What local businesses need to know about the state’s new breach-notification law

June 26, 2018

This paid piece is sponsored by SDN Communications.

Businesses that use and store computerized information should get familiar with the state’s first-ever breach-notification law — and soon. It takes effect July 1.

The 2018 Legislature approved the bill at the request of Attorney General Marty Jackley. Gov. Dennis Daugaard signed it.

In approving the law, South Dakota edged out Alabama and became the 49th state with its own breach-notification law. Alabama approved a similar law this spring.

Many businesses in South Dakota and other states already are regulated through federal laws such as the Health Insurance Portability and Accountability Act of 1996 or the Gramm-Leach-Bliley Act, which puts rules on financial institutions.

Businesses that meet applicable federal regulations in dealing with breaches are deemed to be in accordance with South Dakota law.

The key provision of the state law requires that affected individuals be notified if unencrypted data — or encrypted data and the key — that compromises the security, confidentiality or integrity of personal or protected information is disclosed. Businesses must notify the affected individuals within 60 days of the breach’s discovery.

If a company investigates and determines the breach is not likely to hurt anyone, the leak does not have to be publicly disclosed. However, the attorney general must still be notified and can review the decision.

In addition to dealing with possible legal action taken by individuals whose information is exposed, the attorney general’s office may prosecute company failures to disclose breaches.

The new law appears to be similar to those in other states. In terms of breach-notification requirements, the vast majority of South Dakota businesses will now be covered by state or federal law.

The threshold required for businesses to take action is relatively low. The attorney general’s office must be notified of any breach that potentially affects more than 250 residents of the state.

The law defines personal information to include a person’s first name or first initial and last name in combination with at least one of the following:

  • Social Security number.
  • Driver’s license number.
  • Financial account information.
  • Health information.
  • Business-security information.

Breaches may be disclosed through means such as written notices, electronic notices and other means.

South Dakota’s law gives businesses 60 days from discovery or notification of a breach to take disclosure steps, unless law enforcement needs additional time to investigate. Some states allow only two days. Details like that can vary, but legislatures across America are toughening consumer protections in the wake of corporate data breaches, and understandably so.

There were more than 1,500 data breaches in 2017 throughout the United States. With the addition of South Dakota and Alabama, every state now has a breach-notification law.

Cybersecurity is an issue of growing importance across the nation. Local action to encourage business responsibility is in order.

SDN Communications has many resources, experts and services to help businesses improve their cybersecurity position. Start with the basics and download a free booklet using the link or the button below.

What local businesses need to know about the state’s new breach-notification law

Businesses that use and store computerized information should get familiar with the state’s first-ever breach-notification law — and soon. It takes effect July 1.

News Tip

Have a business news item to share with us?

Scroll to top