Can I avoid having a data breach response plan in Mississippi? What are the requirements?
Data Breach Response Plan Requirements in Mississippi
Mississippi law establishes the exclusive state standards for data security, investigation of cybersecurity events, and notification to the Commissioner of Insurance [2.1]. Licensees regulated under Mississippi insurance law must establish and maintain a comprehensive information security program that includes a written information security plan [2.2]. The plan must be designed to ensure the security and confidentiality of nonpublic information and to protect against anticipated threats or hazards to the security or integrity of that information [2.2].
In addition, Mississippi law requires a licensee to notify the Commissioner of Insurance as promptly as possible, and no later than three business days after determining that a cybersecurity event involving nonpublic information in the licensee's possession has occurred [2.1][2.3][2.4]. The notification must include specific details of the cybersecurity event, including the date of the event, how the information was exposed, how the event was discovered, and the number of consumers affected [2.1][2.3][2.4]. Because the three-day clock starts at the determination, a licensee needs a documented process for deciding, and recording when, an incident qualifies as a cybersecurity event.
Therefore, a licensee cannot avoid having a data breach response plan in Mississippi. It must maintain a written information security plan and must notify the Commissioner of Insurance within three business days of determining that a cybersecurity event involving nonpublic information has occurred.
Additional Requirements for Data Management and Security
Mississippi's enterprise security policy requires that data be properly managed from its creation, through authorized use, to proper disposal [3.1]. All data must be classified on an ongoing basis and managed according to its confidentiality, integrity, and availability characteristics [3.1]. Each state agency must establish a data classification policy and serves as the classification authority for the data and information it collects or maintains in carrying out its mission [3.1]. Each agency must also ensure that sensitive data is secured in accordance with applicable agency requirements, federal or state regulations and guidelines, and the enterprise security policy [3.1][4.1], including encrypting sensitive data stored on any of its local systems [4.1].
Mississippi has established the Enterprise Security Program to provide for coordinated oversight of cybersecurity efforts across state agencies [5.1]. The Mississippi Department of Information Technology Services (MDITS) shall provide centralized management and coordination of state policies for the security of data and information technology resources [5.1].
Therefore, the licensee requirements above are not the only data security obligations in Mississippi: state agencies must also classify, manage, and secure their data in accordance with the enterprise security policy and the oversight of the Enterprise Security Program.
[Citations: [2.1] MS Code Ann. § 83-5-803; [2.2] MS Code Ann. § 83-5-803; [2.3] MS Code Ann. § 83-5-805; [2.4] MS Code Ann. § 83-5-807; [3.1] 36 MSAC Part 1 Chapter 4 Rule 4.1; [4.1] 36 MSAC Part 1 Chapter 9 Rule 9.4; [5.1] MS Code Ann. § 25-53-201]
Source(s):
- [2.1] Article establishes exclusive state standards for data security, investigation of a cybersecurity event, and notification to the Commissioner of Insurance.
- [2.2] Article establishes exclusive state standards for data security, investigation of a cybersecurity event, and notification to the Commissioner of Insurance.
- [2.3] Notification of a cybersecurity event involving nonpublic information; information to be provided; investigation of a cybersecurity event in a system maintained by a third-party service provider.
- [2.4] Notification of a cybersecurity event involving nonpublic information; information to be provided; investigation of a cybersecurity event in a system maintained by a third-party service provider.
- [3.1] Data must be properly managed from its creation, through authorized use, to proper disposal.
- [4.1] Each agency must encrypt sensitive data stored on any of its local systems.
- [5.1] Enterprise Security Program established to provide for coordinated oversight of cybersecurity efforts across state agencies.
Jurisdiction: Mississippi