What entities are covered?
Information holders are covered. Information holder means “any person or business that conducts business in [South Dakota], and that owns or retains computerized personal or protected information of residents of [South Dakota].” SB 62 (1)(3)
Is there a requirement for service providers?
No.
What data are covered?
Both “personal information” and “protected information” are covered. SB 62 § 1(4)-(5). Personal information means “a person’s first name or first initial and last name, in combination with any one or more of the following:”
(1) Social security number;
(2) Driver license number or other unique identification number created or collected by a government body;
(3) Account, credit card, or debit card number, in combination with any required security code, access code, password, routing number, PIN, or any additional information that would permit access to a person’s financial account;
(4) Medical information;
(5) Health insurance information as defined under federal law; or
(6) An identification number assigned to a person by the person’s employer in combination with any required security code, access code, password, or biometric data generated from measurements or analysis of human body characteristics for authentication purposes. SB 62 § 1(4).
There is, however, an exception. Personal information does not include information that is “lawfully made available to the general public from federal, state, or local government records or information that has been redacted, or otherwise made unusable.” SB 62 § 1(4).
Protected information, which is also covered, includes:
(1) A user name or email address, in combination with a password, security question answer, or other information that permits access to an online account; and
(2) Account number or credit or debit card number, in combination with any required security code, access code, or password that permits access to a person’s financial account. SB 62 § 1(5).
Has there been a breach?
Breach of system security means “the unauthorized acquisition of unencrypted computerized data or encrypted computerized data and the encryption key by an unauthorized person that materially compromises the security, confidentiality, or integrity of personal or protected information maintained by the information holder.”
There is, however, an exception. “Breach of a system security” does not include “the good faith acquisition of personal or protected information by an employee or agent of the information holder for the purposes of the information holder if the personal or protected information is not used or subject to further unauthorized disclosure.” SB 62 § 1(1).
Is there a risk of harm analysis?
Yes. Notice is not required if, “following an appropriate investigation and notice to the attorney general, the information holder reasonably determines that the breach will not likely result in harm to the affected person.” SB 62 § 2.
Who receives notice?
Individuals: “Following the discovery or notification of a breach of system security, an information holder shall disclose . . . the breach of system security to any resident of this state whose personal or protected information was, or is reasonably believed to have been, acquired by an unauthorized person.” SB 62 § 2.
Consumer Reporting Agencies: “If an information holder discovers circumstances that require notification . . . the information holder shall also notify, without unreasonable delay, all consumer reporting agencies . . . and any other credit bureau or agency that compiles and maintains files on consumers on a nationwide basis, of the timing, distribution, and content of the notice.” SB 62 § 6.
Government Entities: “Any information holder that experiences a breach of system security . . . shall disclose to the attorney general by mail or electronic mail any breach of system security that exceeds [250] residents of [South Dakota].” SB 62 § 2.
When must notice be given?
“A disclosure under this section shall be made not later than sixty days from the discovery or notification of the breach of system security, unless a longer period of time is required due to the legitimate needs of law enforcement.” SB 62 § 2.
May notice be delayed?
Notice may be delayed if “a law enforcement agency determines that the notification will impede a criminal investigation.” It warrants noting, however, that “[i]f the notification is delayed, the notification shall be made not later than [30] days after the law enforcement agency determines that notification will not compromise the criminal investigation.” SB 62 § 3.
How must notice be given?
The required disclosures may be given by:
(1) Written notice;
(2) Electronic notice, if (1) the electronic notice is consistent with federal law, or (2) the information holder’s primary method of communication with the South Dakota resident has been by electronic means. SB 62 § 4(1)-(2).
Is substitute notice available?
Substitute notice is available in any of the following circumstances:
(1) If the information holder demonstrates that the cost of providing notice would exceed $250,000;
(2) The affected class of persons to be notified exceeds 500,000 persons; or
(3) The information holder does not have sufficient contact information. SB 62 § 4(3).
Such substitute notice must consist of each of the following:
(1) Email notice, if the information holder has an email address for the subject persons;
(2) Conspicuous posting of the notice on the information holder’s website, if the information holder maintains a website page; and
(3) Notification to statewide media. SB 62 § 4(3).
Is there an exemption or safe harbor?
For Establishment of Notification Methods:
Yes. “[I]f an information holder maintains its own notification procedure as part of an information security policy for the treatment of personal or protected information[,] and the policy is otherwise consistent with the timing requirements . . . the information holder is in compliance with the notification requirements . . . if the information holder notifies each person in accordance with the information holder’s policies in the event of a breach of system security.” SB 62 § 5.
For Following Interagency Guidelines:
Yes. “[A]ny information holder that is regulated by federal law or regulation, [including HIPAA or Gramm-Leach-Bliley] and that maintains procedures for a breach of system security pursuant to the laws, rules, regulations, guidance, or guidelines established by its primary or functional federal regulator is deemed to be in compliance [with state law] if the information holder notifies affected South Dakota residents in accordance with the provisions of the applicable federal law or regulation.” SB 62 § 8.
What is the enforcement/penalty mechanism?
The attorney general may prosecute each failure to disclose as a deceptive act or practice under South Dakota law. The attorney general may also bring an action to recover on behalf of the state a civil penalty of not more than $10,000 per day per violation. Moreover, the attorney general may also recover attorney’s fees and any costs associated with any action brought under the data breach notification law. SB 62 § 7.
Is there a private right of action?
No.