At the start of 2018, only two states lacked data breach notification legislation – South Dakota and Alabama. Then in March, both states passed breach notification laws within one week of each other. Both will go into effect this summer.
These two new laws come during a year that has already seen a significant increase in cyber security and data privacy regulation. In February, the SEC issued an update to its cyber security guidance that pushes companies to be more transparent about cyber risk and incidents and to guard against insider trading following a breach. That same month, a new regulation from the New York Department of Financial Services (NYDFS) went into effect, placing strict cyber security requirements (including some around breach notification) on financial institutions in the state. And a new batch of landmark European legislation (namely the GDPR and ePR) will fundamentally change privacy practices for many US companies later this year.
As breaches impact millions of individuals across the country each year, companies need to be held accountable for protecting their data and providing accurate disclosures of incidents that may impact their customers and employees. In this post, we’ll look at the specifics of the two new data breach notification laws from Alabama and South Dakota, but if you want to see how they align with others from across the country, download our guide to every state data breach notification law in the U.S.
South Dakota: Senate Bill 62
South Dakota’s Senate Bill 62 (2018 S.B. 62) was signed into law on March 21, 2018, making it the 49th state to implement a data breach notification law. This legislation will go into effect on July 1, 2018 and will apply to any individual or business that handles South Dakota residents’ personal data or protected information.
Definition of a Data Breach
Senate Bill 62 defines a data breach as “the unauthorized acquisition of unencrypted computerized data or encrypted computerized data and the encryption key by any person that materially compromises the security, confidentiality, or integrity of personal or protected information maintained by the information holder.” Like many state data breach notification laws, the law only applies to electronic personal data, and encrypted data is exempt, unless the encryption key is also compromised.
Definitions of Personal and Protected Information
Following a rising trend in many states, South Dakota’s new law has an expansive definition of personal information. In South Dakota, personal information includes the following, when combined with a first name or initial and a last name:
- Social Security number
- Driver’s license number
- Account number, credit, or debit card number, in combination with any required security code, access code, or password that give access to an individual’s financial account
- Health information as defined by HIPAA
- An identification number assigned by an employer in combination with any required security code/password or biometric data for authentication purposes
The law also includes protected information. Protected information in South Dakota does not need to be combined with a person’s first name/last initial to be covered by the law. Examples of protected information are:
- A username or email address in combination with a password, security question answer, or other information that permits access to an online account
- An account number or credit or debit card number, in combination with any required security code, access code, or password that permits access to a person’s financial account
Notification Requirements
Notification must be provided to those individuals whose data has been compromised within 60 days of the discovery of the breach. The Attorney General must be notified of all breaches affecting 250 or more South Dakota residents. However, if the Attorney General determines that the breach will not harm the impacted individuals, notice does not have to be given. If notice must be given to those affected, it must also be given to credit bureaus and agencies.
Penalties
The state of South Dakota considers the failure to disclose a breach to be a deceptive act. This can result in a fine of $10,000 a day per violation.
Alabama Data Breach Notification Act of 2018
On March 28, 2018, Alabama signed the Alabama Data Breach Notification Act of 2018 into law. Alabama is the last state to implement a data breach notification law, and it will go into effect on May 1, 2018.
Definition of a Data Breach
Under the Act, a breach is “the unauthorized acquisition of data in electronic form containing sensitive personally identifying information.” Again, the law only applies to the compromise of electronic personal data.
Definition of Sensitive Personally Identifying Information
Alabama also has a wide definition of covered information, using the term “sensitive personally identifying information (PII).” When combined with a resident’s first name/initial and last name, the following information is considered sensitive PII under the Act:
- A non-truncated Social Security or tax-identification number
- A non-truncated driver's license, passport, or other government identification number
- A financial account number, including a bank account number, credit card number, or debit card number, in combination with any security code, access code, password, expiration date, or PIN, that is necessary to access the financial account or to conduct a transaction
- Any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional
- Health insurance policy numbers or a subscriber ID number and any unique identifier used by a health insurer to identify the individual
- A user name or email address, with a password or security question and answer that would permit access to an online account that is reasonably likely to contain or is used to obtain sensitive PII
Notification Requirements
An organization must notify impacted residents of a breach within 45 days of determining a breach has occurred. Third-parties that handle sensitive PII are required to provide notice to the owner of the data within 10 days of discovering a breach. If the number of affected individuals exceeds 1,000 Alabama residents, the organization must notify the Attorney General and consumer reporting agencies without delay. Notice can be delayed if a law enforcement agency determines it necessary.
Penalties
Violations of the Alabama Data Breach Notification Act of 2018 are to be treated as an unfair or deceptive trade practice, and covered entities can be held liable for up to $500,000 per breach.
Next Steps
Organizations that handle the personal data of South Dakota and/or Alabama residents should review their current incident response plans and make the necessary updates to policies and procedures to ensure they align with these new laws.
Focal Point’s Data Privacy team has put together a state-by-state roadmap to each state’s data breach notifications law, which is available to download for free here.
Disclaimer: Focal Point Data Risk, LLC is not a law firm and does not provide legal advice. This content is intended for informational purposes only.
Want more helpful guides to data privacy regulations like this one?
Subscribe to Focal Point's Privacy Pulse below - a once-a-month newsletter with guides, webinars, interesting white papers, and news all focused on data privacy. You can unsubscribe at any time.