Alabama Republican Gov. Kay Ivey has signed a bill that makes her state the 50th and final one to enact a consumer data breach notification law.
The measure requires that residents be notified within 45 days after a breach has been discovered if it is reasonably likely to cause substantial harm. The notification could be delayed if it would interfere with a law enforcement investigation.
Until recently, Alabama and South Dakota were the only states that didn’t have data breach notification laws.
Last month, South Dakota Gov. Gov. Dennis Daugaard, a Republican, signed a measure into law that would require affected residents to be notified within 60 days of a data breach’s discovery.
Legislators in a number of states have been trying to toughen consumer protections, in the wake of law year’s massive Equifax breach that exposed the personal data of nearly 148 million Americans.
Last year, there were a record 1,579 data breaches in the United States, a nearly 45 percent hike over the previous year, according to the Identity Theft Resource Center, a nonprofit that helps victims of identity theft and promotes public awareness.
Yesterday, retail company Hudson’s Bay, which owns Lord & Taylor and Saks Fifth Avenue, announced that it had been the victim of hacking by cybercriminals. A cybersecurity research firm said the hackers had obtained more than 5 million customer credit and debit card numbers.
At least 29 states are taking up consumer security breach notification bills this year, according to the National Conference of State Legislatures. In more than a dozen states, measures would require residents to be notified within a given time, from 48 hours up to 60 days.
State laws dealing with security breach notification vary considerably, from when affected victims must be notified to what is considered personal information.