South Carolina Lawyer
SC Lawyer, September 2008, #4.
Lost Laptops and Personal Financial Information: What Does South Carolina's New Identity Fraud Act Mean to Businesses?
By D. Kay Tennyson and Jared Q. Libet
Chapter 1
July 17, 2009. Columbia, SC. Sitting in the Columbia airport terminal on her way back to New York following a presentation to several South Carolina real estate agents, P.C. Apple, an account representative with one of the nation's largest real estate companies, realizes, with horror, that she left her laptop in the taxi. Frantically, she calls the taxi company, her assistant and her South Carolina liaison, but by the time her flight lands at JFK, the truth is painfully obvious: Her laptop is nowhere to be found.
"Well, what's the big deal?" her assistant inquires. "It's just a laptop. I'm sure they'll give you another one."
"It's not that," Ms. Apple laments. "This laptop had all of the personal information for all of our South Carolina customers. Names, social security numbers, mortgage information, you name it. Who knows what might happen if that information gets into the wrong hands?"
"So, what are you going to do?"
"(Sighs) . . . I suppose I'll get our South Carolina counsel on the phone and find out what we need to do. I know some states have specific requirements as to what to do when you think your customers' private information may have fallen into the wrong hands. They will know whether South Carolina has requirements specific to their state."
How will counsel advise Ms. Apple? Whether working with her to solve her problem, or (in a more perfect world) advising her and her company what they should do to safeguard their customers' personal, non-public information, South Carolina lawyers need to be aware of the new South Carolina Financial Identity Fraud and Identity Theft Protection Act ("the S.C. Identity Fraud Act" or "the Act"), enacted in the spring of 2008. With the Act, South Carolina joins the majority of states with laws regarding the privacy of customer and consumer information.
What must a company do when its customers' private information is lost or stolen?
South Carolina's Financial Identity Fraud and Identity Theft Protection Act: new requirements for some businesses in South Carolina
As of December 31, 2008, when many of the new provisions of the S.C. Identity Fraud Act take effect, those doing business in South Carolina may be subject to South Carolina's new privacy laws. See 2008 S.C. Acts 190, S.B.*0453, 2007-08 Gen. Assem., 117th Sess., § 7.B (S.C. 2008) (enacted; to be codified as S.C. Code Ann. § 37-20-210 et seq.; § 30-2-300 et seq.; § 1-11-490; § 16-11-725; § 16-13-512; § 39-1-90; § 16-13-510). As the Act's name suggests, much of it is focused on protecting consumers from identity fraud. This article focuses on the portions of the Act that create requirements for those doing business in South Carolina that possess personal information about individuals.
Breach of security of business data
Section 7.A. of the Act, to be codified as S.C. Code § 39-1-90, takes effect on July 1, 2009. Significant to business and counsel, this section establishes requirements as to when and how businesses must notify customers of a potential security breach that may have compromised their private information.
Who is covered, and are there exceptions?
Any person or entity "conducting business in South Carolina" that maintains protected, non-private personal identifying information may be subject to the requirements and penalties of this portion of the Act. See S.C. Code Ann. § 39-1-90(A). This statute, however, contains an important exception: businesses already subject to and complying with certain federal statutes are not subject to this portion of South Carolina's new Act. These exceptions include entities that are "significantly engaged" in "financial activities," which are already covered by the federal Gramm-Leach-Bliley Act (GLB) (codified at 15 U.S.C. § 6801, et seq.). See S.C. Code Ann. § 39-1-90(I)-(J). Detailed discussion of GLB and other federal privacy statutes and regulations is beyond the scope of this article.
"So I'm reading this part about the new financial identity fraud act not applying to businesses covered by GLB," Ms. Apple commented to counsel. "Does that mean we don't have to worry about this?"
"Although GLB does cover a wide range of businesses it terms 'financial institutions,' those that are 'significantly engaged in financial activities,'" South Carolina counsel explained, "your company is not subject to GLB's regulations. If you offered mortgages or real estate settlement services, GLB would apply, but real-estate agent services don't fall under GLB. This falls squarely within the purview of the new South Carolina Financial Identity Fraud and Identity Theft Protection Act."
End of Interlude
What information is protected?
The Act protects...