South Carolina General Assembly
120th Session, 2013-2014

Bill 1086

Indicates Matter Stricken
Indicates New Matter


(Text matches printed bills. Document has been reformatted to meet World Wide Web specifications.)


COMMITTEE REPORT

April 9, 2014

S. 1086

Introduced by Senators Hayes and L. Martin

S. Printed 4/9/14--S.    [SEC 4/10/14 5:12 PM]

Read the first time March 6, 2014.

            

THE COMMITTEE ON JUDICIARY

To whom was referred a Bill (S. 1086) to amend Section 1-11-490, Code of Laws of South Carolina, 1976, relating to providing notice of a breach of security of state agency data, etc., respectfully

REPORT:

That they have duly and carefully considered the same and recommend that the same do pass with amendment:

Amend the bill, as and if amended, page 1, beginning on line 28, by striking SECTION 1 in its entirety and inserting therein the following:

/    SECTION    1. Subsections (C) and (E) through (I) in Section 1-11-490 of the 1976 Code, as added by Act 190 of 2008, are amended to read:

"(C)    The notification required by this section may be delayed if a law enforcement agency determines that the notification impedes a criminal investigation. The notification required by this section must be made after the law enforcement agency determines that it no longer compromises the investigation. A delay in notification shall not exceed seventy-two hours after discovery, unless the agency requests and the attorney general grants, in writing, additional delays of up to seventy-two hours each upon a determination that such notification impedes a criminal investigation."

"(E)    The notice required by this section may be provided by:

(1)    must be clear, conspicuous, and shall include all of the following:

(a)    a description of the incident in general terms;

(b)    a description of the type of personal identifying information that was or is reasonably believed to have been subject to the unauthorized access and acquisition;

(c)    a description of the general acts of the agency to protect the personal identifying information from further unauthorized access;

(d)    a telephone number for the agency that a person may call for further information and assistance;

(e)    the toll-free telephone number, addresses, and website address for the South Carolina Department of Consumer Affairs, along with the following statement: 'For information on avoiding and defending against identity theft, you may contact the South Carolina Department of Consumer Affairs';

(2)    may be provided by:

(1)(a)    written notice;

(2)(b)    electronic notice, if the person's primary method of communication with the individual is by electronic means or is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 USC U.S.C. Section 7001 and Chapter 6, Title 26 of the 1976 Code;

(3)(c)    telephonic notice; or

(4)(d)    substitute notice, if the agency demonstrates that the cost of providing notice exceeds two hundred fifty thousand dollars or that the affected class of subject persons to be notified exceeds five hundred thousand or the agency has insufficient contact information. Substitute notice consists of:

(a)(i)    e-mail email notice when the agency has an e-mail email address for the subject persons;

(b)(ii)    conspicuous posting of the notice on the agency's web site website page, if the agency maintains one; or

(c)(iii)    notification to major statewide media.

(F)    Notwithstanding subsection (E), an agency that maintains its own notification procedures as part of an information security policy for the treatment of personal identifying information and is otherwise consistent with the timing requirements of this section is considered to be in compliance with the notification requirements of this section if it notifies subject persons in accordance with its policies in the event of a breach of security of the system.

(G)(F)    A resident of this State who is injured by a violation of this section, in addition to and cumulative of all other rights and remedies available at law, may:

(1)    institute a civil action to recover damages;

(2)    seek an injunction to enforce compliance; and

(3)    recover attorney's fees and court costs, if successful.

(H)(G)    An agency that knowingly and wilfully violates this section is subject to an administrative fine up to one thousand dollars for each resident whose information was accessible by reason of the breach, the amount to be decided by the Department of Consumer Affairs.

(I)(H)    If the agency provides notice to more than one thousand persons at one time pursuant to this section, the business shall notify, without unreasonable delay, the Consumer Protection Division of the Department of Consumer Affairs and all consumer reporting agencies that compile and maintain files on a nationwide basis, as defined in 15 USC U.S.C. Section 1681a(p), of the timing, distribution, and content of the notice."    /

Renumber sections to conform.

Amend title to conform.

TOM YOUNG, JR. for Committee.

            

STATEMENT OF ESTIMATED FISCAL IMPACT

ESTIMATED FISCAL IMPACT ON GENERAL FUND EXPENDITURES:

$0 (No additional expenditures or savings are expected)

ESTIMATED FISCAL IMPACT ON FEDERAL & OTHER FUND EXPENDITURES:

$0 (No additional expenditures or savings are expected)

EXPLANATION OF IMPACT:

The Department of Consumer Affairs

The department reports that this bill will have no fiscal impact on the General Fund of the State, nor on federal and/or other funds.

Approved By:

Brenda Hart

Office of State Budget

A BILL

TO AMEND SECTION 1-11-490, CODE OF LAWS OF SOUTH CAROLINA, 1976, RELATING TO PROVIDING NOTICE OF A BREACH OF SECURITY OF STATE AGENCY DATA, SO AS TO REQUIRE THAT THE NOTICE DESCRIBE THE BREACH AND PROVIDE CONTACT INFORMATION WHERE ASSISTANCE MAY BE OBTAINED, INCLUDING THE DEPARTMENT OF CONSUMER AFFAIRS, AND TO DELETE A PROVISION ALLOWING AN AGENCY TO ADHERE TO ITS OWN POLICY; AND TO AMEND SECTION 39-1-90, RELATING TO PROVIDING NOTICE OF A BREACH OF SECURITY OF BUSINESS DATA, SO AS TO PROVIDE THE SAME NOTICE REQUIREMENTS AND TO DELETE THE SAME PROVISION.

Be it enacted by the General Assembly of the State of South Carolina:

SECTION    1.    Section 1-11-490(E) through (I) of the 1976 Code, as added by Act 190 of 2008, is amended to read:

"(E)    The notice required by this section may be provided by:

(1)    must be clear, conspicuous, and shall include all of the following:

(a)    a description of the incident in general terms;

(b)    a description of the type of personal identifying information that was or is reasonably believed to have been subject to the unauthorized access and acquisition;

(c)    a description of the general acts of the agency to protect the personal identifying information from further unauthorized access;

(d)    a telephone number for the agency that a person may call for further information and assistance;

(e)    the toll-free telephone number, addresses, and website address for the South Carolina Department of Consumer Affairs, along with the following statement: 'For information on avoiding and defending against identity theft, you may contact the South Carolina Department of Consumer Affairs.';

(2)    may be provided by:

(1a)    written notice;

(2b)    electronic notice, if the person's primary method of communication with the individual is by electronic means or is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 USC U.S.C. Section 7001 and Chapter 6, Title 26 of the 1976 Code;

(3c)    telephonic notice; or

(4d)    substitute notice, if the agency demonstrates that the cost of providing notice exceeds two hundred fifty thousand dollars or that the affected class of subject persons to be notified exceeds five hundred thousand or the agency has insufficient contact information. Substitute notice consists of:

(ai)    e-mail email notice when the agency has an e-mail email address for the subject persons;

(bii)    conspicuous posting of the notice on the agency's web site website page, if the agency maintains one; or

(ciii)    notification to major statewide media.

(F)    Notwithstanding subsection (E), an agency that maintains its own notification procedures as part of an information security policy for the treatment of personal identifying information and is otherwise consistent with the timing requirements of this section is considered to be in compliance with the notification requirements of this section if it notifies subject persons in accordance with its policies in the event of a breach of security of the system.

(GF)        A resident of this State who is injured by a violation of this section, in addition to and cumulative of all other rights and remedies available at law, may:

(1)    institute a civil action to recover damages;

(2)    seek an injunction to enforce compliance; and

(3)    recover attorney's fees and court costs, if successful.

(HG)    An agency that knowingly and wilfully violates this section is subject to an administrative fine up to one thousand dollars for each resident whose information was accessible by reason of the breach, the amount to be decided by the Department of Consumer Affairs.

(IH)    If the agency provides notice to more than one thousand persons at one time pursuant to this section, the business shall notify, without unreasonable delay, the Consumer Protection Division of the Department of Consumer Affairs and all consumer reporting agencies that compile and maintain files on a nationwide basis, as defined in 15 USC U.S.C. Section 1681a(p), of the timing, distribution, and content of the notice."

SECTION    2.    Section 39-1-90(E) through (K) of the 1976 Code, as added by Act 190 of 2008, is amended to read:

"(E)    The notice required by this section may be provided by:

(1)    must be clear, conspicuous, and shall include all of the following:

(a)    a description of the incident in general terms;

(b)    a description of the type of personal identifying information that was or is reasonably believed to have been subject to the unauthorized access and acquisition;

(c)    a description of the general acts of the business to protect the personal identifying information from further unauthorized access;

(d)    a telephone number for the business that a person may call for further information and assistance;

(e)    the toll-free telephone number, addresses, and website address for the South Carolina Department of Consumer Affairs, along with the following statement: 'For information on avoiding and defending against identity theft, you may contact the South Carolina Department of Consumer Affairs.';

(2)    may be provided by:

(1a)    written notice;

(2b)    electronic notice, if the person's primary method of communication with the individual is by electronic means or is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 USC U.S.C. Section 7001 and Chapter 6, Title 26 of the 1976 Code;

(3c)    telephonic notice; or

(4d)    substitute notice, if the person demonstrates that the cost of providing notice exceeds two hundred fifty thousand dollars or that the affected class of subject persons to be notified exceeds five hundred thousand or the person has insufficient contact information. Substitute notice consists of:

(ai)    e-mail email notice when the person has an e-mail email address for the subject persons;

(bii)    conspicuous posting of the notice on the web site website page of the person, if the person maintains one; or

(ciii)    notification to major statewide media.

(F)    Notwithstanding subsection (E), a person that maintains its own notification procedures as part of an information security policy for the treatment of personal identifying information and is otherwise consistent with the timing requirements of this section is considered to be in compliance with the notification requirements of this section if the person notifies subject persons in accordance with its policies in the event of a breach of security of the system.

(GF)    A resident of this State who is injured by a violation of this section, in addition to and cumulative of all other rights and remedies available at law, may:

(1)    institute a civil action to recover damages in case of a wilful and knowing violation;

(2)    institute a civil action that must be limited to actual damages resulting from a violation in case of a negligent violation of this section;

(3)    seek an injunction to enforce compliance; and

(4)    recover attorney's fees and court costs, if successful.

(HG)    A person who knowingly and wilfully violates this section is subject to an administrative fine in the amount of one thousand dollars for each resident whose information was accessible by reason of the breach, the amount to be decided by the Department of Consumer Affairs.

(IH)    This section does not apply to a bank or financial institution that is subject to and in compliance with the privacy and security provision of the Gramm-Leach-Bliley Act.

(JI)    A financial institution that is subject to and in compliance with the federal Interagency Guidance Response Programs for Unauthorized Access to Consumer Information and Customer Notice, issued March 7, 2005, by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision, as amended, is considered to be in compliance with this section.

(KJ)    If a business provides notice to more than one thousand persons at one time pursuant to this section, the business shall notify, without unreasonable delay, the Consumer Protection Division of the Department of Consumer Affairs and all consumer reporting agencies that compile and maintain files on a nationwide basis, as defined in 15 USC U.S.C. Section 1681a(p), of the timing, distribution, and content of the notice."

SECTION    3.    This act takes effect upon approval of the Governor.

----XX----

This web page was last updated on April 10, 2014 at 5:12 PM