In February, we reported that South Dakota and Alabama were the last two U.S. states without data breach notification laws. Since then, both states have enacted data breach laws.
South Dakota governor Dennis Daugaard signed South Dakota Bill No. 62 into law on March 21, making it the 49th state to pass a data breach notification law. The law integrates contemporary principles found in other recently enacted state data breach laws. These principles include a broad definition of personal information—for example, employee ID numbers together with an access code or biometric data fall within the scope of the definition. The law requires companies to disclose a breach to affected consumers no later than 60 days from the date of discovery or notification of the security incident. Affected consumers include any South Dakota resident whose “personal or protected information was, or is reasonably believed to have been, acquired by an unauthorized person.”
On March 28, Alabama governor Kay Ivey signed the Alabama Data Breach Notification Act into law. The Act imposes a breach notification timetable that is shorter than South Dakota’s – companies must notify affected consumers no later than 45 days from the date the breach is discovered. Another notable element is the requirement that companies notify Alabama Attorney General Steve Marshall in writing if a single breach involves more than 1,000 individuals.
The impact of each of the 50 U.S. state data breach laws will become clear as breaches continue to affect entities holding the information of individuals around the nation. As iterations of federal data breach notification bills are introduced before Congress, but not passed into law, a glaring regulatory gap persists. State attorneys general have made an effort to fill that gap, leading the charge in national enforcement actions. With the support of the now complete quilt, state attorneys general will likely continue to spearhead enforcement efforts.