South Dakota May Become 49th State to Pass a Data Breach Notification Law
Tuesday, January 23, 2018
data breach, South Dakota, policy, protection, doing business

Related Practices & Jurisdictions
Print Mail Download i

Only two states in the United States lack data breach notification statutes, but that may change in 2018. If legislation pending in South Dakota passes, Alabama would be the only state without a data breach notification law.

South Dakota Senate Bill No. 62 would create a breach notification requirement for any person or business conducting business in South Dakota that owns or retains computerized personal or protected information of South Dakota residents. The law would require an information holder to disclose a breach to any South Dakota resident whose personal or protected information was, or is reasonably believed to have been, acquired by an unauthorized person. This disclosure would have to be made within 45 days from the discovery or notification of the breach, unless a longer period of time is required due to the legitimate needs of law enforcement.

In addition, breaches affecting more than 250 South Dakota residents would have to be reported to the state’s Attorney General. When there is a breach involving more than 250 South Dakota residents, the information holder also must notify all consumer reporting agencies of the timing, distribution, and content of the breach notification sent to those affected residents.

The Senate Bill makes each failure to disclose a breach an unfair or deceptive practice under South Dakota’s Deceptive Trade Practices And Consumer Protection law, which imposes criminal penalties for violations. In addition, the bill authorizes the state Attorney General to impose a civil penalty of up to $10,000 per day per violation and to recover attorneys’ fees and costs associated with an action brought against the information holder.

Today’s patchwork of 48 state breach notification laws requires data holders operating in multiple states to be aware of the requirements across several jurisdictions. There are steps companies can take to help them meet these requirements by establishing good baseline policies and practices.  These steps include:

  • Developing a written information security plan;
  • Training employees on data security;
  • Conducting regular data security assessments;
  • Running tabletop security exercises; and
  • Preparing template breach notices in advance of any breach.

As regulatorsplaintiff’s lawyers and the media continue to focus their attention on data breaches, companies should regularly review and update the measures they are taking to better secure the data they hold.

Jackson Lewis P.C. © 2024

Current Legal Analysis

More from Jackson Lewis P.C.

Pregnant Workers Fairness Act Final Regulations Released
by: Joseph J. Lynett , Katharine C. Weber
USCIS Issues Employment Authorization Procedures for Palestinians on Deferred Enforced Departure
by: Forrest G. Read IV
OSHA Proposes Expansion of Workplace Protections for Emergency Responders
by: Courtney M. Malveaux , Melanie L. Paul
Ninth Circuit Holds Warehouse Worker Qualifies as Transportation Worker Under FAA Exemption
by: Scott P. Jang
MSHA Issues Long Awaited Final Silica Rule
by: Karl F. Kumli
Labor Commissioner’s FAQ on Fast Food Minimum Wage
by: Laura A. Pierson-Scheinberg , Benjamin A. Tulis
New Study Shows Gen Z LGBTQIA+ Students, Graduates Value, Seek Out Inclusive Workplaces
by: Teresa Burke Wright , Alexandra Hunstein
DHS Extends, Redesignates Temporary Protected Status for Ethiopia
by: Forrest G. Read IV
Privacy Versus Cyber – What is the Bigger Risk?
by: Joseph J. Lazzarotti
Top Five Labor Law Developments for March 2024
by: Jonathan J. Spitz , Richard F. Vitarelli

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins