Mandated Timeframe for Breach Reporting and/or Consumer Notification

Within 60 days
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection/Security
  • Third Party: Specific Obligations
  • Third Party: Mandated Contracts
  • Employee Training
  • Data Disposal/Destruction
  • Risk Assessment
  • Requests for Information
Fines & Penalties

Violations of breach and notification laws: up to $10,000 per day per violation

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Third Party Management
  • Data Protection
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • Breach reporting must be made to the Attorney General if the breach affects more than 250 consumers.
  • Breach reporting must be made to all consumer reporting agencies that compile and maintain reports on consumers on a nationwide basis if the breach affects more than 1,000 consumers.
  • The law defines specific requirements for consumer notification and disclosure of a breach to the State Attorney General.
  • The State Attorney General may publish the name of the breached entity and corresponding information.
  • Documentation (written) must be maintained for at least 5 years if it is reasonably determined that the consumers whose personal information was subject to the breach of security are unlikely to suffer harm.
  • If a vendor is breached, it must report the breach to the data owner. The data owner is responsible for completing the reporting and consumer notification.
  • If your breach affects residents in other states, you will need to notify those residents using that state’s rules.
Statutes and Laws
  • S.D. Codified Laws §§ 22-40-19 to 22-40-26 Breach Notification Law (July 2018)
  • S.D. Codified Laws § 37-24-6 Deceptive acts or practices