South Dakota Senate Attorney Judiciary Committee Advances Data Breach Notification Bill

by | Jan 26, 2018

The South Dakota Senate Attorney Judiciary Committee has passed a bill to introduce data breach notification legislation after a 7-0 vote. The bill was proposed by the Committee on Judiciary following a request issued by the Attorney General Marty Jackley.

At present there are only two states in the United States that still have not introduced data breach legislation to safeguard state residents. Following  the introduction of the Bill in South Dakota, Alabama looks like it will be the sole state with a data breach notification law.

The South Dakota Senate Bill No. 62 makes it obligatory for notifications to be sent to state residents and the Attorney General once a breach that affects in excess of  state residents. The breach notifications must be issued without unreasonable delay and no later than 45 days following the identification of a breach, unless a delay is required by law enforcement.

Breach notifications would not be needed if the breached body, along with the attorney general, rules that consumers would be unlikely to be affected due of the breach.

A breach is classified as “The acquisition of unencrypted computerized data or encrypted computerized data and the encryption key by an unauthorized person that materially compromises the security, confidentiality, or integrity of personal or protected information maintained by the information holder.”

The law would be applicable to personal information, which is restricted to the full name or initial and last name along with the following data elements:

Social Security details, driver’s license number, unique government ID number, medical history, health insurance data, employment ID number with associated security code, account or credit/debit card details in along with security codes, passwords, PINs or access codes that would allow access to those accounts, biometric data used for authentication reasons, and email addresses, combined with passwords/security question answers, or other data that allows access to an online account.

The breach notifications must to be made in writing or electronically if the breach victim is normally contacted in that fashion. If the cost of notification is over $250,000 or more than 500,000 people have been impacted, or if insufficient contact information is recorded on the breach victims, a substitute breach notice would be acceptable. Substitute notices would need to have an email notice – if a valid email address is recorded, a conspicuous posting on the entity’s website, and a notice to statewide media outlets. Breaches affecting over 250,000 individuals would also necessitate notification to be issued to credit reporting agencies.

If the bill is passed, the South Dakota Attorney General would be empowered to bring an action against the breached body over the failure to adhere with the law. The maximum civil fine would be $10,000 per day, per violation. Attorney’s fees and other costs associated with the action would also be redeemable.

The South Dakota breach notification law would apply to all organizations operating in the state of South Dakota, although bodies in compliance with federal laws that have breach reporting obligations would be deemed to be in compliance with the requirements of the proposed legislation.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy