SOUTH DAKOTA DATA BREACH NOTIFICATION LETTER PACKAGE
(Prepared for Immediate Attorney Customization)
[// GUIDANCE: 1. This package contains (i) a statutory notification letter to the South Dakota Attorney General (“AG Letter”) and (ii) a consumer notification letter (“Consumer Letter”).
2. South Dakota’s data-breach statute is codified at S.D. Codified Laws §§ 22-40-19 et seq. (“SDDB Law”).
3. The template is drafted to satisfy the content and timing requirements of SDDB Law and to minimize exposure to statutory civil penalties (currently up to $10,000 per day, per violation).
4. All bracketed text must be completed or modified before issuance.
5. If ≥ 1,000 individuals nationwide will be notified, a separate notice to the national consumer reporting agencies is required under 15 U.S.C. § 1681a, et seq. (Fair Credit Reporting Act).]
TABLE OF CONTENTS
- Document Header
- Definitions
- Operative Provisions
3.1 AG Letter
3.2 Consumer Letter (Exhibit A)
- Representations & Warranties
- Covenants
- Default & Remedies
- Risk Allocation
- Dispute Resolution
- General Provisions
- Execution Block
- Exhibit A – Form of Consumer Notification Letter
1. DOCUMENT HEADER
Title: South Dakota Data Breach Notification Letter Package
Parties:
• “Company” – [LEGAL NAME OF COMPANY], a [STATE] [ENTITY TYPE] with its principal place of business at [ADDRESS].
• “South Dakota Attorney General” – Office of the Attorney General, 1302 E. Highway 14, Suite 1, Pierre, SD 57501-8501.
Effective Date: [DATE NOTICES WILL BE SENT]
Jurisdiction: State of South Dakota
2. DEFINITIONS
For purposes of this Notification Package, capitalized terms have the meanings set forth below:
“Breach” – The unauthorized acquisition of unencrypted data (or of encrypted data with the encryption key) that compromises the security, confidentiality, or integrity of Personal Information, as defined in SDCL § 22-40-20(1).
“Company” – The entity identified in the Document Header.
“Consumer” – Any individual South Dakota resident whose Personal Information was, or is reasonably believed to have been, accessed or acquired in the Breach.
“Personal Information” – The data elements described in SDCL § 22-40-19(4), including but not limited to an individual’s first name or first initial and last name in combination with: (a) Social Security number; (b) driver’s license/State ID number; (c) account or credit-card number with required access credentials; (d) medical information; (e) health-insurance identification number; (f) unique biometric data; or (g) username or e-mail address with password or security question/answer.
3. OPERATIVE PROVISIONS
3.1 Attorney General Notification Letter (“AG Letter”)
[ON COMPANY LETTERHEAD]
[DATE]
The Honorable [NAME, if known]
South Dakota Attorney General
1302 E. Highway 14, Suite 1
Pierre, SD 57501-8501
Re: Data Breach Notification Pursuant to SDCL §§ 22-40-19 – 26
Dear Attorney General [LAST NAME]:
[1] Introduction
Pursuant to SDCL § 22-40-20, [COMPANY] (“Company”) hereby provides written notice of a breach of system security involving Personal Information of South Dakota residents.
[2] Incident Description
• Date(s) of Breach: [INCIDENT DATE(S)]
• Date of Discovery: [DISCOVERY DATE]
• Systems Affected: [BRIEF DESCRIPTION]
• Nature & Scope: [HIGH-LEVEL NARRATIVE OF HOW THE BREACH OCCURRED, E.G., “A sophisticated phishing attack compromised an employee’s credentials and allowed unauthorized access to the Company’s customer-relations management database.”]
[3] Categories of Personal Information Affected
The Breach involved the following data elements as defined under SDDB Law:
☐ Social Security numbers
☐ Driver’s license/State-issued ID numbers
☐ Financial account or payment-card numbers with required access codes
☐ Medical information
☐ Health-insurance identification numbers
☐ Biometric identifiers
☐ Username/e-mail address with password or security question answer
(collectively, the “Impacted Data”).
[NUMBER OF SD RESIDENTS] South Dakota residents and [TOTAL NUMBER] individuals nationwide were affected.
[4] Company’s Remedial Actions
Immediately upon discovery, Company:
a. Contained and eradicated malicious code;
b. Engaged a forensic cybersecurity firm ([FIRM NAME]) to investigate;
c. Reset credentials for affected accounts;
d. Implemented multi-factor authentication enterprise-wide;
e. Offered complimentary identity-protection services (12 months) to Consumers.
[5] Consumer Notification
Pursuant to SDCL § 22-40-20, Company will notify, or has notified, all affected South Dakota residents on or before [NOTIFICATION DATE] (within the statutory 60-day period). A copy of the Consumer Letter is attached as Exhibit A.
[6] Law-Enforcement Coordination
Company has consulted with [LAW-ENFORCEMENT AGENCY] (Case No. [CASE NUMBER]); no delay in notification was requested.
[7] Consumer Reporting Agencies (“CRAs”)
☐ Applicable. Company anticipates notifying the major CRAs because notice will issue to ≥ 1,000 individuals nationwide.
☐ Not Applicable. Fewer than 1,000 individuals will be notified.
[8] Contact Information
For further information, please contact:
[CONTACT NAME]
[CONTACT TITLE]
[CONTACT PHONE] | [CONTACT E-MAIL]
Company appreciates your office’s attention to this matter and welcomes any questions.
Respectfully submitted,
[AUTHORIZED SIGNATORY NAME]
[Title] | [Company]
3.2 Consumer Notification Letter (“Consumer Letter”)
[See Exhibit A]
4. REPRESENTATIONS & WARRANTIES
Company represents and warrants to the South Dakota Attorney General that:
a. The information contained in the AG Letter and Exhibit A is true, complete, and accurate to the best of Company’s knowledge as of the Effective Date.
b. The AG Letter and Consumer Letter comply with the timing and content requirements of SDCL § 22-40-20.
c. Company has implemented—and will continue to implement—reasonable security measures to protect Personal Information in accordance with SDCL § 22-40-20(4).
[// GUIDANCE: These limited warranties are defensive; broader warranties could expose the client to misrepresentation claims.]
5. COVENANTS
a. Ongoing Cooperation: Company shall promptly supplement or amend the AG Letter if material new facts are discovered.
b. Future Compliance: Company shall maintain, review, and update its written information-security program to comport with evolving industry standards and SDDB Law.
6. DEFAULT & REMEDIES
Failure to comply with SDDB Law may subject Company to civil penalties not to exceed $10,000 per day, per violation, and to injunctive relief under SDCL § 37-24-6.
7. RISK ALLOCATION
Liability for statutory penalties is governed exclusively by SDDB Law. No contractual indemnification or liability cap applies.
8. DISPUTE RESOLUTION
Governing Law: This Notification Package is governed by the laws of the State of South Dakota, without regard to conflicts-of-law rules.
Forum Selection: Any dispute arising from or relating to the subject matter hereof shall be brought in the state courts located in Hughes County, South Dakota.
9. GENERAL PROVISIONS
a. Integration. This Package (including Exhibit A) constitutes the entire written notice required under SDCL §§ 22-40-19 – 26.
b. Amendments. Any amendment shall be in writing and signed by an authorized Company representative.
c. Reservation of Rights. Company reserves all defenses available at law or equity.
d. Severability. If any provision of this Package is held invalid, the remaining provisions shall remain in full force and effect.
10. EXECUTION BLOCK
IN WITNESS WHEREOF, the undersigned executes this South Dakota Data Breach Notification Letter Package as of the Effective Date.
[COMPANY NAME]
By: ____
Name: [AUTHORIZED SIGNATORY NAME]
Title: [TITLE]
Date: ________
11. EXHIBIT A – FORM OF CONSUMER NOTIFICATION LETTER
[ON COMPANY LETTERHEAD]
[DATE]
[CONSUMER NAME]
[ADDRESS LINE 1]
[ADDRESS LINE 2]
Re: Notice of Data Breach
Dear [CONSUMER NAME]:
What Happened?
On [DISCOVERY DATE], we discovered that unauthorized actors gained access to certain Company systems between [INCIDENT START] and [INCIDENT END]. Our independent forensic investigation confirmed that files containing your personal information were accessed and/or exfiltrated.
What Information Was Involved?
The impacted information may have included your:
☐ Social Security number
☐ Driver’s license/State-issued ID number
☐ [OTHER IMPACTED DATA FIELDS].
What We Are Doing.
• We immediately contained the incident and engaged leading cybersecurity experts.
• We reported the incident to law-enforcement authorities.
• We enhanced our network security, including mandatory multi-factor authentication and continuous monitoring.
• We are offering you [12/24] months of complimentary [IDENTITY MONITORING PRODUCT] through [SERVICE PROVIDER]. Instructions to activate this service are enclosed.
What You Can Do.
• Enroll in the complimentary identity-protection service no later than [ENROLLMENT DEADLINE].
• Review your account statements and credit reports for suspicious activity.
• Consider placing a fraud alert or security freeze on your credit file.
• Additional resources and contact information are provided in the attached “Information About Identity Theft Protection” sheet.
For More Information.
If you have any questions, please call our dedicated, toll-free hotline at [PHONE] (Monday–Friday, 8 a.m.–8 p.m. Central) or e-mail us at [EMAIL].
We regret any inconvenience this incident may cause and remain committed to protecting your information.
Sincerely,
[AUTHORIZED SIGNATORY NAME]
[Title] | [Company]
Enclosures:
1. “Steps You Can Take to Protect Your Information”
2. Activation Code & Instructions for [IDENTITY MONITORING PRODUCT]
[// GUIDANCE: 1. Include FTC and CRA contact information in the “Steps You Can Take” enclosure to satisfy SDCL § 22-40-20(3)(d).
2. Confirm that the enrollment period for complimentary services is commercially reasonable (industry standard is 12 months; healthcare entities may provide 24 months).
3. If usernames/e-mail addresses with passwords were breached, recommend forced password reset and include that instruction here.]
END OF TEMPLATE