There are currently only two U.S. states that do not have a state data breach notification law: South Dakota and Alabama. Recently, South Dakota took a big step toward approving a data breach notification law. On January 25, 2018, the state's Senate Attorney Judiciary Committee advanced the bill after a 7–0 vote, sending it to the South Dakota House of Representatives for consideration.
In addition to the standard data elements that are considered by most states with data breach laws, South Dakota Bill No. 62 follows the pattern of other states that are now looking to broaden the definition of "personally indentifiable information" to include elements such as biometrics. Notification will need to be provided without unreasonable delay and no later than 45 days after the breach has been discovered. In addition, when breaches impact more than 250 SD residents, an entity is required to notify not only customers but also the state attorney general's office.
Like many other state breach laws, SD Bill No. 62 does not require notification in instances where the data that has been compromised is encrypted and the unauthorized party does not have the encryption key. Furthermore, if the breached entity, in conjunction with the state attorney general, determines residents would unlikely be harmed as a result of the breach, notification will not be required.
In a recent column published in the "Guest Voices" section of "AL.com," Alabama Attorney General Steve Marshall addresses the Alabama Data Breach Notification Act of 2018, a bill a crafted by his office that "requires the entity to notify consumers within a reasonable time after it has determined that a consumer's personally identifying information has been accessed and is likely to cause the consumer harm. If the data breach involves the information of more than 1,000 individuals, then notice must be given to the Attorney General's Office as well."
Based on the increase in high-profile data breaches, 2018 certainly looks to be the year that all 50 U.S. states will finally have their own data breach law to protect consumers. Only time will tell.
This article is presented for informational purposes only and is not intended to constitute legal advice.