As we wrote when the law passed, South Dakota now has a data breach notification law, making it the last state to have a data breach notification statute on the books. (The breach notification law of the other hold-out state, Alabama, went into effect on June 1.) The law is now in effect, and as we reported, mirrors many facets of other states’ breach laws. Notification is required when there is an unauthorized acquisition of unencrypted computerized data (or encrypted data where the key is compromised). Encryption is defined in South Dakota (unlike many other states), and notification must occur within 60 days. If notification to more than 250 South Dakota residents is required a company must notify state authorities as well.
Putting it Into Practice: Companies with a nation-wide breach notice law should keep in mind South Dakota’s 60-day timing requirements as well as its state authority notification provision.