What you need to know about South Dakota's data-breach notification law
Data breaches are not new phenomena. They have occurred since companies began maintaining records of customers’ personal information. However, data breaches have become an increasing concern with the growing reliance on digital data and cloud computing.
High-profile data breaches have pervaded the news in recent years and exposed the vulnerability of consumers’ personal information. In South Dakota alone, over 200,000 people were impacted by the Equifax breach last year.
Because of the major growth of data breaches, beginning in the early 2000s, states across the country began enacting data-breach notification laws. These laws require entities that receive and maintain customer personal information to notify an individual if his data may have been subject to unauthorized access. During the 2018 legislative session, South Dakota became one of the last two states in the country to adopt a data-breach notification law. With Alabama adopting its own law this summer, every state now has its own data-breach notification law.
The law generally
South Dakota codified its data-breach notification statutes at SDCL 22-40-19 to 22-40-26. The legislation was spearheaded by Attorney General Marty Jackley to protect South Dakotans from identity theft. Although entities have a strong interest in keeping their data systems secure, it is the individuals whose information is stolen who may experience the crippling financial effects of identity theft. By promptly notifying citizens that their personal information may have been compromised, businesses ensure their customers will be better able to monitor their credit information and mitigate any potential damages from a data breach.
Although data breaches are an increasingly common occurrence, their definition can still be elusive. The new South Dakota data-breach notification law defines a breach as the unauthorized acquisition of data that could compromise the security, confidentiality or integrity of personal or protected information. Furthermore, the law defines what constitutes personal and protected information, so businesses have a clear reference point in the unfortunate event of a data breach.
According to the new law, any time an information holder becomes aware of a data breach, it is required to disclose the breach to any South Dakota resident whose personal information is reasonably believed to have been acquired by an unauthorized person. The entity must make this disclosure within 60 days of discovering the breach unless law enforcement requires the disclosure to be delayed so that it will not impede a criminal investigation. If the entity conducts an appropriate investigation and determines the breach will not likely result in harm to the affected person, the entity is not required to disclose the breach, assuming notice has still been given to the attorney general.
In certain instances, an information holder also is required to notify specific agencies if it experiences a breach of personal or protected information. Entities that experience a data breach are required to notify consumer reporting agencies and credit bureaus that compile and maintain files on consumers on a nationwide basis. This provision allows agencies that maintain credit scores to monitor the accounts that may have been compromised in order to mitigate the damaging effects for the exposed individuals. If a data breach affects more than 250 residents of South Dakota, the information holder also is required to disclose the breach to the South Dakota attorney general.
South Dakota’s new data-breach notification law also prescribes the methods by which information holders may provide notice. The law specifically allows three types of notice depending on the specific circumstances of the breach and the information holder’s general practices.
An entity is deemed compliant with South Dakota’s data-breach notification law if the entity is regulated by federal law, including HIPAA or the Gramm-Leach-Bliley Act, and the entity maintains data-breach policies under those federal laws. If an information holder’s current policies align with the timing requirements of the new law, the entity is permitted to follow its established procedures to deliver notice, regardless of whether the entity complies with the methods of notice outlined in the South Dakota statutes. Any information holder that is regulated by federal law or regulation that requires notification in the event of a data breach is deemed to comply with the South Dakota law as long as it maintains procedures in accordance with those federal provisions.
Laws in other states
Each state has its own statutes governing data-breach notification requirements. While there is overlap in the specifics of these laws, key differences make it important to consult with legal counsel. If your business has customers outside South Dakota, or even outside the United States, your obligations in the event of a data breach could be diverse. For example, South Dakota’s statutes apply only to electronic data, but several states apply their data-breach notification laws to paper records as well. There are also important differences in the definitions central to the notification obligations, such as the way the states define “personal information.”
Since data-breach notification laws always include criminal and civil penalties for violators, your business should know and understand its legal obligations. Legal counsel also can assist you in adopting internal policies and procedures for preventing, identifying and addressing a data breach.
On the national and international stages, many legislative bodies are moving to adopt requirements applicable to the intake and maintenance of private data. These laws are preemptive rather than remedial, governing how businesses collect and use the data, regardless of whether a breach has occurred. In June, California enacted a Consumer Privacy Act to protect the rights of Californians over their personal data. The European Union’s General Data Protection Regulation became effective in May, to protect and empower EU citizens and their data privacy. It may take years for other countries and states to follow suit, but consumers are demanding greater security and accountability from businesses entrusted with private information.