It has taken some time for South Dakota to introduce legislation to enhance protections for consumers impacted by breaches of their personal private data. Laws have already been passed in 48 states that obligate persons and companies that hold personal information to publish notifications to breach victims when that information is accessible by unauthorized individuals.
Last week, South Dakota citizens were given similar security measures to those in place in adjoining states. On March 21, 2018, South Dakota attorney general Marty Jackley published a statement confirming SB 62 had been signed by Governor Daugaard and will be enacted on July 1, 2018.
The bipartisan bill obligates bodies that suffer a breach of personal information to broadcast notifications to impacted state residents within 60 days of discovery of the breach – the same time frame as is required under HIPAA.
Personal information is classified as the full name or first initial and last name of a state resident along with either a government ID number, Social Security number, driver’s license details, credit/debit card number (with an associated code that permits the card to be used), employment ID number (with authentication data), and health information (the same definition as HIPAA 45 CFR 160.103). A notification must also be submitted to the state attorney general if the breach affects more than 250 state citizens, also within 60 days of identification of the breach.
As opposed to many states, there is a danger of harm exception in the South Dakota data breach notification law. If a breached body “reasonably determines that the breach will not likely result in harm to the affected person,” notifications do not need to be broadcast.
Delaying the issuing of breach notifications could result in a fine up to $10,000 per day plus state attorneys’ fees, with a fine of $10,000 possible for each breach.
Now that the South Dakota data breach notification law has been enacted, Alabama is the only remaining state that has not yet passed state-level data breach notification regulations. There is now a good chance that this will change soon as data breach legislation is currently under consideration by the House of Representatives following the unanimous passing of the Alabama Data Breach Notification Act of 2018 in the Alabama Senate in March 2018.