Only one U.S. state without a data breach notification law, that is.
South Dakota as become the 49th state to enact a data breach notification law, which take effect on July 1. The South Dakota law follows the pattern of the most recent notification laws, including an expansive definition of "Personal Information".
The law defines personal information as a person's first name/first initial and last name in combination with any one or more of the following:
Social Security Number; Driver's license number or other unique identification number created or collected by a government body; Account, credit or debit card number, in combination with any required security code, access code, password, routing number, PIN, or any additional information that would permit access to a person's financial account; Health information; Identification number assigned to a person by the person's employer in combination with any required security code, access code, password, or biometric data generated from measurements or analysis of human body characteristics for authentication purposes. There is an additional definition of "protected information" that includes (a) a username or email address in combination with a password, security question answer, or other information that permits access to an online account; and (b) account number or credit/debit card number, in combination with any required security code, access code, or password that permits access to a person's financial account. The definition of "protected information" "does...