At the start of 2018, only two states lacked data breach notification legislation – South Dakota and Alabama. Then in March, both states passed breach notification laws within one week of each other. Both take effect later this year.
These two new laws come during a year that has already seen a significant increase in cyber security and data privacy regulation. In February, the SEC issued an update to its cyber security guidance that pushes companies to be more transparent about cyber risk and incidents and to guard against insider trading following a breach. That same month, a new regulation from the New York Department of Financial Services (NYDFS) went into effect, placing strict cyber security requirements (including some around breach notification) on financial institutions in the state. And a new batch of landmark European legislation (namely the GDPR and ePR) will fundamentally change privacy practices for many US companies later this year.
As breaches impact millions of individuals across the country each year, companies need to be held accountable for protecting their data and providing accurate disclosures of incidents that may impact their customers and employees. In this post, we’ll look at the specifics of the two new data breach notification laws from Alabama and South Dakota, but if you want to see how they align with others from across the country, download our guide to every state data breach notification law in the U.S.
South Dakota’s Senate Bill 62 (2018 S.B. 62) was signed into law on March 21, 2018, making it the 49th state to implement a data breach notification law. This legislation will go into effect on July 1, 2018 and will apply to any individual or business that handles South Dakota residents’ personal data or protected information.
Senate Bill 62 defines a data breach as “the unauthorized acquisition of unencrypted computerized data or encrypted computerized data and the encryption key by any person that materially compromises the security, confidentiality, or integrity of personal or protected information maintained by the information holder.” Like many state data breach notification laws, the law only applies to electronic personal data, and encrypted data is exempt, unless the encryption key is also compromised.
Following a rising trend in many states, South Dakota’s new law has an expansive definition of personal information. In South Dakota, personal information includes the following, when combined with a first name or initial and a last name:
The law also covers protected information. Unlike personal information, protected information in South Dakota does not need to be combined with a person’s first name or initial and last name to be covered by the law. Examples of protected information are:
Notification must be provided to those individuals whose data has been compromised within 60 days of the discovery of the breach. The Attorney General must be notified of all breaches affecting 250 or more South Dakota residents. However, if, after an appropriate investigation and notice to the Attorney General, the information holder reasonably determines that the breach will not likely result in harm to the impacted individuals, notice to those individuals does not have to be given. If notice must be given to those affected, it must also be given to the consumer reporting agencies (credit bureaus).
The state of South Dakota considers the failure to disclose a breach to be a deceptive act. This can result in a fine of $10,000 a day per violation.
On March 28, 2018, Alabama’s governor signed the Alabama Data Breach Notification Act of 2018 into law. Alabama is the 50th and final state to implement a data breach notification law, and it will go into effect on May 1, 2018.
Under the Act, a breach is “the unauthorized acquisition of data in electronic form containing sensitive personally identifying information.” Again, the law only applies to the compromise of electronic personal data.
Alabama also has a wide definition of covered information, using the term “sensitive personally identifying information (PII).” When combined with a resident’s first name/initial and last name, the following information is considered sensitive PII under the Act:
An organization must notify impacted residents of a breach within 45 days of determining that a breach has occurred. Third parties that handle sensitive PII on behalf of another entity are required to notify the owner of the data within 10 days of discovering a breach. If the number of affected individuals exceeds 1,000 Alabama residents, the organization must also notify the Attorney General and the consumer reporting agencies without unreasonable delay. Notice can be delayed if a law enforcement agency determines that it is necessary.
Violations of the Alabama Data Breach Notification Act of 2018 are to be treated as an unfair or deceptive trade practice, and covered entities can be held liable for up to $500,000 per breach.
Organizations that handle the personal data of South Dakota and/or Alabama residents should review their current incident response plans and make the necessary updates to policies and procedures to ensure they align with these new laws.
Focal Point’s Data Privacy team has put together a state-by-state roadmap to each state’s data breach notifications law, which is available to download for free here.
Disclaimer: Focal Point Data Risk, LLC is not a law firm and does not provide legal advice. This content is intended for informational purposes only.