South Carolina Consumer Notification Laws

Statute Citation


S.C. Code § 39-1-90

Effective date: 07/01/2009

What Is A Breach?

Unauthorized access to and acquisition of computerized data that was not rendered unusable through encryption, redaction, or other methods that compromises the security, confidentiality, or integrity of personal identifying information maintained by the person, when illegal use of the information has occurred or is reasonably likely to occur or use of the information creates a material risk of harm to a resident.

When Is Notice Required?

Computerized data containing personal information: unencrypted, unredacted or not rendered unusable by other methods.

"Personal identifying information" means the first name or first initial and last name in combination with and linked to any one or more of the following data elements that relate to a resident of the State, when the data elements are neither encrypted nor redacted: (1) social security number; (2) driver's license number or state identification card number issued instead of a driver's license; (3) financial account number, or credit card or debit card number in combination with any required security code, access code, or password that would permit access to a resident's financial account; or (4) other numbers or information which may be used to access a person's financial accounts or numbers or information issued by a governmental or regulatory entity that uniquely will identify an individual.

When Is Notice Not Required?

Harm Trigger
Notice is not required if the illegal use of the information has not occurred or is not reasonably likely to occur or use of the information does not create a material risk of harm.

Statutory
Certain requirements are inapplicable to banks or financial institutions subject to and in compliance with the privacy and security provision of the Gramm-Leach-Bliley Act (GLB).

Entities are deemed to be in compliance with some or all of the state statute’s requirements if they are subject to and in compliance with the federal Interagency Guidance Response Programs for Unauthorized Access to Consumer Information and Customer Notice.

Existing Policy
Certain notice requirements may be satisfied if a person maintains its own notification procedures consistent with the timing requirements of state law; and if the person notifies affected individuals in accordance with its policies.

Good Faith
Notice is not required if there has been a good faith acquisition of personal identifying information by an employee or agent of the person for the purposes of its business; and if the personal identifying information is not used or subject to further unauthorized disclosure.

Encryption
Notice is not required if the information is encrypted or redacted.

Who Must Notify?

A person conducting business in this state, and owning or licensing computerized data or other data that includes personal identifying information.

A person that maintains computerized unencrypted data that includes personal information that the state agency or person does not own must notify the owner or licensee.

Who Must Be Notified?

The individual.

The nationwide credit reporting agencies must be notified if more than 1,000 individuals receive notice at one time.

The Consumer Protection Division of the Department of Consumer Affairs must be notified if more than 1,000 individuals receive notice at one time.

Required Contents of Notice

Not specifically addressed.

Timing of Notice

The most expedient time possible and without unreasonable delay.

Notification may be delayed if a law enforcement agency determines that it will impede a criminal investigation. Notification is required after the law enforcement agency determines that it no longer compromises the investigation.

Notification may be delayed to determine the scope of the breach and restore the reasonable integrity of the data system.

Permitted Delivery of Notice

Written.

Electronic, if the person's primary method of communication with the individual is by electronic means or if electronic notice is consistent with E-Sign requirements.

Telephonic notice.

Substitute notice may be used if the cost of providing notice exceeds $250,000, the number of persons exceeds 500,000, or sufficient contact information is not available. All of the following must be done: (i) email; (ii) web site posting; and (iii) notice to major statewide media.

Law Enforcement Contacts

Henry McMaster, Esquire
Attorney General of South Carolina
Rembert C. Dennis Office Building
1000 Assembly Street, Room 519
Columbia, SC 29201
(803)734-3970

FBI - Columbia
151 Westpark Blvd
Columbia, SC 29210-3857
http://columbia.fbi.gov
(803) 551-4200

Secret Service - Charleston
(843) 747-7242

Secret Service - Greenville
(864) 233-1490

Electronic Crimes Task Force - Columbia
(803) 772-4015



Contributors to this page: pshepard3162 points  and admin .
Page last modified on Thursday 15 of October, 2009 10:09:21 EDT by pshepard3162 points . (Version 18)