South Dakota
Quick Facts
Breach Based on Harm Threshold: Yes
Deadline for Consumer Notice: Not later than 60 days
Government Notification Required: Yes, if >250 residents are affected
Scope of this Summary:
Notification requirements applicable to individuals or entities that conduct business in the state and own or license covered info. Some types of businesses may be exempt from some or all of these requirements.
Risk of Harm Threshold
Notification is not required if, after appropriately investigating the breach and notifying the South Dakota attorney general, the information holder reasonably determines that the security breach is not likely to result in harm to the affected individual. Covered entities must document and retain the determination for at least three years.
Breach Defined
Unauthorized acquisition that materially compromises the security, confidentiality, or integrity of covered info, excluding certain good-faith acquisitions by employees or agents.
Encryption Safe Harbor
Statute does not apply to covered info that is encrypted so long as the encryption key was not also acquired.
Form of Covered Information
Electronic Only
Covered Information
- A South Dakota resident's first name or first initial and last name, in combination with any one or more of the following data elements:
  - Social security number.
  - Driver's license number or other unique identification number created or collected by a government body.
  - Account, credit card, or debit card number, in combination with any required security code, or information that would permit access to a person's financial account.
  - Health information, meaning information that is created or received by a healthcare provider, health plan, public health authority, employer, life insurer, school or university, or healthcare clearinghouse; and relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
  - An identification number assigned to a person by the person's employer in combination with any required security code, access code, password, or biometric data generated from measurements or analysis of human body characteristics for authentication purposes.
- Personal information does not include information that is lawfully made available to the general public from federal, state, or local government records or information that has been redacted, or otherwise made unusable; and
- The following information is also protected, even when not combined with a resident's name:
  - A username or email address, in combination with a password, security question answer, or other information that permits access to an online account.
  - Account number or credit or debit card number, in combination with any required security code, access code, or password that permits access to a person's financial account.
Consumer Notice Timing
Must be made no later than 60 days after discovery or notification of breach.
Consumer Notice Method
By written notice or electronic notice if consistent with E-SIGN or if primary method of communication with affected resident. Substitute notice is available if certain criteria are satisfied.
Consumer Notice Content
The South Dakota statute does not include content requirements for the notice to affected individuals.
Delayed Notice
Notification may be delayed if law enforcement determines that notification will impede a criminal investigation. If notification is delayed, it must be made no later than 30 days after law enforcement determines notification will not compromise the investigation.
Government Notice
If over 250 residents are affected, must notify the attorney general.
Consumer Reporting Agency Notice
If required to notify any residents, must also notify, without unreasonable delay, all national Consumer Reporting Agencies of timing, distribution, and content of notice.
Exceptions for Other Laws
The statute deems in compliance any information holder that is regulated by federal law or regulation, including the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA), and notifies affected South Dakota residents in accordance with those laws.
Third-Party Notice
The South Dakota statute does not list requirements for third-party notice.
Private Right of Action
The South Dakota statute does not provide a private right of action.
Potential Penalties
Violations may result in civil penalties.