Privacy & Information Security Law Blog

On July 1, 2009, new laws will take effect in Alaska and South Carolina that will require entities that have experienced data security breaches involving personal information to notify affected individuals of the breaches.  With these additions, a total of 44 states, plus the District of Columbia, Puerto Rico and the U.S. Virgin Islands, will have active breach notification laws in place.  There are no breach notification laws in Alabama, Kentucky, Mississippi, Missouri, New Mexico and South Dakota.

Alaska Stat. § 45.48.010 et seq. will apply to breaches of unencrypted personal information in both paper and electronic records.  Personal information is defined as first name or first initial and last name plus one or more of the following data elements:  (i) Social Security number, (ii) driver’s license number or state identification card number, (iii) account number, credit card number or debit card number, combined with any security code, access code, personal identification number or password needed to access an account, and (iv) passwords, personal identification numbers or other access codes for financial accounts.  Notification is not required if, after an appropriate investigation and written notification to the attorney general of Alaska, the entity experiencing the breach determines that there is not a reasonable likelihood that harm to the individuals whose personal information has been acquired has resulted or will result from the breach.  An entity is also exempt from notification in the event of an unauthorized but good-faith acquisition of personal information by an employee of the entity, so long as the employee does not use the personal information for an illegitimate purpose or make further unauthorized disclosure of the information.  The statute authorizes a state agency to promulgate implementing regulations at any point after the effective date.

South Carolina. Code Ann. § 39-1-90 will apply to breaches of unencrypted personal identifying information in both paper and electronic records.  Personal identifying information is defined as first name or first initial and last name in combination with and linked to one or more of the following data elements:  (i) Social Security number, (ii) driver’s license number or state identification card number, (iii) financial account number, or credit card or debit card number in combination with any required security code, access code or password that would permit access to a resident's financial account, and (iv) other numbers or information that may be used to access a person's financial accounts or numbers or information issued by a governmental or regulatory entity that uniquely will identify an individual.  The law does not require notification in the event of an unauthorized but good-faith acquisition of personal identifying information by an employee of the entity for the purposes of its business if the personal identifying information is not used or subject to further unauthorized disclosure.