MISSISSIPPI LEGISLATURE
2016 Regular Session
To: Technology; Judiciary A
By: Representative Miles
AN ACT TO CREATE NEW SECTION 75-24-31, MISSISSIPPI CODE OF 1972, TO PROHIBIT A THIRD PARTY ENTITY WITH WHOM A STATE AGENCY HAS CONTRACTED TO PROVIDE THE PERSONAL INFORMATION OR BUSINESS INFORMATION OF AN INDIVIDUAL FOR COLLECTION AND MAINTENANCE FROM ESTABLISHING A RIGHT OF OWNERSHIP IN THE DATA FOR PURPOSES OF MINING, SELLING OR RELEASING OTHER ENTITIES; AND FOR RELATED PURPOSES.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MISSISSIPPI:
SECTION 1. The following shall be codified as Section 75-24-31, Mississippi Code of 1972:
75-24-31. (1) The personal information or business information, including, but not limited to, financial and operational data and intellectual property, hereinafter referred to as "data," to which a third party entity has been provided access by a state agency through direct submission or through authority granted by such agency to collect and maintain data on the agency's behalf does not create a right of ownership in the personal or business information data provided, collected or maintained by the third party entity. Unless the third party entity has been voluntarily granted an affirmative right of ownership in the data upon an agreement by the state agency and the person or business providing the data, which must be confirmed in writing and communicated to the third party entity, the data shall remain the property of the state agency with whom the third party entity has contracted and the provider of such data.
(2) Any third party entity that is provided data by a state agency or collects or maintains data on a state agency's behalf shall:
(a) Be liable for any breach of data;
(b) Limit the use of the data provided, collected or maintained strictly for the use and purpose for which the state agency contracted the third party entity; and
(c) Be prohibited from any action to mine, sell or release the data to another person, agency, firm, corporation, public or private business, for-profit or not-for-profit organization, except as otherwise provided in subsection (1).
(3) Failure to comply with the provisions of this section shall be considered a data breach constituting an unfair trade practice, and shall be enforced by the Attorney General. Nothing in this section may be construed as prohibiting a private right of action against a third party entity.
SECTION 2. This act shall take effect and be in force from and after July 1, 2016.