At present, South Dakota is one of two states that do not have breach notification laws (Alabama being the other), but that could soon change if proposals passed by the Senate Judiciary Committee last Tuesday are enacted by the South Dakota State Legislature.
The proposed bill – SB 62 (PDF) – would amend Chapter 22-40 of the Codified Laws relating to identity crimes, and require companies maintaining computerized information about South Dakota residents to inform consumers of “unauthorized acquisition” of their personal data.
If enacted, the bill stipulates that residents have to be informed within sixty days of discovery of a breach unless the company and the State Attorney General's Office determine the breach is unlikely to cause harm to those whose data has been acquired without authorization.
Under the proposed laws, extensions to the sixty-day limit are allowed if more time is required for law enforcement agencies to investigate the breach; and, if the breach involves more than 250 South Dakota residents, companies must notify consumer reporting agencies of the timing, distribution, and content of the breach notification sent to affected residents.
How This Might Affect HIPAA-Covered Entities
Although the bill mostly uses HIPAA's definition of Protected Health Information to determine what constitutes "personal data", the definition of biometric data is slightly amended to "that generated from measurements or analysis of human body characteristics for authentication purposes".
A more significant difference from HIPAA is that affected residents of South Dakota have to be notified of a breach within sixty days, rather than the ninety days mandated by the Breach Notification Rule. There is also the requirement to notify consumer reporting agencies of a breach affecting more than 250 residents (rather than informing HHS of breaches involving more than 500 records).
HIPAA-Covered Entities and Business Associates maintaining the personal data of South Dakota residents will be deemed to be in compliance with the proposals unless it is subsequently proven otherwise. Organizations unsure about their HIPAA compliance should seek professional advice, as the proposed penalties for non-compliance with South Dakota's breach notification law are significant.
Penalties for Non-Compliance with the Proposed Bill
The bill places the responsibility for investigating non-compliance with the South Dakota Attorney General's Office, and gives the Attorney General the authority to impose a civil penalty of up to $10,000 per violation per day plus the costs of pursuing civil action.
The bill also allows the State to impose civil penalties of up to $2,000 per violation per day under its "Deceptive Trade Practices and Consumer Protection Law" (§37-24-27). The criterion for falling foul of this law is that a company knew, or should have known, it had a legal duty to notify consumers of a breach of their personal information.