As of last month, when South Dakota and Alabama passed data breach notification laws, all 50 states (as well as the District of Columbia and several U.S. territories) now have data breach notification laws on their books.
In the absence of a comprehensive federal regime, these laws have formed a patchwork of notification requirements for companies that have suffered hacks and other data breach incidents. While most states have enacted data breach notification statutes that follow a similar structure, each state’s law includes nuances on significant issues such as what is considered a breach, who needs to be notified when a breach occurs, and when and how that notification must be made. The Alabama Data Breach Notification Act of 2018, which will go into effect on June 1, 2018, is among the most stringent in the country, requiring, among other things, that covered entities implement and maintain reasonable security measures and undertake certain investigatory actions when they determine a breach has or may have occurred. Further, under their newly passed statutes, both South Dakota and Alabama will empower their respective AGs to bring civil actions against entities that violate the new data breach notification laws. In a similar vein, Delaware recently expanded companies’ affirmative obligations to protect private information, and last November, New York AG Eric Schneiderman announced that he was working with state legislators to introduce comprehensive new legislation that would require companies to take steps to protect private information, broaden the types of private information covered, and increase potential penalties for failures to comply with the law.
The new laws in South Dakota and Alabama, and continued legislative and regulatory efforts to strengthen data breach and security laws in other states, show that unless and until a national federal standard is passed by Congress, companies will continue to be required to navigate overlapping (and potentially conflicting) obligations in all 50 states.