New Hampshire joins the club
The Granite State requires that security breaches involving PII be reported to the Attorney General:
Any person engaged in trade or commerce that is subject to RSA 358-A:3, I shall also notify the regulator which has primary regulatory authority over such trade or commerce. All other persons shall notify the New Hampshire attorney general’s office. The notice shall include the anticipated date of the notice to the individuals and the approximate number of individuals in this state who will be notified.
NH Revised Statutes Annotated
This makes New Hampshire the fourth state (by my count) to require such central reporting, joining New York, Maine, and North Carolina.
Illinois requires reporting only when State Agencies are breached, and New Jersey requires reporting to the State Police (who keep the reports secret).
[Update: Missing quote added. Grr.]
Interesting.. “If the determination is that misuse of the information has occurred or is reasonably likely to occur, or if a determination cannot be made, the person shall notify the affected individuals as soon as possible as required under this subdivision.”