On March 21, 2018, South Dakota became the 49th state to enact a breach notification law, leaving Alabama as the sole U.S. state without one. The South Dakota law will take effect on July 1, 2018. Here is a summary of several of the new legislation’s key features:
Defining “Personal Information”: Like many other state data breach notification statutes, the new law defines “Personal Information” as a person’s first name or first initial and last name, in combination with any one or more of a variety of identifiers, including a social security number, driver license number, account/credit/debit card number in combination with any required security code, health information, or an identification number assigned to a person by the person’s employer in combination with any required security code, access code, password, or biometric data generated from measurements or analysis of human body characteristics for authentication purposes.
Defining “Protected Information”: Notably, the South Dakota statute expands the scope of information requiring notification beyond most other state data breach notification laws by encompassing information that does not include an individual’s name. In particular, the law defines “Protected Information” as including:
–A user name or email address, in combination with a password, security question answer, or other information that permits access to an online account; and
–Account number or credit or debit card number, in combination with any required security code, access code, or password that permits access to a person’s financial account.
Notification Requirements and Timing:
–To Individuals: The law requires notification to affected individuals in the event of “the unauthorized acquisition of unencrypted computerized data or encrypted computerized data and the encryption key by any person that materially compromises the security, confidentiality, or integrity of personal or protected information maintained by the information holder.
–The notification must be made not later than 60 days from the discovery or notification of the breach of system security, unless a longer period of time is required due to the legitimate needs of law enforcement. There are no specific content requirements for the notice. Notification must be made by (1) written notice; (2) electronic notice, if the notice is consistent with the provisions of 15 U.S.C. § 7001; or (3) substitute notice, if the information holder demonstrates the cost of providing notice would exceed $250,000.
–Exception: An information holder is not required to make a disclosure if, following an appropriate investigation and notice to the attorney general, the information holder reasonably determines that the breach will not likely result in harm to the affected person. The information holder shall document the determination under this section in writing and maintain the documentation for not less than three years.
–To Credit Reporting Agencies: If notification is given to affected individuals, notification must be given to credit bureaus or agencies without unreasonable delay. This notification must provide the timing, distribution, and content of the notice.
–To the State Attorney General: The law requires notification to the attorney general (by mail or electronic mail) where the breach exceeds 250 South Dakota residents.
Penalties: Failure to disclose under the law may be prosecuted by the attorney general as a deceptive act or practice. In addition, the attorney general may bring an action to recover on behalf of the state a civil penalty of not more than $10,000 per day per violation, plus recovery of attorneys’ fees and costs.
