Patchwork Complete: South Dakota & Alabama Are Final Two States to Adopt Data Breach Notification Laws

In the past month, the patchwork of state data breach notification laws was finally completed when South Dakota and Alabama adopted their own respective breach notification laws. On March 21, South Dakota Governor Dennis Daugaard signed the state’s data breach notification legislation (S.B. 62) into law. Then, on March 28, 2018, Alabama Governor Kay Ivey signed the state’s data breach notification legislation (S.B. 318) into law. Now, all 50 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have enacted a data breach notification law.[1]

State data breach notification laws generally mirror each other from state to state. However, each state has its differences. Below is a breakdown of a few noteworthy provisions and variations in South Dakota’s and Alabama’s respective data breach notification laws.

| Provision | South Dakota | Alabama |
| --- | --- | --- |
| Noteworthy Definitions | “Encryption”: The statute defines “encryption” to include conformance with the Federal Information Processing Standards (“FIPS”) 140-2. | “Covered Entity”: The statute defines “covered entity” broadly to include “a person, sole proprietorship, partnership, government entity, corporation, nonprofit, trust, estate, cooperative association, or other business entity that acquires or uses sensitive personally identifying information.” |
| Personal Information Defined | The statute individually defines “personal information” and “protected information” in order to capture all relevant consumer data. | The statute defines only “sensitive personally identifying information” in order to capture all relevant consumer data. |
| Disclosure – Notification Timeline | Notification must be made to affected individuals no later than 60 days from discovery or notification of the breach. | Notification must be made as “expeditiously as possible and without unreasonable delay,” but no later than 45 days after notification of the breach. The statute also describes what must be included in the written notice to affected individuals. |
| Disclosure – Notice to the Attorney General | The Attorney General must be notified in writing or via e-mail of a breach exceeding 250 South Dakotans. | The Attorney General must be notified in writing of a breach exceeding 1,000 individuals. The statute also describes what must be included in the written notice. |
| Disclosure – Consumer Reporting Agencies | Notification must be made “without unreasonable delay” to all consumer reporting agencies under 15 U.S.C. § 1681a in the event of a breach. This statute is unique, because it does not explicitly state a threshold for triggering reporting to consumer reporting agencies. | Notification must be made “without unreasonable delay” to all consumer reporting agencies under 15 U.S.C. § 1681a in the event of a breach of more than 1,000 individuals at a single time. |
| Enforcement | Attorney General Enforcement: The Attorney General may prosecute failure to comply with the statute as a “deceptive act or practice.” This statute is unique, because aside from bringing civil enforcement actions, it appears that the Attorney General can also bring criminal enforcement actions against an entity under the state’s Deceptive Trade Practices Act. Private Right of Action: The statute does not create an express private right of action. | Attorney General Enforcement: The Attorney General may prosecute failure to comply with the statute as a “deceptive act or practice.” The statute permits the Attorney General to bring a civil enforcement action, but excludes any kind of criminal liability in the state’s Deceptive Trade Practices Act for covered entities. Private Right of Action: The statute explicitly does not create a private right of action. |
| Other Noteworthy Provisions | | Third-Party Agent Notification: In the event that a third-party agent experiences a data breach, it shall notify the covered entity “as expeditiously as possible and without unreasonable delay,” but no later than 10 days after determination or reasonable belief that a breach has occurred.[2] |

For more information, contact Matt Diaz or another member of our Data Security and Privacy Group.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.


[1] Security Breach Notification Laws, NCSL (Mar. 29, 2018), http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx.
[2] The above table was based on an analysis of the following sources: S.B. 62, 93rd Leg. Assembly (S.D. 2018), http://sdlegislature.gov/docs/legsession/2018/Bills/SB62S.pdf; S.B. 31 (AL 2018), http://arc-sos.state.al.us/PAC/SOSACPDF.001/A0012674.PDF; Practical Law Intellectual Property & Technology, Westlaw, Data Breach Notification Laws: South Dakota (2018); Practical Law Intellectual Property & Technology, Westlaw, Data Breach Notification Laws: Alabama (2018).
