On March 21 and April 3, 2018, the governors of South Dakota and Alabama inked data breach notification laws, outlining how entities must notify victims in their states. These laws make them the 49th and 50th states, respectively, to enact such legislation.
South Dakota SB 62
The South Dakota law, Senate Bill (SB) 62, which takes effect on July 1, requires any entity that experiences a data breach to notify affected residents within 60 days of discovering the breach. This is the same deadline the HIPAA Breach Notification Rule sets for notifying individuals. South Dakota’s law defines “personal information” as a person’s full name, or first initial and last name, in combination with one of the following:
- Social Security number;
- Driver’s license number or other government “created or collected” identification number;
- A credit or debit card number together with a security code that permits access to the account, such as a Personal Identification Number (PIN) or the Card Verification Code (CVC) printed on the back of the card;
- A username or e-mail address in combination with a password or security question answer that would permit access to an online account;
- An employment identification number and any associated code, password, or biometric data used for authentication; or
- Health/medical information as defined in 45 CFR 160.103.
If a breach affects more than 250 state residents, the organization must also notify the Attorney General’s office, again within 60 days of discovery. Missing the 60-day deadline exposes the organization to a civil penalty of up to $10,000 per day for each violation, plus the state’s attorney’s fees.
The South Dakota legislation includes a risk-of-harm exception: an organization that has “reasonably determine[d] that the breach will not likely result in harm to the affected person” is not required to notify affected individuals. HIPAA Journal notes that this contrasts with the stricter notification requirements in many other states’ laws.
Alabama SB 318
Alabama’s SB 318 was signed into law on April 3, 2018, and takes effect on May 1. It mirrors South Dakota’s law in how it defines “personal information,” including the exemptions for information that has been lawfully made public by federal, state, or local government and for information that is encrypted, redacted, or otherwise unusable.
There are three significant differences between the two laws. First, Alabama requires breached organizations to notify affected Alabama residents within 45 days rather than 60. Failure to do so can result in civil penalties of up to $5,000 per day, and the Attorney General may bring suit on behalf of affected residents.
Second, although Alabama’s law has a risk-of-harm exemption similar to South Dakota’s, the threshold for notifying the Attorney General’s office of a breach is 1,000 affected residents rather than 250. Third, when a breach crosses that threshold, Alabama also requires the organization to notify the credit reporting agencies.
Data Breach Regulation at the Federal Level
The passage of South Dakota’s and Alabama’s legislation comes at an interesting time. In February 2018, a draft House bill titled the Data Acquisition and Technology Accountability and Security Act began circulating on Capitol Hill. If enacted, the bill could preempt all 50 state laws. It would apply to “any person, partnership, corporation, trust, estate, cooperative, association, or other entity that accesses, maintains, or stores personal, or handles personal information.”
In March, Illinois Attorney General Lisa Madigan sent a letter to the House Financial Services Committee on behalf of a bipartisan group of 32 state Attorneys General. The Attorneys General argue that the proposed federal legislation would preempt state data breach and data security laws, undermining the ability of state Attorneys General to protect their residents. They also state that the proposed law would result in “less transparency to consumers” and would allow organizations to delay notification of a breach until after the harm has already occurred.
While the Attorneys General present valid arguments, we’ll have to wait and see whether the federal government takes their concerns into consideration. A single federal regulation governing data breach response would lighten the burden on organizations, which would have one reporting standard to apply rather than 50.