On July 1, 2018, all fifty states will have active data breach statutes that govern the notification process for companies that experience a data loss incident. Alabama and South Dakota both recently passed data breach laws, representing the last two states to enact data breach legislation. As with other data breach statutes, Alabama and South Dakota have imposed slightly different requirements on businesses that experience a breach event, contributing to the increasingly rich tapestry of state laws governing data breaches.
Alabama’s Data Breach Notification Act of 2018 went into effect on May 1, 2018. The law applies to any entity that stores personally identifiable information, either on behalf of itself or as a third-party data storage provider. The act incorporates a broad definition of sensitive data, including an email address stored in combination with a password. The law also requires notification in the event that encrypted data is lost together with the related encryption key. However, notification will not be required where prompt investigation reveals that the breach is not reasonably likely to cause substantial harm to the individuals to whom the information relates. A breached entity must notify the Alabama Attorney General if the breach affects more than 1,000 Alabama residents. The law requires notification to take place within 45 days of a determination that a breach is reasonably likely to cause substantial harm to affected individuals.
South Dakota’s act will go into effect on July 1, 2018. The act distinguishes “personal information” (a person’s name in combination with factors such as a Social Security number or health data) from “protected information” (such as an email address in combination with its password). A breach of “protected information” does not need to include the person’s name in combination with the other lost data. The law will require a breached entity to provide notice to South Dakota’s Attorney General if the breach affects more than 250 South Dakota residents. Similar to many data breach laws, the law does not require notification if, following a reasonable investigation and notice to the South Dakota Attorney General, the entity determines that the breach will not likely result in harm to the affected persons. Finally, the law requires notification to take place within 60 days of the discovery of the breach.
Any company handling personally identifiable information should review these laws in their entirety and understand their implications before a data loss incident occurs. The full text of Alabama’s Data Breach Notification Act of 2018 is available here, and South Dakota’s act is available here.