Earlier this year, South Dakota passed the state’s first data breach notification law. Prior to passage of the law, South Dakota was one of only two states that did not have a state data breach notification law. The law went into effect this past July.
As with data breach notification laws in other states, South Dakota’s law applies to Illinois business that own or license personal information of South Dakota residents.
What is included in the South Dakota Data Breach Notification Law?
In many ways, South Dakota’s law is similar to data breach notification laws in other states, including Illinois. The law requires that any company that conducts business in South Dakota, and that owns or licenses computerized personal or protected information of South Dakota residents, must notify any South Dakota resident whose personal or protected information was, or is reasonably believed to have been, acquired by an unauthorized person. The information holder has sixty days to provide notification of the breach, unless law enforcement determines that a longer period of time is necessary. The information holder must also notify all consumer reporting agencies and any other credit bureau or agency that compiles and maintains files on consumers on a nationwide basis. Additionally, if more than 250 South Dakota residents are affected, the information holder must initially notify the state attorney general.
Notification is however not required if after an investigation and notification to the attorney general, the information holder determines that the data breach will not likely result in harm to the affected person. Such a determination must be documented and retained by the information holder for not less than three years.
The attorney general has the power to prosecute each failure to disclose as a deceptive act under South Dakota’s consumer protection law, or may bring an action to recover on behalf of the state a civil penalty up to $10,000 per day per violation.
Although state data breach notification laws are substantially similar, there are important differences that companies need to be aware of to ensure compliance with the law. If you have any questions regards data breach notification law, or data breach planning and response, please contact Tim Hayes at McKenna Storer.
If your company collects and stores and kind of personal data, including employee data, you must be prepared for a potential data breach, you may want to download our FREE “Ten Data Privacy Issues Every Business Must Address.” In this guide, we give you valuable information about data privacy that you have probably not considered.