Last week, South Dakota moved closer to implementing a data breach notification law, while Colorado legislators introduced a new bill requiring “reasonable security procedures,” imposing data disposal rules and shortening the time frame in which to alert authorities regarding a breach. South Dakota and Colorado are the latest states taking steps in cybersecurity lawmaking in light of Congress’s inaction regarding data breach legislation.
On Tuesday, January 23, 2018, the South Dakota State Senate Judiciary Committee passed a bill that would require companies to inform consumers of any “unauthorized acquisition” of personal data, unless the company and the State Attorney General’s Office determine that the breach is unlikely to harm those affected.
The proposed law would create a breach notification requirement for companies conducting business in South Dakota that own or retain computerized personal or protected information of South Dakota residents. An information holder would have to disclose a breach to any South Dakota resident whose personal or protected information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure would have to be made within 60 days of discovering, or being notified of, the breach, unless a longer period is required by the legitimate needs of law enforcement. Additionally, when a breach involves more than 250 South Dakota residents, the information holder would also have to notify all consumer reporting agencies of the timing, distribution, and content of the notification sent to the affected residents.
The bill would make the South Dakota Attorney General’s Office responsible for investigating and enforcing violations. Each failure to disclose a breach would be treated as an unfair or deceptive practice under South Dakota’s Deceptive Trade Practices and Consumer Protection law, for which state authorities could impose criminal penalties. In addition, the bill would authorize the state Attorney General to impose a civil penalty of up to $10,000 per day per violation and to recover attorneys’ fees and costs associated with an action brought against the information holder.
Companies regulated by federal law (for example, the Health Insurance Portability and Accountability Act of 1996 (HIPAA)) that maintain breach procedures following the rules of their primary federal regulator would be deemed in compliance with the proposed law.
Currently, only two states in the United States lack data breach notification statutes, but that may soon change. If the legislation pending in South Dakota passes, Alabama would be the only state without a data breach notification law.
On Monday, January 22, 2018, lawmakers in Colorado introduced a bipartisan bill that would fortify current data privacy laws. The bill would require entities to implement “reasonable security procedures” to protect consumers’ personal information and would also expand notification requirements.
The proposed legislation would tighten state notification requirements in part by giving companies no more than 45 days in which to inform victims of a breach. That deadline could be extended to accommodate the legitimate needs of law enforcement, or other investigative measures necessary to determine the scope of the breach and “restore the reasonable integrity of the computerized data system.” The bill further requires that the breached entity notify the state Attorney General no more than seven days after discovering a breach if more than 500 people are affected or are “reasonably believed to be affected.” Also, any company that maintains personal consumer data would have to adopt a written policy outlining how it will securely destroy that data once it is no longer needed.
As in South Dakota, the Colorado Attorney General’s Office would be tasked with investigating and prosecuting violations of the updated law. The proposed legislation would give state regulators some latitude in enforcement: it requires entities to “implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal identifying information, and the nature and size of the business and its operations,” without defining what counts as “reasonable.”
Both the South Dakota and Colorado bills define a “security breach” as the “unauthorized acquisition” of unencrypted personally identifiable information, or of the encryption keys that could be used to unlock encrypted personal data. In practice, encryption therefore takes an incident outside the notification requirement only if the keys were not also exposed; an attacker who obtains encrypted records together with the key material that decrypts them triggers the same obligations as one who obtains plaintext.
Colorado’s definition of “personal information” under its bill covers medical information, health insurance information, and biometric data (which it does not define). South Dakota’s definition of “personal information” is similar, and includes “[h]ealth information as defined in 45 CFR 160.103” (i.e., under HIPAA). Unlike Colorado, however, South Dakota’s bill does define biometric data, as data “generated from measurements or analysis of human body characteristics for authentication purposes.”
The current landscape of 48 (soon to be 49) state breach notification laws requires data holders operating in multiple states to track the requirements of several jurisdictions at once, including differing notification deadlines, regulator-reporting thresholds, and definitions of personal information. Companies should meet these requirements by establishing sound baseline policies and practices, including a breach response plan built around the shortest applicable deadline, and should regularly review and update the measures they take to secure the data they hold. Data Protection Report will continue to monitor further developments in South Dakota and Colorado, as well as in any other jurisdictions enhancing their data breach notification laws.
Special thanks to Robert Kantrowitz* for his assistance in drafting this post.
*Law Clerk–not admitted to practice law.