In the wake of recent high-profile data breaches and in the absence of federal data protection legislation, states continue to propose new laws aimed at protecting the personal data of their residents. On January 23, 2018, the Senate Judiciary Committee of South Dakota approved and forwarded for consideration by the full senate a bill that would require companies and individuals who operate and collect personal data in South Dakota to report data breaches affecting residents of the state within 60 days of discovery and, if more than 250 residents are affected by a data breach, to notify the Attorney General and consumer reporting agencies as well. Following a number of comments received from state business associations, the Senate Judiciary Committee added to the proposed bill a risk-of-harm threshold: if, pursuant to “an appropriate investigation” and following notice to the Attorney General, a company reasonably determines that a breach is not likely to result in harm to an affected South Dakota resident, then notice to that resident is not required. Failure to comply with the breach notification law could constitute a “deceptive act or practice” under state law enforceable by the Attorney General, who is also empowered under the law to recover civil damages not to exceed $10,000 per violation per day. The bill will next be considered by the full senate and, if passed, would leave Alabama as the sole U.S. state without a consumer data breach notification law.
On January 19, 2018, state legislators in Colorado introduced a bill that would strengthen the requirements under existing state data protection legislation by obligating (i) all public and private entities in the state to develop a written policy for the proper destruction of both hard copy and electronic documents containing personal information and (ii) all individuals who collect personal information of Colorado residents to implement and maintain “reasonable” security procedures “appropriate to the nature of the personal identifying information and the nature and size of the business and its operations.” In addition, the existing state breach notification laws applicable to Colorado individuals and businesses would be bolstered by the addition of an express time frame for notification of no later than 45 days from the date of the breach and a new requirement that if a breach affects 500 or more Colorado residents, notice must also be sent to the state Attorney General no later than seven days following discovery of the breach.
Notably, the definitions of “personal information” in the two bills are not identical: in the proposed Colorado bill, the definition includes all biometric data, whereas the proposed South Dakota law includes biometric data solely to the extent needed for authentication purposes in combination with an employer-issued identification number. This inconsistency in scope is just one example of the wide variation among state laws and underscores why industry groups, among others, are advocating for a single federal law that would govern a company’s breach notification obligations.
The full text of the proposed South Dakota bill is available here.
The full text of the proposed Colorado bill is available here.
For further discussion of the continued calls by industry groups for a federal data breach notification statute, see this earlier blog entry.