[BreachExchange] All 50 States Now Have Laws Regarding Notifications of Data Breaches

Inga Goddijn inga at riskbasedsecurity.com
Mon Apr 16 16:49:51 EDT 2018


https://totalsecuritydailyadvisor.blr.com/emerging-issues-in-security/50-states-now-laws-regarding-notifications-data-breaches/

On March 21 and April 3, 2018, the governors of South Dakota and Alabama
inked data breach notification laws, outlining how entities must notify
victims in their states. These laws make them the 49th and 50th states,
respectively, to enact such legislation.

South Dakota SB62

The South Dakota law, Senate Bill (SB) 62, which takes effect on July 1,
requires any entity that experiences a data breach to notify affected
residents within 60 days of discovery of the event. This is the same amount
of time allowed to report a HIPAA violation
<https://www.hipaajournal.com/south-dakota-enacts-data-breach-notification-law/>.
South Dakota’s law defines “personal information” as either a person’s full
name or first initial and last name in combination with one of the
following:

   - Social Security number;
   - Driver’s license number or other government “created or collected”
   identification number;
   - A credit or debit card number, including a Personal Identification
   Number (PIN) or Card Verification Code (CVC), found on the back of the card;
   - A username or e-mail address and associated authentication methods,
   including a password or security question answer that grants access to an
   online account;
   - An employment identification number and any associated code, password,
   or biometric data used for authentication; *or*
   - Health/medical information as defined in 45 CFR 160.103.

If a given data breach impacts more than 250 state residents, the
organization must also notify the Attorney General’s office within 60 days
of discovery. Any delay in notification beyond the 60 days could be subject
to a $10,000-per-day fine, plus state attorneys’ fees, and possibly a
$10,000 fine for each violation.

The South Dakota legislation includes an exception that exempts
organizations that have “reasonably determine[d] that the breach will not
likely result in harm to the affected person” from notifying affected
individuals. *HIPAA Journal
<https://www.hipaajournal.com/south-dakota-enacts-data-breach-notification-law/>*
notes that this contrasts with similar laws in many other states.

Alabama SB 318

Alabama’s SB 318
<https://healthitsecurity.com/news/alabama-last-us-state-to-enact-data-breach-notification-law>
was signed into law on April 3, 2018, and it takes effect on May 1. It
mirrors South Dakota’s law regarding how it defines “personal information,”
including information it exempts, such as information that has been
lawfully made public by federal, state, or local government, and
information that has been encrypted, redacted, or is otherwise unusable.

There are three significant differences between the two laws. Alabama is
requiring that compromised organizations notify Alabama residents of a data
breach affecting their personal information within 45 days. Failure to do
so could result in fines of up to $5,000 per day, with the potential for
the Attorney General to file lawsuits on behalf of affected residents.

The Alabama law has a risk-of-harm exemption similar to South Dakota’s, though
the threshold for notifying the Attorney General’s office of a breach is
set at 1,000 residents rather than 250. Alabama also requires
organizations to notify credit reporting agencies in these instances.

Data Breach Regulation at the Federal Level

The passage of South Dakota’s and Alabama’s legislation comes at an
interesting time. In February 2018, a draft House Bill titled the *Data
Acquisition and Technology Accountability and Security Act*
<https://financialservices.house.gov/uploadedfiles/bills-115-datasa-pih.pdf>
began circulating on Capitol Hill. The bill has the potential to render all
50 state laws obsolete. The bill would apply to “any person, partnership,
corporation, trust, estate, cooperative, association, or other entity that
accesses, maintains, or stores personal, or handles personal information.”

In March, Lisa Madigan, Illinois Attorney General, sent a letter
<http://www.illinoisattorneygeneral.gov/pressroom/2018_03/Committee_Leaders_letter.pdf>
to the House Financial Services Committee on behalf of a bipartisan group
of 32 state Attorneys General. The Attorneys General argue that any federal
legislation would preempt state data breach and security laws, thereby
harming the abilities of state Attorneys General to protect their
residents. They also state that the proposed law would result in “less
transparency to consumers” and allow organizations to delay any
notification of a breach until after the harm has already occurred.

While the Attorneys General do present valid arguments, we’ll have to wait
and see whether the federal government takes their concerns into
consideration. Having a single, federal regulation dictating data breach
response would place less of a burden on organizations, which would only
have to apply a single reporting standard.