Last month, Alabama and South Dakota became the latest states to enact data breach notification laws. All 50 states now have such laws, but the laws and companies’ obligations thereunder vary widely from state to state.
The Alabama and South Dakota laws—described in detail in the chart linked below—are similar to the laws of other states, but each has a few important features to be aware of. First, both states have firm notice deadlines—45 days after the breach for Alabama and 60 days for South Dakota. Both states require notice to the Attorney General if the number of impacted residents exceeds a threshold—1,000 people in Alabama and 250 people in South Dakota. Interestingly, under the South Dakota law, a company is not required to notify individuals of a breach if it determines that the breach will not likely result in financial harm, but the company must notify the Attorney General of this determination and maintain the associated documentation for three years (Florida’s law has a similar provision).
Alabama’s and South Dakota’s laws do not provide individuals a private right of action against a company that fails to comply with notice obligations, but they do permit the state Attorney General to prosecute failures to disclose as a deceptive business practice. The penalties for violating the statutes can be steep—in South Dakota, up to $10,000 per day per failure to disclose, and in Alabama, up to $500,000 per breach plus an additional $5,000 penalty per day of non-compliance.
As it has for the past several years, the U.S. Congress is currently considering legislation to establish a nationwide standard for data breach disclosures. The draft Senate bill would require notice within 30 days, and individuals who conceal a data breach could be sentenced to up to five years in prison. A draft bill in the House of Representatives would set federal requirements for companies collecting personal information and would preempt state law on breach notification.
At the same time, states are continuing to pass laws and take more aggressive enforcement stances, with at least 30 states currently considering enhancements to existing laws. For example, in the first quarter of 2018, state legislatures in Oregon and Colorado have considered imposing firm notice deadlines, and the Attorney General of the State of New York championed legislation to require social media companies to notify users of misuse of their personal information.