KT Connections Blog

Can Your Business Afford to Pay $10,000 a Day?

It’s a good thing South Dakota is one of the most data-secure states. Since 2018, a data breach in South Dakota could cost your company up to $10,000 a day, per instance, if you don’t notify your customers.

For many years, when businesses were faced with a data breach, there was only the ‘potential’ loss of reputation, and the resulting loss of business could hurt your bottom line. In early 2018, South Dakota Governor Daugaard signed S.B. 62 and changed how businesses that are responsible for their customers’ data must respond to a breach.

Gone are the days of concealing a data breach. If a concealment is found out, the penalties to your business are no longer a slap on the wrist or a ding to your reputation. Now, they are enough to bring even the largest enterprise-level business to heel. South Dakota’s aggressive breach notification policy has surely contributed to the lack of patient data breaches in 2018.

What South Dakota Breach Notification Means

If you’re an organization in South Dakota, whether a medical practice, a finance or legal firm, or part of another industry responsible for maintaining the security and privacy of your customers’ data, there are legal ramifications if you suffer a breach and don’t disclose it. The law states that if you are hacked and the data is compromised (a breach), you must notify your clients, South Dakota’s state attorney general, and the major reporting agencies.

Theft of personal information is being taken seriously, and your business will be held accountable for the damage done to your clients. S.B. 62 grants the state attorney general considerable power to prosecute each failure to disclose as a deceptive act under state law. It also allows the state to impose severe penalties - including a civil penalty of up to $10,000 per day per violation - in addition to attorneys’ fees and costs. As you can see, data security can no longer be treated as an afterthought.

What Does S.B. 62 Say About Data Breaches?

Any person or organization conducting business that owns or licenses digital “personal or protected information” of South Dakota residents must provide notice of the breach unless exempt. For example, a HIPAA-regulated business that is already in compliance with federal law is considered to be in compliance with S.B. 62 if it follows the federally established notification rules. This ‘safe harbor’ provision for HIPAA businesses is another reason why it is critical to ensure your medical practice is HIPAA compliant.

What Is Considered A Data Breach?

A data breach is considered to have occurred if “personal or protected information” was, or is reasonably believed to have been, accessed by an unauthorized person. Granting additional protections to consumers, the law defines “unauthorized persons” to include not only individuals who are not authorized to access or share this data, but also individuals who are allowed to access the data but have done so “outside the guidelines for access o[r] disclosure established by the information holder.” This clarification should give business owners pause about whom they grant access to, and at what level of privilege.

The Data Breach Must Be Reported

Prior to S.B. 62, a South Dakota organization had little incentive to disclose a breach, and would often delay notification for as long as it could to better control the optics. With S.B. 62, the information holder must notify affected individuals of the breach by mail, email, or other methods within 60 days after the breach is discovered.

The law also requires that the breach be reported to the state attorney general if more than 250 South Dakota residents have been affected. Finally, the information holder must also notify “all consumer reporting agencies” and “any other credit bureau or agency that compiles and maintains files on consumers on a nationwide basis”. This is unique to South Dakota’s law, as most states require reporting only at 1,000 affected people and only to the big three consumer reporting companies. This reporting requirement shows how seriously South Dakota is taking data security.

Report Your Data Breach... or Else

As you can see, a data breach is no longer something to disclose and move on from; it can have serious ramifications for your business. These ramifications are backed by the state attorney general’s ability to prosecute “each failure to disclose” as an act of deception. The law permits any other remedies available under state law; in addition, the state may recover civil penalties of up to $10,000 per day, per violation, plus applicable attorneys’ fees.

If you don’t respond appropriately to a data breach, it is conceivable that the combination of bad press, disgruntled customers, and the state attorney general could cost you your business.

What Type of Data Loss Must be Reported?

  • Social Security number, driver’s license number (or other government-issued identification document)
  • Credit card or debit card number, with the required security or access code, password, routing number, PIN, or other information permitting access to a financial account
  • A name in conjunction with “health information” (as defined under the Health Insurance Portability and Accountability Act, or HIPAA)
  • An employer-assigned identification number, with the required security or access code, password, or biometric data used for authentication purposes

One thing to keep in mind is that South Dakota’s law goes farther in defining what constitutes a reportable data breach than most other states. For example, most states only require disclosure when the compromised information is attached to a person’s name; S.B. 62 requires disclosure of a data breach even if the individual’s name has not been compromised.

South Dakota Businesses Must Evolve

Navigating the ever-changing compliance landscape of South Dakota’s data breach notification requirements, HIPAA regulations, and cybersecurity solutions can be difficult for many businesses. If you’re unsure of how to protect your clients’ data and your business against cyberattacks, you don’t have to figure it out on your own! Call KT Connections today at 605-341-3873.
