On March 8, both chambers of the South Dakota Legislature passed S.B. 62, the state’s first data breach notification bill. The bill creates a notification requirement for any person or business who owns or retains personal information of state residents. Specifically, information holders would be required to notify state residents within 60 days after the residents’ “personal or protected information was, or is reasonably believed to have been, acquired by an unauthorized person.” Information holders would also need to notify the State Attorney General if the breach involves more than 250 consumers. Notification to consumers is not necessary if the information holder conducts an investigation and determines that consumers are not likely to be harmed. However, the information holder must still notify the attorney general in such a case. The State Attorney General can impose a civil penalty with potential fines of up to $10,0000 a day per violation.
The bill is currently before Gov. Dennis Daugaard and if enacted, Alabama would be left as the only state without a data breach notification statute. Alabama, however, is also looking to strengthen its data breach protections. The Alabama Senate recently passed a notification bill unanimously that was backed by the support of the State Attorney General.
TIP: While almost all states have data breach notification laws, the laws vary in terms of the definition of “breach” and the time frame in which consumers must be informed. It is therefore important for information holders who collect consumer data in multiple states to stay apprised of the various requirements under each state's law to ensure timely disclosure.