And Then There Was One: South Dakota Passes Breach Notice Law, Alabama May Not Be Far Behind
South Dakota recently became the 49th US state to enact data breach notification legislation. The new law takes effect July 1, 2018 and mirrors other states’ breach notice laws. Information that, if breached, gives rise to a duty to notify is defined to include Social Security and government-issued identification numbers, account and payment card numbers (in combination with security or access codes or PIN numbers), health information, and employer-issued identification numbers (in combination with security or access codes, biometric data, or passwords). Protected information also includes user names or email addresses (in combination with passwords or security question answers), and account or payment card numbers (in combination with security or access codes or PIN numbers).
A “breach” in South Dakota is the unauthorized acquisition of unencrypted computerized data (or encrypted data where the key is compromised). The law provides a definition of encryption (using a process that comports with FIPS 140-2). The law gives companies a 60-day window to notify impacted individuals, but does not impose content requirements for the notice. Notice to SD authorities is required if more than 250 residents are impacted. Substitute notice in SD is permitted in certain circumstances and consists of notice by email (if the company has the email addresses of impacted people), website posting, and notice to statewide media. Alabama is the lone US state without a breach notice law, at least for now. The Alabama State Senate delivered SB 318 to Governor Ivey on March 27 for her signature. Alabama may thus become the final state to pass a data breach notification law in the coming days.
Putting it Into Practice: The passing of this law is a reminder that breach notification remains at the forefront of regulators’ minds. Companies with nationwide breach notice plans in place should update their plans to add South Dakota to the list, in particular the need to notify state authorities if more than 250 residents have been impacted by a breach as defined by this new law.