South Dakota Data Breach Notification Laws: Reporting Rules & Timelines (2026)

South Dakota was one of the last states in the nation to enact a data breach notification law. The statute, S.D. Codified Laws 22-40-19 through 22-40-26, took effect on July 1, 2018, and applies to any information holder conducting business in South Dakota that owns or licenses computerized personal or protected information of state residents.
Despite being a late adopter, South Dakota's law includes several features that put it in line with more modern breach notification statutes: a firm 60-day notification deadline, a low Attorney General reporting threshold of 250 residents, and substantial daily penalties for noncompliance. The law also introduces the concept of "protected information," which covers login credentials even without a name.
This guide covers the full scope of South Dakota's breach notification requirements, including how they connect to the broader [South Dakota data privacy laws](/us-laws/data-privacy-laws/south-dakota-data-privacy-laws) framework.
Who Must Comply
South Dakota's law applies to any "information holder," defined as any person or business that conducts business in South Dakota and owns or licenses computerized personal or protected information of state residents. Businesses located outside South Dakota are covered if they hold data belonging to South Dakota residents.
When a third party maintains data on behalf of the data owner or licensee, the third party must notify the data owner or licensee immediately following discovery of a breach. The data owner then bears the responsibility to notify affected residents and the Attorney General.
Federal Law Compliance Exception
Under Section 22-40-23, information holders regulated by federal law that maintain breach notification procedures under federal requirements (such as HIPAA or the Gramm-Leach-Bliley Act) are deemed in compliance with South Dakota law if they notify affected residents in accordance with applicable federal requirements.
Own Security Policy Exception
An information holder that maintains its own notification procedure as part of an information security policy is also in compliance, provided the policy is consistent with the timing requirements and the holder notifies affected individuals in accordance with its own procedures.
What Triggers Notification
Under Section 22-40-19, a "breach of system security" means the unauthorized acquisition of unencrypted computerized data, or encrypted computerized data and the encryption key, by any person that materially compromises the security, confidentiality, or integrity of personal or protected information.
The definition focuses on unauthorized acquisition, not just unauthorized access. Mere access without acquisition may not trigger the law.
Encryption Safe Harbor
Encrypted data is excluded from the breach definition unless the encryption key was also compromised. South Dakota defines "encrypted" as data rendered unusable, unreadable, or indecipherable without a decryption process or key, or data encrypted in accordance with FIPS 140-2 (the Federal Information Processing Standard effective January 1, 2018).
Personal Information That Triggers the Law
South Dakota's definition of personal information under Section 22-40-19 means a person's first name or first initial and last name, in combination with any one or more of the following data elements:
- Driver's license number or other unique identification number created or collected by a government body
- Account, credit card, or debit card number, in combination with any required security code, access code, password, routing number, PIN, or additional information that would permit access to a financial account
- Health information as defined in 45 CFR 160.103 (the HIPAA definition, covering past, present, or future physical or mental health conditions, healthcare provision, or healthcare payment)
- Identification number assigned by the person's employer, in combination with any required security code, access code, password, or biometric data generated from measurements or analysis of human body characteristics for authentication
Personal information does not include information lawfully available from federal, state, or local government records, or information that has been redacted or otherwise made unusable.
Notable: SSN Coverage
South Dakota's statute covers Social Security numbers through the "unique identification number created or collected by a government body" category, which encompasses Social Security numbers, state ID numbers, and similar government-issued identifiers.

Protected Information: A Broader Category
South Dakota is one of relatively few states that defines a separate "protected information" category. Protected information includes:
- Username or email address in combination with a password, security question answer, or other information that permits access to an online account
- Account number or credit or debit card number in combination with any required security code, access code, or password that permits access to a financial account
Protected information does not require a name component to trigger notification. This means a breach of email addresses combined with passwords triggers notification even without names being compromised.
The 60-Day Notification Deadline

Under Section 22-40-20, an information holder must disclose the breach to any affected South Dakota resident not later than 60 days from the discovery or notification of the breach.
Law Enforcement Delay
Notification may be delayed if a law enforcement agency determines that notification will impede a criminal investigation. Once law enforcement determines that notification will no longer compromise the investigation, notification must be provided within 30 days.
Who Must Be Notified
Affected Individuals
Every South Dakota resident whose personal or protected information was, or is reasonably believed to have been, acquired by an unauthorized person must receive notification.
Attorney General (250+ Threshold)

When a breach affects more than 250 South Dakota residents, the information holder must notify the South Dakota Attorney General by mail or email. This is one of the lower AG notification thresholds in the country.
Consumer Reporting Agencies
If disclosure to consumers or the Attorney General is required, notice must also be given to the nationwide consumer reporting agencies (Equifax, Experian, and TransUnion).
Methods of Notification
Under Section 22-40-22, South Dakota permits three types of notice:
- Written notice to the last known address
- Electronic notice, if consistent with federal electronic records provisions or if electronic communication is the information holder's primary method of contact with the resident
- Substitute notice, if the cost would exceed $250,000, the affected class exceeds 500,000 persons, or the holder lacks sufficient contact information. Substitute notice requires email to available addresses, conspicuous website posting, and notification to statewide media.
Penalties for Noncompliance
South Dakota's penalty structure is among the more aggressive in the country for a state without a private right of action.
Civil Penalties
Under Section 22-40-25, the Attorney General may bring an action to recover a civil penalty of up to $10,000 per day per violation. For a breach that goes unreported for weeks or months, this daily structure creates significant financial exposure.
Deceptive Acts Prosecution
The Attorney General may also prosecute each failure to disclose as a deceptive act or practice under Chapter 37-24, which provides additional remedies including injunctive relief, consumer restitution, and civil penalties.
Attorney's Fees and Costs
The Attorney General may recover attorney's fees and costs associated with any enforcement action.
No Private Right of Action
South Dakota's breach notification law does not create a private right of action. Only the Attorney General can enforce the statute. Individuals may pursue claims under other legal theories such as negligence, but not under the breach notification statute itself.
Sources and References
This article draws from the following official South Dakota government sources:
- S.D. Codified Laws Chapter 22-40 (Identity Crimes) - Full text of South Dakota's breach notification statute
- Section 22-40-19 (Definitions) - Definitions of personal information, protected information, and breach of system security
- Section 22-40-20 (Notice of Breach) - 60-day notification deadline and requirements
- Section 22-40-25 (Prosecution for Violations) - $10,000 per day penalty provisions
- South Dakota Consumer Protection: Security Breaches - AG breach reporting guidance
This article provides general legal information about South Dakota data privacy laws and breach notification requirements. It is not legal advice, and it does not create an attorney-client relationship. Data breach response involves time-sensitive obligations. Consult a qualified attorney licensed in South Dakota for guidance specific to your situation.