Every State Now Has a Data Breach Notification Law; Is Your Business Ready to Comply?
No matter where your business is located or operating, if your company suffers a data breach you may have legal compliance and reporting obligations, and you may face fines and lawsuits if you fail to meet them. With legislation passing in South Dakota and Alabama at the beginning of April 2018, all 50 states now have data breach notification laws that businesses must follow if their data is breached.
South Dakota’s New Law Follows Trend of More Stringent Standards
If a business suffers a data breach, its obligations vary from state to state. South Dakota’s law, S.B. 62, is more stringent than the laws many states passed several years earlier. For example, the definition of personal information – called “personal or protected information” in the South Dakota statute – that businesses must protect is much broader under South Dakota law, as it is under other recently enacted laws.
Under many states’ laws enacted before the South Dakota law, information constituted personal information only if it included, at a minimum, a first initial and last name in combination with, and linked to, that person’s Social Security number, driver’s license number, or financial account or credit card number together with the associated password. South Dakota’s law does not require a name to be breached for the law to apply – an employee ID number in combination with an access code, for example, constitutes personal or protected information on its own. In addition, a name in combination with “health information,” as that term is defined under HIPAA, also constitutes personal information. As a result, more information qualifies as personal information, so there is a greater likelihood that breached data is covered by the statute and that notification will be required.
Size of Breach Can Trigger Requirement to Report to Attorney General
Depending on the number of individuals affected, a business could be required to notify the state attorney general of its data breach. In many states, that requirement is not triggered unless more than 1,000 individuals, or in some cases more than 10,000 individuals, had their data compromised.
In South Dakota, a business is required to notify the state attorney general of a breach if more than 250 individuals were affected. While South Dakota’s smaller population may have been a factor in setting the threshold at a relatively small number of people, the provision also signals a desire for more transparency about data breaches.
Notification Requirements and Penalties for Noncompliance Vary
South Dakota’s new law sets an explicit deadline for breach notification: a business must notify affected individuals within 60 days after discovering the breach. Laws enacted earlier in other states often set no fixed deadline; instead, a business whose breach triggers notification must provide it “in the most expedient time possible and without unreasonable delay,” or similar language.
Failure to understand the nuances of each law could be costly. For example, comparing the two laws that passed last week: under the new Alabama law, an entity that fails to comply can be fined up to $5,000 per day, while under the South Dakota law the maximum penalty for noncompliance is double that, up to $10,000 per day.
If you have questions about the applicability of data breach notification laws to a breach your company may have suffered, please contact one of the specialists in Koley Jessen’s Data Privacy and Security Practice Group.