Share this article on:
The Senate Attorney Judiciary Committee in South Dakota has overwhelmingly voted in favor of introducing data breach notification legislation. The bill, introduced by the Committee on Judiciary at the request of the Attorney General Marty Jackley, advanced after a 7-0 vote.
Currently there are only two states in the US that have yet to introduce data breach legislation to protect state residents. With South Dakota now looking likely to introduce new protections for state residents, Alabama looks like it will be the only state lacking a data breach notification law.
The Bill – South Dakota Senate Bill No. 62 – requires notifications to be issued to state residents and the Attorney General following a breach that impacts 250 or more state residents. The breach notifications would need to be issued without unnecessary delay and no later than 45 days following the discovery of a breach, unless a delay is requested by law enforcement.
Breach notifications would not be required if the breached entity, along with the attorney general, determines that consumers would be unlikely to be harmed as a result of the breach.
A breach is defined as “The acquisition of unencrypted computerized data or encrypted computerized data and the encryption key by an unauthorized person that materially compromises the security, confidentiality, or integrity of personal or protected information maintained by the information holder.”
The law would apply to personal information, which is limited to the full name or initial and last name in conjunction with the following data elements:
Social Security number, driver’s license number, unique government ID number, medical information, health insurance information, employment ID number with associated security code, account or credit/debit card numbers in conjunction with security codes, passwords, PINs or access codes that would permit access to those accounts, biometric data used for authentication purposes, and email addresses, in combination with passwords/security question answers, or other information that permits access to an online account.
The breach notifications would need to be made in writing or electronically if the breach victim is usually contacted in that manner. If the cost of notification exceeds $250,000 or more than 500,000 individuals have been impacted, or if insufficient contact information is held on the breach victims, a substitute breach notice would be acceptable. Substitute notices would need to include an email notice – if a valid email address is held, a conspicuous posting on the entity’s website, and a notice to statewide media. Breaches impacting more than 250,000 individuals would also require notification to be provided to credit reporting agencies.
If passed, the South Dakota Attorney General would be authorized to bring an action against the breached entity over the failure to comply with the law. The maximum civil penalty would be $10,000 per day, per violation. Attorney’s fees and other costs associated with the action would also be recoverable.
The South Dakota breach notification law would apply to all entities doing business in the state of South Dakota, although entities in compliance with federal laws that have breach reporting requirements would be deemed to be in compliance with the requirements of the proposed law.