August 17, 2020

«First_Name» «Last_Name»
«STREET»
«CITY» SD «Zip»

Dear «First_Name»,

On June 19, 2020, the South Dakota Department of Public Safety’s State Fusion Center (Fusion Center) received information concerning a data breach targeting one of its vendors, Netsential.com, Inc., a web development firm used by fusion centers and law enforcement agencies nationwide. The breach is the subject of an ongoing federal criminal investigation; however, there have been public reports that a substantial amount of data from a variety of Netsential’s clients was compromised. On behalf of the Fusion Center, I apologize for our vendor’s data breach.

You are receiving this letter because you may have been impacted by this breach. This spring, the Fusion Center, using Netsential’s services, developed a secure online portal to assist first responders in identifying COVID-19-positive individuals for their situational awareness during calls for service. Law enforcement officers were not given a list of COVID-19-positive individuals but were able to call a dispatcher to verify whether a particular individual was COVID-19 positive. This information was maintained on Netsential’s secure servers, and access to the information was carefully restricted to a select number of South Dakota officials who received both training in handling the data and an individual password for accessing it.

Before uploading the information to Netsential, the Fusion Center took steps to ensure that if a third party ever accessed the file separately from the online portal, individual health information would not be disclosed. However, when processing this data, Netsential added certain labels to the file that could allow a third party to identify you and your COVID-19 status if the file was ever removed from Netsential’s system. Netsential’s above-mentioned security failure allowed unauthorized access to its system by a third party.

The Fusion Center believes your name, address, birth date, and COVID-19 status were on the list that was compromised during this breach, which means this information may continue to be available on various internet sites that link to files from the Netsential breach. The list did not include any financial information, social security numbers, or internet passwords of any individuals.

We have informed Netsential it has a responsibility under South Dakota law to notify you of the breach of your data, but Netsential has not confirmed it will do so. Given the sensitivity of your information, the Fusion Center is notifying you directly, so you receive notice even if Netsential fails to act. Please understand this notification does not relieve Netsential of its responsibility to provide its own notice to you, nor does it mean the Fusion Center or Department of Public Safety accepts legal responsibility for any claim that may arise from Netsential’s breach.

I would urge you to take appropriate precautions to ensure your information is not exploited following the Netsential breach. In particular, I recommend you review the information and use the tips to identify identity theft from the South Dakota Attorney General’s Consumer Protection Division’s website at https://consumer.sd.gov/fastfacts/identitytheft.aspx.

Should you have specific questions after reviewing this letter and the information from the link above, please contact the Fusion Center by using the following link: http://sdfusion.org/notification/.

Sincerely,

Paul Niedringhaus, Director

South Dakota Fusion Center ● 605-773-3105