On March 21, South Dakota became the 49th state to enact a data breach notification law. Governor Dennis Daugaard signed Senate Bill 62, which goes into effect on July 1, 2018. Any organization that holds, transfers, or processes South Dakota residents’ personal data in digital format is covered by the new law.
That leaves Alabama as the only state without a breach notification law on the books (Washington DC already has one). At the time of writing, Alabama's own data breach bill is pending.
What information is covered?
South Dakota’s breach notification law is similar to other states’ in that it references “breach of system security” and “personal information”. Its definition of personal information is broader than many, however: it also includes health information as defined in the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. The bill also introduces a second term, “protected information”, which covers:
- Online account access – a username or email address combined with a password, a security question and answer, or any other means of authentication that would permit access to an online account
- Financial account access – an account number or payment card number combined with any required security code, access code or password that would permit access to the person’s financial account
What is required from covered organizations?
The law requires affected South Dakota residents to be notified once an organization discovers, or is notified of, a breach in which their information was compromised. It does contain a risk-of-harm exception: notification is not required if, after conducting an appropriate investigation and notifying the attorney general, the organization reasonably determines that the breach is not likely to result in harm to the affected individuals.
South Dakota’s data breach law includes a notification time frame
An organization that suffers a breach must notify affected individuals no later than 60 days after discovering it. If more than 250 South Dakota residents are affected, the attorney general must also be notified. In addition, all consumer reporting agencies and credit bureaus that compile and maintain files on consumers nationwide must be informed without unreasonable delay, regardless of the number of people affected; an earlier draft of the bill had applied the 250-resident threshold to this notice as well.
Failing to disclose a breach is treated as a violation of the state’s consumer protection laws, and the attorney general can impose a civil penalty of up to $10,000 per day per violation.
How an ISMS can help your organization protect its information assets
With breach notification laws now enacted or pending in every state, plus Washington DC, the logical next step is for the federal government to create a single overarching regulation. For now, however, organizations must navigate a complex patchwork of state and local laws governing consumer data protection. Either way, protecting the data your organization holds, and the IT systems that process it, should be a top priority.
One effective way to do this is to implement an information security management system (ISMS): the set of policies, procedures and controls, both technical and organizational, that an organization uses to systematically protect confidential and sensitive data from cyber threats.
The international information security standard ISO 27001 specifies the requirements for a best-practice ISMS, built on three pillars: people, processes and technology. Implementing ISO 27001 can help an organization meet state requirements such as South Dakota’s new law. The road to a successful ISO 27001 implementation can be difficult; if you want to know where to start, download this free green paper for a quick overview.