The South Dakota Senate Attorney Judiciary Committee has voted overwhelmingly in favor of introducing data breach notification legislation. The bill advanced after a 7-0 vote. It was originally introduced at the request of South Dakota Attorney General Marty Jackley.
Presently there are only two states left in the US that have yet to implement data breach legislation to protect state residents. As it seems that South Dakota is likely to introduce new protections for state residents, Alabama looks like it will be the only state that has no data breach notification law.
The Bill being sent forward – South Dakota Senate Bill No. 62 – states that notifications must be issued to state residents. A notification must also be sent to the state Attorney General if the breach impacts 250 or more state residents. The breach notifications would need to be sent out without unnecessary delay and no later than 45 days from the date the breach is discovered, unless a delay is requested by law enforcement agencies.
There would be no requirement for breach notifications if the breached entity, along with the attorney general, finds that consumers would only face a small chance of harm as a result of the breach.
A breach, in this case, is referred to as “The acquisition of unencrypted computerized data or encrypted computerized data and the encryption key by an unauthorized person that materially compromises the security, confidentiality, or integrity of personal or protected information maintained by the information holder.”
The legislation in question would apply to personal information, which means the full name or initial and last name of a state resident in combination with any of the following data elements:
Social Security number, driver’s license particulars, unique government identification number, medical information, health insurance information, employment identification number with associated security code, account or credit/debit card numbers present with security codes, passwords, PINs or access codes that would be used to gain access to those accounts, biometric data used for authentication purposes, and email addresses, present with passwords/security question answers, or other information that permits logging on to an internet account.
The breach notifications would need to be sent in writing or digitally if the breach victim is usually contacted in that way. If the cost of notification is higher than $250,000, if more than 500,000 individuals have been affected, or if insufficient contact details are held on those affected by the breach, a substitute breach notice would be permitted. Substitute notices would need to incorporate an email notice – if a valid email address is held – a conspicuous posting on the organization’s website, and a notice to statewide news agencies. Breaches involving over 250,000 individuals would also require notification to be provided to credit reporting agencies.
If the Bill is passed, the South Dakota Attorney General would be allowed to bring an action against the breached entity for breaking the law. The highest civil penalty would be $10,000 per day, per breach. Attorney’s fees and other costs resulting from the action would also be recoverable.
The South Dakota breach notification legislation, if passed, would apply to all companies/firms doing business in South Dakota, although companies/firms in compliance with federal legislation that has breach reporting requirements would be ruled to be in compliance with the state law.