South Carolina General Assembly
116th Session, 2005-2006

S. 669

STATUS INFORMATION

General Bill
Sponsors: Senators Reese and Leventis
Document Path: l:\council\bills\bbm\10720mm05.doc

Introduced in the Senate on March 23, 2005
Currently residing in the Senate Committee on Judiciary

Summary: Personal identifying information

HISTORY OF LEGISLATIVE ACTIONS

     Date      Body   Action Description with journal page number
-------------------------------------------------------------------------------
   3/23/2005  Senate  Introduced and read first time SJ-19
   3/23/2005  Senate  Referred to Committee on Judiciary SJ-19
    4/4/2005  Senate  Referred to Subcommittee: Moore (ch), Ford, Mescher, 
                        Rankin, Scott

VERSIONS OF THIS BILL

3/23/2005

(Text matches printed bills. Document has been reformatted to meet World Wide Web specifications.)

A BILL

TO AMEND THE CODE OF LAWS OF SOUTH CAROLINA, 1976, BY ADDING SECTION 1-11-490 SO AS TO PROVIDE FOR NOTICE TO A SOUTH CAROLINA RESIDENT WHOSE PERSONAL IDENTIFYING INFORMATION MAY HAVE BEEN ACCESSED THROUGH A BREACH OF THE SECURITY OF COMPUTERIZED DATA OWNED, LICENSED, OR OTHERWISE CONTROLLED BY A STATE AGENCY, TO PROVIDE DEFINITIONS, TO SPECIFY REQUIREMENTS OF THE NOTICE, AND TO PROVIDE PENALTIES FOR NONCOMPLIANCE; AND BY ADDING SECTION 39-1-90 SO AS TO PROVIDE FOR NOTICE TO A SOUTH CAROLINA RESIDENT WHOSE PERSONAL IDENTIFYING INFORMATION MAY HAVE BEEN ACCESSED THROUGH A BREACH OF THE SECURITY OF COMPUTERIZED DATA OWNED, LICENSED, OR OTHERWISE CONTROLLED BY A PERSON CONDUCTING BUSINESS IN THIS STATE, TO PROVIDE DEFINITIONS, TO SPECIFY REQUIREMENTS OF THE NOTICE, AND TO PROVIDE PENALTIES FOR NONCOMPLIANCE.

Be it enacted by the General Assembly of the State of South Carolina:

SECTION    1.    The General Assembly finds that:

(1)    The privacy and financial security of individuals is increasingly at risk due to the increasingly widespread collection of personal identifying information by both the private and public sector.

(2)    Credit card transactions, magazine subscriptions, telephone numbers, real estate records, automobile registrations, consumer surveys, warranty registrations, credit reports, and Internet Web sites are all sources of personal identifying information and sources of material for identity thieves.

(3)    Identity theft is one of the fastest growing crimes and it is costly to both the marketplace and consumers.

(4)    Victims of identity theft may minimize the damage by acting quickly; therefore, expeditious notification of possible misuse of a person's personal identifying information is imperative.

SECTION    2.    Article 1, Chapter 1 of Title 11 of the 1976 Code is amended by adding:

"Section 1-11-490.    (A)    An agency of this State owning or licensing computerized data that includes personal identifying information shall disclose a breach of the security of the system following discovery or notification of the breach in the security of the data to a resident of this State whose unencrypted personal identifying information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection (C), or with measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

(B)    An agency maintaining computerized data that includes personal identifying information that the agency does not own shall notify the owner or licensee of the information of a breach of the security of the data immediately following discovery, if the personal identifying information was, or is reasonably believed to have been, acquired by an unauthorized person.

(C)    The notification required by this section may be delayed if a law enforcement agency determines that the notification impedes a criminal investigation. The notification required by this section must be made after the law enforcement agency determines that it no longer compromises the investigation.

(D)    For purposes of this section:

(1)    'Agency' means any agency, department, board, commission, committee, or institution of higher learning of the State or a political subdivision of it.

(2)    'Breach of the security of the system' means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal identifying information maintained by the agency. Good faith acquisition of personal identifying information by an employee or agent of the agency for the purposes of the agency is not a breach of the security of the system if the personal identifying information is not used or subject to further unauthorized disclosure.

(3)    'Personal identifying information' has the same meaning as 'identifying information' in Section 16-13-510(C).

(E)    The notice required by this section may be provided by:

(1)    written notice;

(2)    electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code and Chapter 6 of Title 26 of the 1976 Code;

(3)    substitute notice, if the agency demonstrates that the cost of providing notice exceeds two hundred fifty thousand dollars or that the affected class of subject persons to be notified exceeds five hundred thousand or the agency has insufficient contact information. Substitute notice consists of:

(a)    e-mail notice when the agency has an e-mail address for the subject persons;

(b)    conspicuous posting of the notice on the agency's Web site page, if the agency maintains one;

(c)    notification to major statewide media.

(F)    Notwithstanding subsection (E), an agency that maintains its own notification procedures as part of an information security policy for the treatment of personal identifying information and is otherwise consistent with the timing requirements of this section is considered to be in compliance with the notification requirements of this section if it notifies subject persons in accordance with its policies in the event of a breach of security of the system.

(G)    A resident of this State who is injured by a violation of this section, in addition to and cumulative of all other rights and remedies available at law, may:

(1)    institute a civil action to recover damages;

(2)    seek an injunction to enforce compliance;

(3)    recover attorney's fee and court costs, if successful."

SECTION    3.    Chapter 1 of Title 39 of the 1976 Code is amended by adding:

"Section 39-1-90.    (A)    A person conducting business in this State, and owning or licensing computerized data that includes personal identifying information, shall disclose a breach of the security of the system following discovery or notification of the breach in the security of the data to a resident of this State whose unencrypted personal identifying information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection (C), or with measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

(B)    A person conducting business in this State and maintaining computerized data that includes personal identifying information that the person does not own shall notify the owner or licensee of the information of a breach of the security of the data immediately following discovery, if the personal identifying information was, or is reasonably believed to have been, acquired by an unauthorized person.

(C)    The notification required by this section may be delayed if a law enforcement agency determines that the notification impedes a criminal investigation. The notification required by this section must be made after the law enforcement agency determines that it no longer compromises the investigation.

(D)    For purposes of this section:

(1)    'Breach of the security of the system' means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal identifying information maintained by the person. Good faith acquisition of personal identifying information by an employee or agent of the person for the purposes of its business is not a breach of the security of the system if the personal identifying information is not used or subject to further unauthorized disclosure.

(2)    'Person' means any individual, partnership, corporation, trust, association, and other organization or group of persons.

(3)    'Personal identifying information' has the same meaning as 'identifying information' in Section 16-13-510(C).

(E)    The notice required by this section may be provided by:

(1)    written notice;

(2)    electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures in Section 7001 of Title 15 of the United States Code and Chapter 6 of Title 11 of the 1976 Code;

(3)    substitute notice, if the person demonstrates that the cost of providing notice exceeds two hundred fifty thousand dollars or that the affected class of subject persons to be notified exceeds five hundred thousand or the person has insufficient contact information. Substitute notice consists of:

(a)    e-mail notice when the person has an e-mail address for the subject persons;

(b)    conspicuous posting of the notice on the Web site page of the person, if the person maintains one;

(c)    notification to major statewide media.

(F)    Notwithstanding subsection (E), a person that maintains its own notification procedures as part of an information security policy for the treatment of personal identifying information and is otherwise consistent with the timing requirements of this section is considered to be in compliance with the notification requirements of this section if the person notifies subject persons in accordance with its policies in the event of a breach of security of the system.

(G)    A resident of this State who is injured by a violation of this section, in addition to and cumulative of all other rights and remedies available at law, may:

(1)    institute a civil action to recover damages;

(2)    seek an injunction to enforce compliance;

(3)    recover attorney's fee and court costs, if successful."

SECTION    5.    This act takes effect upon approval by the Governor.

----XX----

This web page was last updated on Friday, December 4, 2009 at 3:31 P.M.