Blog & Tools

South Dakota justifiably adds breach-notification law

Data Breach - New SD Law

Companies that keep their customer records on paper and store the information in file cabinets - if there are businesses like that left in South Dakota - don’t have to worry about the state’s new breach notification law.

However, businesses that use and store computerized data ­probably should familiarize themselves with provisions of South Dakota’s first-ever breach-notification law, which takes effect July 1.

The 2018 Legislature approved the bill at the request of Attorney General Marty Jackley. Gov. Dennis Daugaard signed it.

In approving the law, South Dakota edged out Alabama and became the 49th state with its own breach-notification law. Alabama approved a similar law this spring.

Many businesses in South Dakota and other states already are regulated by federal regulations through laws such as the Health Insurance Portability and Accountability Act of 1996 (HIPPA) or the Gramm Leach Bliley Act, which puts rules on financial institutions.

Businesses that meet applicable federal regulations in dealing with breaches are deemed to be in accordance with South Dakota law.

The key provision of South Dakota’s law requires that affected individuals be notified if unencrypted data (or encrypted data and the key) that compromises the security, confidentiality or integrity of personal or protected information is disclosed. Affected individuals must be notified within 60 days of the breach’s discovery.

If a company investigates and determines that a breach is not likely to hurt anyone, the leak does not have to be publicly disclosed. However, the attorney general must be notified and can review the decision.

In addition to dealing with possible legal action taken by individuals whose information is exposed, the attorney general’s office may prosecute company failures to disclose breaches.

Nancy Johnson, in-house counsel for SDN Communications, prepared a report about the law change for SDN’s Board of Managers.

The state’s law appears to be similar to those in other states, Johnson said. She doesn’t expect the law to affect the telecommunications industry much. But it could affect businesses not subject to federal regulation, she said.

Greg Dean followed the bill as it worked its way through the Legislature in Pierre. He’s is the director of industry relations for the South Dakota Telecommunications Association.

In terms of breach-notification requirements, the vast majority of South Dakota businesses will now be covered by state or federal law, Dean said.

The threshold required for businesses to take action is relatively low, Dean points out. The attorney general’s office must be notified of any breach that that potentially affects more than 250 residents of the state.

The law defines personal information to include a person’s first name or first initial and last name in combination with one of the following:

  • a Social Security number.
  • a driver’s license number.
  • financial account information.
  • health information.
  • business-security information.

Breaches may be disclosed through means such as written notices, electronic notices and other means.

South Dakota’s law gives businesses 60 days from discovery or notification of a breach to take disclosure steps, unless law enforcement needs additional time to investigate. Some states only allow two days. Details like that can vary, but legislatures across America are toughening consumer protections in the wake of corporate data breaches, and understandably so.

There were more than 1,500 data breaches in 2017 throughout the United States. With the addition of South Dakota and Alabama, every state now has a breach-notification law.

Cybersecurity is an issue of growing importance across the nation. Local action to encourage business responsibility is in order.