Wednesday, January 24, 2018

Data Breach Bill on Deck in SD and CO


South Dakota moved closer Tuesday to shedding its status as one of only two States without a Data Breach Notification Law, while Colorado Lawmakers introduced a New Law mandating “reasonable security procedures,” imposing Data Disposal Rules, and tightening the Timeframe in which to Alert Authorities to a Breach.

The moves are the latest in a trend of Statehouses around the Country stepping in to fill gaps in Cybersecurity Lawmaking and Enforcement left by the Federal Government, which continues to drag its feet on Data Breach Legislation.

South Dakota

A Legislative Panel has approved a Bill that would require Companies to inform South Dakota Residents whose Personal information was taken in a Data Breach. The Senate Judiciary Committee voted 7-0 Tuesday to advance Attorney General Marty Jackley’s Bill. It would require Residents be Notified within 60 days of a Breach’s discovery unless the Company and Attorney General determine it likely wouldn’t harm the affected People.

The Plan would also require Companies to inform the Attorney General if a Breach affected over 250 Residents. Companies regulated by Federal Law that have Procedures for a Security Breach that follow the Rules of their Primary Regulator would be deemed in Compliance with the proposed Law. Jackley has said the State needs a Fair Reporting Law that requires Consumers to be Notified about the Loss of their Information.

The Notice by the information Holder may be by Written Notice, Electronic Notice, or Substitute Notice. A failure to comply with the Notice Requirement would be a Deceptive Act under existing South Dakota law (§37-24-6) for purposes of Criminal and Civil Enforcement. The Attorney General may also bring an Action to Recover Civil Damages of not more than $10,000 per day per Violation.

Forty-eight States, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have enacted Legislation requiring Private or Governmental entities to notify Individuals of Security Breaches of Information involving Personally Identifiable Information.

Security Breach Laws typically have provisions regarding who must comply with the Law (e.g., Businesses, Data/Information Brokers, Government Entities, etc.); definitions of “Personal Information” (e.g., Name combined with SSN, Driver’s License or State ID, Account Numbers, etc.); what constitutes a Breach (e.g., Unauthorized Acquisition of Data); requirements for Notice (e.g., Timing or Method of Notice, who must be Notified); and Exemptions (e.g., for Encrypted information).

CLICK HERE for a List of each State’s Data Breach Laws.









NYC Wins When Everyone Can Vote! Michael H. Drucker