S.C. Code § 39-1-90
S.B. 453 (signed into law April 2, 2008)
Effective July 1, 2009
H.B. 3248 (signed into law April 23, 2013)
Effective April 23, 2013
Application. A natural person, an individual, or a corporation, government or governmental subdivision or agency, trust, estate, partnership, cooperative or association (collectively, Entity) conducting business in SC, and owning or licensing computerized data or other data that includes PI.
Security Breach Definition. Unauthorized access to and acquisition of computerized data that was not rendered unusable through encryption, redaction, or other methods that compromises the security, confidentiality, or integrity of PI maintained by the Entity, when illegal use of the information has occurred or is reasonably likely to occur or use of the information creates a material risk of harm to a resident.
- Good-faith acquisition of PI by an employee or agent of the Entity for the purposes of its business is not a breach of the security of the system if the PI is not used or subject to further unauthorized disclosure.
Notification Obligation. Any Entity to which the statute applies shall disclose a breach of the security of the system following discovery or notification of the breach in the security of the data to a resident of SC whose unencrypted and unredacted PI was, or is reasonably believed to have been, acquired by an unauthorized person when the illegal use of the information has occurred or is reasonably likely to occur or use of the information creates a material risk of harm to the resident.
Notification to Consumer Reporting Agencies. If an Entity provides notice to more than 1,000 persons at one time pursuant to the statute, the Entity shall notify, without unreasonable delay, the Consumer Protection Division of the Department of Consumer Affairs and all consumer reporting agencies that compile and maintain files on a nationwide basis of the timing, distribution, and content of the notice.
Attorney General/Agency Notification. If an Entity provides notice to more than 1,000 SC residents, the Entity shall notify, without unreasonable delay, the Consumer Protection Division of the Department of Consumer Affairs of the timing, distribution, and content of the notice.
Third-Party Data Notification. An Entity conducting business in SC and maintaining computerized data or other data that includes PI that the Entity does not own shall notify the owner or licensee of the information of a breach of the security of the data immediately following discovery, if the PI was, or is reasonably believed to have been, acquired by an unauthorized person.
Timing of Notification. The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
Personal Information Definition. The first name or first initial and last name in combination with and linked to any one or more of the following data elements that relate to a resident of SC, when the data elements are neither encrypted nor redacted:
- Social Security Number;
- Driver license number or state identification card number issued instead of a driver license;
- Financial account number or credit card number or debit card number in combination with any required security code, access code, or password that would permit access to a resident’s financial account; or
- Other numbers or information that may be used to access a person’s financial accounts or numbers or information issued by a governmental or regulatory entity that uniquely will identify an individual.
PI does not include information that is lawfully obtained from publicly available information, or from federal, state, or local government records lawfully made available to the general public.
Notice Required. Notice may be provided by one of the following methods:
- Written notice;
- Telephonic notice; or
- Electronic notice, if the person’s primary method of communication with the individual is by electronic means or is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001 (E-SIGN Act).
Substitute Notice Available. If the Entity demonstrates that the cost of providing notice exceeds $250,000, or that the affected class of subject persons to be notified exceeds 500,000, or the person has insufficient contact information. Substitute notice consists of:
- Email notice when the Entity has an email address for the subject persons;
- Conspicuous posting of the notice on the Entity’s Web site if the Entity maintains one; and
- Notification to major statewide media.
Exception: Own Notification Policy. An Entity that maintains its own notification procedures as part of an information security policy for the treatment of PI and is otherwise consistent with the timing requirements of the statute shall be deemed to be in compliance with the notification requirements of the statute if it notifies subject persons in accordance with its policies in the event of a breach of security of the system.
Exception: Compliance with Other Laws.
- Gramm-Leach-Bliley Act. This section does not apply to a bank or financial institution that is subject to and in compliance with the privacy and security provisions of the Gramm-Leach-Bliley Act.
- Interagency Guidance. A financial institution that is subject to and in compliance with the federal Interagency Guidance Response Programs for Unauthorized Access to Consumer Information and Customer Notice, issued March 7, 2005, by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision, as amended, is considered to be in compliance with this section.
Penalties. A person who knowingly and willfully violates this section is subject to an administrative fine of $1,000 for each resident whose information was accessible by reason of the breach, the amount to be decided by the Department of Consumer Affairs.
Other Key Provisions:
- Delay for Law Enforcement. The notification required by the statute may be delayed if a law enforcement agency determines that the notification impedes a criminal investigation. The notification required by the statute must be made after the law enforcement agency determines that it no longer compromises the investigation.
- Private Right of Action. A resident of SC who is injured by a violation of this section, in addition to and cumulative of all other rights and remedies available at law, may: institute a civil action to recover damages in case of a willful and knowing violation; institute a civil action to recover only actual damages resulting from a violation in case of a negligent violation; seek an injunction to enforce compliance; and recover attorney’s fees and court costs, if successful.