MONTH-IN-BRIEF (Apr 2018)
South Dakota Joins the Club by Passing a Data Breach Notification Law
By Jesse L. Noa, Potter Anderson & Corroon LLP
On March 21, 2018, South Dakota joined 48 other states by enacting its data breach notification law. Effective July 1, 2018, the law requires that any person or entity doing business in South Dakota that owns or licenses “personal information” or “protected information” of South Dakota residents must provide notification to affected residents in the event of a “breach of system security.” Absent limited exceptions, notice must be sent within 60 days of discovery of the breach to any resident whose information was, or is reasonably believed to have been, acquired by an unauthorized person. Notice must also be provided to the attorney general if the breach impacts more than 250 residents. Like many other states, South Dakota provides a safe harbor for encrypted data, provided that the encryption key is not implicated as part of the breach. Violation of the law can carry steep penalties. The attorney general can seek up to $10,000 per day per violation in addition to other remedies, including possible criminal prosecution, as well as recovery of attorneys’ fees. Further, while not explicit, the law’s incorporation of South Dakota’s Deceptive Trade Practices Act raises a question regarding whether there is a private right of action under the new law.