South Carolina Breach of Security of Business Data
SC Code § 39-1-90
SUMMARY:
EFFECTIVE. July 1, 2009
WHO DOES THIS LAW APPLY TO. (1) Any person or entity that conducts business in South Carolina and owns or licenses computerized data that includes Personal Information; and (2) any person or entity which maintains computerized data which includes Personal Information on State residents.
WHAT IS A BREACH. An unauthorized acquisition of and access to unencrypted or unredacted computerized data that compromises the security, integrity or confidentiality of Personal Information maintained by a person or business, when illegal use of the Personal Information has occurred or is likely to occur, or such use creates a risk of harm to a South Carolina resident. A good faith acquisition of Personal Information by an employee or agent of the owner for internal purposes only is not a breach, if it is not used or subject to further unauthorized disclosure.
WHAT IS PERSONAL INFORMATION. An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the data element is not encrypted or redacted:
- Social Security Number.
- Driver’s license number or State identification card number.
- Account number, savings and checking accounts, credit card or debit card number in combination with any required security code, access code, or password that would permit access to the individual’s financial account.
- Other numbers or information which may be used to access a person’s financial accounts or used by a governmental or regulatory entity that will uniquely identify an individual.
- Digital signatures.
- Birth dates.
- Current or former names, including first, last, middle, and last names, or first, middle, and last names, but only when the names are combined with and linked to other identifying information provided in this section.
- Current or former addresses, but only when the addresses are combined with and linked to other identifying information provided in this section.
Personal Information does not include publicly available information, or information that is lawfully available from Federal, State, or local government records.
WHO TO NOTIFY OF THE BREACH. Notification of the breach must be sent to the South Carolina residents affected. If more than 1,000 South Carolina residents are involved in a breach, the person or business shall, without unreasonable delay, also notify all consumer reporting agencies that maintain files on consumers nationwide (as defined by 15 U.S.C. § 1618a(p)), of the timing, distribution, and content of the notice. If more than 1,000 South Carolina residents are involved in a breach, the person or business shall, without unreasonable delay, also notify the Consumer Protection Division of the Department of Consumer Affairs of the timing, distribution, and content of the notice.
EXCEPTION. This Section does not apply to the following:
- A person or business which maintains its own notice procedures as part of a Personal Information security policy and is otherwise consistent with the timing requirements of this Section, is considered in compliance with this Section if the affected South Carolina residents are notified by the person or business in accordance with its policies.
- This Section does not apply to a bank or financial institution that is subject to and in compliance with the privacy and security provision of the Gramm-Leach-Bliley Act.
- A financial institution that complies with the notice requirements required by the Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, is considered in compliance with this Section.
WHEN TO NOTIFY OF THE BREACH. Notification must be sent when the person or business discovers or is notified of a security breach. The disclosure shall be made in the most expedient manner possible and without unreasonable delay consistent with the needs of law enforcement or measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system. Notification may be delayed if law enforcement determines it will impede a criminal investigation. In that instance, notification will be made following clearance by law enforcement.
HOW TO NOTIFY OF THE BREACH. Notice may be provided by one of the following methods:
- Written.
- Telephonic.
- Electronic (if it is the primary means of communication or notice is consistent with the provisions regarding electronic records and signatures in 15 U.S.C. § 7001).
- Substitute notice as provided below.
SUBSTITUTE NOTICE AVAILABLE. If the person or business can demonstrate that the cost of providing notice will exceed $250,000, the affected class of persons to be notified exceeds 500,000, or the person or business has insufficient contact information, substitute notice may be used. Substitute notice shall consist of all of the following:
- Email notice if the person or business has an Email address for the individual(s) subject to notice.
- Conspicuous posting of the notice on the website of the person or business if one is maintained.
- Notification to major statewide media.
NOTICE TO THIRD-PARTIES. If a person or business maintains computerized data that includes Personal Information that it does not own, then the person or business shall notify the owner or licensee of the breach immediately following discovery. The person or business that owns or licenses the computerized data shall provide notice to the affected individual(s).
CONSEQUENCES FOR FAILING TO NOTIFY. A person or business which knowingly and willfully violates this Section will be subject to a fine of $1,000 per resident whose Personal Information was breached. This amount is to be determined by the Department of Consumer Affairs. South Carolina residents who have been injured from a violation of this Section may, in addition to all other rights and remedies available by law, file a civil lawsuit to:
- Recover damages and attorney’s fees and costs.
- Seek a court order to enforce compliance with this Section.
PRIVATE RIGHT OF ACTION. Yes. An injured resident may file a civil action to recover damages, in addition to and cumulative of all other rights and remedies available at law.
REQUIREMENTS OF REASONABLE SECURITY MEASURES.
DATA DISPOSAL PROVISIONS. S.C. Code § 37-20-190. When a business disposes of a business record that contains personal identifying information of a customer of a business, the business shall modify, by shredding, erasing, or other means, the personal identifying information to make it unreadable or undecipherable.
LEGISLATIVE UPDATES.
S.B. 453 – Signed into law on 4/2/2008, Effective 7/1/2009.
H.B. 3248 – Signed into law on 4/23/2013, Effective 4/23/2013.
For more information, see here: https://www.scstatehouse.gov/code/t39c001.php
These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.