ARTICLE
29 March 2018

And Then There Was One: South Dakota Passes Breach Notice Law, Alabama May Not Be Far Behind

SM
Sheppard Mullin Richter & Hampton

Contributor

Sheppard Mullin Richter & Hampton logo
Sheppard Mullin is a full service Global 100 firm with over 1,000 attorneys in 16 offices located in the United States, Europe and Asia. Since 1927, companies have turned to Sheppard Mullin to handle corporate and technology matters, high stakes litigation and complex financial transactions. In the US, the firm’s clients include more than half of the Fortune 100.
Explore Firm Details
South Dakota recently became the 49th US state to enact data breach notification legislation. The new law takes effect July 1, 2018 and mirrors other states' breach notice laws.
United States Privacy
Photo of Liisa M. Thomas
Photo of Amber Thomson
Authors

South Dakota recently became the 49th US state to enact data breach notification legislation. The new law takes effect July 1, 2018 and mirrors other states' breach notice laws. Information that if breached, gives rise to a duty to notify is defined to include Social Security and government-issued identification numbers, account and payment card numbers (in combination with security or access codes or PIN numbers), health information, and employer-issued identification numbers (in combination with security or access codes, biometric data, or passwords). Protected information includes user names or email addresses (in combination with passwords or security question answers), and account or payment card numbers (in combination with security or access codes or PIN numbers).

A "breach" in South Dakota is the unauthorized acquisition of unencrypted computerized data (or encrypted data where the key is compromised). The law provides for a definition of encryption (using a process that comports with FIPS 140-2). The law gives companies a 60 day window to notify impacted individuals, but does not have content requirements for notice. Notice to SD authorities is required if more than 250 residents are impacted. Substitute notice in SD is permitted in certain circumstances, and constitutes notice by email (if the company has the email addresses for impacted people), website posting and notice to statewide media. Alabama is the lone US state without a breach notice law; at least for now. The Alabama State Senate delivered SB 318 to Governor Ivey on March 27 for her signature. Alabama may thus become the final state to pass a data breach notification law in the coming days.

Putting it Into Practice: The passing of this law is a reminder that breach notification remains on the forefront of regulators' minds. Companies with nationwide breach notice plans in place should update their plans to add South Dakota to the list, in particular the need to notify state authorities if over 250 residents have been impacted by a breach as defined by this new law.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Photo of Liisa M. Thomas
Liisa M. Thomas
Photo of Amber Thomson
Amber Thomson
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More