Security Breach Legislation in the State of South Carolina

S.C. Code Ann. § 39-1-90 is a security breach notification law that was passed in the U.S. state of South Carolina in 2009 and later amended in 2013. S.C. Code Ann. § 39-1-90 was passed for the purpose of providing residents of the state of South Carolina with legal protection as it pertains to personal information that has been compromised as a result of a security breach. With this being said, S.C. Code Ann. § 39-1-90 establishes the procedures that business entities within South Carolina as charged with following in the event that a security breach takes place. Furthermore, the S.C. Code Ann. § 39-1-90 also empowers the South Carolina Consumer Protection Division of the Department of Consumer Affairs to impose penalties against businesses within the state that are found to be in violation of the law.

What is the scope and applicability of S.C. Code Ann. § 39-1-90?

In terms of the scope and application of S.C. Code Ann. § 39-1-90, the provisions of the law are applicable to any “natural person, an individual, or a corporation, government or governmental subdivision or agency, trust, estate, partnership, cooperative or association (collectively, Entity) conducting business in SC, and owning or licensing computerized data or other data that includes PI.” Moreover, the law also applies to any “entity conducting business in SC and maintaining computerized data or other data that includes PI that the Entity does not own shall notify the owner or licensee of the information of a breach of the security of the data immediately following discovery, if the PI was, or is reasonably believed to have been, acquired by an unauthorized person.”

What are the security breach notification requirements under S.C. Code Ann. § 39-1-90?

In terms of the security breach requirements under S.C. Code Ann. § 39-1-90, the law mandates that an entity provide notification to all affected parties in the event that a security breach occurs. These notifications must be provided to residents of South Carolina without undue delay, and must provide residents with information including a description of the breach in general terms, as well as the steps that the affected entity has undertaken to restore the reasonable integrity of the data system that was breached, among other things. Additionally, affected entities must also provide notification to the Consumer Protection Division of the Department of Consumer Affairs if a data breach affects more than 1,000 residents in the state.

What categories of personal information are protected under S.C. Code Ann. § 39-1-90?

Under S.C. Code Ann. § 39-1-90, the following categories of personal information are protected in the event that a security breach occurs, in combination with a South Carolina resident’s first name or first initial and last name, in instances where the following data elements have been neither redacted nor encrypted:

• Social security numbers.
• Driver’s license numbers and state identification card numbers.
• Financial account numbers, credit card numbers, and debit card numbers, in conjunction with any required security codes, access codes, or passwords that could be used to grant access to an individual’s financial account.
• “Other numbers or information that may be used to access a person’s financial accounts or numbers or information issued by a governmental or regulatory entity that uniquely will identify an individual.”

What are the penalties for violating S.C. Code Ann. § 39-1-90?

In contrast to many other data breach notification laws at the U.S. state level, the provisions of S.C. Code Ann. § 39-1-90 are enforced by the Consumer Protection Division of the Department of Consumer Affairs as opposed to the South Carolina Attorney General. To this point, South Carolina residents that have their rights violated as it relates to security breaches are entitled to take the following legal actions:

• File a civil lawsuit against a business entity for the purpose of recovering damages, in instances where the violation was found to have been caused deliberately.
• File a civil lawsuit against a business entity for damages incurred, in instances where the violation was found to have been caused by negligence.
• The enforcement of compliance through a court injunction.
• The recovery of legal fees and court costs.

To further illustrate the potential scope and severity of punishments that can be handed down in accordance with the provisions established in S.C. Code Ann. § 39-1-90, Indianapolis-based health insurance company Anthem Inc. was ordered to pay $115 million to settle a class-action lawsuit in 2017. This lawsuit was filed in response to a data breach that the company experienced in 2015, which led to the personal information of more than 79 million people becoming compromised. As the breach affected millions of residents within multiple U.S. states, including South Carolina, the company also offered two free years of credit servicing for all individuals that were affected by the breach.

Through the provisions set forth in S.C. Code Ann. § 39-1-90, residents of South Carolina were provided with the legal means to protect themselves in the event that their personal information is compromised following a security breach. As Anthem Inc’s $115 million settlement in 2017 shows, the penalties for violating data breach notification at the U.S. state level can prove to be extremely costly. As such, residents of the state of South Carolina can rest assured that they will be able to take a wide range of measures and legal actions to protect themselves against the adverse effects of a security breach.