South Dakota Becomes 49th State to Enact a Data Breach Notification Law

On March 21, Governor Daugaard of South Dakota signed SB 62, making South Dakota the 49th state to enact a data breach notification statute (leaving only Alabama without a state data breach law).  South Dakota’s attorney general issued a statement after the law was signed, observing that the connected economy comes with “an increased risk of theft and fraud,” and “we need the tools to combat these breaches and thefts of our personal information.”

The law applies to the “personal information” of South Dakota residents, defined as a person’s first name or first initial and last name in combination with one or more data elements, including a Social Security number; a driver license number or other unique identifier used or collected by a government body; account, credit card, or debit card numbers in combination with any required security code; health information; or an identification number assigned by an employer in combination with other authentication information. Significantly, the law limits covered “health information” to health information as defined in the HIPAA regulations at 45 CFR 160.103.

Following a trend of specifying the number of days for notice, the law requires businesses to inform South Dakota residents and national consumer reporting agencies of a breach within 60 days from discovery or notification of the breach, unless delayed by the legitimate needs of law enforcement.

Furthermore, the new law requires that the South Dakota Attorney General also be notified within 60 days if the breach affects more than 250 South Dakota residents.

Notably, the law includes a risk of harm exception that removes the notice requirement when the business “reasonably determines that the breach will not likely result in harm to the affected person.” However, invoking that exception requires that notice still be given to the attorney general and that the risk of harm determination be documented and retained for three years. This requirement to notify the regulator even when no risk of harm is found is uncommon, aligning South Dakota with Alaska, Florida, and Vermont on this approach. The South Dakota law allows notification to be provided by written notice, electronic notice, or substitute notice. Failure to provide the required notification constitutes an unfair or deceptive practice, subject to civil penalties of up to $10,000 per day per violation, plus the state’s attorneys’ fees.