According to reports, bank customers in Australia (yes, data breach notification requirements exist down under) have been affected by “an industry-wide” data breach experienced by a third-party service provider to the banks – property valuation firm, LandMark White. As expected, the banks are investigating and in some cases notifying customers about the incident. However, there are reports that some of the affected banks are suspending this vendor from the group of valuation firms they use. This is not an unusual reaction by organizations whose third party service providers have or are believed to have caused a data breach affecting the organization’s customers, patients, students, employees, etc. But, it is worth thinking about whether that is the best course of action.

In the United States, a growing number of states require businesses to contractually bind their third party service providers to maintain reasonable safeguards to protect personal information made available to the third parties to perform services. For example, under the Illinois Personal Information Protection Act:

A contract for the disclosure of personal information concerning an Illinois resident that is maintained by a data collector must include a provision requiring the person to whom the information is disclosed to implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure.

Personal information under this law includes information such as name coupled with Social Security number, driver's license number, medical information, and unique biometric data used to authenticate an individual, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data. In connection with obtaining written assurances from a third party vendor, many companies engage their vendors in an assessment process to get a better sense of the security of the vendor's environment. Assessments can take many forms, including interviewing the vendor's chief information security officer, reviewing policies and procedures, subjecting the vendor to a detailed security questionnaire, penetration tests, and more. When organizations think of best practices for data security, assessment procedures of some kind certainly should be on the list.

But after the assessments and contract negotiations are completed, data breaches can still happen. In many cases, when a third party vendor experiences a breach affecting personal information, the owners of that information are the vendor’s customers. Uncomfortable as it may be, breach notification laws generally require the vendor maintaining the breached personal information to notify the owner, the vendor’s customer(s). At that point, the parties typically work through the incident response process, which in many cases could be driven by contract, although many agreements are silent on this issue.

In any event, organizations will almost invariably begin to think about whether this is a vendor they want on their team going forward. Of course, there are a number of reasons that might support terminating the relationship, such as:

  • The vendor may not have been protecting the information the way it should have under the contract and applicable law, resulting in the breach.
  • The vendor has not been transparent, responsive, or cooperative with the organization during the incident response process.
  • The vendor has not taken sufficient steps to ensure a similar breach will not happen again.
  • The organization is getting pressure from its customers who are serviced or supported, in part, by the vendor.
  • The organization has been unhappy with the vendor for some time (unrelated to the breach) and this is the last straw.

However, there also are reasons for maintaining the relationship, which include:

  • “The grass is always greener on the other side” – it may not be. There is no guarantee that a new vendor will have greater data security, be able to avoid a sophisticated attack, or be willing to work with the owner of the data as transparently as the current vendor.
  • The current vendor arguably is “battle-tested” with data security and incident response more top of mind.
  • There is a long-standing, trusted relationship with the vendor whose products and/or services are too important to the organization.
  • Both the organization and the vendor may be more inclined following a breach to collaborate on enhanced security measures and incident response planning.

The author takes no position here on whether to stay or go, as such a decision requires consideration of a number of factors. Third party service providers play important roles for many organizations, and their selection and continued utilization are decisions that should be made following an appropriate level of due diligence and analysis.


Yesterday, California Attorney General Xavier Becerra and Assemblymember Marc Levine (D-San Rafael) announced Assembly Bill 1130, which is intended to strengthen California's existing data breach notification law. In short, AB 1130 would amend the existing law to include passport numbers and biometric information (e.g., fingerprint and retina scan data) in the definition of personal information, so that, if such data is breached, notification to consumers would be required under the law.

Currently, similar to most breach notification laws in other states, California’s data breach notification law defines personal information to include a covered person’s first name (or first initial) and last name coupled with sensitive information such as Social Security numbers, driver’s license numbers, financial account numbers and health information. The changes under AB 1130 would keep California out in front of other states, although a number of other states, such as Illinois, already include data such as biometric information as personal information under their breach notification laws. As many have observed, these state by state changes only add to the complexity businesses face when they experience a data breach affecting individuals in multiple states.

News reports concerning the announcement of AB 1130 note that Attorney General Xavier Becerra “has promised to crack down on companies that try to hide data breaches from the public.” And soon individuals in California affected by a data breach likely will have expanded rights to sue under the California Consumer Privacy Act (CCPA). As we reported earlier, the CCPA authorizes a private cause of action against a covered business for damages resulting from a failure to implement appropriate security safeguards which result in a data breach. The CCPA incorporates much of the definition of personal information under the California breach notification law. What should be troubling for covered businesses is that, if successful, a plaintiff can recover damages in an amount not less than $100 and not greater than $750 per incident or actual damages, whichever is greater, as well as injunctive or declaratory relief and any other relief the court deems proper. Thus, in addition to the costs of notifications a covered business may have to incur under the state’s breach notification law, which could include providing ID theft and credit monitoring services, class action lawsuits brought pursuant to this provision of the CCPA could be very costly. The expansion of the definition of personal information to include passport and biometric data only increases these risks.

The U.S. Supreme Court may finally weigh in on the hottest issue in data breach litigation: whether a demonstration of actual harm is required to have standing to sue. Standing to sue in a data breach class action suit largely turns on whether plaintiffs establish that they have suffered an "injury-in-fact" resulting from the data breach. Plaintiffs in data breach class actions are often not able to demonstrate that they have suffered financial or other actual damages resulting from a breach of their personal information. Instead, plaintiffs will allege that a heightened "risk of future harm," such as identity theft or fraudulent charges, is enough to establish an "injury-in-fact."

Federal circuit courts over the past few years have struggled with the question whether plaintiffs in a data breach class action can establish standing if they only allege a heightened "risk of future harm." For example, the 3rd, 6th, 7th, 9th and D.C. Circuits have generally found standing, while the 1st, 2nd, 4th, 5th and 8th Circuits have generally found no standing where a plaintiff only alleges a heightened "risk of future harm." This circuit split is in large part due to a lack of clarity following the U.S. Supreme Court's decision in Spokeo, Inc. v. Robins, which held that even if a statute has been violated, plaintiffs must demonstrate that an "injury-in-fact" has occurred that is both concrete and particularized, but which failed to clarify whether a "risk of future harm" qualifies as such an injury.

The U.S. Supreme Court may finally weigh in on the status of standing in data breach litigation this term, in Frank v. Gaos. The Court recently requested supplemental briefs addressing whether any of the named plaintiffs has standing such that federal courts have Article III jurisdiction over the dispute. The Court's request is particularly notable, as the issue before the Court was not initially focused on standing. Although Frank is not a classic data breach case, but rather a privacy class action settlement based on unauthorized sharing of website search terms with third parties, it may still provide the Court an opportunity to resolve the circuit split and issue further guidance on standing in data breach litigation.

Similarly, the Illinois Supreme Court recently held that actual harm is not required to sue under the Illinois Biometric Information Privacy Act ("BIPA"), a ruling likely to increase the already large number of suits, including putative class actions, filed under that law. It goes without saying that the U.S. Supreme Court's decision in Frank v. Gaos could have a significant impact on data breach class action lawsuits.


A new bill in the Senate proposes to hold large tech companies, specifically "online service providers," responsible for the protection of personal information in the same way banks, lawyers and hospitals are held responsible. The Data Care Act of 2018, which was introduced on December 12, 2018, is designed to protect users' information online and penalize companies that do not properly safeguard such data.

Personal data under the bill includes:

  • Social Security number
  • Driver's license number
  • Passport or military identification number
  • Financial account number, or credit or debit card number, with the access code or password necessary to permit access to the financial account
  • Unique biometric data, including a fingerprint, voice print, retina image or other unique physical representation
  • Account information such as user name and password, or email address and password
  • First and last name of an individual, or first initial and last name, in combination with date of birth

The bill would also protect personal information from being sold or disclosed unless the end user agrees.

The bill is seen as part of a broader push to enact federal privacy legislation, in part to prevent more states from enacting their own privacy legislation, similar to recent moves in California and Illinois.

The bill was introduced by Senator Brian Schatz (D-HI), the Ranking Member of the Communications, Technology, Innovation, and the Internet Subcommittee. The bill was co-sponsored by 14 Senate Democrats.

Senator Schatz stated in a press release that people “have a basic expectation that the personal information they provide to websites and apps is well-protected and won’t be used against them. Just as doctors and lawyers are expected to protect and responsibly use the personal data they hold, online companies should be required to do the same.”

The bill would be enforced by the Federal Trade Commission. It would establish three basic duties: a duty of care, a duty of loyalty and a duty of confidentiality. If passed, the FTC would go through the normal notice and comment rulemaking process to further establish how authorities will define, implement and enforce concepts like "reasonable" security measures.

There has been no shortage of federal initiatives seeking heightened protection for consumer personal data in the past couple of years, in particular since enactment of the EU's GDPR, and it is only a matter of time before one of them finally sticks. We will continue to report on the Data Care Act of 2018 and other similar initiatives as developments unfold.

And now it's Louisiana's turn! After several states recently enacted or strengthened existing data breach notification laws (Colorado, Arizona, South Dakota and Alabama, just to name a few), on May 20th Louisiana Governor John Bel Edwards signed an amendment to the state's Database Security Breach Notification Law (Act 382), which will take effect August 1, 2018.

As with the recent overhaul of Colorado’s Data Breach Notification Act, the amendments to Louisiana’s law are significant.

Key updates to Louisiana’s new law include:

  • Expansion of personal information.

Personal information was previously defined under the law as an individual's first name or initial and last name in combination with any of the following additional data elements, when the name or data element is not encrypted or redacted: (1) social security number; (2) driver's license number; or (3) account number, credit or debit card number, in combination with the applicable password, security code, or access code that would allow access to an individual's financial account. The new law specifies its application to "an individual resident of this state" and expands the definition of "personal information" to include a state identification card number, passport number, and "biometric data." "Biometric data" is defined as "data generated by automatic measurements of an individual's biological characteristics such as fingerprints, voice prints, eye retina or iris, or other unique biological characteristics that are used to authenticate an individual's identity when accessing a system or account."

  • Breach notification requirements.

Previously, businesses were required to notify affected residents of a breach in the "most expedient time possible and without unreasonable delay." The new law now requires that this be done "not later than sixty (60) days from the discovery of a breach." In comparison to other states' recent amendments, a 60-day notice period is fairly long: Colorado recently adopted a 30-day notice period, and both Arizona and Alabama a 45-day notice period. Notably, when required notification is delayed at the request of law enforcement, or because the business determines that measures are necessary to determine the scope of the breach, prevent further disclosures, and restore the integrity of the data system, the business must provide the Louisiana Attorney General the reasons for the delay in writing within the sixty-day notification period in order to obtain a reasonable extension of the time to notify impacted individuals.

In addition, the new law lowers the bar for substitute notification (notification by e-mail, posting to the business's Internet site, and statewide media). Previously, substitute notice was permitted only if the cost of providing notification would exceed $250,000 or more than 500,000 affected residents would have to be notified; the amended law allows substitute notice where the cost would exceed $100,000 or more than 100,000 affected residents would have to be notified.

  • Requirements for reasonable security procedures and data disposal.

The new law requires that any person that conducts business in the state or owns or licenses computerized data that includes personal information shall:

  • Implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure;
  • Take all reasonable steps to destroy or arrange for the destruction of the records within its custody or control containing personal information that is no longer to be retained by the person or business by shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means.

This is a significant expansion to Louisiana’s law, particularly regarding its emphasis on reasonable security practices and procedures and data destruction. It is also worth noting, that Oregon’s similar amendment to its Data Breach Notification Law that we reported on back in April, took effect on June 2nd.

Today’s nationwide patchwork of state breach notification laws continues to evolve, and requires data holders operating in multiple states or maintaining personal information of residents of multiple states to keep up with the requirements across many jurisdictions. Our recently published State Data Breach Notification Laws: Overview of the Patchwork is a great resource for understanding common provisions, and trends in state statutory amendments.

Back in January, Colorado lawmakers on both sides of the aisle introduced a groundbreaking new bill requiring “reasonable security procedures and practices” for protecting personal identifying information, limiting the time frame to notify affected Colorado residents and the Attorney General of a data breach, and imposing data disposal rules, HB 1128. Now, Colorado Governor John Hickenlooper has signed the bill into law, marking Colorado as a leader in data protection. The new law will take effect September 1, 2018, and has significant implications for certain private and public sector entities in Colorado.

HB 1128 was sponsored by Rep. Cole Wist (R), Rep. Jeff Bridges (D), Senator Kent Lambert (R) and Senator Lois Court (D), and was passed unanimously by the Legislature, signifying the bipartisan understanding that, in today's climate, data security is a key issue that must be addressed. Nonetheless, the bill was initially met with opposition by large businesses that argued that certain heightened requirements were already obligatory under federal law, and that notification to the Attorney General within 7 days was too short a timeframe to determine whether misuse of data had occurred, which could result in fear of identity theft even where no risk was present. The bill was then given an overhaul, taking the businesses' concerns into consideration.

Key updates to Colorado’s new law include:

  • Expansion of breach notification requirements.

The bill expands the definition of information that, if breached, would require notification to affected Colorado residents. Under the new law, "personal information" (PI) means a Colorado resident's first name or first initial and last name in combination with any one or more of the following data elements that relate to the resident, when the data elements are not encrypted, redacted, or secured by any other method rendering the name or the element unreadable or unusable: social security number; student, military, or passport identification number; driver's license number or identification card number; medical information; health insurance identification number; or biometric data. PI also includes a Colorado resident's username or e-mail address in combination with a password or security questions and answers that would permit access to an online account. Finally, PI includes a Colorado resident's account number or credit/debit card number in combination with any required security code, access code or password that would permit access to the account.

In addition, businesses that have to report a data breach affecting Colorado residents will have to notify affected residents and, if more than 500 Colorado residents are affected by the incident, the state’s Attorney General not later than 30 days after the date of determination that a security breach occurred. Currently, this is the shortest time frame of any U.S. state (Florida also has 30-day notification period, but allows an additional 15 days under certain circumstances). Specific content requirements also were added to the state’s existing data breach notification law. Of note, the law does not create exemptions for entities subject to reporting requirements under HIPAA or the Gramm-Leach-Bliley Act, and if a conflict exists between the 30-day notice period and a time period under another state or federal law, the shortest notice period applies.

  • Requirements for reasonable security procedures and data disposal.

The new law adds requirements for businesses to implement reasonable safeguards to protect personal identifying information (PII), as well as to have procedures for disposing of PII that is no longer needed.

More specifically, covered entities in Colorado that maintain paper or electronic documents that contain personal identifying information must develop and maintain a written policy for the destruction and proper disposal of those documents. Additionally, covered entities that maintain, own, or license personal information, including those that use a nonaffiliated third party as a service provider, shall implement and maintain reasonable security procedures and practices to protect PII that are appropriate to the nature of the PII and the nature and size of the business and its operations. Moreover, unless the covered entity agrees to provide its own security protection for the information it discloses to a third party, the covered entity "shall require" the third party service provider to implement and maintain reasonable security procedures and practices as appropriate. Thus, as is already required in other states such as Massachusetts and California, businesses need to be reviewing services agreements with their third party vendors to ensure they include appropriate language to meet these requirements.

Note that with respect to the reasonable safeguard and data disposal requirements, PII is defined to include a social security number; personal identification number; password; passcode; official state or government-issued driver’s license or identification card number; government passport number; biometric data; employer, student, or military identification number; or financial transaction device. This definition is not the same as the definition of “personal information” or “PI” with respect to the law’s breach notification requirement.

The Attorney General’s office has authority to enforce the new requirements, and may bring an action in law or equity to address violations of the law, and for other relief that may be appropriate to ensure compliance with the law or to recover direct economic damages resulting from the violation, or both.

This is a significant expansion of Colorado’s data breach notification law and the state’s rules for safeguarding personal data. Covered entities are advised to develop and implement practices and procedures appropriate for the PII and PI they own, license, or maintain including administrative, technical and physical safeguards.

Last month, South Dakota and Alabama became the final two states to enact a data breach notification law. In addition, many other states, in response to trends, heightened public awareness, and a string of large-scale data breaches, have continued amending their existing laws. Arizona is the latest state to update its data breach notification law to reflect recent trends.

Introduced in January and signed into law recently by Arizona Governor Doug Ducey, the new law has several key updates, including:

  • Expands the definition of personal information to encompass:
    • information about an individual’s medical or mental health treatment or diagnosis by a healthcare professional;
    • a private key that is unique to an individual and is used to authenticate or sign an electronic record;
    • an individual health insurance identification number;
    • a passport number;
    • a taxpayer identification number or an identity protection personal identification number issued by the IRS;
    • unique biometric data used for online authentication purposes; or
    • an individual’s username or email address, in combination with password or security question and answer, that allows access to an online account.
  • Sets a 45-day notification requirement for consumers affected by the breach.
  • Risk of harm analysis: notification not required if a third-party forensic investigator or law enforcement agency determines that the “breach has not resulted in or is not reasonably likely to result in substantial economic loss to affected individuals.”
  • Types of notice: notice may be accomplished via email if the entity providing notice has email addresses for individuals subject to notification.
  • Notification content requirement: notice must contain the date of the breach, a brief description of the information disclosed, and contact information for the three largest consumer credit reporting agencies, and the Federal Trade Commission.
  • If the breach affects more than 1,000 people, notice must be provided to the consumer credit reporting agencies and the state Attorney General.
  • The Attorney General can impose civil penalties on violators of $10,000 per affected individual or the total economic loss sustained by affected individuals up to a max of $500,000.

Today’s nationwide patchwork of state breach notification laws continues to evolve, and requires data holders operating in multiple states or maintaining personal information of residents of multiple states to keep up with the requirements across many jurisdictions. Our recently published State Data Breach Notification Laws: Overview of the Patchwork is a great resource for understanding common provisions, and trends in state statutory amendments. Please contact your Jackson Lewis attorney to discuss these developments and specific state breach notification laws and reasonable safeguard requirements.

On March 28th, Alabama Governor Kay Ivey (R) signed into law the Alabama Data Breach Notification Act, Act No. 2018-396, making Alabama the final state to enact a data breach notification law. South Dakota Governor Dennis Daugaard signed a similar statute into law one week prior. The Alabama law will take effect June 1, 2018. Being the last state to enact a breach notification law, Alabama had the benefit of examining the approach in just about all of the other states and apparently drew provisions from many other state laws, including relatively detailed requirements for covered entities (as defined within the statute) and their third-party service providers to maintain reasonable security measures to protect "sensitive personally identifying information."

Breach Notification Requirements

The Alabama Data Breach Notification Act requires covered entities to notify any Alabama resident whose sensitive personally identifying information was, or the covered entity “reasonably believes,” to have been acquired by an unauthorized person as a result of a data breach that is reasonably likely to cause substantial harm to the individual to whom the information relates.

Similar to South Dakota and recent amendments to other state data breach notification laws, the Alabama law includes an expansive definition of personal information. Notably, however, “biometric information” is not included in Alabama’s definition of personal information, as has been a typical inclusion for other states of late.

Personal information or “sensitive personally identifying information” as it is called by the Alabama law, is defined as an Alabama resident’s first name or first initial and last name in combination with one or more of the following with respect to the same Alabama resident:

  • A non-truncated social security number or tax identification number;
  • A non-truncated driver’s license number, state-issued identification card number, passport number, military identification number, or other unique identification number issued on a government document used to verify the identity of a specific individual;
  • A financial account number, including a bank account number, credit card number, or debit card number, in combination with any security code, access code, password, expiration date, or PIN, that is necessary to access the financial account or to conduct a transaction that will credit or debit the financial account;
  • Any information regarding an individual’s medical history, mental or physical condition, or medical treatment diagnosis by a health care professional;
  • An individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual;
  • A user name or email address, in combination with a password or security question and answer that would permit access to an online account affiliated with the covered entity that is reasonably likely to contain or is used to obtain sensitive personally identifying information.

The law requires a covered entity that experiences a data breach to notify affected Alabama residents “as expeditiously as possible and without unreasonable delay,” taking into account a reasonable time to conduct an appropriate investigation, but not later than 45 days from the determination that a breach has occurred and is reasonably likely to cause substantial harm, with certain exceptions. Notably, if a covered entity’s third party agent experiences a breach of security in the agent’s system, the agent shall notify the covered entity as expeditiously as possible and without unreasonable delay, but no later than 10 days following the determination of the breach or reason to believe the breach occurred. Covered entities should be reviewing their services agreements with third party vendors to ensure they are consistent with these requirements.

In addition, if more than 1,000 state residents are impacted by the breach, the state Attorney General and consumer reporting agencies must be notified. Following a number of other states, the Alabama law also sets forth specific content requirements for the notices to individuals and to the Attorney General. For example, if notification to the Attorney General is required, it must include (i) a summary of the events surrounding the breach, (ii) the approximate number of individuals in Alabama affected by the breach, (iii) information about any services, such as ID theft prevention or monitoring services, being offered or scheduled to be offered without charge to individuals, and instructions on how to use those services, and (iv) contact information for the covered entity or its agent.

Reasonable Safeguard Requirements

The Alabama law also imposes a reasonable security requirement on covered entities and their third party vendors. Under the law, covered entities and third parties are required to implement and maintain reasonable security measures to protect sensitive personally identifying information (see definition above) against a breach of security. This provision is significant not only because it reaches third party agents as well as covered entities, but also because of the scope of the information to which it applies. For example, the similar requirement under the often cited Massachusetts regulations currently does not apply to medical information; the Alabama reasonable safeguard requirement appears to reach this category of personal information.

Security measures include:

  • Designation of an employee(s) to coordinate the reasonable security measures;
  • Identification of internal and external risks of a breach of security;
  • Adoption of appropriate information safeguards to address identified risks of a breach of security and assess the effectiveness of such safeguards;
  • Retention of service providers, if any, that are contractually required to maintain appropriate safeguards;
  • Keeping management of a covered entity, including its board of directors, appropriately informed of the overall status of its security measures.

Notably, the law also requires a covered entity to conduct an assessment of its security based upon the entity’s security measures as a whole, placing an emphasis on data security failures that are multiple or systemic, and including consideration of all of the following:

  • The size of the covered entity.
  • The amount of sensitive personally identifying information and the type of activities for which the sensitive personally identifying information is accessed, acquired, maintained, stored, utilized, or communicated by, or on behalf of, the covered entity.
  • The covered entity’s cost to implement and maintain the security measures to protect against a breach of security relative to its resources.

Enforcement

A violation of the Alabama Data Breach Notification Act is also considered a violation of the Alabama Deceptive Trade Practices Act; however, criminal penalties are not available. The Office of the Attorney General maintains the exclusive authority to bring an action for civil penalties – there is no private right of action. Failure to comply with the Alabama law could result in fines of up to $5,000 per day, with a cap of $500,000 per breach. Of note, such penalties are reserved for failure to comply with the law’s notification requirements, and it is not clear to what extent such penalties would apply for failure to comply with the law’s reasonable security requirements.

As each state now has a data breach notification law, and many states continue to amend those laws, it is imperative for companies operating in multiple states and/or maintaining personal information about residents of multiple states to be aware of the requirements across several jurisdictions. Companies should regularly review and update the measures they are taking to better secure the data they hold and to appropriately respond to any potential data incident.

It’s official! Alabama is the only remaining state lacking a data breach notification statute. On March 21, 2018 South Dakota Attorney General Marty Jackley announced that Governor Dennis Daugaard signed into law the state’s first data breach notification law, after unanimous approval by both chambers of the state legislature a couple weeks prior. The law will take effect July 1, 2018.

South Dakota’s new law creates a breach notification requirement for any person or business conducting business in South Dakota that owns or retains computerized personal or protected information of South Dakota residents. On trend with recent amendments to other state data breach notification laws, the South Dakota law includes an expansive definition of personal information.

The law defines personal information as a person’s first name or first initial and last name in combination with any one or more of the following data elements:

  • Social Security Number;
  • driver’s license number or other unique identification number created or collected by a government body;
  • account, credit card or debit card number, in combination with any required security code, access code, password, routing number, PIN or any additional information that would permit access to a person’s financial account;
  • health information; and
  • an identification number assigned to a person by the person’s employer in combination with any required security code, access code, password, or biometric data generated from measurements or analysis of human body characteristics for authentication purposes.

In addition, protected information is defined as:

  • a username or email address in combination with a password, security question answer, or other information that permits access to an online account; and
  • an account number or credit or debit card number, in combination with any required security code, access code, or password that permits access to a person’s financial account.

NOTE: “protected information” does not include a person’s name.

The law requires an information holder to disclose a breach to any South Dakota resident whose personal or protected information was, or is reasonably believed to have been, acquired by an unauthorized person. This disclosure must be made within 60 days from the discovery or notification of the breach, unless a longer period of time is required due to the legitimate needs of law enforcement.

Further, breaches affecting more than 250 South Dakota residents must be reported to the state’s Attorney General. Note that if the information holder reasonably believes the breach will not likely result in harm to the affected person, the information holder is not required to make a disclosure so long as the information holder first conducts an appropriate investigation and provides notice to the attorney general. This determination needs to be documented in writing and maintained for at least three years.

The South Dakota law makes each failure to disclose a breach an unfair or deceptive practice under South Dakota’s Deceptive Trade Practices and Consumer Protection law, which imposes criminal penalties for violations. In addition, the law authorizes the state Attorney General to impose a civil penalty of up to $10,000 per day per violation and to recover attorneys’ fees and costs associated with an action brought against the information holder.

A string of large-scale breaches made clear that additional protections for South Dakota consumers were needed. Alabama is now the only state without a data breach notification law, but that will likely change in the coming weeks. A house-amended version of Senate Bill 318, the Alabama Data Breach Notification Act sponsored by Senator Arthur Orr (R-Decatur), passed the House of Representatives unanimously on March 22nd, but requires concurrence from the Senate before being sent to the Alabama governor for signing.