South Dakota finally passes a data protection law
In the EU, individual privacy and data protection have been a fundamental rights for quite some time and is now a way of life under GDPR. Data protection in the U.S. is a fairly new concept. In 2003, California was the first state to pass a data protection law. Since then, 48 other states have followed suit by passing data protection laws that protect the personal data of their respective residents. South Dakota is not the last state, but by passing SB 62 in February of this year it is still pretty late to the data protection party.
Class of the protected individuals
The bill applies to individuals residing in the state.
Individual Rights
Individuals have the right to have their personally identifiable information (PII) from being acquired by an unauthorized parties (breach).
PII is defined as “computerized data” consisting of first name (or first initial) and last names AND one of the following :
- Identification number (such as social security numbers, driver’s, military, insurance),
- Financial information such as Account number, routing, PIN numbers,
- a combination of username and password used to access accounts,
- Encryption key*, security codes,
- Biometric data.
The bill does not apply to data that is publically available or was obtained in good faith.
Compliance
Data controllers , or information holders as referenced in the bill, are required to comply with this bill.
Safe harbors
The bill provides a number of safe harbors. A Safe Harbor is an circumstance that eliminates a controllers’ duty to report a “breach.” Like the majority of states, the bill provides a safe harbor if the comprised data is encrypted. Encryption is a technical safeguard that renders data unreadable, without a key. Encrypting data significantly reduces and often eliminates the risk of harm to individuals. The bill also mentions the redaction of records, as an alternative safe harbor.
The bill provides additional safe harbors, if the controller is in compliance with GLBA and or HIPAA. This makes sense since these are federal laws, with more stringent privacy, security and reporting requirements.
Reporting
Controllers must report the breach to affected individuals within 60 days of reasonable discovery of the breach.
Substitute notice is allowed, where the cost to notify individuals exceeds $250,000 and the number of individuals exceeds 5,000 persons. Additionally, substitute notice is proper when the controller does not have sufficient information to appropriately notify or identify individuals affected by the breach.
Controllers are required to notify the state’s Attorney General’s office, if more than 250 residents are affected by breach.
Enforcement
Similar to Alabama's bill and number of other state bills, SB 62 does not provide a private of action by individuals against a controller as a result of a data breach.
The bill is mainly enforced by the Attorney General. A controller may be fined $10,000 per day per violation plus Attorneys’ fees for non-compliance.
For intentional disclosures and or breaches of PII, a person could be liable for criminal fines and guilty of a misdemeanor under SD Statute § 37-24-6.
I have written a comparison piece on the two latest state data protection laws on LinkedIn.
Comments
Post a Comment
all comments to this blog are moderated