One of two remaining states without a data breach notification law has finally enacted one of its own. On March 21, 2018, South Dakota Governor Dennis Daugaard signed South Dakota Senate Bill 62 into law, creating the newest state data breach notification law and making Alabama the last holdout. South Dakota’s new statute, which will be added as a new section to S.D. Codified Law § 22-40, is similar to other state data breach notification laws; however, it does contain some unique definitions, notice requirements and enforcement provisions.
Definition of Breach Is Limited to “Computerized Data”
South Dakota defines a “breach of system security” as “the unauthorized acquisition of unencrypted computerized data or encrypted computerized data and the encryption key by any person that materially compromises the security, confidentiality, or integrity of personal or protected information maintained by the information holder.” It is important to note that the definition of breach of system security does not include personal or protected information that is stored on paper.
“Personal Information” and “Protected Information” Are Broadly Defined
The definitions of “personal information” and “protected information” under the new law include a wide array of personally identifiable information. In addition to Social Security and state-issued identification numbers, the definition of “personal information” also includes bank account numbers in combination with routing numbers, health information, and employer-issued identification numbers in combination with passwords or “biometric data,” when combined with a person’s name. The definition of “protected information” includes user names and passwords that permit access to online accounts, as well as account, credit or debit numbers in combination with any required code or password that would permit access to an individual’s financial account.
Risk of Harm Provision
South Dakota’s data breach law also includes a risk of harm provision. In other words, a breach must likely result in harm to affected residents in order to trigger notification obligations. However, unlike most state breach notification laws, if notice obligations under the new law are not triggered because a breach will not likely result in harm, the information holder will still need to provide notice of the incident to the state attorney general. In addition, a determination by an information holder to not provide breach notification will need to be documented in writing, and such documentation will need to be maintained for at least three years.
Timing of Individual Notice and Content
If an information holder determines that notice of a breach must be provided to affected residents, such notice will need to be made within 60 days of discovery. The notice can be delayed if law enforcement determines that breach notification will impede a criminal investigation.
South Dakota does not require any specific contents for individual notices. While notice to individuals can be made in writing, the new law will permit electronic notice if the information holder’s “primary method of communication” with the affected resident has been through electronic means.
Notice to Consumer Reporting Agencies
Unlike many state breach notification laws, the new law will require that notification be provided to consumer reporting agencies when residents receive notice of a breach, regardless of the size of the breach. Most state breach notification laws only require that such notice be made if a certain number of residents are affected (typically 500 or 1,000).
Regulatory Notice and Enforcement
The new law requires that information holders notify the attorney general if 250 or more South Dakota residents are provided with notice of a breach. The attorney general will be permitted to prosecute failures to provide individual notifications as deceptive acts or practices and to seek civil penalties of up to $10,000 per day, per violation.
For additional information regarding data breach notification statutes enacted in the United States and worldwide, please refer to BakerHostetler’s State-by-State Survey of Data Breach Notification Laws and Key Issues in State Data Breach Notification Laws.