On January 25, 2018, the South Dakota Senate approved the state’s first data breach notification law. If passed, the law would leave Alabama as the only U.S. state without a notification law. The proposed law will now move to the South Dakota House of Representatives for consideration and, if approved, to Governor Dennis Daugaard to be signed into law.
Like other state data breach notification laws, the proposed South Dakota law would require certain individuals and businesses who collect personal information of state residents to provide notification to a resident whose information is affected by a data breach. Specifically, the law would require “information holders” to provide statutorily-prescribed notice to state residents whose “personal” or “protected” information was, or is reasonably believed to have been, acquired by an unauthorized person. Such notification would have to be given within 60 days of the date the information holder learns of the breach, with a limited exception allowing for delay where a law enforcement agency determines notification would impede a criminal investigation. In addition to notifying affected residents, information holders would be required to notify the South Dakota Attorney General if the data breach affects more than 250 state residents.
The law would also grant the Attorney General enforcement authority allowing prosecution of information holders who fail to give the requisite notification. A violation of the law would be considered a deceptive act under the state’s consumer protection statute and would also allow for a civil penalty of up to $10,000 per day per violation. The law would not, however, create a private right of action for individuals to bring suit against information holders.
If enacted, South Dakota’s law would join the patchwork of data breach notification laws existing in all states except Alabama. Its passage would also come nearly 15 years after California, a progressive state in the area of data privacy regulation, enacted the first state data breach notification law. In the absence of a federal law providing uniform notification requirements, the individual laws of the 48 states currently require entities that experience a data breach—particularly large breaches with national impact—to undertake a complex notification process that accounts for variations in each state’s law. While at a macro level all of the state laws generally require notification to individuals when their personal information is exposed, differences in statutory language can have significant impacts on when and how notification must be given. For example, South Dakota’s proposed law requires notification after the unauthorized acquisition of personal information, while states such as Florida impose an arguably lower threshold of unauthorized access to personal information.
Other key differences among the state laws exist with respect to the definition of “personal information,” time periods for providing notification, and “safe harbor” or “risk of harm” exceptions that permit an entity to forgo notification when it determines there is no reasonable likelihood of harm to affected individuals.