South Dakota remains the last state in the nation without data breach reporting protection for citizens, but Attorney General Marty Jackley intends to change that with the help of lawmakers this session.
Here’s what business leaders need to know about the bill.
- The basics – The Senate Judiciary Committee heard testimony Tuesday, January 23, on Senate Bill 62, which requires companies to notify the state within 60 days of a breach affecting more than 250 residents. The committee passed an amended version of the bill on a 7-0 vote. It now goes on to the full Senate.
- The “Trigger Mechanism” – Jackley offered an amendment during the hearing that would allow the affected business time to do an internal investigation to determine whether the breach negatively impacts the individuals impacted. If the business and the Attorney General determine there is no negative impact, the individuals do not have to be notified. However, if the AG determines a negative impact exists, the business will need to notify those individuals or risk prosecution and individual legal lawsuits or a class action lawsuit on behalf of those impacted.
- When it might be a crime – Much of the debate has centered on the appropriate criminal/civil penalties if a business does not provide proper notice to affected individuals following discovery of a breach.
- Why now? – Jackley says the bill is necessary because South Dakota residents are being directly impacted by large scale data breaches. He specifically notes the state’s estimated 275,000 residents whose personal information was released in the Equifax breach.
Update: On Thursday, January 25, Senators gave their final approval to SB 62 on a vote of 30-2 (with 3 members excused). An added amendment dealt with HIPAA concerns raised by the health care industry. The bill now moves on to the House.
Jackley recently spoke at the Better Business Bureau annual cybersecurity event to explain the breach’s impact and the legislation being brought forward. Watch the video below.