It’s a good thing South Dakota is one of the most data secure states. Since 2018, a data breach in South Dakota could cost your company up to $10,000 a day, per instance, if you don’t notify your customers.
For many years, when businesses were faced with a data breach, there was only the ‘potential’ of a loss of reputation, and the resulting loss of business could hurt your bottom line. In early 2018, South Dakota Governor Daugaard signed S.B. 62 and changed how businesses that are responsible for the data of their customers must respond to a breach.
Gone are the days of concealing a data breach. If a concealment is found out, the penalties to your business are no longer a slap on the wrist or a ding to your reputation. Now, they are enough to bring even the largest enterprise-level business to heel. South Dakota’s aggressive breach notification policy surely has contributed to the lack of patient data breaches in 2018.
If you’re an organization in South Dakota, such as a medical, finance, or legal practice, or one in another industry responsible for maintaining the security and privacy of your customers’ data, there are legal ramifications if you suffer a breach and don’t disclose it. The law states that if you are hacked and the data is compromised (a breach), you must notify your clients, South Dakota’s state attorney general, and the major reporting agencies.
Theft of personal information is being taken seriously, and your business will be held accountable for the damage done to your clients. S.B. 62 grants the state attorney general considerable power to prosecute each failure to disclose as a deceptive act under state law. It also allows the state to enact extreme penalties - including a civil penalty of up to $10,000 per day per violation - in addition to attorneys’ fees and costs. As you can see, data security can no longer be treated as an afterthought.
Any person or organization conducting business that owns or licenses digital “personal or protected information” of South Dakota residents must provide notice of the breach unless exempt. For example, a HIPAA-regulated business that is already in compliance with federal law is considered to be in compliance with S.B. 62 if it follows the federally established rules of notification. This ‘safe harbor’ provision for HIPAA businesses is another reason why it is critical to ensure your medical practice is HIPAA compliant.
A data breach is considered to have occurred if “personal or protected information” was or is believed to have been accessed by an unauthorized person. Granting additional protections to consumers, the law defines “unauthorized persons” to include not only individuals who are not authorized to access or share this data, but also individuals who are allowed to access the data, but have done so “outside the guidelines for access o[r] disclosure established by the information holder.” This additional clarification of the law should give business owners pause as to who and what level of privileges they grant.
Prior to S.B. 62, a South Dakota organization had little incentive to disclose a breach, or it tried to delay notification for as long as it could so it could better control the optics. With S.B. 62, the information holder must notify affected individuals of the breach by mail, email, or other methods within 60 days after the breach is discovered.
The law also requires that the breach be reported to the state attorney general if more than 250 South Dakota residents have been affected. Finally, the information holder must also notify “all consumer reporting agencies” and “any other credit bureau or agency that compiles and maintains files on consumers on a nationwide basis”. This is unique to South Dakota’s law, as most states require reporting only at 1,000 affected people and only to the big three consumer reporting companies. This reporting requirement is representative of how seriously South Dakota is taking data security.
As you can see, a data breach is no longer something to disclose and move on from; it can have serious ramifications for your business. These ramifications are backed by the state attorney general’s ability to prosecute “each failure to disclose” as an act of deception. The law allows for any remedies available under the law, and additionally the state may recover civil penalties of up to $10,000 per day, per violation, plus applicable lawyers’ fees.
If you don’t respond appropriately to a data breach, it is conceivable that the combination of bad press, disgruntled customers, and the state attorney general could cost you your business.
One thing to keep in mind is that South Dakota’s law goes farther in defining what constitutes a reportable data breach than most other states. For example, most states only require disclosure when the compromised information has a person’s name attached to it; S.B. 62 requires disclosure of a data breach even if the individual’s name has not been compromised.
Navigating the ever-changing landscape of South Dakota’s data breach notification requirements, HIPAA regulations, and cybersecurity solutions can be difficult for many businesses. If you’re unsure of how to protect your clients’ data and your business against cyberattacks, you don’t have to figure it out on your own! Call KT Connections today at 605-341-3873.