This week, on March 21, 2018, South Dakota’s Governor signed into law the nation’s 49th Breach Notification Law.
Alabama remains the sole U.S. state without a breach notification law, but not for long. Yesterday, Alabama’s pending breach notification bill unanimously passed the House of Representatives and is headed to the Governor’s desk awaiting final passage.
Here are some of the highlights of the two pieces of legislation.
South Dakota: Breach Notification Law
- Applies to:
  - “Information Holder”: includes “any person or business that conducts business in the state” and owns or retains “personal or protected information” of South Dakota residents.
- Personal AND Protected Information:
  - This South Dakota bill distinguishes and covers both personal information and protected information.
  - “Personal information” includes a person’s first name or first initial and last name combined with one or more of the following data elements (SSN, driver’s license number, account number with access code, etc.), but also includes health information (as defined in HIPAA) and employee identification numbers in combination with an access code or biometric data.
  - “Protected information” includes: (1) “a user name or email address, in combination with a password, security question answer, or other information that permits access to an online account” and (2) a financial account number, in combination with a “required security code, access code or password that permits access to a person’s financial account.”
  - Of note, the definition of “protected information” does not include a person’s name.
- Breach Definition:
  - “Breach of system security” is limited to “unauthorized acquisition” (as opposed to unauthorized access) of unencrypted computerized data, or of encrypted data where the decryption key is also acquired by an unauthorized person.
- Breach Notification Requirements:
  - Trigger: Following “discovery by or notification to” an entity of a “breach of system security”, the entity must notify “any resident whose personal OR protected information was, or is reasonably believed to have been, acquired by an unauthorized person”.
  - Timeline: Notification to affected individuals is required within 60 days of discovery of the breach.
  - Harm Threshold:
    - Notification is NOT required if the entity can reasonably determine that the breach will not likely result in harm to the “affected person”.
    - However, this harm exception is available only after an “appropriate investigation and notice to the attorney general”.
    - The entity must keep written documentation of any no-harm breach for no less than three years.
  - Unauthorized person/access:
    - South Dakota has included a very broad definition of “unauthorized person,” a term that is defined in only a few state data breach notification laws.
    - The bill also defines “unauthorized person” to include a person with access to “personal information who has acquired or disclosed the personal information outside the guidelines for access or disclosure…” This definition is unique amongst data breach notification laws and addresses otherwise authorized persons who exceed the scope of their authorization.
- Other Notification Requirements:
  - Attorney General: If more than 250 individuals are affected, the entity must notify the South Dakota Attorney General.
  - Consumer Reporting Agencies: If notification to affected individuals is required, the bill requires notification to “all consumer reporting agencies” as to “the timing, distribution, and content of the notice.” This provision is a bit unusual, as it does not include a numerical threshold of affected persons as a trigger for consumer reporting agency notification (compare the AG trigger above).
- The Attorney General is authorized to enforce the breach notification law and may impose a fine of up to $10,000 per day per violation.
  - A violation of this breach notification law is also considered a deceptive act under the state’s consumer protection laws, allowing the possibility of both criminal liability and a possible private right of action.
  - While SB 62 does not expressly create a private right of action, the South Dakota Attorney General noted that the law has the same effect through express incorporation of South Dakota’s Deceptive Trade Practices Act.
  - This private right of action issue will likely be litigated after the law takes effect this summer.
- If an entity is already compliant with HIPAA or GLBA, or is regulated by another federal law that maintains procedures for a breach of system security, then that entity is deemed to be in compliance with this state law IF it notified affected South Dakota residents in accordance with the provisions of that applicable federal law or regulation.
- If an entity maintains its own notification procedures as part of an information security policy, then the entity is in compliance with the notification requirements if it notifies each affected person in accordance with its internal policies regarding a breach of system security.
This law will take effect on July 1, 2018.
Alabama: Proposed Bill
Alabama’s proposed bill would require notification within 45 days of the determination of a breach, and it follows suit with similar breach-law definitions of “Breach of Security” and “Personally Identifiable Information (PII)” and similar exceptions.
Alabama Attorney General Steve Marshall has been vocally supportive of the bill through this legislative process, thanking the Alabama Senate for “taking us one step closer to giving Alabama consumers the same protections as the citizens of 48 other states who already receive notifications when their sensitive personal information has been hacked”.
Well… now it’s 49 states to follow for data breach notification requirements, and Alabama will complete the patchwork of state breach notification laws in the coming weeks.
For questions about these updates, or to obtain an up-to-date state breach notification chart, you can contact our privacy and security professionals at firstname.lastname@example.org.