On March 21, 2018, South Dakota became the forty-ninth state to enact a data breach notification law when Senate Bill 62 was signed by the governor. South Dakota’s breach notification law is effective July 1, 2018. In 2002, California became the first state to enact a data breach law, and since then, nearly every state has followed suit. Up until this point, the lone stragglers were South Dakota and Alabama (more on Alabama below).
Any person or business conducting business in South Dakota and that owns or licenses computerized “personal information” or “protected information” of South Dakota residents must comply with the new data breach notification law.
What Information Is Covered?
South Dakota’s breach notification law is similar to many other states in terms of defining “breach of the security of the system” and “personal information,” though notably the definition of personal information includes health information (as defined in the Health Insurance Portability and Accountability Act Privacy Rule). The law also contains a definition of an additional term, “protected information,” which includes (1) user name/email address in combination with a password, security question answer, or other information that permits access to an online account, and (2) account, credit or debit card number in combination with any required security code, access code, or password that permits access to a person’s financial account. These definitions follow the trend of expansive definitions of information subject to breach notification.
Risk of Harm Standard
The law requires notification to affected South Dakota residents whose personal information or protected information was, or is reasonably believed to have been, acquired by an unauthorized person. However, South Dakota’s breach notification law contains a risk of harm standard, pursuant to which notification is not required if, following an appropriate investigation and notice to the attorney general, the entity reasonably determines that the breach will not likely result in harm to the affected person(s).
Breach Notification Obligations
The law mandates certain notification requirements, including notification to affected individuals no later than sixty (60) days from the discovery of the breach. Notice to the attorney general is required if the breach affects more than two hundred and fifty (250) South Dakota residents.
All consumer reporting agencies and any other credit bureau that compiles and maintains files on consumers on a nationwide basis must also be notified without unreasonable delay. Interestingly, prior versions of the law limited reporting obligations to consumer reporting agencies and credit bureaus only to those breaches affecting more than two hundred and fifty (250) residents. However, the final version of the law removed that limitation and, as such, breaches of any size in South Dakota must be reported to consumer reporting agencies and credit bureaus.
Failure to disclose a breach is considered a deceptive act under the state’s consumer protection laws, and the attorney general may impose a fine of up to $10,000 per day per violation of the breach notification law.
Here’s Looking at You, Alabama
In related news, Alabama also has legislation pending that, if passed, would mean that all fifty (50) states, plus Washington D.C., would have a data breach law on the books.
For questions about South Dakota’s new data breach law or other state data breach laws, please contact the authors or your Quarles & Brady data privacy and security attorney.