On March 21, 2018, South Dakota’s Senate Bill 62 was signed into law, adding a 49th square to the nation’s patchwork of state data breach notification laws. You can find the full text of the statute here, but below we provide a few takeaways for organizations that maintain information about residents of South Dakota:
Triggered by Acquisition of Computerized Data Only
The law defines “breach of system security” as the unauthorized acquisition of unencrypted computerized data or encrypted computerized data and the encryption key by any person that materially compromises the security, confidentiality, or integrity of personal or protected information maintained by the information holder.
This is similar in nature to data breach statutes in other states.
Expansive Definition of Personally Identifiable Information
South Dakota defines the term “personal information” broadly, which is on-trend with recent changes to other similar laws. South Dakota lists the following as “personal information,” when in combination with a first name or first initial plus last name:
• Social Security Number; • Driver’s license number or other unique identification number created or collected by a government body; • Account, credit card or debit card number, in combination with any required security code, access code, password, routing number, PIN or any additional information that would permit access to a person’s financial account; • Health information as defined by HIPAA; and • An identification number assigned to a person by the person’s employer in combination with any required security code, access code, password, or biometric data generated from measurements or analysis of human body characteristics for authentication purposes.
Even without the disclosure of an individual’s first name/initial and last name, the following is defined as “protected information”:
• a username or email address in combination with a password, security question answer, or other information that permits access to an online account; and • account number or credit or debit card number, in combination with any required security code, access code, or password that permits access to a person’s financial account.
Timeline for Notification
South Dakota requires notification to an impacted individual – anyone whose personal information or “protected information” was accessed without authorization – within 60 days of discovery of a breach.
If the entity determines that the breach is not likely to result in harm to the impacted person, no notification is required. However, South Dakota joins a handful of other states that require the entity to document such a determination in writing and maintain the documentation for three years.
Regulatory and Third Party Notice
The South Dakota attorney general must be notified if the breach impacts more than 250 South Dakota residents.
The law also requires entities to notify all credit bureaus, regardless of how many South Dakota residents are impacted.
The law permits the attorney general to prosecute any failure to notify under the act as a deceptive act or practice under South Dakota’s laws. Civil penalties are authorized in an amount not more than $10,000 per day per violation, and the attorney general is permitted to recover attorney’s fees and costs associated with the action.
Entities that maintain information about South Dakota residents should ensure that their response to any security incident complies with this new law, particularly the notice requirement for the attorney general and credit bureaus.