There are only two U.S. states that do not have data breach legislation for the protection of their state residents – South Dakota and Alabama. But that will soon change as the Committee on Judiciary recently introduced South Dakota Senate bill No. 62 at the request of Attorney General Marty Jackley.
The bill requires the notification of state residents and the State Attorney General when a breach impacts 250 or more state residents. The issued notification should not exceed 45 days after the discovery of a breach. It should be issued without unnecessary delay unless requested by law enforcement. There’s no need to issue breach notifications if the breached entity and the attorney general deems the breach as not harmful to the consumers.
A breach refers to the acquisition by an unauthorized individual of any unencrypted computerized information or encrypted computerized information together with the encryption key that materially compromises the security, confidentiality, or integrity of personal or protected information kept under the custody of the information holder.
The bill limits what is regarded as personal information to the resident’s full name or initial and last name together with the following data elements:
- Social Security number
- unique government ID number
- driver’s license number
- medical information
- health insurance information
- biometric data used for authenticating identity
- employment ID number and security code
- email addresses and passwords/security question answers
- other information that permits access to an online account
- account or credit/debit card numbers and their security codes, passwords, PINs or access codes that would permit access to those accounts
The issued breach notifications must be sent via mail or electronically if the breach victim is contacted via this channel. A substitute breach notice may be issued if the cost of notification would exceed $250,000 or if over 500,000 persons had been impacted. Breached entity may use substitute breach notices, such as an email notice, a prominent notice on the entity’s website or a notice using statewide media. When over 250,000 persons are impacted by a breach, notification to credit reporting agencies is also required.
If this data breach notification legislation passed, breached entities will be penalized for failure to comply a maximum civil penalty of $10,000 per day, per violation plus attorney’s fees and other costs. All entities doing business in South Dakota need to follow this law. Entities already in compliance with federal laws’ breach reporting requirements are regarded as compliant to the proposed law.