South Dakota is the 49th State to Enact a Breach Notification Law
Yesterday, South Dakota’s Governor signed into law “An Act to provide for the notification related to a breach of certain data and to provide a penalty therefor.” Under the Act, when a “breach of system security” involves personal or protected information, the holder of the information must notify affected residents within 60 days and, if more than 250 individuals are affected, the holder must notify the state attorney general. The definition of personal information includes health information and certain other employer-specific identifying information. “Protected information” means information necessary to access an online account tied to financial account information. Alabama is now the only state without a law addressing data breach notification although such legislation is currently pending in that state.