Data Protection Impact Assessment (DPIA) - Mississippi
DATA PROTECTION IMPACT ASSESSMENT (DPIA)
State of Mississippi
Organization: [________________________________]
Assessment Date: [__/__/____]
Assessment Reference No.: [________________________________]
Prepared By: [________________________________]
Department/Division: [________________________________]
1. Project Overview
Project Name / Identifier: [________________________________]
Project Owner: [________________________________]
Executive Sponsor: [________________________________]
Project Description:
[________________________________________________________________________________]
[________________________________________________________________________________]
[________________________________________________________________________________]
Business Justification:
[________________________________________________________________________________]
[________________________________________________________________________________]
Projected Launch Date: [__/__/____]
Project Phase: [____] (e.g., concept, design, development, deployment, ongoing operations)
Systems / Applications Involved:
| System Name | Vendor | Environment | Data Types |
|---|---|---|---|
| [________________________________] | [________________________________] | [____] | [________________________________] |
| [________________________________] | [________________________________] | [____] | [________________________________] |
| [________________________________] | [________________________________] | [____] | [________________________________] |
2. Scope of Processing
2.1 Data Subjects
☐ Customers / Consumers
☐ Employees / Job Applicants
☐ Vendors / Contractors
☐ End Users (App / Website)
☐ Minors (under 13)
☐ Minors (13-17)
☐ Other: [________________________________]
2.2 Categories of Personal Data Collected
Personal Information as Defined by Miss. Code Ann. § 75-24-29(2):
An individual's first name or first initial and last name in combination with any one or more of the following data elements. (Whether the data was encrypted or otherwise rendered unreadable is addressed in the statutory definition of "breach of security," covered in Sections 5.1 and 8.1.1, not in the definition of personal information.)
☐ Social Security number
☐ Driver's license number or state identification card number
☐ Financial account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account
Note: Mississippi's statutory definition of "personal information" is among the narrowest in the country. It does not include medical information, health insurance data, biometric identifiers, username/password combinations, or taxpayer identification numbers. Organizations should nonetheless inventory these broader categories (Section 2.3) as a matter of best practice, because the federal overlays in Section 3.5 and other states' breach statutes may cover them even where Mississippi's does not.
2.3 Additional Data Categories (Beyond Mississippi Statutory Minimum)
☐ Medical / health information
☐ Health insurance information
☐ Biometric identifiers (fingerprints, facial geometry, etc.)
☐ Geolocation data
☐ Username or email address with password or security question
☐ Tax identification numbers
☐ Passport numbers
☐ Student records
☐ Other: [________________________________]
2.4 Volume and Retention
- Estimated number of data subjects: [________________________________]
- Estimated records per year: [________________________________]
- Retention period: [________________________________]
- Deletion/destruction triggers: [________________________________]
- Legal hold procedures: [________________________________]
2.5 Processing Activities
☐ Collection
☐ Storage / Hosting
☐ Analysis / Profiling
☐ Automated decision-making
☐ Sharing with third parties
☐ Sale of data
☐ Cross-border transfer
☐ Other: [________________________________]
3. Legal Basis, Notices, and Rights
3.1 Mississippi Data Protection Legal Landscape
Mississippi does not have a comprehensive consumer privacy law. Its principal general data protection statute is the Security Breach Notification Law (Miss. Code Ann. § 75-24-29), which took effect on July 1, 2011; beyond it, only sector-specific rules (such as the insurance data security law listed below) and federal overlays apply. Mississippi's framework is therefore one of the more limited in the United States.
| Statute | Citation | Scope |
|---|---|---|
| Security Breach Notification | Miss. Code Ann. § 75-24-29 | Breach notification for personal information |
| Mississippi Consumer Protection Act | Miss. Code Ann. § 75-24-1 et seq. | General consumer protection |
| Mississippi Insurance Data Security Law | Miss. Code Ann. § 83-5-901 et seq. | Insurance industry data security |
3.2 Consumer Rights Under Mississippi Law
- No right to access personal information held by businesses
- No right to correction of personal information
- No right to deletion of personal information
- No right to opt out of data sales or targeted advertising
- No right to data portability
- No private right of action under the breach notification statute (Miss. Code Ann. § 75-24-29(8): "nothing in this section may be construed to create a private right of action")
- Enforcement exclusively by the Mississippi Attorney General as an unfair trade practice
3.3 Applicability
The breach notification law applies to:
☐ Any person conducting business in Mississippi who, in the ordinary course of business, owns, licenses, or maintains personal information of any Mississippi resident
☐ Any governmental entity (state, county, municipality) that owns, licenses, or maintains personal information of Mississippi residents
3.4 Harm Threshold
IMPORTANT: Mississippi is a harm-based notification state. Notification is NOT required if, after an appropriate investigation, the entity reasonably determines that the breach will not likely result in harm to the affected individuals (Miss. Code Ann. § 75-24-29(3)). This determination must be documented.
Harm Assessment Required: ☐ Yes
3.5 Applicable Federal Overlays
☐ HIPAA (health data)
☐ GLBA (financial data)
☐ FERPA (educational records)
☐ COPPA (children under 13)
☐ FCRA (consumer reports)
☐ Other: [________________________________]
4. Data Flow and Transfers
4.1 Data Flow Diagram
Data Sources:
| Source | Data Type | Collection Method | Legal Basis |
|---|---|---|---|
| [________________________________] | [________________________________] | [________________________________] | [________________________________] |
| [________________________________] | [________________________________] | [________________________________] | [________________________________] |
| [________________________________] | [________________________________] | [________________________________] | [________________________________] |
Data Storage Locations:
| System / Platform | Cloud Region / Data Center | Encryption at Rest | Encryption in Transit |
|---|---|---|---|
| [________________________________] | [________________________________] | ☐ Yes ☐ No | ☐ Yes ☐ No |
| [________________________________] | [________________________________] | ☐ Yes ☐ No | ☐ Yes ☐ No |
4.2 Third-Party Recipients
| Recipient | Purpose | DPA in Place | Due Diligence Completed |
|---|---|---|---|
| [________________________________] | [________________________________] | ☐ Yes ☐ No | ☐ Yes ☐ No |
| [________________________________] | [________________________________] | ☐ Yes ☐ No | ☐ Yes ☐ No |
4.3 Cross-Border Transfers
☐ Data remains within the United States
☐ Data transferred internationally -- Transfer mechanism: [________________________________]
4.4 Access Controls
- Role-based access control (RBAC) groups: [________________________________]
- Least privilege principle: ☐ Implemented ☐ Not yet implemented
- Joiner/mover/leaver process: ☐ Documented ☐ Not documented
- Privileged access review cadence: [________________________________]
5. Security and Controls
5.1 Technical Controls
Encryption Safe Harbor: Under Miss. Code Ann. § 75-24-29(2), a "breach of security" means unauthorized acquisition of electronic files, media, databases, or computerized data containing personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable. Acquisition of data that was so secured is therefore not a "breach of security," and the notification duty in subsection (3) does not attach. The exclusion turns on whether the acquired data was in fact unreadable or unusable: if decryption keys (or the credentials protecting them) were acquired along with the data, or an application exposed the data in decrypted form, the safe harbor should not be assumed; the basis for relying on it should be documented and reviewed by counsel.
☐ Encryption at rest (standard: [________________________________])
☐ Encryption in transit (TLS version: [________________________________])
☐ Key management system: [________________________________]
☐ Network segmentation / micro-segmentation
☐ Endpoint detection and response (EDR)
☐ Logging and monitoring (SIEM: [________________________________])
☐ Data loss prevention (DLP)
☐ Automated backup and disaster recovery
☐ Vulnerability management and patch cadence: [________________________________]
☐ Intrusion detection / prevention systems
☐ Web application firewall (WAF)
☐ Other method or technology rendering PI unreadable or unusable: [________________________________]
5.2 Organizational Controls
☐ Information security policy (last reviewed: [__/__/____])
☐ Privacy policy (last reviewed: [__/__/____])
☐ Acceptable use policy
☐ Employee training cadence: [________________________________]
☐ Vendor due diligence program
☐ Incident response plan (last tested: [__/__/____])
☐ Change management procedures
☐ Data classification framework
5.3 Authentication and Authorization
☐ Multi-factor authentication (MFA) for all privileged access
☐ Single sign-on (SSO) / SAML integration
☐ Session timeout policies: [________________________________]
☐ Privileged access management (PAM) solution: [________________________________]
6. Risk Assessment
6.1 Identified Risks
| Risk ID | Risk Description | Likelihood | Impact | Risk Rating | Mitigation |
|---|---|---|---|---|---|
| MS-01 | Unauthorized acquisition of unencrypted PI triggering breach notification | [____] | High | [____] | [________________________________] |
| MS-02 | Failure to conduct adequate investigation after breach | [____] | Medium | [____] | [________________________________] |
| MS-03 | Unreasonable delay in providing breach notification | [____] | [____] | [____] | [________________________________] |
| MS-04 | Third-party vendor breach affecting MS residents' PI | [____] | [____] | [____] | [________________________________] |
| MS-05 | Failure to notify AG when 100+ individuals affected (if 2025 amendment enacted) | [____] | [____] | [____] | [________________________________] |
| MS-06 | Insufficient substitute notice procedures | [____] | [____] | [____] | [________________________________] |
| MS-07 | Children's data collected without COPPA compliance | [____] | [____] | [____] | [________________________________] |
| MS-08 | Unauthorized insider access to PI | [____] | [____] | [____] | [________________________________] |
| MS-09 | Harm assessment improperly documented | [____] | [____] | [____] | [________________________________] |
| MS-10 | [________________________________] | [____] | [____] | [____] | [________________________________] |
6.2 Risk Rating Matrix
| Likelihood \ Impact | Low | Medium | High | Critical |
|---|---|---|---|---|
| High | Medium | High | Critical | Critical |
| Medium | Low | Medium | High | Critical |
| Low | Low | Low | Medium | High |
6.3 Mississippi-Specific Risk Considerations
- Harm-based threshold: Mississippi only requires notification if harm is "likely" to result. The entity must conduct an investigation and document its harm determination. An AG investigation could challenge a no-notification determination.
- No private right of action: While individuals cannot sue under this statute, the AG can enforce violations as unfair trade practices under the Mississippi Consumer Protection Act.
- Narrow PI definition: The limited definition of personal information means some data breaches involving medical, biometric, or credential data may not trigger Mississippi's notification statute -- but could still trigger federal requirements or reputational harm.
- No explicit security mandate: Mississippi's statute does not impose specific data security requirements (unlike some states). However, reasonable security measures are a best practice and may be required under applicable federal laws.
- 2025 SB 2046: Monitor for enactment of proposed amendment requiring AG notification when 100+ individuals are affected.
7. Mitigations and Residual Risk
7.1 Planned Mitigations
| Risk ID | Mitigation Action | Owner | Target Date | Status |
|---|---|---|---|---|
| [____] | [________________________________] | [________________________________] | [__/__/____] | ☐ Not Started ☐ In Progress ☐ Complete |
| [____] | [________________________________] | [________________________________] | [__/__/____] | ☐ Not Started ☐ In Progress ☐ Complete |
| [____] | [________________________________] | [________________________________] | [__/__/____] | ☐ Not Started ☐ In Progress ☐ Complete |
| [____] | [________________________________] | [________________________________] | [__/__/____] | ☐ Not Started ☐ In Progress ☐ Complete |
7.2 Validation and Testing
☐ Penetration testing completed (date: [__/__/____])
☐ Security audit completed (date: [__/__/____])
☐ Privacy-by-design review completed
☐ Tabletop incident response exercise conducted (date: [__/__/____])
☐ Vendor security assessments completed
☐ Harm assessment process documented and tested
7.3 Residual Risk Determination
Overall Residual Risk Rating: ☐ Low ☐ Medium ☐ High ☐ Critical
Decision: ☐ Accept ☐ Mitigate Further ☐ Transfer (Insurance) ☐ Avoid / Block Project
Justification: [________________________________________________________________________________]
8. Incident Response and Breach Notification
8.1 Mississippi Breach Notification Requirements (Miss. Code Ann. § 75-24-29)
8.1.1 Triggering Event
A "breach of security" is the unauthorized acquisition of electronic files, media, databases, or computerized data containing personal information of any Mississippi resident, when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable (Miss. Code Ann. § 75-24-29(2)).
Key exclusions from breach definition:
- Encrypted data or data rendered unreadable/unusable by any other method
- Good-faith acquisition by an employee or agent for a legitimate business purpose, provided the personal information is not used for an unauthorized purpose or subject to further unauthorized disclosure
8.1.2 Investigation and Harm Determination
Upon discovering a potential breach, the entity must:
- Conduct an investigation to determine the nature and scope of the incident, identify affected individuals, and restore the reasonable integrity of the data system
- Determine whether harm is likely: Notification is NOT required if the entity reasonably determines that the breach will not likely result in harm to affected individuals (Miss. Code Ann. § 75-24-29(3))
- Document the determination: Record the basis for any decision not to notify
Practice Tip: While the statute permits foregoing notification based on a no-harm determination, this determination should be made carefully, documented thoroughly, and ideally reviewed by legal counsel. The MS AG could later challenge the reasonableness of a no-harm finding.
8.1.3 Notification Timeline and Requirements
| Requirement | Detail |
|---|---|
| Individual notice | Without unreasonable delay, subject to completion of investigation |
| AG notification | Not currently required (monitor SB 2046 for potential 100+ threshold) |
| Credit reporting agencies | Not required by state statute |
| Content of notice | No specific content requirements mandated by statute |
| Harm threshold | Notification not required if breach will not likely result in harm |
| Law enforcement delay | Notice may be delayed if law enforcement determines it would impede a criminal or civil investigation |
8.1.4 Methods of Notification (Miss. Code Ann. § 75-24-29(6))
☐ Written notice to most recent address on file
☐ Telephone notice -- permitted if direct contact is made and a log of the notification is maintained
☐ Electronic notice -- if the entity's primary means of communication is electronic, or if consistent with the E-SIGN Act (15 U.S.C. § 7001)
☐ Substitute notice -- available if:
- Cost would exceed $5,000, OR
- Affected class exceeds 5,000 individuals, OR
- Entity does not have sufficient contact information
Substitute notice requires ALL of the following:
- Email notice (if email address is available)
- Conspicuous posting on the entity's website (if one is maintained)
- Notification to major statewide media
Note: Mississippi's $5,000 cost threshold for substitute notice is among the lowest in the country, making substitute notice more readily available for smaller entities.
8.1.5 Third-Party Data Holder Obligations
Any person who maintains computerized data that includes personal information that the person does not own or license shall notify the owner or licensee of the information of any breach of the security of the system immediately following discovery if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person (Miss. Code Ann. § 75-24-29(4)).
8.1.6 Enforcement (Miss. Code Ann. § 75-24-29(8))
| Area | Detail |
|---|---|
| Enforcement authority | Mississippi Attorney General exclusively |
| Classification | Failure to comply = unfair trade practice |
| Penalties | Enforced under Mississippi Consumer Protection Act |
| Private right of action | Explicitly prohibited -- "nothing in this section may be construed to create a private right of action" |
| Injunctive relief | Available to AG |
8.1.7 Federal Law Exemption
An entity that complies with the notification requirements of federal law (e.g., HIPAA, GLBA) is deemed to be in compliance with the Mississippi statute, provided the entity notifies affected Mississippi residents in accordance with federal requirements (Miss. Code Ann. § 75-24-29(9)).
8.2 Internal Incident Response Procedures
Incident Response Team Lead: [________________________________]
Legal Counsel (MS-licensed): [________________________________]
AG Contact: Mississippi Attorney General, Consumer Protection Division, (601) 359-4230
Response Timeline:
| Step | Action | Responsible Party | Target Timeframe |
|---|---|---|---|
| 1 | Identify and contain the incident | [________________________________] | Immediate |
| 2 | Determine if PI (as defined by § 75-24-29(2)) is involved | [________________________________] | Within 24 hours |
| 3 | Conduct investigation into nature, scope, and affected individuals | [________________________________] | Begin immediately |
| 4 | Perform and document harm likelihood determination | [________________________________] | Upon completion of investigation |
| 5 | If harm likely: prepare notification to affected individuals | [________________________________] | Without unreasonable delay |
| 6 | If third-party holder: immediately notify data owner/licensee | [________________________________] | Immediately |
| 7 | Select notification method (written, telephone, electronic, substitute) | [________________________________] | Prior to notification |
| 8 | Deliver notification to affected individuals | [________________________________] | Without unreasonable delay |
| 9 | Document incident, investigation, harm determination, and remediation | [________________________________] | Ongoing |
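As a worked example of the determinations the procedure above calls for (step 2, applying the § 75-24-29(2) definition from Section 2.2 together with the encryption exclusion in 8.1.1, and step 7, testing substitute-notice eligibility under 8.1.4), the following Python helper is added here; it is not part of the template or the statute. The record shape, field names such as `ssn` and `access_code`, and the sample records are constructed assumptions. It classifies only against the statutory definition: the harm determination (8.1.2), the non-statutory categories in Section 2.3, and federal overlays remain manual steps for the response team and counsel.

```python
"""Breach triage helper for the Mississippi statutory PI test.

Added example, not part of the DPIA template or the statute. It applies the
Miss. Code Ann. § 75-24-29 elements described in the template; record shape,
field names and sample data are constructed assumptions.
"""
from dataclasses import dataclass, field

# Data elements that, combined with a first name/initial and last name, are
# "personal information" under § 75-24-29(2). Field names are assumed.
STATUTORY_ELEMENTS = {"ssn", "drivers_license", "state_id"}
# An account or card number counts only together with a credential that would
# permit access to the financial account.
FINANCIAL_NUMBER_FIELDS = {"account_number", "card_number"}
FINANCIAL_CREDENTIAL_FIELDS = {"security_code", "access_code", "password"}

SUBSTITUTE_NOTICE_COST_CAP = 5_000   # USD; substitute notice if cost exceeds this
SUBSTITUTE_NOTICE_CLASS_CAP = 5_000  # individuals; or if the affected class exceeds this


@dataclass
class ExposedRecord:
    """One record found in the acquired data set (constructed shape)."""
    first_name: str
    last_name: str
    state: str                       # residency; only MS residents are in scope
    elements: dict                   # element name -> value as acquired
    encrypted: set = field(default_factory=set)   # elements still unreadable
    contact: dict = field(default_factory=dict)   # e.g. {"mail": ...}


def has_name(rec: ExposedRecord) -> bool:
    """Statute requires a first name or first initial plus a last name."""
    return bool(rec.first_name) and bool(rec.last_name)


def readable_elements(rec: ExposedRecord) -> set:
    """Elements acquired in readable form (applies the encryption exclusion)."""
    return {k for k, v in rec.elements.items() if v and k not in rec.encrypted}


def statutory_pi_elements(rec: ExposedRecord) -> set:
    """Statutory data elements exposed in readable form together with a name."""
    if not has_name(rec):
        return set()
    exposed = readable_elements(rec)
    hits = exposed & STATUTORY_ELEMENTS
    if exposed & FINANCIAL_NUMBER_FIELDS and exposed & FINANCIAL_CREDENTIAL_FIELDS:
        hits |= exposed & (FINANCIAL_NUMBER_FIELDS | FINANCIAL_CREDENTIAL_FIELDS)
    return hits


def affected_individuals(records) -> list:
    """MS residents whose statutory PI was acquired in readable form."""
    return [r for r in records if r.state == "MS" and statutory_pi_elements(r)]


def substitute_notice_reasons(affected, est_cost_usd: float) -> list:
    """Conditions under which substitute notice is available (any one suffices)."""
    reasons = []
    if est_cost_usd > SUBSTITUTE_NOTICE_COST_CAP:
        reasons.append("cost exceeds $5,000")
    if len(affected) > SUBSTITUTE_NOTICE_CLASS_CAP:
        reasons.append("affected class exceeds 5,000")
    if any(not r.contact for r in affected):
        reasons.append("insufficient contact information for some individuals")
    return reasons


def triage(records, est_cost_usd: float) -> dict:
    """Summarise the statutory-PI determination for the incident record."""
    affected = affected_individuals(records)
    return {
        "affected_count": len(affected),
        "affected": [f"{r.first_name} {r.last_name}" for r in affected],
        "elements": sorted({e for r in affected for e in statutory_pi_elements(r)}),
        "substitute_notice_reasons": substitute_notice_reasons(affected, est_cost_usd),
        # A non-empty affected class means the harm determination in
        # § 75-24-29(3) must now be performed and documented; it does not by
        # itself mean that notice is required.
        "proceed_to_harm_determination": bool(affected),
    }


# Constructed sample data set; names and values are fictitious.
SAMPLE_RECORDS = [
    ExposedRecord("Ada", "Lovelace", "MS", {"ssn": "123-45-6789"},
                  contact={"mail": "1 Main St, Jackson, MS"}),                       # statutory PI
    ExposedRecord("B.", "Babbage", "MS", {"ssn": "987-65-4321"}, encrypted={"ssn"}),  # excluded: encrypted
    ExposedRecord("Grace", "Hopper", "MS", {"card_number": "4111 0000 0000 0000"}),   # no access code: not PI
    ExposedRecord("Alan", "Turing", "MS", {"account_number": "0012", "access_code": "7711"}),  # PI
    ExposedRecord("Edsger", "Dijkstra", "MS", {"diagnosis": "constructed"}),          # medical: outside MS definition
    ExposedRecord("Ken", "Thompson", "TN", {"ssn": "111-22-3333"}),                   # not an MS resident
    ExposedRecord("", "Ritchie", "MS", {"ssn": "444-55-6666"}),                       # no first name or initial
]

if __name__ == "__main__":
    print(triage(SAMPLE_RECORDS, est_cost_usd=1_200))
```

On the constructed sample, only two of the seven records are affected individuals: the encrypted SSN, the card number without an access code, the medical record, the non-resident, and the record with no first name or initial all fall outside the statutory test, and one of the two affected individuals lacks contact information, which is the only reason substitute notice becomes available at the assumed $1,200 mailing cost. Records the helper excludes should still be reviewed against Section 2.3 and the federal overlays, and every exclusion decision belongs in the incident documentation (step 9).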
9. State Law Overlay Summary -- Mississippi
9.1 Key Compliance Obligations
| Area | Requirement | Citation |
|---|---|---|
| Breach notification | Notify affected MS residents without unreasonable delay (if harm likely) | Miss. Code Ann. § 75-24-29(3) |
| Harm threshold | No notification required if breach will not likely result in harm | Miss. Code Ann. § 75-24-29(3) |
| Investigation | Investigation required to determine nature, scope, and affected individuals | Miss. Code Ann. § 75-24-29(3) |
| AG notification | Not currently required by statute | -- |
| Third-party holder | Must immediately notify data owner/licensee | Miss. Code Ann. § 75-24-29(4) |
| Encryption safe harbor | Encrypted or unreadable data excluded from breach definition | Miss. Code Ann. § 75-24-29(1) |
| Substitute notice | Cost exceeds $5,000, or affected class exceeds 5,000, or insufficient contact information | Miss. Code Ann. § 75-24-29(6) |
| Federal preemption | Compliance with federal notification requirements = MS compliance | Miss. Code Ann. § 75-24-29(9) |
| Private right of action | None -- explicitly prohibited | Miss. Code Ann. § 75-24-29(8) |
| Enforcement | AG only, as unfair trade practice | Miss. Code Ann. § 75-24-29(8) |
| Comprehensive privacy law | None | -- |
| Data security mandate | None in statute | -- |
| Data disposal mandate | None in statute | -- |
9.2 Mississippi-Specific Compliance Checklist
☐ Personal information as defined by Miss. Code Ann. § 75-24-29(2) has been identified and documented
☐ Encryption implemented for all PI at rest and in transit (safe harbor)
☐ Incident response plan includes Mississippi-specific harm determination procedure
☐ Harm determination documentation template prepared
☐ Third-party vendor contracts require immediate notification to data owner upon breach
☐ Substitute notice procedures documented (thresholds: cost exceeding $5,000, affected class exceeding 5,000, or insufficient contact information)
☐ Federal law compliance confirmed (HIPAA/GLBA exemption if applicable)
☐ Employee training on breach identification and reporting is current
☐ COPPA compliance confirmed for any children's data
☐ Investigation and notification procedures tested via tabletop exercise
☐ Cyber liability insurance coverage reviewed
☐ Monitor Mississippi legislative developments (SB 2046 and potential amendments)
10. Approvals and Accountability
| Role | Name | Signature | Date |
|---|---|---|---|
| Privacy Lead / DPO | [________________________________] | [________________________________] | [__/__/____] |
| Information Security Officer | [________________________________] | [________________________________] | [__/__/____] |
| Legal Counsel (MS-licensed) | [________________________________] | [________________________________] | [__/__/____] |
| Business Owner | [________________________________] | [________________________________] | [__/__/____] |
| Executive Approver | [________________________________] | [________________________________] | [__/__/____] |
Next Review Date: [__/__/____]
11. Attachments
☐ Data flow diagrams and architecture documentation
☐ Records of processing activities (ROPA) entry
☐ Vendor list and data processing agreements
☐ Information security policy
☐ Harm determination documentation template
☐ Penetration test reports
☐ Incident response playbook (MS-specific)
☐ Breach notification letter template (MS-specific)
☐ Telephone notification script and log template
☐ Insurance policy summary (cyber liability)
Sources and References
- Mississippi Code § 75-24-29: https://codes.findlaw.com/ms/title-75-regulation-of-trade-commerce-and-investments/ms-code-sect-75-24-29/
- Mississippi Code § 75-24-29 (2024 version): https://law.justia.com/codes/mississippi/title-75/chapter-24/general-provisions/section-75-24-29/
- Mississippi Attorney General, Consumer Protection: https://www.ago.state.ms.us/divisions/consumer-protection/
- Perkins Coie, Mississippi Security Breach Notification Chart: https://perkinscoie.com/insights/publication/security-breach-notification-chart-mississippi
- SB 2046 (2025 Regular Session): https://billstatus.ls.state.ms.us/documents/2025/html/SB/2001-2099/SB2046IN.htm
About This Template
Compliance documents are what regulated businesses use to prove they follow the rules that apply to their industry, whether that is privacy, anti-money-laundering, consumer protection, or sector-specific requirements. Regulators look for consistent policies, up-to-date records, and clear evidence of employee training. The cost of getting compliance paperwork right is almost always smaller than the cost of an enforcement action, fine, or public disclosure.
Important Notice
This template is provided for informational purposes. It is not legal advice. We recommend having an attorney review any legal document before signing, especially for high-value or complex matters.
Last updated: April 2026