South Carolina has joined the ranks of U.S. states that require companies and other entities to alert residents of a data breach involving personally identifying information. The law went into effect earlier this month, on July 1, 2009.
Like many such laws based on the original California law, the South Carolina data breach law provides safe harbor when data is lost or stolen; however, this protection kicks in only if data protection measures, such as encryption software (AlertBoot endpoint security, for example), are used to secure the data. In other words, no encryption = no legal protection.
You’ll want to consult with your legal advisor, as I’m far removed from the legal profession, but here are the major points covered by the law.
What Is Personal Identifying Information Under South Carolina Law?
Under Section 16-13-510 of the South Carolina legislature, “personal identifying information” is composed of the first name or its initial; the last name; and one or more of the following:
- Social Security number;
- Driver’s license number or state identification card number issued instead of a driver’s license;
- Financial account number, or credit card or debit card number in combination with any required security code, access code, or password that would permit access to a resident’s financial account; or
- Other numbers or information which may be used to access a person’s financial accounts or numbers or information issued by a governmental or regulatory entity that uniquely will identify an individual.
The four points above are lifted directly from S.C.’s on-line legislature site. I should remark that, as noted in the same section, the above definition only holds when elements are “neither encrypted nor redacted.” This leaves us in a weird situation where, for example, if you encrypt someone’s full name and SSN, it stops being personal identifying information.
Which makes sense, in a way: If it’s encrypted, the information is scrambled up, so it can’t be identifying anyone anymore. (Or, I guess, it’s a roundabout way of saying that you’re legally protected if you encrypt sensitive information.)
Penalties For Violating South Carolina’s Data Privacy Law
So, let’s say that a company decides “to heck with it, we’re not notifying people.” What kind of damages are we looking at here? Well, it’s kind of complicated.
Under Section 39-1-90 H, one faces a fine of $1,000 per resident affected by the breach. Lose a USB disk with 50 names and SSNs, and you’re looking at a $50,000 fine.
But, that section is slightly confusing…
A person who knowingly and wilfully violates this section is subject to an administrative fine in the amount of one thousand dollars for each resident whose information was accessible by reason of the breach, the amount to be decided by the Department of Consumer Affairs. [my emphasis]
“The amount to be decided?” What “the amount to be decided?” The previous portion clearly states that it’s $1,000 per resident. Does the Department of Consumer Affairs have the ability to cap the fine (say, no more than $10,000)? Also, that’s not the end of it.
Under Section 39-1-90 G, any South Carolina resident is allowed to do the following:
- Institute a civil action to recover damages in case of a wilful and knowing violation;
- Institute a civil action that must be limited to actual damages resulting from a violation in case of a negligent violation of this section;
- Seek an injunction to enforce compliance; and
- Recover attorney’s fees and court costs, if successful.
This is in addition to any other rights S.C. residents may have.
If you don’t speak lawyer-ese: I believe that to “institute a civil action” means a private citizen filing a lawsuit in court.
An “injunction” is fancy-speak for a court order that stops someone from doing something; I guess in the above, it means that one can sue a company to stop not notifying people? Which in turn means that they have to start notifying people of a breach? Yeah, I don’t get it either; consult with a lawyer. (It probably means you have the power to force companies to correct any ills.)
Obviously, a company’s going to have to shell out money to defend itself.
Taking the above into consideration, using disk encryption programs on laptops is beginning to look like a cost-effective alternative. And if you decide not to use it, then at least don’t try to hide a breach…it just can’t end well.
Notification for South Carolina Data Breaches
OK, so the above section on penalties scared you straight into alerting residents of a data breach. How do you do it? You have a choice of:
- Electronic notice, but only if that’s the primary method of communication (for example, a company like Yahoo! only gets in touch with me via e-mail).
- Telephonic notice (slightly expensive if a lot of people have been affected by a breach).
Also, a substitute notice can be used, if:
- The cost of providing notice exceeds $250,000; or,
- The number of residents to be notified exceeds five hundred thousand; or,
- There is insufficient contact information for direct contact.
Substitute notice can consist of e-mail (I guess even if it wasn’t the primary method of communication), conspicuous posting of the notice on the company web site page, or alerting major statewide media.
Finally, the Consumer Protection Division of the Department of Consumer Affairs and all consumer reporting agencies must be notified as well if more than one thousand people are affected.
As far as I can tell, there is no word on what must be included in the notification letter (some states, for example, specify that the date of the breach, where it happened, etc. must be included).