New Hampshire Cybersecurity Laws You Should Know (2026)
Mitch Wolverton

New Hampshire has strengthened its data protection landscape in recent years with both data breach notification requirements and a comprehensive state privacy law now in effect. For businesses operating or targeting residents in the Granite State, understanding these laws, and how they interact with federal requirements, is essential for protecting sensitive information, maintaining compliance, and building trust.
New Hampshire Cybersecurity and Privacy Laws
New Hampshire Data Breach Notification Law (RSA 359-C:20)
Key points include:
- Who must comply: Any person or business that owns or licenses computerized data containing personal information of New Hampshire residents.
- Notification triggers: A breach occurs when personal information is accessed or is reasonably likely to be misused.
- Regulator notice: Businesses must notify the New Hampshire Attorney General or, if applicable, the primary regulator for the affected industry.
- Private right of action: Affected individuals injured by a violation may bring their own legal claim for damages.
“Personal information” under the statute generally includes data like names combined with Social Security numbers, driver’s license numbers, or financial account credentials when unencrypted.
New Hampshire Data Privacy Act (RSA 507-H) – Effective January 1, 2025
This law creates broad data privacy rights and business obligations, including:
Consumer Rights:
- Right to confirm whether personal data is being processed and access that data.
- Right to correct, delete, and obtain a copy of personal data (subject to limited exemptions).
- Rights to opt out of personal data sales and targeted advertising.
Business Obligations:
- Controllers must implement reasonable data security measures.
- Data controllers must conduct data protection assessments for activities that present a heightened risk of harm (e.g., profiling or targeted advertising).
- Privacy notices must be transparent and tell consumers how their data is used.
Applicability Thresholds:
The law applies to entities that either:
- Control or process personal data of 35,000+ New Hampshire consumers annually; or
- Control or process personal data of 10,000+ consumers and derive over 25% of gross revenue from the sale of personal data.
Enforcement:
The New Hampshire Attorney General enforces the NHPA. Businesses typically receive a notice of violation with an opportunity to cure within 60 days before any enforcement action.
Violations are treated as unfair or deceptive acts or practices under the state’s consumer protection statutes.
Federal and Industry-Specific Cybersecurity Regulations That Affect New Hampshire Businesses
Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS applies to New Hampshire businesses that process credit card payments. It requires encryption, access control, and continuous monitoring to prevent payment data breaches.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA applies to New Hampshire healthcare organizations and business associates that handle personal health information (PHI). It mandates administrative, technical, and physical safeguards for patient data.
Gramm-Leach-Bliley Act (GLBA)
Financial institutions in New Hampshire must comply with GLBA, which requires secure information systems, employee training, and consumer privacy notices.
General Data Protection Regulation (GDPR)
GDPR applies to New Hampshire businesses that collect or process personal data from EU residents. It mandates explicit consent, transparency, and the right to delete personal information.
Cybersecurity Requirements for Financial Services Companies (NYDFS 23 NYCRR 500)
NIST Cybersecurity Framework
Federal Trade Commission (FTC) Act
Under the FTC Act, New Hampshire businesses must maintain reasonable cybersecurity standards and cannot misrepresent their data protection practices.
Children’s Online Privacy Protection Act (COPPA)
If your New Hampshire business collects personal data from children under 13, COPPA applies. It requires verified parental consent and limits data sharing or tracking.
Sarbanes-Oxley Act (SOX)
Family Educational Rights and Privacy Act (FERPA)
FERPA applies to New Hampshire schools and businesses handling student educational records. It requires written consent before disclosing identifiable student data.
Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA)
CAN-SPAM Act
Defense Federal Acquisition Regulation Supplement (DFARS)
New Hampshire defense contractors must comply with DFARS cybersecurity standards aligned with NIST SP 800-171, ensuring protection of controlled unclassified information.
Section 5 of the FTC Act (Unfair or Deceptive Practices)
Section 5 prohibits deceptive or negligent cybersecurity practices, holding New Hampshire businesses accountable for failing to protect consumer data or misrepresenting security controls.
Best Practices for Complying in New Hampshire
To align with New Hampshire’s evolving cybersecurity landscape, businesses should adopt the following best practices:
- Conduct regular risk assessments and penetration testing.
- Maintain comprehensive privacy and cybersecurity policies that reflect New Hampshire’s consumer rights and data controller obligations.
- Implement incident response plans that include breach notification protocols consistent with state law.
- Train employees on data privacy rights, breach recognition, and response workflows.
- Use frameworks like NIST, CIS Controls, or ISO 27001 to support documented security practices.
Conclusion
In 2026, New Hampshire’s cybersecurity landscape is shaped by both data breach notification requirements and a comprehensive privacy law (NHPA) that grants residents meaningful control over their data and imposes robust obligations on businesses. Staying compliant with these laws, and aligning with federal standards, helps organizations safeguard consumer information, reduce legal risk, and demonstrate strong data governance.
Frequently Asked Questions About New Hampshire Cybersecurity Laws
- Does New Hampshire have a state privacy law?
Yes. The New Hampshire Privacy Act (RSA 507-H) took effect January 1, 2025, creating consumer rights and business obligations around personal data.
- What is the main New Hampshire data breach law?
The breach notification law (RSA 359-C:20) requires prompt notice to affected residents and the Attorney General if personal data misuse has occurred or cannot be ruled out.
- Who enforces New Hampshire’s privacy and breach laws?
The New Hampshire Attorney General enforces both the privacy act and breach notification requirements.
- How quickly must businesses notify residents of a breach?
Notifications must be provided as soon as possible after determining that misuse has occurred or is reasonably likely.
- What business obligations does the New Hampshire privacy law impose?
The NHPA requires reasonable security measures, transparent privacy notices, data protection assessments for high-risk processing, and rights-handling mechanisms like opt-outs.
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Readers should consult qualified legal counsel for advice specific to their organization or situation.
Mitch, Marketing Manager at PivIT Strategy, brings many years of marketing and content creation experience to the company. He began his career as a content writer and strategist, honing his skills on some of the industry’s largest websites, before advancing to specialize in SEO and digital marketing at PivIT Strategy.
