Finally—All 50 States now have Data Breach Notification Laws
Alabama and South Dakota joined the other 48 states by enacting data breach legislation that requires entities (private or public) to notify individuals of security breaches of information involving personally identifiable information.
On March 21, 2018, South Dakota Governor Dennis Daugaard signed SB 62 into law. While SB 62 mirrors the data breach notification laws of several states, the following provisions are worth highlighting:
Definition of Personal Information and Protected Information: SB 62 defines “Personal Information” as an individual’s first name or first initial and last name, in connection with any one or more of the following data elements: (1) social security number; (2) account, credit card, or debit card number, in combination with any required password, security code, routing number, access code, PIN, or any additional information that would permit access to an individual’s financial account; (3) unique identification number created or collected by a governmental body (i.e., driver licenses number); (4) Health information as defined in 45 C.F.R. 160.103; (5) An identification number assigned to an individual by the individual’s employer in connection with any mandatory security code, password, access code, or biometric data generated from analysis or measurements of human body characteristics for authentication purposes. “Protected information” includes: (1) an email address or username combined with a password, answer to a security question, or other information that allows access to an online account; and (2) debit or credit card number or account number combined with any mandatory password, access code, or security code that allows access to an individual’s financial account.
Definition of Breach and Information Holder: SB 62 defines “Breach of system security” as the “unauthorized acquisition,” not unauthorized access to “unencrypted computerized data or encrypted data where the decryption key is also acquired by an unauthorized person.” This definition of breach seems narrower than some other statutes that treat unauthorized access as constituting a breach event. An “information holder” is any person or business that conducts business within South Dakota and owns or licenses computerized personal or protected information of South Dakota residents.
Breach Notification Requirements: Notice must be provided to South Dakota residents within 60 days from the discovery or notification of the breach of system security, unless a longer period of time is required due to legitimate needs of law enforcement. Additionally, information holders must also notify “all consumer reporting agencies . . . and any other credit bureau or agency that compiled and maintains files on consumers on a nationwide basis” without unreasonable delay of the timing, distribution, and content of notice provided to South Dakota residents. However, notice may not be required if the information holder, following an appropriate investigation and notice to the South Dakota Attorney General, “reasonably determines that the breach will not likely result in harm to the affected person”; such determination must be documented in writing and maintained for at least three (3) years. If a breach of system security exceeds two hundred fifty (250) South Dakota residents, the information holder must notify the South Dakota Attorney General by mail or electronic mail.
Penalties for Non-Compliance: SB 62 does not create a private right of action. The South Dakota Attorney General may bring suit as “deceptive act or practice” and assess a civil penalty of not more than ten thousand ($10,000) dollars a day per violation.
Effective Date: July 1, 2018.
On March 28, 2018, Alabama Governor Kay Ivey signed the Alabama Data Breach Notification Act of 2018 (the “Act”) into law. While the Act mirrors the data breach notification laws of several states, the following provisions are worth highlighting
Definition of Sensitive Personally Identifying Information: The Act defines Sensitive Personally Identifying Information (“SPII”) includes an Alabama resident’s first name or first initial and last name, in connection with any one or more of the following data elements: (1) non-truncated tax identification number or social security number; (2) financial account number, including a bank account number or credit or debit account number in connection with any PIN, access code, password, security code, expiration date that is required to access the financial account or to conduct a transaction that will credit or debit the financial account; (3) non-truncated unique identification number created or collected by a governmental body (i.e., driver licenses number, passport, or military identification number); (4) any health information, including but not limited to, an individual’s medical history, physical or mental condition, or medical treatment or diagnosis; (5) An individual’s health insurance policy number or any other unique identifier use by a health insurer to identify an individual; or (6) a email address or username in connection with a security question and answer or password that would permit access to an online account associated with the covered entity that is use to obtain or is reasonably likely to contain SPII.
Definition of Breach and Covered Entity: The Act defines “Breach of Security” or “Breach” as the unauthorized acquisition of data in electronic form containing SPII.” Like the South Dakota law, this definition of breach does not extend to unauthorized access to SPII. A “Covered Entity” means a person, partnership, sole proprietorship, corporation, nonprofit, trust, estate, government entity, cooperative association, or other business entity that acquires or uses SPII.
Security Measures Requirement: Although Alabama was the last of the fifty (50) states to pass a data breach notification law, the Act is the first to impose mandatory data security measures. The Act requires each covered entity and third-party agent to “implement and maintain reasonable security measures” to protect SPII. To determine whether security measures are reasonable, covered entities must consider the following: (1) designation of an employee or employees to coordinate the covered entity’s security measures (i.e., a security officer); (2) conduct a risk assessment, considering and identifying the internal and external risks of a breach; (3) implementation of appropriate information safeguards; (4) use of third-party service providers to maintain appropriate safeguards; (5) monitor and audit security measures, adjusting and accounting for changes in circumstances affecting the security of SPII; and (6) involvement of the covered entity’s board of directors by appropriately informing them of the overall status of the covered entity’s security measures.
Investigation Requirement: The Act also requires a covered entity to conduct an investigation that considers the following: (1) the nature and scope of the breach; (2) the type of SPII involved and the identify of any individuals to whom the SPII relates; (3) whether the SPII has been acquired or is reasonably believed to have been acquired by an unauthorized person, and is reasonably likely to cause substantial harm to the individuals to whom the SPII relates; and (4) what measures were implemented to restore security and confidentiality of the covered entity’s systems that were compromised in the breach. This Investigation Requirement is similar to the four-part risk assessment required under HIPAA. If a covered entity determines a breach did not occur and notice is not required, the entity must document its determination in writing and maintain the determination for no less than five years.
Breach Notification Requirements: Notice must be provided to Alabama residents “as expeditiously as possible and without unreasonable delay” and within 45 days from the determination that a breach has occurred that is reasonably likely to cause substantial harm to the individuals to whom the SPII relates, unless a longer period of time is required due to legitimate needs of law enforcement. Unlike the South Dakota law, the Act’s 45 days does not start until a covered entity has determined that a breach has occurred rather than from the date a breach is discovered. If a covered entity is required to notify 1,000 or more Alabama residents, the covered entity must also provide written notice of the breach to the Alabama Attorney General “as expeditiously as possible and without unreasonable delay.” The Act provides some protection to information disclosed to the attorney general by stating that “information marked as confidential that is obtained by the attorney general . . . is not subject to any open records, freedom of information, or other public record disclosure law.” If a covered entity determines that more than 1,000 Alabama residents were affected at a single time, the entity must also notify all consumer reporting agencies as defined in the Fair Credit Reporting Act without unreasonable delay of the timing, distribution, and content of notices provided to Alabama residents. The notice to the consumer reporting agencies seems narrower than the notice to the attorney general due to the limiting language of “at a single time.”
Third-Party Breach Notification Requirements: The Act is also the first of its kind to impose specific breach notification requirements on third-parties. The Act defines a “third-party agent” as “an entity that has been contracted to maintain, store, process, or is otherwise permitted to access [SPII] in connection with providing services to a covered entity” (e.g. business associates). The Act requires a third-party agent to notify the covered entity “as expeditiously as possible and without unreasonable delay,” but no later than 10 days after the determination of the breach of security or reason to believe the breach occurred.
Destruction of SPII Requirement: The Act requires covered entities and third-party agents to take reasonable measures to dispose, or arrange for disposal, of SPII within its control or custody when the records are no longer required to be retained by business needs, law, or regulations. Methods of disposal include shredding, erasing, or otherwise modifying the SPII, rendering it unreadable or undecipherable through any reasonable means consistent with industry standards.
Exemptions: A covered entity that is subject to or regulated by state or federal laws, rules, regulations, procedures, or guidance on data breach notification established or enforced by the state or federal government is exempt from the Act so long as the entity provides notice to the Alabama Attorney General when the number of Alabama residents exceeds 1,000. The state exemption only applies to states with notice requirements that are as, or more, protective than those imposed by the Act.
Effective Date: June 1, 2018.