New Hampshire Cybersecurity Compliance: Laws, Requirements & What Businesses Must Do
A comprehensive guide to New Hampshire data privacy and cybersecurity laws, including the New Hampshire Privacy Act (SB 255), breach notification requirements under RSA 359-C:20, and industry-specific compliance obligations.
New Hampshire has historically taken a light-touch regulatory approach consistent with its "Live Free or Die" ethos, but the reality of escalating cyber threats has driven the state to build a more robust data protection framework. The passage of SB 255 — the New Hampshire Privacy Act — in 2024 marked a significant shift, placing the Granite State alongside Connecticut, Virginia, and other states with comprehensive consumer privacy legislation. Combined with the existing breach notification statute (RSA 359-C:20) and federal requirements that heavily impact New Hampshire's defense and healthcare sectors, businesses face a layered compliance landscape.
For organizations operating in New Hampshire — from defense subcontractors in Nashua to healthcare providers affiliated with Dartmouth Health — compliance requires understanding not just one law but the intersection of state and federal obligations. This guide breaks down each requirement and provides practical steps for building a compliant cybersecurity program. Reviewing the New Hampshire data breach timeline underscores why these protections continue to expand.
New Hampshire's Primary Data Privacy & Cybersecurity Laws
New Hampshire Privacy Act (SB 255)
Signed into law in March 2024 and effective January 1, 2025, the New Hampshire Privacy Act (codified at RSA chapter 507-H) establishes comprehensive consumer data privacy rights for Granite State residents. The law applies to persons that conduct business in New Hampshire or produce products or services targeted to New Hampshire residents and that, during a one-year period, either (a) control or process the personal data of at least 35,000 unique consumers, excluding data controlled or processed solely to complete a payment transaction, or (b) control or process the personal data of at least 10,000 unique consumers and derive more than 25% of gross revenue from the sale of personal data. Key provisions include:
Consumer rights to access, correct, delete, and obtain a portable copy of personal data
Right to opt out of the sale of personal data, targeted advertising, and profiling in furtherance of decisions that produce legal or similarly significant effects; from January 1, 2025, controllers must also honor opt-out preference signals (universal opt-out mechanisms) sent by a consumer's browser or device
Mandatory data protection assessments for processing activities presenting a heightened risk of harm
Purpose limitation — controllers may not process personal data for purposes beyond what is reasonably necessary and compatible with the disclosed purpose
Enforcement exclusively by the New Hampshire Attorney General, with a violation treated as an unfair or deceptive act under the Consumer Protection Act (RSA 358-A). Through December 31, 2025, the Attorney General had to issue a notice of violation and allow 60 days to cure before bringing an action; from January 1, 2026, granting a cure period is at the Attorney General's discretion
The law exempts data already regulated under HIPAA, the Gramm-Leach-Bliley Act, and the Family Educational Rights and Privacy Act. Nonprofit organizations and state government entities are also exempt.
RSA 359-C:20 — Breach Notification Statute
New Hampshire's breach notification law, codified in RSA 359-C:19 through 359-C:21, applies to any person doing business in the state who owns or licenses computerized data containing personal information. When such a person becomes aware of a security breach, it must promptly determine the likelihood that the information has been or will be misused; if misuse has occurred or is reasonably likely, or if no determination can be made, it must notify the affected individuals. The statute defines personal information as a person's first name or initial and last name in combination with a Social Security number, a driver's license or other government identification number, or a financial account, credit card or debit card number together with any required security code, access code or password. Information lawfully available to the public from government records is excluded. Notification must be made as quickly as possible, consistent with the legitimate needs of law enforcement and with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the system.
RSA 359-C:19 — Definitions and the "Reasonable Security" Expectation
RSA 359-C:19 is the definitions section of the breach notification subdivision: it defines computerized data, encryption, personal information and security breach, and those definitions determine when the notification duty in RSA 359-C:20 is triggered. Unlike Massachusetts (201 CMR 17.00), New Hampshire has no standalone statute that prescribes affirmative safeguards for personal information. The expectation of reasonable security still reaches New Hampshire businesses through three routes: the Attorney General's authority under the Consumer Protection Act (RSA 358-A), the NH Privacy Act's duty on controllers to establish and maintain reasonable administrative, technical and physical data security practices, and sector rules such as HIPAA, GLBA and DFARS. Controls routinely expected under those regimes include encryption of personal information at rest and in transit, access controls with multi-factor authentication, employee training, and incident response planning. Note that a strong encryption program also narrows breach exposure directly, because acquisition of ciphertext without the key does not compromise the confidentiality of the underlying data.
Data Breach Notification Requirements in New Hampshire
Notification to Individuals
Under RSA 359-C:20, businesses must notify affected New Hampshire residents as quickly as possible after determining that a breach involving their personal information has occurred and that misuse is likely or cannot be ruled out. The notice must describe the incident in general terms, give the approximate date of the breach, identify the type of personal information obtained, and provide telephone contact information for the business. Notice may be written; electronic, where the business's primary means of communication with the individual is electronic; or telephonic, provided a log of each call is kept. Substitute notice (email where an address is known, a conspicuous posting on the business's website, and notification to major statewide media) is permitted if the cost of direct notification would exceed $5,000, the affected class exceeds 1,000 persons, or the business lacks sufficient contact information. A business that already maintains its own notification procedures as part of an information security policy, consistent with the statute's timing requirements, satisfies the law by following them.
Notification to the Attorney General or Primary Regulator
RSA 359-C:20 sets no headcount threshold for regulator notice. Any business that must notify individuals must also notify the New Hampshire Attorney General's office, before or at the same time as the individual notification; a business whose trade or commerce is subject to the primary regulatory authority of another state or federal regulator (a bank or credit union, for example) notifies that regulator instead. The statute requires the notice to state the anticipated date of individual notification and the approximate number of New Hampshire residents who will be notified, and it does not require the names of affected individuals; in practice, notices also include a general description of the breach and of the organization's response. The Attorney General's office publishes the breach notices it receives.
Notification to Credit Reporting Agencies
When a business is required to notify more than 1,000 New Hampshire consumers, it must also notify, without unreasonable delay, all nationwide consumer reporting agencies of the timing, distribution, and content of the individual notices.
Penalties for Noncompliance
Violations of the breach notification statute are enforced by the Attorney General under the Consumer Protection Act (RSA 358-A:4) as unfair or deceptive acts, with injunctive relief and civil penalties available; for businesses subject to another primary regulator, that regulator enforces instead. In addition, RSA 359-C:21 allows any person injured by a violation to bring an action for actual damages and equitable relief, so late or deficient notification carries private litigation exposure as well as regulatory exposure. The statute itself sets no per-violation penalty amount.
Industry-Specific Compliance in New Hampshire
New Hampshire's economy concentrates risk in several sectors that carry their own federal compliance requirements, creating overlapping obligations for many businesses.
CMMC and DFARS — Defense Contractors
New Hampshire's defense sector, anchored by BAE Systems' Electronic Systems division in Nashua and supported by dozens of smaller subcontractors, must comply with DFARS 252.204-7012 (NIST SP 800-171 safeguarding of covered defense information and 72-hour cyber incident reporting to DoD), DFARS 252.204-7019 and -7020 (self-assessment scores posted to SPRS), and DFARS 252.204-7021 (CMMC). The CMMC program rule (32 CFR Part 170) took effect December 16, 2024, with CMMC clauses phased into contracts over several years. CMMC Level 2 requires implementation of all 110 controls in NIST SP 800-171 Revision 2 for systems that handle controlled unclassified information; most Level 2 contracts require a certification assessment by a C3PAO, while some permit an annual self-assessment with a senior official affirmation. Many of these subcontractors are small manufacturers that need specialized IT support to achieve and maintain compliance.
HIPAA — Healthcare Organizations
Dartmouth-Hitchcock Medical Center, Elliot Health System, Catholic Medical Center, and dozens of smaller practices and business associates must comply with HIPAA's Privacy, Security, and Breach Notification Rules, including notice to affected individuals within 60 days of discovery, notice to HHS, and media notice for breaches affecting more than 500 residents of a state. New Hampshire's own breach notification law applies in addition to HIPAA's federal requirements, so a breach of protected health information that includes Social Security, driver's license or financial account numbers triggers both the HIPAA clock and the state "as quickly as possible" standard plus the Attorney General notice. Covered entities should ensure their healthcare IT programs address both state and federal obligations simultaneously.
GLBA — Financial Services
Financial institutions operating in New Hampshire must comply with the Gramm-Leach-Bliley Act's safeguards requirements. The FTC's Safeguards Rule (16 CFR Part 314), as amended in 2021 with a compliance deadline of June 9, 2023, applies to non-bank financial institutions such as mortgage lenders, auto dealers and payday lenders, and requires a written information security program, a qualified individual responsible for it, multi-factor authentication for access to customer information, encryption of customer information in transit and at rest, and either continuous monitoring or annual penetration testing with semiannual vulnerability assessments; since May 2024 it also requires notice to the FTC within 30 days of discovering a breach affecting 500 or more consumers. Banks and credit unions implement GLBA through their federal regulators' equivalent Interagency Guidelines and NCUA rules, and insurers through state insurance regulation. New Hampshire's banking sector, while smaller than neighboring Massachusetts, includes several regional banks and credit unions that must implement these enhanced safeguards.
PCI-DSS — Tourism and Hospitality
New Hampshire's tourism industry, concentrated in the White Mountains, Lakes Region, and seacoast, processes significant payment card transaction volumes. Hotels, restaurants, ski resorts, and retail businesses must comply with PCI DSS version 4.0 (now published as 4.0.1), a contractual standard enforced by the card brands and acquiring banks rather than by statute. Version 3.2.1 was retired on March 31, 2024, and the remaining future-dated requirements became mandatory on March 31, 2025, including multi-factor authentication for all access into the cardholder data environment, stronger password and encryption requirements, automated log review, and controls against payment-page script tampering.
New Hampshire Compliance Checklist for Businesses
The following checklist addresses core requirements across New Hampshire's state laws and the most common federal frameworks affecting Granite State businesses:
Identify and inventory all personal data you collect, process, and store — map data flows across your organization, cloud services, and third-party vendors
Determine whether the NH Privacy Act applies based on the data processing and revenue thresholds; businesses meeting the thresholds have been required to operate consumer rights mechanisms, including honoring opt-out preference signals, since January 1, 2025
Implement reasonable administrative, technical and physical security measures, as the NH Privacy Act and the Attorney General's Consumer Protection Act authority expect, including encryption, access controls with multi-factor authentication, employee training, and documented security policies
Establish a data breach response plan with specific procedures for meeting New Hampshire's notification requirements, including the prompt misuse determination, individual notice, Attorney General (or primary regulator) notice for every reportable breach, and consumer reporting agency notice when more than 1,000 residents are affected
Conduct data protection assessments for processing activities that present heightened risk to consumers, as required by the NH Privacy Act
Publish a compliant privacy notice disclosing categories of personal data collected, processing purposes, consumer rights, and how to exercise them
Review and update third-party vendor agreements to include data processing terms, security requirements, and breach notification obligations
Train all employees on data handling procedures, phishing recognition, and their responsibilities under your security program
Document compliance activities including risk assessments, policy versions, training records, and incident response exercises for regulatory review
How Businesses Stay Compliant
Compliance is an ongoing process, not a one-time project. New Hampshire businesses that maintain strong compliance postures treat regulatory requirements as part of a continuous program.
Annual Risk Assessments
Conduct formal risk assessments at least annually and whenever significant changes occur in your IT environment or business operations. For defense contractors, this aligns with NIST SP 800-171's periodic risk assessment and security assessment requirements (control families 3.11 and 3.12). For healthcare organizations, this satisfies HIPAA's risk analysis mandate (45 CFR 164.308(a)(1)(ii)(A)). Document findings and track remediation progress with owners and due dates.
Security Awareness Training
Breach notices filed in New Hampshire, like national incident data, routinely trace intrusions to phishing and stolen credentials. Effective training programs include simulated phishing campaigns, role-specific training for employees handling sensitive data, and measurable improvement tracking, and they are paired with phishing-resistant multi-factor authentication so that a single clicked link does not become an account takeover. Many small business IT programs include training as a core component.
Incident Response Testing
An untested incident response plan is little better than no plan at all. Conduct tabletop exercises at least annually, simulating realistic scenarios like ransomware, business email compromise, or insider data theft, and walk the RSA 359-C:20 decision points explicitly: when the organization became aware of the breach, how it determined the likelihood of misuse, and who drafts and sends the individual, Attorney General and credit bureau notices. Include executive leadership, legal counsel, and communications teams in exercises, not just IT staff.
Continuous Monitoring
The NH Privacy Act's duty to maintain reasonable data security practices, and more explicitly federal frameworks such as CMMC (NIST SP 800-171 audit and monitoring controls) and HIPAA (information system activity review), expect ongoing monitoring of systems and data. This includes centralized log collection and analysis, endpoint detection and response, vulnerability scanning, and anomaly detection. Organizations that lack the internal capacity for 24/7 monitoring often partner with managed security service providers to fulfill this requirement.
Frequently Asked Questions
When does the New Hampshire Privacy Act take effect?
The New Hampshire Privacy Act (SB 255) took effect on January 1, 2025, and the mandatory 60-day cure period that accompanied its first year ended on December 31, 2025. Businesses that meet the applicability thresholds and have not yet implemented consumer rights request processes, data protection assessments, and updated privacy notices should treat this as an active compliance gap rather than a future deadline.
Does New Hampshire have a specific deadline for breach notification?
RSA 359-C:20 does not specify a fixed number of days. It requires a prompt determination of the likelihood of misuse and then notification as quickly as possible, consistent with the legitimate needs of law enforcement or with measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. In practice, the Attorney General's office expects prompt action, and delays that cannot be justified by an active investigation or a law enforcement request may be treated as violations of the Consumer Protection Act.
Which businesses are exempt from the New Hampshire Privacy Act?
The law exempts nonprofit organizations, state and local government entities, higher education institutions, and entities already regulated under HIPAA, GLBA, or FERPA with respect to the data governed by those laws. Businesses that do not meet the processing thresholds (35,000 consumers or 10,000 consumers with 25%+ revenue from data sales) are also not subject to the law.
What are the penalties for violating the New Hampshire Privacy Act?
The NH Privacy Act is enforced exclusively by the Attorney General, and a violation is an unfair or deceptive act under the Consumer Protection Act (RSA 358-A). There is no private right of action. During 2025 the Attorney General had to issue a notice of violation and allow a 60-day cure period before bringing an action; since January 1, 2026, whether to offer a cure opportunity is at the Attorney General's discretion, taking into account factors such as the number of violations and the business's size and history. If a violation is not cured, the AG may pursue civil penalties, injunctive relief, and recovery of investigation costs.
Do small defense subcontractors in New Hampshire need CMMC certification?
Yes, if the company handles controlled unclassified information. CMMC requirements apply to any company in the defense supply chain regardless of size: contractors that handle only federal contract information need CMMC Level 1 (an annual self-assessment against 15 basic safeguards), while those that handle controlled unclassified information need Level 2, which requires implementing all 110 controls in NIST SP 800-171 Revision 2 and, for most contracts, a certification assessment by a C3PAO. Many small machine shops, electronics manufacturers, and engineering firms in New Hampshire's defense corridor fall into the Level 2 category, and prime contractors are flowing the requirement down to their subcontractors.
How does the New Hampshire Privacy Act compare to Connecticut's data privacy law?
Both laws grant similar consumer rights (access, correction, deletion, portability, opt-out) and both require honoring universal opt-out signals. New Hampshire's thresholds are lower: 35,000 consumers, or 10,000 consumers with more than 25% of revenue from data sales, versus Connecticut's 100,000 consumers, or 25,000 consumers with more than 25% of revenue from data sales. Both started with a mandatory 60-day cure period that later became discretionary; Connecticut's expired at the end of 2024 and New Hampshire's at the end of 2025. Both are enforced exclusively by their respective Attorneys General with no private right of action.
Alex Morgan
Updated Apr 5, 2026 · 9 min read