And Then There Was One – South Dakota Passes Breach Notice Law, Alabama May Not Be Far Behind Posted on March 28, 2018
South Dakota recently became the 49th US state to enact data breach notification legislation. The new law takes effect July 1, 2018 and mirrors other states’ breach notice laws. Information that if breached, gives rise to a duty to notify is defined to include Social Security and government-issued identification numbers, account and payment card numbers (in combination with security or access codes or PIN numbers), health information, and employer- issued identification numbers (in combination with security or access codes, biometric data, or passwords). Protected information includes user names or email addresses (in combination with passwords or security question answers), and account or payment card numbers (in combination with security or access codes or PIN numbers).
A “breach” in South Dakota is the unauthorized acquisition of unencrypted computerized data (or encrypted data where the key is compromised). The law provides for a definition of encryption (using a process that comports with FIPS 140-2). The law gives companies a 60 day window to notify impacted individuals, but does not have content requirements for notice. Notice to SD authorities is required if more than 250 residents are impacted. Substitute notice in SD is permitted in certain circumstances, and constitutes notice by email (if the company has the email addresses for impacted people), website posting and notice to statewide media. Alabama is the lone US state without a breach notice law; at least for now. The Alabama State Senate delivered SB 318 to Governor Ivey on March 27 for her signature. Alabama may thus become the final state to pass a data breach notification law in the coming days.
PUTTING IT INTO PRACTICE: The passing of this law is a reminder that breach notification remains on the forefront of regulators’ minds. Companies with nationwide breach notice plans in place should update their plans to add South Dakota to the list, in particular the need to notify state authorities if over 250 residents have been impacted by a breach as defined by this new law.
Power Company Slammed With Hefty $2.7M Fine After Data Breach
Posted on March 14, 2018
An unnamed power company was hit with a $2.7 million fine after it was discovered that protected information associated with the company’s critical cyber assets was posted online. The data was exposed on the internet for 70 days and included IP addresses and server host names. A white hat security researcher alerted the company to the breach after it was able to access the information online. The company determined that a third-party contractor improperly copied protected company data to its unsecured network.
The company notified its regulator, the Western Electricity Coordinating Council, of the incident. A subsequent investigation revealed the company failed to apply its information protection program to the exposed protected information. The company also failed to ensure its contractor followed its information protection program. The company indicated that it believed it unlikely the data was accessed or acquired during the time it was available online. Regulators were not as optimistic. In its penalty notice to the Federal Energy Regulatory Commission, the North American Electric Reliability Corp. noted that there was no assurance the data was not already used or acquired by a malicious actor.
PUTTING IT INTO PRACTICE: This case is a reminder that when incidents occur, regulators may take aggressive positions about the level of protections a company had -or should have had- in place. This holds true not just for regulator expectations about internal controls, but third party controls as well.
                    27 Eye on Privacy 2018 Year in Review