notify the AG, subscribers, and consumer reporting agencies in certain circumstances.
4.4. Powers / penalties
A licensee which violates the Data Security Law may be penalised in accordance with §400-A:15(III) of Chapter 400-A of Title XXXVII of the N.H. Rev. Stat. Ann., which states that any person who knowingly violates any statute, rule, regulation, or order of the Insurance Commissioner may, upon hearing, except where another penalty is expressly provided, be subject to such suspension or revocation of certificate of authority or license, or administrative fine not to exceed $2,500 per violation, as may be applicable under this title for violation of the statute or the provision to which the rule, regulation, or order relates (N.H. Rev. Stat. Ann. §420-P:12).
4.5. Other
The Data Security Law does not explicitly state requirements to appoint a security officer. However, as part of their risk assessment, licensees are required to designate one or more employees, an affiliate, or an outside vendor to act on behalf of the licensee as the party responsible for the information security program (see section 4.2 above).
Licensees must exercise due diligence in selecting third-party service providers and must require that a third-party service provider implement appropriate administrative, technical, and physical measures to protect and secure the information systems and non-public information that are accessible to or held by the third-party service provider (N.H. Rev. Stat. Ann. §420-P:4(VI)).
Each insurer domiciled in New Hampshire must submit to the Insurance Commissioner, annually by 1 March of the respective year, a written statement certifying that it is compliant with the requirements set forth in the Data Security Law. Each insurer must maintain, for examination by the NHID, all records supporting this certification for five years. Where the insurer has identified areas, systems, or processes requiring improvement, it must fully document the efforts planned and underway to address such issues and make that documentation available for inspection by the Insurance Commissioner (N.H. Rev. Stat. Ann. §420-P:4(IX)).
No insurance company organised under the laws of New Hampshire shall do insurance business unless it has obtained a license from the Insurance Commissioner authorising it to do so (Chapter 402 of Title XXXVII of the N.H. Rev. Stat. Ann.).
A licensee that is in possession of protected health information subject to HIPAA and that has established and maintains programs and procedures regarding information privacy, security, and breach notification that are prescribed by HIPAA and by Parts 160 and 164 of Title 45 of the Code of Federal Regulations established pursuant to HIPAA, shall be considered to meet the requirements of the Data Security Law with respect to such protected health information, provided that the licensee is compliant with the HIPAA privacy, security, and breach notification requirements and submits a written statement certifying such compliance.
Furthermore, to the extent a licensee maintains other non-public information concerning a consumer in the same manner as protected health information, it shall be considered to meet the requirements of the Data Security Law with respect to such non-public information, provided the licensee submits a written statement that it does maintain and protect other non-public information as it does protected health information. However, any licensee subject to this HIPAA safe harbour shall continue to be subject to, and shall comply with, the Insurance Commissioner notification requirements of N.H. Rev. Stat. Ann. §420-P:6(I) and (II). For purposes of this section, the definition of 'protected health information' shall be as set forth in HIPAA and the regulations promulgated thereunder and shall be considered to be a subset of non-public information, as defined in N.H. Rev. Stat. Ann. §420-P:3(XI) (N.H. Rev. Stat. Ann. §420-P:10).
A licensee that is in compliance with the Cybersecurity Requirements for Financial Services Companies, Part 500 of Title 23 of the Official Compilation of Codes, Rules and Regulations of the State of New York, is considered to meet the requirements under the Data Security Law, provided that the licensee submits a written statement to the Insurance Commissioner certifying such compliance. However, any licensee subject to the New York regulatory safe harbour continues to be subject to, and shall comply with, the investigation requirements of N.H. Rev. Stat. Ann. §420-P:5, the Insurance Commissioner notification requirements of N.H. Rev. Stat. Ann. §420-P:6(I) and (II), and the consumer notification requirements of N.H. Rev. Stat. Ann. §420-P:6(III) (N.H. Rev. Stat. Ann. §420-P:11).
5. REQUIREMENTS IN THE HEALTH SECTOR
5.1. Definitions
Not applicable.
5.2. Security program / framework
Not applicable.
5.3. Incidents
Not applicable.
5.4. Penalties
Not applicable.
5.5. Other
Not applicable.
For more information on federal cybersecurity obligations in the health sector please refer to the following OneTrust DataGuidance Guidance Note USA - HIPAA - Cybersecurity.
6. REQUIREMENTS IN THE FINANCIAL SECTOR
6.1. Definitions
Not applicable.
6.2. Security program / framework
Not applicable.
6.3. Incidents
Not applicable.
6.4. Penalties
Not applicable.
6.5. Other
For more information on federal cybersecurity obligations in the financial sector please refer to the following OneTrust DataGuidance Guidance Note:
7. PENALTIES
Not applicable.
8. OTHER AREAS OF INTEREST
Cybersecurity in the education sector
An 'online service' is defined under Chapter 189 of Title XV of the N.H. Rev. Stat. Ann. ('the Education Law') to include cloud computing services, which must comply with the provisions in N.H. Rev. Stat. Ann. §68-a that stipulate cybersecurity obligations for organisations operating in the education sector.
'Operators' under the Education Law are defined as operators of an internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for K-12 school purposes and was designed and marketed for K-12 school purposes (N.H. Rev. Stat. Ann. §68-a(I)(a)).
Many of the cybersecurity obligations in the education sector are imposed on public institutions or the NH DoE itself. However, N.H. Rev. Stat. Ann. §68-a also creates obligations for operators, as defined above. In particular, an operator must implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information and protect this information from unauthorised access, destruction, use, modification, or disclosure (N.H. Rev. Stat. Ann. §68-a(II)(b)(1)). In addition, an operator is permitted to use de-identified student covered information under two circumstances (N.H. Rev. Stat. Ann. §68-a(II)(b)(2)):
- within the operator's site, service, or application or other sites, services, or applications owned by the operator to improve educational products; and
- to demonstrate the effectiveness of the operator's products or services, including in its marketing.
There are also federal cybersecurity obligations for organisations in the education sector; for more information please refer to OneTrust DataGuidance Guidance Note USA – Data Protection in the Education Sector.
Authored by OneTrust DataGuidance
DataGuidance's Privacy Analysts carry out research regarding global privacy developments, and liaise with a network of lawyers, authorities and professionals to gain insight into current trends. The Analyst Team works closely with clients to direct their research for the production of topic-specific Charts.