May 25, 2020

May 22, 2020


And Then There Was One: South Dakota Passes Breach Notice Law, Alabama May Not Be Far Behind

South Dakota recently became the 49th US state to enact data breach notification legislation. The new law takes effect July 1, 2018 and mirrors other states’ breach notice laws. Information that, if breached, gives rise to a duty to notify is defined to include Social Security and government-issued identification numbers, account and payment card numbers (in combination with security or access codes or PIN numbers), health information, and employer-issued identification numbers (in combination with security or access codes, biometric data, or passwords). Protected information includes user names or email addresses (in combination with passwords or security question answers), and account or payment card numbers (in combination with security or access codes or PIN numbers).

A “breach” in South Dakota is the unauthorized acquisition of unencrypted computerized data (or encrypted data where the key is compromised). The law provides a definition of encryption (using a process that comports with FIPS 140-2). The law gives companies a 60-day window to notify impacted individuals, but does not have content requirements for notice. Notice to SD authorities is required if more than 250 residents are impacted. Substitute notice in SD is permitted in certain circumstances, and consists of notice by email (if the company has the email addresses for impacted people), website posting and notice to statewide media.

Alabama is the lone US state without a breach notice law, at least for now. The Alabama State Senate delivered SB 318 to Governor Ivey on March 27 for her signature. Alabama may thus become the final state to pass a data breach notification law in the coming days.

Putting it Into Practice: The passing of this law is a reminder that breach notification remains at the forefront of regulators’ minds. Companies with nationwide breach notice plans in place should update their plans to add South Dakota to the list, in particular the need to notify state authorities if over 250 residents have been impacted by a breach as defined by this new law.

Copyright © 2020, Sheppard Mullin Richter & Hampton LLP.


About this Author

Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney
Partner

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...

312-499-6335
Amber Thomson, Sheppard Mullin Law Firm, Litigation Attorney
Associate

Amber C. Thomson is an associate in the Business Trial Practice Group in the firm's Washington, D.C. office.

202-747-2658