A voted in favor of introducing data breach notification legislation has been overwhelmingly passed by the South Dakota Senate Attorney Judiciary Committee. The bill advanced after a 7-0 vote. It was originally introduced, at the request of the Attorney General Marty Jackley, by the Committee on Judiciary.
Presently there are only two states left in the US that have yet to implement data breach legislation to secure state residents. As it seems that South Dakota is likely to introduce new protections for state citizens, Alabama looks like it will be the final state that has no data breach notification law.
The Bill being sent forward – South Dakota Senate Bill No. 62 – states that notifications must to be issued to state residents and the Attorney General once a breach occurs that impacts 250 or more state citizens. The breach notifications would need to be sent out without unnecessary delay and no later than 45 days following the a breach being uncovered, unless a delay is requested by law enforcement agencies.
There would be no requirement for breach notifications if the breached entity, along with the attorney general, finds that consumers would have a small chance of being damaged as a result of the violation.
A breach, in this case, is referred to as “The acquisition of unencrypted computerized data or encrypted computerized data and the encryption key by an unauthorized person that materially compromises the security, confidentiality, or integrity of personal or protected information maintained by the information holder.”
The legislation in question would apply to personal information, which is kept to the full name or initial and last name when present with the following data details:
Social Security number, driver’s license particulars, unique government identification number, medical information, health insurance information, employment identification number with associated security code, account or credit/debit card numbers present with security codes, passwords, PINs or access codes that would be used to gain access to those accounts, biometric data used for authentication purposes, and email addresses, present with passwords/security question answers, or other information that permits logging on to to an internet account.
The breach notifications would need to be sent in writing or digitally if the breach victim is usually contacted in that way. If the cost of notification is higher than $250,000 or in excess of 500,000 individuals have suffered, or if insufficient contact details are held on those affected by the breach, a substitute breach notice would be permitted. Substitute notices would need to incorporate an email notice – if a valid email address is held, a conspicuous posting on the organization’s website, and a notice to statewide news agencies. Breaches involving over 250,000 individuals would also require notification to be provided to credit reporting agencies.
If the Bill is passed, the South Dakota Attorney General would be allowed to bring an action against the breached entity for breaking the law. The highest civil penalty would be $10,000 per day, per breach. Attorney’s fees and other costs resulting from the action would also be retrievable.
The South Dakota breach notification legislation, if passed, would apply to all companies/firms doing business in South Dakota, although companies/firms in compliance with federal legislation that have breach reporting requirements would be ruled to be in compliance with the necessary requirements.