South Dakota finally passes a data protection law



In the EU, individual privacy and data protection have been fundamental rights for quite some time and are now a way of life under the GDPR. Data protection in the U.S. is a fairly new concept. In 2003, California was the first state to pass a data protection law. Since then, 48 other states have followed suit by passing data protection laws that protect the personal data of their respective residents. South Dakota is not the last state, but by passing SB 62 in February of this year it is still pretty late to the data protection party.

Class of the protected individuals

The bill applies to individuals residing in the state.

Individual Rights

Individuals have the right to have their personally identifiable information (PII) protected from being acquired by unauthorized parties (a breach).

PII is defined as “computerized data” consisting of a first name (or first initial) and last name AND at least one of the following:

  • Identification numbers (such as Social Security, driver’s license, military or insurance numbers),
  • Financial information such as account numbers, routing numbers or PINs,
  • A combination of username and password used to access accounts,
  • Encryption keys* and security codes,
  • Protected health information (PHI) under HIPAA, and
  • Biometric data.

The bill does not apply to data that is publicly available or was obtained in good faith.

Compliance
Data controllers, or information holders as they are referred to in the bill, are required to comply with it.

Safe harbors
The bill provides a number of safe harbors. A safe harbor is a circumstance that eliminates a controller’s duty to report a “breach.” Like the majority of states, the bill provides a safe harbor if the compromised data is encrypted. Encryption is a technical safeguard that renders data unreadable without the key, so it only protects data whose key was not itself exposed. Encrypting data significantly reduces and often eliminates the risk of harm to individuals. The bill also mentions the redaction of records as an alternative safe harbor.

The bill provides additional safe harbors if the controller is in compliance with GLBA and/or HIPAA. This makes sense, since these are federal laws with more stringent privacy, security and reporting requirements.

Reporting
Controllers must notify affected individuals of the breach within 60 days of its reasonable discovery.

Substitute notice is allowed where the cost of notifying individuals exceeds $250,000 and the number of individuals exceeds 5,000 persons. Additionally, substitute notice is proper when the controller does not have sufficient information to appropriately notify or identify the individuals affected by the breach.

Controllers are required to notify the state’s Attorney General’s office if more than 250 residents are affected by the breach.

Enforcement
Similar to Alabama’s bill and a number of other state bills, SB 62 does not provide a private right of action for individuals against a controller as a result of a data breach.

The bill is mainly enforced by the Attorney General. A controller may be fined $10,000 per day per violation, plus attorneys’ fees, for non-compliance.

For intentional disclosures and/or breaches of PII, a person could be liable for criminal fines and guilty of a misdemeanor under SD Statute § 37-24-6.

I have written a comparison piece on the two latest state data protection laws on LinkedIn.
