Attorney General Marty Jackley wants to crack down on what he refers to as violations of consumer privacy. He proposes Senate Bill 49, which would criminalize improperly storing and disposing of personal or protected information.
SDCL 22-40-19 defines “personal information” as “a person’s first name or first initial and last name” (evidently we can hand out your middle name all we want) in combination with one or more of the following bits of data:
- Social security number;
- Driver license number or other unique identification number created or collected by a government body;
- Account, credit card, or debit card number, in combination with any required security code, access code, password, routing number, PIN, or any additional information that would permit access to a person’s financial account;
- Health information as defined in 45 CFR 160.103; or
- An identification number assigned to a person by the person’s employer in combination with any required security code, access code, password, or biometric data generated from measurements or analysis of human body characteristics for authentication purposes.
The same statute defines “protected information” as “A user name or email address, in combination with a password, security question answer, or other information that permits access to an online account” or “account number or credit or debit card number, in combination with any required security code, access code, or password that permits access to a person’s financial account.”
The “in combination with” phrase catches my eye. It appears that a person or business can leak your name and a list of all of your credit card numbers, as long as the list does not include your PINs or security codes (a reading at odds with the payment card industry’s own rules, under which the card number by itself is cardholder data that must be protected). Similarly, a person or business could give out your name and employee ID number, as long as that information isn’t accompanied by a code, password, or your height. Your name and email address are also fair game for publication, as long as we don’t give out the password to access your email account.
Jackley’s new Senate Bill 49 doesn’t address that odd aspect of the definition of personal or protected information. Senate Bill 49 does go beyond punishing leaks of information to require people, businesses, and governmental agencies to “take all reasonable steps” to properly secure records containing personal or protected information and protect them against unauthorized access or use. Those steps include requiring the destruction of records when their retention is no longer required “by burning, pulverizing, crosscut shredding, erasing, or otherwise modifying the information contained in the records to make the information unreadable or indecipherable by any means.” Note the standard that “erasing” has to meet: simply deleting a file or emptying the recycle bin leaves the data recoverable, so for electronic records that means overwriting the media or destroying the encryption key, not just hitting Delete.
Fail to properly lock up and eventually shred such records, and SB 49 will bust you under the deceptive practices law, SDCL 37-24-6. Under that law, each violation (which could be read to mean each record improperly handled) can draw a Class 1 misdemeanor, a Class 6 felony, or a Class 5 felony, depending on whether the violation is under $1,000, between $1,000 and $100,000, or $100,000 or more. How we figure the dollar value of a bit of personal or protected information is not made clear in current law or in SB 49. But SB 49 would also allow the A.G. to sue data mishandlers for a civil penalty of up to $10,000 per day per violation. I suppose we could say that accessing your company’s client database via the Caribou Coffee wi-fi and leaving the interface open on your laptop at your table while you hit the head constitutes one violation. But what if Jackley sends in the DCI to audit your security protocols and finds that your main office has been maintaining customer information in an Excel spreadsheet with no password protection since you started business in 2013? Is that a violation for each day for ten years? If so, that’s 3,652 days at $10,000 a day, and the Attorney General could take you to court for a $36,520,000 penalty!
Attorney General Jackley says this bill is about consumer protection:
“Protection of personal and confidential information continues to be a threat to our consumers,” Jackley said. “This consumer protection bill provides further guidance on how to protect confidential and private information and strengthens the penalty for those who do not protect confidential information or try to profit from the sale of that information” [Office of the Attorney General, press release, 2023.01.17].
But remember: we are citizens, not just consumers. The good part of this bill is that it applies its requirements to governmental agencies as well as people and businesses. Jackley’s 2018 data breach notification law applies only to “any person or business that conducts business in this state,” not to the state or its political subdivisions themselves. So theoretically, instead of (or in addition to!) ordering audits of every business owned by Democrats in South Dakota and frying them for not incinerating every out-of-date file, Jackley could conduct a reign of terror on every state agency to root out enemies of the regime. He could just have DCI walk into every government office, take pictures of any document lying out in view on a desk or computer screen, identify the exposed personal or protected information, and take to court every targeted office functionary who didn’t donate enough to his campaign.
But Marty would never do that. He would only use Senate Bill 49 to protect our personal information and hold information holders, private and public, accountable.
Of course, by including governmental agencies in SB 49, Jackley creates one more excuse for the state and other public entities to drag their feet on public records requests. Public agencies should already be reviewing and redacting SSNs and other sensitive data from records before releasing them, but SB 49’s threat of a $10,000-per-day civil penalty for failing to keep such data secure may prompt even longer reviews of requested records.
Senate Bill 49 will get its first hearing before Senate Judiciary—no date is shown on the LRC webpage, but Jackley says his package will get first hearing this week, so maybe tomorrow, Friday, at 7:45 a.m. CST.