Mar 262018

South Dakota Becomes 49th State to Enact a Data Breach Notification Law

Colleen Theresa Brown, Edward R. McNicholas and Grady Nye
, , , ,

On March 21, Governor Daugaard of South Dakota signed SB 62, making South Dakota the 49th state to enact a data breach notification statute (leaving only Alabama without a state data breach law).  South Dakota’s attorney general issued a statement after the law was signed, observing that the connected economy comes with “an increased risk of theft and fraud,” and “we need the tools to combat these breaches and thefts of our personal information.”

The law applies to the “personal information” of South Dakota residents, which includes a person’s first name or first initial and last name in combination with one or more elements, including Social Security number; driver license number or other unique identifier used or collected by a government body; account, credit card, or debit card numbers in combination with any required security code; health information; or an identification number assigned by an employer in combination with other authentication information.  Significantly, the law limits covered “health information” to that information which is defined by HIPAA regulations at 45 CFR 160.103.

Following a trend of specifying the number of days for notice, the law requires businesses to inform South Dakota residents and national consumer reporting agencies of a breach within 60 days from discovery or notification of the breach, unless delayed by the legitimate needs of law enforcement.

Furthermore, the new law requires that the South Dakota Attorney General must also be notified within 60 days if the breach affects more than 250 South Dakota residents.

Notably, the law includes a risk of harm exception that obviates the notice requirement when the business “reasonably determines that the breach will not likely result in harm to the affected person.” However, that risk of harm exception requires that that notice is given to the attorney general and the risk of harm decision is documented and retained for three years.  This no-risk-of-harm regulator notification requirement is uncommon, aligning South Dakota with Alaska, Florida, and Vermont on this approach.  The South Dakota law allows notification to be provided by written notice, electronic notice, or substitute notice.  Failure to provide the required notification would constitute an unfair or deceptive practice, subject to civil penalties of up to $10,000 per day per violation, plus the state’s attorneys’ fees.

Colleen Theresa Brown

Washington, D.C.

cbrown@sidley.com

Edward R. McNicholas

emcnicholas@sidley.com

Grady Nye

gnye@sidley.com

You might also like
New EU Cyber Law for the Financial Services Industry with Significant Impact on ICT Service Providers

The new EU Regulation on Digital Operational Resilience for the Financial Sector (DORA) recently entered into force. DORA establishes cybersecurity requirements for information and communication technology (ICT) systems supporting the business processes of financial entities and represents a paradigm shift for the ICT sector.  Critical ICT third-party service providers, who are providing services to regulated financial entities, will also be directly regulated under DORA and subject to regulatory supervision by a regulator to be established under DORA (a so-called ‘Lead Overseer’).

Washington State Enacts My Health My Data Act, Broadly Regulating Health-Related Data With a Private Right of Action

On April 27, 2023, Washington Gov. Jay Inslee, a Democrat, signed into law the state’s My Health My Data Act (the Act), which will become effective on March 31, 2024 (June 30, 2024, for small businesses). Despite its name, this is a comprehensive privacy bill that will affect many entities, including those outside of the traditional “health” context. The rights and obligations may apply to individuals other than Washington residents, as the law defines consumers as including persons whose data is merely collected or otherwise processed in the state.

FemTech Has Been Warned: UK’s ICO Indicates Closer Scrutinization of FemTech Apps

On 4 April 2023, John Edwards, the UK’s Information Commissioner, stated that the UK’s Information Commissioner’s Office (ICO) would be “going after providers of women’s health apps and auditing them, and getting them to change any practices that are non-compliant.” Speaking at the IAPP Global Privacy Summit in Washington DC, the Information Commissioner indicated that this proposed strategy forms part of the ICO’s new “agile” initiative, which will focus on “areas of vulnerability, targeting…intervention [where] that has the greatest impact”.