All 50 states plus Washington, DC now have data breach notification laws in place

On April 3, 2018, Alabama enacted its own data breach notification law, making it the last of the 50 states to do so. Alabama SB 318 takes effect on May 1 and mirrors South Dakota’s law both in how it defines “personal information” and in what it exempts – e.g. data lawfully made available by federal, state, or local government, and information that is encrypted, redacted, or otherwise unusable.

Read our blog on South Dakota’s data breach notification law to find out what information is included, what is required from covered entities, and more.

Differences between Alabama and South Dakota’s data breach notification laws

The two laws share much: the attorney general (AG) may still file lawsuits on behalf of affected residents, and both contain a similar risk-of-harm exemption, whereby notification is not required if, after an investigation and disclosure to the AG, the affected organization determines that the breach is not likely to put those affected at risk. However, there are three significant differences between the two laws:

[Table: South Dakota and Alabama data breach notification regulations]

Data breach notification laws on a national level

In February 2018, a draft House Bill titled the Data Acquisition and Technology Accountability and Security Act began circulating on Capitol Hill. If passed, it would preempt all 50 state laws. It would cover “any person, partnership, corporation, trust, estate, cooperative, association, or other entity that accesses, maintains, or stores personal, or handles personal information.”

Last month, Illinois AG Lisa Madigan sent a letter on behalf of a bipartisan group of 32 AGs to the House Financial Services Committee. The group argues that preemptive federal legislation would override state data breach laws and so hamper state AG efforts to protect their residents. Additionally, the bill would require retailers and other businesses to notify only once it is determined that “the breach of data security has resulted in identity theft, fraud or economic loss” to consumers. The proposed law could therefore result in “less transparency to consumers,” and would allow entities to delay breach notifications until after the harm has occurred.

Another significant point is that the proposed bill exempts banks and other financial institutions, on the grounds that they are already covered by a separate law, the Gramm–Leach–Bliley Act. Under that regime, if a company discovers a data breach or hack and determines that “misuse of its information about a customer has occurred or is reasonably possible,” it “should notify the affected customer as soon as possible.” The key word here is ‘should’: notification is recommended, not mandated. Credit reporting agencies such as Equifax can benefit from this loophole, since they are treated as financial institutions under Gramm–Leach–Bliley.

Nonetheless, an overarching federal cybersecurity regulation is needed to reduce inconsistencies between state laws and prevent confusion. Federal legislation would also consolidate how affected organizations must respond to, notify about, and report data breaches. We’ll have to see how the federal government responds to the bill’s opponents.

As the US gets up to speed with cybersecurity, it’s more important than ever to protect your data

With data breach notification laws now in every state, the NYDFS Cybersecurity Regulation (23 NYCRR 500) tightening its control over financial institutions, and the EU General Data Protection Regulation (GDPR) compliance deadline approaching (May 25, 2018), it is in your best interests to protect your information assets and the IT systems that process them.

A great way to safeguard your organization and ensure an adequate cybersecurity posture is to implement an information security management system (ISMS). An ISMS provides the policies, procedures, and controls – technical and organizational – to protect confidential and sensitive data from cyber threats. The international information security standard ISO 27001 provides the specifications for a best-practice ISMS, which considers people, processes, and technology.

An important aspect of obtaining accredited ISO 27001 certification is producing documentation that demonstrates conformance to the Standard. However, the road to a successful ISO 27001 implementation, let alone to adequate documentation, can be challenging. IT Governance offers the ISO 27001 ISMS Documentation Toolkit Bolt-on, which includes document templates covering ISO/IEC 27001:2013.

Using the included gap analysis, documentation dashboard, and implementation management tools, you can compare your security posture with the Standard’s requirements throughout your implementation. Click here to learn more about the ISO 27001 ISMS Documentation Toolkit Bolt-on.