In today's world, businesses collect legally protected personal information about customers all the time. It's part of knowing thy customer, right? Well, a new South Dakota data breach law aims to protect the public (i.e. customers) when a data breach compromises their personal information. Having customers' personal information thus comes with a new cost - the cost of complying with this law.
Bird’s Eye View
The new law requires mandatory disclosure of certain data breaches to residents affected by the breach and, in some cases, to the attorney general. Not all data breaches appear to trigger disclosure. Only “breach of system security” against an “information holder” triggers the disclosure requirement. See S.D.C.L. 22-40 et seq. The definition of information holder under the new law is “any person or business that conducts business in this state, and that owns or licenses computerized personal or protected information of residents of this state.”
One of the first questions you need to ask is: Does my activity make me a “person or business” for purposes of this law? The answer shouldn't be difficult to determine because “person” and “business” have broad definitions under state law. A follow-up question might be: Do I conduct business in South Dakota? The answer to this question depends on what goes into conducting your business. Having a physical location in South Dakota likely means you conduct business here. Legal formation under South Dakota law, without physical operation here, probably means you conduct business "in South Dakota", but the answer is less certain and you should consult with a South Dakota business attorney.
Of particular note for businesses with an online presence or that market across state lines into South Dakota: not having a physical location or original legal formation in South Dakota might not mean you don't conduct business here for purposes of the new law. If you operate under these circumstances, you should consult with a South Dakota business attorney as well.
Type of Information Protected
First, the law protects "computerized" information. This seems to refer to the form in which the information exists. The law doesn't explain what it means by computerized, but if computer industry parlance is used, this term would have a broad definition.
Next let’s turn to the content covered by the new law. “Personal information” consists of combinations of other kinds of information. “Protected information” seems to overlap with “personal information,” although its thrust seems to be different. Both definitions require close attention. Given how many combinations are possible, it's likely that your business has or will acquire some form of "personal or protected" information on customers.
Ownership or Licensing?
You next need to analyze your business’ relationship with information on South Dakota residents. Do you “own or license computerized personal information of residents of this state”? Id.
Data licensing has become a regular business practice, and you probably know whether you're in a licensing relationship. But whether or not you think you are, it's wise to consult with a South Dakota business attorney about this point.
The larger question is whether you “own” this information. The new law does not define ownership.
- Does ownership merely mean possessing the information, like having it exist somewhere in your computer system?
- Does ownership occur upon merely accessing the information, regardless of how it’s accessed?
- Does ownership have to be granted by the person the information pertains to?
This is the tip of the iceberg for questions raised by this new law. Stay tuned for further discussion and, as always, consult with an attorney before making legal decisions.
These posts are intended to be informational and not advisory. Discussion here is not legal advice and any intended action on your part should be done only after consultation with an attorney of your choice.