Only two states in the United States lack data breach notification statutes, but that may change in 2018. If legislation pending in South Dakota passes, Alabama would be the only state without a data breach notification law.
South Dakota Senate Bill No. 62 would create a breach notification requirement for any person or business conducting business in South Dakota that owns or retains computerized personal or protected information of South Dakota residents. The law would require an information holder to disclose a breach to any South Dakota resident whose personal or protected information was, or is reasonably believed to have been, acquired by an unauthorized person. This disclosure would have to be made within 45 days from the discovery or notification of the breach, unless a longer period of time is required due to the legitimate needs of law enforcement.
In addition, breaches affecting more than 250 South Dakota residents would have to be reported to the state’s Attorney General. When there is a breach involving more than 250 South Dakota residents, the information holder also must notify all consumer reporting agencies of the timing, distribution, and content of the breach notification sent to those affected residents.
The Senate Bill makes each failure to disclose a breach an unfair or deceptive practice under South Dakota’s Deceptive Trade Practices And Consumer Protection law, which imposes criminal penalties for violations. In addition, the bill authorizes the state Attorney General to impose a civil penalty of up to $10,000 per day per violation and to recover attorneys’ fees and costs associated with an action brought against the information holder.
Today’s patchwork of 48 state breach notification laws requires data holders operating in multiple states to be aware of the requirements across several jurisdictions. There are steps companies can take to help them meet these requirements by establishing good baseline policies and practices. These steps include:
- Developing a written information security plan;
- Training employees on data security;
- Conducting regular data security assessments;
- Running tabletop security exercises; and
- Preparing template breach notices in advance of any breach.
As regulators, plaintiff’s lawyers and the media continue to focus their attention on data breaches, companies should regularly review and update the measures they are taking to better secure the data they hold.