April 11, 2018 - Both South Dakota and Alabama have passed data breach notification laws, and the governors of both states have now signed them. These two states were the last American hold-outs for data breach notification. The new Alabama law will go into effect May 1st and the South Dakota law goes into effect on July 1st.
Neither of the new laws is ideal. Both of them allow the breaching party to determine "risk of harm." This means that if the breaching party determines that there is a very low risk of harm to those whose information was breached, no notification is required.
The South Dakota law only applies to electronic data. This means that a breach caused by inappropriate disposal of paper records wouldn't be covered. It also removes any need for notification if the breached data is encrypted and the encryption key isn't included in the stolen data.
The Alabama law covers any form of data breach and it includes government agencies.
Violations of either law can include civil and criminal penalties for private parties and companies. The Alabama law eliminates the penalties for government entities, but the state's Attorney General is required to release an annual report that includes information on state agencies involved in any data breach.
The new laws are a positive development for consumers of both states. Once they go into effect, every state and US territory will have data breach notification requirements in place for their citizens.
by Jim Malmberg