Last week, South Dakota became the 49th U.S. state to enact a data breach notification law with the passage of S.B. 62, which sets forth requirements for notifying state residents, the state attorney general, and major consumer reporting agencies in the event of a breach. The law, which will take effect on July 1, 2018, parallels many recently passed or amended state data breach notification laws through its inclusion of an expansive definition of “personally identifiable information” and an explicit deadline for notifying affected residents. However, a few elements of the law push further than comparable laws from other states and have the potential to shift companies’ data breach notification practices.

Under the new law, any person or business conducting business in South Dakota that owns or licenses computerized “personal or protected information” of South Dakota residents must provide notice of the breach unless certain exceptions apply. A “breach” occurs when personal or protected information was, or is reasonably believed to have been, acquired by an unauthorized person. Notably, the law defines an “unauthorized person” to include not only individuals who are not authorized to acquire or disclose personal information, but also individuals who are authorized to do so but have acquired or disclosed personal information “outside the guidelines for access o[r] disclosure established by the information holder.” This specific addition to the law could affect the decision-making process for businesses that encounter potential data security incidents with the characteristics set forth in the statute, such as access by an insider who exceeds the holder’s own access guidelines.

The law defines a breach to include the disclosure of personal or protected information that is unencrypted, or encrypted if the encryption key is also acquired. By implication, a breach of encrypted information without an associated compromise of the encryption key will not be covered within this definition. In order to qualify as encrypted, however, data must be rendered “unusable, unreadable, or indecipherable” either “without the use of a decryption process or key” or in accordance with the Federal Information Processing Standard 140-2 in effect on Jan. 1, 2018. Although it is not free from doubt, this provision indicates that compliance with FIPS may not be strictly required but may instead represent a more explicitly defined safe harbor that companies can implement to take advantage of this exception from disclosure requirements.

The concept of “personal or protected information” expands the scope of the information this law covers beyond other comparable state data breach notification laws. The definition of “personal information” parallels other state data breach notification laws by covering an individual’s name in conjunction with a Social Security number, driver’s license number (or other government-issued identification number), or an account, credit card, or debit card number in combination with any required security code, access code, password, routing number, PIN or any additional information that would permit access to a person’s financial account. However, the definition also covers a name in conjunction with “health information” (as defined under the Health Insurance Portability and Accountability Act) or an employer-assigned identification number in combination with any required security code, access code, password, or biometric data used for authentication purposes.

“Protected information,” on the other hand, does not need to be disclosed in connection with an individual’s name. South Dakota’s new law joins several other states that have recently begun to require disclosure of breaches of a user name or email address, in combination with a password, security question answer, or other information that permits access to an online account. However, South Dakota’s new law also goes farther than other state laws in defining “protected information” to include an account number or credit or debit card number, in combination with any required security code, access code, or password that permits access to a person’s financial account, even in the absence of an individual’s name. Although most state data breach notice laws only cover such information if disclosed in connection with an individual’s name, South Dakota’s law will require disclosure of a breach of this information regardless of whether individuals’ names are involved.

South Dakota also joins a recent trend among other state data breach notification laws in setting explicit deadlines for providing notification to affected individuals, the state attorney general and major consumer reporting agencies. Under the law, an information holder must notify affected individuals of the breach by mail, email or substitute notification measures within 60 days after the discovery or notification of the breach. The law also requires an information holder to disclose the breach to the state attorney general if the breach involves more than 250 South Dakota residents. If an information holder “reasonably determines,” after an “appropriate investigation,” that the breach will not likely result in harm to affected individuals, notification to the individuals is not required, but the information holder must notify the attorney general and maintain documentation of this determination in writing for three years. The notification can also be delayed if a law enforcement agency determines that it will impede a criminal investigation, but must be provided within 30 days after the agency determines that it will not compromise the investigation.

If an information holder must notify individuals of a breach, the law states that the information holder must also notify “all consumer reporting agencies,” as defined under the Fair Credit Reporting Act, and “any other credit bureau or agency that compiles and maintains files on consumers on a nationwide basis.” This expansive requirement differs significantly from other state data breach notification laws, which often only require notification of the three major consumer reporting agencies if a breach impacts more than a specific number of state residents (usually 1,000). No explicit time frame is required for either of these types of notifications.

The new law also includes “safe harbor” provisions for HIPAA- or Gramm-Leach-Bliley Act-regulated entities that notify affected South Dakota residents in compliance with applicable federal laws or regulations. For entities that fail to disclose a breach under the new law, however, such a failure could prove costly. Under the law, the state attorney general can prosecute “each failure to disclose” as a deceptive act or practice under state law and, in addition to any remedy provided for such acts or practices by state law, may recover a civil penalty of up to $10,000 per day per violation, in addition to attorneys’ fees and costs.

South Dakota’s new law may represent the next step in the evolving landscape of compliance with varying provisions of state data breach notification laws, and several unusual provisions could complicate decision-making for businesses required to notify South Dakota residents.

This article was originally published in Law360.

 

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.

Caleb specializes in assisting clients in responding to a wide variety of cybersecurity incidents, ranging from advanced persistent threats to theft or misuse of personal information or attacks utilizing destructive malware. Such assistance may include protecting the response to, and investigation of an incident under the attorney-client privilege, supervising response or investigation activities and interfacing with IT or information security personnel, and advising on engagement with internal stakeholders, vendors, and other third parties to maximize privilege protections, including the negotiation of appropriate contractual terms. Caleb has also advised numerous clients on assessing post-incident notification obligations under applicable state and federal law, developing communications strategies for internal and external stakeholders, and assessing and protecting against potential litigation or regulatory risk following an incident. In addition, he has advised several clients on responding to post-incident regulatory inquiries, including inquiries from the Federal Trade Commission and state Attorneys General.

In addition to advising clients following cybersecurity incidents, Caleb also assists clients with pre-incident cybersecurity compliance and preparation activities. He reviews and drafts cybersecurity policies and procedures on behalf of clients, including drafting incident response plans and advising on training and tabletop exercises for such plans. Caleb also routinely advises clients on compliance with cybersecurity guidance and best practices, including “reasonable” security practices.

Caleb also maintains an active privacy practice, focusing on advising technology, education, financial, and other clients on compliance with generally applicable and sector-specific federal and state privacy laws, including FERPA, FCRA, GLBA, TCPA, and COPPA. He has assisted clients in drafting and reviewing privacy policies and terms of service, designing products and services to comply with applicable privacy laws while maximizing utility and user experience, and drafting and reviewing contracts or other agreements for potential privacy issues.