- Emergency Consultation Services
- Risk Management Services
- Who We Are
- Our People
- What We Do
- Why We Are Different
- What’s New
- Where We Are
By: Kacie L. Manisco
On January 23, 2018, South Dakota’s Senate Attorney Judicial Committee unanimously voted in favor of introducing data breach notification legislation. Senate Bill 62 would require an “Information Holder,” i.e., a person or business conducting business in South Dakota that owns or retains computerized personal or protected information, to notify South Dakota residents whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
The law would require notification within 45 days from the discovery of the breach, unless notification would impede a criminal investigation. Moreover, when there is a breach affecting more than 250 South Dakota residents, the Information Holder would be required to notify the state’s Attorney General and all consumer reporting agencies of the timing, distribution and content of the breach notification.
The Bill defines a “breach” as “the acquisition of unencrypted computerized data or encrypted computerized data and the encryption key by an unauthorized person that materially compromises security, confidentiality, or integrity of personal or protected information maintained by the information holder.”
The Bill further empowers the South Dakota Attorney General’s office to investigate and enforce violations. The Attorney General would be authorized to impose criminal penalties for the failure to disclose a breach as an unfair or deceptive practice under South Dakota’s Deceptive Trade Practices and Consumer Protection law. In addition, the Attorney General could impose a civil penalty of $10,000 per day per violation and recover attorneys’ fees and costs associated with any action brought against the Information Holder.
Currently, Alabama and South Dakota are the only two states in the United States without data breach notification statutes. If the South Dakota legislation passes, Alabama may soon be the only state lacking a data breach notification law.
If you have any questions or would like more information, please contact Kacie Manisco at [email protected].