The South Dakota Data Breach Notification Law Has Been Approved

All 48 U.S. states are already implementing a Breach Notification Law that requires individuals and companies storing personal information to send a notification letter to individuals when a data breach occurs. South Dakota is one of two states that have yet to introduce this legislation.  That status changed on March 21, 2018 when South Dakota attorney general Marty Jackley announced that Governor Daugaard has signed SB 6 and will be implemented on July 1, 2018.  South Dakota residents will now receive the same consumer protection as their neighboring states.

The new approved bill has the following fine points:

An entity that experiences a data breach must issue notifications to South Dakota residents whose personal information is compromised within 60 days of discovering the breach. The breach notification time frame required by this bill is the same as that of the HIPAA. Personal information as defined in the bill refers to the full name or first initial and full name of a state resident plus any of the following information:

  • a government ID number
  • driver’s license number
  • Social Security number
  • employment ID number (with authentication information)
  • credit/debit card number (with an associated code that permits card usage)
  • health information (as defined in HIPAA 45 CFR 160.103)

An entity must notify the state attorney general of any breach that impacts over 250 state residents within 60 days of discovering the breach. The South Dakota data breach notification law includes a risk of harm exception. In case a breached entity determines that the breach will unlikely harm the affected person, there’s no need to issue a notification. If breach notification is delayed, the entity could be fined up to $10,000 per day on top of state attorney’s fees.

Since South Dakota’s data breach notification law has been approved, the only state that hasn’t introduced a state-wide breach notification law is Alabama. However, it is expected that Alabama will follow soon as the same legislation – the Alabama Data Breach Notification Act of 2018 passed by the Alabama Senate – is under consideration by the House of Representatives.

About Christine Garcia 1312 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at