South Dakota Cybersecurity Laws You Should Know (2025)
Mitch Wolverton

Cybersecurity continues to be a growing concern for businesses across the United States, and South Dakota is no exception. With rising cyberattacks targeting sensitive data, companies must understand and comply with state and federal cybersecurity regulations. Below, we’ll break down the key cybersecurity laws that apply to South Dakota businesses and how to stay compliant in 2025.
South Dakota Cybersecurity Laws
South Dakota Data Breach Notification Law (S.D. Codified Laws § 22-40-19 through § 22-40-26)
The South Dakota Data Breach Notification Law, enacted in 2018, is one of the more comprehensive state breach laws. It requires businesses to notify affected individuals within 60 days of discovering a data breach involving personal or protected information.
If a breach impacts more than 250 South Dakota residents, businesses must also notify the South Dakota Attorney General. Failure to comply can result in civil penalties of up to $10,000 per day for each violation.
The law defines “personal information” broadly, including Social Security numbers, financial account details, biometric data, and health information.
South Dakota Deceptive Trade Practices and Consumer Protection Act (S.D. Codified Laws § 37-24-1 et seq.)
The Deceptive Trade Practices and Consumer Protection Act prohibits false or misleading claims about data security or privacy practices. Businesses that fail to maintain reasonable safeguards for consumer data can face enforcement actions from the Attorney General’s Office.
South Dakota Computer Crimes Law (S.D. Codified Laws § 43-43B-1 et seq.)
This statute criminalizes unauthorized computer access, data tampering, and intentional introduction of malware. Offenses include hacking, identity theft, and network disruption, with penalties ranging from misdemeanors to felonies depending on the extent of the damage.
South Dakota Electronic Transactions Act (S.D. Codified Laws § 53-12-1 et seq.)
The Electronic Transactions Act validates the use of electronic records and digital signatures in South Dakota. It requires businesses to secure such records from unauthorized modification or disclosure and to maintain reliable authentication systems.
Federal and Industry-Specific Cybersecurity Regulations That Affect South Dakota Businesses
Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS applies to South Dakota businesses that accept or process credit card payments. Compliance involves data encryption, restricted access, and regular vulnerability testing.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA applies to South Dakota healthcare providers and their business associates. It mandates physical, administrative, and technical safeguards to protect protected health information (PHI).
Gramm-Leach-Bliley Act (GLBA)
Financial institutions in South Dakota must comply with GLBA, which requires comprehensive data protection programs, employee training, and consumer privacy disclosures.
General Data Protection Regulation (GDPR)
GDPR applies to South Dakota companies that handle personal data from EU residents. It requires explicit consent, the right to data access and deletion, and transparent privacy notices.
Cybersecurity Requirements for Financial Services Companies (NYDFS 23 NYCRR 500)
South Dakota financial institutions operating in New York must meet NYDFS cybersecurity standards, which include encryption, multifactor authentication, and mandatory 72-hour incident reporting.
NIST Cybersecurity Framework
The NIST Cybersecurity Framework provides best practices for identifying, protecting, detecting, responding to, and recovering from cyber incidents. It’s widely adopted in South Dakota’s finance, energy, and agricultural sectors.
Federal Trade Commission (FTC) Act
The FTC Act requires South Dakota businesses to protect consumer data from unauthorized access. The FTC can take action against companies that fail to secure data or misrepresent their cybersecurity practices.
Children’s Online Privacy Protection Act (COPPA)
If your South Dakota business collects data from children under 13, COPPA applies. It requires verified parental consent and limits the collection and sharing of minors’ personal data.
Sarbanes-Oxley Act (SOX)
Family Educational Rights and Privacy Act (FERPA)
Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA)
CAN-SPAM Act
Defense Federal Acquisition Regulation Supplement (DFARS)
South Dakota defense contractors must comply with DFARS cybersecurity requirements aligned with NIST SP 800-171, which safeguard controlled unclassified information.
Section 5 of the FTC Act (Unfair or Deceptive Practices)
Section 5 prohibits unfair or deceptive cybersecurity practices, holding South Dakota businesses accountable for protecting customer data and being transparent about their security posture.
More South Dakota Cybersecurity Laws to Be Aware Of
The South Dakota Bureau of Information and Telecommunications (BIT) leads statewide cybersecurity policy and operates the South Dakota Fusion Center, which monitors cyber threats and coordinates incident response.
Private businesses are encouraged to align their cybersecurity programs with recognized frameworks such as NIST or CIS Controls, conduct annual risk assessments, and maintain written data protection and incident response plans.
Conclusion
Compliance with South Dakota cybersecurity laws is critical to protecting customer data and preventing costly penalties. By following the South Dakota Data Breach Notification Law and adhering to federal cybersecurity standards, businesses can strengthen their digital defenses and maintain trust.
If your organization needs help managing cybersecurity compliance in South Dakota, we offer tailored solutions to keep your operations secure and fully compliant.
Frequently Asked Questions About South Dakota Cybersecurity Laws
- What is South Dakota’s main cybersecurity law?
The South Dakota Data Breach Notification Law (S.D. Codified Laws § 22-40-19) is the state’s primary cybersecurity law, requiring breach notifications within 60 days of discovery.
- Who enforces cybersecurity laws in South Dakota?
The South Dakota Attorney General’s Office enforces breach notification and consumer protection laws.
- What is the penalty for failing to report a breach in South Dakota?
Companies can face civil penalties of up to $10,000 per day for non-compliance with breach notification requirements.
- Does South Dakota require specific cybersecurity standards?
No, but following frameworks like NIST or ISO 27001 helps demonstrate reasonable security practices and compliance readiness.
- What types of data are protected under South Dakota law?
Personal information such as Social Security numbers, driver’s license numbers, financial data, health information, and biometric identifiers are protected.
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Readers should consult qualified legal counsel for advice specific to their organization or situation.
Mitch, Marketing Manager at PivIT Strategy, brings many years of marketing and content creation experience to the company. He began his career as a content writer and strategist, honing his skills on some of the industry’s largest websites, before advancing to specialize in SEO and digital marketing at PivIT Strategy.
