South Dakota Enacts Data Breach Notification Law

South Dakota recently passed a data breach notification statute in response to a highly publicized 2017 data security breach involving a nationwide credit reporting agency.  The new law requires disclosure of a breach of system security to any state resident whose personal information was or is reasonably believed to have been acquired by an unauthorized person.  The law takes effect on July 1, 2018.

The disclosure of the breach must generally be made within 60 days from the discovery or notification of the breach, to both affected state residents and consumer reporting agencies, and must include notice to the state attorney general if a breach affects more than 250 South Dakota residents.

“Personal information” is defined to include a person’s first name, or first initial and last name in combination with various data elements, including, a social security number, or driver license number, as well as an account, credit, or debit card number.  “Protected information” includes a user name or email address in combination with a password, security question answer or other information that permits access to an online account.

An “unauthorized person” is defined as any person not authorized to acquire or disclose personal information, or any person authorized by the information holder to access personal information who has acquired or disclosed the personal information outside the guidelines established by the information holder.

Failure to disclose a breach in accordance with the requirements of the new law may carry civil penalties of up to $10,000 per day, per violation.