The push for a single uniform national data breach notification law gained strength in the wake of the Equifax breach. Now proposed legislation in North Carolina would amend its law in a way that would add momentum to this push. And, now South Dakota is tired of being one of only two states without a breach notification law and wants to abandon Alabama and join the other 48 states by getting a law of its own.
See Why Do Data Breach Disclosures Take So Long? Let’s Ask the SEC Chairman
North Carolina, in a never-ending race to see which state can come up with the most impractical breach notification law, has proposed legislation that would (1) now requiring that companies notify consumers and the state Attorney General of data breaches within 15 days; and (2) adopt the HHS’ view under HIPAA that a ransomware attack is a data breach that requires notification and reporting. You can read more details about the new law here, but this is enough to help you see why even this Texan believes we need a federal breach notification law in place before some state requires instantaneous notification of consumers by a clairvoyant.
South Dakota’s proposed legislation is at least generally consistent with the existing laws of many of the other 48 states. It would require companies to notify its residents whose personal or protected information was, or is reasonably believed to have been, acquired by an unauthorized person, within 45 days from the discovery or notification of the breach. Breaches affecting more than 250 of its residents would require notifying the state’s Attorney General as well. You can read more details about the proposed law here.
Under the proposed laws for both the North Carolina and South Dakota, the failure to comply with the breach notification requirements would be a violation of the respective states’ deceptive trade practices laws.
Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.
1 thought on “State data breach notification law mishmash would get worse with proposed NC and SD legislation — is instant notification by clairvoyant next?”
You must log in to post a comment.