On April 8, the Mississippi governor signed into law HB 1596, known as the “Data Security for Money Transmitters Act.” The law, effective July 1, amends the Money Transmission Modernization Act (MTMA) to impose data security, consumer protection, and operational requirements on licensed money transmitters and virtual currency kiosk operators. The law requires licensees to develop and maintain a comprehensive written information security program proportionate to the licensee’s size and complexity, designate a qualified individual to oversee the program, conduct risk assessments, and report annually to the board of directors. Required safeguards include access controls, encryption, multi-factor authentication, secure disposal of customer information, annual penetration testing, and semiannual vulnerability assessments. Licensees must also maintain written incident response and business continuity plans. Certain requirements, including written risk assessment criteria, penetration testing, the incident response plan, and annual board reporting, do not apply to licensees with fewer than 5,000 consumers.

The law also requires notification to the Commissioner of Banking and Consumer Finance within 72 hours of discovering the unauthorized acquisition of unencrypted customer information, with provisions for law enforcement to delay public notification. In addition, HB 1596 brings virtual currency kiosks under the MTMA’s licensing, renewal, and authorized delegate reporting requirements. Licensees must provide annual training to authorized delegates on recognizing elder adult financial abuse and display fraud warnings at authorized delegate locations.