South Dakota and Alabama have just become the 49th and 50th states to enact data security breach notification statutes, joining the other 48 U.S. states and four U.S districts/territories that already have similar laws in effect.Here is what you need to know:
Signed on March 21, 2018 by Governor Dennis Daugaard (before Alabama's statute) and will take effect July 1, 2018 (after Alabama's statute).
The statute applies to “information holders” which is a term that seems to cover the concepts of data controller and data processor in other regulatory regimes. (This is just one more reason why data controllers and data custodians will want to carefully allocate responsibility for compliance in their contracts.)
Notice is required to South Dakota residents within 60 days after “personal or protected information was, or is reasonably believed to have been, acquired by an unauthorized person.”
There are two categories of protected data (unlike most state statutes): “Personal Information" and "Protected Information,” and they include biometric data, in addition to other elements that are common among such state laws.
Personal and protected information includes health information (which is a recent trend in state laws that many think unnecessarily duplicative of HIPAA's breach notice provisions).
Access credentials (e.g., a username and password) for an online account are covered, reflecting a recent trend in state laws.
Notice to the Attorney General of South Dakota is required if more than 250 residents are affected.
Notification to consumers is not necessary if the breached organization conducts an investigation and determines that consumers are not likely to be harmed (but notice to the AG is still required). That determination should be supported by a written analysis, which is to be retained. The AG may disagree with the conclusion and require notice to consumers. (This consultation approach is a relatively recent trend in state data breach statutes.)
The AG can impose fines of up to $10,000 per day per violation.
Violations of the breach notice requirement may also be criminal deceptive acts or practices under South Dakota’s Deceptive Trade Practices Act (37-24-6). (Note: I am not aware of any other state data security breach notification law that criminalizes a failure to comply. If you are, please tell me.)
There is no express right of civil action in the new statute, but because violations are also deemed violations of the Deceptive Trade Practices Act, civil suits seem foreseeable.
Signed on March 28, 2018 by Governor Kay Ivey (after South Dakota's) will take effect June 1, 2018 (before South Dakota's).
Notice is required to Alabama residents within 45 days after discovery.
“Sensitive personally identifying information” includes elements that are common among other state breach notification laws.
Access credentials (e.g., a username and password) for an online account, are also covered, reflecting a recent trend in state laws.
Notice to the Attorney General of Alabama is required if more than 1,000 residents are affected.
Those who knowingly violate the notification law are subject to penalties of up to $500,000 under the Alabama Deceptive Trade Practices Act, plus additional amounts up to $5,000 per day for continuing failure to comply.
There is no express right of civil action in the new statute, but the Alabama Attorney General may bring a “representative action” for named individual victims to recover actual damages plus attorney’s fees and costs.
At long last, every state has some sort of data breach notification law. They vary, of course, in the details. [Georgia's statute, for example applies only to governmental "information collectors" and "data brokers" that collect and share data for compensation, severely limiting the reach of the statute.] Some of them have idiosyncrasies that preclude a once-size-fits-all breach notice. [Compare California's statute with Massachusetts' statute, for example.] For a handy reference of all states' and territories' data security breach laws, see the website of the National Conference of State Legislatures, here.
It should also be noted that the U.S. Congress seems to consider a federal breach notification statute in almost every session, and almost every proposal would preempt all state breach notification statutes. None, however, have yet been enacted (for reasons you may have heard me describe on social media or in presentations).
As a result of these two new statutes, organizations may want to update cyber incident response plans to reflect the new notice requirements and categories of data covered.