Can I ignore my obligations as a service provider with access to personal information in Mississippi? What are the requirements?
Obligations as a Service Provider with Access to Personal Information in Mississippi
As a service provider with access to personal information in Mississippi, you have certain obligations under the law. Specifically, you must comply with the provision titled "Notification of cybersecurity event involving nonpublic information; information to be provided; investigation of cybersecurity event in system maintained by third-party service provider" [1.1][1.2].
Under this law, you must notify the commissioner as promptly as possible but in no event later than three (3) business days from a determination that a cybersecurity event involving nonpublic information that is in the possession of a licensee has occurred. You must provide as much information as possible, including the date of the cybersecurity event, a description of how the information was exposed, lost, stolen or breached, how the cybersecurity event was discovered, and the identity of the source of the cybersecurity event. You must also describe the specific types of information acquired without authorization, the period during which the information system was compromised by the cybersecurity event, and the total number of consumers in this state affected by the cybersecurity event.
Additionally, you must comply with Section 75-24-29, as applicable, and provide a copy of the notice sent to consumers under that statute to the commissioner, when a licensee is required to notify the commissioner under subsection (1) of this section.
If you are a third-party service provider and a cybersecurity event occurs in a system maintained by you, you must treat the event as you would under subsection (1) of this section unless you provide the notice required under subsection (1) of this section to the commissioner.
Failure to comply with these obligations may result in legal action against you.
Access to Proprietary Information
Proprietary information submitted to the Board shall be disclosed only to the following individuals: Board members, members on the Board’s staff and the Attorney General’s Office, consultants and experts employed or engaged by the Board, and members of committees appointed by the Board [3.1]. Prior to disclosure of any proprietary information to any individuals listed, such individuals shall execute and place on file with the Board, a written acknowledgment that they have read the rules concerning proprietary information submitted to the Board, agree to be bound by these rules, and understand that the unauthorized disclosure of proprietary information as submitted to the Board constitutes a violation of the rules [3.1].
Conclusion
In conclusion, you cannot ignore your obligations as a service provider with access to personal information in Mississippi. You must comply with the provision titled "Notification of cybersecurity event involving nonpublic information; information to be provided; investigation of cybersecurity event in system maintained by third-party service provider" [1.1][1.2]. Additionally, proprietary information submitted to the Board shall be disclosed only to specific individuals, and prior to disclosure, they must execute a written acknowledgment that they have read and agree to be bound by the rules concerning proprietary information submitted to the Board [3.1].
Source(s):
- [1.1] Notification of cybersecurity event involving nonpublic information; information to be provided; investigation of cybersecurity event in system maintained by third-party service provider.
- [1.2] Notification of cybersecurity event involving nonpublic information; information to be provided; investigation of cybersecurity event in system maintained by third-party service provider.
- [3.1] Access to Proprietary Information
Jurisdiction
Mississippi