October 20, 2020

Volume X, Number 294

October 19, 2020

Subscribe to Latest Legal News and Analysis

South Dakota Passes Breach Notification Law, Leaving Alabama the Only U.S. State Without a Breach Notification Law

On March 21, 2018, South Dakota Governor Daugaard signed S.B. 62, enacting the state’s first data breach notification law, which will go into effect July 1, 2018. Previously, Alabama and South Dakota were the only U.S. states without data breach notification. As of July 2018, Alabama will be the last state without a data breach notification law, though this may soon change. The District of Columbia and three U.S. territories – Guam, Puerto Rico and the U.S. Virgin Islands – also have data breach notification laws in place.

South Dakota’s law requires that any person or business that conducts business in South Dakota and owns or licenses computerized “personal information”[1] or “protected information”[2] of the state’s residents (such persons/businesses referred to as “information holders”) disclose any “breach of system security” to any South Dakota resident whose personal or protected information was, or is reasonably believed to have been, acquired by an unauthorized person.

The law gives information holders a sixty-day window (from date of discovery or notification of the breach) to notify individuals, unless law enforcement determines that the notification should be delayed. However, if the information holder holds an appropriate investigation, reasonably determines that the breach will not likely result in harm to the affected residents and notifies the South Dakota attorney general of its determination, then the information holder is not required to notify affected residents.

Additionally, information holders must notify (1) all consumer reporting agencies and (2) if the breach affects over 250 South Dakota residents, the South Dakota attorney general. This consumer reporting agency notification obligation is unique, as most state breach notification laws only require such notification if a high number of residents, for example 500 or 1,000 residents, are affected.

The law provides the state Attorney General (and, potentially, affected residents) with imposing remedies. A violation of the breach notification law is considered a deceptive act or practice under South Dakota Codified Laws (“SDCL”) § 37-24-6, South Dakota’s consumer protection law. The South Dakota attorney general may (1) “prosecute each failure to disclose” under the breach notification law’s provisions as a deceptive act or practice under SDCL § 37-24-6, (2) impose a civil penalty of up to $10,000 per day per violation and (3) avail himself of any of the remedies provided under chapter 37-24 of SDCL. South Dakota Attorney General Jackley reportedly stated that failure to be notified under the breach notification law entitles affected residents to a private right of action under SDCL § 37-24-31.

[1] “Personal information” is defined as a person’s name in combination with any of the following: (a) Social Security numbers, (b) driver’s license numbers or other government-issued unique identification numbers, (c) account, credit card or debit card numbers, in combination with any required code, PIN or information that would permit access to a person’s financial account, (d) health information as defined by HIPAA, and (e) employee identification numbers in combination with any code or biometric data required for authentication.

[2] “Protected information” is defined as (a) user names and email addresses in combination with any associated passwords or security question answers which would provide access to online accounts, and (b) account, credit card or debit card numbers in combination with any required code or password that permits access to a person’s financial account. Please note that (b) overlaps with part of the definition of “personal information,” but not completely.

© 2020 Proskauer Rose LLP. National Law Review, Volume VIII, Number 92


About this Author

Tiffany Quach, associate, corporate department, business law, proskauer, New York, Privacy Law, IP, technology

Tiffany Quach is an associate in the Corporate Department. Her practice focuses on intellectual property, technology, privacy and data security, marketing and advertising across a range of industries, including media, communications, life sciences, financial services, retail, fashion, entertainment and sports. She has represented clients including Altice USA, Harry Winston, the Juilliard School and ZocDoc in relation to intellectual property and privacy and data security matters.

She contributes to Proskauer’s Privacy Law blog and maintains the...

Nicole Kramer, Corporate attorney, Proskauer

Nicole Kramer is an associate in the Corporate Department. She earned her J.D. from N.Y.U., where she was an AnBryce Scholar and served as an executive editor for the school’s Law Review. She focused her research and studies on intellectual property and privacy law, and participated in the school’s Technology Law and Policy Clinic. She interned as a legal assistant for Autodesk, a corporation that develops software for the architecture, engineering, manufacturing, media and entertainment industries.

She graduated from Stanford University with a degree in political science.