South Dakota Moves Closer to Adopting Breach Notice Law

By Christopher Brown

South Dakota’s Senate Judiciary Committee Jan. 23 voted 7-0 to bring the state one step closer to enacting its first data breach notification law.

The bill (S.B. 62) would require an information holder, upon discovery of a data breach of unencrypted computerized data, to disclose the incident to impacted consumers within 60 days. Most of the 48 states with a breach notice law set a more general deadline for companies to report breaches within a reasonable time after discovery. But 12 states set in their laws a specific time limit for providing notice. Florida, at 30 days, has the shortest time limit to notify affected individuals.

The bill includes Social Security numbers, financial and payment card data, and health information as protected data.

The measure would require companies to notify the state attorney general if a breach affects more than 250 state residents. The attorney general could bring a civil action against companies for failure to comply with the measure, seeking up to $10,000 per day per violation.

Massive data breaches involving Equifax Inc. and Target Corp. motivated the push for the legislation.

“Data breaches such as those that have occurred with Equifax and Target have affected thousands of South Dakotans’ financial security and personal information,” state Attorney General Marty Jackley (R) said in a statement. The bill is “an important step to protect consumers and to assist law enforcement in its investigation of major data breaches,” he said.

South Dakota is one of two states, the other being Alabama, that don’t have a data breach notification statute. Legislation to supersede state statutes with a single federal standard has been floated in Congress since 2003 but has never passed.

Alabama Attorney General Steve Marshall (R) is optimistic that Alabama will enact a breach notice statute this year, his communications director, Mike Lewis, told Bloomberg Law Jan. 23.

Harm Threshold

Before sending the bill to the full Senate, the committee amended the bill to add a risk of harm threshold for when a company must notify individuals of a breach. Business groups, including the South Dakota Retailers Association and the South Dakota Bankers Association, had called for the change.

If, after an investigation and notice to the attorney general, a company “reasonably determines that the breach will not likely result in harm to the affected person,” then no notice is required.

Sen. Stace Nelson (R) told the committee that he would like to see the Senate take a second look at the provision requiring notification of the attorney general for any breach affecting at least 250 residents. “My concern is that that’s too large a number,” he said. “I’d like to see us whittle that number down.”

Jackley told the committee that he would consider amendments lowering the 250-resident threshold to be “friendly amendments”—that is, proposed changes to the bill that wouldn’t draw opposition.

With assistance from Daniel R. Stoller in Washington

To contact the reporter on this story: Christopher Brown in St. Louis at ChrisBrown@bloomberglaw.com

To contact the editor responsible for this story: Donald Aplin at daplin@bloomberglaw.com

Copyright © 2018 The Bureau of National Affairs, Inc. All Rights Reserved.