The states of South Dakota and Alabama currently do not have breach notification laws. That will change for South Dakota soon if its State Legislature approves proposed bill SB 62, which has been passed by the Senate Judiciary Committee. The bill seeks to amend Chapter 22-40 of the Codified Laws relating to identity crimes. It requires companies that maintain South Dakota residents’ computerized information to inform those residents should there be unauthorized acquisition of their personal data.
The bill stipulates that in the event of a breach, affected residents must be notified within 45 days of the discovery of the breach. The only exception to this rule is if the company and the state attorney general’s office determine that the breach is not harmful to residents’ data. An extension of the 60-day limit is allowed if law enforcement agencies ask for more time to investigate the incident. If the breach affects more than 250 South Dakota residents, consumer reporting agencies must be informed of the timing, distribution and content of the breach notification letters sent to affected residents.
The bill mostly follows HIPAA’s definition of Protected Health Information, except for the definition of biometric data, which is slightly amended to refer to “that generated from measurements or analysis of human body characteristics for authentication purposes.” HIPAA-covered entities and business associates are regarded as compliant with the proposed bill unless subsequently proven otherwise. Organizations that are not yet HIPAA compliant must seek professional advice to comply with the requirements.
Under the bill, the South Dakota Attorney General’s Office is responsible for investigating non-compliance with the state’s breach notification law. The Attorney General has the authority to impose a civil penalty of as much as $10,000 per violation per day, in addition to the costs of pursuing civil action. The bill also permits the state to impose civil penalties of as much as $2,000 per day for violating the Deceptive Trade Practices and Consumer Protection Law. This law penalizes a company that knew, or should have known, of its legal duty to notify residents of a breach of their personal information but failed to do so.