Gone are the days when business owners can consider data security the realm of the IT department. A recently enacted South Dakota law places legal responsibility for data breach squarely on the business owner (and possibly employees).
Data Security is the province of “Information Holders” – which, if you’re reading this, might be you
Under the new law, “information holders” who undergo certain kinds of data breach are required to notify persons whose information is compromised. In some cases, the information holder is also required to notify the Attorney General. “Information holder” means “any person or business that conducts business in South Dakota, and that owns or licenses computerized personal or protected information…” The law’s obligations thus seem to apply to any business entity as well as any individual who engages in qualifying commercial activity.
Reporting requirement & civil liability
Because the definition of information holder includes individuals as well as entities, the duty to report appears to be both personal and corporate. Likewise, violation of the law can give rise to personal liability, corporate liability, or both. Violators can be criminally prosecuted and forced to pay a civil fine of up to $10,000 per day. Data security is not just IT’s job; it is an owner’s job. Owners, and their business entities, are on the hook for it.