New Security Breach Law in the State of South Dakota

New Security Breach Law in the State of South Dakota
March 03, 2022 | 4 minutes read

South Dakota S.B. 62 is a data breach notification law that was passed in the U.S. state of South Dakota in 2018. As South Dakota had yet to pass legislation governing the regulations of security breach incidents prior to the enactment of South Dakota S.B. 62, the law establishes the steps and protocols that business entities operating within the state are required to follow in the event that a security breach takes place. Additionally, the law also sets forth the punishments that businesses and organizations stand to face should they fail to comply with the requirements mandated by the law.

How is a security breach defined under South Dakota S.B. 62?

Under South Dakota S.B. 62, a security breach is defined as “the unauthorized acquisition of unencrypted computerized data or encrypted computerized data and the encryption key by any person that materially compromises the security, confidentiality, or integrity of personal or protected information.” Furthermore, as it concerns the scope and application of the law, the provisions of South Dakota S.B. 62 are applicable to “any person or business that conducts business in South Dakota, and that owns or licenses computerized personal or protected information of residents of South Dakota (“Information Holder”).”

What are the security breach notification requirements?

Under South Dakota S.B. 62, a business entity or organization that experiences a security breach is responsible for providing notice to all affected individuals and parties. These notifications must be provided to residents within South Dakota no later than 60 days after the discovery of the breach, and affected entities must also provide notification to the three major credit reporting agencies within the U.S. (Equifax, Experian, and TransUnion), as well as the South Dakota attorney general, in instances where a security breach affects more than 250 individuals within the state. Third parties that collect or process personal information on behalf of business entities within South Dakota are also required to comply with the provisions of the law.

What types of personal information are legally protected?

In contrast to many other security breach notification laws around the U.S., South Dakota S.B. 62 designates two different types of personal information that are covered under the law, personal information and so-called protected information. With this being said, the following types of personal information are legally protected should a security breach occur, in combination with a South Dakota resident’s first name or first initial and last name:

  • Social security numbers.
  • Driver’s license numbers, as well as any other unique identification number that may be issued on behalf of a government agency or body within the state.
  • Account numbers and credit and debit cards, as well as any required security codes, passwords, access codes, PIN numbers, routing numbers, or any other forms of personal information that could be used to grant access to a South Dakota resident’s financial account.
  • “Health information as defined in 45 CFR 160.103 (HIPAA).”
  • “An identification number assigned to a person by the person’s employer in combination with any required security code, access code, password, or biometric data generated from measurements or analysis of human body characteristics for authentication purposes.”

Alternatively, the law also covers the following types of protected information:

  • User names and email addresses, in combination with any passwords, security question answers, or other forms of personal information that could be used to gain access to a South Dakota resident’s online account.
  • “Account number or credit and debit card number, in combination with any required security code, access code, or password that permits access to a person’s financial account.”

What are the penalties for violating South Dakota S.B. 62?

In terms of the enforcement of South Dakota S.B. 62, the provisions established in the law are enforceable by the South Dakota attorney general. Subsequently, businesses and organizations within South Dakota that are found to be in violation of the law are subject to a number of sanctions and penalties. These punishments include a civil action of up to $10,000 per day in which a business entity is found to be in violation of the law, as well as associated attorney fees and legal costs. Moreover, violations of South Dakota S.B. 62 are also considered deceptive acts and practices under other applicable legislation within the state.

As every state and major territory within the U.S. passed some form of security breach legislation by the year 2018, South Dakota was one of the last states within the country to pass such legislation. Nevertheless, as the law outlines two separate categories of personal information that are legally protected in the event of a security breach, residents of South Dakota are afforded a significant level of protection as it relates to data security. To this point, residents within South Dakota can have the peace of mind that they will have the means to protect themselves should their personal information become compromised as a result of a data or security breach.