What are the legal requirements for disclosing data breaches?

In South Carolina, businesses must comply with specific legal requirements for disclosing data breaches that involve personal information. According to South Carolina Code Ann. § 39-1-90, any person or business that conducts business in South Carolina and owns or licenses computerized data that includes personal information must disclose a breach of the security of the data in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and as provided in the statute. If a breach of security affects 1,000 or more individuals, then anyone conducting business in South Carolina must disclose the breach to all affected individuals in the most expedient time possible and without unreasonable delay; the notice must also be provided to the South Carolina Attorney General. If a breach of security affects fewer than 1,000 individuals, then notice of the breach must be provided to either the affected individuals or to the South Carolina Attorney General. The notice must include the name and contact information of the person or business that experienced the breach, a description of the information that was subject to the breach, the date on which the breach occurred, advice that customers should review their accounts for unauthorized activity, and how the affected individuals can protect themselves from identity theft or other potential financial harm. In all cases, the business must take steps to protect the affected individuals, such as providing information on any free credit monitoring services that are available. The business must also take steps to investigate the breach, which may include contacting law enforcement. If certain criteria are met, the business may also be required to notify the national consumer reporting agencies of the breach.

What are the legal requirements for disclosing data breaches?

Related FAQs

Related Blog Posts