This week two more U.S. breach notice laws go into effect…
NOTE: 6/30 Made an important correction, putting the “un” on “reasonable”; thanks for catching that, Chris!
1. Most of South Carolina’s Financial Identity Fraud and Identity Theft Protection Act went into effect in December 2008. However, Section 4.A and Section 7.A, which cover identity theft and security breach notification, are going into effect on July 1, 2009.
A few interesting notes about this law:
- It has a civil penalty of $1,000 per resident affected by the breach for entities who ‘knowingly and wilfully’ violate the notification requirements.
- It does not specify a maximum amount for the total penalty. Most other U.S. state and territory breach notice laws have penalty caps.
- If the number of residents affected exceeds 1,000, entities also have to notify the Department of Consumer Affairs.
2. Alaska’s Personal Information Protection Act goes into effect on July 1, 2009.
A violation of this law could result in a penalty of up to $500 for each resident whose information was compromised by the breach, with the maximum amount set at $50,000.
Among other requirements, both of these laws require:
- That businesses that possess (‘own’ or license) the personal information of residents of the states notify every resident whose personal information was affected by a breach of security.
- That breach notification be made within the ‘most expedient time possible and without unreasonable delay’.