South Dakota became the 49th state to have a data breach notification law when Governor Dennis Daugaard signed SB 62 into law on March 21, 2018.
The bill also includes health information in its definition of personal information, so individuals would need to be notified should that data be compromised in a data breach.
Additionally, organizations that suffer a data breach will need to provide notification should the incident involve individuals’ first name or first initial and last name, in combination with any of the following elements:
- Social Security number
- Driver’s license number or other government-issued unique identification number
- An account, credit card, or debit card number in combination with any required security code, access code, password, routing number, PIN, or any additional information that would permit access to a person's financial account
- An identification number assigned to a person by the person's employer in combination with any required security code, access code, password, or biometric data generated from measurements or analysis of human body characteristics for authentication purposes.
The attorney general will need to be notified of breaches involving more than 250 South Dakota residents.
“A disclosure…shall be made not later than sixty days from the discovery or notification of the breach of system security, unless a longer period of time is required due to the legitimate needs of law enforcement,” the bi-partisan bill reads. “An information holder is not required to make a disclosure…if, following an appropriate investigation and notice to the attorney general, the information holder reasonably determines that the breach will not likely result in harm to the affected person.”
“The information holder shall document the determination…in writing and maintain the documentation for not less than three years.”
The South Dakota Attorney General can prosecute an organization should it fail to disclose a breach. The civil penalty could be “not more than ten thousand dollars per day per violation.”
Oregon updates data breach law, increasing consumer protection
Oregon took one step closer to updating its current data breach notification law, with the Senate unanimously passing Senate Bill 1551 in February 2018.
Sen. Floyd Prozanski brought the bill to the Senate, while Rep. Paul Holvey has introduced a similar bill to the House of Representatives.
“Consumers protecting themselves when their personal data is compromised should be as easy and inexpensive as possible,” Prozanski said in a statement. “When there is a data breach, credit freezes should be granted right away, at no cost, to help people protect themselves from financial hardship due to identity theft. With passage of Senate Bill 1551, we will update and strengthen Oregon’s Consumer Identity Theft Protection Act, which I spearheaded in 2007.”
SB 1551 was created largely in response to the large-scale 2017 Equifax data breach that impacted approximately 145 million Americans.
The updated Oregon bill would allow consumers to place a credit freeze with each credit reporting agency for any reason and at no cost. Removing or temporarily lifting a credit freeze would also be free.
Companies would need to notify consumers no more than 45 days after a data breach is discovered, according to the bill.
“No company should be able to make money by helping someone protect themselves because that company didn’t adequately protect the consumer’s data,” Prozanski stated. “This bill will ensure consumers have adequate tools and protections in place in the unfortunate circumstance that this type of massive breach happens again.”
Even with more states implementing data breach notification laws or updating current laws, there is also legislation in the works that aims to create one overarching data breach law. However, the majority of state attorneys general are not pleased with such a suggestion.
Illinois Attorney General Lisa Madigan recently led a group of 32 attorneys general in writing a letter to Congress, urging the government to not preempt state data security and state data breach laws.
A draft bill, the Data Acquisition and Technology Accountability and Security Act, also “appears to place Equifax and other consumer reporting agencies and financial institutions out of states’ enforcement reach,” the group wrote.
“We urge you to avoid limiting our ability to learn about data breaches and to require companies to improve their data security measures going forward,” the attorneys general explained.
Under the bill, companies would be able to use their own judgement in determining whether consumers should be notified about a breach. Additionally, the legislation only requires notification for incidents affecting 5,000 or more consumers. The majority of data breaches are smaller in size, the letter stated.
“As just one example, of the over 21,000 breaches reported to the Massachusetts Attorney General’s Office since 2008, each breach impacted, on average, just 488 Massachusetts residents,” the group said. “Instead, we believe there is a place for both state and federal agencies to act to protect consumers’ important personal information.”