South Dakota and Alabama recently became the forty-ninth and fiftieth states, respectively, to enact data breach notification legislation, completing the nationwide patchwork quilt of state data breach laws.
South Dakota’s governor signed its data breach law on March 21, 2018. The new law will take effect on July 1, 2018. A “breach” in South Dakota includes the “unauthorized acquisition” of unencrypted data or encrypted data where the encryption key is also compromised. The new law requires “information holders”—that is, “any person or business that conducts business in the state” and owns or licenses “personal or protected information” of state residents—to notify South Dakota residents of a breach involving their “personal or protected information.”
“Personal information” includes a person’s first name or first initial and last name coupled with further data like a social security number, driver’s license number, credit or debit card number, or health information. “Protected information,” on the other hand, includes, for example, a user name or email address and the password or security question answer, as well as a financial account number coupled with a security code, access code, or password.
In the event of a breach in South Dakota, a company must notify affected individuals within 60 days after the breach is discovered. Companies must also report breaches to South Dakota authorities if more than 250 residents are impacted.
Alabama enacted its data breach notification law shortly after South Dakota, on March 28, 2018, becoming the fiftieth and final state to do so. The law goes into effect on May 1, 2018. Under Alabama’s law, a “breach” includes the unauthorized acquisition of data containing “sensitive personally identifying information.” Any person or business entity, including government entities, that electronically stores such information must comply with the law.
Similar to South Dakota’s definition, “sensitive personally identifying information” under the Alabama law includes first name or first initial and last name combined with other sensitive data like social security number, tax ID number, financial account number, or physical or mental health history. It does not, however, include encrypted data.
If a breach occurs in Alabama, the entity at issue has 45 days after the breach is discovered to notify affected state residents. The entity must also notify the state attorney general and consumer credit reporting agencies if more than 1,000 individuals are affected.