Mandated Timeframe for Breach Reporting and/or Consumer Notification

Within 60 days
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection/Security
  • Vendor Specific Obligations
  • Vendor Mandated Contracts
  • Employee Training
  • Required Disposal of Retained Personal Information
  • Require Vendors to Protect Personal Information
  • Verification of Vendor Protection/Security Program
  • Vendor Notification to Organization of Breach/Suspected Breach
Fines & Penalties

Violations of breach notification laws:

- up to $10,000 per day per violation

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Vendor Management
  • Vendor Contract Required
Level Description
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • Organizations are responsible to complete any required regulatory reporting and consumer notification.
  • If notification is required to more than 250 persons, reporting to the state attorney general must be done either by mail or email.
  • Reporting must also be completed without unreasonable delay to all consumer reporting agencies and any other credit bureau or agency that compiles and maintains files on consumers on a nationwide basis.
  • If the notification is delayed by a law enforcement investigation, notification must be made within 30 days after determination that it will not compromise an investigation.
  • If the organization is not required to make a disclosure of a breach incident, written documentation must be maintained for at least 3 years.
  • Vendors should notify Organizations upon discovery of a breach or suspected breach. The Organization is responsible for submitting any required regulatory reporting and consumer notifications.
  • If your breach affects residents in other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.
  • Organizations may be fined or penalized for Vendor violations.
  • Failure to provide notification of breach incident(s) is considered a deceptive act or practice. The attorney general may bring a civil action to recover monetary damages up to $10,000 per day, per violation.
Statutes and Laws
  • S.D. Codified Laws §§ 22-40-19 to 22-40-26 Breach Notification Law

    S.D. Codified Laws § 37-24-6 Deceptive acts or practices

BAck to map