South Dakota Passes Breach Notification Law, Leaving Alabama the Only U.S. State Without a Breach Notification Law

On March 21, 2018, South Dakota Governor Daugaard signed S.B. 62, enacting the state’s first data breach notification law, which will go into effect July 1, 2018. Previously, Alabama and South Dakota were the only U.S. states without a data breach notification law. As of July 2018, Alabama will be the last state without one, though this may soon change. The District of Columbia and three U.S. territories – Guam, Puerto Rico and the U.S. Virgin Islands – also have data breach notification laws in place.

South Dakota’s law requires that any person or business that conducts business in South Dakota and owns or licenses computerized “personal information”[1] or “protected information”[2] of the state’s residents (such persons/businesses referred to as “information holders”) disclose any “breach of system security” to any South Dakota resident whose personal or protected information was, or is reasonably believed to have been, acquired by an unauthorized person.

The law gives information holders a sixty-day window (from the date of discovery or notification of the breach) to notify individuals, unless law enforcement determines that the notification should be delayed. However, if the information holder conducts an appropriate investigation, reasonably determines that the breach will not likely result in harm to the affected residents and notifies the South Dakota attorney general of its determination, then the information holder is not required to notify affected residents.

Additionally, information holders must notify (1) all consumer reporting agencies and (2) if the breach affects over 250 South Dakota residents, the South Dakota attorney general. This consumer reporting agency notification obligation is unique, as most state breach notification laws only require such notification if a high number of residents, for example 500 or 1,000 residents, are affected.

The law provides the state Attorney General (and, potentially, affected residents) with imposing remedies. A violation of the breach notification law is considered a deceptive act or practice under South Dakota Codified Laws (“SDCL”) § 37-24-6, South Dakota’s consumer protection law. The South Dakota attorney general may (1) “prosecute each failure to disclose” under the breach notification law’s provisions as a deceptive act or practice under SDCL § 37-24-6, (2) impose a civil penalty of up to $10,000 per day per violation and (3) avail himself of any of the remedies provided under chapter 37-24 of SDCL. South Dakota Attorney General Jackley reportedly stated that failure to be notified under the breach notification law entitles affected residents to a private right of action under SDCL § 37-24-31.

[1] “Personal information” is defined as a person’s name in combination with any of the following: (a) Social Security numbers, (b) driver’s license numbers or other government-issued unique identification numbers, (c) account, credit card or debit card numbers, in combination with any required code, PIN or information that would permit access to a person’s financial account, (d) health information as defined by HIPAA, and (e) employee identification numbers in combination with any code or biometric data required for authentication.

[2] “Protected information” is defined as (a) user names and email addresses in combination with any associated passwords or security question answers which would provide access to online accounts, and (b) account, credit card or debit card numbers in combination with any required code or password that permits access to a person’s financial account. Please note that (b) overlaps with part of the definition of “personal information,” but not completely.

© 2018 Proskauer Rose LLP.
This article was written by Tiffany Quach and Nicole Kramer of Proskauer Rose LLP.

Published by

National Law Forum