Every state in the Union now has some type of law in place requiring companies to notify affected individuals of a data breach involving their information. South Dakota and Alabama, the final holdouts, enacted such measures in March.
Alabama Data Breach Notification Act
Under the Alabama Data Breach Notification Act (SB 318), signed March 28 by Gov. Kay Ivey (R), any business or government entity must notify state residents whose “sensitive personally identifying information” is accessed because of a breach involving unauthorized access to electronic data. The law also requires all of these covered entities to implement “reasonable security measures” to prevent such breaches.
“Alabama consumers finally join the rest of America in having the right to know if their personal information is stolen or compromised in a data breach,” Alabama Attorney General Steve Marshall said in a statement.
Defining sensitive information. Sensitive personally identifying information is defined to include an individual’s name combined with one of the following:
- A full Social Security or tax identification number.
- A full driver’s license, passport, or other unique identifying number issued on a government document.
- A financial account number combined with a password or other code necessary to access, credit, or debit the account.
- Information on an individual’s medical condition or treatment.
- A health insurance policy number, subscriber identification number, or other unique identifier used by a health insurer.
- A username or e-mail address, combined with a password or security question and answer, permitting access to an online account with the covered entity that is reasonably likely to contain, or used to obtain, sensitive personally identifying information.
Sensitive personally identifying information does not include information that the government lawfully makes public or that has been truncated, encrypted, or otherwise rendered unidentifiable or unusable.
Notice requirements. Notice must be provided under the law if the entity determines the breach is “reasonably likely to cause substantial harm to the individuals to whom the information relates.” The law specifies the criteria to be considered in making this decision.
Notice must be provided “as expeditiously as possible and without reasonable delay,” and within 45 days at most, unless a law enforcement agency requests a delay in writing. Third-party agents must notify the covered entity within 10 days. Breaches that require notice to more than 1,000 individuals must also be reported to the state attorney general and consumer reporting agencies.
Data security requirements. All covered entities and their third-party agents that handle sensitive personal information must “implement and maintain reasonable security measures” to protect the data against breaches. Entities need only implement what is “practicable,” but must consider specific measures, including designating a security official, identifying risks, adopting appropriate safeguards, and imposing contractual requirements on service providers.
Security assessments must be based on an entity’s security measures as a whole and emphasize multiple or systemic data security failures. Entities must consider their size, the amount and purpose of sensitive information they hold, and the cost of security measures relative to their resources.
The law also requires reasonable disposal practices such as shredding, erasing, or otherwise modifying personal information to make it unreadable or indecipherable.
Enforcement. Violations of the law are enforceable by the attorney general under the Alabama Deceptive Trade Practices Act, and subject to civil penalties of up to $500,000 per breach for knowing violations, in addition to damages. The law does not create a private right of action.
Entities subject to a federal breach notification requirement, or a state requirement at least as thorough, are exempt from the law as long as they maintain procedures and provide notice in compliance with that other requirement. Large breaches still must be reported to the attorney general.
South Dakota Law
South Dakota Gov. Dennis Daugaard (R) signed a breach notification bill March 21.
Under the new law (SB 62), on discovering a “breach of system security,” a business must disclose the breach to any resident of South Dakota whose computerized personal or protected information was acquired by an unauthorized person. Furthermore, if the breach affects more than 250 South Dakota residents, the state attorney general must also be informed. These notices must be provided within 60 days after the breach is discovered, unless a law enforcement agency determines that the notification will impede a criminal investigation.
“Thank you to our legislators and Governor Dennis Daugaard for passing this very important piece of legislation protecting South Dakota consumers and businesses,” Attorney General Marty Jackley said in a statement. “We will continue to see an increase in cybercrime and we need the tools to combat these breaches and thefts of our personal information.”
South Dakota’s law, like Alabama’s, applies to a broad range of personal and protected information—including “health information” as defined under the Health Insurance Portability and Accountability Act (HIPAA). The definition of personal information also includes an identification number assigned by an employer in combination with any required security code, access code, password, or biometric data.
Notification of an individual is not required if, following an appropriate investigation and notice to the attorney general, the information holder reasonably determines that the breach will not likely result in harm to the affected person.
A failure to comply with the notice requirement would be considered a “deceptive act” under South Dakota’s unfair trade practices law, which can trigger criminal as well as civil enforcement. An information holder subject to HIPAA or the Gramm-Leach-Bliley Act that maintains breach response procedures as prescribed by the appropriate federal regulator is deemed to be in compliance with the state law, if state residents are notified in accordance with the federal law.
David A. Slaughter, JD, is a Senior Legal Editor for BLR’s Thompson HR products, focusing on benefits compliance. Before coming to BLR, he served as editor of Thompson Information Services’ (TIS) HIPAA guides, along with other writing and editing duties related to TIS’ HR/benefits offerings. Mr. Slaughter received his law degree from the University of Virginia and his B.A. from Dartmouth College. He is an associate member of the Virginia State Bar.
Questions? Comments? Contact David at firstname.lastname@example.org for more information on this topic.