# Missouri Consumer Privacy Law[^about]

Missouri has no omnibus consumer-privacy statute; the main commercial spine is breach notice, MMPA deception, and the insurance-sector IDSA.

## Which privacy laws apply to your business in Missouri? {#which-privacy-laws-apply}

**Short answer.** There is no comprehensive Missouri consumer-privacy law. The main commercial privacy spine is three state statutes, with narrower Missouri sectoral rules possible outside the scope of this overview. The breach-notification statute applies to any person that owns or licenses personal information of Missouri residents, or that conducts business in Missouri and owns or licenses a resident's personal information, with no revenue or volume threshold [^stat-1500-trigger]. The Merchandising Practices Act (MMPA) makes deception, fraud, misrepresentation, unfair practices, and material omissions in connection with the sale or advertisement of merchandise unlawful, which is the hook that reaches privacy promises [^stat-020-unlawful]. And for the insurance sector, the Insurance Data Security Act establishes the exclusive state standards for licensees' data security, cybersecurity-event investigation, and notification to the director [^stat-1400-exclusive].

Because Missouri has no omnibus statute, its residents hold no general state-law rights to access, delete, correct, or port their personal data, no right to opt out of sale or targeted advertising, and businesses face no state notice-at-collection, consent, data-protection-assessment, or universal opt-out-signal duties. The 2026 session saw biometric and privacy-adjacent bills, including H.B. 1970, H.B. 3537, and S.B. 1359, but they would not have created an omnibus access/delete/correct/opt-out framework and none passed before the General Assembly adjourned on May 15, 2026.

What fills the gap is layered. The MMPA's reach is broad in practice because *merchandise* is defined to include services and intangibles, not just goods [^stat-010-merchandise] — so data-driven services sold to Missouri consumers sit squarely inside it. The Insurance Data Security Act is new: enacted in 2025 as H.B. 974, the Act became effective January 1, 2026 [^stat-hb974-effective]; its four-business-day director-notice duty is live, while security-program compliance runs to January 1, 2027 and third-party-service-provider safeguards run to January 1, 2028 [^stat-idsa-phase-in]. The rest of a Missouri-facing program rides the federal overlay — Section 5 of the FTC Act reaches deceptive or unfair privacy practices nationwide, the Gramm-Leach-Bliley Act governs financial institutions, HIPAA governs covered health entities and their business associates, and the Children's Online Privacy Protection Act governs services directed to children under 13. This note is written to stay durable: a program built to the breach statute, the MMPA, and that overlay upgrades rather than restarts if Missouri later enacts an omnibus law.

## What must your Missouri privacy policy contain? {#privacy-policy-contents}

**Short answer.** No Missouri statute requires a general consumer privacy policy or fixes its contents. The governing rule is that whatever you publish must be true: under Section 5 of the FTC Act, unfair or deceptive acts or practices in or affecting commerce are unlawful [^fed-ftc5-deceptive], and the MMPA makes the same conduct actionable as a matter of Missouri law when the misstatement, concealment, or omission of a material fact occurs in connection with the sale or advertisement of merchandise [^q2-mmpa-deception]. A privacy policy that misdescribes how you collect, use, share, retain, or secure data is exposure under both.

In practice the Missouri drafting question is less *what must be included* and more *does the policy match actual practice*. Where a sectoral regime applies, it supplies the contents: a financial institution may not share nonpublic personal information with nonaffiliated third parties without first giving the GLBA-compliant notice [^fed-glba-notice], and a HIPAA covered entity must give individuals a notice of the uses and disclosures of their protected health information and of their rights and the entity's duties [^fed-hipaa-notice]. For everyone else, best practice supplies the outline — categories of data collected, purposes, third-party sharing, retention, and how users exercise any choices you offer — and the MMPA supplies the reason to honor it.

One Missouri-specific wrinkle deserves attention: the Insurance Data Security Act assumes an insurance licensee *has* a privacy policy, because after a reportable cybersecurity event the licensee must hand the director a copy of the licensee's privacy policy along with a statement of how it will investigate and notify affected consumers [^stat-1410-policy-copy]. For licensees, the policy is therefore not just a marketing document — it is part of the regulatory record a Missouri regulator will read in the worst week of an incident, which is a strong reason to keep it accurate and current before the event.

## What must your contracts with vendors say? {#vendor-contracts}

**Short answer.** Missouri has no omnibus data-processing-agreement requirement — no state statute prescribes controller-to-processor terms, audit rights, deletion clauses, or subprocessor flow-downs for general private-sector contracts. The two state-law touchpoints are narrow: the breach statute requires any person that maintains records it does not own to notify the owner or licensee of a breach immediately following discovery [^q3-breach-vendor], and the Insurance Data Security Act requires licensees to make their third-party service providers implement appropriate administrative, technical, and physical safeguards [^stat-1405-vendor], with that vendor-safeguards duty phased to January 1, 2028 [^q3-idsa-phase-in].

Where a federal regime is in scope, it supplies the contracting obligations: the GLBA Safeguards Rule requires financial institutions to oversee service providers, including by requiring them by contract to implement and maintain appropriate safeguards [^fed-glba-safeguards], and HIPAA requires a business-associate agreement with mandatory data-protection, breach-reporting, and downstream-subcontractor terms before protected health information changes hands [^fed-hipaa-baa].

The Insurance Data Security Act deserves a closer read from any insurer, producer, or other licensee, because its vendor duties are statutory rather than contractual best practice, even though the provider-specific subsection has a January 1, 2028 implementation deadline [^q3-idsa-phase-in]. A licensee must exercise due diligence in selecting its third-party service providers [^stat-1405-diligence] and must require each provider to protect the nonpublic information and information systems the provider can access — which in practice means written security commitments in the services agreement [^stat-1405-vendor]. Outside the regulated verticals, the prudent move is to carry the same protections forward as best practice — processing limited to documented instructions, confidentiality, reasonable security, breach notification back to your business, and return or deletion of data at the end of the engagement — even though no Missouri statute compels them. There is no Missouri source to cite for omnibus vendor terms, which is itself the point.

## When must you notify people of a data breach in Missouri? {#breach-notification}

**Short answer.** Any person that owns or licenses personal information of Missouri residents — or that conducts business in Missouri and owns or licenses a resident's personal information — must notify the affected consumer of a breach of security following discovery or notification of the breach [^q4-breach-trigger]. The disclosure must be made without unreasonable delay, consistent with the legitimate needs of law enforcement and with the measures needed to determine the breach's scope and restore the system's integrity [^q4-breach-timing]. If you notify more than 1,000 consumers at one time, you must also notify the Attorney General's office and the nationwide consumer reporting agencies, again without unreasonable delay [^q4-breach-ag-cra].

The statute is the center of any Missouri incident-response plan, so its mechanics are worth internalizing. *Personal information* is a resident's first name or initial and last name combined with an unencrypted, unredacted Social Security number, driver's license or other government-issued identification number, financial-account or card number together with the security code, access code, or password that would permit access to the account, unique electronic identifier or routing code together with such a code, medical information, or health-insurance information [^q4-personal-information]. A *breach* is unauthorized access to and unauthorized acquisition of that information in computerized form that compromises its security, confidentiality, or integrity [^q4-breach-definition]; access without acquisition, or non-computerized records, does not meet the definition. Encryption and redaction are effectively safe harbors, since the listed data elements only count when not encrypted, redacted, or otherwise made unreadable or unusable [^q4-personal-information]. The test is whether the data is actually unreadable or unusable, so the incident record should capture whether the decryption key or other means of reversing the protection was also exposed; a team that cannot show the data stayed unreadable should not lean on the safe harbor.

The statute fixes the notice's minimum contents: a general-terms description of the incident, the type of personal information obtained, a phone number for further information if one exists, contact information for the consumer reporting agencies, and advice to stay vigilant by reviewing account statements and monitoring free credit reports [^q4-breach-contents]. Notice may be written, electronic with consent, or telephonic; substitute notice is available if notice would cost more than $100,000, the affected class exceeds 150,000 consumers, contact information or consent is insufficient, or particular consumers cannot be identified, and it requires email when available, conspicuous website posting if the person has a website, and notice to major statewide media [^q4-breach-methods]. There is also a genuine risk-of-harm off-ramp — notification is not required if, after an appropriate investigation or consultation with law enforcement, you determine that identity theft or other fraud is not reasonably likely to occur, but that determination must be documented in writing and kept for five years [^q4-breach-harm-exception]. Noncompliance is an Attorney General matter: the AG has exclusive authority to seek actual damages for a willful and knowing violation and a civil penalty of up to $150,000 per breach, or per series of similar breaches discovered in a single investigation [^q4-breach-penalty].
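The decision tree above, as an added example for this article in Python (it is not the statute's text and not code from the original page): an incident-triage helper that applies the § 407.1500 elements quoted here to an inventory of affected record classes. The `RecordClass` inventory shape, the `role` switch between a person that owns or licenses the data and one that merely maintains it, and the sample counts are this example's own constructions; the thresholds (name plus at least one unprotected element, more than 1,000 consumers for Attorney General and consumer-reporting-agency notice, the $100,000 and 150,000 substitute-notice triggers) are the statute's.

```python
"""Incident-triage helper for Missouri's breach-notification statute,
Mo. Rev. Stat. § 407.1500.  Added example for this article, not the statute's
text; anything the statute does not supply is marked ASSUMPTION."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Set


class Element(Enum):
    """Data elements listed in § 407.1500.1(9)(a)-(f)."""
    SSN = "Social Security number"
    GOVT_ID = "driver's license or other government identification number"
    FINANCIAL_ACCOUNT = "financial account, credit card, or debit card number"
    ELECTRONIC_ID = "unique electronic identifier or routing code"
    MEDICAL = "medical information"
    HEALTH_INSURANCE = "health insurance information"


# (9)(c)-(d): these count only together with a security code, access code, or
# password that would permit access to the individual's financial account.
NEEDS_ACCESS_CODE = {Element.FINANCIAL_ACCOUNT, Element.ELECTRONIC_ID}


@dataclass
class RecordClass:
    """One class of affected records as an IR team inventories it (ASSUMPTION: shape)."""
    missouri_residents: int
    has_name: bool                      # first name or initial plus last name present
    elements: Set[Element]
    protected: Set[Element] = field(default_factory=set)  # encrypted/redacted/unreadable
    access_code_exposed: bool = False   # relevant to FINANCIAL_ACCOUNT / ELECTRONIC_ID


def is_personal_information(rc: RecordClass) -> bool:
    """§ 407.1500.1(9): name in combination with at least one unprotected listed element."""
    if not rc.has_name:
        return False
    for el in rc.elements:
        if el in rc.protected:
            continue  # encrypted or redacted element does not count
        if el in NEEDS_ACCESS_CODE and not rc.access_code_exposed:
            continue  # account number without its code is not a listed element
        return True
    return False


@dataclass
class Triage:
    affected_consumers: int
    consumer_notice_required: bool
    ag_and_cra_notice_required: bool
    substitute_notice_available: bool
    actions: List[str]


def triage(record_classes: List[RecordClass], *, role: str = "owner",
           computerized: bool = True, acquired: bool = True,
           no_harm_determination: bool = False,
           estimated_notice_cost_usd: int = 0) -> Triage:
    """Apply § 407.1500 to one incident.

    role                  -- "owner" (owns or licenses the data) or "maintainer"
                             (holds data it does not own, § 407.1500.2(2))
    computerized          -- the breach definition reaches computerized form only
    acquired              -- a breach needs unauthorized access AND acquisition
    no_harm_determination -- § 407.1500.2(5): after investigation or law-enforcement
                             consultation, identity theft or other fraud is not
                             reasonably likely
    """
    affected = sum(rc.missouri_residents for rc in record_classes
                   if is_personal_information(rc))
    if not computerized or not acquired or affected == 0:
        return Triage(affected, False, False, False,
                      ["no § 407.1500 breach; record the analysis in the incident file"])
    if role == "maintainer":
        # The maintainer's duty runs to the data owner; consumer notice is the owner's.
        return Triage(affected, False, False, False,
                      ["notify the owner/licensee immediately following discovery "
                       "(§ 407.1500.2(2))"])
    if no_harm_determination:
        return Triage(affected, False, False, False,
                      ["document the no-harm determination in writing and keep it "
                       "five years (§ 407.1500.2(5))"])
    actions = ["notify affected consumers without unreasonable delay (§ 407.1500.2(1))",
               "notice: incident in general terms, data types, phone line if any, CRA "
               "contacts, vigilance advice (§ 407.1500.2(4))"]
    ag_cra = affected > 1_000  # "more than one thousand consumers at one time", .2(8)
    if ag_cra:
        actions.append("notify the Attorney General and the nationwide consumer "
                       "reporting agencies without unreasonable delay (§ 407.1500.2(8))")
    # .2(6)(d)a-b: cost over $100,000 or more than 150,000 consumers.  The per-consumer
    # path for missing contact information (.2(6)(d)c-d) is not modeled here.
    substitute = estimated_notice_cost_usd > 100_000 or affected > 150_000
    if substitute:
        actions.append("substitute notice permitted: email where held, conspicuous "
                       "website posting, major statewide media (§ 407.1500.2(7))")
    return Triage(affected, True, ag_cra, substitute, actions)


if __name__ == "__main__":
    # Constructed scenario: 1,200 Missouri residents, name + unencrypted SSN acquired.
    result = triage([RecordClass(1_200, True, {Element.SSN})], estimated_notice_cost_usd=20_000)
    for line in result.actions:
        print("-", line)
```

Run it against each class of records the forensic review confirms was acquired. The `protected` set is where the encryption safe harbor is decided, so populate it only for elements the review shows stayed unreadable; the per-consumer substitute-notice path for people without usable contact information is deliberately left out, because it turns on contact data rather than counts.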

## What does Missouri's Insurance Data Security Act require of insurance licensees? {#insurance-data-security}

**Short answer.** If you are licensed, authorized, or registered under Missouri insurance law, a dedicated regime is already effective: the Insurance Data Security Act, enacted in 2025 as H.B. 974, took effect January 1, 2026 [^q5-idsa-effective]. Its headline operational duty is live now: a licensee must notify the director of the Department of Commerce and Insurance as promptly as practicable, but in no event later than four business days, from a determination that a qualifying cybersecurity event has occurred [^q5-idsa-4day]. Its structural security-program duty is phased: § 375.1405 implementation runs to January 1, 2027, and third-party-service-provider safeguards under § 375.1405.6 run to January 1, 2028 [^q5-idsa-phase-in].

Four business days is a dramatically faster clock than the standards most businesses build around. The federal Safeguards Rule requires a financial institution to notify the FTC as soon as possible and no later than 30 days after discovery, and only for events involving at least 500 consumers [^q5-glba-ftc-30day], and Missouri's own consumer breach statute runs on a *without unreasonable delay* standard [^q5-breach-timing]. An insurance licensee's incident-response plan therefore has to be built to make the reportability determination and assemble the director's filing in days, not weeks, and because the clock runs from the determination rather than from first detection, the incident record should timestamp the determination itself. The notice duty applies only when the statutory criteria are met: Missouri is the insurer's domicile or the producer's home state and the event is reasonably likely to materially harm a Missouri consumer or a material part of the licensee's operations, or the licensee reasonably believes the event involves nonpublic information of at least 250 Missouri consumers and either outside government or supervisory notice is required or material harm is reasonably likely [^q5-idsa-criteria]. The clock also runs on vendor incidents: when the event happens in a third-party service provider's systems, the licensee's deadlines begin the day after the provider notifies it or the licensee otherwise has actual knowledge, whichever is sooner [^q5-idsa-vendor-clock]. The Act dovetails with the general breach statute rather than displacing it: a licensee that must notify the director must also comply with § 407.1500 and give the director a copy of the consumer notice [^q5-idsa-consumer-notice].
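The reportability test and the clock described above, as an added example in Python (this article's own illustration, not the Act's text or code from the original page): `director_notice_required` encodes the two § 375.1410.1 prongs and `director_notice_deadline` counts the four business days, starting from the determination date or, for an event in a third-party service provider's systems, from the day after the earlier of the provider's notice and the licensee's actual knowledge. Two points are assumptions the page does not settle: business days are taken as Monday through Friday with no holiday calendar, and the clock-start date is treated as day zero so the deadline falls on the fourth business day after it; pass `business_days=3` for the more conservative reading.

```python
"""Reportability and deadline helper for the director-notice duty in Missouri's
Insurance Data Security Act, Mo. Rev. Stat. § 375.1410.  Added example for this
article, not the Act's text.

ASSUMPTIONS not resolved on the page:
  * 'business day' means Monday-Friday; no state-holiday calendar is applied.
  * the clock-start date is day zero, so the deadline is the fourth business day
    after it.  Pass business_days=3 for the conservative reading.
"""
from datetime import date, timedelta
from typing import Optional

DIRECTOR_NOTICE_BUSINESS_DAYS = 4   # § 375.1410.1
CONSUMER_COUNT_THRESHOLD = 250      # § 375.1410.1(2)


def director_notice_required(*, nonpublic_information_involved: bool,
                             missouri_is_domicile_or_home_state: bool,
                             missouri_consumers: int,
                             other_regulator_notice_required: bool,
                             material_harm_to_missouri_consumer: bool,
                             material_harm_to_operations: bool) -> bool:
    """§ 375.1410.1: True when either prong (1) or prong (2) is met."""
    if not nonpublic_information_involved:
        return False  # the lead-in limits the duty to events involving nonpublic information
    material_harm = material_harm_to_missouri_consumer or material_harm_to_operations
    prong_1 = missouri_is_domicile_or_home_state and material_harm
    prong_2 = (missouri_consumers >= CONSUMER_COUNT_THRESHOLD
               and (other_regulator_notice_required or material_harm))
    return prong_1 or prong_2


def add_business_days(start: date, n: int) -> date:
    """Advance `start` by n business days, skipping Saturday and Sunday (ASSUMPTION)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:  # Monday=0 ... Friday=4
            n -= 1
    return d


def clock_start(determination: Optional[date], *, provider_notice: Optional[date] = None,
                actual_knowledge: Optional[date] = None) -> date:
    """Date from which the business days are counted.

    First-party event: the date the licensee determined a reportable event occurred.
    Event in a third-party service provider's systems: the day after the earlier of
    the provider's notice and the licensee's actual knowledge.
    """
    triggers = [d for d in (provider_notice, actual_knowledge) if d is not None]
    if triggers:
        return min(triggers) + timedelta(days=1)
    if determination is None:
        raise ValueError("need a determination date or a vendor-event trigger date")
    return determination


def director_notice_deadline(determination: Optional[date], *,
                             provider_notice: Optional[date] = None,
                             actual_knowledge: Optional[date] = None,
                             business_days: int = DIRECTOR_NOTICE_BUSINESS_DAYS) -> date:
    """Last day to notify the director under § 375.1410.1."""
    start = clock_start(determination, provider_notice=provider_notice,
                        actual_knowledge=actual_knowledge)
    return add_business_days(start, business_days)


if __name__ == "__main__":
    # Constructed scenario: a Missouri-domiciled insurer determines on Friday
    # 2026-01-09 that an event reaching 300 Missouri consumers is reasonably likely
    # to harm them.  Prong (1) and prong (2) are both met; filing is due Thu 2026-01-15.
    required = director_notice_required(
        nonpublic_information_involved=True, missouri_is_domicile_or_home_state=True,
        missouri_consumers=300, other_regulator_notice_required=False,
        material_harm_to_missouri_consumer=True, material_harm_to_operations=False)
    print("director notice required:", required)
    print("file by:", director_notice_deadline(date(2026, 1, 9)))
```

The vendor branch is the one most often mis-run in practice: if the licensee's own monitoring surfaces the provider's incident before the provider's formal notice arrives, the earlier date starts the clock, which is why `clock_start` takes both dates and uses the minimum.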

When the security-program deadline arrives, the program must include a written incident response plan designed to promptly respond to and recover from any cybersecurity event compromising nonpublic information or the licensee's operations [^q5-idsa-irp]. Missouri-domiciled insurers must also certify compliance to the director annually by April 15 and keep the supporting records for five years [^q5-idsa-cert]. Violations expose a licensee to the penalties provided by the insurance code's enforcement sections [^q5-idsa-penalty].

## Can a consumer sue your business in Missouri over privacy? {#consumer-lawsuit}

**Short answer.** Not under the breach statute — the Attorney General has exclusive authority to sue for a willful and knowing violation [^q6-breach-ag-exclusive] — and not under the Insurance Data Security Act, which expressly creates no private cause of action [^q6-idsa-no-pra]. The real private-suit exposure is the MMPA: any person who purchases or leases merchandise primarily for personal, family, or household purposes and suffers an ascertainable loss of money or property from an unlawful practice may bring a private civil action for actual damages [^q6-mmpa-pra]. Courts may also award punitive damages, attorney's fees to the prevailing party, and equitable relief [^q6-mmpa-remedies].

The MMPA is how a misleading privacy promise, an undisclosed data practice, or a mishandled incident most plausibly becomes a Missouri lawsuit. But the claim is materially harder to plead and prove than it once was. A 2020 amendment (S.B. 591) rewrote § 407.025: a plaintiff now must establish that they acted as a reasonable consumer would in light of all circumstances, that the unlawful practice would cause a reasonable person to enter into the transaction that resulted in damages, and individual damages with sufficiently definitive and objective evidence allowing the loss to be calculated with a reasonable degree of certainty [^q6-mmpa-elements]. Those requirements apply to cases filed after August 28, 2020 [^q6-mmpa-sb591-date]. For privacy claims, the objective-damages element is the practical battleground — a plaintiff who cannot quantify an ascertainable loss from the data practice with objective evidence does not get past it, and the reasonable-consumer standard replaces the more plaintiff-friendly subjective framing that preceded it.

Two structural features still cut in opposite directions. The exposure scales: the MMPA authorizes class actions where an unlawful practice causes similar injury to numerous persons [^q6-mmpa-class], and class representatives carry the same heightened proof elements. And the exposure has a sectoral boundary: the MMPA does not apply to entities within the listed Missouri-regulated insurance, credit-union, and finance chapters unless those regulators authorize the Attorney General to act or a statute gives the powers to the Attorney General or a private citizen [^q6-mmpa-exemption]. For everyone else, the durable takeaway is that Missouri's privacy-suit risk runs through consumer-deception law: keep the privacy policy true, and the heightened § 407.025 elements become your second line of defense rather than your first.



[^about]: By Steven Obiajulu, J.D. Published by [openagreements.org](https://openagreements.org) · Maintained by [UseJunior](https://usejunior.com). Last reviewed 2026-06-11. License: CC BY 4.0. Steven Obiajulu, J.D. is admitted in New York, not Missouri. This article synthesizes Missouri primary law and is not legal advice from a Missouri-admitted attorney. This article is for informational purposes only and does not create an attorney-client relationship.

[^stat-1500-trigger]: **Mo. Rev. Stat. § 407.1500** — "Any person that owns or licenses personal information of residents of Missouri or any person that conducts business in Missouri that owns or licenses personal information in any form of a resident of Missouri shall provide notice to the affected consumer that there has been a breach of security following discovery or notification of the breach." *Mo. Rev. Stat. § 407.1500.2(1).* <https://revisor.mo.gov/main/OneSection.aspx?section=407.1500>

[^stat-020-unlawful]: **Mo. Rev. Stat. § 407.020** — "The act, use or employment by any person of any deception, fraud, false pretense, false promise, misrepresentation, unfair practice or the concealment, suppression, or omission of any material fact in connection with the sale or advertisement of any merchandise in trade or commerce or the solicitation of any funds for any charitable purpose, as defined in section 407.453, in or from the state of Missouri, is declared to be an unlawful practice." *Mo. Rev. Stat. § 407.020.1.* <https://revisor.mo.gov/main/OneSection.aspx?section=407.020>

[^stat-1400-exclusive]: **Mo. Rev. Stat. § 375.1400** — "Notwithstanding any other provision of law, sections 375.1400 to 375.1427 establish the exclusive state standards applicable to licensees for data security, the investigation of a cybersecurity event as defined in section 375.1402, and notification to the director." *Mo. Rev. Stat. § 375.1400.2.* <https://revisor.mo.gov/main/OneSection.aspx?section=375.1400>

[^stat-010-merchandise]: **Mo. Rev. Stat. § 407.010** — "any objects, wares, goods, commodities, intangibles, real estate or services" *Mo. Rev. Stat. § 407.010(4).* <https://revisor.mo.gov/main/OneSection.aspx?section=407.010>

[^stat-hb974-effective]: **Mo. Rev. Stat. § 375.1400 (enactment history)** — "(L. 2025 H.B. 974, et al.) Effective 1-01-26; see § 375.1427" *Mo. Rev. Stat. § 375.1400 (history note; eff. Jan. 1, 2026).* <https://revisor.mo.gov/main/OneSection.aspx?section=375.1400>

[^stat-idsa-phase-in]: **Mo. Rev. Stat. § 375.1427** — "Sections 375.1400 to 375.1427 shall take effect on January 1, 2026. Licensees shall have until January 1, 2027, to implement section 375.1405 and until January 1, 2028, to implement subsection 6 of section 375.1405." *Mo. Rev. Stat. § 375.1427.* <https://revisor.mo.gov/main/OneSection.aspx?section=375.1427>

[^fed-ftc5-deceptive]: **FTC Act § 5** — "Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful." *15 U.S.C. § 45(a)(1).* <https://www.law.cornell.edu/uscode/text/15/45#:~:text=Unfair%20methods%20of%20competition%20in,commerce%2C%20are%20hereby%20declared%20unlawful.>

[^q2-mmpa-deception]: **Mo. Rev. Stat. § 407.020** — "The act, use or employment by any person of any deception, fraud, false pretense, false promise, misrepresentation, unfair practice or the concealment, suppression, or omission of any material fact in connection with the sale or advertisement of any merchandise in trade or commerce or the solicitation of any funds for any charitable purpose, as defined in section 407.453, in or from the state of Missouri, is declared to be an unlawful practice." *Mo. Rev. Stat. § 407.020.1.* <https://revisor.mo.gov/main/OneSection.aspx?section=407.020>

[^fed-glba-notice]: **GLBA privacy-notice obligation** — "Except as otherwise provided in this subchapter, a financial institution may not, directly or through any affiliate, disclose to a nonaffiliated third party any nonpublic personal information, unless such financial institution provides or has provided to the consumer a notice that complies with section 6803 of this title." *15 U.S.C. § 6802(a).* <https://www.law.cornell.edu/uscode/text/15/6802#:~:text=Except%20as%20otherwise%20provided%20in,section%206803%20of%20this%20title.>

[^fed-hipaa-notice]: **HIPAA Notice of Privacy Practices** — "an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information" *45 C.F.R. § 164.520(a)(1).* <https://www.law.cornell.edu/cfr/text/45/164.520#:~:text=an%20individual%20has%20a%20right,respect%20to%20protected%20health%20information>

[^stat-1410-policy-copy]: **Mo. Rev. Stat. § 375.1410** — "A copy of the licensee's privacy policy and a statement outlining the steps the licensee will take to investigate and notify consumers affected by the cybersecurity event" *Mo. Rev. Stat. § 375.1410.2(12).* <https://revisor.mo.gov/main/OneSection.aspx?section=375.1410>

[^q3-breach-vendor]: **Mo. Rev. Stat. § 407.1500** — "Any person that maintains or possesses records or data containing personal information of residents of Missouri that the person does not own or license, or any person that conducts business in Missouri that maintains or possesses records or data containing personal information of a resident of Missouri that the person does not own or license, shall notify the owner or licensee of the information of any breach of security immediately following discovery of the breach, consistent with the legitimate needs of law enforcement as provided in this section." *Mo. Rev. Stat. § 407.1500.2(2).* <https://revisor.mo.gov/main/OneSection.aspx?section=407.1500>

[^stat-1405-vendor]: **Mo. Rev. Stat. § 375.1405** — "A licensee shall require a third-party service provider to implement appropriate administrative, technical, and physical measures to protect and secure the information systems and nonpublic information that are accessible to, or held by, the third-party service provider." *Mo. Rev. Stat. § 375.1405.6(2).* <https://revisor.mo.gov/main/OneSection.aspx?section=375.1405>

[^q3-idsa-phase-in]: **Mo. Rev. Stat. § 375.1427** — "Sections 375.1400 to 375.1427 shall take effect on January 1, 2026. Licensees shall have until January 1, 2027, to implement section 375.1405 and until January 1, 2028, to implement subsection 6 of section 375.1405." *Mo. Rev. Stat. § 375.1427.* <https://revisor.mo.gov/main/OneSection.aspx?section=375.1427>

[^fed-glba-safeguards]: **GLBA Safeguards Rule** — "Requiring your service providers by contract to implement and maintain such safeguards" *16 C.F.R. § 314.4(f)(2).* <https://www.law.cornell.edu/cfr/text/16/314.4#:~:text=Requiring%20your%20service%20providers%20by,implement%20and%20maintain%20such%20safeguards>

[^fed-hipaa-baa]: **HIPAA Business Associate Contracts** — "A contract between the covered entity and a business associate must: (i) Establish the permitted and required uses and disclosures of protected health information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that: (A) The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section; and (B) The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity. (ii) Provide that the business associate will: (A) Not use or further disclose the information other than as permitted or required by the contract or as required by law; (B) Use appropriate safeguards and comply, where applicable, with subpart C of this part with respect to electronic protected health information, to prevent use or disclosure of the information other than as provided for by its contract; (C) Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware, including breaches of unsecured protected health information as required by § 164.410; (D) In accordance with § 164.502(e)(1)(ii), ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to such information" *45 C.F.R. § 164.504(e)(2).* <https://www.law.cornell.edu/cfr/text/45/164.504#:~:text=A%20contract%20between%20the%20covered,with%20respect%20to%20such%20information>

[^stat-1405-diligence]: **Mo. Rev. Stat. § 375.1405** — "A licensee shall exercise due diligence in selecting its third-party service provider." *Mo. Rev. Stat. § 375.1405.6(1).* <https://revisor.mo.gov/main/OneSection.aspx?section=375.1405>

[^q4-breach-trigger]: **Mo. Rev. Stat. § 407.1500** — "Any person that owns or licenses personal information of residents of Missouri or any person that conducts business in Missouri that owns or licenses personal information in any form of a resident of Missouri shall provide notice to the affected consumer that there has been a breach of security following discovery or notification of the breach." *Mo. Rev. Stat. § 407.1500.2(1).* <https://revisor.mo.gov/main/OneSection.aspx?section=407.1500>

[^q4-breach-timing]: **Mo. Rev. Stat. § 407.1500** — "The disclosure notification shall be: (a) Made without unreasonable delay; (b) Consistent with the legitimate needs of law enforcement, as provided in this section; and (c) Consistent with any measures necessary to determine sufficient contact information and to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system." *Mo. Rev. Stat. § 407.1500.2(1).* <https://revisor.mo.gov/main/OneSection.aspx?section=407.1500>

[^q4-breach-ag-cra]: **Mo. Rev. Stat. § 407.1500** — "In the event a person provides notice to more than one thousand consumers at one time pursuant to this section, the person shall notify, without unreasonable delay, the attorney general's office and all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 U.S.C. Section 1681a(p), of the timing, distribution, and content of the notice." *Mo. Rev. Stat. § 407.1500.2(8).* <https://revisor.mo.gov/main/OneSection.aspx?section=407.1500>

[^q4-personal-information]: **Mo. Rev. Stat. § 407.1500** — "(9) ‘Personal information’, an individual's first name or first initial and last name in combination with any one or more of the following data elements that relate to the individual if any of the data elements are not encrypted, redacted, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable or unusable: (a) Social Security number; (b) Driver's license number or other unique identification number created or collected by a government body; (c) Financial account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account; (d) Unique electronic identifier or routing code, in combination with any required security code, access code, or password that would permit access to an individual's financial account; (e) Medical information; or (f) Health insurance information." *Mo. Rev. Stat. § 407.1500.1(9).* <https://revisor.mo.gov/main/OneSection.aspx?section=407.1500>

[^q4-breach-definition]: **Mo. Rev. Stat. § 407.1500** — "unauthorized access to and unauthorized acquisition of personal information maintained in computerized form by a person that compromises the security, confidentiality, or integrity of the personal information." *Mo. Rev. Stat. § 407.1500.1(1).* <https://revisor.mo.gov/main/OneSection.aspx?section=407.1500>

[^q4-breach-contents]: **Mo. Rev. Stat. § 407.1500** — "The notice shall at minimum include a description of the following: (a) The incident in general terms; (b) The type of personal information that was obtained as a result of the breach of security; (c) A telephone number that the affected consumer may call for further information and assistance, if one exists; (d) Contact information for consumer reporting agencies; (e) Advice that directs the affected consumer to remain vigilant by reviewing account statements and monitoring free credit reports." *Mo. Rev. Stat. § 407.1500.2(4).* <https://revisor.mo.gov/main/OneSection.aspx?section=407.1500>

[^q4-breach-methods]: **Mo. Rev. Stat. § 407.1500** — "For purposes of this section, notice to affected consumers shall be provided by one of the following methods: (a) Written notice; (b) Electronic notice for those consumers for whom the person has a valid email address and who have agreed to receive communications electronically, if the notice provided is consistent with the provisions of 15 U.S.C. Section 7001 regarding electronic records and signatures for notices legally required to be in writing; (c) Telephonic notice, if such contact is made directly with the affected consumers; or (d) Substitute notice, if: a. The person demonstrates that the cost of providing notice would exceed one hundred thousand dollars; or b. The class of affected consumers to be notified exceeds one hundred fifty thousand; or c. The person does not have sufficient contact information or consent to satisfy paragraphs (a), (b), or (c) of this subdivision, for only those affected consumers without sufficient contact information or consent; or d. The person is unable to identify particular affected consumers, for only those unidentifiable consumers ... (7) Substitute notice under paragraph (d) of subdivision (6) of this subsection shall consist of all the following: (a) Email notice when the person has an electronic mail address for the affected consumer; (b) Conspicuous posting of the notice or a link to the notice on the internet website of the person if the person maintains an internet website; and (c) Notification to major statewide media." *Mo. Rev. Stat. § 407.1500.2(6)-(7).* <https://revisor.mo.gov/main/OneSection.aspx?section=407.1500>

[^q4-breach-harm-exception]: **Mo. Rev. Stat. § 407.1500** — "Notwithstanding subdivisions (1) and (2) of this subsection, notification is not required if, after an appropriate investigation by the person or after consultation with the relevant federal, state, or local agencies responsible for law enforcement, the person determines that a risk of identity theft or other fraud to any consumer is not reasonably likely to occur as a result of the breach. Such a determination shall be documented in writing and the documentation shall be maintained for five years." *Mo. Rev. Stat. § 407.1500.2(5).* <https://revisor.mo.gov/main/OneSection.aspx?section=407.1500>

[^q4-breach-penalty]: **Mo. Rev. Stat. § 407.1500** — "The attorney general shall have exclusive authority to bring an action to obtain actual damages for a willful and knowing violation of this section and may seek a civil penalty not to exceed one hundred fifty thousand dollars per breach of the security of the system or series of breaches of a similar nature that are discovered in a single investigation." *Mo. Rev. Stat. § 407.1500.4.* <https://revisor.mo.gov/main/OneSection.aspx?section=407.1500>

[^q5-idsa-effective]: **Mo. Rev. Stat. § 375.1400 (enactment history)** — "(L. 2025 H.B. 974, et al.) Effective 1-01-26; see § 375.1427" *Mo. Rev. Stat. § 375.1400 (history note; eff. Jan. 1, 2026).* <https://revisor.mo.gov/main/OneSection.aspx?section=375.1400>

[^q5-idsa-4day]: **Mo. Rev. Stat. § 375.1410** — "Each licensee shall notify the director as promptly as practicable, but in no event later than four business days, from a determination that a cybersecurity event involving nonpublic information that is in the possession of a licensee has occurred when either of the following criteria has been met:" *Mo. Rev. Stat. § 375.1410.1.* <https://revisor.mo.gov/main/OneSection.aspx?section=375.1410>

[^q5-idsa-phase-in]: **Mo. Rev. Stat. § 375.1427** — "Sections 375.1400 to 375.1427 shall take effect on January 1, 2026. Licensees shall have until January 1, 2027, to implement section 375.1405 and until January 1, 2028, to implement subsection 6 of section 375.1405." *Mo. Rev. Stat. § 375.1427.* <https://revisor.mo.gov/main/OneSection.aspx?section=375.1427>

[^q5-glba-ftc-30day]: **GLBA Safeguards Rule (FTC breach notice)** — "Upon discovery of a notification event as described in paragraph (j)(2) of this section, if the notification event involves the information of at least 500 consumers, you must notify the Federal Trade Commission as soon as possible, and no later than 30 days after discovery of the event." *16 C.F.R. § 314.4(j)(1).* <https://www.law.cornell.edu/cfr/text/16/314.4>

[^q5-breach-timing]: **Mo. Rev. Stat. § 407.1500** — "The disclosure notification shall be: (a) Made without unreasonable delay;" *Mo. Rev. Stat. § 407.1500.2(1).* <https://revisor.mo.gov/main/OneSection.aspx?section=407.1500>

[^q5-idsa-criteria]: **Mo. Rev. Stat. § 375.1410** — "(1) This state is the licensee's state of domicile, in the case of an insurer, or this state is the licensee's home state, in the case of a producer, as those terms are defined in section 375.012, and the cybersecurity event has a reasonable likelihood of materially harming a consumer residing in this state or a reasonable likelihood of materially harming any material part of the normal operations of the licensee; or (2) The licensee reasonably believes that the nonpublic information involved is of two hundred fifty or more consumers residing in this state and is either of the following: (a) A cybersecurity event impacting the licensee of which notice is required to be provided to any government body, self-regulatory agency, or any other supervisory body under any state or federal law; or (b) A cybersecurity event that has a reasonable likelihood of materially harming: a. Any consumer residing in this state; or b. Any material part of the normal operations of the licensee." *Mo. Rev. Stat. § 375.1410.1(1)-(2).* <https://revisor.mo.gov/main/OneSection.aspx?section=375.1410>

[^q5-idsa-vendor-clock]: **Mo. Rev. Stat. § 375.1410** — "The computation of a licensee's deadlines shall begin on the day after the third-party service provider notifies the licensee of the cybersecurity event or the licensee otherwise has actual knowledge of the cybersecurity event, whichever is sooner." *Mo. Rev. Stat. § 375.1410.4(2).* <https://revisor.mo.gov/main/OneSection.aspx?section=375.1410>

[^q5-idsa-consumer-notice]: **Mo. Rev. Stat. § 375.1410** — "The licensee shall comply with section 407.1500, as applicable, and provide a copy of the notice sent to consumers under that section to the director when a licensee is required to notify the director under subsection 1 of section 375.1410." *Mo. Rev. Stat. § 375.1410.3.* <https://revisor.mo.gov/main/OneSection.aspx?section=375.1410>

[^q5-idsa-irp]: **Mo. Rev. Stat. § 375.1405** — "As part of its information security program, each licensee shall establish a written incident response plan designed to promptly respond to, and recover from, any cybersecurity event that compromises the confidentiality, integrity, or availability of nonpublic information in its possession, the licensee's information systems, or the continuing functionality of any aspect of the licensee's business or operations." *Mo. Rev. Stat. § 375.1405.8.* <https://revisor.mo.gov/main/OneSection.aspx?section=375.1405>

[^q5-idsa-cert]: **Mo. Rev. Stat. § 375.1405** — "Annually by April fifteenth, each insurer domiciled in this state shall submit to the director a written statement certifying that the insurer is in compliance with the requirements set forth in this section." *Mo. Rev. Stat. § 375.1405.9.* <https://revisor.mo.gov/main/OneSection.aspx?section=375.1405>

[^q5-idsa-penalty]: **Mo. Rev. Stat. § 375.1420** — "In the case of a violation of sections 375.1400 to 375.1427, a licensee may be subject to penalties as provided by law, including sections 374.046, 374.048, and 374.049." *Mo. Rev. Stat. § 375.1420.* <https://revisor.mo.gov/main/OneSection.aspx?section=375.1420>

[^q6-breach-ag-exclusive]: **Mo. Rev. Stat. § 407.1500** — "The attorney general shall have exclusive authority to bring an action to obtain actual damages for a willful and knowing violation of this section and may seek a civil penalty not to exceed one hundred fifty thousand dollars per breach of the security of the system or series of breaches of a similar nature that are discovered in a single investigation." *Mo. Rev. Stat. § 407.1500.4.* <https://revisor.mo.gov/main/OneSection.aspx?section=407.1500>

[^q6-idsa-no-pra]: **Mo. Rev. Stat. § 375.1400** — "Sections 375.1400 to 375.1427 shall not be construed to create or imply a private cause of action for violation of their provisions, nor shall such sections be construed to curtail a private cause of action that would otherwise exist in the absence of sections 375.1400 to 375.1427." *Mo. Rev. Stat. § 375.1400.3.* <https://revisor.mo.gov/main/OneSection.aspx?section=375.1400>

[^q6-mmpa-pra]: **Mo. Rev. Stat. § 407.025** — "Any person who purchases or leases merchandise primarily for personal, family or household purposes and thereby suffers an ascertainable loss of money or property, real or personal, as a result of the use or employment by another person of a method, act or practice declared unlawful by section 407.020, may bring a private civil action in either the circuit court of the county in which the seller or lessor resides or in which the transaction complained of took place, to recover actual damages." *Mo. Rev. Stat. § 407.025.1(1).* <https://revisor.mo.gov/main/OneSection.aspx?section=407.025>

[^q6-mmpa-remedies]: **Mo. Rev. Stat. § 407.025** — "The court may, in its discretion: (1) Award punitive damages; (2) Award to the prevailing party attorney's fees, based on the amount of time reasonably expended; and (3) Provide such equitable relief as it deems necessary or proper to protect the prevailing party from the methods, acts, or practices declared unlawful by section 407.020." *Mo. Rev. Stat. § 407.025.2.* <https://revisor.mo.gov/main/OneSection.aspx?section=407.025>

[^q6-mmpa-elements]: **Mo. Rev. Stat. § 407.025** — "A person seeking to recover damages shall establish: (a) That the person acted as a reasonable consumer would in light of all circumstances; (b) That the method, act, or practice declared unlawful by section 407.020 would cause a reasonable person to enter into the transaction that resulted in damages; and (c) Individual damages with sufficiently definitive and objective evidence to allow the loss to be calculated with a reasonable degree of certainty." *Mo. Rev. Stat. § 407.025.1(2).* <https://revisor.mo.gov/main/OneSection.aspx?section=407.025>

[^q6-mmpa-sb591-date]: **Mo. Rev. Stat. § 407.025 (revisor's applicability note)** — "Applicability of statute changes for cases filed after August 28, 2020, 510.262" *Mo. Rev. Stat. § 407.025 (revisor's note; A.L. 2020 S.B. 591).* <https://revisor.mo.gov/main/OneSection.aspx?section=407.025>

[^q6-mmpa-class]: **Mo. Rev. Stat. § 407.025** — "Persons entitled to bring an action pursuant to subsection 1 of this section may, if the unlawful method, act or practice has caused similar injury to numerous other persons, institute an action as representative or representatives of a class against one or more defendants as representatives of a class, and the petition shall allege such facts as will show that these persons or the named defendants specifically named and served with process have been fairly chosen and adequately and fairly represent the whole class, to recover damages as provided for in subsection 1 of this section." *Mo. Rev. Stat. § 407.025.5.* <https://revisor.mo.gov/main/OneSection.aspx?section=407.025>

[^q6-mmpa-exemption]: **Mo. Rev. Stat. § 407.020** — "Any institution, company, or entity that is subject to chartering, licensing, or regulation by the director of the department of commerce and insurance under chapter 354 or chapters 374 to 385, the director of the division of credit unions under chapter 370, or director of the division of finance under chapters 361 to 369, or chapter 371, unless such directors specifically authorize the attorney general to implement the powers of this chapter or such powers are provided to either the attorney general or a private citizen by statute" *Mo. Rev. Stat. § 407.020.2(2).* <https://revisor.mo.gov/main/OneSection.aspx?section=407.020>
