Click here to review text of state statute
Information Covered / Important Definitions
Personal information of South Dakota residents.
Definition includes usernames and passwords, financial information, personal identification numbers (“PINs”), or other access codes for financial accounts, medical information, health insurance information, and identification number assigned by an employer in combination with any required security code, access code, password, or biometric data.
Also covers “protected information,” which includes user name or email address with access code for online accounts, and account number or credit or debit card number, in combination with any access code for financial accounts.
“Security Breach” means the unauthorized acquisition of unencrypted computerized data or encrypted computerized data and the encryption key by any person that materially compromises the security, confidentiality, or integrity of personal or protected information maintained by the information holder.
“Information holder” means any person or business that conducts business in this state, and that owns or licenses computerized personal or protected information of state residents.
Covered Entities* / Third Party Recipients
Subject to statute:
Any person or business that conducts business in South Dakota, and that owns or licenses computerized personal or protected information of residents of South Dakota.
Third party recipients:
Third parties maintaining personal information on behalf of a covered entity must notify covered entity about a breach and cooperate as necessary to allow covered entity to comply with statute. The covered entity must satisfy all further notification obligations under the statute.
Notice Procedures & Timing / Other Obligations
Written or electronic notice must be provided to victims of a security breach as expeditiously as possible and without unreasonable delay, but no later than sixty (60) days following the discovery of the breach, unless a law enforcement agency determines that disclosure will interfere with a criminal investigation (in which case notification is delayed until authorized by law enforcement).
Notice to affected residents is required to contain specific content described in statute.
- If a delay in notification is prompted by law enforcement needs, notice to affected residents must be made not later than thirty (30) days after the law enforcement agency determines that notification will not compromise the criminal investigation.
- Substitute notice is available by means prescribed in the statute if costs exceed $250,000, the affected class exceeds 500,000 persons, or the covered entity has insufficient contact information.
- Notice not required if, after an investigation and written notice to the attorney general, the entity determines that there is not a reasonable likelihood of harm to the consumers whose personal information was acquired. The determination must be documented in writing and maintained for three years.
Any covered entity that must notify more than 250 residents at one time of a security breach is also required to notify the attorney general and consumer reporting agencies without unreasonable delay.
Encryption Safe Harbor / Other Exemptions
Encryption Safe Harbor:
Statute not applicable if the personal information that was lost, stolen or accessed by an unauthorized individual is encrypted or redacted.
Exemption for good faith acquisition of personal information by an employee or agent of a covered entity for the purposes of the covered entity so long as the personal information is not used or subject to further unauthorized disclosure.
A covered entity is deemed in compliance with the South Dakota statute if it maintains and complies with its own notification procedures as part of an information security policy and those procedures are consistent with the timing requirements of the South Dakota statute.
A covered entity that is subject to GLBA or HIPAA is exempt from South Dakota’s statute.
Notification to Regulator / Waiver
A determination of no likelihood of harm: Does not require notification to attorney general.
In addition to any remedy provided under SD § 37-24-6, non-governmental entities that violate the statute are liable for civil penalties of up to $10,000 per day per violation.
Private Cause of Action / Enforcement
Private Cause of Action: No.
Enforcement by attorney general only.
* Note: Please refer to individual state statutes for a complete list of covered entities as the list of legal and commercial entities described in this chart as “subject to statute” in most cases is not exhaustive. Please also note that rules applicable to state agencies, government bodies and other public institutions are not discussed in this chart.