The South Dakota Senate Attorney Judiciary Committee has passed a bill to introduce data breach notification legislation after a 7-0 vote. The bill was proposed by the Committee on Judiciary following a request issued by Attorney General Marty Jackley.
At present, only two states in the United States have still not introduced data breach legislation to safeguard state residents. Following the introduction of the bill in South Dakota, Alabama looks like it will be the sole state without a data breach notification law.
The South Dakota Senate Bill No. 62 makes it obligatory for notifications to be sent to state residents and the Attorney General once a breach that affects in excess of state residents. The breach notifications must be issued without unreasonable delay and no later than 45 days following the identification of a breach, unless a delay is required by law enforcement.
Breach notifications would not be needed if the breached body, along with the attorney general, rules that consumers would be unlikely to be affected as a result of the breach.
A breach is classified as “The acquisition of unencrypted computerized data or encrypted computerized data and the encryption key by an unauthorized person that materially compromises the security, confidentiality, or integrity of personal or protected information maintained by the information holder.”
The law would be applicable to personal information, which is restricted to the full name or initial and last name along with the following data elements:
Social Security details, driver’s license number, unique government ID number, medical history, health insurance data, employment ID number with associated security code, account or credit/debit card details along with security codes, passwords, PINs or access codes that would allow access to those accounts, biometric data used for authentication purposes, and email addresses combined with passwords, security question answers, or other data that allows access to an online account.
The breach notifications must be made in writing, or electronically if the breach victim is normally contacted in that fashion. If the cost of notification is over $250,000 or more than 500,000 people have been impacted, or if insufficient contact information is recorded on the breach victims, a substitute breach notice would be acceptable. Substitute notices would need to include an email notice (if a valid email address is recorded), a conspicuous posting on the entity’s website, and a notice to statewide media outlets. Breaches affecting over 250,000 individuals would also require notification to be issued to credit reporting agencies.
If the bill is passed, the South Dakota Attorney General would be empowered to bring an action against the breached body over the failure to comply with the law. The maximum civil fine would be $10,000 per day, per violation. Attorney’s fees and other costs associated with the action would also be recoverable.
The South Dakota breach notification law would apply to all organizations operating in the state of South Dakota, although bodies in compliance with federal laws that have breach reporting obligations would be deemed to be in compliance with the requirements of the proposed legislation.