South Dakota Enacts Data Breach Notification Law

By Thomas Johnson

Effective July 1, healthcare providers, business associates, and other businesses maintaining patient information in South Dakota, will have a new law with which to adhere.

In the 2018 legislative session, South Dakota’s legislature passed - and its governor signed - South Dakota’s first data breach notification law.  Prior to the new law, South Dakota was one of only two states without a state law requirement to notify individuals in the event of a data breach. The law’s enactment signals the continuing emphasis in federal and state law, and regulatory environments, on protecting individual’s personal information.  

Under the new law, which will be codified in South Dakota’s trade regulation statutes, “Personal Information” and “Protected Information” are broadly defined to include a wide array of personally identifiable information.  Categories of personal or protected information include a person’s first and last name combined with the following: (1) social security number; (2) driver’s license number or other government ID; (3) account number with access code/routing number; (4) health information as defined under HIPAA; and (5) employee ID in combination with an access code or biometric data.

Generally, the law requires “information holders” to notify South Dakota residents of any “breach of system security” involving “personal or protected information,” within 60 days of discovery.  The law also requires notice to the Attorney General in data breaches involving greater than 250 residents. There is a “risk of harm” exception in the new law which provides that if the breached entity “reasonably determines that the breach will not likely result in harm to the affected person”, notifications do not need to be issued.  The law is substantially similar to data breach notification laws from other states, but it does contain some unique provisions. This includes a mandatory reporting obligation to credit reporting agencies, which is something that does not expressly appear in HIPAA’s regulations.

Interestingly, there is some question whether the new law creates a private cause of action for damages in violation of the new law.  The law’s text does not create such a private cause of action. However, the law incorporates South Dakota’s Deceptive Trade Practices Act, which expressly authorizes a civil cause of action.  The Attorney General is also authorized to prosecute violations of the law, carrying penalties up to $10,000 per day for each violation.

The new law exempts information holders that are subject to HIPAA and its regulations, as long as those information holders comply with HIPAA’s requirements.  Nonetheless, stakeholders in the healthcare industry should take note of South Dakota’s new data breach regime. It may have incidental effects on their data security practices, including their notification obligations.  From an enforcement perspective, it remains to be seen whether or not individuals can now expressly pursue private causes of action for certain data breaches in South Dakota.

Tommy Johnson is a corporate and healthcare lawyer at Boyce Law Firm in Sioux Falls.