What Every Business Needs to Know About South Dakota's New Data Breach Law

Gone are the days when business owners can consider data security the realm of the IT department. A recently enacted South Dakota law places legal responsibility for a data breach squarely on the business owner (and possibly employees).

On July 1, 2018, South Dakota’s new data breach notification law took effect. Here is what every South Dakota business should know about this new law:

  • Definitions of "Personal Information" and "Protected Information"

The law defines "personal information" as a person’s first name or first initial and last name in combination with any one or more of the following data elements: (1) Social Security Number; (2) driver’s license number or other unique identification number created or collected by a government body; (3) account, credit or debit card number, in combination with any required security code, access code, password, routing number, PIN or any additional information that would permit access to a person’s financial account; (4) health information; and (5) an identification number assigned to a person by the person’s employer in combination with any required security code, access code, password, or biometric data generated from measurements or analysis of human body characteristics for authentication purposes. 

The law further defines “protected information” as (1) a username or email address in combination with a password, security question answer, or other information that permits access to an online account; and (2) account number or credit or debit card number, in combination with any required security code, access code, or password that permits access to a person’s financial account. 

  • Breach Notification Requirement

The law requires notification to affected individuals (and, in certain circumstances, the Attorney General, as explained below) in the event of unauthorized acquisition of unencrypted computerized data (or encrypted computerized data and the encryption key) by any person that materially compromises the security, confidentiality, or integrity of personal information or protected information.

  • Content and Method of Notice

The law does not contain content requirements for the notice. Notice may be provided (1) in writing; (2) electronically, if the notice is consistent with the provisions of E-SIGN; or (3) via substitute notice if the cost of providing notice would exceed $250,000, the number of affected individuals exceeds 500,000, or the entity does not have sufficient contact information for affected individuals. Substitute notice must consist of (1) email notice, if the entity has an email address for affected individuals; (2) conspicuous posting on the entity’s website; and (3) notification to statewide media.

  • Timing

Notification to affected individuals is required within sixty (60) days of discovery of the breach.

  • Harm Threshold

The law contains a harm threshold, under which notification is not required if, following an appropriate investigation and notice to the Attorney General, the entity reasonably determines that the breach will not likely result in harm to the affected person(s).

  • Notice to the Attorney General

The law requires notification to the Attorney General of any breach that affects more than 250 South Dakota residents.

  • Notice to the Consumer Reporting Agencies

In the event notification to affected individuals is required, the law also requires notification to the nationwide consumer reporting agencies of the timing, distribution and content of the notice to individuals.

  • Penalties for Non-Compliance

A violation of the breach notification law is considered a deceptive act under the state’s consumer protection laws. This may have the effect of creating a private right of action. In addition, the Attorney General is authorized to enforce the breach notification law and may impose a fine of up to $10,000 per day per violation.