New Data Breach Law in South Dakota
As of this month, every state in the U.S. has a data breach notification law. Just yesterday (July first), South Dakota’s first-ever data breach notification law went into effect.
What Do South Dakota Businesses Need to Know?
- Personal Information and Protected Information Defined:
- “Personal Information” consists of a person’s first name or first initial and last name, in combination with their (a) social security number, (b) driver’s license number or other unique government id number, (c) bank account, credit card or debit card number in combination with security code, access code, password, routing number, PIN or any information that would permit access to a person’s financial account, (d) health information, and (e) an employer id number in combination with any required security code, access code, password, or biometric data for authentication purposes.
- “Protected Information” consists of (a) a username or email address in combination with a password, security question answer, or other information that permits access to an online account AND (b) account number or credit or debit card number, in combination with any required security code, access code, or password that permits access to a person’s financial account. NOTE: Protected Information does not include a person’s name.
- Data Breach Notification Requirement:
- In the event of unauthorized acquisition of data by any person that compromises the security, confidentiality or integrity of personal or protected information, the law requires notification to be given to affected individuals (and, in certain circumstances, the Attorney General).
- A harm threshold is included pursuant to which notification is not required if, after an appropriate investigation is conducted and notice is given to the Attorney General, the entity reasonably determines that the breach “will not likely result in harm” to the affected person(s).
- The law requires notification to nationwide consumer reporting agencies of the timing, distribution and content of the notice regardless of the number of individuals affected, and requires notification to the Attorney General if a breach affects more than 250 South Dakota residents.
- Method of Notice:
- Notice may be provided (a) in writing, (b) electronically consistent with E-SIGN, or (c) via substitute notice if the cost of providing notice would exceed $250,000, the affected number exceeds 500,000 individuals, or the entity does not have sufficient contact information to give notice.
- Substitute notice methods must consist of (a) email notice, if email address is available, (b) conspicuous posting on the entity’s website, and (c) notification to statewide media.
- Timing of Notice:
- A 60-day deadline was implemented for notification.
- Penalties for Non-Compliance:
- A violation of the breach notification law has the effect of creating a private right of action and the Attorney General may impose a fine of up to $10,000 per day per violation.
Get Ahead of a Potential Data Breach
Data breaches are not only caused by hacking; they can also be caused by physical threats. Businesses large and small in South Dakota can take precautions to minimize the risk of a data breach. Implementing solid data security policies can defend against both online and offline threats. Include these basic steps in your policy to get started:
- Secure Storage — Keep documents and data-containing devices physically secured in a locked bin or area with limited, controlled access.
- Secure Disposal and Destruction — Both documents and hardware should be securely disposed of through shredding (paper and hard drive disks) or erasure (hard drives, digital media devices). Be sure to use an R2 or e-Stewards certified vendor for any disposal, shredding, wiping or resale services to guarantee all data is securely destroyed in compliance with all applicable privacy legislation.
- Electronic Security — User authentication and system protection including passwords, firewalls and anti-virus programming.
- Human Capital Security — Background checks, proper training, security policies and termination protocols will prevent human error, negligence or intentional misconduct.
SEAM, based in Sioux Falls, South Dakota, can help businesses prevent data breaches before they happen. We offer hard drive shredding both onsite and off, hard drive erasure and data wiping, secure electronics recycling, and value recovery through certified resale services. Contact us today to see if we can help your South Dakota organization get its security policy started.