Jan. 24, 2018
This piece is presented by SDN Communications.
South Dakota remains the last state in the nation without data breach reporting protection for citizens, but Attorney General Marty Jackley intends to change that with the help of lawmakers this session.
Here’s what business leaders need to know about the bill.
- The basics – The basics – The Senate Judiciary Committee heard testimony Jan. 23 on Senate Bill 62, which requires companies to notify the state within 60 days of a breach affecting more than 250 residents. The committee passed an amended version of the bill on a 7-0 vote. It now goes on to the full Senate.
- It’s not a slam dunk – Jackley offered an amendment during the hearing that would allow the affected business time to do an internal investigation to determine whether the breach negatively impacts the individuals impacted. If the business and the attorney general determine there is no negative impact, the individuals do not have to be notified. However, if the AG determines a negative impact exists, the business will need to notify those individuals or risk prosecution and individual legal lawsuits or a class action lawsuit on behalf of those impacted.
- When it might be a crime – Much of the debate has centered on the appropriate criminal and civil penalties if a business does not provide proper notice to affected individuals following discovery of a breach.
- Federal vs. state compliance – Another holdup on the bill is work on an amendment to give industries that already follow federal compliance such as HIPPA, SOC II and CPNI a pass on state compliance.
Jackley said the bill is necessary because South Dakotans are being directly impacted by large-scale data breaches. He noted the state’s estimated 275,000 residents whose personal information was released in the Equifax breach.
He recently spoke at the Better Business Bureau’s annual cybersecurity event to explain the breach’s impact and the legislation being brought forward.
To watch, click on the image below.