South Dakota joins other states requiring data-breach reporting

With the signing in March of South Dakota's SB 62, every state in the Midwest now has a law that requires consumers to be informed of data breaches involving their personal information.

The new South Dakota statute describes this type of breach as the unauthorized acquisition of computerized data that “materially compromises the security, confidentiality or integrity of personal or protected information” — for example, a person’s name combined with his or her Social Security number, email address, or credit card information. Notification to the consumer must be made within 60 days. A breach involving more than 250 South Dakotans must be reported to the state attorney general.

Concerns about fraud and identity theft have increased with a rise in the use of social media and the Internet, along with high-profile, large-scale breaches involving firms such as Equifax and Yahoo. The first reporting law was adopted in California a decade-and-a-half ago; today, every state now has one. These laws, though, vary from one jurisdiction to the other — for example, the deadlines for reporting to consumers, requirements on informing state government of the breach, and use of a “harm threshold” to determine whether the reporting is required.

Federal legislation has been introduced to replace these state laws with a single national standard.

Stateline Midwest: April 20181.45 MB