SB2128 • 2026

Breach of security; report to the Attorney General.

AN ACT TO AMEND SECTION 75-24-29, MISSISSIPPI CODE OF 1972, TO REQUIRE CERTAIN ENTITIES TO PROVIDE WRITTEN NOTICE OF A BREACH OF SECURITY TO THE OFFICE OF THE ATTORNEY GENERAL; AND FOR RELATED PURPOSES.

Did Not Pass

The latest official action shows that this bill did not move forward in that session.

Sponsor: Blackmon
Last action: 2026-02-03
Official status: Dead
Effective date: July 1, 20

Plain English Breakdown

Report Security Breaches to the Attorney General

This bill requires certain businesses to report security breaches involving personal information of Mississippi residents to the Office of the Attorney General.

What This Bill Does

  • Requires entities conducting business in Mississippi to notify the Attorney General if a breach affects more than 100 people.
  • Specifies that written notice must include details about the breach, number of affected individuals, offered services, and contact information for further inquiries.
  • Allows delay in notification if it would impede a criminal investigation or national security efforts.

Who It Names or Affects

  • Businesses conducting business in Mississippi that own, license, or maintain personal information of residents.
  • The Office of the Attorney General.

Terms To Know

  • Breach of security: Unauthorized acquisition of electronic files containing personal information when access to the data has not been secured by encryption or other methods.
  • Personal information: Includes a person's name and social security number, driver’s license number, credit card numbers, etc., but excludes publicly available government records.

Limits and Unknowns

  • The bill did not pass in the current session.
  • Details on enforcement actions are limited to those taken by the Attorney General.

Bill History

  1. 2026-02-03 Mississippi Legislative Bill Status System

    02/03 (S) Died In Committee

  2. 2026-01-13 Mississippi Legislative Bill Status System

    01/13 (S) Referred To Business and Financial Institutions

Official Summary Text

Breach of security; report to the Attorney General.

Current Bill Text

S. B. No. 2128 *SS36/R94* ~ OFFICIAL ~ G1/2
26/SS36/R94
PAGE 1 (baf\kr)

To: Business and Financial Institutions
MISSISSIPPI LEGISLATURE REGULAR SESSION 2026

By: Senator(s) Blackmon

SENATE BILL NO. 2128

AN ACT TO AMEND SECTION 75-24-29, MISSISSIPPI CODE OF 1972, TO REQUIRE CERTAIN ENTITIES TO PROVIDE WRITTEN NOTICE OF A BREACH OF SECURITY TO THE OFFICE OF THE ATTORNEY GENERAL; AND FOR RELATED PURPOSES.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MISSISSIPPI:

SECTION 1. Section 75-24-29, Mississippi Code of 1972, is amended as follows:

75-24-29. (1) This section applies to any person who conducts business in this state and who, in the ordinary course of the person's business functions, owns, licenses or maintains the personal information of any resident of this state.

(2) For purposes of this section, the following terms shall have the meanings ascribed unless the context clearly requires otherwise:

  (a) "Breach of security" means unauthorized acquisition of electronic files, media, databases or computerized data containing personal information of any resident of this state when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable * * *.

  (b) "Personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements:

    (i) Social security number;

    (ii) Driver's license number, state identification card number or tribal identification card number; or

    (iii) An account number or credit or debit card number in combination with any required security code, access code or password that would permit access to an individual's financial account; "personal information" does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media * * *.

  ( * * *c) "Affected individual" means any individual who is a resident of this state whose personal information was, or is reasonably believed to have been, intentionally acquired by an unauthorized person through a breach of security.

(3) A person who conducts business in this state shall disclose any breach of security to all affected individuals. The disclosure shall be made without unreasonable delay, subject to the provisions of subsections (4) and (5) of this section and the completion of an investigation by the person to determine the nature and scope of the incident, to identify the affected individuals, or to restore the reasonable integrity of the data system. Notification shall not be required if, after an appropriate investigation, the person reasonably determines that the breach will not likely result in harm to the affected individuals.

(4) Any person who conducts business in this state that maintains computerized data which includes personal information that the person does not own or license shall notify the owner or licensee of the information of any breach of the security of the data as soon as practicable following its discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person for fraudulent purposes.

(5) Any notification required by this section shall be delayed for a reasonable period of time if a law enforcement agency determines that the notification will impede a criminal investigation or national security and the law enforcement agency has made a request that the notification be delayed. Any such delayed notification shall be made after the law enforcement agency determines that notification will not compromise the criminal investigation or national security and so notifies the person of that determination.

(6) Any notice required by the provisions of this section may be provided by one (1) of the following methods: (a) written notice; (b) telephone notice; (c) electronic notice, if the person's primary means of communication with the affected individuals is by electronic means or if the notice is consistent with the provisions regarding electronic records and signatures set forth in 15 USCS 7001; or (d) substitute notice, provided the person demonstrates that the cost of providing notice in accordance with paragraph (a), (b) or (c) of this subsection would exceed Five Thousand Dollars ($5,000.00), that the affected class of subject persons to be notified exceeds five thousand (5,000) individuals or the person does not have sufficient contact information. Substitute notice shall consist of the following: electronic mail notice when the person has an electronic mail address for the affected individuals; conspicuous posting of the notice on the website of the person if the person maintains one; and notification to major statewide media, including newspapers, radio and television.

(7) Any person who conducts business in this state that maintains its own security breach procedures as part of an information security policy for the treatment of personal information, and otherwise complies with the timing requirements of this section, shall be deemed to be in compliance with the security breach notification requirements of this section if the person notifies affected individuals in accordance with the person's policies in the event of a breach of security. Any person that maintains such a security breach procedure pursuant to the rules, regulations, procedures or guidelines established by the primary or federal functional regulator, as defined in 15 USCS 6809(2), shall be deemed to be in compliance with the security breach notification requirements of this section, provided the person notifies affected individuals in accordance with the policies or the rules, regulations, procedures or guidelines established by the primary or federal functional regulator in the event of a breach of security of the system.

(8) (a) If the number of persons an entity covered in this section is required to notify exceeds one hundred (100), the entity shall provide written notice of the breach to the Office of the Attorney General as expeditiously as possible and without unreasonable delay;

  (b) Written notice to the Attorney General shall include all of the following:

    (i) A synopsis of the events surrounding the breach at the time that the notice is provided;

    (ii) The approximate number of individuals in the state who were affected by the breach;

    (iii) Any services related to the breach being offered or scheduled to be offered, without charge, by the covered entity to individuals and instructions on how to use the services; and

    (iv) The name, address, telephone number and email address of the employee or agent of the disclosing party from whom additional information may be obtained about the breach; and

  (c) If a covered entity learns that in some material respect, the written notice required under this subsection is incomplete or incorrect, such entity shall, as expeditiously as possible and without unreasonable delay, provide the Attorney General with supplemental or updated information regarding the breach.

(9) The Attorney General is empowered to promulgate rules and regulations necessary to carry out, enforce and effectuate the provisions of this section.

( * * *10) Failure to comply with the requirements of this section shall constitute an unfair trade practice and shall be enforced by the Attorney General; however, nothing in this section may be construed to create a private right of action.

SECTION 2. This act shall take effect and be in force from and after July 1, 2026.