We previously noted last month that only two states had not enacted a data breach notification law to date—South Dakota and Alabama [see related post].

South Dakota passed the finish line right before Alabama, but both states have now joined the rest of the nation in enacting data breach notification laws for their citizens.  Last month, South Dakota Governor Dennis Daugaard signed South Dakota § 22-40-19 et. seq., the South Dakota Data Breach Notification Law,  into effect. Alabama Governor Kay Ivey’s signature on April 3, 2018, inked the final state data breach law into effect. The Alabama law goes into effect on May 1, 2018, the highlights of which we noted during our previous post.

The South Dakota new breach notification law is applicable to electronic records only. It defines “personal information” in a conservative manner, including a person’s name in combination with a Social Security number, driver’s license number or unique number issued by the government, account, credit card, or debit card with security, PIN or passcode, routing number or any other information that would allow someone to access a person’s account, health information or an identification number assigned by an employer including a security code, access code, password or biometric data. It is interesting to note that the protection of biometric data is protected only as it is associated with authentication of an employee by an employer.

It also defines “protected information” as a user name or email address, in combination with a password, security question answer, or other information that permits access to an online account; and account number or credit or debit card number, in combination with any required security code, access code, or password that permits access to a person’s financial account, (which is duplicative of the definition of “personal information”).

Notification of a breach must be made to individuals within 60 days of discovery unless law enforcement requests a delay. If law enforcement requests a delay, notification must be made within 30 days after law enforcement notifies the holder that notification will not compromise a criminal investigation. Notification is not required if the holder of the information, following an investigation and notice to the attorney general believes the breach will not likely result in harm to the affected person. If that determination is made, the holder of the information must document its findings and maintain the documentation for at least three years.

If notification is provided, the Attorney General is also to be notified if more than 250 residents are affected. All reportable breaches, no matter how many South Dakota residents are affected, must be reported to the credit reporting agencies.

The Attorney General is authorized by the statute to prosecute failures to disclose data breaches and can recover civil penalties of up to $10,000 per day per violation, along with attorney’s fees and costs.